- What is FIPS 140-2?
- Is CodeB Credential Provider FIPS 140-2 Certified?
- What makes CodeB Credential Provider uniquely suited for FIPS compliance?
- How do I enable FIPS mode in Windows?
- How does this setting affect CodeB Credential Provider?
- What happens if non-FIPS algorithms are used accidentally?
- What else should I know?
- Do you offer tools or documentation for audit purposes?
What is FIPS 140-2?
FIPS 140-2 is a U.S. government standard that defines approved cryptographic algorithms and the requirements for using them in secure IT systems. It is widely adopted in government, defense, and regulated sectors to ensure trustworthy cryptographic operations.
Is CodeB Credential Provider FIPS 140-2 Certified?
No. CodeB Credential Provider is not independently certified, because it does not implement its own cryptographic algorithms. Instead, it is FIPS 140-2 compliant by design, as it relies entirely on the FIPS-certified cryptographic modules provided by Windows (e.g., bcryptprimitives.dll).
What makes CodeB Credential Provider uniquely suited for FIPS compliance?
Unlike most Credential Providers, CodeB is implemented entirely in managed code (based on Microsoft’s .NET Framework). This has a critical benefit:
➡️ The .NET runtime enforces FIPS compliance automatically when Windows is configured to run in FIPS mode. If any disallowed algorithm is used (e.g., MD5, SHA1Managed, RNGCryptoServiceProvider), the .NET Framework will throw a runtime exception and block execution.
This means:
- No risk of accidentally using non-compliant algorithms
- Compliance is enforced at runtime by Windows itself
- No need for manual review of algorithm usage
❗ Most Credential Providers use unmanaged/native code, which does not benefit from this built-in runtime enforcement.
How do I enable FIPS mode in Windows?
You can enable FIPS-compliant mode via Group Policy or local security policy.
✅ Group Policy (Recommended for Domain Environments)
- Open Group Policy Management (gpmc.msc)
- Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
- Locate: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
- Set this policy to Enabled
- Apply and reboot the system (required for some services)
✅ Local Security Policy (for standalone machines)
- Run secpol.msc
- Follow the same steps as above
How does this setting affect CodeB Credential Provider?
Once FIPS mode is enabled:
- Windows restricts all cryptographic calls to FIPS-approved algorithms only
- The .NET runtime blocks use of disallowed algorithms (e.g., MD5, SHA1)
- Because CodeB is written entirely in managed code, this enforcement is automatic and cannot be bypassed
This guarantees that the CodeB Credential Provider:
- Cannot use insecure or non-compliant algorithms
- Operates in full conformance with FIPS 140-2 standards
- Fails safely (e.g., refuses execution) if policy is violated
What happens if non-FIPS algorithms are used accidentally?
In FIPS mode:
- Any use of non-approved .NET cryptographic classes (e.g., SHA1Managed, MD5CryptoServiceProvider) will immediately raise a System.InvalidOperationException
- This protects the system from insecure or non-compliant behavior
CodeB Credential Provider is designed to avoid these algorithms entirely, but in the rare event of misconfiguration or legacy code paths, Windows will still enforce the policy at runtime.
What else should I know?
- Windows FIPS mode affects all .NET and native code running on the system.
- You can verify FIPS mode by checking:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
A DWORD value of 1 means FIPS mode is enabled.
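For an audit record, the registry check above can be paired with a probe of what the .NET runtime actually does on the machine. The following PowerShell script is an added example, not CodeB's own code; it reports what each class does rather than assuming an outcome, because the behavior depends on the installed .NET version. Assumptions: Windows PowerShell 5.1 on .NET Framework, the policy DWORD is named Enabled (the page gives only the key path), and SHA256Cng is included only as a contrast case.

```powershell
# Added example: audit check for Windows FIPS mode (Windows PowerShell 5.1).
# Assumption: the policy DWORD is named 'Enabled'; the page gives only the key path.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyValue {
    # Returns the DWORD, or $null when the key or value is missing.
    try   { (Get-ItemProperty -Path $keyPath -Name 'Enabled' -ErrorAction Stop).Enabled }
    catch { $null }
}

function Test-CryptoClass {
    param([string]$TypeName)
    # Instantiates one .NET crypto class and records what the runtime did.
    try {
        $obj = New-Object -TypeName $TypeName -ErrorAction Stop
        if ($obj -is [System.IDisposable]) { $obj.Dispose() }
        [pscustomobject]@{ Class = $TypeName; Result = 'Allowed'; Exception = '' }
    }
    catch {
        # New-Object wraps constructor failures; unwrap to the innermost exception.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        [pscustomobject]@{ Class = $TypeName; Result = 'Blocked'; Exception = $ex.GetType().FullName }
    }
}

$policy  = Get-FipsPolicyValue
# What the .NET runtime in this process believes about the FIPS policy.
$runtime = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

"Registry policy value : $(if ($null -eq $policy) { 'not set' } else { $policy })"
"Runtime sees FIPS mode: $runtime"

# Two classes the page names as disallowed, plus one CNG-backed class
# (chosen for this example, not from the page) for contrast.
$probes = 'System.Security.Cryptography.MD5CryptoServiceProvider',
          'System.Security.Cryptography.SHA1Managed',
          'System.Security.Cryptography.SHA256Cng' |
          ForEach-Object { Test-CryptoClass $_ }
$probes | Format-Table -AutoSize

# Flag the inconsistent state an auditor cares about: policy on, runtime unaware.
if ($policy -eq 1 -and -not $runtime) {
    Write-Warning 'Policy value is 1 but this runtime does not report FIPS mode.'
}
```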
Do you offer tools or documentation for audit purposes?
We do not publish our full cryptographic implementation documentation, since all cryptographic functions are delegated to Windows APIs. However, source code licenses are available for enterprise and government clients under NDA to support internal audits and compliance verification.
If you need assistance with FIPS configuration or testing in your environment, feel free to contact our support team.