Microsoft and FIPS
FIPS is the Federal Information Processing Standard, a body of standards defined by the US National Institute of Science and Technology, NIST and the world’s foremost national standards body. NIST has provided guidance on information processing standards for more than a century, since its founding in 1901 as a non-regulatory federal agency within the US Department of Commerce. NIST help manage a variety of standards spanning all industry of interest to the Department of Commerce and thus help in establishing internationally recognized measures and protocol standards for all engineering, scientific, medical and computer systems.
Since before the inception of the information assurance industry, NIST has partnered with various other agencies including the US NSA in the development of the Common Criteria for Information Systems Assurance, the adoption of the Digital Encryption Standard (DES) a recognized international cryptography standard, and in the development and adoption of DES ultimate successor; the Advanced Encryption Standard (AES).
In the mid 1990s, with the growing recognition by the US government of the increasing vulnerabilities various government agencies face as they move towards widespread adoption of information systems, NIST was tasked with developing the FIPS to provide basic guidance to the various government agencies and those doing business with them. Since 1994, NIST has been publishing various FIPS to address specific assurance domain. The FIPS 140-1 was released in 1995 and FIPS 140-2 in 2002 and FIPS 140-3 was released in 2005.
The FIPS provide basic guidance regarding the types of encryption schemes, the general nature of implementation and a verification and certification process for determining compliance.
Cryptographic implementation in software systems could be complex and difficult to verify. But since much of the security of computer systems depend on the proper implementation of these scheme, the availability of standards to which various implementations can be verified and certified is essential for the protection of critical data and infrastructure. FIPS provide this basic assurance for systems intended to be deployed by agencies of the United States and has become the defacto framework for all other serious security efforts, particularly by major software vendors.
Software vendors rely on various cryptographic schemes in their software to implement security features such as password protection, authentication schemes, digital certificates, digital signature and many more. Operating Systems vendors such as Microsoft, particularly have a great responsibility for deploying highly reliable cryptographic framework on which all other software running on their OS can be built. In the past, Microsoft, like most other software vendors have pied lip service to security, implementing a whatever goes security strategy, that for most of the late 1990s and early 21st century left users and business vulnerable to myriads of security attacks.
Since 2002, Microsoft has made progress in developing its cryptographic framework for FIPS validation and has achieved such validation for many of its software products. In 2005, Microsoft in a news release committed to FIPS standards in the release of its future platforms including Windows 2003 and beyond. With the release of Windows Vista and the subsequent service pack upgrades to Windows 2003 R2, Windows XP and others, Microsoft Cryptographic framework for all supported platform now include FIPS 140-2 compliant implementation.
The FIPS efforts by Microsoft means it now implements a validated set of cryptographic framework that include some basic assurance. Many third party software vendors however, continue to target older versions of Microsoft Cryptographic framework. Since the introduction of .NET framework, third-party applications targeted at Microsoft OS increasingly rely on the .NET framework; which also includes Microsoft’s implementation of its cryptographic container or a connected to a kernel based implementation. Since third-party providers can target a given version of .NET framework, many have stayed several versions behind the Microsoft’s latest versions. version 2.0 and above of .NET framework have kept pace with Microsoft’s FIPS promises and this is a known cause of software incompatibility for many third-party application.
It is important to know that while these third-party software incompatibilities can be addressed by simple work-arounds, they are indeed a pointer to the vendors to update their implementations to meet the more recent definitions.
In the event that you run into error messages pointing to a FIPS related issue, we advise that you contact the software vendor to encourage them to upgrade their implementation to .NET version 3.0 and above and ensure that their cryptographic implementations are compliant with Microsoft’s framework definitions.
References
Microsoft KB entry on FIPS error
Microsoft List of FIPS Publications
