Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 1 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Microsoft Windows FIPS 140 Validation Microsoft Windows 11 Windows Server 2022 Microsoft Windows 10 (versions 20H2 and 21H1) Microsoft Windows Server (version 20H2) Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 Azure Virtual Desktop Non-Proprietary Security Policy Document Version Number 1.1 Updated On August 23, 2024 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 2 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2024 Microsoft Corporation. All rights reserved. Microsoft, Azure, Windows, the Windows logo, Windows Server, and BitLocker are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 3 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Version History Version Date Summary of changes 1.0 March 25, 2022 Draft sent to NIST CMVP 1.1 August 23, 2024 Updates in response to NIST feedback Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 4 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). TABLE OF CONTENTS 1 INTRODUCTION...................................................................................................................8 1.1 LIST OF CRYPTOGRAPHIC MODULE BINARY EXECUTABLES..................................................................9 1.2 VALIDATED PLATFORMS............................................................................................................9 1.3 CONFIGURE WINDOWS TO USE FIPS-APPROVED CRYPTOGRAPHIC ALGORITHMS ..................................11 2 CRYPTOGRAPHIC MODULE SPECIFICATION.........................................................................11 2.1 CRYPTOGRAPHIC BOUNDARY....................................................................................................12 2.2 FIPS 140-2 APPROVED ALGORITHMS ........................................................................................12 2.3 NON-APPROVED ALGORITHMS .................................................................................................19 2.4 FIPS 140-2 APPROVED ALGORITHMS FROM BOUNDED MODULES ....................................................20 2.5 CRYPTOGRAPHIC BYPASS.........................................................................................................21 2.6 HARDWARE COMPONENTS OF THE CRYPTOGRAPHIC MODULE..........................................................22 3 CRYPTOGRAPHIC MODULE PORTS AND INTERFACES ..........................................................22 3.1 EXPORT FUNCTIONS ...............................................................................................................22 3.2 CNG PRIMITIVE FUNCTIONS ....................................................................................................23 3.2.1 ALGORITHM PROVIDERS AND PROPERTIES ...........................................................................................24 3.2.1.1 BCryptOpenAlgorithmProvider...................................................................................................24 3.2.1.2 BCryptCloseAlgorithmProvider...................................................................................................24 3.2.1.3 BCryptSetProperty ......................................................................................................................24 3.2.1.4 BCryptGetProperty......................................................................................................................25 3.2.1.5 BCryptFreeBuffer ........................................................................................................................25 3.2.2 KEY AND KEY-PAIR GENERATION........................................................................................................25 3.2.2.1 BCryptGenerateSymmetricKey ...................................................................................................25 3.2.2.2 BCryptGenerateKeyPair ..............................................................................................................25 3.2.2.3 BCryptFinalizeKeyPair .................................................................................................................26 3.2.2.4 BCryptDuplicateKey ....................................................................................................................26 3.2.2.5 BCryptDestroyKey.......................................................................................................................26 3.2.3 RANDOM NUMBER GENERATION .......................................................................................................26 3.2.3.1 BCryptGenRandom .....................................................................................................................26 3.2.4 KEY ENTRY AND OUTPUT ..................................................................................................................27 3.2.4.1 BCryptImportKey.........................................................................................................................27 3.2.4.2 BCryptImportKeyPair ..................................................................................................................27 3.2.4.3 BCryptExportKey.........................................................................................................................27 3.2.5 ENCRYPTION AND DECRYPTION..........................................................................................................28 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 5 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 3.2.5.1 BCryptEncrypt .............................................................................................................................28 3.2.5.2 BCryptDecrypt.............................................................................................................................28 3.2.6 HASHING AND MESSAGE AUTHENTICATION .........................................................................................28 3.2.6.1 BCryptCreateHash.......................................................................................................................28 3.2.6.2 BCryptHashData..........................................................................................................................29 3.2.6.3 BCryptDuplicateHash..................................................................................................................29 3.2.6.4 BCryptFinishHash........................................................................................................................29 3.2.6.5 BCryptDestroyHash.....................................................................................................................29 3.2.6.6 BCryptHash..................................................................................................................................29 3.2.6.7 BCryptCreateMultiHash..............................................................................................................30 3.2.6.8 BCryptProcessMultiOperations...................................................................................................30 3.2.7 SIGNING AND VERIFICATION ..............................................................................................................30 3.2.7.1 BCryptSignHash...........................................................................................................................30 3.2.7.2 BCryptVerifySignature.................................................................................................................31 3.2.8 SECRET AGREEMENT AND KEY DERIVATION..........................................................................................31 3.2.8.1 BCryptSecretAgreement .............................................................................................................31 3.2.8.2 BCryptDeriveKey .........................................................................................................................31 3.2.8.3 BCryptDestroySecret...................................................................................................................31 3.2.8.4 BCryptKeyDerivation...................................................................................................................32 3.2.8.5 BCryptDeriveKeyPBKDF2.............................................................................................................32 3.2.9 CRYPTOGRAPHIC TRANSITIONS...........................................................................................................32 3.2.9.1 KAS-FFC and KAS-ECC..................................................................................................................32 3.2.9.2 SHA-1...........................................................................................................................................33 3.3 CONTROL INPUT INTERFACE .....................................................................................................33 3.4 STATUS OUTPUT INTERFACE.....................................................................................................33 3.5 DATA OUTPUT INTERFACE .......................................................................................................33 3.6 DATA INPUT INTERFACE ..........................................................................................................33 3.7 NON-SECURITY RELEVANT CONFIGURATION INTERFACES.................................................................33 4 ROLES, SERVICES AND AUTHENTICATION...........................................................................34 4.1 ROLES.................................................................................................................................34 4.2 SERVICES.............................................................................................................................35 4.2.1 MAPPING OF SERVICES, ALGORITHMS, AND CRITICAL SECURITY PARAMETERS ...........................................35 4.2.2 MAPPING OF SERVICES, EXPORT FUNCTIONS, AND INVOCATIONS ............................................................38 4.2.3 NON-APPROVED SERVICES................................................................................................................39 4.3 AUTHENTICATION..................................................................................................................39 5 FINITE STATE MODEL.........................................................................................................40 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 6 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 5.1 SPECIFICATION......................................................................................................................40 6 OPERATIONAL ENVIRONMENT...........................................................................................40 6.1 SINGLE OPERATOR.................................................................................................................40 6.2 CRYPTOGRAPHIC ISOLATION.....................................................................................................41 6.3 INTEGRITY CHAIN OF TRUST .....................................................................................................41 7 CRYPTOGRAPHIC KEY MANAGEMENT ................................................................................43 7.1 ACCESS CONTROL POLICY........................................................................................................44 7.2 KEY MATERIAL......................................................................................................................45 7.3 KEY GENERATION ..................................................................................................................45 7.4 KEY ESTABLISHMENT ..............................................................................................................45 7.4.1 NIST SP 800-132 PASSWORD BASED KEY DERIVATION FUNCTION (PBKDF) ...........................................46 7.4.2 NIST SP 800-38F AES KEY WRAPPING..............................................................................................47 7.5 KEY ENTRY AND OUTPUT.........................................................................................................47 7.6 KEY STORAGE .......................................................................................................................47 7.7 KEY ARCHIVAL ......................................................................................................................47 7.8 KEY ZEROIZATION..................................................................................................................47 8 SELF-TESTS........................................................................................................................47 8.1 POWER-ON SELF-TESTS ..........................................................................................................47 8.2 CONDITIONAL SELF-TESTS........................................................................................................48 9 DESIGN ASSURANCE..........................................................................................................49 10 MITIGATION OF OTHER ATTACKS.......................................................................................49 11 SECURITY LEVELS...............................................................................................................50 12 ADDITIONAL DETAILS ........................................................................................................50 13 APPENDIX A – HOW TO VERIFY WINDOWS VERSIONS AND DIGITAL SIGNATURES ...............51 13.1 HOW TO VERIFY WINDOWS VERSIONS .......................................................................................51 13.2 HOW TO VERIFY WINDOWS DIGITAL SIGNATURES .........................................................................51 