FIPS and AES-CTR

0 votes
asked Feb 11, 2016 by Noatak (360 points)

Which algorithms are considered to be FIPS 140-2 compliant for the purpose of the Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly option? I can't find any documentation for this option.

The reason for this question is that I noticed aes-ctr cannot be used for SSH when this option is enabled, but I cannot find any sources saying aes-ctr is not FIPS compliant. In fact I could only find references saying ctr is preferred over cbc.

1 Answer

+1 vote
answered Feb 11, 2016 by Lukas Pokorny (86,990 points)
selected Feb 11, 2016 by Noatak
 
Best answer

The documentation for CryptoHelper.UseFipsAlgorithmsOnly is currently somewhat misleading. When it's enabled, only NIST-validated implementations of FIPS 140-2 compliant algorithms are to be used. This means that Rebex SSH will only use a subset of .NET classes in the System.Security.Cryptography namespace (which are wrappers around MS Crypto API implementations that are validated) and several additional algorithms (for which we have implemented wrappers around MS Crypto API ourselves).

AES in CTR mode is not supported in FIPS-compliant mode because .NET AesCryptoServiceProvider does not support CTR mode. And although Rebex SSH includes an implementation of AES in CTR mode that uses AesCryptoServiceProvider, this implementation has not been validated by NIST, which is why it's not enabled in FIPS-compliant mode (even though it is actually preferred over CBC).

For Rebex components using SSH, this means that the following ciphers are enabled in FIPS-compliant mode:

Encryption algorithms: aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc

MAC algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha1

Key exchange algorithms: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Host key algorithms: ssh-dss, ssh-rsa, x509v3-sign-rsa

On a related note: Microsoft updated its official security baselines in 2014 and they no longer recommend enabling FIPS mode by default. Their reasoning is a very informative and interesting read and can help when deciding whether and when exactly to enable FIPS-compliant mode.
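
The answer above says Rebex's aes-ctr is a CTR-mode wrapper around AesCryptoServiceProvider, and that it is the wrapper, not the AES primitive, which lacks NIST validation. The following is an added illustration (not Rebex's code) of what such a composition looks like: only the E_K(counter) call goes through the validated CSP; the counter handling and the XOR are plain application code that no validation covers. It assumes .NET Framework on Windows, where AesCryptoServiceProvider is available, and checks itself against the published SP 800-38A CTR-AES128 test vector.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example: AES-CTR composed from the ECB primitive of AesCryptoServiceProvider.
// Everything outside TransformBlock (counter increment, XOR) is unvalidated glue code.
public static class AesCtrDemo
{
    // Encrypts or decrypts (CTR is symmetric) using a 16-byte initial counter block.
    public static byte[] Transform(byte[] key, byte[] initialCounter, byte[] input)
    {
        if (initialCounter.Length != 16) throw new ArgumentException("counter block must be 16 bytes");
        using (var aes = new AesCryptoServiceProvider { Key = key, Mode = CipherMode.ECB, Padding = PaddingMode.None })
        using (ICryptoTransform ecb = aes.CreateEncryptor())
        {
            var counter = (byte[])initialCounter.Clone();
            var keystream = new byte[16];
            var output = new byte[input.Length];
            for (int offset = 0; offset < input.Length; offset += 16)
            {
                ecb.TransformBlock(counter, 0, 16, keystream, 0);       // E_K(counter), the validated part
                int n = Math.Min(16, input.Length - offset);
                for (int i = 0; i < n; i++)
                    output[offset + i] = (byte)(input[offset + i] ^ keystream[i]);
                // Big-endian increment with carry across the whole block, as SSH aes-ctr (RFC 4344) does.
                for (int j = 15; j >= 0 && ++counter[j] == 0; j--) { }
            }
            return output;
        }
    }

    static byte[] Hex(string s) =>
        Enumerable.Range(0, s.Length / 2).Select(i => Convert.ToByte(s.Substring(2 * i, 2), 16)).ToArray();

    public static void Main()
    {
        // NIST SP 800-38A, F.5.1 CTR-AES128.Encrypt, first block.
        byte[] key = Hex("2b7e151628aed2a6abf7158809cf4f3c");
        byte[] ctr = Hex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
        byte[] ct = Transform(key, ctr, Hex("6bc1bee22e409f96e93d7e117393172a"));
        string ctHex = BitConverter.ToString(ct).Replace("-", "").ToLower();
        Console.WriteLine(ctHex == "874d6191b620e3261bef6864990db6ce" ? "matches SP 800-38A vector" : "MISMATCH");

        // Round trip on a constructed, non-block-aligned message.
        byte[] msg = System.Text.Encoding.ASCII.GetBytes("ctr built on a validated primitive is not itself validated");
        byte[] back = Transform(key, ctr, Transform(key, ctr, msg));
        Console.WriteLine(msg.SequenceEqual(back) ? "round trip ok" : "round trip FAILED");
    }
}
```

Passing a known-answer test is necessary but not sufficient for FIPS purposes: a module is validated as a whole, so the correct output of this code says nothing about its validation status, which is the distinction the answer draws.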

commented Feb 11, 2016 by Noatak (360 points)
Thank you for the fast and clear reply. Unfortunately our customer is forced to keep FIPS-compliant mode enabled, but we'll find a way around it.
commented Feb 11, 2016 by Lukas Pokorny (86,990 points)
Actually, it's possible to enable `aes-ctr` on Windows in FIPS-compliant mode by setting `CryptoHelper.UseFipsAlgorithmsOnly` to `true` - this overrides the OS settings. In addition to this, `Sftp`/`Scp`/`Ssh` objects should be configured to only allow algorithms that are actually going to work (use client.Settings.SshParameters objects to set those: https://www.rebex.net/sftp.net/features/security.aspx#ssh-parameters).
...