
When the Windows setting to force the use of FIPS compliant algorithms is turned on, and an application that uses a non-FIPS compliant algorithm is running on that machine, an exception is thrown in that application saying something like it is not part of the Windows FIPS implementation... I have seen someone bypass the FIPS check by commenting out this check in the application code. If one can do this, is this really FIPS compliant?

How does Windows detect whether an application is using a FIPS compliant algorithm or not?

sethu
Here is some reading from Microsoft you might be interested in: "[Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/)" – Scott Chamberlain May 11 '17 at 20:14

1 Answer


The algorithms are provided by libraries built into Windows or by products shipped by Microsoft; they contain both compliant and non-compliant algorithms.

When your code calls into those built-in libraries, those libraries contain the check for the Windows setting and will throw an exception if that setting is turned on.

Here is an example of the check inside of SHA256Managed:

    public SHA256Managed()
    {
    #if FEATURE_CRYPTO
        // The check is a library-level flag read from the Windows policy setting;
        // the managed SHA-256 code is not part of a validated module, so the
        // constructor refuses to run when the flag is on.
        if (CryptoConfig.AllowOnlyFipsAlgorithms)
            throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
        Contract.EndContractBlock();
    #endif // FEATURE_CRYPTO

        // Normal initialisation of the managed SHA-256 state follows.
        _stateSHA256 = new UInt32[8];
        _buffer = new byte[64];
        _W = new UInt32[64];

        InitializeState();
    }

If you use a 3rd-party implementation or write your own implementation of an algorithm, Windows will not detect that you are using a non-FIPS compliant algorithm on a system with that setting turned on.

Scott Chamberlain
Thanks Scott. So it is our responsibility to make sure they are compliant and not that Operating System can force it always. Thank you for educating. – sethu May 15 '17 at 14:38
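An added example, not part of the answer above or of the .NET sources: a small probe for .NET Framework on Windows that constructs several built-in implementations and records which ones the library refuses when the policy flag is on, showing that the gate lives in the managed constructors rather than in the OS. It assumes a reference to System.Core for the Cng classes; the `FipsPolicyProbe` name and the set of classes probed are my choices.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper class (not from the answer) for auditing a host.
static class FipsPolicyProbe
{
    // The same library-level flag SHA256Managed's constructor consults.
    // It mirrors the Windows policy setting; nothing in the OS inspects
    // hashing code that an application implements itself.
    public static bool PolicyEnabled => CryptoConfig.AllowOnlyFipsAlgorithms;

    // Try each constructor. "blocked" means the library threw because of the
    // policy; "constructed" means that class performs no check of its own.
    public static IDictionary<string, string> Probe()
    {
        var factories = new Dictionary<string, Func<IDisposable>>
        {
            ["SHA256Managed (managed C# code)"]    = () => new SHA256Managed(),
            ["SHA256Cng (CNG-backed)"]             = () => new SHA256Cng(),
            ["SHA256CryptoServiceProvider (CAPI)"] = () => new SHA256CryptoServiceProvider(),
            ["AesManaged (managed C# code)"]       = () => new AesManaged(),
            ["AesCryptoServiceProvider (CAPI)"]    = () => new AesCryptoServiceProvider(),
        };
        var results = new Dictionary<string, string>();
        foreach (var kv in factories)
        {
            try
            {
                using (kv.Value()) { results[kv.Key] = "constructed"; }
            }
            catch (InvalidOperationException ex)
            {
                // The exception path shown in the SHA256Managed source above.
                results[kv.Key] = "blocked: " + ex.Message;
            }
        }
        return results;
    }

    // The supported remediation for an application that hits the exception:
    // select an implementation backed by a validated OS module instead of
    // removing the check from the managed class.
    public static HashAlgorithm CreateSha256() =>
        PolicyEnabled ? (HashAlgorithm)new SHA256Cng() : new SHA256Managed();

    static void Main()
    {
        Console.WriteLine("AllowOnlyFipsAlgorithms = " + PolicyEnabled);
        foreach (var kv in Probe())
            Console.WriteLine(kv.Key + " -> " + kv.Value);
    }
}
```

Run it once with the policy off and once with it on: only the managed classes change from "constructed" to "blocked", which is the whole extent of what the setting enforces.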