[7481] in Kerberos
Federal systems and Kerberos
daemon@ATHENA.MIT.EDU (Gene Hilborn)
Thu Jun 13 22:38:59 1996
To: kerberos@MIT.EDU
Date: Thu, 13 Jun 1996 18:54:23 -0400
From: Gene Hilborn <ghilborn@csc.com>

Background:
Kerberos uses the Data Encryption Standard (DES) specified in Federal Information
Processing Standard Publication (FIPSPUB) 46-2 to encrypt information, manage keys, and
authenticate the integrity and source of data over a network.
The FIPS specifies the use of the Data Encryption Standard (DES - FIPSPUB 46-2) to
encrypt sensitive but unclassified information in Federal information systems.
While the algorithm is the main standard, there are also related companion standards:
- DES MODES OF OPERATION (FIPSPUB 81)
- GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD (FIPSPUB 74)
- SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES (FIPSPUB 140-1)
- COMPUTER DATA AUTHENTICATION (FIPSPUB 113)
- KEY MANAGEMENT USING ANSI X9.17 (FIPSPUB 171)

Issue:
While Kerberos seems to comply with the general intent and spirit of these FIPS, I am
looking for anyone who can cite a case or agency where there was an "official
determination" that Kerberos in any version, product, or as part of a system, complied
with all these FIPS. Unless there was an official waiver of the FIPS, any decision to
operate using Kerberos to secure sensitive information would seem to constitute such an
"official determination." Has NIST been asked the question of Kerberos compliance?

Gene Hilborn
ghilborn@csc.com