Impose limits to HMAC and KMAC key size to be at least 112 bits #223

Open
Tracked by #237
paulidale opened this issue Sep 25, 2023 · 6 comments
Labels
FIPS FIPS related

Comments

@paulidale

paulidale commented Sep 25, 2023

Restrict HMAC and KMAC key sizes below 112 bits. There is no official guidance on this but it is something KeyPair has learnt from the CMVP.

This will need to be optional but enforced with the pedantic setting.

@paulidale paulidale self-assigned this Sep 25, 2023
@paulidale paulidale linked a pull request Oct 3, 2023 that will close this issue
2 tasks
@paulidale paulidale changed the title Impose mandated limited to KMAC Impose mandated limits to KMAC Oct 3, 2023
@paulidale paulidale added the FIPS FIPS related label Oct 4, 2023
@t8m t8m changed the title Impose mandated limits to KMAC Impose mandated limits to HMAC and KMAC Dec 12, 2023
@t8m t8m changed the title Impose mandated limits to HMAC and KMAC Impose limits to HMAC and KMAC key size to be at least 112 bits Dec 12, 2023
@slontis
Member

slontis commented Jan 18, 2024

Not sure why openssl/openssl#22256 was closed

@slontis
Member

slontis commented Jan 18, 2024

If these become configurable then indicators may be necessary

@t8m
Member

t8m commented Jan 18, 2024

> If these become configurable then indicators may be necessary

We do not have indicators for the other configurable checks.

@paulidale
Author

We need indicators. The current approach to the 140-3 approval is not sustainable.
I've a good idea how to do them but it will take a fair amount of effort to implement.

@slontis
Member

slontis commented Mar 14, 2024

openssl/openssl#23833 is kind of related (HKDF self test changed to use 112 bit key)

@nhorman
Contributor

nhorman commented Apr 22, 2024

This is currently blocked on our FIPS 140-3 indicator design
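
The behaviour discussed in this thread (a 112-bit key floor that is optional but enforced under a pedantic setting, with an indicator when it is not enforced), as an added Python example. It is not OpenSSL or FIPS provider code; `checked_hmac`, `MacResult`, its `approved` field and the `pedantic` parameter are hypothetical names chosen for illustration.

```python
import hmac
from dataclasses import dataclass

MIN_KEY_BITS = 112  # threshold named in the issue title


class KeyTooShortError(ValueError):
    """Raised in pedantic mode when the MAC key is under MIN_KEY_BITS."""


@dataclass(frozen=True)
class MacResult:
    tag: bytes
    approved: bool  # hypothetical per-operation indicator


def checked_hmac(key: bytes, msg: bytes, digest: str = "sha256",
                 pedantic: bool = True) -> MacResult:
    """Compute an HMAC while applying the 112-bit key floor.

    pedantic=True:  a key shorter than MIN_KEY_BITS is refused outright.
    pedantic=False: the tag is still computed, but approved=False tells
                    the caller the operation fell outside the limit.
    """
    key_bits = len(key) * 8  # the limit is stated in bits, keys arrive as bytes
    approved = key_bits >= MIN_KEY_BITS
    if not approved and pedantic:
        raise KeyTooShortError(
            f"HMAC key is {key_bits} bits; minimum is {MIN_KEY_BITS}")
    tag = hmac.new(key, msg, digest).digest()
    return MacResult(tag=tag, approved=approved)


if __name__ == "__main__":
    # Constructed sample keys: 14 bytes is exactly 112 bits, 13 bytes is 104.
    ok_key, short_key = b"k" * 14, b"k" * 13
    print(checked_hmac(ok_key, b"msg").approved)
    print(checked_hmac(short_key, b"msg", pedantic=False).approved)
    try:
        checked_hmac(short_key, b"msg")
    except KeyTooShortError as exc:
        print("rejected:", exc)
```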

Projects
Status: Blocked