Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

This document does a good job of explaining the FIPS mode changes.

http://support.microsoft.com/kb/811833/en-us

 

·         Notes

o    By default, EFS on Windows XP RTM uses the DESX algorithm. If you enable this setting, EFS uses 168-bit 3DES encryption.

o    By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, EFS uses the kernel-mode AES implementation. This implementation is not FIPS-validated on these platforms. If you enable the FIPS setting on these platforms, the operating system uses the 3DES algorithm with a 168-bit key length.

o    In Windows Vista and in Windows Server 2008, EFS uses the AES algorithm with 256-bit keys. If you enable this setting, AES-256 will be used.

o    FIPS local policy does not affect password key encryption.

 

·         This setting also affects Terminal Services in Windows Server 2003 and in later versions of Windows. The effect depends on whether TLS is being used for server authentication.

If TLS is being used for server authentication, this setting causes only TLS 1.0 to be used.

By default, if TLS is not being used, and this setting is not enabled on the client or on the server, the Remote Desktop Protocol (RDP) channel between the server and the client is encrypted by using the RC4 algorithm with a 128-bit key length. After you enable this setting on a Windows Server 2003-based computer, the following is true:

o    The RDP channel is encrypted by using the 3DES algorithm in Cipher Block Chaining (CBC) mode with a 168-bit key length.

o    The SHA-1 algorithm is used to create message digests.

o    Clients must use the RDP 5.2 client program or a later version to connect.

 

From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, April 26, 2013 12:51 PM
To:
Subject: [AD-Assurance] RE: http://support.microsoft.com/kb/811833

 

Here's that contact name ...

 

From: [] On Behalf Of Brian Arkills
Sent: Wednesday, March 13, 2013 8:56 AM
To:
Subject: [AD-Assurance] RE: http://support.microsoft.com/kb/811833

 

Answer from Tim Myers (Security Program Manager | Common Criteria and FIPS 140-2 Security Evaluations):

 

FIPS local policy doesn’t appear to impact PEK encryption. Ultimately, the Windows OS source code is the source of the answer.

 

We probably want to keep Tim's name handy for other questions.

 

From: [] On Behalf Of Brian Arkills
Sent: Friday, March 08, 2013 11:03 AM
To:
Subject: [AD-Assurance] FW: http://support.microsoft.com/kb/811833

 

I sent the following question off to the DS MVPs and AD product team representatives. I've gotten a response back that there is a special FIPS mailing list within Microsoft where my question has been sent along to. I'll let folks know if/when I get something back on this.

 

From: Brian Arkills
Sent: Friday, March 08, 2013 9:34 AM
Subject: http://support.microsoft.com/kb/811833

 

Does anyone know whether this FIPS setting also affects the encryption used by Active Directory for password encryption (and for the PEK encryption)?

 

I suspect it doesn't, but I'd be really happy to learn that it does. :)

 

If it doesn't, I think the KB should be modified to note that it doesn't affect all encryption processes that Windows uses so it isn't misleading.

 

-B