Towards FIPS 140-X Compliance

  • MD5 usage addressed in iRODS 5.1.0:
    • Signed zone keys for server-to-server authentication
      • Introduced zone_key_signing_hash_scheme configuration
    • Hashing rulebases and delay rules (SHA256)
    • mockarchive resource physical paths (SHA256)
  • Other MD5 usage: checksums and native authentication

irods authentication - Objectives and Features

New built-in authentication scheme with the following objectives:

  • Secure password storage
  • Time-limited, token-based authentication
  • TLS required
  • FIPS 140-X compliant (no MD5)

Opt-in for iRODS 5. Default for iRODS 6. native removed in iRODS 7.

irods authentication - Usage and Password Management

  • Use password to get session token for authentication
    • Users set "irods_authentication_scheme" to "irods"
    • ~/.irods/.irods_secrets file holds returned session token
  • Set user passwords as normal (no-scramble prevents MD5)
    • ipasswd --no-scramble
    • iadmin moduser alice password apass no-scramble
  • irods auth passwords and tokens can be cleared
    • iadmin moduser alice remove_password
    • iadmin remove_session_tokens expired alice
  • Script to clear legacy/native passwords packaged with 5.1.0

irods authentication - Grid Configurations

The following were added to the "authentication" namespace:

  • password_hashing_parameters: JSON which configures KDF
    • Key derivation "algorithm" (only scrypt supported)
    • "parameters" are specific to the chosen algorithm
      • scrypt: keylen, CPU/memory cost, block size, parallelization
  • password_storage_mode: controls password-setting behavior
    • "legacy" (default/native), "hashed" (irods), "both"
  • token_lifetime_in_seconds: controls session timeouts (like TTL)
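
The flow these settings govern, as an added example that is not iRODS code: a password is hashed with scrypt under the configured parameters, then exchanged for a session token that stops working after token_lifetime_in_seconds. The key names inside "parameters", the record layout, the in-memory token table and all function names are assumptions made for this example.

```python
import hashlib, hmac, os, secrets, time

# Constructed settings. "algorithm", "parameters" and token_lifetime_in_seconds
# are named on the slide; the keys inside "parameters" are assumptions that
# mirror hashlib.scrypt's arguments, not iRODS's schema.
CONFIG = {
    "password_hashing_parameters": {
        "algorithm": "scrypt",
        "parameters": {"dklen": 64, "n": 16384, "r": 8, "p": 1},
    },
    "token_lifetime_in_seconds": 3600,
}
MAXMEM = 64 * 1024 * 1024  # scrypt needs roughly 128 * n * r bytes (16 MiB here)

def _scrypt(password, salt, prm):
    return hashlib.scrypt(password.encode(), salt=salt, n=prm["n"], r=prm["r"],
                          p=prm["p"], dklen=prm["dklen"], maxmem=MAXMEM)

def hash_password(password):
    cfg = CONFIG["password_hashing_parameters"]
    if cfg["algorithm"] != "scrypt":
        raise ValueError("only scrypt is supported")
    salt = os.urandom(16)  # fresh random salt per password
    prm = dict(cfg["parameters"])
    # Keep salt and cost parameters with the hash so old records still verify
    # after the grid-wide parameters are raised.
    return {"salt": salt, "params": prm, "hash": _scrypt(password, salt, prm)}

def verify_password(password, record):
    candidate = _scrypt(password, record["salt"], record["params"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

def login(tokens, user, password, record, now=None):
    """Exchange a password for a session token; None on a bad password."""
    if not verify_password(password, record):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    tokens[token] = (user, now + CONFIG["token_lifetime_in_seconds"])
    return token

def check_token(tokens, token, now=None):
    """Return the user for a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    user, expires = tokens.get(token, (None, 0))
    return user if now < expires else None
```

Storing the cost parameters beside each hash is what lets an administrator raise them later without invalidating existing passwords.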