glen beasley wrote:
Nelson B wrote:
What is the min/max password length when the module is operating in
FIPS 140-2 mode?
Wan-Teh will have to answer that. I think it has changed recently.
It seems that the requirements have changed since the last time NSS was
FIPS 140 evaluated, or at least our new test lab interprets them very
differently.
see: http://wiki.mozilla.org/Security_Policy#Specification_of_Roles
In FIPS mode, the NSS cryptographic module imposes the following
requirements on the password.
* The password must be at least seven characters long.
* The password must consist of characters from three or more
character classes. We define five character classes: digits (0-9), ASCII
lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric
characters (such as space and punctuation marks), and non-ASCII
characters. If an ASCII uppercase letter is the first character of the
password, the uppercase letter is not counted toward its character
class. Similarly, if a digit is the last character of the password, the
digit is not counted toward its character class.
Hrm...NSS 3.11.2 is *definitely* not enforcing this. Today I went
through our code and changed the password from "test" (which was working
just fine) to "password" (which is now working just fine) on all of our
databases. I'll wait for Wan-Teh to chime in before I go changing to
the even stricter version. Maybe this is something that will only
happen once 3.11.5 (the wiki says that's the version reserved for FIPS
approval) is out.
I've read in the past somewhere something about needing to enforce
the minimum password length for FIPS mode in the future as it's not
being done now. I have some modules in FIPS mode and when I query
the minimum password length with PK11_GetMinimumPwdLength it reports
7 but I am currently using a password of length 4 and everything is
working just fine.
That doesn't sound right (to me).
Are you sure you're running in FIPS mode?
$ modutil -list -dbdir certs
Using database directory certs...
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal FIPS PKCS #11 Module
slots: 1 slot attached
status: loaded
slot: NSS FIPS 140-2 User Private Key Services
token: NSS FIPS 140-2 Certificate DB
The above is output from one of our databases, but all but one (for
testing purposes) are in FIPS mode because we explicitly added a check,
PK11_IsFIPS(), and the code throws an error if a database is not
operating in FIPS mode.
Thanks,
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
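The password rules quoted from the wiki above (seven characters minimum, three of five character classes, with a leading ASCII uppercase letter and a trailing digit not counted toward their classes) are easy to get subtly wrong, and the thread shows that the version of NSS in use may not enforce them at all. The following is an added, stand-alone C example written for this page; it is not NSS code and does not call the NSS API. It implements the quoted policy as an application-side pre-check so that a password can be validated before it is handed to the module, regardless of whether that module version enforces the rule. Assumptions: the password is a NUL-terminated byte string, length is counted in bytes, and any byte with the high bit set is treated as belonging to the "non-ASCII" class (which is how UTF-8 text would be classified byte by byte). The sample passwords in main() are constructed for illustration; only "test" and "password" come from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimum length stated in the quoted NSS FIPS policy text. */
#define FIPS_MIN_PW_LEN 7
/* The quoted policy requires characters from three or more of five classes. */
#define FIPS_MIN_CLASSES 3

/* The five character classes named in the quoted policy. */
enum pw_class {
    PW_DIGIT = 0,
    PW_LOWER,
    PW_UPPER,
    PW_OTHER_ASCII,   /* space, punctuation, other non-alphanumeric ASCII */
    PW_NON_ASCII,
    PW_NUM_CLASSES
};

/* Assumption: classification is per byte; any byte >= 0x80 is "non-ASCII". */
static enum pw_class classify(unsigned char c)
{
    if (c >= 0x80)             return PW_NON_ASCII;
    if (c >= '0' && c <= '9')  return PW_DIGIT;
    if (c >= 'a' && c <= 'z')  return PW_LOWER;
    if (c >= 'A' && c <= 'Z')  return PW_UPPER;
    return PW_OTHER_ASCII;
}

/* Number of distinct character classes present, applying the policy's two
 * exceptions: an uppercase letter in the first position and a digit in the
 * last position do not count toward their class. */
int fips_pw_class_count(const char *pw)
{
    size_t len = strlen(pw);
    bool seen[PW_NUM_CLASSES] = { false };

    for (size_t i = 0; i < len; i++) {
        enum pw_class cls = classify((unsigned char)pw[i]);
        if (i == 0 && cls == PW_UPPER)
            continue;                       /* leading uppercase: not counted */
        if (i == len - 1 && cls == PW_DIGIT)
            continue;                       /* trailing digit: not counted */
        seen[cls] = true;
    }

    int n = 0;
    for (int k = 0; k < PW_NUM_CLASSES; k++)
        n += seen[k] ? 1 : 0;
    return n;
}

/* True if pw satisfies both the minimum length and the class requirement. */
bool fips_pw_acceptable(const char *pw)
{
    if (strlen(pw) < FIPS_MIN_PW_LEN)
        return false;
    return fips_pw_class_count(pw) >= FIPS_MIN_CLASSES;
}

int main(void)
{
    /* Constructed samples; "test" and "password" are the values the thread
     * mentions, the rest illustrate the two counting exceptions. */
    const char *samples[] = {
        "test",        /* too short, one class                       */
        "password",    /* long enough, but a single class            */
        "Password1",   /* leading 'P' and trailing '1' are not counted */
        "pa$sw0rd",    /* lower + punctuation + digit (not last)       */
        "aB-cde1",     /* exactly 7 bytes, 'B' counts, '1' does not    */
        "caf\xc3\xa9-7x" /* includes non-ASCII bytes (UTF-8 e-acute)   */
    };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        printf("%-14s classes=%d  %s\n", samples[i],
               fips_pw_class_count(samples[i]),
               fips_pw_acceptable(samples[i]) ? "acceptable" : "rejected");
    }
    return 0;
}
```

The check is deliberately independent of the module: a caller can run it first and still query the module's own minimum with PK11_GetMinimumPwdLength (the real NSS function mentioned in the thread), since the two may disagree across NSS versions, as the thread reports for 3.11.2.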