- changed status to open
FIPS issue in PBKDF2
com.nimbusds.jose.crypto.impl.PBKDF2.deriveKey does not appear to be FIPS compliant, as it is implementing a key derivation function.
In order to be compliant, code should use a validated library that implements the KDF function; as this library is not validated, it would be impossible to use this function in a FIPS compliant environment.
Fortunately the JDK has an API to support PBKDF2, and BouncyCastle supports this (along with the BC FIPS variant).
The API support has existed since Java 1.4, and OpenJDK 8 supports PBKDF2WithHmacSHA1 / PBKDF2WithHmacSHA224 / PBKDF2WithHmacSHA256 / PBKDF2WithHmacSHA384 / PBKDF2WithHmacSHA512.
Earlier JDK versions may also support this; however, Java 7 is EOL, and in the rare case where support is not available, the user can use either of the BouncyCastle libraries to obtain support.
The code should be changed to use standard java.security APIs to run the PBKDF function so that a FIPS validated provider can be used at runtime.
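The JCA route the description asks for, shown as an added example that is not the library's own code: the JWE PBES2 key-wrapping key is derived through a SecretKeyFactory so the provider can be swapped for a FIPS validated one at runtime. The class and helper name, the sample salt and the iteration count are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class Pbes2JcaExample {

    /**
     * Derives the AES key-wrapping key for a JWE PBES2 header (RFC 7518, section 4.8):
     * the PBKDF2 salt is (alg || 0x00 || p2s), the iteration count is p2c and the
     * output length is the key size of the wrapping algorithm (128 bits for A128KW).
     * Hypothetical helper, not the library's own code.
     */
    static SecretKey deriveKeyWrappingKey(char[] password, String alg, byte[] p2s, int p2c,
                                          String prf, int keyBits, Provider provider)
            throws GeneralSecurityException {
        byte[] algBytes = alg.getBytes(StandardCharsets.UTF_8);
        byte[] salt = new byte[algBytes.length + 1 + p2s.length];
        System.arraycopy(algBytes, 0, salt, 0, algBytes.length);
        salt[algBytes.length] = 0x00;
        System.arraycopy(p2s, 0, salt, algBytes.length + 1, p2s.length);

        // Resolving the SecretKeyFactory through a caller-supplied provider is what lets a
        // FIPS validated provider (e.g. BC FIPS) do the derivation; null means JCA default.
        SecretKeyFactory factory = provider == null
                ? SecretKeyFactory.getInstance(prf)
                : SecretKeyFactory.getInstance(prf, provider);
        PBEKeySpec spec = new PBEKeySpec(password, salt, p2c, keyBits);
        try {
            return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample input; in practice p2s and p2c come from the JWE header.
        byte[] p2s = "constructed-salt-value".getBytes(StandardCharsets.UTF_8);
        SecretKey kek = deriveKeyWrappingKey("correct horse battery staple".toCharArray(),
                "PBES2-HS256+A128KW", p2s, 100_000, "PBKDF2WithHmacSHA256", 128, null);
        System.out.println("Derived KEK bytes: " + kek.getEncoded().length);
    }
}
```

Passing a FIPS provider (for example the BC FIPS provider) as the last argument makes that provider perform the PBKDF2 computation; with null, whichever provider the JCA resolves first is used.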
Comments (4)
Note to self: PBKDF2WithHmacSHA256 is available starting from API level 26 (Android 8.0, Oreo).
Merged PR 120: https://bitbucket.org/connect2id/nimbus-jose-jwt/pull-requests/120/overview
PBKDF2 must use the JCA provider configured via PasswordBasedCryptoProvider.getJCAContext().getProvider(): a45bb297ad52074b9e605bd372a4d809674d9c71
- changed status to resolved
Released as:
9.41 (2024-09-10)
* JWEHeader receives typed support for the "iss" (issuer), "sub" (subject) and "aud" (audience) claims as replicated JWE header parameters.
* Updates the JWE encryption with "PBES2-HS256+A128KW", "PBES2-HS384+A192KW" and "PBES2-HS512+A256KW" to use a JCA provider instead of a local PBKDF2 implementation. "PBKDF2WithHmacSHA256" support is available since Java 8 and Android API level 26 (iss #561).
* For "RSA-OAEP" and "RSA-OAEP-256" the cipher mode should be either WRAP or UNWRAP, not ENCRYPT or DECRYPT. Otherwise it will throw an exception when used with a FIPS provider (iss #564).
We wanted to check that this change will not affect Android deployments.