Search code examples
windows-mobile-6.5fips

Is there a way to enable FIPS mode on a Windows Mobile device?

I'm using a Windows Mobile 6.5 device, and was wondering, is there a way to enable FIPS only mode on it, the way you can in Windows 7 and XP?

The equivalent setting I've found on a desktop OS is:

Security Settings/Local Policies/Security Options/
System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing = Enabled

I'm looking for either an equivalent setting, or a registry fix (assuming it is even possible).

There is an explanation of what FIPS is at the Mozilla site. FIPS mode enforces stricter security practices throughout the OS. It is important because it is a requirement for those that need to be FIPS-compliant (which many branches of the government require).

If it helps, we are using the RSAENH cryptographic module in our application.

Solution

  • No, there's no such provision in Windows Mobile 6.5.

    From http://technet.microsoft.com/en-us/library/cc750357.aspx, we can see that the Microsoft cryptographic libraries do not check the FIPS local policy flag at all and it's up to applications to do so.

    Note – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic libraries (CAPI or CNG). Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic libraries.

    (If you're wondering, the .NET framework counts as an application here and it is what checks the flag on the Desktop OS—not the underlying crypto library)

    Knowing this, you have to look at the Security Policy for the Windows Mobile Cryptographic Provider (RSAENH) to find out how to ensure FIPS compliance:

    Secure Operation

    The Microsoft Windows CE and Windows Mobile Enhanced Cryptographic Module (RSAENH) is used in FIPS Approved Mode by application, through the invocation of individual functions in FIPS Approved Mode. The application is responsible for ensuring that it does not perform non-Approved functions in ways that make the application non-FIPS Compliant. The non-Approved functions include:

    • Any function using an algorithm which is non-Approved

    Further, the Security Policy mentions what are the non-approved FIPS algorithms. It's up to you to make sure you don't use them to remain FIPS compliant. These are the non-approved algorithms that it lists and you must not use:

    • RSA keypair generation (key sizes from 384 to 16384) (the RSAENH module does not implement the Approved X9.31 algorithm for keypair generation)
    • RSA encrypt and decrypt with private and public key
    • RC2 keypair derivation (key sizes from 40 to 128)
    • RC2 keypair generation (key sizes from 40 to 128)
    • RC2 ECB / CBC encrypt/decrypt
    • RC4 keypair derivation (key sizes from 40 to 128)
    • RC4 keypair generation
    • RC4 encrypt/decrypt
    • MD2 hash
    • MD4 hash
    • MD5 hash
    • MD5 based Keyed-Hash Message Authentication Code (HMAC)
    • non-Approved Software Psuedo Random Number Generator (PRNG) (seeded by hardware data, and by application-provided data)
    • Lan Manager Hash Generation