Why does SHA512Managed not match FIPS?

As the title asks: why does the SHA512Managed encryption raise an InvalidOperationException when FipsAlgorithmPolicy is active on the machine?

Is it not secure enough for FIPS or is it too secure?

+4
2 answers

FIPS is not a standard, but a wide range of standards.

"FIPS-compliant" is a redundant term - any implementation of an algorithm defined by FIPS is compatible, otherwise it will not interact with other implementations.

Now there is FIPS 140-2 - a set of rules (mostly administrative and IT-related, not just programming-related) that define what can be considered a "secure" environment.

Now we come closer ... The algorithm can be "FIPS certified", which is approved by a certified body that meets the requirements of various standards, including FIPS 140-2.

When you turn on FIPS mode, you actually only need to use Windows certified FIPS modules. And Windows does not have all certified cryptographic modules - certification is both expensive and time-consuming, therefore only a certain set of its own (unmanaged) modules is certified, and only certain versions of these modules are certified.

So, it's simple: the SHA512Managed class has not been certified, so it does not meet the requirements of the policy.

+4
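To see the behaviour this answer describes, the following added example (not code from the original thread) hashes the same constructed input with `SHA512Cng`, which is backed by the unmanaged Windows CNG library, and with `SHA512Managed`. It assumes .NET Framework 4.x on Windows with a reference to System.Core; the class name `FipsSha512Demo` and the input string are made up for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsSha512Demo
{
    static string Hex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    static void Main()
    {
        // Constructed sample input, not taken from the page.
        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");

        // True when the machine's FIPS algorithm policy is switched on.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // SHA512Cng calls into Windows CNG, i.e. an unmanaged OS module.
        string cngDigest;
        using (var cng = new SHA512Cng())
        {
            cngDigest = Hex(cng.ComputeHash(data));
        }
        Console.WriteLine("SHA512Cng:     " + cngDigest);

        try
        {
            // Pure managed implementation; its constructor checks the policy.
            using (var managed = new SHA512Managed())
            {
                string managedDigest = Hex(managed.ComputeHash(data));
                Console.WriteLine("SHA512Managed: " + managedDigest);
                // Same algorithm, so the digests match; only the
                // implementation (and its certification status) differs.
                Console.WriteLine("Digests equal: " + (managedDigest == cngDigest));
            }
        }
        catch (InvalidOperationException ex)
        {
            // Raised when the FIPS policy is active on the machine.
            Console.WriteLine("SHA512Managed rejected: " + ex.Message);
        }
    }
}
```

With the policy off, both classes produce the same digest; with it on, only the `SHA512Managed` branch fails, which shows the refusal is about the implementation and not about the SHA-512 algorithm.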

FIPS140-x deals with crypto modules in general; they are more related to how much work goes into testing how well cryptography is implemented.

Now FIPS180-4 is dedicated to the Secure Hashing Standard, in which you will find detailed information about the SHA512 and all its variants. Perhaps SHA512Managed is not doing what FIPS180 agrees with, or maybe this mode of operation simply has not been evaluated.

+3

Source: https://habr.com/ru/post/1440063/

