The documentation for CryptoHelper.UseFipsAlgorithmsOnly
is currently sumewhat misleading. When it's enabled, only NIST-validated implementations of FIPS 140-2 compliant algorithms are to be used. This means that Rebex SSH will only use a subset of .NET classes in System.Security.Cryptography
namespace (which are wrappers around MS Crypto API implementations that are validated) and several additional algorithms (for which we have implemented wrappers around MS Crypto API ourselves).
AES in CTR mode is not supported in FIPS-compliant mode because .NET AesCryptoServiceProvider does not support CTR mode, and Windows CNG API does not support it either. And although Rebex SSH includes an implementation of AES in CTR mode that uses AesCryptoServiceProvider
, this implementation has not been validated by NIST, which is why it's not enabled in FIPS-compliant mode (even though it is actually preferred over CBC).
For Rebex components using SSH, this means that the following ciphers are enabled in FIPS-comliant mode:
Encryption algorithms: aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc
MAC algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha1
Key exchange algorithms: diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
Host key algorithms: ssh-dss, ssh-rsa, x509v3-sign-rsa
On a related note: Microsoft updated its official security baselines in 2014 and they no longer recommend enabling FIPS-mode by default. Their reasoning is a very informative and interesting read and can help when deciding whether and when exactly to enable FIPS-compliant mode.