Marcus has answered your question in detail. I will only add a few extra bits.

>I don't really know. I know that Kerberos v5 is FIPS compliant and I
>know that SSH v2 is FIPS compliant. However, are the Linux packages
>FIPS compliant?

When people say "FIPS compliant", they are usually talking about FIPS 140-1 or 140-2. These particular FIPS standards are significant because government agencies are required to only purchase cryptographic hardware and software that are certified to this standard. Whether or not government agencies can use open-source software that does not meet these standards is a question which is open to interpretation.

Like Marcus said, protocols are not covered under any FIPS standards that I am aware of. Particular crypto implementations can be certified, if you're willing to spend the time and money to do so (it was in the tens of thousands of dollars when I looked into it).

I know of no open-source Kerberos implementation that has been certified under any of the FIPS 140 standards. The situation with OpenSSH is more complicated. What really gets certified is the crypto module, which in this case is OpenSSL. The OpenSSL FIPS 140 certification is in a weird state; it might get resolved, it might not, but I don't want to go into that here.

As a practical matter, all government agencies that I deal with basically ignore the FIPS requirements when it comes to open-source software.

Last week I saw a presentation by the people who are working on the FIPS 140 certification for OpenSSL. After seeing that, it just reinforces my opinion that FIPS 140 is a complete waste of time for software.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
