zuraff

Reputation: 1472

How to check that CNG Windows API returns algorithm implementation which is FIPS compliant

I am calling Windows CNG API (bcrypt.dll) on a host where FIPS mode is enabled. The fact that FIPS is enabled is confirmed by the result of the function BCryptGetFipsAlgorithmMode.

How can I ensure that the returned implementation of an algorithm by the API is FIPS compliant?

It looks like just enabling FIPS mode on the host does not guarantee that the API prevents instantiation of non-FIPS-compliant algorithms, because I can successfully get the MD5 hash algorithm (which is known not to be FIPS compliant).

Upvotes: 0

Views: 287

Answers (1)

Anders

Reputation: 101746

KB 811833 says

This policy is only advisory to applications. Therefore, if you enable the policy, it does not make sure that all applications will comply. The following areas in the operating system will be affected by this setting:

and goes on to list things affected by the policy. This includes SChannel and .NET but not the CNG API itself. This blog post confirms the .NET behavior, but it can be overridden with enforceFIPSPolicy in the app config file.

When calling BCryptOpenAlgorithmProvider you can force the provider by specifying MS_PRIMITIVE_PROVIDER.

Upvotes: 1
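Putting the question and the answer together: the FIPS policy flag is advisory, so the application has to enforce algorithm selection itself, and it can at least pin the provider with MS_PRIMITIVE_PROVIDER. The program below is an added example, not code from the asker or the answerer. It reads BCryptGetFipsAlgorithmMode, keeps an application-level allow-list of CNG algorithm identifiers (the contents of that list are this example's own policy choice, not something Windows supplies), and only opens an identifier that is on the list, always naming the Microsoft Primitive Provider. The "raw" open in main is there so you can observe on your own host what CNG itself returns for MD5 under FIPS mode; the wrapper does not rely on that result. On non-Windows builds only the allow-list logic is compiled, using copied bcrypt.h string constants, so that part can be unit-tested without the SDK.

```c
/* fips_cng_check.c  (added example)
 * Build on Windows:  cl fips_cng_check.c bcrypt.lib
 * Elsewhere only the allow-list check compiles (for testing). */
#include <stdio.h>
#include <stddef.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>
#pragma comment(lib, "bcrypt.lib")
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif
#ifndef STATUS_NOT_SUPPORTED
#define STATUS_NOT_SUPPORTED ((NTSTATUS)0xC00000BBL)
#endif
#else
/* Not Windows: copies of the bcrypt.h identifier strings so the allow-list
 * below can be compiled and exercised without the Windows SDK. */
#define BCRYPT_MD5_ALGORITHM        L"MD5"
#define BCRYPT_SHA256_ALGORITHM     L"SHA256"
#define BCRYPT_SHA384_ALGORITHM     L"SHA384"
#define BCRYPT_SHA512_ALGORITHM     L"SHA512"
#define BCRYPT_AES_ALGORITHM        L"AES"
#define BCRYPT_RSA_ALGORITHM        L"RSA"
#define BCRYPT_ECDSA_P256_ALGORITHM L"ECDSA_P256"
#endif

/* Application-level allow-list (this example's own policy choice).
 * Anything not listed here, MD5 included, is refused before CNG is asked. */
static const wchar_t *const kFipsAllowedAlgIds[] = {
    BCRYPT_SHA256_ALGORITHM,
    BCRYPT_SHA384_ALGORITHM,
    BCRYPT_SHA512_ALGORITHM,
    BCRYPT_AES_ALGORITHM,
    BCRYPT_RSA_ALGORITHM,
    BCRYPT_ECDSA_P256_ALGORITHM,
};

/* 1 if alg_id exactly matches an allow-listed identifier, else 0.
 * The match is exact and case-sensitive on purpose: fail closed. */
int is_fips_approved_alg(const wchar_t *alg_id)
{
    size_t i;
    if (alg_id == NULL)
        return 0;
    for (i = 0; i < sizeof kFipsAllowedAlgIds / sizeof kFipsAllowedAlgIds[0]; i++)
        if (wcscmp(alg_id, kFipsAllowedAlgIds[i]) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
/* Open an algorithm only if the host FIPS policy is on AND the id is on the
 * allow-list, and always from the named Microsoft Primitive Provider so CNG
 * cannot substitute another registered provider for the same identifier. */
NTSTATUS open_fips_alg(const wchar_t *alg_id, BCRYPT_ALG_HANDLE *out)
{
    BOOLEAN fips_on = FALSE;
    NTSTATUS st;

    *out = NULL;
    st = BCryptGetFipsAlgorithmMode(&fips_on);
    if (!NT_SUCCESS(st))
        return st;
    if (!fips_on || !is_fips_approved_alg(alg_id))
        return STATUS_NOT_SUPPORTED;   /* policy rejection, fail closed */
    return BCryptOpenAlgorithmProvider(out, alg_id, MS_PRIMITIVE_PROVIDER, 0);
}
#endif

int main(void)
{
    const wchar_t *probe[] = { BCRYPT_MD5_ALGORITHM, BCRYPT_SHA256_ALGORITHM };
    size_t i;
    for (i = 0; i < sizeof probe / sizeof probe[0]; i++) {
#ifdef _WIN32
        BCRYPT_ALG_HANDLE h = NULL;
        NTSTATUS raw, guarded;
        /* Raw call: what CNG itself does for this id on this host. */
        raw = BCryptOpenAlgorithmProvider(&h, probe[i], MS_PRIMITIVE_PROVIDER, 0);
        if (h) BCryptCloseAlgorithmProvider(h, 0);
        h = NULL;
        guarded = open_fips_alg(probe[i], &h);
        printf("%-8ls raw CNG open: 0x%08lx  guarded open: 0x%08lx\n",
               probe[i], (unsigned long)raw, (unsigned long)guarded);
        if (h) BCryptCloseAlgorithmProvider(h, 0);
#else
        printf("%-8ls allow-listed: %d\n", probe[i], is_fips_approved_alg(probe[i]));
#endif
    }
    return 0;
}
```

Treat the allow-list as the actual control: BCryptGetFipsAlgorithmMode tells you what the host operator configured, not what your process is about to do, and naming MS_PRIMITIVE_PROVIDER pins which module implements an identifier but does not by itself stop a non-approved identifier from being opened.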
