@pburkholder
Last active March 30, 2017 19:29
FIPS-mode not working properly on Win2016

I have to conclude the FIPS-mode enforcement for .NET is broken on Win2016/Win10annivEdition.

The SHA256Managed code, https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,32 reads:

#if FEATURE_CRYPTO
            if (CryptoConfig.AllowOnlyFipsAlgorithms)
                throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
            Contract.EndContractBlock();
#endif // FEATURE_CRYPTO

which clearly means that we get an exception if both the following are true:

  • a) the build includes FEATURE_CRYPTO
  • b) the value of CryptoConfig.AllowOnlyFipsAlgorithms is true

Further, according to the FIPS 140 Validation TechNet article (dated Feb 2017), the "cryptographic classes whose names end in 'Managed'" should never be allowed when running in FIPS-mode.

Test setup

To test this I have two systems, Win2016 and Win2012R2, as described and configured below. I want both systems to:

  • Have PowerShell 5.1
  • Have .NET Framework 4.6 (4.0.30319.42000)
  • Have FIPS-mode enabled by setting the appropriate registry key and rebooting.

Update: 2017-03-30 I should have noted that I used AWS us-east for the Windows2016 and Windows2012R2 instances.

iwr https://chocolatey.org/install.ps | Invoke-Expression
choco install powershell

And on both systems:

Set-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy -Name Enabled -Value 1
Restart-Computer

Now let's test FIPS-mode:

Run the Get-FIPSEnabled function Miguel Lopez provided:

> Get-FIPSEnabled # from test function above

Directly read the CryptoConfig property that the check at https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,35 consults:

> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms

Instantiate two non-FIPS-validated crypto algorithms, including the SHA256Managed::Create method as used in the AzureRM module at https://github.com/Azure/azure-powershell/blob/master/src/Common/Commands.Common/MetricHelper.cs#L210

$md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
$sha256 = [System.Security.Cryptography.SHA256Managed]::Create()

Expected results:

The two tests of FIPS-enablement should return true, and the two calls to unaccredited crypto functions should fail:

PS C:\Users\Administrator> Get-FIPSEnabled
True
PS C:\Users\Administrator>  [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms
True

PS C:\Users\Administrator> $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

PS C:\Users\Administrator> $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

Unexpected Results - Win2016/Win10annivEdition

PS C:\Users\Administrator> Get-FIPSEnabled
True
PS C:\Users\Administrator> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms
True

PS C:\Users\Administrator> $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS
validated cryptographic algorithms."
At line:1 char:1
+ $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

PS C:\Users\Administrator>
PS C:\Users\Administrator>
PS C:\Users\Administrator> $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()

Oh wow! No exception for SHA256Managed!! What the hell?

Let's look at the $sha256 object:

PS C:\Users\Administrator> $sha256


HashSize                   : 256
Hash                       :
InputBlockSize             : 1
OutputBlockSize            : 1
CanTransformMultipleBlocks : True
CanReuseTransform          : True

It's legit! And you can further demonstrate this for yourself by running AzureRM modules on Win2016...

Conclusion

Powershell + .NET 4.6.0 does not properly enforce FIPS-mode on Win2016/Win10annivEdition.

System Info

1. AWS EC2 Win2012R2

PS C:\Users\Administrator> systeminfo | clip.exe


Host Name:                 WIN-ADUHNJ9ED5K
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00252-70000-00000-AA535
Original Install Date:     3/23/2017, 12:11:31 PM
System Boot Time:          3/23/2017, 1:54:00 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2394 Mhz
BIOS Version:              Xen 4.2.amazon, 2/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     8,192 MB
Available Physical Memory: 7,356 MB
Virtual Memory: Max Size:  16,384 MB
Virtual Memory: Available: 15,567 MB
Virtual Memory: In Use:    817 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WIN-ADUHNJ9ED5K
Hotfix(s):                 227 Hotfix(s) Installed.
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.31.0.1
                                 IP address(es)
                                 [01]: 172.31.9.151
                                 [02]: fe80::b912:aa84:b2fb:c82a
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Also:

PS C:\Users\Administrator> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\Users\Administrator> [environment]::version

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      30319  42000

2. AWS Win2016

PS C:\Users\Administrator> systeminfo | clip.exe

Host Name:                 EC2AMAZ-I5LDISB
OS Name:                   Microsoft Windows Server 2016 Datacenter
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00376-40000-00000-AA918
Original Install Date:     3/23/2017, 11:22:33 AM
System Boot Time:          3/23/2017, 1:54:07 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version:              Xen 4.2.amazon, 2/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     8,192 MB
Available Physical Memory: 7,131 MB
Virtual Memory: Max Size:  10,112 MB
Virtual Memory: Available: 9,162 MB
Virtual Memory: In Use:    950 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\EC2AMAZ-I5LDISB
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB3176936
                           [02]: KB3192137
                           [03]: KB3199209
                           [04]: KB3199986
                           [05]: KB3213986
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.31.0.1
                                 IP address(es)
                                 [01]: 172.31.13.102
                                 [02]: fe80::b07c:8f30:631a:e51c
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Also:

PS C:\Users\Administrator> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.693
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.693
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\Users\Administrator> [environment]::version

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      30319  42000
# Get-FIPSEnabled: the test function referenced above (provided by Miguel Lopez)
function Get-FIPSEnabled {
    process {
        $retVal = $false
        if ([System.Environment]::OSVersion.Version.Major -ge 6) {
            # Vista and later: call the same internal P/Invoke that mscorlib's CryptoConfig uses,
            # BCryptGetFipsAlgorithmMode(out bool pfEnabled), via reflection on Win32Native.
            $type = [System.Type]::GetType("Microsoft.Win32.Win32Native")
            $bindingFlags = [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::NonPublic
            $method = [System.Reflection.MethodInfo]$type.GetMethod("BCryptGetFipsAlgorithmMode", $bindingFlags)
            $parameters = @($null)
            $policyReadStatus = $method.Invoke($null, $parameters)
            # STATUS_SUCCESS (0) or STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034) means the policy was readable;
            # any other status is treated as "enabled", mirroring CryptoConfig's fail-closed behaviour.
            $readPolicy = $policyReadStatus -eq 0x00000000 -or $policyReadStatus -eq 0xC0000034
            $retVal = (-not $readPolicy -or $parameters[0])
        }
        else {
            # Pre-Vista: read the legacy Lsa\FIPSAlgorithmPolicy registry value directly.
            try {
                $fipsKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("System\CurrentControlSet\Control\Lsa", $false)
                try {
                    if ($fipsKey -eq $null) {
                        $retVal = $false
                    }
                    else {
                        $regdata = $fipsKey.GetValue("FIPSAlgorithmPolicy")
                        if ($regdata -eq $null) {
                            $retVal = $false
                        }
                        elseif ($fipsKey.GetValueKind("FIPSAlgorithmPolicy") -ne 4) {
                            # Not a REG_DWORD (RegistryValueKind.DWord = 4): treat as enabled
                            $retVal = $true
                        }
                        else {
                            $retVal = ([System.Int32]$regdata -ne 0)
                        }
                    }
                }
                finally {
                    if ($fipsKey -ne $null) {
                        $fipsKey.Close()
                        $fipsKey.Dispose()
                    }
                }
            }
            catch [System.Security.SecurityException] {
                # Cannot read the key at all: assume FIPS is enforced
                $retVal = $true
            }
        }
        return $retVal
    }
}

A member of Microsoft support suggested I try the following workaround:

Create a file named powershell.exe.config and place this file where the PowerShell.exe executable is located. It is in %WinDir%\system32\WindowsPowerShell\v1.0 on my computer. The content of this file should look as follows:

<?xml version="1.0" encoding="utf-8" ?> 
<configuration>
     <runtime>
           <enforceFIPSPolicy enabled="false" />
     </runtime>
</configuration>
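The workaround above switches enforcement off for one process while the machine policy stays on, so an auditor wants the layers side by side: the registry policy, what the running CLR believes, whether a config override is present, and what the *Managed constructors actually do. The following function is an added example, not from the gist or from Microsoft support; Get-FipsEnforcementState is a name chosen here, and it assumes Windows PowerShell 5.1 on .NET Framework with the config file beside powershell.exe as described above.

```powershell
function Get-FipsEnforcementState {
    <#
      Reports every place FIPS enforcement is decided for this PowerShell process:
        1. the machine-wide policy value (what Set-ItemProperty above writes),
        2. what the running CLR believes (CryptoConfig.AllowOnlyFipsAlgorithms),
        3. whether a powershell.exe.config <enforceFIPSPolicy enabled="false"/> override exists,
        4. whether a *Managed constructor is actually refused in this process.
      Added example; the function name and the Mismatch heuristic are choices made here.
    #>
    [CmdletBinding()]
    param(
        # Config file of the host process; defaults to the one beside the running powershell.exe
        [string]$ConfigPath = (Join-Path $PSHOME 'powershell.exe.config')
    )

    # 1. Machine policy: HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
    $policyKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $policyEnabled = $null
    $item = Get-ItemProperty -Path $policyKey -Name Enabled -ErrorAction SilentlyContinue
    if ($item) { $policyEnabled = [bool]$item.Enabled }

    # 2. Process view: the flag the *Managed constructors consult before throwing
    $clrEnforces = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # 3. Per-process override in <configuration><runtime><enforceFIPSPolicy enabled="..."/>
    $configOverride = 'absent'
    if (Test-Path -LiteralPath $ConfigPath) {
        [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
        $node = $cfg.SelectSingleNode('/configuration/runtime/enforceFIPSPolicy')
        if ($node -and $node.enabled) { $configOverride = $node.enabled.ToLower() }
    }

    # 4. Observable behaviour: does the managed SHA-256 constructor refuse to run here?
    $managedCtorThrows = $false
    try { (New-Object System.Security.Cryptography.SHA256Managed).Dispose() }
    catch { $managedCtorThrows = $true }

    [pscustomobject]@{
        MachinePolicyEnabled = $policyEnabled
        ClrEnforcesFips      = $clrEnforces
        ConfigOverride       = $configOverride
        ManagedCtorThrows    = $managedCtorThrows
        # Machine policy says FIPS, but this process either does not believe it or does
        # not act on it: the condition an audit of these hosts should flag.
        Mismatch             = ($policyEnabled -eq $true) -and
                               (-not $clrEnforces -or -not $managedCtorThrows)
    }
}

Get-FipsEnforcementState | Format-List
```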

While attempting to evaluate the workaround on yet another lab machine, I was unable to reproduce the issue in question. To wit:

  • Tested that Login-AzureRMAccount and Get-AzureRMResource both worked
  • Set the FIPS RegistryKey and restarted
  • Login-AzureRMAccount

But then, when I expected Get-AzureRMResource to fail - it didn't!

The main difference between this machine and the other machines initially seemed to be different versions of AzureRM. Namely, the working-with-FIPS machine (hereafter "LabMachine") had AzureRM 3.5.0 and AzureRM.profile 2.5.0. But downgrading my Workstation to that version had no effect.

Instead, the impact of enabling FIPS differs between systems. That is:

# For each class, try both instantiation paths and print one table row:
#   New-Object  -> runs the class constructor directly
#   ::Create()  -> calls the static factory method (inherited from the base class)
foreach ($class in "HMACSHA256", "HMACSHA1", "MD5CryptoServiceProvider", "SHA256CryptoServiceProvider", "SHA256Managed") {
    Write-Host -NoNewline "| $class | "
    try {
        $hasher = New-Object System.Security.Cryptography.$class
        Write-Host -NoNewline "ok  "
    } catch {
        Write-Host -NoNewline "FAIL"
    }

    $c = "[System.Security.Cryptography.$class]"
    try {
        (iex $c)::Create() > $null
        Write-Host "| ok |"
    } catch { Write-Host "| FAIL |" }
}

Results:

Windows 10.0.10586

| Algo                        | New-Obj | Create |
| --------------------------- | ------- | ------ |
| HMACSHA256                  | ok      | ok     |
| HMACSHA1                    | ok      | ok     |
| MD5CryptoServiceProvider    | FAIL    | FAIL   |
| SHA256CryptoServiceProvider | ok      | FAIL   |
| SHA256Managed               | FAIL    | FAIL   |

Windows 10.0.14393

| Algo                        | New-Obj | Create |
| --------------------------- | ------- | ------ |
| HMACSHA256                  | ok      | ok     |
| HMACSHA1                    | ok      | ok     |
| MD5CryptoServiceProvider    | FAIL    | FAIL   |
| SHA256CryptoServiceProvider | ok      | ok     |
| SHA256Managed               | FAIL    | ok     |

The difference seems to be that Workstation is Windows 10, 10.0.10586, and LabSystem is 10.0.14393 and they have different FIPS implementations.
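The pass/fail matrix above cannot show why `[SHA256Managed]::Create()` can succeed while `New-Object SHA256Managed` fails on the same box: SHA256Managed (like HMACSHA256) defines no static Create() of its own, so the call binds to the inherited SHA256.Create() (HMAC.Create()), which resolves through CryptoConfig and may return a different implementation than the class named. This added variant of the script (example code, not from the gist) records the concrete runtime type each path returns; Test-FipsAlgorithmMatrix is a name chosen here, and it assumes Windows PowerShell 5.1 on .NET Framework like the systems in the gist.

```powershell
function Test-FipsAlgorithmMatrix {
    param(
        [string[]]$Classes = @('HMACSHA256', 'HMACSHA1', 'MD5CryptoServiceProvider',
                               'SHA256CryptoServiceProvider', 'SHA256Managed')
    )
    # Context worth printing next to the results: OS build and the CLR's own FIPS flag
    $fips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    Write-Host ("OS {0}  CLR {1}  AllowOnlyFipsAlgorithms={2}" -f `
        [Environment]::OSVersion.Version, [Environment]::Version, $fips)

    foreach ($class in $Classes) {
        # Resolve the type once; a typo in a class name should fail loudly, not read as FAIL
        $type = [type]"System.Security.Cryptography.$class"

        # Path 1: the constructor, which is what New-Object runs and where the
        # FIPS check inside the *Managed classes fires.
        $ctor = 'ok'; $ctorType = $null
        try {
            $o = [Activator]::CreateInstance($type)
            $ctorType = $o.GetType().Name
            $o.Dispose()
        } catch { $ctor = 'FAIL' }

        # Path 2: the static factory. $type::Create() binds to whichever Create() the
        # class inherits (SHA256.Create(), HMAC.Create(), ...), so the object handed
        # back is whatever CryptoConfig maps that base algorithm name to.
        $create = 'ok'; $createType = $null
        try {
            $o = $type::Create()
            $createType = $o.GetType().Name
            $o.Dispose()
        } catch { $create = 'FAIL' }

        [pscustomobject]@{
            Class      = $class
            NewObject  = $ctor
            CtorType   = $ctorType
            CreateCall = $create
            CreateType = $createType   # compare with Class: a different name is the tell
        }
    }
}

Test-FipsAlgorithmMatrix | Format-Table -AutoSize
```

A row where CreateType differs from Class means the "ok" in the Create column says nothing about whether the named managed implementation is allowed; code that calls `SHA256Managed.Create()` expecting a FIPS failure, as the AzureRM helper linked above does, gets a silently substituted object instead.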

https://technet.microsoft.com/en-us/library/cc750357.aspx
