Crypto Libraries & FIPS 140 Compliance

    Question

  • Are the Windows Metro cryptography libraries FIPS 140 compliant? Couldn't find info at http://technet.microsoft.com/en-us/library/cc750357.aspx#e1

    Windows 8 / Windows Server 2012 aren't listed as compliant modules here - I suspect this document hasn't been updated with that information. Is it still using the Windows 2008 and Windows 7 underlying components (i.e. BCRYPTPRIMITIVES.DLL, CNG.SYS)?

    Friday, June 08, 2012 4:00 PM

Answers

  • Hi,

    As far as I know, the Windows 8 and Windows Server 8 Crypto API and CNG providers have not finished FIPS validation yet. When they do, they will be listed on the NIST FIPS validation site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm) with their certificate numbers and the certificate numbers of each validated algorithm. You can then look up the individual algorithm certificates on http://csrc.nist.gov/groups/STM/cavp/validation.html.

    FIPS validation applies only to the modules that implement cryptographic algorithms (encryption, hashing, signing, RNG), not the library code that calls them. So, when a library like the .NET Framework provides cryptography classes, the FIPS status depends on the underlying implementations. For the .NET Framework, there are two groups: XXXXManaged (which are not FIPS validated) and XXXXCryptoServiceProvider or XXXXCng (which are FIPS validated to the extent that the underlying Crypto API or CNG provider is). The .NET Framework checks for the Windows security option: "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing." If this policy is enabled and an app tries to instantiate an object from a cryptography class that isn't FIPS-compliant, the .NET Framework throws an exception.

    As David mentioned, Windows.Security.Cryptography.Core classes use the underlying CNG providers and thus will offer FIPS-validated algorithms to the extent that the CNG providers do. I can't comment on an ETA for when FIPS validation will be complete.

    I hope this helps.

    Sincerely,

    Dan Ruder [MSFT]

    Monday, June 11, 2012 11:20 PM
    Moderator
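The policy check Dan describes can be seen directly from a small .NET Framework console program. The following is an added example, not code from the thread or from Microsoft; it assumes .NET Framework 3.5 or later on Windows (SHA256Cng and SHA256CryptoServiceProvider live in System.Core) and uses a constructed sample message. With the "Use FIPS-compliant algorithms" policy enabled, the managed class is rejected at construction time while the CNG- and CSP-backed classes still work; with it disabled, all three produce the same digest, which is the point that validation covers the implementation, not the algorithm.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread). Demonstrates how the .NET Framework
// enforces the Windows FIPS policy per implementation class.
class FipsPolicyDemo
{
    // Hex encoding for printing digests.
    static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Construct a hash implementation via the supplied factory and hash the data.
    // Returns null when the .NET Framework rejects the class under the FIPS policy.
    static string TryHash(Func<HashAlgorithm> factory, byte[] data)
    {
        try
        {
            using (HashAlgorithm h = factory())
            {
                return ToHex(h.ComputeHash(data));
            }
        }
        catch (InvalidOperationException ex)
        {
            // This is the exception the answer describes: raised when the policy is
            // enabled and the class is not backed by a validated provider.
            Console.WriteLine("  rejected by FIPS policy: " + ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample input, not taken from the thread.
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");

        // Reflects the "System cryptography: Use FIPS-compliant algorithms for
        // encryption, hashing, and signing" security option on this machine.
        Console.WriteLine("FIPS policy enabled: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        Console.WriteLine("SHA256Managed (managed code, not FIPS validated):");
        string managed = TryHash(() => new SHA256Managed(), data);
        if (managed != null) Console.WriteLine("  " + managed);

        Console.WriteLine("SHA256Cng (CNG provider, validated as far as the provider is):");
        string cng = TryHash(() => new SHA256Cng(), data);
        if (cng != null) Console.WriteLine("  " + cng);

        Console.WriteLine("SHA256CryptoServiceProvider (Crypto API provider):");
        string csp = TryHash(() => new SHA256CryptoServiceProvider(), data);
        if (csp != null) Console.WriteLine("  " + csp);

        // Same algorithm behind different implementations: whenever two of them
        // run, their digests are identical. Only the implementation's validation
        // status differs.
        if (managed != null && cng != null)
            Console.WriteLine("managed == cng: " + (managed == cng));
        if (cng != null && csp != null)
            Console.WriteLine("cng == csp:     " + (cng == csp));
    }
}
```

Run it once with the policy off and once with it on (Local Security Policy, Security Options) to see the managed class switch from producing a digest to throwing, while the CNG and CSP classes are unaffected. For code that must run in FIPS-enforced environments, prefer the XXXXCng or XXXXCryptoServiceProvider classes rather than catching the exception at runtime.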
  • Hi Sid,

    Windows 8, Windows RT, Windows Server 2012, Surface RT, Surface Pro, and Windows Embedded Compact are nearing completion of FIPS 140-2 validation for the low-level CSP and CNG providers and we expect this to be completed this summer. You can track the progress of these modules on NIST's website: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html.

    FIPS validation is important to Windows customers and we will continue seeking validation for future Windows releases. The process is documented on http://csrc.nist.gov/groups/STM/cmvp/index.html if you'd like to understand more about what is involved. In particular, the two documents on http://csrc.nist.gov/groups/STM/cmvp/faqs.html have flow charts showing the overall process.

    Sincerely,

    Dan Ruder [MSFT]

    Thursday, June 06, 2013 8:24 PM
    Moderator

All replies

  • Windows.Security.Cryptography.Core is built on top of win32 crypto APIs. I suspect that TechNet document would be updated after Windows 8 RTM.

    David Lamb

    Monday, June 11, 2012 8:19 PM
    Moderator
  • Hi guys,

    The FIPS 140-2 list still lacks any listings for Windows 8 as well as Windows Server 2012 - can someone from MSFT comment on what the roadmap looks like? It's been almost a year with little visible progress. Concerns are only greater considering Microsoft is looking at adopting annual releases/updates to Windows Servers ...

    Thanks

    Sid

    Thursday, June 06, 2013 2:37 AM