2

OpenSSL allows going in and out of FIPS mode. Does the Windows crypto API and the .NET wrapper classes allow a similar function?

I want to enable FIPS mode, sign a document, and then return to normal mode.

Rex Bloom
  • Relevant https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/ not your answer, but it may guide your search. –  Jun 08 '16 at 17:51

2 Answers

3

Unfortunately not; at least, not without some architectural changes.

You can enable/disable FIPS mode by setting a registry value:

HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled (DWORD)

0 is disabled, 1 is enabled

However, there are some limitations: once you load the cryptographic providers into your process, it "remembers" the state of FIPS mode for the rest of the process's lifetime. So code like this would work:

(NOTE: both cases assume that FIPS mode is off at the beginning)

using Microsoft.Win32;
using System.Security.Cryptography;

class Program
{
    static void Main(string[] args)
    {
        // Writing under HKLM requires an elevated (administrator) process
        using (RegistryKey fipsAlgorithmPolicy = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy", true))
        {
            fipsAlgorithmPolicy.SetValue("Enabled", 1, RegistryValueKind.DWord);
        }
        SHA1 sha = new SHA1Managed(); // throws, which is what you want
    }
}

But code like this would not:

using Microsoft.Win32;
using System.Security.Cryptography;

class Program
{
    static void Main(string[] args)
    {
        SHA1 sha = new SHA1Managed(); // Does not throw, which is expected: FIPS mode is still off
        using (RegistryKey fipsAlgorithmPolicy = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy", true))
        {
            fipsAlgorithmPolicy.SetValue("Enabled", 1, RegistryValueKind.DWord);
        }
        sha = new SHA1Managed(); // Also does not throw, which is a shame: the providers were loaded before the change
    }
}

In order for your code to reflect the new state, you'd have to restart your process. With that being said, what you could do is sequester the code that performs the cryptographic routines into a "helper" process that your application spawns after setting FIPS mode. It'd be a bit of a pain to implement, but it would allow you to toggle FIPS mode and have your code behave as expected.

Andy Hopper
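One way to build the helper-process approach this answer describes, as an added example that is not code from the answer: the parent process records the current policy value, enables FIPS mode, re-launches its own executable as a child that does the signing, and then restores the previous value. It assumes .NET Framework on Windows (where the policy is honoured as the answer describes), an elevated parent process because the value lives under HKLM, and the `--sign` argument, the `document.bin` file name and the ad-hoc RSA key are all assumptions of this example.

```csharp
// Added example, not code from the answer. Assumes .NET Framework on Windows
// and an elevated (administrator) parent, since writing under HKLM requires it.
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using Microsoft.Win32;

static class FipsSigner
{
    const string PolicyKey = @"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy";

    static int Main(string[] args)
    {
        // Child role: "--sign <file>" is an argument convention assumed by this example.
        if (args.Length == 2 && args[0] == "--sign")
            return SignInChild(args[1]);

        // Parent role: capture the current policy, enable FIPS, spawn the child, restore.
        int previous = ReadEnabled();
        WriteEnabled(1);
        try
        {
            // Re-launch this same executable; the child loads its crypto providers
            // only after the registry write, so it observes the new policy.
            var psi = new ProcessStartInfo(
                Process.GetCurrentProcess().MainModule.FileName,
                "--sign \"document.bin\"") { UseShellExecute = false };
            using (var child = Process.Start(psi))
            {
                child.WaitForExit();
                return child.ExitCode;
            }
        }
        finally
        {
            WriteEnabled(previous); // return the machine to its previous ("normal") mode
        }
    }

    static int SignInChild(string path)
    {
        // Cheap sanity check before touching any provider: reflects the registry
        // value combined with the application's enforceFIPSPolicy runtime setting.
        if (!CryptoConfig.AllowOnlyFipsAlgorithms)
        {
            Console.Error.WriteLine("FIPS policy is not in effect in this process");
            return 2;
        }

        // RSACryptoServiceProvider and SHA256CryptoServiceProvider wrap the validated
        // CAPI providers, so they are allowed under FIPS policy; SHA256Managed would throw.
        byte[] data = File.ReadAllBytes(path);
        using (var rsa = new RSACryptoServiceProvider(2048)) // ad-hoc key, for illustration only
        {
            byte[] signature = rsa.SignData(data, new SHA256CryptoServiceProvider());
            File.WriteAllBytes(path + ".sig", signature);
            File.WriteAllText(path + ".pub", rsa.ToXmlString(false)); // public key for verification
        }
        return 0;
    }

    static int ReadEnabled()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyKey))
            return (int)(key?.GetValue("Enabled", 0) ?? 0);
    }

    static void WriteEnabled(int value)
    {
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(PolicyKey))
            key.SetValue("Enabled", value, RegistryValueKind.DWord);
    }
}
```

Run the parent from an elevated prompt; only the child, whose providers load after the registry write, sees FIPS mode, and the `finally` block restores the old value even if the child fails. `CryptoConfig.AllowOnlyFipsAlgorithms` is the check to put first, since it reflects the registry value and, on .NET Framework, can be switched off per application with the `<enforceFIPSPolicy enabled="false"/>` runtime element discussed in the other answer.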
0

You can on a per-program basis: setting enforceFIPSPolicy to true in the .NET Runtime Settings Schema specifies that you want to enforce a computer configuration requirement that cryptographic algorithms must comply with the Federal Information Processing Standards (FIPS).

Anon
Kaven Wu
    That documentation appears to indicate that setting is `true` by default, and only acts to enforce FIPS-only mode if the registry key is already enabled; it's not a per-application version of that registry key. Its true purpose appears to be that you can set it to `false` and the registry key setting that "enforces" FIPS-only mode will be ignored by the CLR, thus allowing that application to use non-FIPS-certified cryptographic providers. – Kdawg May 13 '19 at 19:21