mlindgren
commented
9 months ago Hi @vennemp, currently SymCrypt is certified as part of various Windows modules that link to it - primarily cng.sys and bcryptprimitives.dll. Quoting Niels from #14 :
A library can't be FIPS-140 certified, only an executable can. SymCrypt is used in CNG.SYS and BCryptPrimitives.DLL, the two primary crypto libraries used in Windows which are FIPS-140 certified. For example https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3527 which links to algorithm certificates such as https://csrc.nist.gov/projects/Cryptographic-Algorithm-Validation-Program/details?source=AES&number=5300 which lists the implementation name that contains SymCrypt.
For a full list of Microsoft's CMVP modules, you can look here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=microsoft&CertificateStatus=Active&ValidationYear=0
All of the modules on that page use SymCrypt except for:
- CBL-Mariner OpenSSL Cryptographic Module
- CBL-Mariner 1.0 Kernel Crypto API
- Microsoft Azure Networking Adapter Kernel
- Microsoft BoringCrypto Module
Let us know if you have additional questions.
Thanks, Mitch
If you believe you have an issue that affects the security of applications that use SymCrypt, please do NOT create a GitHub issue, but instead email your issue details to secure@microsoft.com. Your report may be eligible for a bug bounty, but ONLY if it is reported through email.
What is the FIPS CMVP Certificate # for this library?