CNG and FIPS

The Federal Information Processing Standards (FIPS) at http://www.itl.nist.gov/fipspubs/ define standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for U.S. federal computer systems. Five standards pertinent to this chapter are as follows:

• FIPS 140-2: Security Requirements for Cryptographic Modules

• FIPS 180-2: Secure Hash Standard (SHS)

• FIPS 186-2: Digital Signature Standard (DSS)

• FIPS 197: Advanced Encryption Standard (AES)

• FIPS 198: The Keyed-Hash Message Authentication Code (HMAC)

These standards define cryptographic requirements and cryptographic algorithms to be used in U.S. federal information systems. It is possible to configure Windows Vista to use only FIPS-mandated algorithms by performing these steps:

1. Open MMC.

2. Add the Group Policy Objects Snap-in.

3. Navigate to Local Computer Policy, Computer Configurations, Windows Settings, Security Settings, Local Policies, Security Options.

4. Enable the following option: “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.”

Now here’s the caveat. This setting only affects the protocol suites used by SSL/TLS and .NET code. The following C# will fail with a System.InvalidOperationException exception because it is using a non-FIPS compliant algorithm, MD5.

 MD5CryptoServiceProvider hash = new MD5CryptoServiceProvider(); byte[] result = hash.ComputeHash(ASCIIEncoding.UTF8.GetBytes(message));

From a CNG application, it is possible to determine if the FIPS requirement is enabled or not by using the BCryptGetFipsAlgorithmMode function.