possible FIPS changes required
aland at deployingradius.com
Thu Apr 16 21:56:21 CEST 2009
William Rettig wrote:
> I am facing a requirement for FIPS compliant AES Key-wrap function. I
> have not found support for it in the docs I have skimmed the code to no
> avail. Before I go off and add the feature, I wanted to make sure that
> it is not already there either in whole or in part.
FreeRADIUS does not yet support the IETF key-wrap document.
> In a nutshell AES Key-wrap is the name of a procedure to encrypt and
> package the Master Key sent to the Access Point in the RADIUS accept packet.
Hmm... no. The EAP/802.1X specifications specify that the keys are
put into the MS-MPPE-*-Key attributes. Those attributes are obfuscated
with MD5 operations, not AES.
> So that I stay within the design intent of FreeRADIUS, I request some
> guidance with an approach that “stays between the lines”.
As always, patches are welcome.
More information about the Freeradius-Devel