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 7 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 14 APPENDIX B – REFERENCES................................................................................................52 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 8 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 1 Introduction The Microsoft Windows Cryptographic Primitives Library is a general purpose, software-based cryptographic module. The Cryptographic Primitives Library provides cryptographic services to user- mode applications running on the Windows operating system. The Cryptographic Primitives Library encapsulates several different cryptographic algorithms accessible via the Microsoft CNG (Cryptography, Next Generation) API which are exported by BCRYPT.DLL. BCRYPT.DLL is an API wrapper for BCRYPTPRIMITIVES.DLL and can be linked into applications by software developers to permit the use of general-purpose FIPS 140-2 Level 1 compliant cryptography. The relationship between the Cryptographic Primitives Library and other components is shown in the following diagram: Application Application layer CNG API router (BCRYPT.DLL) BCRYPTPRIMITIVES.DLL Other provider(s) CNG API Kernel CNG Provider Layer CNG API Layer CNG Provider Interface CNG.SYS Driver Provider Registration RNG Entropy Source Entropy Source Crpyto Provider Installer Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 9 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 1.1 List of Cryptographic Module Binary Executables The Microsoft Windows Cryptographic Primitives Library cryptographic module contains the following binary. Each binary has a distinct implementation per build. • BCRYPTPRIMITIVES.DLL The Windows products covered by this validation are: • Build 10.0.22000 o Windows 11 • Build 10.0.20348 o Windows Server 2022 o Windows Server Azure Edition o Azure Host 2021 o Azure Stack HCI version 21H2 • Build 10.0.19043: o Windows 10 version 21H1 • Build 10.0.19042 o Windows 10 version 20H2 o Windows Server version 20H2 1.2 Validated Platforms The Windows editions covered by this validation are: • Microsoft Windows 11 • Windows Server 2022 • Microsoft Windows 10 Pro Edition (64-bit version) • Microsoft Windows 10 Enterprise Edition (64-bit version) • Windows Server Core Standard • Windows Server Core Datacenter • Windows Server Azure Edition • Azure Host 2021 • Azure Stack HCI The Cryptographic Primitives Library components listed in Section 1.1 were validated using the combination of computers and Windows operating system editions specified in the tables below. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 10 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). All the computers for Windows 10 and Windows Server listed in the tables below are 64-bit Intel architecture and implement the AES-NI instruction set but not the SHA Extensions, with the following exception: • HPE ProLiant E910 (Edgeline EL8000) - Intel Xeon Gold 6248: AES-NI disabled and no SHA Extensions. Table 1 Validated Platforms for Windows 10 and Windows Server version 20H2 Computer Windows 10 Pro Windows 10 Enterprise Windows Server Core Windows Server Core Datacenter Microsoft Surface Laptop 4 - Intel i5- 1145G7 √ Microsoft Windows Server 2019 Hyper-V on Dell R630 - Intel Xeon E5-2660 v4 √ √ Dell Latitude 3520 - Intel i3-1115G4 √ Dell Latitude 9520 - Intel i7-1185G7 √ Dell Latitude 7420 - Intel i7-1185G7 √ HP EliteBook x360 830 G8 - Intel i7-1165G7 √ Table 2 Validated Platforms for Windows 10 version 21H1 and Windows Server 2022 Computer Windows 10 Pro Windows Server 2022 Core Windows Server 2022 Core Datacenter HPE ProLiant E910 (Edgeline EL8000) - Intel Xeon Gold 6248 √ Microsoft Surface Laptop 4 - Intel i5- 1145G7 √ Microsoft Windows Server 2019 Hyper-V on Dell R630 - Intel Xeon E5-2660 v4 √ √ HP EliteBook x360 830 G8 - Intel i7- 1165G7 √ Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 11 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Table 3 Validated Platforms for Windows 11 and Azure Computer Windows 11 Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 Microsoft Surface Laptop 4 - Intel i5- 1145G7 √ Dell PowerEdge R840 - Intel Xeon Platinum 8260 √ √ HPE ProLiant DL380 - Intel Xeon Platinum 8276L √ 1.3 Configure Windows to use FIPS-Approved Cryptographic Algorithms There are two methods to enable FIPS-Approved mode for the Cryptogrpahic Primitives Library. The first is to use FIPS Local/Group Security Policy setting or a Mobile Device Management (MDM) to enable FIPS-Approved mode for the Cryptographic Primitives Library. The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. The second method to enable FIPS-Approved mode for the Cryptographic Primitives Library is to set the following registry key to 1: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\STE. When this registry key exists and is set to 1, the selftests in Cryptogaphic Primitives Library will run in compliance with FIPS 140-2 Implementation Guidance section 9.11 and the module will be in FIPS Approved mode. In addition to these methods, Consult the MDM documentation for information on how to enable FIPS- Approved mode. The Policy CSP - Cryptography includes the setting AllowFipsAlgorithmPolicy. Changes to either Approved mode security policy setting do not take effect until the computer has been rebooted. 