ad-assurance - Re: [AD-Assurance] RE: http://support.microsoft.com/kb/811833

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] RE: http://support.microsoft.com/kb/811833
  • Date: Fri, 08 Mar 2013 15:12:15 -0800

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm has a list of FIPS 140-1 and 140-2 validated modules, sorted by vendor.  There are several there by Microsoft, but none with Active Directory in the name.  Someone with more familiarity with the product line might recognize something, though.

David

On Fri, 2013-03-08 at 19:10 +0000, Capehart,Jeffrey D wrote:
When I read the Microsoft FIPS Evaluation, I did not see anything obvious that would lend itself to password encryption by the operating system or Active Directory.  Anyone else?


FIPS 140 Evaluation

Updated: February 10, 2012

http://technet.microsoft.com/en-us/library/cc750357.aspx

The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic libraries:

  • Schannel Security Package
  • Remote Desktop Protocol (RDP) Client
  • Encrypting File System (EFS)
  • Microsoft .NET Framework Applications
  • BitLocker® Drive Full-volume Encryption (Windows Vista, Windows Server 2008, or later)
  • IPsec Settings of Windows Firewall (Windows Vista SP1, Windows Server 2008, or later)

Note: Microsoft Product Relationship with CAPI/CNG libraries

Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic components. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API (CAPI) and Cryptographic API: Next Generation (CNG) FIPS 140 validated cryptographic libraries. Windows components and Microsoft products use the documented application programming interfaces (API) for each of the libraries to access various cryptographic services.

 

Jeff C.

 

From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, March 08, 2013 2:03 PM
To:
Subject: [AD-Assurance] FW: http://support.microsoft.com/kb/811833


 

I sent the following question off to the DS MVPs and AD product team representatives. I've gotten a response back that there is a special FIPS mailing list within Microsoft to which my question has been sent along. I'll let folks know if/when I get something back on this.

 

From: Brian Arkills
Sent: Friday, March 08, 2013 9:34 AM
Subject: http://support.microsoft.com/kb/811833


 

Does anyone know whether this FIPS setting also affects the encryption used by Active Directory for password encryption (and for the PEK encryption)?

 

I suspect it doesn't, but I'd be really happy to learn that it does. :)

 

If it doesn't, I think the KB should be modified to note that it doesn't affect all encryption processes that Windows uses so it isn't misleading.

 

-B





