Meeting the InCommon Assurance profile criteria using Active Directory

[Brian Arkills <>]

Answer from Tim Myers (Security Program Manager | Common Criteria and FIPS 140-2 Security Evaluations):

 

FIPS local policy doesn’t appear to impact PEK encryption. Ultimately, the Windows OS source code is the source of the answer.

 

We probably want to keep Tim's name handy for other questions.

 

From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, March 08, 2013 11:03 AM
To:
Subject: [AD-Assurance] FW: http://support.microsoft.com/kb/811833

 

I sent the following question off to the DS MVPs and AD product team representatives. I've gotten a response back that there is a special FIPS mailing list within Microsoft where my question has been sent along to. I'll let folks know if/when I get something back on this.

 

From: Brian Arkills
Sent: Friday, March 08, 2013 9:34 AM
Subject: http://support.microsoft.com/kb/811833

 

Does anyone know whether this FIPS setting also affects the encryption used by Active Directory for password encryption (and for the PEK encryption)?

 

I suspect it doesn't, but I'd be really happy to learn that it does. :)

 

If it doesn't, I think the KB should be modified to note that it doesn't affect all encryption processes that Windows uses so it isn't misleading.

 

-B