Enabling FIPS on SecureAuth Prevents Users from Using Hard and Soft Tokens

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises

    Introduction

    For security and compliance reasons you may want to enable FIPS on your SecureAuth servers, but after enabling it you lose the ability to use OATH and Knowledge Based Answers for 2-Factor authentication.

    Or, during installation of the Windows Credential Provider, you receive the error:

    Error 1001. Error 1001. This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
    DEBUG: Error 2769:  Custom Action _658FF7C4_C96E_42A7_A1E6_4274F421DB3B.install did not close 1 MSIHANDLEs.
    The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: _658FF7C4_C96E_42A7_A1E6_4274F421DB3B.install, 1,
    CustomAction _658FF7C4_C96E_42A7_A1E6_4274F421DB3B.install returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

    Cause

    For customers inquiring about Tokens:
    Currently the advanced encryption option is not FIPS compliant and will not work while FIPS is enabled. 

    For customers inquiring about Windows Credential Provider:

    • Formerly in version 2.1.11, we used 3DES, which is FIPS compliant.
    • In version 2.6.5, we moved to AES256, but happened to use a non-FIPS library, which broke FIPS compliance.
    • We are planning to use a FIPS compliant AES256 library in the 2.8 release that should be out later this year.

    Resolution

    If FIPS has to be enabled, you would need to switch the encryption method from Advanced to Standard on any attribute being encrypted.

    Because the two encryption methods use different algorithms, you will be required to re-enroll all soft and hard tokens as well as Knowledge Based Questions. This might not be practical if your SecureAuth implementation is already in production.


    For customers looking to install the Windows Credential Provider version 2.6.5: have them check Local and Group Policy to disable the FIPS compliance requirement.
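
To confirm whether FIPS enforcement is what blocks the installer or the tokens on a given host, the following diagnostic reads the effective policy and probes which .NET Framework cipher classes still instantiate. It is an added example, not SecureAuth code; the list of probed classes is an assumption, since the article does not name the library the product uses.

```powershell
# Added diagnostic, not part of any SecureAuth product.
# Run in Windows PowerShell (5.1, .NET Framework) on the affected host.
Add-Type -AssemblyName System.Core   # holds the Aes* classes probed below

# 1. Effective FIPS policy. The security option "System cryptography: Use FIPS
#    compliant algorithms for encryption, hashing, and signing" (set locally or
#    by Group Policy) is stored in this registry value: 1 = enforced.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$policy = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

# 2. What the .NET runtime loaded in this process believes.
$dotnetFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

"FIPS policy registry value : $policy"
"FIPS enforced (.NET view)  : $dotnetFips"

# 3. Probe cipher classes. The CryptoServiceProvider classes wrap the Windows
#    platform implementations; the *Managed classes are pure .NET code and,
#    depending on the .NET Framework version, refuse to instantiate under FIPS
#    with the same message quoted in the installer log above.
$candidates = @(
    'System.Security.Cryptography.TripleDESCryptoServiceProvider',
    'System.Security.Cryptography.AesCryptoServiceProvider',
    'System.Security.Cryptography.AesManaged',
    'System.Security.Cryptography.RijndaelManaged'
)

$results = foreach ($name in $candidates) {
    try {
        $alg = New-Object -TypeName $name
        $alg.Dispose()
        [pscustomobject]@{ Algorithm = $name; Usable = $true; Detail = '' }
    }
    catch {
        # Unwrap PowerShell's wrapper to show the runtime's own message.
        [pscustomobject]@{
            Algorithm = $name
            Usable    = $false
            Detail    = $_.Exception.GetBaseException().Message
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

If the registry value returns to 1 after it is changed in Local Security Policy, a domain Group Policy object is setting it and the change has to be made there.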
