Kerberos 5 certified under NIST 140-2.

Marcus Watts mdw at spam.ifs.umich.edu
Sat Sep 1 07:47:22 EDT 2007


Various wrote:
> >I work at the U.S. Census Bureau and would like to use Kerberos 5 as our
> >network authentication protocol.  The only problem is that for us to meet
> >our Certification and Accreditation and use Kerberos 5, it must be
> >certified under NIST 140-2.  Do you have plans to have version 5 certified?
> >My understanding is that version 4 was.
...
> When I looked into this for Kerberos, doing the certification cost
> around $25,000-$35,000 and took a couple of years.  And having seen
...

As I read FIPS 140-2, it addresses hardware much more than software, and
very much addresses "complete systems" or sometimes "components" and really
does not address frameworks or pluggable environments much at all.

Open source software loses here on several points:
 1. it's not a "finished" system.  Somebody might come along at any
	point and change it, invalidating any test results done until
	that point.
 2. the development process for "open source" does not generally conform
	to FIPS 140-2 appendix A and B.

	Appendix A describes the documentation that is necessary.
	There's a lot of it, and it is very specific to the testing
	required for FIPS 140-2.  $25K to hire somebody to produce
	this would be a real bargain for something as complicated as
	kerberos 5.

	Appendix B describes the "recommended software development
	practice".  These practices are probably a bit out of date, and
	certainly do not describe modern conventions for C.  The testing &
	documentation is certainly considerably more rigorous than many
	open source projects.  Note that the better organized projects
	at least approach the software methodology suggested here, with
	interesting differences: for instance the design stage may happen
	in part via online chat, unit testing may be on the honor system,
	functional specifications may be terse, & structure charts are
	nearly extinct except in the personnel department.

In fact, I think kerberos 5 probably conforms to about half of
these practices.  For instance, the "life-cycle software engineering
recommendations" include the phrase "may".  I suspect the kerberos
developers actually follow most of those practices, but may be resistant
to documenting that they did so.  The coding standards contain many
"shoulds" for things that MIT kerberos actually follows far less rigidly.
MIT kerberos certainly uses gotos (...using only structured programming
constructs...), unions ("equivalence of variables should not be used..."),
global variables ("should not be used..."), and more than 2 exit points
for many routines ("...at most two exit points").  In-line documentation
is certainly *far* sparser than the appendix B authors suggest.

Rather than looking to the open source community to produce this, I
think your best bet is to look at one of the vendors to do this.
Say, Apple, Solaris, etc.  They distribute the complete system,
not just the software, so they have a better claim on "complete system",
plus both the money stream, and the incentive, to pay for the
certification.  Apparently at least one of the Solaris people
is already pursuing FIPS 140-2 for some of the lower-level crypto
stuff (not kerberos yet).

				-Marcus Watts
