FIPS support for Kerberos


FIPS support for Kerberos

Abhidnya Joshi
Hi All,

Is there a FIPS compliant version of Kerberos library available?

Even if I build it with FIPS compliant OpenSSL crypto, it gives problems for
low-level function calls like SHA256_Init, AES_set_encrypt_key, etc.
OpenSSL libcrypto aborts on calls to such functions when FIPS mode is on.

There is also MD5 used via krb5_rc_hash_message() which aborts via openssl
libcrypto.

Any suggestions/comments on how to handle this? Is there any configuration
option to control these?

Thanks
Abhidnya Joshi
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
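As an added illustration of the failure mode in the post above (example code, not krb5's or OpenSSL's own): the replay cache hashes each message only to build a lookup key, so the two ways to keep that path from aborting under a FIPS-enabled libcrypto are to go through the high-level digest API and declare the MD5 use as not-for-security, or to key on an approved digest when the system is in FIPS mode. Python's hashlib is used here because its usedforsecurity flag is the same knob OpenSSL's EVP layer exposes, which the low-level SHA256_Init/AES_set_encrypt_key calls bypass. The /proc/sys/crypto/fips_enabled path and the ReplayCache class are assumptions of this example; nothing in it makes code FIPS compliant, it only keeps it FIPS-mode-safe.

```python
import hashlib

# Linux kernel flag; assumed path, read only to pick a digest, never to claim compliance.
FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"


def fips_enabled(path=FIPS_SYSCTL):
    """True if the kernel reports FIPS mode; False if the flag is absent (non-Linux)."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def rc_hash_message(message, fips):
    """Lookup key for a replay-cache entry.

    Outside FIPS mode use MD5, declared as not-for-security so the high-level
    digest API (hashlib over EVP) does not refuse it the way a raw MD5 call would.
    In FIPS mode skip MD5 altogether and key on SHA-256, an approved digest, so
    the call cannot abort regardless of what the provider allows.
    """
    if fips:
        return hashlib.sha256(message).hexdigest()
    try:
        return hashlib.md5(message, usedforsecurity=False).hexdigest()
    except (ValueError, TypeError):
        # ValueError: backend refused MD5 anyway; TypeError: Python < 3.9 lacks the flag.
        return hashlib.sha256(message).hexdigest()


class ReplayCache:
    """Simplified replay cache (not krb5's on-disk format): message hash -> arrival time."""

    def __init__(self, lifespan, fips=None):
        self.lifespan = lifespan                      # seconds an entry stays valid
        self.fips = fips_enabled() if fips is None else fips
        self._seen = {}

    def check_and_store(self, message, now):
        """Return True if message was already seen within lifespan, else record it."""
        # Drop expired entries first so the cache cannot grow without bound.
        cutoff = now - self.lifespan
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}
        key = rc_hash_message(message, self.fips)
        if key in self._seen:
            return True
        self._seen[key] = now
        return False


if __name__ == "__main__":
    # Constructed sample: the same AP-REQ-like blob presented twice within the window.
    rc = ReplayCache(lifespan=300, fips=fips_enabled())
    blob = b"AP-REQ authenticator bytes (constructed sample)"
    print("first presentation is replay:", rc.check_and_store(blob, now=1000.0))
    print("second presentation is replay:", rc.check_and_store(blob, now=1001.0))
    print("after window is replay:", rc.check_and_store(blob, now=1400.0))
```

Running it on a FIPS-enabled host keys the cache on SHA-256 and never touches MD5; elsewhere it uses MD5 with the non-security flag and falls back to SHA-256 if the backend still refuses. Passing fips explicitly to ReplayCache lets a test exercise both branches on any machine.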

Re: FIPS support for Kerberos

Simo Sorce-3
As far as I know there is no version of Kerberos that is FIPS compliant
at this point. There are also problems with some aspects of the
protocol that would have to be approved as allowed by FIPS.

There is definitely commercial interest to get there, but that effort
is generally happening at each vendor individually.

Simo.

On Fri, 2019-05-03 at 10:44 +0530, Abhidnya Joshi wrote:

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc



Re: FIPS support for Kerberos

Abhidnya Joshi
Hi Simo,
Thank you for the quick reply. May I know what you mean by "some
aspects" of the protocol that have to be approved as allowed by FIPS?
Does the Kerberos available in RHEL Enterprise edition claim to be FIPS
compliant?

Thanks
Abhidnya Joshi

On Fri, May 3, 2019 at 5:55 PM Simo Sorce <[hidden email]> wrote:

> As far as I know there is no version of Kerberos that is FIPS compliant
> at this point. There are also problems with some aspects of the
> protocol that would have to be approved as allowed by FIPS.
>
> There is definitely commercial interest to get there, but that effort
> is generally happening at each vendor individually.
>
> Simo.

Re: FIPS support for Kerberos

Simo Sorce-3
On Fri, 2019-05-03 at 23:21 +0530, Abhidnya Joshi wrote:
> Hi Simo,
> Thank you for the quick reply. May I know what you mean by "some
> aspects" of the protocol that have to be approved as allowed by FIPS?

Going from memory, the PRF used in Kerberos is not approved in FIPS 140-
2; not that there is anything wrong with it as a PRF, it is just not listed.

> Does the Kerberos available in RHEL Enterprise edition claim to be FIPS
> compliant?

No, up to the latest public RHEL release (7.6) we do not claim FIPS
compliance for our distribution of Kerberos, yet.

Simo.


--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc



Re: FIPS support for Kerberos

Robbie Harwood
Simo Sorce <[hidden email]> writes:

> On Fri, 2019-05-03 at 23:21 +0530, Abhidnya Joshi wrote:
>
>> Does the Kerberos available in RHEL Enterprise edition claim to be FIPS
>> compliant?
>
> No, up to the latest public RHEL release (7.6) we do not claim FIPS
> compliance for our distribution of Kerberos, yet.

I have made it work in FIPS mode, but be careful - working in FIPS mode
isn't the same as being compliant.  Be aware of your exact needs etc.

Thanks,
--Robbie
