Issue 209 in google-authenticator: FIPS 140-2 Compliance?


google-aut...@googlecode.com

Sep 19, 2012, 10:12:20 AM
to google-authen...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 209 by mboorsht...@gmail.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

What steps will reproduce the problem?
N/A
What is the expected output? What do you see instead?
N/A

What version of the product are you using? On what operating system?
2.x, any OS

Please provide any additional information below.
Working with a large government agency for using Google Authenticator for
2FA for internet users that either don't have PIV cards or can't use them.
My understanding is that FIPS 140-2 compliance is based on the OS'
underlying libraries. Is this correct?




google-aut...@googlecode.com

Sep 19, 2012, 10:44:31 AM
to google-authen...@googlegroups.com
Updates:
Owner: klyu...@google.com
Labels: -Type-Defect Type-Enhancement

Comment #1 on issue 209 by klyu...@google.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

No, Google Authenticator (Android, BlackBerry, or iOS one) has not gone
through FIPS 140-2 certification.

The certification is based not just on the underlying OS/framework
libraries. The first step is to define what is being certified -- what
constitutes the so-called "cryptography module" -- and it doesn't make
sense to exclude the app (or parts thereof) from being part of the module.

google-aut...@googlecode.com

Sep 19, 2012, 10:48:57 AM
to google-authen...@googlegroups.com

Comment #2 on issue 209 by mboorsht...@gmail.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

Thanks. Our security personnel have said that as long as the app uses FIPS
140-2 certified modules and algorithms then we can use it. While I haven't
tried it yet, I see SHA-512 is supported. So a better question is, does
Google Authenticator use its own crypto libraries or just the OS'? (i.e. does
the BlackBerry version only use the internal BlackBerry crypto APIs or does
it use its own library for crypto?)

Thanks
Marc

google-aut...@googlecode.com

Sep 19, 2012, 10:55:13 AM
to google-authen...@googlegroups.com

Comment #3 on issue 209 by klyu...@google.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

The app uses HMAC with SHA-1 (provided by the platform) to generate
verification codes from secret keys. However, this does not automatically
make the app (or even verification code generation in the app) FIPS 140-2
certified. I cannot comment on whether the platform-provided implementation
of the algorithms is FIPS 140-2 certified (in most cases it probably is
not) or whether the way these algorithms are exposed to Google
Authenticator and the way they are used by the app breaks their FIPS 140-2
certification (if any).

google-aut...@googlecode.com

Oct 23, 2012, 10:20:55 AM
to google-authen...@googlegroups.com
Updates:
Status: Done

Comment #4 on issue 209 by klyu...@google.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

(No comment was entered for this change.)

google-aut...@googlecode.com

Nov 22, 2012, 10:43:22 PM
to google-authen...@googlegroups.com

Comment #5 on issue 209 by dharma.s...@gmail.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

Hi klyu,

We are doing the PCI DSS Level 1 compliance process right now and we are using
Google Authenticator for two-factor authentication.
Our QSA (Assessor) is asking about the security of Google Authenticator
because it is not FIPS 140-2 certified.
How should we address this? What are the security details of Google
Authenticator?

Thank you.

Kind regards,
Dharma

google-aut...@googlecode.com

Nov 23, 2012, 2:56:10 PM
to google-authen...@googlegroups.com

Comment #6 on issue 209 by klyu...@google.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

Security details of Google Authenticator are not documented.

google-aut...@googlecode.com

Mar 22, 2014, 10:57:51 PM
to google-authen...@googlegroups.com

Comment #7 on issue 209 by hungry.r...@gmail.com: FIPS 140-2 Compliance?
http://code.google.com/p/google-authenticator/issues/detail?id=209

I'm not sure it really matters. #1, it uses hashing, not encryption; all
FIPS means in this case is that you are using a FIPS-compliant hash, which
SHA1 is, and according to web documents, HMAC-SHA1 is as well. #2, I'm not
sure the generator is going to matter as long as the validator IS
compliant, because if the generator is not and the validator is, the
generated code will not work in the application/device that is validating
it.
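As an added example (not Google Authenticator's own code), the HMAC-SHA1 verification-code generation described in comment #3 and the generator/validator agreement point raised in comment #7, written in Python. Python's hmac/hashlib stand in for the "platform-provided" implementation; DEMO_SECRET is the RFC 4226 / RFC 6238 test key, and a 6-digit, 30-second TOTP is assumed. Whether any of this is FIPS 140-2 certified is a property of the module boundary, as comment #1 explains, not of the algorithm, so nothing in the code settles that question.

```python
import hmac
import struct

# RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
# then reduce modulo 10^digits. Google Authenticator uses HMAC-SHA1 (comment #3).
def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, **kwargs) -> str:
    return hotp(secret, unix_time // step, **kwargs)

# Validator side (comment #7): fixed to HMAC-SHA1 and 6 digits, tolerates one step
# of clock skew either way, and compares in constant time. A generator that uses a
# different algorithm or length simply never matches.
def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    for delta in range(-window, window + 1):
        expected = hotp(secret, unix_time // step + delta)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

# Constructed demo secret: the RFC 4226 / RFC 6238 test key, ASCII "12345678901234567890".
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 reference vector: T=59 with SHA-1 yields 94287082 (8 digits).
    print(totp(DEMO_SECRET, 59, digits=8))
    # The SHA-1 validator accepts the SHA-1 generator's code ...
    print(verify_totp(DEMO_SECRET, totp(DEMO_SECRET, 59), 59))
    # ... and rejects a code from a generator that switched to HMAC-SHA256.
    print(verify_totp(DEMO_SECRET, totp(DEMO_SECRET, 59, algorithm="sha256"), 59))
```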
