Does RADIUS’s use of the MD5 algorithm make it not FIPS validated for an application that allows RADIUS authentication?

Posted by 一曲冷凌霜 on 2019-12-24 00:15:42

Question


The issue is if you enforce FIPS validated cryptography in the Windows security policy settings, an exception will be thrown because RADIUS protocol uses the MD5 algorithm to hash the request authenticator. There is not an alternative MD5 algorithm that is FIPS validated so it does not appear any code implementation of RADIUS would be possible on a machine providing FIPS validated cryptography.

Does this mean RADIUS is mutually exclusive with FIPS validation?

The code implements the RADIUS protocol as specified by the official RFC (http://tools.ietf.org/html/rfc2865).


Answer 1:


When you enable FIPS validated cryptography in Windows, you're asserting that you are now going to use only the FIPS-validated encryption and hash algorithms. More specifically, it's the cryptographic module in Windows that has been validated only to allow users to use approved FIPS algorithms. The list of acceptable algorithms is defined in Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules.

MD5 is not an approved hash algorithm, so no, applications cannot use it. For hashing, you're limited to the SHA family of algorithms. So MD5-based RADIUS is out because it cannot use MD5 from a FIPS-validated security module.

If you peruse the FIPS-validated modules, you may notice that some declare MD5 as a non-approved algorithm. What this means is that the certified module internally uses MD5, but does not expose the functionality to applications, or use it for communication. For example, a hardware encryption module running embedded Linux may use MD5 to hash passwords in /etc/passwd. That's OK because users of the module cannot use MD5.



Source: https://stackoverflow.com/questions/3771256/does-radius-s-use-of-the-md5-algorithm-make-it-not-fips-validated-for-an-applica
