TripleDESCryptoServiceProvider FIPS 140-2 合规性
我按以下方式使用 System.Security.Cryptography 的 TripleDESCryptoServiceProvider:
TripleDESCryptoServiceProvider CreateCipher()
{
TripleDESCryptoServiceProvider cipher = new TripleDESCryptoServiceProvider();
cipher.KeySize = 192;
cipher.BlockSize = 64;
cipher.Padding = PaddingMode.ISO10126;
cipher.Mode = CipherMode.CBC;
return cipher;
}
我想知道这是否符合 FIPS 140-2。我发现了许多页面概述了合规性的不同方面,但在我看来,微软是通过平台而不是类别来获得合规性证书的(有道理)。相反,我无法找到任何积极的证据来证明上述密码符合 FIPS 140-2。到目前为止,我发现的最有用的链接:
Microsoft 的 FIP 文档:
http://technet.microsoft.com/en-us/library/cc750357。 ASPX http://support.microsoft.com/kb/811833
简而言之,有人知道此类/加密方法属于什么证书编号吗?或者它是特定于平台的? (这就是我正在收集的。)
I am using the System.Security.Cryptography's TripleDESCryptoServiceProvider in the following manner:
TripleDESCryptoServiceProvider CreateCipher()
{
TripleDESCryptoServiceProvider cipher = new TripleDESCryptoServiceProvider();
cipher.KeySize = 192;
cipher.BlockSize = 64;
cipher.Padding = PaddingMode.ISO10126;
cipher.Mode = CipherMode.CBC;
return cipher;
}
I would like to know if this is FIPS 140-2 compliant. I have found numerous pages outlining different aspects of compliance, but it seems to me that Microsoft gets their compliance certificates by the platform, not by the class (make sense). In lieu of that, I have not been able to find any positive confirmation that the above cipher is FIPS 140-2 compliant. So far, the most useful links I have found:
Microsofts FIPs documents:
http://technet.microsoft.com/en-us/library/cc750357.aspx
http://support.microsoft.com/kb/811833Blog showing how to "dump" the sytems core libraries cryptographic modules and their compliance
In short, does anybody know what certificate number that this class/encryption method would fall under? Or is it platform specific? (That's what I am gleaning.)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
FIPS 140-2 认证适用于算法和模块。算法实现通过一系列测试用例获得认证。模块在满足所有 FIPS 要求后即可获得认证。其中一项要求是仅使用 FIPS 认证的算法(以及以 FIPS 批准的方式使用非 FIPS 认证的算法,如 Diffie-Hellman 密钥交换)提供加密服务。
Triple-DES 是一种FIPS 认证算法,因此可以获得 FIPS 证书。这只是拼图的一小部分。
下一部分是找出哪个模块提供 Triple-DES,以及该模块是否经过 FIPS 认证。您已链接到 Microsoft 列出所有 FIPS 批准模块的页面。这就是你需要知道的一切。我认为从 Windows Vista 开始,一切最终都会通过
bcrypt.dll进行。当然,您可以直接访问来源< /a> 并自行搜索模块。以 Windows Vista 中 Microsoft
bcrypt.dll的证书 #1001 为例。您可以看到该模块已获得其 Triple-DES 实现的算法证书(证书#656),因此您可以从此模块使用 Triple-DES。那么您如何知道您正在使用经过 FIPS 认证的模块呢? 您在 Windows 中启用 FIPS 模式。如果您不启用 FIPS 模式,则您不会在 FIPS 批准的操作模式中使用 FIPS 认证的算法。在 Windows 上,如果您尝试在 FIPS 模式下使用非 FIPS 算法,则会出现异常。
最后一点是,了解某个算法是否被批准在 FIPS 模式下使用的一个好方法是打开 FIPS 模式并尝试一下!
顺便说一句,此 Triple-DES 证书页面列出了所有批准的 Triple-DES 操作模式:
以及以下密钥选项。
FIPS 140-2 certification applies to both algorithms and modules. Algorithm implementations get certified by passing a series of test cases. Modules get certified when they meet all FIPS requirements. One such requirement is to provide cryptographic services only with FIPS-certified algorithms (and non-FIPS-certified algorithms used in a FIPS-approved manner like Diffie-Hellman key exchange).
Triple-DES is a FIPS-certified algorithm, and therefore can obtain a FIPS certificate. That's one piece of the puzzle.
The next piece is finding out what module is providing Triple-DES, and whether that module is FIPS certified. You already linked to the page where Microsoft lists all their FIPS-approved modules. That's got all you need to know. I think as of Windows Vista everything ultimately goes through
bcrypt.dll.Of course, you can go straight to the source and search modules yourself. Take, for instance, certificate #1001 for Microsoft's
bcrypt.dllin Windows Vista. You can see that this module has obtained an algorithm certificate for its Triple-DES implementation (Cert. #656), so you can use Triple-DES from this module.So how do you know you're using the FIPS-certified module? You enable FIPS mode in Windows. If you don't enable FIPS mode, you aren't using a FIPS-certified algorithm in a FIPS-approved mode of operation. On Windows, if you try to use a non-FIPS algorithm while in FIPS mode, you'll get an exception.
Bringing me to my last point that a good way to find out whether an algorithm is approved for use in FIPS mode is to turn on FIPS mode and try it!
By the way, this Triple-DES certificate page lists all approved Triple-DES modes of operation:
And the following Keying Options.
此包含符合 FIPS 的算法列表。
我也问过类似的 关于 AES 的问题。
This has a list of FIPS compliant algorithms.
I've also asked a similar question about AES.
我个人会使用 AES 进行加密,因为它比 TripleDES“更轻”且更安全,事实上我认为它是目前事实上的算法。如果 AES 不符合标准,我会感到惊讶。
I personally would use AES for my encryption as it is 'lighter' and more secure than TripleDES in fact I think it is the de facto algorithm at the moment. If AES does not meet the standards I would be surprised.