How does Windows determine if an algorithm is FIPS compliant?

When a Windows installation is set to enforce FIPS-compliant algorithms, and an application running on that machine uses a FIPS-incompatible algorithm, an exception is thrown in that application saying that the algorithm is not part of the Windows FIPS implementation. I saw someone bypass this FIPS validation by commenting out the check in the application code. If that can be done, is it really FIPS compliant?

How does windows detect if an application is using a FIPS compliant algorithm or not?

1 answer


Algorithms are provided by libraries built into Windows or by products supplied by Microsoft; they contain both compliant and non-compliant algorithms.

When your code calls the built-in libraries, these libraries check the Windows settings and throw an exception if those libraries are installed.

Here is an example of the check inside SHA256Managed:

    // Constructor of the pure-managed SHA-256 implementation in the .NET Framework.
    public SHA256Managed()
    {
    #if FEATURE_CRYPTO
        // CryptoConfig.AllowOnlyFipsAlgorithms reflects the Windows FIPS policy setting.
        // A managed (non-validated) implementation refuses to construct when it is on.
        if (CryptoConfig.AllowOnlyFipsAlgorithms)
            throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
        Contract.EndContractBlock();
    #endif // FEATURE_CRYPTO

        // Normal hash state setup follows only when the policy check passed.
        _stateSHA256 = new UInt32[8];
        _buffer = new byte[64];
        _W = new UInt32[64];

        InitializeState();
    }


If you use a third-party implementation or create your own version of the algorithm, Windows will not detect that you are using non-FIPS-compliant algorithms on a system with this preset.

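As an added example (not code from the original answer) that takes the answer's last point one step further: a small .NET Framework console program that tries to construct the built-in SHA-256 implementations beside a hypothetical home-grown, non-validated hash (an FNV-1a class named HomeGrownFnv1a, written for this example), showing that the only policy check a custom class gets is the one its author puts into its constructor, exactly as SHA256Managed does above.

```csharp
using System;
using System.Security.Cryptography;

// Added example for .NET Framework, not code from the original post. HomeGrownFnv1a is a
// hypothetical custom, non-validated hash: neither Windows nor .NET can recognise it as
// non-compliant, so the policy guard only exists if its author writes it in by hand.
public sealed class HomeGrownFnv1a : HashAlgorithm
{
    private ulong _h;
    public HomeGrownFnv1a()
    {
        // The same guard SHA256Managed applies; drop it and the policy is silently ignored.
        if (CryptoConfig.AllowOnlyFipsAlgorithms)
            throw new InvalidOperationException("FNV-1a is not a FIPS-approved algorithm");
        HashSizeValue = 64;
        Initialize();
    }

    public override void Initialize() => _h = 14695981039346656037UL; // FNV-1a 64-bit offset basis

    protected override void HashCore(byte[] data, int offset, int count)
    {
        for (int i = offset; i < offset + count; i++)
            _h = (_h ^ data[i]) * 1099511628211UL;                    // FNV-1a 64-bit prime
    }

    protected override byte[] HashFinal() => BitConverter.GetBytes(_h);
}

public static class FipsProbe
{
    public static void Main()
    {
        Console.WriteLine("AllowOnlyFipsAlgorithms = " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Report("SHA256Managed (pure managed, self-checks)", () => new SHA256Managed());
        Report("SHA256CryptoServiceProvider (CAPI, validated)", () => new SHA256CryptoServiceProvider());
        Report("SHA256Cng (CNG, validated)", () => new SHA256Cng());
        Report("HomeGrownFnv1a (custom, guarded by hand)", () => new HomeGrownFnv1a());
    }

    // Construct one implementation and report whether the FIPS policy blocked it.
    private static void Report(string label, Func<HashAlgorithm> factory)
    {
        try
        {
            using (HashAlgorithm h = factory())
                Console.WriteLine("{0}: constructed, {1}-bit output", label, h.HashSize);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("{0}: blocked by policy ({1})", label, ex.Message);
        }
    }
}
```

With the FIPS policy enabled, the two validated wrappers construct normally while SHA256Managed and the guarded custom class are refused; remove the guard from HomeGrownFnv1a and it constructs regardless, which is all the operating system ever sees of a third-party or hand-written algorithm.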