2 Cryptographic Module Specification The Cryptographic Primitives Library is a multi-chip standalone module that operates in FIPS-Approved mode during normal operation of the computer and Windows operating system and when Windows is configured to use FIPS-Approved cryptographic algorithms as described in Configure Windows to use FIPS-Approved Cryptographic Algorithms. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 12 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). In addition to configuring Windows to use FIPS-Approved Cryptographic Algorithms, third-party applications and drivers installed on the Windows platform must not use any of the non-Approved algorithms implemented by this module. Windows will not operate in an Approved mode when the operators chooses to use a non-Approved algorithm or service. The following configurations and modes of operation will cause the Cryptographic Primitives Library to operate in a non-Approved mode of operation: • Boot Windows in Debug mode • Boot Windows with Driver Signing disabled • Windows enters the ACPI S4 power state Cryptographic Boundary 2.1 Cryptographic Boundary The software cryptographic boundary for the Cryptographic Primitives Library is defined as the binary BCRYPTPRIMITIVES.DLL. 2.2 FIPS 140-2 Approved Algorithms The Cryptographic Primitives Library implements the following FIPS-140-2 Approved algorithms:1 Table 4 Algorithm Certificates for Windows 10, Windows Server, and Azure Virtual Desktop Algorithm Windows 10 and Windows Server version 20H2 Windows 10 version 21H1 and Azure Virtual Desktop version 21H1 FIPS 180-4 SHS SHA-1, SHA-256, SHA-384, and SHA-512 #A2066 #A2025 FIPS PUB 198-1 HMAC-SHA-12 , HMAC-SHA- 256, HMAC-SHA-384, and HMAC-SHA-512 #A2066 #A2025 FIPS 197 AES-128, AES-192, and AES-256 in ECB, CBC, CFB8, CFB128, and CTR modes #A2066 #A2025 NIST SP 800-38B and SP 800-38C AES-128, AES-192, and AES-256 in CCM and CMAC modes #A2066 #A2025 NIST SP 800-38D AES-128, AES-192, and AES- 256 GCM and GMAC #A2066 #A2025 NIST SP 800-38E XTS-AES XTS-128 and XTS- 2563 #A2066 #A2025 1 This module may not use some of the capabilities described in each CAVP certificate. Only those algorithms/modes listed in the tables below are utilized by the module. 2 For HMAC, only key sizes that are >= 112 bits in length are used by the module in FIPS mode. 3 AES XTS must be used only to protect data at rest and the caller needs to ensure that the length of data encrypted does not exceed 220 AES blocks. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 13 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 10 and Windows Server version 20H2 Windows 10 version 21H1 and Azure Virtual Desktop version 21H1 FIPS 186-4 RSA PKCS#1 (v1.5) digital signature generation and verification with 1024, 2048, 3072, and 4096 moduli; supporting SHA-14 , SHA-256, SHA-384, and SHA-512 #A2066 #A2025 Safe primes key generation with groups ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, MODP-2048, MODP-3072, and MODP-4096 #A2066 #A2025 FIPS 186-4 RSA key-pair generation with 2048 and 3072 moduli #A2066 #A2025 FIPS 186-4 ECDSA key pair generation and verification, signature generation and verification with the following NIST curves: P- 256, P-384, P-521 #A2066 #A2025 FIPS 186-4 DSA Key Generation with modulus lengths of 2048 or 3072 bits (subprime 256); PQG generation and verification with modulus lengths of 2048 or 3072 bits (subprime 256) and SHA2-256 hash; signature generation and verification with modulus lengths of 2048 or 3072 bits (subprime 256) and SHA2-256 hash. #A2066 #A2025 NIST SP 800-56Arev3 KAS – Diffie-Hellman Key Agreement; Finite Field Cryptography (FFC) with domain parameters FB (p=2048, q=224), FC (p=2048, q=256), and safe primes (ffdhe2048, MODP-2048, ffdhe3072, MODP- 3072, ffdhe4096, and MODP-4096); key establishment methodology provides at least 112 bits of encryption strength #A2066 #A2025 NIST SP 800-56A rev3 KAS – EC Diffie-Hellman Key Agreement; Elliptic Curve Cryptography (ECC) with domain parameters EC (P-256 w/ SHA-256), ED (P-384 w/ SHA-384), and EE (P- 521 w/ SHA-512); key establishment methodology provides between 128 and 256- bits of encryption strength #A2066 #A2025 4 SHA-1 is only acceptable for legacy signature verification. