Non-compliant operations

When configured to run in FIPS mode, the agent uses non-FIPS compliant hash and key-hash algorithms, as follows:

  • MD4, MD5 and HMAC-MD5 are used to support NTLM passthrough authentication (including using NLTM for PAM authentication).
  • MD4 is used to generate the managed computer password hash for use in setting up AES NetLogon Secure Channel. AES NetLogon Secure Channel is used for NTLM pass-through authentication as well as for updating operating system version attributes.
  • MD5 is used to generate the UNIX password hash to verify against the MD5 password hash that is stored in the cache during disconnected mode login. (This is for backward compatibility support; this happens when you upgrade from a DirectControl version that does not support the SHA256 password hash.)

When configured to run in FIPS mode, the agent uses a non-FIPS compliant encryption algorithm, as follows:

  • Non-FIPS compliant encryption will be used in encrypting secret information for internal communication through a UNIX domain socket.
  • A non-FIPS compliant random number generator is used in generating the Initialization Vector used in the encryption.