0 votes
by (360 points)

Which algorithms are considered to be FIPS 140-2 compliant for the purpose of the Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly option? I can't find any documentation for this option.

The reason for this question is that I noticed aes-ctr cannot be used for SSH when this option is enabled, but I cannot find any sources saying aes-ctr is not FIPS compliant. In fact I could only find references saying ctr is preferred over cbc.

1 Answer

+1 vote
by (147k points)
Best answer

The documentation for CryptoHelper.UseFipsAlgorithmsOnly is currently somewhat misleading. When it's enabled, only NIST-validated implementations of FIPS 140-2 compliant algorithms are to be used. This means that Rebex SSH will only use a subset of .NET classes in System.Security.Cryptography namespace (which are wrappers around MS Crypto API implementations that are validated) and several additional algorithms (for which we have implemented wrappers around MS Crypto API ourselves).

AES in CTR mode is not supported in FIPS-compliant mode because .NET AesCryptoServiceProvider does not support CTR mode, and Windows CNG API does not support it either. And although Rebex SSH includes an implementation of AES in CTR mode that uses AesCryptoServiceProvider, this implementation has not been validated by NIST, which is why it's not enabled in FIPS-compliant mode (even though it is actually preferred over CBC).

For Rebex components using SSH, this means that the following ciphers are enabled in FIPS-compliant mode:

Encryption algorithms: aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc

MAC algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha1

Key exchange algorithms: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Host key algorithms: ssh-dss, ssh-rsa, x509v3-sign-rsa

On a related note: Microsoft updated its official security baselines in 2014 and they no longer recommend enabling FIPS-mode by default. Their reasoning is a very informative and interesting read and can help when deciding whether and when exactly to enable FIPS-compliant mode.
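Added example, not part of the original answer and not Rebex code: a check of whether a given SSH server can negotiate with a client restricted to the FIPS-mode lists in the answer above. It parses the server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports the overlap per direction; the function names and the sample payload are constructed for illustration.

```python
# FIPS-mode algorithm lists exactly as given in the answer above.
FIPS_MODE = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-dss", "ssh-rsa", "x509v3-sign-rsa"],
    "encryption": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = "kex host_key enc_c2s enc_s2c mac_c2s mac_s2c comp_c2s comp_s2c lang_c2s lang_s2c".split()

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (binary packet framing already removed)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip the message-type byte and the 16-byte cookie
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated name-list: " + name)
        lists[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def fips_overlap(server: dict) -> dict:
    """Per negotiated field, the FIPS-mode algorithms the server also offers."""
    category = {"kex": "kex", "host_key": "host_key", "enc_c2s": "encryption",
                "enc_s2c": "encryption", "mac_c2s": "mac", "mac_s2c": "mac"}
    return {f: [a for a in FIPS_MODE[c] if a in server[f]] for f, c in category.items()}

def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists into a KEXINIT payload (used only to construct sample input)."""
    body = b"".join(len(s).to_bytes(4, "big") + s
                    for s in (",".join(lists.get(f, [])).encode() for f in FIELDS))
    return bytes([20]) + bytes(16) + body + bytes(5)  # no guessed packet, reserved = 0

# Constructed sample: a server hardened to offer CTR ciphers only.
SAMPLE = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-ed25519", "ssh-rsa"],
    "enc_c2s": ["aes256-ctr", "aes128-ctr"], "enc_s2c": ["aes256-ctr", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
})

if __name__ == "__main__":
    for field, algs in fips_overlap(parse_kexinit(SAMPLE)).items():
        print(f"{field:9} {', '.join(algs) or 'no common algorithm, negotiation fails'}")
```

An empty list for any field means the connection cannot be established with the FIPS-mode set, which is the situation a CTR-only server produces here.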

by (360 points)
Thank you for the fast and clear reply. Unfortunately our customer is forced to keep FIPS-compliant mode enabled, but we'll find a way around it.
by (147k points)
Actually, it's possible to enable `aes-ctr` on Windows in FIPS-compliant mode by setting `CryptoHelper.UseFipsAlgorithmsOnly` to `false` - this overrides the OS settings. In addition to this, `Sftp`/`Scp`/`Ssh` objects should be configured to only allow algorithms that are actually going to work (use `client.Settings.SshParameters` objects to set those: https://www.rebex.net/sftp.net/features/security.aspx#ssh-parameters).
by (220 points)
Let me ask you regarding the current status of the question.
Is CTR still unsupported under the FIPS mode because of the .NET capabilities?
by (147k points)
Yes, nothing has changed in regards to AES/CTR - it's still not supported by Windows CNG API, so it's still not available in FIPS mode. However, we now support AES/GCM, and a FIPS-certified implementation is provided by Windows CNG API, which means we can (and do) use it in FIPS mode.