On 10/04/2015 17:01, jonetsu wrote:
>> From: jonetsu <jonetsu at teksavvy.com>
>> Date: 04/10/15 09:55
>> Is it possible to use DES_crypt() in OpenSSL FIPS mode? Some low
>> level non-EVP methods are allowed, I think. The question comes from
>> seeing if it is possible to use the OpenSSL password() method in FIPS
>> mode.
>
> Hmmm... In any case, trying to squeeze DES in a FIPS validation might be
> pushing it a bit. Any drop-in replacement for the crypto() method in glibc2
> (that supports SHA-256, SHA-512)?
>
> Regards.

I see two possibilities without using any crypto outside the FIPS validated
functionality:

a) If triple DES (TDEA in NIST-speak) is included, then you can emulate DES by
repeating the same 56 bit key 2 or 3 times. For instance, if you need DES with
the key 0x123456789ABCDE, you can just use 112 bit triple DES with the key
0x123456789ABCDE123456789ABCDE or 168 bit triple DES with the key
0x123456789ABCDE123456789ABCDE123456789ABCDE. Then, with that problem solved,
you can recreate the "unix password" formula using the FIPS validated TDEA code
via EVP.

b) If triple DES is not included, then you will have to use one of the modern
password encodings found on Linux and BSD. Those use standard hashes such as
MD5 (not allowed!), SHA1 (possibly not allowed, at least not for long) and
SHA-2-256 (clearly still allowed and probably in the FIPS validated EVP API).
Then once again use the EVP API to reimplement the formula found in libcrypt
(which uses a non-validated copy of the standard algorithm and is thus not
allowed).

Of course it is possible that one of the large distributions such as Red Hat
may have already done the footwork as part of creating a US government edition
of their Linux distribution. For example, I have heard rumors that most federal
US courts use a case management system running on Red Hat, which would probably
imply that they are using a FIPS validated implementation of the Linux password
encoding formula.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
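Option (b) above, worked through as an added example that is not part of the original message: the libcrypt `$5$` (sha256crypt) formula reimplemented over a standard SHA-256 digest, with Python's `hashlib` standing in for the EVP digest calls. The test vectors are the ones published with the sha256crypt specification; the `rounds=` prefix is emitted only for a non-default round count.

```python
import hashlib

# Custom crypt(3) base64 alphabet (not RFC 4648).
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which glibc's sha256-crypt.c emits the final digest: each
# triple is packed into 24 bits and written as 4 characters, low 6 bits first.
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _repeat(digest: bytes, n: int) -> bytes:
    """Byte string of length n made of whole copies of digest plus a prefix."""
    return (digest * (n // 32 + 1))[:n]


def _b64(value: int, nchars: int) -> str:
    return "".join(B64[(value >> (6 * k)) & 0x3F] for k in range(nchars))


def sha256_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return the $5$ hash string for password/salt, as crypt(3) would."""
    salt = salt[:16]                      # glibc caps the salt at 16 bytes
    plen, H = len(password), hashlib.sha256
    # Digest B = H(pw || salt || pw); digest A absorbs pw, salt, B repeated
    # to the password length, then B or pw for each bit of that length.
    b = H(password + salt + password).digest()
    a = H(password + salt + _repeat(b, plen))
    i = plen
    while i:
        a.update(b if i & 1 else password)
        i >>= 1
    da = a.digest()
    # P and S: fixed-length byte strings derived from pw and salt, so the
    # round loop never touches the password directly.
    p = _repeat(H(password * plen).digest(), plen)
    s = _repeat(H(salt * (16 + da[0])).digest(), len(salt))
    c = da
    for r in range(rounds):               # the cost loop, 5000 by default
        h = H(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64((c[x] << 16) | (c[y] << 8) | c[z], 4) for x, y, z in ORDER)
    enc += _b64((c[31] << 8) | c[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt.decode() + "$" + enc
```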