SRP in BCFIPS


SRP in BCFIPS

Melanie Coggan

Hi everyone,

 

We’re currently switching from the standard BouncyCastle JARs (1.55) to the BouncyCastle FIPS JARs. Most of the transition has been pretty smooth, but we’ve run into some issues involving SRP. Specifically, we were using a number of BC SRP classes (e.g. org.bouncycastle.crypto.agreement.srp.SRP6Server, org.bouncycastle.crypto.params.SRP6GroupParameters, org.bouncycastle.crypto.agreement.srp.SRP6Client, org.bouncycastle.crypto.agreement.srp.SRP6Util, etc…) but can’t seem to find any equivalent classes in the FIPS module.

 

Has the SRP implementation in BCFIPS been removed, or has it just been moved to other classes and we’re just not finding it?

 

Thanks for your time!

Melanie Coggan

Senior Software Engineer, CSSLP

Tridium, Inc

 



Re: SRP in BCFIPS

David Hook

Hi Melanie,

The SRP implementation is not in the FIPS library. You will find equivalent classes (I think...) in the bctls jar.

Regards,

David

On 31/01/17 05:14, Coggan, Melanie wrote:

Hi everyone,

 

We’re currently switching from the standard BouncyCastle JARs (1.55) to the BouncyCastle FIPS JARs. Most of the transition has been pretty smooth, but we’ve run into some issues involving SRP. Specifically, we were using a number of BC SRP classes (e.g. org.bouncycastle.crypto.agreement.srp.SRP6Server, org.bouncycastle.crypto.params.SRP6GroupParameters, org.bouncycastle.crypto.agreement.srp.SRP6Client, org.bouncycastle.crypto.agreement.srp.SRP6Util, etc…) but can’t seem to find any equivalent classes in the FIPS module.

 

Has the SRP implementation in BCFIPS been removed, or has it just been moved to other classes and we’re just not finding it?

 

Thanks for your time!

Melanie Coggan

Senior Software Engineer, CSSLP

Tridium, Inc

 



Re: SRP in BCFIPS

Smith, Bill (Tridium)
Do you feel that using the bctls.jar with the fips jar would violate fips compliance?


On Feb 1, 2017, at 6:08 PM, David Hook <[hidden email]> wrote:


Hi Melanie,

The SRP implementation is not in the FIPS library. You will find equivalent classes (I think...) in the bctls jar.

Regards,

David


RE: SRP in BCFIPS

Melanie Coggan

Thank you David.

 

Do you happen to know whether the SRP classes are FIPS compliant when used with the BCFIPS provider?

 

Thanks again,

-Melanie

 

From: David Hook [mailto:[hidden email]]
Sent: Wednesday, February 01, 2017 6:08 PM
To: Coggan, Melanie <[hidden email]>; [hidden email]
Subject: Re: [dev-crypto] SRP in BCFIPS

 


Hi Melanie,

The SRP implementation is not in the FIPS library. You will find equivalent classes (I think...) in the bctls jar.

Regards,

David


Re: SRP in BCFIPS

David Hook

Hi Melanie,

NIST don't provide CAVP testing for SRP-6, so in as much as it can be FIPS compliant, if you are using the BCFIPS provider it will be, as it will be built on a FIPS compliant provider.

I'm not sure what the NIST position on the actual protocol is though as it is a password authenticated key agreement - password authenticated shouldn't cause any issues, but the key agreement aspect might. You need to check what the situation is for your application - at the moment I really don't know.

Regards,

David

On 04/02/17 00:50, Coggan, Melanie wrote:

Thank you David.

 

Do you happen to know whether the SRP classes are FIPS compliant when used with the BCFIPS provider?

 

Thanks again,

-Melanie

 
