FIPS compliance - Kerberos



Thread: FIPS compliance

  1. FIPS compliance

    Hello all,

    I am writing some security documentation for work. A question came up
    about whether or not the Linux security packages used for
    authentication (krb5) and key management (RSA/DSA for SSH) were FIPS
    compliant.

    I don't really know. I know that Kerberos v5 is FIPS compliant and I
    know that SSH v2 is FIPS compliant. However, are the Linux packages
    FIPS compliant?

    Any ideas how I would verify if they are or not?
    Would they be compliant because the underlying algorithm is compliant?

    Thanks for any insight.


  2. Re: FIPS compliance

    "jofo" writes:
    > From: "jofo"
    > X-Newsgroups: comp.protocols.kerberos
    > Subject: FIPS compliance
    > Date: 9 Nov 2006 16:02:41 -0800
    >
    > Hello all,
    >
    > I am writing some security documentation for work. A question came up
    > about whether or not the Linux security packages used for
    > authentication (krb5) and key management (RSA/DSA for SSH) were FIPS
    > compliant.
    >
    > I don't really know. I know that Kerberos v5 is FIPS compliant and I
    > know that SSH v2 is FIPS compliant. However, are the Linux packages
    > FIPS compliant?
    >
    > Any ideas how I would verify if they are or not?
    > Would they be compliant because the underlying algorithm is compliant?
    >
    > Thanks for any insight.


    Which FIPS standard are you thinking of? There are a bunch.
    FIPS 81?
    FIPS-PUB-113?
    FIPS 140-2?
    FIPS 197?

    I don't think you can say any 'generic' thing is FIPS-compliant.
    Strictly speaking, FIPS compliance is something you get by going
    through a very particular governmental certification process, which
    normally does not deal with generic standards, but instead deals with specific
    and particular implementations. Standards are described, but the
    compliance aspect is to show that a particular implementation meets
    that standard. So, any random implementation of kerberos 5 is not
    inherently FIPS compliant. Indeed, the original kerberos 5 spec (RFC
    1510) had just enough deficiencies that it's not even entirely safe to
    assume it will interoperate with all or even most other implementations
    of kerberos 5. Somebody's particular build of kerberos 5, installed
    with a particular set of packages for the rest of the operating system,
    on a particular hardware platform (probably particular down to the make
    & model of the system hardware), and certified (probably at considerable
    expense) at one of a small number of government approved private
    laboratories which will follow a specific testing regime prescribed by
    the government, that might be compliant. I doubt anybody but a
    commercial outfit bidding for a governmental contract would bother to
    follow this whole process. It's unlikely an open source organization
    would bother; there's simply no reason to do so.

    Open source organizations can and do attempt to follow FIPS standards,
    of course. That's not for FIPS compliance, that's for
    interoperability. Another reason folks often choose to follow FIPS
    standards is because they have been reviewed by enough folks that there
    is some level of assurance that they can deliver a given, though often
    not entirely ideal, level of security. Perhaps a better term would be
    "FIPS compatible", although even that is a bit silly. Usually people
    just name the particular algorithm or protocol, i.e., "aes" or "des-cbc".

    Now, if you want to have fun, find a copy of the original FIPS
    standard for DES (FIPS 46), and try to decide from that standard in what
    order the bits of a DES key or data block should be stored in memory, for
    a software implementation of DES.

    -Marcus Watts
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
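The DES bit-ordering puzzle at the end of the reply above is a real one: FIPS 46 numbers the bits of a 64-bit block 1 through 64 and writes every permutation table in those numbers, but it never states how bit 1 maps onto the bytes a program holds in memory. The interoperable convention is that bit 1 is the most significant bit of the first byte. The following Python is an added example, not code from the thread or from MIT Kerberos: it applies the standard's PC-1 (Permuted Choice 1) key-schedule table under that convention and under the opposite one (bit 1 = least significant bit of the first byte), so the reader can see the two readings produce different key halves. It implements only PC-1 and the key parity check, not the cipher; the 8-byte key is a sample value chosen for the demonstration.

```python
"""FIPS 46 bit numbering versus bytes in memory, demonstrated on PC-1.

Added example, not part of the original thread. Implements only the key
parity check and Permuted Choice 1; the sample key is a constructed value.
"""
from __future__ import annotations

# Permuted Choice 1 from FIPS 46: selects 56 of the 64 key bits. The
# multiples of 8 (bits 8, 16, ..., 64) are the parity bits and never appear.
# The first 28 selected bits become C0, the remaining 28 become D0.
PC1 = [
    57, 49, 41, 33, 25, 17,  9,
     1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27,
    19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,
     7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29,
    21, 13,  5, 28, 20, 12,  4,
]


def bit_msb_first(block: bytes, n: int) -> int:
    """FIPS 46 bit n (1-based) with bit 1 = most significant bit of block[0].

    This is the convention every interoperable DES implementation uses.
    """
    byte, offset = divmod(n - 1, 8)
    return (block[byte] >> (7 - offset)) & 1


def bit_lsb_first(block: bytes, n: int) -> int:
    """The other possible reading: bit 1 = least significant bit of block[0].

    Nothing in the text of FIPS 46 rules this out; it just does not interoperate.
    """
    byte, offset = divmod(n - 1, 8)
    return (block[byte] >> offset) & 1


def permute(block: bytes, table: list[int], bit_of=bit_msb_first) -> str:
    """Apply a FIPS 46 permutation table; output is a string of '0'/'1'."""
    return "".join(str(bit_of(block, n)) for n in table)


def has_odd_parity(key: bytes) -> bool:
    """FIPS 46 requires odd parity in each key byte (bit 8k is the parity bit)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def pc1(key: bytes, bit_of=bit_msb_first) -> tuple[str, str]:
    """Return (C0, D0) as 28-character bit strings for an 8-byte DES key."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    bits = permute(key, PC1, bit_of)
    return bits[:28], bits[28:]


if __name__ == "__main__":
    # Constructed sample key (each byte already has odd parity).
    key = bytes.fromhex("133457799BBCDFF1")
    print("odd parity:", has_odd_parity(key))
    print("PC-1, bit 1 = MSB of byte 0:", pc1(key))
    print("PC-1, bit 1 = LSB of byte 0:", pc1(key, bit_lsb_first))
```

With the conventional mapping the sample key yields C0 = 1111000011001100101010101111 and D0 = 0101010101100110011110001111; the LSB-first reading yields different halves from the same eight bytes, which is exactly the ambiguity the reply points at. Any two implementations that disagree on this mapping will each be a faithful reading of the tables and still fail to decrypt each other's output.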

