[strongSwan-dev] NIST SP800-131a

Martin Willi martin at strongswan.org
Wed Jan 16 09:35:36 CET 2013


Hi Dale,

> 1. Does strongSwan 4.6.1 comply with NIST SP800-131a?

I haven't read that spec in detail, but it seems that it just defines
algorithms and key lengths to use for "acceptable" operation.

strongSwan can support many of these algorithms and key lengths, it's
just a matter of configuration. Make sure to define the algorithms you
require in your connections in the "esp" and "ike" proposal keywords,
and append a '!' to disable others (man ipsec.conf for details).

If you are using certificates, generate the the keys with appropriate
key length and sign the certificates with the required hashing
algorithms.

So yes, it should be possible to configure strongSwan for NIST
SP800-131a compliance (but it is also possible to configure it to
violate this spec).

> If the answer is no to all three questions, then we will look into using 
> the OpenSSL or libgcrypt routines with strongSwan.

I don't think that the selection of the crypto backend matters, you can
use weak algorithms or key lengths with any backend.

Regards
Martin





More information about the Dev mailing list