
I'm currently performing some analysis and one of the finer details that had me puzzled was the following. What is the difference between SHA256Managed and SHA256Cng in regards to SHA256Cng meeting FIPS 140-2 compliance? I know the outputs from both hashing algorithms are identical, but I was hoping someone could provide me a more detailed explanation as to what deems it to be FIPS 140-2 compliant.

R007

1 Answer


FIPS compliance doesn't just mean that the output is validated; it also means that you perform, e.g., startup tests to see if the algorithm works as intended. So there is an implementation part to it as well:

From FIPS 140:

  • Required and optional interfaces. Specification of all interfaces and of all input and output data paths.
  • Power-up tests: cryptographic algorithm tests, software/firmware integrity tests, critical functions tests. Conditional tests.
  • Configuration management system. Secure distribution. Functional specification.

FIPS 140 compliance is for cryptographic modules. The hashing is just a small part of it. It doesn't just target functionality, but also how it has been designed, documented, maintained, etc.

Maarten Bodewes
  • Thanks for the input, that makes more sense. I was hoping someone would know the exact specifics of what differs between the two based on the criteria you listed from FIPS 140 though. – R007 Jan 19 '17 at 15:39
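The practical difference the question is asking about can be observed directly. The following is an added example, not code from the question or the answer above: it targets the .NET Framework on Windows and shows two things. First, all three SHA-256 implementations produce the same digest for the NIST FIPS 180-4 known-answer vector SHA-256("abc"), so the known-answer check stands in for the "power-up cryptographic algorithm test" the answer mentions. Second, when the Windows FIPS policy is enforced (the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled set to 1, surfaced in .NET as CryptoConfig.AllowOnlyFipsAlgorithms), constructing SHA256Managed throws InvalidOperationException because it is a pure managed implementation that is not part of a validated module, while SHA256Cng (backed by the CNG bcryptprimitives module) and SHA256CryptoServiceProvider (backed by the CAPI provider) continue to work. The class and method names below (FipsHashDemo, TryImplementation) are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class FipsHashDemo
{
    // NIST FIPS 180-4 known-answer test vector: SHA-256("abc").
    const string KatInput = "abc";
    const string KatExpected =
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

    // Constructs one SHA-256 implementation and runs a known-answer self-test
    // against it. A validated module performs an equivalent test at power-up
    // before it is allowed to produce any output; here it only illustrates
    // that the three implementations are functionally interchangeable.
    static string TryImplementation(string name, Func<SHA256> factory)
    {
        try
        {
            using (SHA256 sha = factory())
            {
                byte[] digest = sha.ComputeHash(Encoding.ASCII.GetBytes(KatInput));
                string hex = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
                bool katPassed = string.Equals(hex, KatExpected, StringComparison.Ordinal);
                return string.Format("{0,-28} KAT {1}: {2}", name, katPassed ? "pass" : "FAIL", hex);
            }
        }
        catch (InvalidOperationException ex)
        {
            // With the FIPS policy enabled, the .NET Framework refuses to
            // instantiate non-validated implementations such as SHA256Managed
            // and throws here; the CNG and CSP wrappers are unaffected.
            return string.Format("{0,-28} blocked by FIPS policy: {1}", name, ex.Message);
        }
    }

    static void Main()
    {
        // Reflects HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        Console.WriteLine(TryImplementation("SHA256Managed", () => new SHA256Managed()));
        Console.WriteLine(TryImplementation("SHA256Cng", () => new SHA256Cng()));
        Console.WriteLine(TryImplementation("SHA256CryptoServiceProvider",
                                            () => new SHA256CryptoServiceProvider()));
    }
}
```

Run it once with the policy off and once with it on (the registry change needs administrator rights, and a process reads the policy at startup) to see the first line flip and SHA256Managed go from a passing KAT to an InvalidOperationException. Note that this enforcement is a .NET Framework behaviour; .NET Core and later mark SHA256Managed obsolete but do not throw, so the check is not a substitute for choosing the validated implementation deliberately.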