Crypto API in kernel mode

  • Question

  • Hi

    Requirement: I want to generate a cryptographically secure random number in my kernel mode library on all platforms, XP and later. I can't create separate libraries for XP and Windows Vista/7.

    Problem:
    BCryptGenRandom() is available only in Vista and later.
    FIPSGenRandom is available on XP through FIPS.sys. However, I can't find any documentation or help on how to use the FIPS.sys APIs (header file etc.). I opened FIPS.sys in depend.exe and did not see any exported functions.

    Also, in this link, http://technet.microsoft.com/en-us/library/cc750357.aspx , it's mentioned that the FIPS.sys APIs are available in Windows Vista through fips.sys and on Windows 7 through cng.sys. Again, on Windows 7 I don't find a FIPSGenRandom export in cng.sys.

    Can someone tell me how I can link and use FIPSGenRandom on all the platforms? Or is there any other way to achieve my requirement mentioned above?

    Thanks in advance.

    Ravi Suhane

    Wednesday, May 16, 2012 1:10 PM

Answers

  • I haven't used the FIPS APIs, but have you looked at http://technet.microsoft.com/en-us/library/cc750356.aspx ?  As far as I know you will need to have different code for Vista and later than for XP.  You can possibly encapsulate this in a separate kernel mode DLL, or just conditionally compile and have two binaries.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, May 16, 2012 1:24 PM

All replies

  • Thanks for looking into this.


    Yes, I looked at http://technet.microsoft.com/en-us/library/cc750356.aspx . This link doesn't talk about how to use the FIPS APIs. Also, since I am not seeing any exported functions in fips.sys, I am not sure how I can call FIPSGenRandom.

    In our product we have an IM driver and a helper kernel mode crypto DLL, and currently we don't conditionally compile these binaries for XP and later OSs. We are using an NDIS 5.x driver. That's why I want to avoid two separate kernel mode DLLs and was looking for the FIPS APIs in CNG.sys as mentioned in http://technet.microsoft.com/en-us/library/cc750357.aspx under the section named "Overview of CAPI and CNG".

    Even if I go for the separate code approach, I am blocked for XP since I have no clue how to use it.

    Thanks,
    Ravi

    Wednesday, May 16, 2012 1:53 PM
  • FIPS is not documented for use on any OS; bcrypt and friends on Vista is the first supported OS.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, May 16, 2012 2:19 PM
  • So in Windows it's impossible to fulfill my requirement?

    In Windows XP are these FIPS APIs meant for OS internal use only?

    Refer to:
    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp997.pdf
    http://technet.microsoft.com/library/cc750356.aspx

    Thursday, May 17, 2012 6:14 AM
  • That is the first piece of documentation I have seen on FIPS. It certainly does not exist in the same way on current releases as it does on XP, so you will need to ship two different binaries, one for XP which imports from FIPS and another for Vista and later that uses bcrypt.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, May 17, 2012 6:36 AM