I’m using a Windows Mobile 6.5 device, and was wondering, is there a way to enable FIPS only mode on it, the way you can in Windows 7 and XP?
The equivalent setting I’ve found on a desktop OS is:
Security Settings/Local Policies/Security Options/
System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing = Enabled
I’m looking for either an equivalent setting, or a registry fix (assuming it is even possible).
There is an explanation of what FIPS is at the Mozilla site. FIPS mode enforces stricter security practices throughout the OS. It is important because it is a requirement for those that need to be FIPS-compliant (which many branches of the government require).
If it helps, we are using the RSAENH cryptographic module in our application.
No, there’s no such provision in Windows Mobile 6.5.
From http://technet.microsoft.com/en-us/library/cc750357.aspx, we can see that the Microsoft cryptographic libraries do not check the FIPS local policy flag at all and it’s up to applications to do so.
(If you’re wondering, the .NET framework counts as an application here and it is what checks the flag on the Desktop OS—not the underlying crypto library)
Knowing this, you have to look at the Security Policy for the Windows Mobile Cryptographic Provider (RSAENH) to find out how to ensure FIPS compliance:
Further, the Security Policy mentions what are the non-approved FIPS algorithms. It’s up to you to make sure you don’t use them to remain FIPS compliant. These are the non-approved algorithms that it lists and you must not use:
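The answer's key point, that the crypto library does not consult the FIPS policy and the application has to police its own algorithm choices, can be demonstrated with a small application-level gate. The following C# is an added example and is not code from the question, the answer, or Microsoft; it assumes the desktop registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy (value "Enabled"), which does not exist on Windows Mobile, so the code falls back to an application-owned setting there. The approved-algorithm list in it is illustrative only; the authoritative list is the RSAENH Security Policy the answer refers to.

```csharp
// Added example: an application enforces FIPS-only algorithm selection itself,
// because (per the answer) the underlying crypto library does not check the flag.
using System;
using System.Security.Cryptography;
using Microsoft.Win32;

public static class FipsGate
{
    // Desktop Windows (Vista and later) stores the local policy flag here.
    // Assumption: absent on Windows Mobile 6.5, so we fall back to AppRequiresFips.
    private const string PolicyKey =
        @"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy";

    // Application-owned setting used where no OS-level flag exists (assumed).
    public static bool AppRequiresFips = true;

    // Illustrative allow-list of hash names; take the real list from the
    // module's Security Policy document, not from this example.
    private static readonly string[] ApprovedHashes = { "SHA1", "SHA256" };

    // Returns true if either the OS policy flag (where present) or the
    // application's own configuration demands FIPS-approved algorithms only.
    public static bool IsFipsRequired()
    {
        RegistryKey key = null;
        try
        {
            key = Registry.LocalMachine.OpenSubKey(PolicyKey);
            if (key != null)
            {
                object value = key.GetValue("Enabled");
                if (value is int)
                    return (int)value != 0;
            }
        }
        catch (Exception)
        {
            // No access or no such key: treat as "no OS flag" and use the app setting.
        }
        finally
        {
            if (key != null) key.Close();
        }
        return AppRequiresFips;
    }

    private static bool IsApproved(string name)
    {
        foreach (string approved in ApprovedHashes)
            if (string.Equals(approved, name, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    // Factory that refuses non-approved algorithms when FIPS is required.
    // MD5 is shown as a non-approved choice; it is rejected under policy.
    public static HashAlgorithm CreateHash(string name)
    {
        if (IsFipsRequired() && !IsApproved(name))
            throw new InvalidOperationException(
                name + " is not FIPS-approved and policy forbids its use.");

        switch (name.ToUpperInvariant())
        {
            case "MD5":    return new MD5CryptoServiceProvider();
            case "SHA1":   return new SHA1CryptoServiceProvider();
            case "SHA256": return new SHA256Managed();
            default: throw new ArgumentException("Unknown hash: " + name);
        }
    }
}
```

On the desktop, .NET performs a check of this kind itself when the policy flag is set (which is what the answer describes); on Windows Mobile 6.5 there is no flag and no framework check, so this kind of gate is the application's own responsibility. Whether a particular implementation class (CSP-backed versus managed) counts as the validated module is also something to confirm against the Security Policy rather than assume.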