You may want to use a Crypto API for Advanced Encryption Standard that is FIPS 140-2 complaint.

While doing this using managed code you can come across the AesCryptoServiceProvider class that is FIPS complaint. I want to highlight some points before using this class.

They are:

  • 1. AesCryptoServiceProvider calls the Crypto API, which uses RSAENH.DLL, which has been validated by NIST in the Cryptographic Module Validation Program.
  • 2. So it is RSAENH.DLL that is FIPS 140-2 complaint and AesCryptoServiceProvider calls the FIPS version of this DLL.
  • 3. Enabling FIPS policy from registry ensures that NON FIPS complaint algorithms will throw an exception saying "Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"
  • 4. Of course AesCryptoServiceProvider will work on systems where AES was implemented in RSAENH.DLL which is Windows XP and higher OS's. It will not run on Windows 2000.

 

Reference:

Test directly from the above link:

The Microsoft Corporation's Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) is a FIPS 140-2 Level 1 compliant, software-based, cryptographic service provider.

 

1010

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA

-Dave Friant
TEL: 425-704-7984
FAX: 425-936-7329

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH)
(Software Versions: 6.0.6001.22202 and 6.0.6002.18005)

(When operated in FIPS mode with Code Integrity (ci.dll) validated to FIPS 140-2 under Cert. #1006 operating in FIPS mode)

Validated to FIPS 140-2

Security Policy

Certificate

Software

08/15/2008;
07/24/2009

Overall Level: 1 

-Operational Environment: Tested as meeting Level 1 with Microsoft Windows Server 2008 (x86 Version); Microsoft Windows Server 2008 (x64 version); Microsoft Windows Server 2008 (IA64 version) (single-user mode)

-FIPS-approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)

-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 80 and 150 bits of encryption strength; non-compliant less than 80 bits of encryption strength)

Multi-chip standalone

"RSAENH encapsulates several different cryptographic algorithms in an easy-to-use cryptographic module accessible via the Microsoft CryptoAPI. Developers dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support."

Table directly referenced from http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm.

Text directly from the above link:

The Microsoft Corporation's Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) is a FIPS 140-2 Level 1 compliant, software-based, cryptographic service provider.

The Microsoft Enhanced Cryptographic Provider (RSAENH) consists of a single dynamically-linked library (DLL) named RSAENH.DLL (Software version 5.2.3790.4313 [Service Pack 2]) tested on an x86, x64, and ia64 processors, which comprises the modules logical boundary.