[jcifs] FIPS compliance for JCIFS

Michael B Allen ioplex at gmail.com
Wed Apr 27 19:39:35 MDT 2011

Hi Marasim,

To be honest I'm not sure if security methods used by CIFS in general
could claim to be FIPS compliant. There are a lot of MD5 this and HMAC
that and other such things that are problematic for FIPS compliance.

In general, we just make JCIFS mimic Windows. So if CIFS on WIndows is
FIPS compliant or if there are some conditions under which CIFS on
Windows is FIPS compliant then you would just have to run JCIFS under
those same conditions. Although if those conditions are using Kerberos
with AES-256 or some such then that would be a problem because we
don't officially support Kerberos yet. The JCIFS codebase is littered
with references to an NtlmPasswordAuthentication object representing
the user's credentials. Meaning the codebase would have to be
restructured considerably to factor out the NTLM specific credential
type and in doing so we would effectively be doing "JCIFS 2.0" which
has a whole laundary list of other things attached to it. That makes
financing the principal issue.

However, note that CIFS is exclusively an IntrAnet protocol so it's
not crystal clear to me why FIPS compliance would be terribly
important. If an attacker is already on a corporate IntrAnet, the
difference between AES-256 and RC4 is not going to be a weak link in
the security chain. I realize there are bureaucrats and spreadsheets
that do not care about this but it does remove an edge of importance
from the issue.


Michael B Allen
Java Active Directory Integration

On Mon, Apr 25, 2011 at 8:20 PM, Marasim <marasim at gmail.com> wrote:
> Christopher R. Hertel <crh <at> ubiqx.mn.org> writes:
>> FIPS compliant or Windows compliant?
>> Unless someone were to sponsor the testing, I don't know of any way to get
>> FIPS accreditation for jCIFS.  In any case, the real goal would be to ensure
>> that jCIFS can leverage any and all of the myriad available authentication
>> mechanisms supported by Windows CIFS servers.  I don't currently know where
>> we are in relation to that latter goal.
>> Chris -)-----
>> Marasim wrote:
>> > I tried searching for this on the forum, but cannot seem to find an answer.
> Is
>> > there a tweak to the JCIFS library that will make it FIPS compliant,
> especially
>> > for authentication to the Windows hosts?
>> >
>> > Thanks,
>> > Marasim
>> >
> Thanks for your reply Chris. My question was more in terms of inherent FIPS
> compliance not necessarily an official accreditation or certification. I do see
> there is a separate JCIFS kerberos package available and that may provide the
> solution (I am still working on figuring it out, there seems to be an example
> class KerberosAuthExample that provides some insight into how this may work). Is
> there a way the default package (maintained more frequently) can be tweaked to
> use FIPS compliant algorithms?
> Thanks,
> Marasim

More information about the jCIFS mailing list