possible FIPS changes required

Alan DeKok aland at deployingradius.com
Thu Apr 16 21:56:21 CEST 2009

William Rettig wrote:
> I am facing a requirement for a FIPS-compliant AES Key-wrap function.  I
> have not found support for it in the docs, and I have skimmed the code to
> no avail.  Before I go off and add the feature, I wanted to make sure that
> it is not already there either in whole or in part.

  FreeRADIUS does not yet support the IETF key-wrap document.

> In a nutshell AES Key-wrap is the name of a procedure to encrypt and
> package the Master Key sent to the Access Point in the RADIUS accept packet.

  Hmm... no.  The EAP/802.1X specifications specify that the keys are
put into the MS-MPPE-*-Key attributes.  Those attributes are obfuscated
with MD5 operations, not AES.

> So that I stay within the design intent of FreeRADIUS, I request some
> guidance with an approach that “stays between the lines”.

  As always, patches are welcome.

  Alan DeKok.
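
The MD5-based obfuscation of the MS-MPPE-*-Key attributes mentioned in the reply, as an added example that is not part of the original message or of FreeRADIUS. It follows the salt-encryption scheme of RFC 2548 section 2.4.2; the function names and the sample secret, authenticator and key are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest length; the String field is processed in 16-octet blocks

def _xor_chain(secret, request_auth, salt, data, decrypt):
    """b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)); output block = input block XOR b(i)."""
    out = b""
    prev = request_auth + salt            # first block is keyed on R + A
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(chunk, pad))
        out += block
        prev = chunk if decrypt else block  # always chain on the ciphertext block
    return out

def mppe_key_encrypt(secret, request_auth, key, salt=None):
    """Return the attribute String field: 2-octet salt + obfuscated (length, key, padding)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    plain = bytes([len(key)]) + key       # bytes() rejects keys longer than 255 octets
    plain += b"\x00" * (-len(plain) % BLOCK)
    return salt + _xor_chain(secret, request_auth, salt, plain, decrypt=False)

def mppe_key_decrypt(secret, request_auth, value):
    """Recover the key from a String field produced by mppe_key_encrypt."""
    salt, body = value[:2], value[2:]
    if not body or len(body) % BLOCK:
        raise ValueError("obfuscated field must be a non-empty multiple of 16 octets")
    plain = _xor_chain(secret, request_auth, salt, body, decrypt=True)
    key_len = plain[0]
    if key_len > len(plain) - 1:
        # No integrity check exists in this scheme; a bad length is the only hint.
        raise ValueError("implausible key length (wrong secret or authenticator?)")
    return plain[1:1 + key_len]

if __name__ == "__main__":
    secret = b"testing123"                # constructed shared secret
    req_auth = bytes(range(16))           # constructed Request Authenticator
    msk_half = bytes(range(32))           # constructed 32-octet key
    field = mppe_key_encrypt(secret, req_auth, msk_half)
    print(field.hex())
    print(mppe_key_decrypt(secret, req_auth, field) == msk_half)
```

The only cryptographic primitive involved is MD5 keyed with the RADIUS shared secret, and the scheme carries no integrity check of its own. On a host whose OpenSSL is in FIPS mode, `hashlib.md5` can be refused outright.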
