FIPS 140 Evaluation
Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are US Government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system. An evaluation process that is administered by National Institute of Standards and Technology's (NIST) Cryptographic Module Validation (CMV) Program (http://csrc.nist.gov/cryptval/) allows encryption product vendors to demonstrate the extent to which they comply with the standards, and thus the trustworthiness of their implementations. Some US Government agencies purchase only FIPS 140-1 or FIPS 140-2 evaluated encryption products. However, the security community at large values products that have completed this evaluation, as it carries the imprimatur of an independent third party.
While NIST CMV accepts validation test reports for cryptographic modules against only FIPS 140-2 as of May 26, 2002, it states on the CMV program web page that “agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002”.
Microsoft intends to submit cryptographic modules shipping with future Windows Operating System platforms for validation testing against FIPS 140-2. Microsoft also intends to maintain the FIPS 140-1 or FIPS 140-2 (as appropriate) validation status of cryptographic modules already shipped with Windows XP and Windows Server 2003 via their service packs (which may require updates of the cryptographic modules, where necessary).
Four Microsoft cryptographic software components have completed the US Government FIPS 140-1 or FIPS 140-2 (as appropriate) evaluation process. These components are in turn used by a variety of Microsoft products running on a variety of operating system platforms. The Microsoft cryptographic software components, that have completed FIPS-140-1 or FIPS 140-2 (as appropriate) evaluation, are
| • | The two Microsoft default cryptographic services providers (CSPs) |
| • | The Windows Kernel Mode Cryptographic Module |
| • | The Exchange Cryptographic Services provider (CSP) |
These evaluated components provide the cryptographic services that are used to secure a variety of protocols across a number of Microsoft products. The products that incorporate these components include:
| • | Windows 98 (default CSPs) |
| • | Windows NT Version 4.0 (default CSPs) |
| • | Windows 2000 (default CSPs and Kernel Mode Cryptographic Module) |
| • | Windows XP (default CSPs and Kernel Mode Cryptographic Module) |
| • | Windows Server 2003 (default CSPs and Kernel Mode Cryptographic Module) |
| • | Internet Explorer when running as a component of Windows 98, Windows NT Version 4.0, Windows 2000, Windows XP, Windows Server 2003 |
| • | Internet Information Server Versions 4, 5, and 6 |
| • | Microsoft Outlook using the Exchange Cryptographic Services provider when running on Windows 98, Windows NT Version 4.0, Windows 2000, or Windows XP |
| • | Windows 2000 and Windows Server 2003 Public Key Certificate Server |
| • | Live Communications Server 2005 and Windows Messenger 5.1 use the Windows platform FIPS-140 compliant TLS/SSL Security Provider for communication security (i.e. encryption, decryption, and authentication) |
| • | .NET Framework using the DESCryptoServiceProvider, TripleDESCryptoServiceProvider, SHA1CryptoServiceProvider, RSACryptoServiceProvider, DSACryptoServiceProvider, and RNGCryptoServiceProvider classes as they simple redirect of the caller requests to the Windows Platform FIPS-140 validated crypto modules |
The protocols whose cryptographic processing takes advantage of the components that have completed FIPS-140-1 or FIPS 140-2 (as appropriate) evaluation include:
| • | The IETF RFC 2246 Transport Layer Security (TLS) protocol that is used between web browser (Internet Explorer) and web server (Internet Information Server); | ||||||
| • | The IPSEC family of protocols that may be used for IETF standard end-to-end encryption with Windows 2000, XP, or Server 2003 systems, which includes
| ||||||
| • | The S/MIME email encryption protocol that may be used to protect the confidentiality and integrity of email messages; | ||||||
| • | The SQL TDS (Tabular Data Stream) protocol that is used with the Windows TLS/SSL Security Provider between SQL clients and SQL SERVER 2000 or above; | ||||||
| • | The Microsoft Remote Desktop Protocol (RDP) 5.2 (or above) of Terminal Service Client (available from Windows Server 2003) running on a Windows XP (or above) machine, connecting to a Terminal Server session on a Windows 2003 Server that is configured for FIPS-compatible encryption; | ||||||
| • | The SMS 2003 SP1 Management Protocol between SMS Advanced Clients running on Windows 2000 SP2 or above and SMS Management Point Servers running on Windows 2000 SP3 or above in deployment environments that use Windows Active Directory for public key certificates repository and look up; |
In Windows XP and later product releases (including Windows Server 2003), a new Group Policy managed security option called “system cryptography: Use FIPS compliant algorithms for encryption” is provided so that administrators will have an easier way to configure specific Windows XP protocol services for FIPS 140 compliance.
In addition, the evaluated User Mode CSPs can be invoked via standard Windows APIs (CryptoAPI). Thus, third party and end-user developed software that requires cryptographic services can call on the services provided by the FIPS-140-1 or FIPS 140-2 (as appropriate) User Mode CSPs in the operating systems. Components of Windows such as the Windows 2000, Windows XP, or Windows Server 2003 data protection API also use FIPS-140-1 or FIPS 140-2 (as appropriate) evaluated CSPs to protect private keys; for example, the Windows 2000, XP, or Server 2003 Encrypting File System (EFS) uses evaluated CSPs to protect file encryption keys that are included in the EFS data decryption and data recovery fields.
Both IPSEC and EFS in Windows 2000, XP, and Server 2003 use the FIPS-140-1 or FIPS 140-2 (as appropriate) evaluated Kernel Mode Cryptographic Module to encrypt the traffic packet data and file contents respectively if configured appropriately with the selections of FIPS compliant algorithms.
The officially assigned numbers of the FIPS 140 certificates that have been awarded to Microsoft are 60, 68, 75, 76, 103, 106, 110, 238, 240, 241, 381, 382, 405.
The following table lists supported and FIPS-validated cryptographic algorithm implementations on Microsoft Windows OS Platforms.
FIPS-46-3 | Windows NT4, 2000, XP, Server 2003 rsaenh.dll and dssenh.dll, Windows 2000, XP, Server 2003 fips.sys |
FIPS-46-3 | Windows NT4, 2000, XP, Server 2003 rsaenh.dll and dssenh.dll, Windows 2000, XP, Server 2003 fips.sys |
FIPS-197 | Windows XP SP1, Windows Server 2003 rsaenh.dll |
FIPS-186-2 | Windows NT4, 2000, XP, Server 2003 dssenh.dll |
FIPS-186-2 | Windows NT4, 2000, XP, Server 2003 rsaenh.dll |
FIPS-180-2 | Windows NT4, 2000, XP, Server 2003 rsaenh.dll and dssenh.dll, Windows 2000, XP, Server 2003 fips.sys |
FIPS-198 | Windows XP, Server 2003 rsaenh.dll, Windows XP, Server 2003 fips.sys |
For more Information
| • | |
| • | |
| • |