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 14 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 10 and Windows Server version 20H2 Windows 10 version 21H1 and Azure Virtual Desktop version 21H1 NIST SP 800-56A rev3 KAS-FFC-SSC key agreement (dhEphem, dhOneFlow, and dhStatic; KAS Roles: initiator, responder), with domain parameters FB, FC, and safe primes (ffdhe2048, MODP-2048) #A2066 #A2025 NIST SP 800-56A rev3 KAS-ECC-SSC key agreement (ephemeralUnified; KAS roles: initiator, responder), with domain parameters P-256 (hash functions SHA2-256, SHA2-384, SHA2-512), P-384 (hash functions SHA2-384, SHA2-512), and P-521 (hash function SHA2-512) #A2066 #A2025 NIST SP 800-56B RSADP (CVL) mod 2048 #A2066 #A2025 NIST SP 800-90A AES-256 counter mode DRBG #A2066 #A2025 NIST SP 800-67r1 Triple-DES (2 key legacy-use decryption5 and 3 key encryption/decryption) in ECB, CBC, CFB8 and CFB64 modes #A2066 #A2025 NIST SP 800-108 Key Derivation Function (KBKDF) CMAC-AES (128, 192, 256), HMAC (SHA1, SHA-256, SHA-384, SHA-512) #A2069 #A2031 NIST SP 800-38F AES Key Wrapping (KW) (128, 192, and 256), KTS (key establishment methodology provides between 128 and 256 bits of encryption strength) #A2069 #A2031 NIST SP 800-135 IKEv1, IKEv2 TLS 1.0/1.1, and TLS 1.2 KDF primitives (CVL)6 #A2066 #A2025 NIST SP 800-132 KDF (also known as PBKDF) with HMAC (SHA-1, SHA-256, SHA-384, SHA- 512) as the pseudo-random function #A2066 #A2025 5 Two-key Triple-DES Decryption is only allowed for Legacy-usage (as per SP 800-131A). The use of two-key Triple- DES Encryption is disallowed. The caller is responsible for following the 2^16 guidelines in all uses. 6 This cryptographic module supports the TLS, IKEv1, and IKEv2 protocols with SP 800-135 rev 1 KDF primitives, however, the protocols have not been reviewed or tested by the NIST CAVP and CMVP. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 15 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 10 and Windows Server version 20H2 Windows 10 version 21H1 and Azure Virtual Desktop version 21H1 NIST SP 800-133 (Sections 5.1, 5.2, 6.1, and 6.2) Cryptographic Key Generation (CKG) Vendor Affirmed Vendor Affirmed NIST SP 800-90B Entropy Source (ENT (P)) N/A N/A NIST SP 800-90B AES-CBC-MAC Conditioning Component #A1791, #A2165, #A2138, #A2668 #A1791, #A2165, #A2138, #A2668 Table 5 Algorithm Certificates for Windows 11, Windows Server 2022, and Azure Algorithm Windows 11 Windows Server version 2022 and Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 FIPS 180-4 SHS SHA-1, SHA- 256, SHA-384, and SHA-512 #A2004 #A2019 #A2019 #A2019 FIPS PUB 198-1 HMAC-SHA-17 , HMAC-SHA-256, HMAC-SHA- 384, and HMAC-SHA-512 #A2004 #A2019 #A2019 #A2019 FIPS 197 AES-128, AES-192, and AES-256 in ECB, CBC, CFB8, CFB128, and CTR modes #A2004 #A2019 #A2019 #A2019 NIST SP 800-38B and SP 800- 38C AES-128, AES-192, and AES-256 in CCM and CMAC modes #A2004 #A2019 #A2019 #A2019 NIST SP 800-38D AES-128, AES- 192, and AES-256 GCM and GMAC #A2004 #A2019 #A2019 #A2019 NIST SP 800-38E XTS-AES XTS- 128 and XTS-2568 #A2004 #A2019 #A2019 #A2019 7 For HMAC, only key sizes that are >= 112 bits in length are used by the module in FIPS mode. 8 AES XTS must be used only to protect data at rest and the caller needs to ensure that the length of data encrypted does not exceed 220 AES blocks. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 16 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 11 Windows Server version 2022 and Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 FIPS 186-4 RSA PKCS#1 (v1.5) digital signature generation and verification with 1024, 2048, 3072, and 4096 moduli; supporting SHA-19 , SHA-256, SHA-384, and SHA-512 #A2004 #A2019 #A2019 #A2019 Safe primes key generation with groups ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, MODP-2048, MODP-3072, MODP- 4096 #A2004 #A2019 #A2019 #A2019 FIPS 186-4 RSA key-pair generation with 2048 and 3072 moduli #A2004 #A2019 #A2019 #A2019 FIPS 186-4 ECDSA key pair generation and verification, signature generation and verification with the following NIST curves: P-256, P-384, P- 521 #A2004 #A2019 #A2019 #A2019 FIPS 186-4 DSA Key Generation with modulus lengths of 2048 or 3072 bits (subprime 256); PQG generation and verification with modulus lengths of 2048 or 3072 bits (subprime 256) and SHA2-256 hash; signature generation and verification with modulus lengths of 2048 or 3072 bits (subprime 256) and SHA2-256 hash. #A2004 #A2019 #A2019 #A2019 9 SHA-1 is only acceptable for legacy signature verification. