Is FreeRADIUS FIPS-140 Compliant?

Modern security and a 27 year-old protocol.

In order to create more secure systems, standards such as FIPS-140 2 are being more widely used. The FIPS standard provides for limits on which cryptographic protocols can be used, along with limits on the way that those protocols can be used. The standard also provides a process for validating and certifying software implementations.

As FreeRADIUS uses cryptographic protocols (e.g. TLS), a natural question is then “Is FreeRADIUS FIPS-140 Compliant?” The answer is:

FreeRADIUS can be used on a FIPS compliant system.

That answer is not necessarily what people like to hear, but it is the most truthful one. To see why, we have to go into some technical background.

The RADIUS protocol was first defined in RFC 2058 in 1997. However, earlier implementations of RADIUS go back to 1993. Given that history, it is safe to assume that the base RADIUS protocol does not use modern cryptographic methods. But what does that mean?

The RADIUS protocol is secured using the MD5 message-digest algorithm. The process used to secure the packets is essentially hashing the packet followed by a secret, and then placing that hash into the packet. Anyone receiving the packet can use the packet and secret to calculate their own version of the hash. If that hash matches what is in the packet, then the packet is considered to be authentic. If the hashes do not match, then the packet is considered to be forged, and is discarded.

The danger with this approach is that MD5 was first broken in 2005. Since then, many other attacks on MD5 have been published. The result of these attacks is that FIPS has long deprecated MD5, and has forbidden it’s use.

Unfortunately, forbidding the use of MD5 makes it impossible to use RADIUS. This limitation has nothing to do with FreeRADIUS, but is instead “baked in” to the base RADIUS protocol. We should also point out that despite MD5 being “broken”, there has not yet been a successful attack on RADIUS. So RADIUS is still secure.

We should also highlight the fact that FreeRADIUS does not implement any cryptographic methods itself (we know our limits). Instead, FreeRADIUS uses OpenSSL to implement all of it’s cryptographic operations. OpenSSL in turn provides for a FIPS module, which is used in multiple Linux distributions. So FreeRADIUS has some sort of relationship with FIPS mode.

The obvious question, then, is “how can RADIUS be used in a FIPS compliant system, if MD5 is deprecated?” The answer is simple, FreeRADIUS just passes a special flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to the OpenSSL APIs! OpenSSL will see the flag, and allow FreeRADIUS to use the “non-FIPS” compliant message digest algorithm, MD5.

That summary is very high level, and is focussed on FreeRADIUS. For a more comprehensive evaluation of FIPS, we recommend an article from Microsoft on the limitations of FIPS. That article discusses a number of caveats and concerns with using FIPS.

So, then, why use FIPS? The simple answer is that FIPS can help prevent the use of insecure cryptographic methods in protocols such as EAP-TLS or PEAP. When FIPS mode in is enabled for systems running FreeRADIUS, it is impossible for EAP-TLS or PEAP to negotiate insecure cryptographic methods with FreeRADIUS.

To close out this article, we should ask again “is FreeRADIUS FIPS compliant?” As we have seen here, the answer to that question is not a simple “yes” or “no”. Instead, we can say that FreeRADIUS is as secure as possible, given the underlying limitations of RADIUS, OpenSSL, and the underlying system. And, that FreeRADIUS can be used on a FIPS compliant system.