FIPS compliant packages

Hello all,

I am writing some security documentation for work.  A question came up
about whether or not the Linux security packages used for
authentication (krb5) and key management (RSA/DSA for SSH) were FIPS

I don't really know.  I know that Kerberos v5 is FIPS compliant and I
know that SSH v2 is FIPS compliant.  However, are the Linux packages
FIPS compliant?

Any ideas how I would verify if they are or not?
Would they be compliant because the underlying algorithm is compliant?

Thanks for any insight.

Re: FIPS compliant packages


This is only a partial answer, but if something (a software
product, or an implementation of an algorithm) is on the
FIPS validation list ( /),
that's a good sign.

To email me, substitute nowhere->spamcop, invalid->net.

Re: FIPS compliant packages

The OSSI has put the OpenSSL package through FIPS compliance testing
although there has been some controversy. The certification is just to level

FIPS compliance is, as those who deal with the US government know, a
big hurdle. There are not a lot of products which conform as the
compliance list shows. Ideally, I think, the security aspects of Linux
to include an encrypting file system, OpenSSL could receive
certification opening up opportunities not only for Linux on general
machines but embedded into routers and other network appliances. The
opportunities for a system, like the Linksys consumer routers marketed
as a way to "secure" other commercial systems and sensors would be huge.
