Wednesday, 17 December 2014

How to enable FIPS Compliant algorithms in Windows

What is FIPS Compliance

FIPS (Federal Information Processing Standard) is a United States Government standard that provides a benchmark for implementing cryptographic software. For the Schannel Security Service Provider (SSP), this security setting disables the weaker SSL protocols and supports only the TLS protocols. If this setting is enabled, the TLS/SSL Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm family (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

Summary:

Enable FIPS Compliant algorithms via Registry

You can force FIPS compliance on all software on the machine by changing the following registry value from 0 to 1:
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
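The following C# program is an added example, not code from the original post. It reads the registry value named above and cross-checks it against what the .NET Framework runtime itself reports through CryptoConfig.AllowOnlyFipsAlgorithms, which is the property the *Managed crypto classes consult before refusing to construct themselves. It assumes the .NET Framework on Windows (the Microsoft.Win32.Registry types live in mscorlib there) and that the value is stored as a REG_DWORD, which is an assumption about the setting's type rather than something the post states.

```csharp
// Added example (not from the original post): report whether FIPS mode is on,
// both as stored in the registry and as seen by the .NET runtime.
using System;
using System.Security.Cryptography;
using Microsoft.Win32;

class FipsModeCheck
{
    // Key path and value name exactly as given in the post (under HKLM).
    const string KeyPath = @"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy";
    const string ValueName = "Enabled";

    // Returns true when the policy value is present and set to 1.
    static bool IsFipsEnabledInRegistry()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (key == null)
                return false;                     // key absent: policy never configured

            object value = key.GetValue(ValueName);
            // Assumption: the value is a REG_DWORD, which GetValue returns as int.
            return value is int && (int)value == 1;
        }
    }

    static void Main()
    {
        bool inRegistry = IsFipsEnabledInRegistry();

        // The runtime reads the policy once per process and caches the answer,
        // so a freshly changed registry value is not seen by processes that
        // already used cryptography.
        bool inRuntime = CryptoConfig.AllowOnlyFipsAlgorithms;

        Console.WriteLine("Registry FIPSAlgorithmPolicy\\Enabled : {0}", inRegistry ? 1 : 0);
        Console.WriteLine("CryptoConfig.AllowOnlyFipsAlgorithms : {0}", inRuntime);

        if (inRegistry != inRuntime)
            Console.WriteLine("Mismatch: restart the process (or the machine) so the runtime picks up the new policy.");
    }
}
```

Run it once before and once after changing the registry value; a mismatch between the two lines is the usual reason an application keeps behaving as if the policy were unchanged.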

Enable FIPS Compliant algorithms via Local Security Policy

You can alternatively force FIPS compliance via Local Security Policy. Follow the steps below to configure the FIPS-compliant setting on the local computer.

1. Open Local Security Policy by running the command secpol.msc.


2. In the Local Security Policy Editor, under the Local Policies node, click Security Options.

3. In the right-hand pane, find the setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.

[Screenshot: Steps to enable FIPS Compliant algorithms]

4. Double-click the policy setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing, click Enable, and then click Apply to complete the FIPS compliance configuration.

[Screenshot: Steps to enable FIPS Compliance algorithms]

How to develop software that supports FIPS Compliance

When developing software, we need to use FIPS validated cryptographic algorithms for encryption, hashing, and signing. Otherwise, the application throws the following error when it runs on a system with FIPS compliance enabled:
Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Fix for RijndaelManaged algorithms:

The RijndaelManaged class is NOT a FIPS-compliant class. Instead, use the AesCryptoServiceProvider class, which is the FIPS-validated equivalent of RijndaelManaged.

See: http://blogs.msdn.com/b/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx

Fix for SHA256Managed algorithms:

The SHA256Managed class is NOT a FIPS-compliant class. Instead, use the SHA256CryptoServiceProvider class, which is the FIPS-validated equivalent of SHA256Managed.
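The following C# program is an added example, not code from the original post or the linked MSDN article. It puts both substitutions described above into working code: SHA-256 hashing through SHA256CryptoServiceProvider and AES-CBC encryption through AesCryptoServiceProvider, plus a small probe that constructs the two *Managed classes and catches the InvalidOperationException carrying the error message quoted above. The key, IV and plaintext are constructed for the demonstration, and the code assumes the .NET Framework on Windows.

```csharp
// Added example (not from the original post): FIPS-friendly replacements for
// RijndaelManaged and SHA256Managed, with a probe for the FIPS-mode error.
using System;
using System.Security.Cryptography;
using System.Text;

class FipsFriendlyCrypto
{
    // Hashing: SHA256CryptoServiceProvider wraps the OS (CryptoAPI) implementation,
    // which is the FIPS-validated one; SHA256Managed is pure managed code and is
    // refused when the FIPS policy is enabled.
    static byte[] Sha256(byte[] data)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return sha.ComputeHash(data);
    }

    // Encryption: AesCryptoServiceProvider in place of RijndaelManaged. AES is
    // Rijndael fixed to a 128-bit block size, so data encrypted earlier with
    // RijndaelManaged at BlockSize = 128 decrypts unchanged with this class.
    static byte[] AesCbcEncrypt(byte[] key, byte[] iv, byte[] plaintext)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform encryptor = aes.CreateEncryptor())
                return encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    static byte[] AesCbcDecrypt(byte[] key, byte[] iv, byte[] ciphertext)
    {
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
                return decryptor.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
        }
    }

    // Probe: constructing a *Managed class throws InvalidOperationException only
    // when the FIPS policy is enabled, with the message the post quotes.
    static string ProbeManagedClasses()
    {
        try
        {
            using (new SHA256Managed()) { }
            using (new RijndaelManaged()) { }
            return "Managed classes constructed: FIPS policy is not enabled on this machine.";
        }
        catch (InvalidOperationException ex)
        {
            return "Refused under FIPS policy: " + ex.Message;
        }
    }

    static void Main()
    {
        // Constructed sample key (AES-256), IV and plaintext for the demonstration.
        byte[] key = new byte[32];
        byte[] iv = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample plaintext");

        byte[] ciphertext = AesCbcEncrypt(key, iv, plaintext);
        byte[] recovered = AesCbcDecrypt(key, iv, ciphertext);

        Console.WriteLine("AES-CBC round trip OK : {0}",
            Encoding.UTF8.GetString(recovered) == "constructed sample plaintext");
        Console.WriteLine("SHA-256 of plaintext  : {0}",
            BitConverter.ToString(Sha256(plaintext)).Replace("-", ""));
        Console.WriteLine(ProbeManagedClasses());
    }
}
```

The probe is the quickest way to confirm which of the two failure causes you are looking at: if it reports that the managed classes were constructed, the policy is not active for this process and the error must come from somewhere else; if it reports the refusal, every remaining SHA256Managed and RijndaelManaged (and the other *Managed classes) in the code base needs the same substitution.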
