[19923] in Kerberos_V5_Development
Re: FIPS support for Kerberos
daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri May 3 08:25:22 2019
Message-ID: <9d3c81f333520c9c39e94adf143c3c69d9e8a023.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Abhidnya Joshi <abhidnyachirmule@gmail.com>, <krbdev@mit.edu>
Date: Fri, 3 May 2019 08:25:08 -0400
In-Reply-To: <CALmqtCUGUm913e03hzwCppEhhcYzNk+tTF78XdPWbeQT+ekSVA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
As far as I know there is no version of Kerberos that is FIPS compliant
at this point. There are also problems with some aspects of the
protocol that would have to be approved as allowed by FIPS.
There is definitely commercial interest to get there, but that effort
is generally happening at each vendor individually.
Simo.
On Fri, 2019-05-03 at 10:44 +0530, Abhidnya Joshi wrote:
> Hi All,
>
> Is there a FIPS compliant version of Kerberos library available?
>
> Even if I build it with fips comliant openssl crypto, it gives problem for
> low level functions calls like SHA256_init, AES_set_encrypt_key, etc.
> Openssl libcrypto aborts on call to such function when FIPS mode is on.
>
> There is also MD5 used via krb5_rc_hash_message() which aborts via openssl
> libcrypto.
>
> Any suggestion/comments on how to handle this? ANy configurable to control
> these options?
>
> Thanks
> Abhidnya Joshi
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
