FIPS Compliance with Protection PLUS 5 SDK
What is FIPS?
Federal Information Processing Standards (FIPS) are standards developed by the National Institute of Standards and Technology (NIST) for various purposes, including computer system security and interoperability. They are security standards recognized by the U.S., Canada, and the European Union, and they are used by government contractors and vendors.
FIPS 140-2 is the standard used to approve cryptographic modules. It is a security standard for software and hardware products that ensures their encryption meets requirements strong enough for securing sensitive government data. The Federal Information Security Management Act (FISMA) specifies that U.S. government agencies must use FIPS 140-2 validated cryptographic modules. U.S. government contractors and third parties working for federal agencies are therefore required to use FIPS 140-2 as well.
The current FIPS standards including 140-2 can be found on the NIST website.
FIPS certified vs FIPS-approved
Validation certificates are issued for cryptographic modules by NIST. A module may either be an embedded component of a product or application, or a complete product in and of itself. It is important to know the difference between cryptographic modules that are FIPS certified and those that just implement FIPS-approved cryptographic algorithms. A cryptographic module that implements only FIPS-approved cryptographic algorithms may still not be FIPS certified. In order to be FIPS certified, it must be tested and validated by NIST. This process can take weeks or years and is very costly.
PLUSManaged for .NET Framework
PLUSManaged for .NET Framework uses the cryptography classes available through the .NET Framework, so whether it uses FIPS validated and/or compliant implementations depends on how Microsoft implements those classes.
There are two versions of PLUSManaged built for .NET Framework:
- The PLUSManaged.dll file installed in the %PROGRAMFILES%\SoftwareKey\Protection PLUS 5\Library folder targets .NET Framework 2.0 and later. This uses some .NET Framework classes for encryption that are not FIPS validated/certified implementations.
- The PLUSManaged.dll file installed in the %PROGRAMFILES%\SoftwareKey\Protection PLUS 5\Library\FIPS folder targets .NET Framework 3.5 and later. This version only uses .NET Framework classes (which became available with .NET Framework 3.5) that are FIPS validated implementations. Note that you may use the FIPS compliant PLUSManaged library in environments that do not require FIPS compliance. The FIPS version is available with Protection PLUS 5 .NET Edition version 22.214.171.124 or newer.
More information on Microsoft FIPS validation and compliance can be found in the Microsoft documentation.
PLUSManaged for .NET Standard
PLUSManaged for .NET Standard uses classes outlined by the .NET Standard 2.0 specification that are FIPS 140-2 approved. FIPS validation for the PLUSManaged for .NET Standard library depends on the targeted platform.
.NET Framework version 4.6.1 and newer is supported by .NET Standard 2.0; therefore, the classes used are FIPS validated implementations.
.NET Core does not perform any cryptography within itself. All operations are delegated to the underlying native operating system cryptographic providers. More information can be found in Microsoft's documentation.
- .NET Core on Windows: Microsoft provides quite a bit of documentation on their FIPS 140-2 compliance and validation.
- .NET Core on macOS: as of .NET Core 2.0 or newer, Security.Framework is used, which relies on the corecrypto library to provide implementations of low-level cryptographic primitives. This is also the library submitted for validation of compliance with FIPS. More information can be found in Apple's documentation.
- .NET Core on Linux: the system-provided OpenSSL libcrypto and libssl libraries are used, which may or may not be the FIPS build of the libraries. In addition, they may or may not be certified for the specific distribution version and hardware.
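The Linux case above can be checked on a given host. The script below is an added example, not part of Protection PLUS 5 or its documentation; it reports the kernel FIPS flag and what the system OpenSSL version string says. The function names and the sample version string are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): FIPS-related facts about a Linux host's
# system OpenSSL. A positive result shows mode/capability only; it does not
# prove the build is validated for this distribution version and hardware.

# Kernel FIPS flag: the file holds 1 when the kernel runs in FIPS mode.
# The optional path argument lets the function be exercised on a sample file.
kernel_fips_mode() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || { echo unknown; return 0; }
    if [ "$(cat "$flag_file")" = "1" ]; then echo enabled; else echo disabled; fi
}

# Release branch from the first line of `openssl version`.
# The page notes that FIPS 2.0.x modules target 1.0.2, which is End of Life.
openssl_branch() {
    case "$1" in
        "OpenSSL 1.0.2"*) echo 1.0.2 ;;
        "OpenSSL 1.1.1"*) echo 1.1.1 ;;
        "OpenSSL 3."*)    echo 3.x ;;
        *)                echo other ;;
    esac
}

# Some distributions tag FIPS-capable builds in the version string,
# e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017" (sample string).
has_fips_marker() {
    case "$1" in
        *[Ff][Ii][Pp][Ss]*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line summary; arguments: version string, optional flag file path.
fips_report() {
    if has_fips_marker "$1"; then marker=yes; else marker=no; fi
    echo "branch=$(openssl_branch "$1") fips_marker=$marker kernel_fips=$(kernel_fips_mode "$2")"
}

# Report for this host (empty version string if openssl is not installed).
fips_report "$(openssl version 2>/dev/null || true)"
```

On the 3.x branch, `openssl list -providers` shows whether a FIPS provider is loaded.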
Internally, PLUSNative uses OpenSSL for its cryptographic functions, so compliance falls to OpenSSL.
- All algorithms used are FIPS 140-2 approved algorithms.
- The included build of OpenSSL that PLUSNative currently uses is not a version that includes a FIPS validated/certified implementation of said algorithms.
If using FIPS validated/certified implementations is important to you, you can use your own build/compilation of OpenSSL that is FIPS certified. Since the current releases of OpenSSL FIPS 2.0.x are based on the OpenSSL 1.0.2 tree, you should be aware that this version of OpenSSL is End of Life and no longer receiving security fixes. With that said, you should be able to build it and have it 'just work' with PLUSNative. You must use a release of PLUSNative prior to version 126.96.36.199, as OpenSSL was upgraded to version 1.1.1 with this release.