RADIUS对MD5算法的使用是否使其未针对允许RADIUS身份验证的应用进行FIPS验证? [英] Does RADIUS’s use of the MD5 algorithm make it not FIPS validated for an application that allows RADIUS authentication?

问题描述

问题是，如果您在Windows安全策略设置中强制执行FIPS验证的加密，则将引发异常，因为RADIUS协议使用MD5算法对请求身份验证器进行哈希处理.没有经过FIPS验证的另一种MD5算法，因此在提供FIPS验证的密码的机器上，似乎没有RADIUS的任何代码实现.

The issue is if you enforce FIPS validated cryptography in the Windows security policy settings, an exception will be thrown because RADIUS protocol uses the MD5 algorithm to hash the request authenticator. There is not an alternative MD5 algorithm that is FIPS validated so it does not appear any code implementation of RADIUS would be possible on a machine providing FIPS validated cryptography.

这是否意味着RADIUS与FIPS验证互斥?

Does this mean RADIUS is mutually exclusive with FIPS validation?

该代码实现了官方RFC( http://tools.ietf所指定的RADIUS协议. org/html/rfc2865 ).

The code implements the RADIUS protocol as specified by the official RFC (http://tools.ietf.org/html/rfc2865).

推荐答案

在Windows中启用FIPS验证的加密时，您断言现在将仅使用FIPS验证的加密和哈希算法.更具体地说，只有经过验证的Windows中的加密模块才允许用户使用经过批准的FIPS算法.可接受的算法列表在附录A:FIPS PUB的批准安全功能中定义140-2，密码模块的安全要求.

When you enable FIPS validated cryptography in Windows, you're asserting that you are now going to use only the FIPS-validated encryption and hash algorithms. More specifically, it's the cryptographic module in Windows that has been validated only to allow users to use approved FIPS algorithms. The list of acceptable algorithms is defined in Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules.

MD5不是批准的哈希算法，因此不，应用程序无法使用它.对于散列，您仅限于SHA系列算法.因此基于MD5的Radius退出了市场，因为它无法使用经过FIPS验证的安全模块中的MD5.

MD5 is not an approved hash algorithm, so no, applications cannot use it. For hashing, you're limited to the SHA family of algorithms. So MD5-based Radius is out because it cannot use MD5 from a FIPS-validated security module.

如果仔细阅读FIPS验证的模块，您可能会注意到有些人将MD5声明为未经批准的算法.这意味着经过认证的模块在内部使用MD5，但不向应用程序公开功能或将其用于通讯.例如，运行嵌入式linux的硬件加密模块可以使用MD5对/etc/passwd中的密码进行哈希处理.可以，因为该模块的用户无法使用MD5.

If you peruse the FIPS-validated modules, you may notice that some declare MD5 as a non-approved algorithm. What this means is that the certified module internally uses MD5, but does not expose the functionality to applications, or use it for communication. For example, a hardware encryption module running embedded linux may use MD5 to hash passwords in /etc/passwd. That's OK because users of the module cannot use MD5.

这篇关于RADIUS对MD5算法的使用是否使其未针对允许RADIUS身份验证的应用进行FIPS验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！