Java Driver / JAVA-5507

SCRAM-SHA-256 looks to be not FIPS compliant

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 5.2.0
    • Affects Version/s: None
    • Component/s: Authentication
    • Java Drivers
    • Documentation Changes: Needed

      1. What would you like to communicate to the user about this feature?

      The driver now delegates the implementation of the PBKDF2WithHmacSHA1/PBKDF2WithHmacSHA256 algorithms needed to implement the SCRAM-SHA-1/SCRAM-SHA-256 auth mechanisms to the configured JCA provider. There is no behavioral change, but it means that the driver is no longer implementing a cryptographic primitive, so if the application has configured a FIPS-compliant JCA provider, that provider will be used by the application, thus improving FIPS compliance for the application.

      2. Would you like the user to see examples of the syntax and/or executable code and its output?

      No, there are no application code changes required. This is an internal change to the driver.

      3. Which versions of the driver/connector does this apply to?

      Java/Scala/Kotlin sync/reactive 5.2.0+


      Summary

      The https://www.mongodb.com/docs/manual/core/security-scram/#std-label-authentication-scram page states that SCRAM-SHA-256 can be used in FIPS mode.

      At the same time, looking into mongo-java-driver: https://github.com/mongodb/mongo-java-driver/blob/98934ddc52efa48e7e3b41339e57ff4c8dc89322/driver-core/src/main/com/mongodb/internal/connection/ScramShaAuthenticator.java#L258

      it looks like:

      private byte[] hi(final byte[] password, final byte[] salt, final int iterations) throws SaslException

      is a kind of key derivation function implementation. While SHA-256 is OK, the problem is still that imho any crypto/key derivation should be done via a FIPS validated/certified crypto module, so for example PBKDF2 with Bouncy Castle FIPS via JCA.

      So, any crypto implemented outside of the certified module makes the code not FIPS compliant, and SCRAM-SHA-256 should not be available in FIPS mode, at least with that driver in its current form.

      Additional Background

      https://csrc.nist.gov/pubs/sp/800/132/final
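      The point of the ticket and of the fix described in the documentation summary above is where SCRAM's Hi() runs, not what it computes: Hi(str, salt, i) from RFC 5802 is exactly PBKDF2-HMAC with a derived-key length of one hash output, so the KDF loop in the driver's own hi() can be replaced by a SecretKeyFactory call, at which point the loop executes inside whatever JCA provider is installed. The following is an added example written for this page; it is not code from the driver or from the reporter. It computes Hi both ways on constructed input (the salt, password "pencil" and i=4096 from the RFC 7677 example exchange), shows they agree, and adds the startup check a FIPS deployment wants: confirming which provider actually serves PBKDF2WithHmacSHA256. The helper names, the expected provider name "BCFIPS" (Bouncy Castle FIPS), and the assumption that the deployment installs that provider ahead of SunJCE are this example's, not the driver's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not driver code): SCRAM Hi() two ways, plus a provider check for FIPS deployments. */
public final class ScramHiDemo {

    /**
     * Hi(str, salt, i) written out as in RFC 5802 section 2.2: U1 = HMAC(str, salt || INT(1)),
     * Un = HMAC(str, Un-1), Hi = U1 XOR ... XOR Ui. This is the shape the ticket objects to:
     * each HMAC goes through JCA, but the KDF loop itself lives in application code.
     * Kept only to show that it computes exactly PBKDF2 with dkLen equal to one hash block.
     */
    static byte[] hiHandRolled(String hmacAlg, byte[] password, byte[] salt, int iterations)
            throws Exception {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(password, hmacAlg));
        mac.update(salt);
        mac.update(new byte[] {0, 0, 0, 1});   // INT(1): big-endian block index
        byte[] u = mac.doFinal();              // U1; doFinal() also resets the Mac for reuse
        byte[] result = u.clone();
        for (int i = 1; i < iterations; i++) {
            u = mac.doFinal(u);                // Un = HMAC(str, Un-1)
            for (int j = 0; j < result.length; j++) {
                result[j] ^= u[j];
            }
        }
        return result;
    }

    /**
     * The same value obtained from whichever JCA provider is configured for PBKDF2WithHmacSHA*.
     * The KDF runs inside the provider, so in a FIPS deployment it runs inside the validated module.
     * keyBits must equal the hash output size (160 for SHA-1, 256 for SHA-256) to match SCRAM's Hi().
     */
    static byte[] hiViaJca(String pbkdf2Alg, char[] password, byte[] salt, int iterations, int keyBits)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(pbkdf2Alg);
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();              // clears PBEKeySpec's private copy of the password
        }
    }

    /** Name of the provider that will serve this algorithm under the current provider order. */
    static String providerFor(String pbkdf2Alg) throws NoSuchAlgorithmException {
        Provider p = SecretKeyFactory.getInstance(pbkdf2Alg).getProvider();
        return p.getName();
    }

    /**
     * Startup check for an application that claims FIPS mode: fail fast if the algorithm would be
     * served by anything other than the expected validated provider. The expected name is an
     * assumption of this example ("BCFIPS" is Bouncy Castle FIPS) and must match the deployment.
     */
    static void requireProvider(String pbkdf2Alg, String expectedProvider) throws NoSuchAlgorithmException {
        String actual = providerFor(pbkdf2Alg);
        if (!actual.equals(expectedProvider)) {
            throw new IllegalStateException(pbkdf2Alg + " is served by provider " + actual
                    + ", expected " + expectedProvider);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: salt, password and iteration count from the SCRAM-SHA-256 example
        // exchange in RFC 7677 section 3. A real client takes s and i from the server-first
        // message and SASLpreps the password first (a no-op for the ASCII password "pencil").
        byte[] salt = Base64.getDecoder().decode("W22ZaJ0SNY7soEsUEjb6gQ==");
        char[] password = "pencil".toCharArray();
        int iterations = 4096;

        byte[] viaJca = hiViaJca("PBKDF2WithHmacSHA256", password, salt, iterations, 256);
        byte[] handRolled = hiHandRolled("HmacSHA256",
                "pencil".getBytes(StandardCharsets.UTF_8), salt, iterations);

        System.out.println("hand-rolled Hi == provider PBKDF2: " + MessageDigest.isEqual(viaJca, handRolled));
        System.out.println("PBKDF2WithHmacSHA256 served by: " + providerFor("PBKDF2WithHmacSHA256"));

        // Enable in a FIPS deployment once BCFIPS is installed ahead of (or instead of) SunJCE:
        // requireProvider("PBKDF2WithHmacSHA256", "BCFIPS");
    }
}
```

      On a stock JDK the second line prints SunJCE, which has shipped PBKDF2WithHmacSHA256 since Java 8; the two derived values agree, which is why the driver could switch implementations with no behavioral change. Delegation alone does not make an application FIPS compliant: the provider list in java.security (or the runtime's FIPS configuration) still has to put the validated provider first, which is what requireProvider is there to confirm rather than assume.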

            Assignee: Jeffrey Yemin (jeff.yemin@mongodb.com)
            Reporter: Jarosław Wojciechowski (jawojciech@gmail.com)
            Votes: 0
            Watchers: 4