[strongSwan-dev] NIST 800-131a

Dale H Anderson dalea at us.ibm.com
Mon Nov 5 19:01:41 CET 2012 

Hello Martin.

Thank you for your reply. We currently use the default strongSwan crypto 
routines
and I would prefer to keep using them. The NIST 800-131a mentions that in 
2007,a
new set of RNGs were approved in SP 800-90. Does the default strongSwan 
crypto
routines uses these approved RNGs? Thank you again for your help.

Regards,

Dale

Dale H. Anderson
DS Command Line Interface Architect
Dept.74CA/9032-2, Room 972
9000 S. Rita Road
Tucson, AZ 85744-0002

Tieline: 321- 2629  External: (520) 799-2629
External: mailto:dalea at us.ibm.com



From:
Martin Willi <martin at strongswan.org>
To:
Dale H Anderson/Tucson/IBM at IBMUS
Cc:
dev at lists.strongswan.org
Date:
11/05/2012 07:52 AM
Subject:
Re: [strongSwan-dev] NIST 800-131a



Hello Dale,

> but I did find that the crypto back end is based on libgcrypt.

We support different crypto backends in strongSwan. The default uses our
own crypto routines provided directly by strongSwan. Alternatively you
can use the OpenSSL or the libgcrypt based crypto backends. This can be
configured by passing the appropriate options to the ./configure script.

Additionally to what we use in userspace, you usually make use of the
cryptographic API from the Linux kernel to process ESP packets.

> does this mean that just by specifying the required encryption
> algorithms with the appropriate key lengths for connections, my system
> (currently 4.6.1) will be compliant with the NIST standard?

Yes, the ipsec.conf "esp" and "ike" proposal keywords allow you to
define the algorithms to use, man ipsec.conf for details. Also make sure
to append a "!" to the value of these keywords; this will remove the
fallback to other algorithms supported by your build.

Public key strengths are defined by the keys you configure, or what your
CA issues. In newer strongSwan releases, you can also define additional
public key strength requirements with the left/rightauth options. The
manpage of ipsec.conf has more details.

Regards
Martin



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20121105/7ae83fcf/attachment.html>

More information about the Dev mailing list