This does not extend the discussion at hand, but it might be useful to some here who may have to deal with FIPS 140-2.
On 13 Oct 2007 09:32:44 +1000, Damien Miller wrote: > Some comments: > > * Use of an off-the-shelf algorithm like SHA1 might be nice for "tick here > for FIPS certification", but they render the hashing scheme more > vulnerable to dictionary attacks assisted by (near-)commodity hardware. > Contrast with OpenBSD's blowfish scheme, which is deliberately designed > to not be implementable using off-the-shelf crypto accelerator chips. Although there are password hashing mechanisms built from FIPS-approved algorithms (e.g., SHA-1 HMAC), there are no FIPS-approved password hashing mechanisms specifically defined. Meaning, I think there is some room to move here. Now, assuming passwords are a critical security parameter (CSP) for a module, password hashing built from non-FIPS-approved algorithms automatically means the generated password hashes are considered to be CSPs in the clear for FIPS 140-2 purposes (i.e., the password hashes are just considered to an obfuscated form of the plaintext password), and so we have to deal with the requirements revolving around plaintext CSPs for those password hashes. Inside of the cryptographic boundary of a module, CSPs can be maintained in plaintext, as they are considered protected by the security mechanisms of the module, which gives us a foothold for using such password hashing mechanisms. However, while the passwords are considered in the clear, the fact they are undergoing password hashing is not ignored - the authentication mechanism must still meet the applicable authentication requirements of FIPS 140-2, so the password hashing must not cause the password-based authentication to fail to meet those FIPS 140-2 requirements. And, I think password hashing mechanisms built from non-FIPS-approved algorithms can still be used to help meet some FIPS 140-2 authentication requirements - e.g, I can envision bcrypt being configured such that, given a particular module's hardware, it slows does authentication attempts sufficiently to satisfy some strength of authentication requirements. -Andrew --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
