Enable FIPS 140.2 in Windows 7 (cng.sys version does not match with versions from NIST Validated list)

  • Question

  • Hi everyone,

    I am currently working on an application running in Windows 7 Ultimate, and it has to be FIPS 140-2 compliant.

    As far as I have researched in https://technet.microsoft.com/en-us/library/security/cc750357.aspx, there is a kind of validation process which consists of setting a policy setting (secpol.msc) for using FIPS algorithms. The other step consists of checking that a few binaries (cng.sys, bcryptprimitives.dll) are the same version as the ones validated by NIST. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1328

    I am having trouble with this last step: I cannot find any place where it is said how to modify these binaries, e.g. hotfix, downgrade these binaries separately, ...

    Could somebody help me or clarify this issue for me? Is it necessary to have the versions from the NIST validated list?





    • Edited by Víctor DMS Tuesday, December 15, 2015 3:38 PM
    Tuesday, December 15, 2015 3:25 PM

Answers

  • Hello Simon Wang_

    I am sorry but I cannot mark your response as an answer because it does not contain any references about what you say.

    I mean, I have reviewed that document from the beginning to the end and it is not written that if I have a newer version then my OS is FIPS validated. Even if that is the real solution, I do not know if it is dependable.

    The only solution that I have found is through installing an update from Microsoft:

    https://technet.microsoft.com/en-us/library/security/2868725

    https://www.microsoft.com/en-us/download/details.aspx?id=40959

    I still do not know if this is a good solution, but at least it modifies the version of the binaries (DLL) listed on FIPS.

    Best Regards,

    Víctor DMS


    VDMS

    • Marked as answer by Víctor DMS Friday, January 8, 2016 12:30 PM
    Friday, January 8, 2016 12:30 PM
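
One way to script the two checks described in the question (the FIPS policy setting and the versions of cng.sys and bcryptprimitives.dll), as an added example that is not part of the original thread. The validated version strings are placeholders to be filled in from the NIST entry linked above; the registry path is where Windows stores the policy that secpol.msc sets, and the script assumes a 64-bit PowerShell session on 64-bit Windows so that System32 is not redirected.

```powershell
# Added example. The version strings are placeholders, not values from the NIST list.
$validated = @{
    'cng.sys'              = @('<validated-version-from-NIST-entry>')
    'bcryptprimitives.dll' = @('<validated-version-from-NIST-entry>')
}
$paths = @{
    'cng.sys'              = (Join-Path $env:SystemRoot 'System32\drivers\cng.sys')
    'bcryptprimitives.dll' = (Join-Path $env:SystemRoot 'System32\bcryptprimitives.dll')
}

# Step 1: read the policy value behind the secpol.msc FIPS setting (1 = enabled).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled
'FIPS policy enabled: {0}' -f ($fips -eq 1)

# Step 2: compare each binary's file version with the validated list.
foreach ($name in $paths.Keys) {
    $path = $paths[$name]
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found"
        continue
    }
    $vi = (Get-Item $path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can
    # carry extra text and may not reflect the binary after servicing.
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart
    New-Object PSObject -Property @{
        File            = $name
        Version         = $ver
        OnValidatedList = ($validated[$name] -contains $ver)
    } | Select-Object File, Version, OnValidatedList
}
```

Running it before and after installing an update shows whether the update changed either binary's version and whether the new version appears on the list you entered.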

All replies

  • Hi Víctor DMS,

    Thanks for posting in Microsoft TechNet forums.

    I will try to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards

    Simon


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Thursday, December 17, 2015 7:02 AM
    Moderator
  • Hi Simon Wang_, thanks, I appreciate it :)

    If you have any doubt please contact me

    Best Regards

    Thursday, December 17, 2015 2:24 PM
  • Hi Victor,

    After reviewing the document in the link below,

    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1328

    I would like to explain that if your Windows 7 Ultimate version is higher than the OS version mentioned in the articles, it supports using FIPS algorithms. It is not necessary to have the versions from the NIST validated list. Because some of the latest OS versions have not been updated and published in this document, you just need to ensure the Windows 7 OS version is not lower.

    Hope it will be helpful to you.

    Best Regards

    Simon



    Wednesday, December 30, 2015 8:36 AM
    Moderator