Kerberos 5 certified under NIST 140-2.

Ken Hornstein kenh at cmf.nrl.navy.mil
Sat Sep 1 00:16:21 EDT 2007


>I work at the U.S. Census Bureau and would like to use Kerberos 5 as our
>network authentication protocol.  The only problem is that for us to meet
>our Certification and Accreditation and use Kerberos 5, it must be
>certified under NIST 140-2.  Do you have plans to have version 5 certified?
>My understanding is that version 4 was.

You of course have to decide what you want to do.  I will only point
out that the Department of Defense has set minimum required versions
of open-source software that clearly has never been certified under
FIPS 140-2 (well, okay, they don't use crypto modules which have
been certified, but you knew that's what I meant); that tells me
that at a DoD level, they seem to not care about FIPS 140-2.  So I
would question the practical relevance of FIPS 140-2 when using
open-source software today.

I may be wrong, but I do not believe any implementation of Kerberos
4 ever went through a FIPS certification process; what you may be
thinking of is that some implementations of DES that met the original
FIPS requirements for DES could say that they were certified under
some later specification (it's been a while, and I think I've forgotten
many of the details).

When I looked into this for Kerberos, doing the certification cost
around $25,000-$35,000 and took a couple of years.  And having seen
presentations from the people who did the work to get OpenSSL
FIPS-certified, it seems that NIST is actively hostile to open-source
software.  If you have a chunk of money sitting around and a few
years to spend jousting at windmills, let us know.  So far no one
has done so.

--Ken
