Microsoft seeks certification for cryptographic module
- By Florence Olsen
- Oct 12, 1998
Microsoft Corp. has submitted a cryptographic services module for federal certification
as part of an ongoing drive to fit its Microsoft Windows NT into agency network
Certification under the Federal Information Processing Standard 140-1 Cryptographic
Module Validation Program could be completed late this year, said Karan Khanna, Microsoft
lead product manager on the Windows NT security team in Redmond, Wash.
The cryptographic module submitted to the National Institute of Standards and
Technology provides public-key services based on the Digital Encryption Standard, Secure
Hash Algorithm 1 (FIPS 180-1) and Digital Signature Standard.
Microsoft also is seeking FIPS 140-1 validation of its native Secure Sockets Layer
communications support for Fortezza encryption, which uses PC Cards and the Skipjack
algorithm. Part of the FIPS 140-1 validation includes specific tests to see
that the algorithms are working correctly, said Jim Foti, a technical staff member
at NISTs Computer Security Division.
If an agency needs to protect sensitive information in computer and telecommunications
systems, its cryptography method must incorporate a validated FIPS 140-1 module, Foti
Microsoft is seeking FIPS 140-1 certification at Level 2 of NISTs validation
program, which certifies cryptographic products up to Level 4.
So far, no product has been certified higher than Level 3, Foti said.
The Microsoft cryptographic services and Fortezza modules both plug into the Microsoft
Crypto Application Programming Interface, which provides encryption services to any
application written to that API.
After certification, the modules will be free to all NT users, either in the next
service pack or as a download, were not sure yet, Khanna said. They also will
become part of Windows NT 5.0, expected sometime next year.
Microsoft engineers in Redmond are doing the software design for the federal security
CygnaCom Solutions Inc., a NIST-accredited lab in McLean, Va., has been evaluating the
Microsoft has two cryptographic APIs in the current versions of NT 4.0, Windows 95 and
Its Crypto API supports various public-key encryption standards including RC2, RC4 and
X.509 digital certificates.
A second Microsoft API, the Security Support Provider Interface, authenticates users
based on the NT LANManager challenge-response protocol, Khanna said.
In NT 5.0, the interface will support the Kerberos authentication protocol in addition
to NT LANManager.