[19924] in Kerberos_V5_Development
Re: FIPS support for Kerberos
daemon@ATHENA.MIT.EDU (Abhidnya Joshi)
Fri May 3 13:52:02 2019
MIME-Version: 1.0
In-Reply-To: <9d3c81f333520c9c39e94adf143c3c69d9e8a023.camel@redhat.com>
From: Abhidnya Joshi <abhidnyachirmule@gmail.com>
Date: Fri, 3 May 2019 23:21:39 +0530
Message-ID: <CALmqtCUZVoFgStq75P5+SWeB_Nk0JGXd9Dwq03O59vg1w0T4GQ@mail.gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi Simo,
Thank you for the quick reply. May I know what do you mean by "some
aspects" of the protocol that have to be approved as allowed by FIPS?
Does Kerberos available in RHEL enterprise edition claims as FIPS
compliant?
Thanks
Abhidnya Joshi
On Fri, May 3, 2019 at 5:55 PM Simo Sorce <simo@redhat.com> wrote:
> As far as I know there is no version of Kerberos that is FIPS compliant
> at this point. There are also problems with some aspects of the
> protocol that would have to be approved as allowed by FIPS.
>
> There is definitely commercial interest to get there, but that effort
> is generally happening at each vendor individually.
>
> Simo.
>
> On Fri, 2019-05-03 at 10:44 +0530, Abhidnya Joshi wrote:
> > Hi All,
> >
> > Is there a FIPS compliant version of Kerberos library available?
> >
> > Even if I build it with fips comliant openssl crypto, it gives problem
> for
> > low level functions calls like SHA256_init, AES_set_encrypt_key, etc.
> > Openssl libcrypto aborts on call to such function when FIPS mode is on.
> >
> > There is also MD5 used via krb5_rc_hash_message() which aborts via
> openssl
> > libcrypto.
> >
> > Any suggestion/comments on how to handle this? ANy configurable to
> control
> > these options?
> >
> > Thanks
> > Abhidnya Joshi
> > _______________________________________________
> > krbdev mailing list krbdev@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
>
>
>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
