FIPS compliant packages - Security


Thread: FIPS compliant packages

  1. FIPS compliant packages

    Hello all,

    I am writing some security documentation for work. A question came up
    about whether or not the Linux security packages used for
    authentication (krb5) and key management (RSA/DSA for SSH) were FIPS
    compliant.

    I don't really know. I know that Kerberos v5 is FIPS compliant and I
    know that SSH v2 is FIPS compliant. However, are the Linux packages
    FIPS compliant?

    Any ideas how I would verify if they are or not?
    Would they be compliant because the underlying algorithm is compliant?

    Thanks for any insight.


  2. Re: FIPS compliant packages

    On 9 Nov 2006 16:00:25 -0800, jofo wrote:
    > . . . However, are the Linux packages
    > FIPS compliant?
    >
    > Any ideas how I would verify if they are or not?


    This is only a partial answer, but if something (a software
    product, or an implementation of an algorithm) is on the
    FIPS validation list (http://csrc.nist.gov/cryptval/),
    that's a good sign.

    --
    To email me, substitute nowhere->spamcop, invalid->net.

  3. Re: FIPS compliant packages

    The OSSI has put the OpenSSL package through FIPS compliance testing
    although there has been some controversy. The certification is just to level
    1.

    FIPS compliance is, as those who deal with the US government know, a
    big hurdle. There are not a lot of products which conform as the
    compliance list shows. Ideally, I think, the security aspects of Linux
    to include an encrypting file system, OpenSSL could receive
    certification opening up opportunities not only for Linux on general
    machines but embedded into routers and other network appliances. The
    opportunities for a system, like the Linksys consumer routers marketed
    as a way to "secure" other commercial systems and sensors would be huge.

