Behaviour of AesCryptoServiceProvider class with FIPS policy set/ unset
You may want to use a Crypto API for Advanced Encryption Standard that is FIPS 140-2 complaint.
While doing this using managed code you can come across the AesCryptoServiceProvider class that is FIPS complaint. I want to highlight some points before using this class.
- 1. AesCryptoServiceProvider calls the Crypto API, which uses RSAENH.DLL, which has been validated by NIST in the Cryptographic Module Validation Program.
- 2. So it is RSAENH.DLL that is FIPS 140-2 complaint and AesCryptoServiceProvider calls the FIPS version of this DLL.
- 3. Enabling FIPS policy from registry ensures that NON FIPS complaint algorithms will throw an exception saying "Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"
- 4. Of course AesCryptoServiceProvider will work on systems where AES was implemented in RSAENH.DLL which is Windows XP and higher OS's. It will not run on Windows 2000.
Test directly from the above link:
The Microsoft Corporation's Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) is a FIPS 140-2 Level 1 compliant, software-based, cryptographic service provider.
Microsoft CorporationOne Microsoft WayRedmond, WA 98052-6399USA
-Dave Friant TEL: 425-704-7984 FAX: 425-936-7329
Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) (Software Versions: 6.0.6001.22202 and 6.0.6002.18005) (When operated in FIPS mode with Code Integrity (ci.dll) validated to FIPS 140-2 under Cert. #1006 operating in FIPS mode)
Validated to FIPS 140-2
Overall Level: 1
-Operational Environment: Tested as meeting Level 1 with Microsoft Windows Server 2008 (x86 Version); Microsoft Windows Server 2008 (x64 version); Microsoft Windows Server 2008 (IA64 version) (single-user mode)
-FIPS-approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 80 and 150 bits of encryption strength; non-compliant less than 80 bits of encryption strength)
Multi-chip standalone"RSAENH encapsulates several different cryptographic algorithms in an easy-to-use cryptographic module accessible via the Microsoft CryptoAPI. Developers dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support."
Table directly referenced from http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm.
Text directly from the above link:
The Microsoft Corporation's Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) is a FIPS 140-2 Level 1 compliant, software-based, cryptographic service provider.
The Microsoft Enhanced Cryptographic Provider (RSAENH) consists of a single dynamically-linked library (DLL) named RSAENH.DLL (Software version 5.2.3790.4313 [Service Pack 2]) tested on an x86, x64, and ia64 processors, which comprises the modules logical boundary.