Hello Martin. Thank you for your reply. We currently use the default strongSwan crypto routines and I would prefer to keep using them. The NIST 800-131a mentions that in 2007,a new set of RNGs were approved in SP 800-90. Does the default strongSwan crypto routines uses these approved RNGs? Thank you again for your help.
Regards, Dale Dale H. Anderson DS Command Line Interface Architect Dept.74CA/9032-2, Room 972 9000 S. Rita Road Tucson, AZ 85744-0002 Tieline: 321- 2629 External: (520) 799-2629 External: mailto:[email protected] From: Martin Willi <[email protected]> To: Dale H Anderson/Tucson/IBM@IBMUS Cc: [email protected] Date: 11/05/2012 07:52 AM Subject: Re: [strongSwan-dev] NIST 800-131a Hello Dale, > but I did find that the crypto back end is based on libgcrypt. We support different crypto backends in strongSwan. The default uses our own crypto routines provided directly by strongSwan. Alternatively you can use the OpenSSL or the libgcrypt based crypto backends. This can be configured by passing the appropriate options to the ./configure script. Additionally to what we use in userspace, you usually make use of the cryptographic API from the Linux kernel to process ESP packets. > does this mean that just by specifying the required encryption > algorithms with the appropriate key lengths for connections, my system > (currently 4.6.1) will be compliant with the NIST standard? Yes, the ipsec.conf "esp" and "ike" proposal keywords allow you to define the algorithms to use, man ipsec.conf for details. Also make sure to append a "!" to the value of these keywords; this will remove the fallback to other algorithms supported by your build. Public key strengths are defined by the keys you configure, or what your CA issues. In newer strongSwan releases, you can also define additional public key strength requirements with the left/rightauth options. The manpage of ipsec.conf has more details. Regards Martin
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
