I have to conclude the FIPS-mode enforcement for .NET is broken on Win2016/Win10annivEdition.
The SHA256Managed code, https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,32 reads:

```csharp
#if FEATURE_CRYPTO
if (CryptoConfig.AllowOnlyFipsAlgorithms)
    throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
Contract.EndContractBlock();
#endif // FEATURE_CRYPTO
```
which clearly means that we get an exception if both the following are true:
- a) the build includes `FEATURE_CRYPTO`
- b) the value of `CryptoConfig.AllowOnlyFipsAlgorithms` is true
Further, according to the FIPS 140 Validation TechNet article, dated Feb 2017, the "cryptographic classes whose names end in 'Managed'" should never be allowed when running in FIPS-mode.
To test this I have two systems, Win2016 and Win2012R2, as described and configured below. For this, I want both systems to:
- Have PowerShell 5.1
- Have .NET Framework 4.6 (4.0.30319.42000)
- Have FIPS-mode enabled by setting the appropriate registry key and rebooting.
Update: 2017-03-30 I should have noted that I used AWS us-east for the Windows2016 and Windows2012R2 instances.
```powershell
# Chocolatey bootstrap script is install.ps1
iwr https://chocolatey.org/install.ps1 | Invoke-Expression
choco install powershell
```

And on both systems:

```powershell
Set-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy -Name Enabled -Value 1
Restart-Computer
```
Run the function Miguel Lopez provided:

```powershell
Get-FIPSEnabled # from test function above
```

Directly make the system call from https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,35:

```powershell
[System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
```

Call two unaccredited crypto algorithms, including the SHA256Managed::Create method as used in the AzureRM module at https://github.com/Azure/azure-powershell/blob/master/src/Common/Commands.Common/MetricHelper.cs#L210:

```powershell
$md5 = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
$sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
```
The two tests of FIPS-enablement should return true, and the two calls to unaccredited crypto functions should fail:
```text
PS C:\Users\Administrator> Get-FIPSEnabled
True
PS C:\Users\Administrator> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms
True
PS C:\Users\Administrator> $md5 = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $md5 = [System.Security.Cryptography.MD5CryptoServiceProvider]::Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
PS C:\Users\Administrator> $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
```
```text
PS C:\Users\Administrator> Get-FIPSEnabled
True
PS C:\Users\Administrator> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms
True
PS C:\Users\Administrator> $md5 = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $md5 = [System.Security.Cryptography.MD5CryptoServiceProvider]::Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
PS C:\Users\Administrator>
PS C:\Users\Administrator>
PS C:\Users\Administrator> $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
```
Oh wow! No exception for SHA256Managed!! What the hell?

Let's look at the $sha256 object:
```text
PS C:\Users\Administrator> $sha256

HashSize                   : 256
Hash                       :
InputBlockSize             : 1
OutputBlockSize            : 1
CanTransformMultipleBlocks : True
CanReuseTransform          : True
```
It's legit! And you can further demonstrate this for your pleasure by running AzureRM modules on Win2016...
Powershell + .NET 4.6.0 does not properly enforce FIPS-mode on Win2016/Win10annivEdition.
PS C:\Users\Administrator> systeminfo | clip.exe
Host Name: WIN-ADUHNJ9ED5K
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00252-70000-00000-AA535
Original Install Date: 3/23/2017, 12:11:31 PM
System Boot Time: 3/23/2017, 1:54:00 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2394 Mhz
BIOS Version: Xen 4.2.amazon, 2/16/2017
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 8,192 MB
Available Physical Memory: 7,356 MB
Virtual Memory: Max Size: 16,384 MB
Virtual Memory: Available: 15,567 MB
Virtual Memory: In Use: 817 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\WIN-ADUHNJ9ED5K
Hotfix(s): 227 Hotfix(s) Installed.
[01]: KB3191564
[02]: KB2894856
[03]: KB2896496
[04]: KB2919355
[05]: KB2919442
[06]: KB2920189
[07]: KB2934520
[08]: KB2938066
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2955164
[13]: KB2959626
[14]: KB2965500
[15]: KB2967917
[16]: KB2969339
[17]: KB2971203
[18]: KB2973351
[19]: KB2973448
[20]: KB2975061
[21]: KB2975719
[22]: KB2976627
[23]: KB2977765
[24]: KB2978041
[25]: KB2978126
[26]: KB2984006
[27]: KB2987107
[28]: KB2989647
[29]: KB2989930
[30]: KB2993100
[31]: KB2995004
[32]: KB2995388
[33]: KB2996799
[34]: KB2998174
[35]: KB2999226
[36]: KB3000483
[37]: KB3000850
[38]: KB3003057
[39]: KB3004361
[40]: KB3004365
[41]: KB3004545
[42]: KB3008923
[43]: KB3012199
[44]: KB3012702
[45]: KB3013172
[46]: KB3013769
[47]: KB3013791
[48]: KB3013816
[49]: KB3014442
[50]: KB3019978
[51]: KB3021910
[52]: KB3021952
[53]: KB3022345
[54]: KB3022777
[55]: KB3023222
[56]: KB3023266
[57]: KB3024751
[58]: KB3024755
[59]: KB3029603
[60]: KB3030377
[61]: KB3030947
[62]: KB3032359
[63]: KB3032663
[64]: KB3033446
[65]: KB3035126
[66]: KB3036612
[67]: KB3037579
[68]: KB3037924
[69]: KB3038002
[70]: KB3038314
[71]: KB3038701
[72]: KB3041857
[73]: KB3042085
[74]: KB3044374
[75]: KB3044673
[76]: KB3045634
[77]: KB3045685
[78]: KB3045717
[79]: KB3045719
[80]: KB3045755
[81]: KB3045992
[82]: KB3045999
[83]: KB3046017
[84]: KB3046737
[85]: KB3048043
[86]: KB3049563
[87]: KB3054169
[88]: KB3054203
[89]: KB3054256
[90]: KB3054464
[91]: KB3055323
[92]: KB3055343
[93]: KB3055642
[94]: KB3059316
[95]: KB3059317
[96]: KB3060681
[97]: KB3060793
[98]: KB3061512
[99]: KB3063843
[100]: KB3064209
[101]: KB3068708
[102]: KB3071756
[103]: KB3074228
[104]: KB3074548
[105]: KB3075220
[106]: KB3075853
[107]: KB3077715
[108]: KB3078071
[109]: KB3078405
[110]: KB3078676
[111]: KB3080042
[112]: KB3080149
[113]: KB3082089
[114]: KB3083325
[115]: KB3083711
[116]: KB3083992
[117]: KB3084135
[118]: KB3084905
[119]: KB3086255
[120]: KB3087038
[121]: KB3087041
[122]: KB3087137
[123]: KB3091297
[124]: KB3092601
[125]: KB3092627
[126]: KB3093983
[127]: KB3094486
[128]: KB3095701
[129]: KB3096433
[130]: KB3097997
[131]: KB3098779
[132]: KB3099834
[133]: KB3100473
[134]: KB3100773
[135]: KB3100956
[136]: KB3102429
[137]: KB3102467
[138]: KB3102812
[139]: KB3103616
[140]: KB3103696
[141]: KB3103709
[142]: KB3104002
[143]: KB3109103
[144]: KB3109976
[145]: KB3110329
[146]: KB3112148
[147]: KB3112336
[148]: KB3115224
[149]: KB3118401
[150]: KB3121255
[151]: KB3121261
[152]: KB3121461
[153]: KB3121918
[154]: KB3122654
[155]: KB3123242
[156]: KB3123245
[157]: KB3124275
[158]: KB3125424
[159]: KB3126033
[160]: KB3126434
[161]: KB3126587
[162]: KB3126593
[163]: KB3127226
[164]: KB3128650
[165]: KB3133043
[166]: KB3133681
[167]: KB3133690
[168]: KB3133924
[169]: KB3134179
[170]: KB3134814
[171]: KB3134815
[172]: KB3135449
[173]: KB3135456
[174]: KB3137061
[175]: KB3137725
[176]: KB3137728
[177]: KB3138602
[178]: KB3138615
[179]: KB3139164
[180]: KB3139398
[181]: KB3139914
[182]: KB3139929
[183]: KB3140219
[184]: KB3140234
[185]: KB3141092
[186]: KB3145384
[187]: KB3145432
[188]: KB3146604
[189]: KB3146723
[190]: KB3146751
[191]: KB3146963
[192]: KB3147071
[193]: KB3148198
[194]: KB3148851
[195]: KB3149090
[196]: KB3153704
[197]: KB3154070
[198]: KB3155784
[199]: KB3156017
[200]: KB3156019
[201]: KB3156059
[202]: KB3156418
[203]: KB3159398
[204]: KB3160005
[205]: KB3161949
[206]: KB3161958
[207]: KB3162343
[208]: KB3162835
[209]: KB3164294
[210]: KB3169704
[211]: KB3170455
[212]: KB3172614
[213]: KB3172729
[214]: KB3173424
[215]: KB3174644
[216]: KB3175024
[217]: KB3175443
[218]: KB3177186
[219]: KB3178539
[220]: KB3179574
[221]: KB3179948
[222]: KB3184122
[223]: KB3184943
[224]: KB3185319
[225]: KB3195387
[226]: KB3210135
[227]: KB3205401
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet
DHCP Enabled: Yes
DHCP Server: 172.31.0.1
IP address(es)
[01]: 172.31.9.151
[02]: fe80::b912:aa84:b2fb:c82a
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Also:
```text
PS C:\Users\Administrator> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\Users\Administrator> [environment]::version

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      30319  42000
```
PS C:\Users\Administrator> systeminfo | clip.exe
Host Name: EC2AMAZ-I5LDISB
OS Name: Microsoft Windows Server 2016 Datacenter
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00376-40000-00000-AA918
Original Install Date: 3/23/2017, 11:22:33 AM
System Boot Time: 3/23/2017, 1:54:07 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version: Xen 4.2.amazon, 2/16/2017
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 8,192 MB
Available Physical Memory: 7,131 MB
Virtual Memory: Max Size: 10,112 MB
Virtual Memory: Available: 9,162 MB
Virtual Memory: In Use: 950 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\EC2AMAZ-I5LDISB
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB3176936
[02]: KB3192137
[03]: KB3199209
[04]: KB3199986
[05]: KB3213986
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet 2
DHCP Enabled: Yes
DHCP Server: 172.31.0.1
IP address(es)
[01]: 172.31.13.102
[02]: fe80::b07c:8f30:631a:e51c
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Also:
```text
PS C:\Users\Administrator> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.693
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.693
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

PS C:\Users\Administrator> [environment]::version

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      30319  42000
```
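A host-side audit for the behaviour reported in this post, written for this edit and not taken from the issue or from the AzureRM project. It records the FIPS registry flag, the `CryptoConfig` property, and the installed .NET Framework release number (the `CLRVersion` shown in `$PSVersionTable` is `4.0.30319.42000` for every 4.6.x and 4.7.x build, so the `Release` value under `HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full` is what tells the builds apart), then probes each cryptographic class two ways: through `New-Object`, which runs the constructor carrying the check quoted from sha256managed.cs, and through the static `Create()` factory used in the transcripts, reporting the runtime type that `Create()` actually returns. `SHA256Managed` does not declare its own `Create()`; the call resolves to the inherited `SHA256.Create()`, which selects an implementation through `CryptoConfig`'s algorithm mapping, so the two probes can legitimately disagree and the `CreateReturns` column shows which class was really constructed. The list of types probed and the function names are assumptions chosen for illustration; the release-number thresholds are Microsoft's published minimums for each 4.x build.

```powershell
# Added audit script (not from the issue or the AzureRM project).
# Assumes Windows PowerShell 5.1 on .NET Framework 4.x; it only reads state, nothing is changed.

function Get-FipsPolicyState {
    # FIPS flag the test procedure in the post sets and reboots on
    $lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                            -Name Enabled -ErrorAction SilentlyContinue
    # Release number of the installed 4.x framework (Microsoft's documented minimums):
    # 393295 = 4.6, 394254 = 4.6.1, 394802 = 4.6.2, 460798 = 4.7
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -Name Release -ErrorAction SilentlyContinue
    $release = [int]$ndp.Release
    $version = switch ($release) {
        { $_ -ge 460798 } { '4.7 or later'; break }
        { $_ -ge 394802 } { '4.6.2'; break }
        { $_ -ge 394254 } { '4.6.1'; break }
        { $_ -ge 393295 } { '4.6'; break }
        default           { "older than 4.6 (Release=$release)" }
    }
    [pscustomobject]@{
        RegistryFipsEnabled     = ($lsa.Enabled -eq 1)
        AllowOnlyFipsAlgorithms = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        ClrVersion              = [System.Environment]::Version.ToString()
        NetFrameworkRelease     = $release
        NetFrameworkVersion     = $version
    }
}

function Test-FipsEnforcement {
    param(
        # Classes to probe; an assumed list, extend as needed
        [string[]] $TypeName = @(
            'System.Security.Cryptography.MD5CryptoServiceProvider',
            'System.Security.Cryptography.SHA1Managed',
            'System.Security.Cryptography.SHA256Managed',
            'System.Security.Cryptography.SHA256CryptoServiceProvider',
            'System.Security.Cryptography.SHA256Cng',
            'System.Security.Cryptography.RijndaelManaged',
            'System.Security.Cryptography.AesCryptoServiceProvider'
        )
    )
    foreach ($name in $TypeName) {
        $type = $name -as [type]
        if (-not $type) { Write-Warning "Type $name not found in loaded assemblies"; continue }

        # Probe 1: the constructor, which is where the quoted FIPS check lives.
        $ctorError = $null
        try   { $obj = New-Object -TypeName $name; $obj.Dispose() }
        catch { $ctorError = $_.Exception.GetBaseException().Message }

        # Probe 2: the static Create() factory, which resolves through CryptoConfig
        # and may hand back a different class than the one it was called on.
        $createdType = $null; $createError = $null
        try   { $created = $type::Create(); $createdType = $created.GetType().FullName; $created.Dispose() }
        catch { $createError = $_.Exception.GetBaseException().Message }

        [pscustomobject]@{
            Type              = $name
            ConstructorThrows = [bool]$ctorError
            ConstructorError  = $ctorError
            CreateReturns     = $createdType
            CreateThrows      = [bool]$createError
            CreateError       = $createError
        }
    }
}

Get-FipsPolicyState
Test-FipsEnforcement | Format-Table -AutoSize Type, ConstructorThrows, CreateThrows, CreateReturns
```

Run it once on each host after the reboot that applies the registry flag; a row where `ConstructorThrows` is true but `CreateThrows` is false, with `CreateReturns` naming a different class, means the factory silently substituted an implementation rather than the constructor check being skipped, and the two hosts' `NetFrameworkRelease` values show whether they are really running the same framework build.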
Hello Peter,
I find the information interesting. Here's a bit of information as to why:
• The error, as documented in the GitHub issue, states as follows:
• SHA256Managed is a class that implements SHA256 within .NET code. This algorithm wasn't submitted to pass FIPS validation.
• Hence the error above states that the constructor threw an exception.
• The source code can be reviewed here: https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,32
• It checks for a property called AllowOnlyFipsAlgorithms and, if true, throws that exception.
• The source code for that property can be seen here: https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/cryptoconfig.cs,60dba5f3579c03b5
• For OSes with Major version greater than 6, it will call bcrypt32.dll's BCryptGetFipsAlgorithmMode (documented here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa375460(v=vs.85).aspx)
• Because this algorithm is a .NET algorithm, the algorithm will be the same for any Operating System as long as the .NET versions are identical on the servers compared.
• Basically, SHA256Managed's implementation is not entirely OS dependent except for the initial OSVersion check.
• In our FIPS 140-2 documentation (https://technet.microsoft.com/en-us/library/cc750357.aspx) we state that for Windows Server 2008 R2 and later we maintain FIPS 140-2 validation on the bcryptprimitives.dll and cng.sys modules. This includes Server 2016.
• This means that the modules validated for FIPS 140-2 on Server 2012 R2 are the same for Server 2016.
• I tried my best to mimic that check (except for the enforceFipsPolicy) in the following PowerShell:
• Is there a chance you run this in both environments and verify its return value? (After running the code above in PowerShell, run Get-FIPSEnabled)
• I haven't tried this on a FIPS-enabled OS yet, but if it returns True for the non-working environment, I may save this cmdlet for future use.
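As an added illustration of the check this reply describes (the reply's own PowerShell is not reproduced on this page, and this is not it), the following script, written for this edit, re-creates the logic behind `CryptoConfig.AllowOnlyFipsAlgorithms`: on Windows Vista / Server 2008 and later (OS major version 6 or higher) it asks `bcrypt.dll`'s `BCryptGetFipsAlgorithmMode`, and on older systems it reads the registry flag at the key the test procedure in this thread sets. It then compares its own answer with what the .NET property reports on the same host, so a mismatch between the two is immediately visible. The native signature is `NTSTATUS BCryptGetFipsAlgorithmMode(BOOLEAN *pfEnabled)`, so the out-parameter is marshalled as a single byte and a return of 0 is treated as success. The namespace `FipsProbe`, the class `NativeMethods`, the function name `Get-FipsAlgorithmMode`, and the use of the page's registry key as the pre-Vista fallback are assumptions of this example.

```powershell
# Added example (not the reply author's code). Assumes Windows PowerShell 5.1 on .NET Framework 4.x.
# Namespace/class/function names are chosen for this example only.

if (-not ('FipsProbe.NativeMethods' -as [type])) {
    Add-Type -Namespace FipsProbe -Name NativeMethods -MemberDefinition @'
// NTSTATUS BCryptGetFipsAlgorithmMode(BOOLEAN *pfEnabled); BOOLEAN is one byte, hence U1.
[DllImport("bcrypt.dll")]
public static extern int BCryptGetFipsAlgorithmMode([MarshalAs(UnmanagedType.U1)] out bool pfEnabled);
'@
}

function Get-FipsAlgorithmMode {
    $osMajor = [System.Environment]::OSVersion.Version.Major
    if ($osMajor -ge 6) {
        # Vista / Server 2008 and later: ask the CNG API directly.
        $enabled = $false
        $status = [FipsProbe.NativeMethods]::BCryptGetFipsAlgorithmMode([ref]$enabled)
        if ($status -ne 0) {
            throw ("BCryptGetFipsAlgorithmMode failed, NTSTATUS 0x{0:X8}" -f $status)
        }
        $source = 'bcrypt.dll'
    } else {
        # Older systems: fall back to the registry flag used by the test procedure in this thread
        # (assumption of this example; not a verified pre-Vista location).
        $lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                                -Name Enabled -ErrorAction SilentlyContinue
        $enabled = ($lsa.Enabled -eq 1)
        $source = 'registry'
    }

    # What the .NET property itself reports on this host, for side-by-side comparison.
    $dotnet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    [pscustomobject]@{
        OSMajor                 = $osMajor
        Source                  = $source
        FipsEnabled             = [bool]$enabled
        AllowOnlyFipsAlgorithms = $dotnet
        Agree                   = ([bool]$enabled -eq $dotnet)
    }
}

Get-FipsAlgorithmMode
```

On a host where the registry flag was set and the machine rebooted, `FipsEnabled` and `AllowOnlyFipsAlgorithms` should both read `True` and `Agree` should be `True`; the script only reports the policy state and does not itself decide which algorithm classes a given .NET build will refuse.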