On Fri, 19 Jan 2024, Valentin Stancu via FreeIPA-users wrote:

Hello,

I've been searching for information on FIPS 140-2 compliance for OTP
token generation in FreeIPA for a while, but I haven't been able to
find anything conclusive.

Generation of a token is done by creating a random binary key using
Python's os.urandom(KEY_LENGTH) where key length is set to 35. This is
part of ipaserver/plugins/otptoken.py:otptoken class parameters
initialization when 'ipatokenotpkey' parameter is not provided by a
client. The rest of the OTP token parameters can be overridden as well.

        OTPTokenKey('ipatokenotpkey?',
            cli_name='key',
            label=_('Key'),
            doc=_('Token secret (Base32; default: random)'),
            default_from=lambda: os.urandom(KEY_LENGTH),
            autofill=True,
            # force server-side conversion
            normalizer=lambda x: x,
            flags=('no_display', 'no_update', 'no_search'),
        ),

Could you tell me if the plugin that generates OTP tokens in FreeIPA is
FIPS-140-2 compliant? If so, from which version has it been compliant?

Could you also provide guidance on how we can verify the algorithms
used by this 2FA component to generate these tokens? (Token generation
system)

FreeIPA itself is an Open Source project, not a product. Upstream does
not provide FIPS compliance assurance.

RHEL IdM is a part of Red Hat Enterprise Linux. A particular set of
fixes that made the integrated OTP implementation work in FIPS 140-2 mode
on RHEL were released as part of https://access.redhat.com/errata/RHBA-2018:3187.
The specific RFE that was implemented is
https://bugzilla.redhat.com/show_bug.cgi?id=1544679 -- you can start
from there. There is more to it than just fixes on the FreeIPA side, though.

Current FreeIPA code (in daemons/ipa-slapi-plugins/libotp/hotp.c) is
using OpenSSL (since 2020; the original was built with NSS) and does not
implement its own crypto primitives.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
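The question above asks how to verify the algorithms behind the token secret and the HOTP computation. The following is an added example written for this page, not code from FreeIPA or from either poster: it mirrors the plugin's default secret generation (os.urandom with KEY_LENGTH = 35, then the Base32 form the parameter's doc string refers to), implements RFC 4226 HOTP on top of Python's hmac/hashlib (which CPython builds on OpenSSL, standing in here for the OpenSSL HMAC that hotp.c calls), and checks the result against the RFC 4226 Appendix D test vectors. The look-ahead verify function is an assumed server-side pattern, not FreeIPA's own counter handling, and crypto_backend_info() relies on CPython's private _hashlib module, whose get_fips_mode() exists from Python 3.9 on.

```python
import base64
import hashlib
import hmac
import os
import ssl
import struct

# Same key length the FreeIPA plugin passes to os.urandom() for its default secret.
KEY_LENGTH = 35


def generate_token_key(length=KEY_LENGTH):
    """Random token secret from the OS CSPRNG, as the plugin's default_from does."""
    return os.urandom(length)


def key_to_base32(key):
    """Base32 form of the secret. 35 bytes is a multiple of 5, so no '=' padding appears."""
    return base64.b32encode(key).decode("ascii")


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC-<algo> over the 8-byte big-endian counter, then dynamic truncation.
    Returns the zero-padded code as a string."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6 to 8 digits")
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algo).digest()          # OpenSSL-backed HMAC in CPython
    offset = mac[-1] & 0x0F                          # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key, submitted, counter, window=10, digits=6, algo="sha1"):
    """Assumed server-side check (not FreeIPA's own logic): try counters in a look-ahead
    window, compare in constant time, and return the counter to store next (one past the
    match) so the same code cannot be replayed. Returns None when nothing matches."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(key, c, digits, algo), submitted):
            return c + 1
    return None


# RFC 4226 Appendix D test vectors: ASCII key "12345678901234567890", counters 0..9.
RFC4226_KEY = b"12345678901234567890"
RFC4226_CODES = ["755224", "287082", "359152", "969429", "338314",
                 "254676", "287922", "162583", "399871", "520489"]


def rfc4226_self_test():
    """True when the local HMAC/SHA-1 path reproduces every RFC 4226 vector."""
    return all(hotp(RFC4226_KEY, c) == v for c, v in enumerate(RFC4226_CODES))


def crypto_backend_info():
    """Report the OpenSSL this interpreter is linked against and whether it reports FIPS mode.
    _hashlib is CPython's private OpenSSL binding; a missing get_fips_mode() is reported as
    None rather than treated as an error."""
    info = {"openssl": ssl.OPENSSL_VERSION, "fips_mode": None}
    try:
        import _hashlib
        info["fips_mode"] = bool(_hashlib.get_fips_mode())
    except (ImportError, AttributeError):
        pass
    return info


if __name__ == "__main__":
    print("backend:", crypto_backend_info())
    print("RFC 4226 vectors reproduced:", rfc4226_self_test())
    secret = generate_token_key()
    print("new secret (Base32):", key_to_base32(secret))
    code = hotp(secret, 0)
    print("first code:", code, "-> next counter", verify_hotp(secret, code, 0))
```

Running this on the host where the tokens are issued answers the "which algorithm" question empirically: if the RFC 4226 vectors reproduce, the HMAC-SHA-1 path is the standard one, and crypto_backend_info() shows which OpenSSL build and FIPS state that path runs under. It says nothing about certification, which, as the reply notes, is a property of the RHEL build rather than of upstream FreeIPA.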
_______________________________________________
FreeIPA-users mailing list -- [email protected]