FIPS feature
Alan DeKok
aland at deployingradius.com
Tue Apr 28 18:29:46 CEST 2009
William Rettig wrote:
> My boss has asked me to add a FIPS feature to FreeRADIUS.

OK.

> It really doesn’t amount to much at this point. We think that FIPS mode
> requires two additional things:
>
> 1) Use of HMAC-SHA1 MAC (vendor neutral)

For... what? The TLS methods?

> 2) AES Key Wrap of the MSK in the Access-Accept (attribute format
> is vendor specific - but feature could be mostly generic).

That won't be supported by most NASes, but OK.

> Is this something that could be supported moving forward?

Sure. Submit a patch.

> Would someone be willing to direct my efforts?

My suggestion for the AES keywrap is to write a module that takes the
existing MSK, creates the keywrapped attributes, and then (possibly)
deletes the original MSK.

Alan DeKok.
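
The module flow suggested in the message above (take the MSK, add a keywrapped attribute, optionally delete the original), as an added sketch that is not part of the original message and not FreeRADIUS code. It assumes the third-party Python `cryptography` package for RFC 3394 AES Key Wrap, a reply modelled as a plain dict, and a hypothetical attribute name `Example-Vendor-Keywrapped-MSK`, since the thread does not give the vendor format.

```python
# Added illustration, not FreeRADIUS code. Needs the "cryptography" package.
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)

# Hypothetical name: the real attribute format is vendor specific.
WRAPPED_ATTR = "Example-Vendor-Keywrapped-MSK"
# Assumption: the 64-octet MSK is carried as these two 32-octet halves,
# Recv-Key first, then Send-Key.
MSK_ATTRS = ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key")


def wrap_msk(reply, kek, delete_original=True):
    """Return a copy of `reply` carrying the MSK as an AES Key Wrap blob."""
    if len(kek) not in (16, 24, 32):
        raise ValueError("KEK must be an AES-128/192/256 key")
    missing = [a for a in MSK_ATTRS if a not in reply]
    if missing:
        raise KeyError(f"reply has no MSK material: {missing}")
    msk = reply[MSK_ATTRS[0]] + reply[MSK_ATTRS[1]]
    if len(msk) != 64:
        raise ValueError("expected a 64-octet MSK")
    out = dict(reply)
    # Output is the 64 key octets plus an 8-octet integrity check value.
    out[WRAPPED_ATTR] = aes_key_wrap(kek, msk)
    if delete_original:
        for attr in MSK_ATTRS:
            del out[attr]
    return out


def unwrap_msk(reply, kek):
    """Receiver side: return the MSK, or None if the integrity check fails."""
    try:
        return aes_key_unwrap(kek, reply[WRAPPED_ATTR])
    except InvalidUnwrap:
        return None


# Constructed sample values, not real keys.
KEK = bytes(range(16))
SAMPLE_REPLY = {
    "User-Name": b"bob",
    "MS-MPPE-Recv-Key": bytes(range(0x00, 0x20)),
    "MS-MPPE-Send-Key": bytes(range(0x20, 0x40)),
}

if __name__ == "__main__":
    wrapped = wrap_msk(SAMPLE_REPLY, KEK)
    print(sorted(wrapped), len(wrapped[WRAPPED_ATTR]))
```

Passing `delete_original=False` keeps the original MSK attributes alongside the wrapped one, which matches the "(possibly)" in the suggestion.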