Cryptographic Services and FIPS Compliance in Windows Mobile 5.0 and Windows Mobile 6


Windows Mobile supports the technologies required for Federal Information Processing Standard (FIPS) compliance. FIPS certification is required for selling products to the federal government. Some security-sensitive industries such as finance and insurance, have also adopted FIPS certification.

FIPS 140-1 and its successor, FIPS 140-2, are U.S. Government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.

An evaluation process administered by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation (CMV) Program ( allows encryption product vendors to demonstrate the extent of their compliance with the standards, and thus the trustworthiness of their implementations.


NIST CMV as of May 26, 2002 accepts validation test reports for cryptographic modules against only FIPS 140-2. However, it states on the CMV program Web page that "agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002."

The following Cryptographic Service Providers have completed U.S. Government FIPS 140-2, level 1:

  • Windows CE Enhanced Cryptographic Service Provider 5.0
  • Windows CE Enhanced Cryptographic Service Provider 5.01 (this is the default for Windows Mobile-powered devices, and the certificate is listed in the security policy of the Windows CE certificate (

Applications make use of cryptographic modules to perform cryptographic operations. As long as they use of FIPS certified crypto modules and FIPS approved algorithms, and are run on FIPS capable operating systems, then they are automatically FIPS complaint. There is no need for additional certifications.

The following table shows examples of components that are Windows CE Enhanced Cryptographic Service Provider 5.01 FIPS compliant.

FIPS Compliant Description

Active Sync

Microsoft ActiveSync provides support for synchronizing data between a Windows-based desktop computer and Windows Embedded CE-based devices.


Extensible Authentication Protocol (EAP) provider for MD5 Challenge Handshake Authentication Protocol (CHAP).

EAP allows third-party authentication applications to interact with the Point-to-Point Protocol (PPP).

CHAP is an encrypted authentication mechanism that avoids transmission of the actual password on the connection.


Extensible Authentication Protocol Over LAN implements the state machine for 802.1x authentication. It facilitates the sending and receiving of packets on the network and receives network status and configuration information, and registers with the EAP framework for provider-specific operations.


IPSEC family of protocols that can be used for IETF standard end-to-end encryption with Windows 2000, Windows XP, or Windows Server 2003 systems, including:

  • L2TP/IPSec VPN client and server for remote access
  • L2TP/IPSec tunnels for gateway-to-gateway VPN connections
  • IPSec tunnels for gateway-to-gateway VPN connections


Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is an encrypted authentication mechanism very similar to CHAP, except it is supported by both PPP and EAP.


NTLM is a Windows challenge response authentication system that uses Windows domain credentials for authentication.


Point-to-Point Protocol (PPP)

RSAENH module

The certification applies to RSAENH cryptographic service provider module (rsaenh.dll).

Applies to Windows Mobile 6:

The RSAENH crypto module certified is an updated version of the module that shipped with CE 5.0.

Windows Mobile uses the same RSAENH crypto module as CE 5.01. Hence Windows Mobile is FIPS capable. Currently the certificate does not explicitly mention Windows Mobile as a tested operational environment.

The FIPS certificate for RSAENH can be found at this Web site:

S/MIME protocol

S/MIME e-mail encryption protocol that is used to protect the confidentiality and integrity of e-mail messages

Applies to Windows Mobile 5.0 with MSFP:

When configured to encrypt outgoing messages with 3DES, the S/MIME e-mail encryption protocol that is used to protect the confidentiality and integrity of e-mail messages is FIPS-140 compliant.

Schannel (SSL)

Microsoft Remote Desktop Protocol (RDP) 5.2, or later, of Terminal Service Client, which is available from Windows Server 2003 and runs on a Windows XP or later machine, connecting to a Terminal Server session on a Windows 2003 Server configured for FIPS-compatible encryption


SQL Tabular Data Stream (TDS) protocol that is used with the Windows TLS/SSL Security Provider between SQL clients and SQL Server 2000, or later

TLS protocol

The IETF RFC 2246 Transport Layer Security (TLS) protocol that is used between the Web browser (Internet Explorer) and Web server (Internet Information Server)

Terminal Services Client

Supports the user interface for Windows Terminal Server and Remote Desktop Protocol (RDP).

It is software that enables a device to access Windows-based applications on the Terminal Server.

Third party and end-user-developed software that requires cryptographic services can call on the CryptoAPI to invoke this cryptographic service provider.

See Also


Security Model for Windows Mobile 5.0 and Windows Mobile 6