[Swan] FIPS mode
jonetsu
jonetsu at teksavvy.com
Tue Apr 14 18:39:04 EEST 2015
> From: "Paul Wouters" <paul at nohats.ca>
> Date: 04/14/15 11:17
> Restriction of algorithms will be done post RHEl-7.1 (and is not strictly
> a requirement of FIPS, you can document that one should not use MD5
> without blocking MD5)
It's a few times now that I see this. A device offers non-FIPS option but, the user guide says not to use them. Seems all OK for validation purposes. To extrapolate, I guess a device could offer SNMP v1, v2c and v3 witha FIPS user guide that says 'please do not use SNMP v1 and v2c'.
> However, current libreswan git head (which will become 3.13) does have
> these restrictions enforced now. Which means, MD5, TWOFISH and SERPENT
> are not available for IKE or ESP.
OK ! Thanks !
> > So far I can say that putting the kernel through FIPS validation
> > is not something that was ever mentioned with the consultants.
>
> It's very expensive. It might be much better to pick a kernel that has
> been FIPS certified when you can.
Hmmm...
> That's because the XFRM itself does not perform cryptographic
> operations. The kernel crypto API does that, and it is FIPS certified on
> its own:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1387.pdf
Ah.
More information about the Swan
mailing list