On 7/1/22 22:38, Bob Friesenhahn wrote:
> On Fri, 1 Jul 2022, achtol wrote:
>> Does this mean that WPA3 is incompatible with FIPS? That would be
>> puzzling, when the arguably less secure WPA2 does not pose such a
>> problem (only constraints on the length of SSID/passphrases).
>>
>> Or, can it be claimed that these operations do not fulfill a security
>> function? In which case, I believe, using a non-FIPS-approved
>> algorithm is permitted.
>
> Regardless of the reasoning employed (and hopefully it is the latter),
> your FIPS 140-3 crypto library is not going to be very helpful since
> it will refuse to work. You would then need to find the necessary
> crypto algorithms independent of that library and add them in a
> non-conflicting way, much as hostapd/wpa_supplicant include a private
> implementation of MD5.
>
> Bob

That's right. My plan would be to throw in custom implementations of
these algorithms, for these two functions only. But to do that I need a
justification for these exceptions, so that the FIPS status of the whole
system is not questioned.
_______________________________________________
Hostap mailing list
http://lists.infradead.org/mailman/listinfo/hostap