On Tue, 5 Jul 2022, Alan DeKok wrote:
On Jul 5, 2022, at 3:24 PM, James Ralston <ralston@xxxxxxxxx> wrote:
If you are required to run your Wi-Fi client in FIPS mode, where the
cryptographic libraries that wpa_supplicant calls will fail any attempt
to call a cryptographic function forbidden by FIPS (or a FIPS-approved
function with parameters forbidden by FIPS), unfortunately, I think you
will find that you will be unable to connect / authenticate to many
Wi-Fi networks.
EAP-TLS will work. But if the EAP packets are carried over RADIUS, RADIUS uses MD5, which isn't FIPS compliant.
Hostapd/wpa_supplicant provide a private implementation of MD5, which
is used by the RADIUS implementation.
These issues are the same for RADIUS servers, which is why I've
spent too much time looking into them. Any hard-line approach to
FIPS means that RADIUS won't work, and many EAP methods won't work.
Which severely limits your choices for network access.
At least looking at FIPS 140-2 (which I am still on the early side of,
so not much personal experience yet), I found that several products
using RADIUS had achieved certification by only supporting EAP
protocols which provide secure encryption using TLS. In fact, this
appears to be the common approach.
Obviously any authentication which depends on crypto which does not
meet FIPS requirements is never going to be allowed.
Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
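To make concrete where MD5 sits in RADIUS (the point Alan makes above), here is an added worked example that is not part of this thread and not hostapd/wpa_supplicant code. It builds an Access-Request and an Access-Accept on a constructed shared secret ("testing123"), a constructed username/password and a fixed Request Authenticator (a real client picks a random one), and shows the three places RFC 2865/2869 require MD5: User-Password hiding (MD5 stream), the Response Authenticator (plain MD5 over the packet plus secret) and Message-Authenticator (HMAC-MD5). On a FIPS-enforcing OpenSSL, hashlib.md5() and hmac with "md5" raise ValueError, which is exactly the failure mode a hard-line FIPS build hits, and why hostapd ships its own MD5 for the RADIUS code path.

```python
"""Where RADIUS depends on MD5 (RFC 2865 / RFC 2869), worked on constructed
packets. Added example for this thread, not hostapd/wpa_supplicant code."""
import hashlib
import hmac
import struct

SHARED_SECRET = b"testing123"  # constructed for the example, not a real deployment
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80


def md5_available() -> bool:
    """False when the libcrypto behind hashlib is in FIPS mode and refuses MD5."""
    try:
        hashlib.md5(b"")
        return True
    except ValueError:
        return False


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()  # raises ValueError under enforced FIPS


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(body: bytes):
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c1 = p1 ^ MD5(S+RA), c_n = p_n ^ MD5(S+c_{n-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = md5(secret + prev)
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = md5(secret + prev)
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, pw: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Access-Request with Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over
    Code+ID+Length+RequestAuth+Attributes, with the MA value zeroed while hashing."""
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(pw, secret, request_auth))
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, "md5").digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes, request_auth: bytes) -> bool:
    """Works for requests and responses: request_auth is always the *request's* authenticator."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    mac, rebuilt = None, b""
    for atype, value in parse_attrs(packet[20:length]):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac, rebuilt = value, rebuilt + attr(atype, b"\x00" * 16)
        else:
            rebuilt += attr(atype, value)
    if mac is None:
        return False
    expected = hmac.new(secret, packet[:4] + request_auth + rebuilt, "md5").digest()
    return hmac.compare_digest(mac, expected)


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + md5(head + request_auth + attrs + secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    _, _, length = struct.unpack("!BBH", packet[:4])
    expected = md5(packet[:4] + request_auth + packet[20:length] + secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    print("MD5 usable here:", md5_available())
    ra = bytes(range(16))  # constructed; a real client uses 16 random bytes
    req = build_access_request(7, b"alice", b"s3cret", SHARED_SECRET, ra)
    print("Message-Authenticator ok:", verify_message_authenticator(req, SHARED_SECRET, ra))
    acc = build_response(ACCESS_ACCEPT, 7, b"", ra, SHARED_SECRET)
    print("Access-Accept authenticator ok:", verify_response(acc, ra, SHARED_SECRET))
```

Every one of the three checks goes through MD5; none of them can be swapped for a FIPS-approved digest without changing the wire protocol, which is why the only FIPS-clean part of the picture is the EAP-TLS payload carried inside the RADIUS packets, not the RADIUS transport itself.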
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap