CryptoAPI FIPS 140-2  
technica





Posted: Visual C# General, CryptoAPI FIPS 140-2

Does anyone know with authority if the CryptoAPI is 140-2 certified?

For example, if I create an application that uses Microsoft's CryptoAPI, i.e. key exchange (Diffie/Hellman), data encryption, etc., will my application be 140-2 certified, validated or compliant?

I have read some blogs stating CryptoAPI is 140-2 certified, but when I go to the NIST database I do not see it as a listed certification, at least a 140-2 certification.

As a note: I see that the FIPS.SYS is 140-2 certified, but only for Windows Server 2003, and the last certification for the CryptoAPI, number 103 from the NIST database, is for 140-1.

Thanks



 
 
James Manning - MSFT






A quick search returns this page:

http://www.microsoft.com/technet/archive/security/topics/issues/fipseval.mspx?mfr=true

From there it looks pretty clear that using the CryptoAPI to call the Windows services passes as long as the provider you're using is one of the ones that passes (and it looks like most of the shipped ones do, based on the lists higher in the page):

In addition, the evaluated User Mode CSPs can be invoked via standard Windows APIs (CryptoAPI). Thus, third party and end-user developed software that requires cryptographic services can call on the services provided by the FIPS-140-1 or FIPS 140-2 (as appropriate) User Mode CSPs in the operating systems.
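
An added C# example (not part of the thread or of Microsoft's page) of the point in the reply above: name the CSP explicitly when calling through CryptoAPI and confirm at run time which provider actually serviced the call. The provider type and name are assumptions used for illustration; substitute the CSP listed on the validation certificate that covers your Windows version.

```csharp
using System;
using System.Security.Cryptography;

static class CspProviderCheck
{
    // Assumed sample values: provider type 24 is PROV_RSA_AES, and the name
    // below is one of the CSPs shipped with Windows. Replace both with the
    // provider named on the certificate you are relying on.
    const int ProviderType = 24;
    const string ExpectedProvider =
        "Microsoft Enhanced RSA and AES Cryptographic Provider";

    static int Main()
    {
        // Reports whether the runtime is enforcing the Windows
        // "use FIPS compliant algorithms" policy on this machine.
        Console.WriteLine("FIPS policy enforced: {0}",
            CryptoConfig.AllowOnlyFipsAlgorithms);

        // Ask CryptoAPI for a specific CSP instead of the machine default.
        CspParameters csp = new CspParameters(ProviderType, ExpectedProvider);

        using (RSACryptoServiceProvider rsa =
                   new RSACryptoServiceProvider(2048, csp))
        {
            // Throwaway key for the check only; do not leave it in the CSP.
            rsa.PersistKeyInCsp = false;

            // Read back what CryptoAPI actually bound the key to.
            string actual = rsa.CspKeyContainerInfo.ProviderName;
            Console.WriteLine("Provider in use: {0}", actual);

            // Fail closed if anything other than the expected CSP answered.
            if (!string.Equals(actual, ExpectedProvider,
                               StringComparison.Ordinal))
            {
                Console.Error.WriteLine("Unexpected CSP; refusing to continue.");
                return 1;
            }
        }
        return 0;
    }
}
```

The check shows only which CSP handled the call; whether that CSP and Windows version are validated still has to be confirmed against the certificate list.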