[Swan] FIPS mode

Paul Wouters paul at nohats.ca
Tue Apr 14 18:16:57 EEST 2015


On Tue, 14 Apr 2015, jonetsu wrote:

>> IKE is encrypted using the NSS library (which has been FIPS
>> certified in itself on some distributions such as RHEL)
>
> NSS has 'native' FIPS mode that can be switched on using the
> modutil utility.  No need for an extra package (as in the case
> with OpenSSL).

It is also turned out by the kernel parameter fips=1

>> For RHEL7, Libreswan is currently going through FIPS and Common
>> Criteria certification.
>
> (Sorry I haven't looked yet) Is there any FIPS-related code
> update available such as restriction of crypto used in FIPS mode
> ?

Restriction of algorithms will be done post RHEl-7.1 (and is not strictly
a requirement of FIPS, you can document that one should not use MD5
without blocking MD5)

However, current libreswan git head (which will become 3.13) does have
these restrictions enforced now. Which means, MD5, TWOFISH and SERPENT
are not available for IKE or ESP.

> So far I can say that putting the kernel through FIPS validation
> is not something that was ever mentioned with the consultants.

It's very expensive. It might be much better to pick a kernel that has
been FIPS certified when you can.

> Considering that it would certainly be a huge effort from the
> testing lab, they would have mentioned it early on.  And, not all
> of the kernel would be certified.
>
> Red Hat 5.0 clearly excludes XFRM of their Security Policy.
> Section 1.1.2 page 8:
>
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

That's because the XFRM itself does not perform cryptographic
operations. The kernel crypto API does that, and it is FIPS certified on
its own:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1387.pdf

> As you say, there are not that many IKE packets anyways.  I'm
> still wondering why Strongswan would say that using the OpenSSL
> crypto plug-ins is the easiest way to get FIPS certification.
>
> Page 12 (yes, it dates from 2008, things might have changed) :

Perhaps in 2008 they didn't have AF_KEY support yet? or their other
many modules. I'm pretty sure those different modules were paid for
by people who did not want to pay twice for a FIPS certification. So
depending on your other applications on your device, it might make
more sense to use openssl or nss or the kernel or gcrypt, etc etc.

Paul


More information about the Swan mailing list