Behaviour of AesCryptoServiceProvider class with FIPS policy set/ unset

 

 You may want to use a Crypto API for Advanced Encryption Standard that is FIPS 140-2 complaint.

While doing this using managed code you can come across the AesCryptoServiceProvider class that is FIPS complaint. I want to highlight some points before using this class.

They are:

• 1. AesCryptoServiceProvider calls the Crypto API, which uses RSAENH.DLL, which has been validated by NIST in the Cryptographic Module Validation Program.
• 2. So it is RSAENH.DLL that is FIPS 140-2 complaint and AesCryptoServiceProvider calls the FIPS version of this DLL.
• 3. Enabling FIPS policy from registry ensures that NON FIPS complaint algorithms will throw an exception saying "Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"
• 4. Of course AesCryptoServiceProvider will work on systems where AES was implemented in RSAENH.DLL which is Windows XP and higher OS's. It will not run on Windows 2000.

 

Reference:

• https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1010.pdf

Test directly from the above link:

The Microsoft Corporation's Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) is a FIPS 140-2 Level 1 compliant, software-based, cryptographic service provider.

 

1010

Microsoft CorporationOne Microsoft WayRedmond, WA 98052-6399USA -Dave Friant TEL: 425-704-7984 FAX: 425-936-7329

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) (Software Versions: 6.0.6001.22202 and 6.0.6002.18005) (When operated in FIPS mode with Code Integrity (ci.dll) validated to FIPS 140-2 under Cert. #1006 operating in FIPS mode) Validated to FIPS 140-2 Security Policy Certificate

Software

08/15/2008;07/24/2009

Overall Level: 1  -Operational Environment: Tested as meeting Level 1 with Microsoft Windows Server 2008 (x86 Version); Microsoft Windows Server 2008 (x64 version); Microsoft Windows Server 2008 (IA64 version) (single-user mode) -FIPS-approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656) -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 80 and 150 bits of encryption strength; non-compliant less than 80 bits of encryption strength) Multi-chip standalone"RSAENH encapsulates several different cryptographic algorithms in an easy-to-use cryptographic module accessible via the Microsoft CryptoAPI. Developers dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support."

Table directly referenced from https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm.

• https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1010.pdf
• https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1012.pdf

Text directly from the above link:

The Microsoft Corporation's Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) is a FIPS 140-2 Level 1 compliant, software-based, cryptographic service provider.

The Microsoft Enhanced Cryptographic Provider (RSAENH) consists of a single dynamically-linked library (DLL) named RSAENH.DLL (Software version 5.2.3790.4313 [Service Pack 2]) tested on an x86, x64, and ia64 processors, which comprises the modules logical boundary.

 

• https://blogs.msdn.com/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx
• https://blogs.msdn.com/shawnfa/archive/2005/05/16/417975.aspx