FIPS support for Kerberos

Simo Sorce simo at redhat.com
Fri May 3 14:30:21 EDT 2019


On Fri, 2019-05-03 at 23:21 +0530, Abhidnya Joshi wrote:
> Hi Simo,
> Thank you for the quick reply. May I know what you mean by "some
> aspects" of the protocol that have to be approved as allowed by FIPS?

Going from memory, the PRF used in Kerberos is not approved in FIPS 140-2,
not that it has anything wrong as a PRF, it is just not listed.

> Does the Kerberos available in RHEL enterprise edition claim to be FIPS
> compliant?

No, up to the latest public RHEL release (7.6) we do not claim FIPS
compliance for our distribution of Kerberos, yet.

Simo.

> Thanks
> Abhidnya Joshi
> 
> On Fri, May 3, 2019 at 5:55 PM Simo Sorce <simo at redhat.com> wrote:
> 
> > As far as I know there is no version of Kerberos that is FIPS compliant
> > at this point. There are also problems with some aspects of the
> > protocol that would have to be approved as allowed by FIPS.
> > 
> > There is definitely commercial interest to get there, but that effort
> > is generally happening at each vendor individually.
> > 
> > Simo.
> > 
> > On Fri, 2019-05-03 at 10:44 +0530, Abhidnya Joshi wrote:
> > > Hi All,
> > > 
> > > Is there a FIPS compliant version of Kerberos library available?
> > > 
> > > Even if I build it with fips compliant openssl crypto, it gives problems for
> > > low level function calls like SHA256_init, AES_set_encrypt_key, etc.
> > > Openssl libcrypto aborts on call to such function when FIPS mode is on.
> > > 
> > > There is also MD5 used via krb5_rc_hash_message() which aborts via openssl
> > > libcrypto.
> > > 
> > > Any suggestion/comments on how to handle this? Any configurable to control
> > > these options?
> > > 
> > > Thanks
> > > Abhidnya Joshi
> > > _______________________________________________
> > > krbdev mailing list             krbdev at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/krbdev
> > 
> > --
> > Simo Sorce
> > Sr. Principal Software Engineer
> > Red Hat, Inc
> > 
> > 
> > 
> 

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc



