What is FIPS Compliance
FIPS (Federal Information Processing Standard) is the United States Government standard that provides a benchmark for implementing cryptographic software. For the Schannel Security Support Provider (SSP), this security setting disables the weaker SSL protocols and supports only the TLS protocols. If this setting is enabled, the TLS/SSL Security Provider uses only FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hash Algorithm family (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.
Summary
Enable FIPS Compliant algorithms via Registry
You can force FIPS compliance on all software by changing the value of the following registry key from 0 to 1:
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
Enable FIPS Compliant algorithms via Local Security Policy
You can alternatively force FIPS compliance via Local Security Policy. Follow the steps below to configure FIPS-compliant algorithms on the local computer.
1. Open Local Security Policy by running the command secpol.msc.
2. In the Local Security Policy Editor, under the Local Policies node, click Security Options.
3. In the right-hand pane, find the setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
4. Double-click the policy setting System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing, select Enabled, and click Apply to complete the FIPS compliance configuration.
How to develop a software to support FIPS Compliance
When developing software, we need to use FIPS-validated cryptographic algorithms for encryption, hashing, and signing. Otherwise, the application fails with the following error when run on a system with FIPS compliance enabled:
Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms
Fix for RijndaelManaged:
The RijndaelManaged class is NOT a FIPS-compliant class. Use the AesCryptoServiceProvider class instead, which is the FIPS-compliant equivalent of RijndaelManaged.
Refer to this link: http://blogs.msdn.com/b/winsdk/archive/2009/11/04/is-rijndaelmanaged-class-fips-complaint.aspx
Fix for SHA256Managed:
The SHA256Managed class is NOT a FIPS-compliant class. Use the SHA256CryptoServiceProvider class instead, which is the FIPS-compliant equivalent of SHA256Managed.
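The following .NET Framework console program is an added example (not code from the original article) that puts both fixes together: it reads the FIPS policy through CryptoConfig.AllowOnlyFipsAlgorithms, which is backed by the registry value described above, hashes and encrypts with the CSP-backed classes, and shows the InvalidOperationException the managed class raises when the policy is on. The input data is constructed for the demo; the key and IV are generated fresh each run.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class FipsDemo
{
    // True when HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled is 1.
    static bool FipsPolicyEnabled() => CryptoConfig.AllowOnlyFipsAlgorithms;

    // CSP-backed SHA-256: allowed whether or not the FIPS policy is enabled.
    static byte[] Sha256Fips(byte[] data)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return sha.ComputeHash(data);
    }

    // CSP-backed AES (the FIPS replacement for RijndaelManaged), AES-256-CBC with PKCS7 padding.
    static byte[] AesEncryptFips(byte[] plaintext, byte[] key, byte[] iv)
    {
        using (var aes = new AesCryptoServiceProvider { Key = key, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var enc = aes.CreateEncryptor())
            return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enabled: " + FipsPolicyEnabled());

        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");   // constructed test data
        Console.WriteLine("SHA-256 (CSP):     " + BitConverter.ToString(Sha256Fips(data)));

        // The managed class is the one the article warns about: with the policy on,
        // its constructor throws "This implementation is not part of the Windows
        // Platform FIPS validated cryptographic algorithms."
        try
        {
            using (var managed = new SHA256Managed())
                Console.WriteLine("SHA-256 (managed): " + BitConverter.ToString(managed.ComputeHash(data)));
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("SHA256Managed rejected: " + ex.Message);
        }

        byte[] key = new byte[32], iv = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(key); rng.GetBytes(iv); }
        Console.WriteLine("AES-256-CBC (CSP): " + BitConverter.ToString(AesEncryptFips(data, key, iv)));
    }
}
```

Run it once with the policy value at 0 and once at 1: the CSP-backed calls succeed both times, while the SHA256Managed branch prints the rejection only when the policy is enabled.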