EldoS | Feel safer!

Software components for data protection, secure storage and transfer

FIPS Compliance Mode for WIndows - SBB v7

Posted: 03/03/2009 13:32:50
by Seth Lowrey (Priority Standard support level)
Joined: 03/03/2009
Posts: 3

We are developing a product using SBB (specifically PKI black box) and our client is requiring FIPS 140-2 compliance. We noticed in the pre-release of version 7 that you support FIPS compliance mode for Windows, which might ensure that our product is FIPS 140-2 compliant if you can assure us that you are using the Microsoft cryptography modules that are FIPS compliant. Will you be able to supply a signed letter stating that PKI Black Box incorporates a validated cryptographic module (Windows cryptography providers) and ONLY these modules for cryptography functions, and reference the validation certificate number of the Windows modules -- see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

The Windows modules appear to be RSAENH, DSSENH, and FIPS.SYS

Seth Lowrey
Sent Software, Inc

Posted: 03/04/2009 04:53:02
by Eugene Mayevski (Team)

We can only assure that the library makes calls to certain Windows API functions with certain parameters - nothing more. It's up to software developer to check that the destination system has proper versions of modules and that the calls actually go to those modules. This is beyond our control and we can't guarantee this.

Sincerely yours
Eugene Mayevski
Posted: 03/05/2009 11:50:24
by Seth Lowrey (Priority Standard support level)
Joined: 03/03/2009
Posts: 3

Thanks for the reply,
In the Windows version, do you use Cryptographic functions other than those provided by Windows -- i.e. other third party, open source, or in-house developed cryptographic functions?
What are the cryptographic Windows API functions that the library calls?

For FIPS compliance we must verify what is being used to implement the cryptography. If you are using the standard Windows API functions for all your cryptographic services, then we are going to be able to establish FIPS compliance. If you are using other functions for cryptography, in addition to the Windows API functions, then we may not be able to establish FIPS compliance.

Thanks for your help!
Seth Lowrey
Posted: 03/05/2009 12:52:02
by Eugene Mayevski (Team)

Originally SecureBlackbox had all [cryptographic] functions implemented internally. Then, back in SecureBlackbox 5, we have introduced the concept of cryptoproviders, which act as proxies between higher-level protocol implementations and cryptographic functions. Default cryptoprovider gives access to everything we have in SecureBlackbox. Custom cryptoproviders (such as Win32 or PKCS#11 cryptoprovider) have limited functionality. FIPS cryptoprovider provides access only to FIPS-"compliant" modules. In FIPS mode we replace the default cryptoprovider with FIPS one and the calls go to CryptoAPI. That's all. We don't control, what CryptoAPI does.

As a registered customer you have access to the source code. I think you can browse it for more information and if you have questions regarding the source code, please post them to the HelpDesk and we will assist you.

There's on thing though - even the modules, declared as FIPS-compliant in Windows are not always FIPS-compliant. I'll quote the words of our competitor (Henrick Hellström <henrick@streamsec.se>) here:

"Additionally, even if the full CryptoAPI
*is* available on the target system, there is no guarantee that it is in
fact FIPS 140 certified on *that* particular target system. For
instance, CryptoAPI in beta versions of Windows aren't certified, and
neither is any CryptoAPI clone under e.g. Wine. There is also no
guarantee that Microsoft won't release a new version (in either a
Windows Update or a new version of Windows) *before* it is certified.
Hence, using CryptoAPI means that you effectively hand over the
responsibility for verifying that a FIPS 140 certified module is being
used, to the end user.".

I can't say better.

Sincerely yours
Eugene Mayevski
Posted: 03/10/2009 14:03:35
by Alex Rogers (Priority Standard support level)
Joined: 07/08/2008
Posts: 6

How do you determine if you are running in FIPS mode? In the code, how do we set it to use a FIPS cryptoprovidor as opposed to the default? I am using the prerelease version 7 of PKIBlackBox for .net.

Is there any documentation for the fips code anywhere?

Posted: 03/10/2009 15:10:26
by Ken Ivanov (Team)

As Eugene said (citing the words of Henrick Hellström), it is not possible to detect if CryptoAPI modules installed on a particular machine are really FIPS-compliant. Although they really are for certain versions of Windows (release versions of Windows XP, 2003, Vista and 2008), there's no guarantee that they were not substituted with non-FIPS-compliant modules on a particular system. SecureBlackbox just loads the modules that are described as FIPS-compliant in official Microsoft guidelines.

The documentation for FIPS compliance mode is not ready yet. FIPS mode can be activated in two ways, global and local. To enable FIPS compliance mode for all SecureBlackbox classes, set SBCryptoProvManager.Unit.DefaultCryptoProviderManager.EngineType property to SBCryptoProvManager.TSBCryptoEngineType.cetFIPS. FIPS mode for a particular class can be set by assigning the SBCryptoProvManager.Unit.FIPSCompliantCryptoProviderManager object to the CryptoProviderManager property of the needed object (e.g., TElSimpleSSHClient.CryptoProviderManager).

Please note, that FIPS mode is only supported by PKI, PDF, SSH and XML components.
Posted: 03/11/2009 12:04:20
by Alex Rogers (Priority Standard support level)
Joined: 07/08/2008
Posts: 6

Thanks again.

Now I am getting a "feature not available" when I try to run the generate command of a SBX509Ex.TElX509CertificateEx. this was working before I enabled the FIPS mode. Is there a list of available functions that I can use to recreate how my software will generate certificates?

Posted: 03/11/2009 13:53:41
by Ken Ivanov (Team)

Certificate generation is not supported in FIPS mode at the moment, sorry.
Posted: 03/12/2009 00:32:16
by Seth Lowrey (Priority Standard support level)
Joined: 03/03/2009
Posts: 3

I would hope this is planned for the final V7 release. Very little can be accomplished with a PKI solution without certificate generation. If this is not planned for v7, please let us know. If it is planned, please let us know if you have an estimated time that it will be ready to preview.
Posted: 03/12/2009 13:21:46
by Ken Ivanov (Team)

This is actually planned for 7.1. It is likely that this functionality will be available in one of the first 7.1 beta builds (by the end of April).



Topic viewed 3807 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!