Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode

[Paul Moore]

On Wednesday, June 06, 2012 01:56:52 AM Alexander Graf wrote:
> On 06.06.2012, at 01:07, Anthony Liguori wrote:
> > On 06/06/2012 06:06 AM, Paul Moore wrote:
> >> On Tuesday, June 05, 2012 11:51:40 PM Alexander Graf wrote:
> >>> On 05.06.2012, at 23:45, Paul Moore wrote:
> >>>> On Tuesday, June 05, 2012 03:08:26 AM Alexander Graf wrote:
> >>>>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
> >>>>> password is set? I agree with the assessment that we should never
> >>>>> silently drop features. So the best way to make sure that the user
> >>>>> knows
> >>>>> he did something stupid (enable FIPS, but require a non-FIPS compliant
> >>>>> authentication method) would be to just quit, no?
> >>>> 
> >>>> That is basically what the patch does now.  In vnc_display_open() if it
> >>>> detects that the user has supplied a VNC password it prints an error to
> >>>> stderr and returns an error which causes QEMU to exit.
> >>>> 
> >>>> The error message displayed is shown below:
> >>>> 
> >>>> "VNC password auth disabled due to FIPS mode, consider using the
> >>>> VeNCrypt
> >>>> 
> >>>>  or SASL authentication methods as an alernative"
> >>>> 
> >>>> ... which seems pretty obvious to me.  If anyone would prefer something
> >>>> different, let me know.
> >>> 
> >>> No, as long as the spelling is actually correct and not the one above,
> >>> that's perfectly fine.
> >> 
> >> What, not a fan of my "alernative" spelling?  Fixed in the next version
> >> of the patch :)
> >> 
> >>> I just have a habit of not reading the patches I comment on :).
> >> 
> >> If nothing else, it makes the discussions much more interesting :)
> >> 
> >>>> On Tuesday, June 05, 2012 09:23:04 AM Anthony Liguori wrote:
> >>>>> I think my primary requirement is: allow a user to use vnc
> >>>>> authentication
> >>>>> even when fips mode is active by using some command line option.
> >>>> 
> >>>> I'll agree that FIPS mode can be a bit silly in the case of QEMU and
> >>>> VNC
> >>>> but to be honest, that requirement above seems just as silly to me, if
> >>>> not more so.  However, if making this behavior optional is what it
> >>>> takes
> >>>> to get the patch accepted, so be it.
> >>>> 
> >>>> I'll start working on v4 of the patch tomorrow.
> >>> 
> >>> Let's just wait for Anthony to reply ...
> >> 
> >> Fine with me, I've got plenty else to do in the meantime and I don't
> >> think
> >> this is 1.1 material anyway.
> > 
> > What's the actual requirement from FIPS for applications?
> 
> If I understood Roman correctly, there are 2 puzzle pieces to this. One
> (whose name I forgot) is responsible for making sure you use encryption at
> all, which authentication methods (retina scan, fingerprint, etc) are
> allowed and so forth.
> 
> The other one (FIPS) is basically a list of encryption algorithms that are
> deemed OK and not crackable within seconds by anyone.
> 
> Only one of the 2 doesn't help much. In combination they actually enhance
> security. This patch is only about FIPS though.

I don't have much to add beyond what Alex already posted.  FIPS 140-2 outlines 
a set of security requirements for systems implementing cryptography in a 
variety of forms; the full requirements are likely beyond the scope here but 
you can always read the full specification (Google knows where to find the 
document).

The relevant portion appears to be annex A which lists the approved ciphers 
and their approved uses; DES is not listed as an approved cipher and that is 
the main problem we are trying to solve right now.

-- 
paul moore
security and virtualization @ redhat