Towards FIPS 140-X Compliance

• MD5 usage addressed in iRODS 5.1.0:
  • Signed zone keys for server-to-server authentication
    • Introduced zone_key_signing_hash_scheme configuration
  • Hashing rulebases and delay rules (SHA256)
  • mockarchive resource physical paths (SHA256)
• Other MD5 usage: checksums and native authentication

irods authentication - Objectives and Features

New built-in authentication scheme with the following objectives:

• Secure password storage
• Time-limited, token-based authentication
• TLS required
• FIPS 140-X compliant (no MD5)

Opt-in for iRODS 5. Default for iRODS 6. native removed in iRODS 7.

irods authentication - Usage and Password Management

• Use password to get session token for authentication
  • Users set "irods_authentication_scheme" to "irods"
  • ~/.irods/.irods_secrets file holds returned session token
• Set user passwords as normal (no-scramble prevents MD5)

  • ipasswd --no-scramble

  • iadmin moduser alice password apass no-scramble

• irods auth passwords and tokens can be cleared

  • iadmin moduser alice remove_password

  • iadmin remove_session_tokens expired alice

• Script to clear legacy/native passwords packaged with 5.1.0

irods authentication - Grid Configurations

The following were added to the "authentication" namespace:

• password_hashing_parameters: JSON which configures KDF
  • Key derivation "algorithm" (only scrypt supported)
  • "parameters" are specific to the chosen algorithm
    • scrypt: keylen, CPU/memory cost, block size, parallelization
• password_storage_mode: controls password-setting behavior
  • "legacy" (default/native), "hashed" (irods), "both"
• token_lifetime_in_seconds: controls session timeouts (like TTL)