WPA3 SAE and FIPS 140-3
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Fri Jul 8 14:14:33 PDT 2022
On Tue, 5 Jul 2022, Alan DeKok wrote:
> On Jul 5, 2022, at 3:24 PM, James Ralston <ralston at pobox.com> wrote:
>> If you are required to run your Wi-Fi client in FIPS mode, where the
>> cryptographic libraries that wpa_supplicant calls will fail an attempt
>> to call a cryptographic function forbidden by FIPS (or a FIPS-approved
>> function but with parameters forbidden by FIPS), unfortunately, I
>> think you will find that you will be unable to connect / authenticate
>> to many Wi-Fi networks.
>
> EAP-TLS will work. But if the EAP packets are carried over RADIUS, RADIUS uses MD5, which isn't FIPS compliant.
Hostapd/wpa_supplicant provide a private implementation of MD5, which
is used by the RADIUS implementation.
> These issues are the same for RADIUS servers, which is why I've
> spent too much time looking into them. Any hard-line approach to
> FIPS means that RADIUS won't work, and many EAP methods won't work.
> Which severely limits your choices for network access.
At least looking at FIPS 140-2 (which I am still on the early-side of
so not much personal experience yet), I found that several products
using RADIUS had achieved certification by only supporting EAP
protocols which provide secure encryption using TLS. In fact, this
appears to be the common approach.
Obviously any authentication which depends on crypto which does not
meet FIPS requirements is never going to be allowed.
Bob
--
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
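The point made above, that EAP-over-RADIUS depends on MD5 regardless of the EAP method, is easy to see in the packet format. The following is an added illustration, not code from the thread or from hostapd/wpa_supplicant: it builds and verifies the RFC 2865 Response Authenticator (plain MD5) and the RFC 2869/3579 Message-Authenticator attribute (HMAC-MD5) that RADIUS requires whenever EAP-Message is carried, using Python's hashlib rather than a private MD5. The shared secret, Request Authenticator and EAP bytes are constructed sample values. The last function shows the library-level refusal the thread describes: on Python 3.9+ linked against a FIPS-mode OpenSSL, `hashlib.md5(..., usedforsecurity=True)` raises `ValueError`; a bundled MD5 like hostapd's sidesteps that refusal at the library level.

```python
"""Added example: RADIUS integrity fields are built on MD5 even when the EAP
method inside (e.g. EAP-TLS) uses only FIPS-approved algorithms.
All secrets and authenticators below are constructed sample values."""
import hashlib
import hmac
import struct

RADIUS_HEADER_LEN = 20           # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_EAP_MESSAGE = 79            # RFC 2869 section 5.13
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14; required with EAP-Message (RFC 3579)


def encode_attribute(attr_type, value):
    """RADIUS TLV: Type(1) Length(1, counts the 2-byte header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = RADIUS_HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, attributes, request_authenticator, secret):
    """Server side: stamp a reply with the Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    length = RADIUS_HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Client side: a reply whose authenticator does not verify must be silently discarded."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attributes = packet[RADIUS_HEADER_LEN:length]
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(packet[4:RADIUS_HEADER_LEN], expected)


def build_access_request(identifier, eap_payload, secret, request_authenticator):
    """Access-Request carrying EAP-Message plus the mandatory HMAC-MD5 Message-Authenticator.
    The HMAC is computed over the whole packet with the attribute value zeroed."""
    attrs = encode_attribute(ATTR_EAP_MESSAGE, eap_payload)
    placeholder = encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = RADIUS_HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Walk the attribute list, locate Message-Authenticator, recompute HMAC-MD5 with it zeroed."""
    offset = RADIUS_HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False  # absent: RFC 3579 requires it whenever EAP-Message is present


def md5_usable_for_security():
    """True if this runtime's hashlib will hash with MD5 for security purposes,
    False if a FIPS-mode OpenSSL refuses (ValueError), None on Python < 3.9
    where the usedforsecurity flag does not exist."""
    try:
        hashlib.md5(b"", usedforsecurity=True)
    except ValueError:
        return False
    except TypeError:
        return None
    return True


if __name__ == "__main__":
    secret = b"constructed-example-secret"       # constructed sample value
    request_auth = bytes(range(16))              # constructed; real clients use random bytes
    eap_identity_response = b"\x02\x01\x00\x05\x01"  # constructed EAP Response/Identity header
    req = build_access_request(7, eap_identity_response, secret, request_auth)
    print("Message-Authenticator verifies:", verify_message_authenticator(req, secret))
    resp = build_response(CODE_ACCESS_ACCEPT, 7, encode_attribute(ATTR_EAP_MESSAGE, b"\x03\x01\x00\x04"),
                          request_auth, secret)
    print("Response Authenticator verifies:", verify_response(resp, request_auth, secret))
    print("MD5 usable for security in this runtime:", md5_usable_for_security())
```

Both checks are the ones a RADIUS client must perform before trusting a reply, and both are MD5-based by specification; that is why a hard-line FIPS library policy breaks RADIUS transport even when the EAP conversation inside it is TLS.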