TripleDESCryptoServiceProvider FIPS 140-2 合规性

发布于 2024-09-25 21:48:31 字数 1405 浏览 5 评论 0原文

我按以下方式使用 System.Security.Cryptography 的 TripleDESCryptoServiceProvider:

  TripleDESCryptoServiceProvider CreateCipher()
        {
            TripleDESCryptoServiceProvider cipher = new TripleDESCryptoServiceProvider();
            cipher.KeySize = 192;
            cipher.BlockSize = 64;
            cipher.Padding = PaddingMode.ISO10126;
            cipher.Mode = CipherMode.CBC;
            return cipher;
        }

我想知道这是否符合 FIPS 140-2。我发现了许多页面概述了合规性的不同方面,但在我看来,微软是通过平台而不是类别来获得合规性证书的(有道理)。相反,我无法找到任何积极的证据来证明上述密码符合 FIPS 140-2。到目前为止,我发现的最有用的链接:

简而言之,有人知道此类/加密方法属于什么证书编号吗?或者它是特定于平台的? (这就是我正在收集的。)

I am using the System.Security.Cryptography's TripleDESCryptoServiceProvider in the following manner:

  TripleDESCryptoServiceProvider CreateCipher()
        {
            TripleDESCryptoServiceProvider cipher = new TripleDESCryptoServiceProvider();
            cipher.KeySize = 192;
            cipher.BlockSize = 64;
            cipher.Padding = PaddingMode.ISO10126;
            cipher.Mode = CipherMode.CBC;
            return cipher;
        }

I would like to know if this is FIPS 140-2 compliant. I have found numerous pages outlining different aspects of compliance, but it seems to me that Microsoft gets their compliance certificates by the platform, not by the class (make sense). In lieu of that, I have not been able to find any positive confirmation that the above cipher is FIPS 140-2 compliant. So far, the most useful links I have found:

In short, does anybody know what certificate number that this class/encryption method would fall under? Or is it platform specific? (That's what I am gleaning.)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

月下伊人醉 2024-10-02 21:48:31

FIPS 140-2 认证适用于算法和模块。算法实现通过一系列测试用例获得认证。模块在满足所有 FIPS 要求后即可获得认证。其中一项要求是仅使用 FIPS 认证的算法(以及以 FIPS 批准的方式使用非 FIPS 认证的算法,如 Diffie-Hellman 密钥交换)提供加密服务。

Triple-DES 是一种FIPS 认证算法,因此可以获得 FIPS 证书。这只是拼图的一小部分。

下一部分是找出哪个模块提供 Triple-DES,以及该模块是否经过 FIPS 认证。您已链接到 Microsoft 列出所有 FIPS 批准模块的页面。这就是你需要知道的一切。我认为从 Windows Vista 开始,一切最终都会通过 bcrypt.dll 进行。

当然,您可以直接访问来源< /a> 并自行搜索模块。以 Windows Vista 中 Microsoft bcrypt.dll 的证书 #1001 为例。您可以看到该模块已获得其 Triple-DES 实现的算法证书(证书#656),因此您可以从此模块使用 Triple-DES。

那么您如何知道您正在使用经过 FIPS 认证的模块呢? 您在 Windows 中启用 FIPS 模式。如果您不启用 FIPS 模式,则您不会在 FIPS 批准的操作模式中使用 FIPS 认证的算法。在 Windows 上,如果您尝试在 FIPS 模式下使用非 FIPS 算法,则会出现异常。

最后一点是,了解某个算法是否被批准在 FIPS 模式下使用的一个好方法是打开 FIPS 模式并尝试一下!

顺便说一句,此 Triple-DES 证书页面列出了所有批准的 Triple-DES 操作模式:

ECB = TDEA Electronic Codebook
TCBC = TDEA Cipher Block Chaining
TCBC-I = TDEA Cipher Block Chaining - Interleaved
TCFB = TDEA Cipher Feedback
TCFB-P = TDEA Cipher Feedback - Pipelined
TOFB = TDEA Output Feedback
TOFB-I = TDEA Output Feedback - Interleaved

以及以下密钥选项。

KO 1 = Three-key Triple DES
KO 2 = Two-key Triple DES

FIPS 140-2 certification applies to both algorithms and modules. Algorithm implementations get certified by passing a series of test cases. Modules get certified when they meet all FIPS requirements. One such requirement is to provide cryptographic services only with FIPS-certified algorithms (and non-FIPS-certified algorithms used in a FIPS-approved manner like Diffie-Hellman key exchange).

Triple-DES is a FIPS-certified algorithm, and therefore can obtain a FIPS certificate. That's one piece of the puzzle.

The next piece is finding out what module is providing Triple-DES, and whether that module is FIPS certified. You already linked to the page where Microsoft lists all their FIPS-approved modules. That's got all you need to know. I think as of Windows Vista everything ultimately goes through bcrypt.dll.

Of course, you can go straight to the source and search modules yourself. Take, for instance, certificate #1001 for Microsoft's bcrypt.dll in Windows Vista. You can see that this module has obtained an algorithm certificate for its Triple-DES implementation (Cert. #656), so you can use Triple-DES from this module.

So how do you know you're using the FIPS-certified module? You enable FIPS mode in Windows. If you don't enable FIPS mode, you aren't using a FIPS-certified algorithm in a FIPS-approved mode of operation. On Windows, if you try to use a non-FIPS algorithm while in FIPS mode, you'll get an exception.

Bringing me to my last point that a good way to find out whether an algorithm is approved for use in FIPS mode is to turn on FIPS mode and try it!

By the way, this Triple-DES certificate page lists all approved Triple-DES modes of operation:

ECB = TDEA Electronic Codebook
TCBC = TDEA Cipher Block Chaining
TCBC-I = TDEA Cipher Block Chaining - Interleaved
TCFB = TDEA Cipher Feedback
TCFB-P = TDEA Cipher Feedback - Pipelined
TOFB = TDEA Output Feedback
TOFB-I = TDEA Output Feedback - Interleaved

And the following Keying Options.

KO 1 = Three-key Triple DES
KO 2 = Two-key Triple DES
场罚期间 2024-10-02 21:48:31

包含符合 FIPS 的算法列表。

符合 FIPS 的算法:

哈希算法

HMACSHA1

MAC三重DES

SHA1CryptoServiceProvider

对称算法(使用相同的密钥
用于加密和解密)

DESCryptoServiceProvider

三重DESCryptoServiceProvider

非对称算法(使用公共
加密密钥和私钥
用于解密)

DSACryptoServiceProvider

RSACryptoServiceProvider

我也问过类似的 关于 AES 的问题

This has a list of FIPS compliant algorithms.

FIPS compliant Algorithms:

Hash algorithms

HMACSHA1

MACTripleDES

SHA1CryptoServiceProvider

Symmetric algorithms (use the same key
for encryption and decryption)

DESCryptoServiceProvider

TripleDESCryptoServiceProvider

Asymmetric algorithms (use a public
key for encryption and a private key
for decryption)

DSACryptoServiceProvider

RSACryptoServiceProvider

I've also asked a similar question about AES.

月依秋水 2024-10-02 21:48:31

我个人会使用 AES 进行加密,因为它比 TripleDES“更轻”且更安全,事实上我认为它是目前事实上的算法。如果 AES 不符合标准,我会感到惊讶。

I personally would use AES for my encryption as it is 'lighter' and more secure than TripleDES in fact I think it is the de facto algorithm at the moment. If AES does not meet the standards I would be surprised.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文