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 17 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 11 Windows Server version 2022 and Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 NIST SP 800-56Arev3 KAS – Diffie-Hellman Key Agreement; Finite Field Cryptography (FFC) with domain parameters FB (p=2048, q=224), FC (p=2048, q=256), and safe primes (ffdhe2048, MODP-2048, ffdhe3072, MODP-3072, ffdhe4096, and MODP-4096); key establishment methodology provides at least 112 bits of encryption strength #A2004 #A2019 #A2019 #A2019 NIST SP 800-56Arev3 KAS – EC Diffie-Hellman Key Agreement; Elliptic Curve Cryptography (ECC) with domain parameters EC (P-256 w/ SHA-256), ED (P-384 w/ SHA-384), and EE (P-521 w/ SHA-512); key establishment methodology provides between 128 and 256-bits of encryption strength #A2004 #A2019 #A2019 #A2019 NIST SP 800-56A rev3 KAS-FFC- SSC key agreement (dhEphem, dhOneFlow, and dhStatic KAS Roles: initiator, responder), with domain parameters FB, FC, and safe primes (ffdhe2048, MODP-2048) #A2004 #A2019 #A2019 #A2019 NIST SP 800-56B RSADP (CVL) mod 2048 #A2004 #A2019 #A2019 #A2019 NIST SP 800-90A AES-256 counter mode DRBG #A2004 #A2019 #A2019 #A2019 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 18 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 11 Windows Server version 2022 and Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 NIST SP 800-67r1 Triple-DES (2 key legacy-use decryption10 and 3 key encryption/decryption) in ECB, CBC, CFB8 and CFB64 modes #A2004 #A2019 #A2019 #A2019 NIST SP 800-108 Key Derivation Function (KBKDF) CMAC-AES (128, 192, 256), HMAC (SHA1, SHA-256, SHA- 384, SHA-512) #A2001 #A2023 #A2023 #A2023 NIST SP 800-38F AES Key Wrapping (KW) (128, 192, and 256), KTS (key establishment methodology provides between 128 and 256 bits of encryption strength) #A2001 #A2023 #A2023 #A2023 NIST SP 800-135 IKEv1, IKEv2 TLS 1.0/1.1, and TLS 1.2 KDF primitives (CVL)11 #A2004 #A2019 #A2019 #A2019 NIST SP 800-132 KDF (also known as PBKDF) with HMAC (SHA-1, SHA-256, SHA-384, SHA-512) as the pseudo- random function #A2004 #A2019 #A2019 #A2019 NIST SP 800-133 (Sections 5.1, 5.2, 6.1, and 6.2) Cryptographic Key Generation (CKG) Vendor Affirmed Vendor Affirmed Vendor Affirmed Vendor Affirmed NIST SP 800-90B Entropy Source (ENT (P)) N/A N/A N/A N/A 10 Two-key Triple-DES Decryption is only allowed for Legacy-usage (as per SP 800-131A). The use of two-key Triple- DES Encryption is disallowed. The caller is responsible for following the 2^16 guidelines in all uses. 11 This cryptographic module supports the TLS, IKEv1, and IKEv2 protocols with SP 800-135 rev 1 KDF primitives, however, the protocols have not been reviewed or tested by the NIST CAVP and CMVP. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 19 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Algorithm Windows 11 Windows Server version 2022 and Windows Server Azure Edition Azure Host 2021 Azure Stack HCI version 21H2 NIST SP 800-90B AES-CBC-MAC Conditioning Component #A1791, #A2165, #A2138, #A2668 #A1791, #A2165, #A2138, #A2668 #A1791, #A2165, #A2138, #A2668 #A1791, #A2165, #A2138, #A2668 2.3 Non-Approved Algorithms The Cryptographic Primitives Library implements the following non-Approved but allowed algorithms: • SHA-1 hash, which is disallowed for use in digital signature generation. It can be used for legacy digital signature verification. Its use is acceptable for non-digital signature generation applications. • MD5 and HMAC-MD5 – allowed for TLS and EAP-TLS (no security claimed) • KAS-ECC with the following curves that are allowed in FIPS mode as per FIPS 140-2 IG A.2 Curve Security Strength (bits) Allowed in FIPS mode brainpoolP160r1 80 No brainpoolP192r1 96 No brainpoolP192t1 96 No brainpoolP224r1 112 Yes brainpoolP224t1 112 Yes brainpoolP256r1 128 Yes brainpoolP256t1 128 Yes brainpoolP320r1 160 Yes brainpoolP320t1 160 Yes brainpoolP384r1 192 Yes brainpoolP384t1 192 Yes brainpoolP512r1 256 Yes brainpoolP512t1 256 Yes ec192wapi 96 No nistP192 96 No nistP224 112 Yes numsP256t1 128 Yes numsP384t1 192 Yes numsP512t1 256 Yes secP160k1 80 No secP160r1 80 No secP160r2 80 No secP192k1 96 No secP192r1 96 No Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 20 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Curve Security Strength (bits) Allowed in FIPS mode secP224k1 112 Yes secP224r1 112 Yes secP256k1 128 Yes secP256r1 128 Yes secP384r1 192 Yes secP521r1 256 Yes wtls12 112 Yes wtls7 80 No wtls9 80 No x962P192v1 96 No x962P192v2 96 No x962P192v3 96 No x962P239v1 120 Yes x962P239v2 120 Yes x962P239v3 120 Yes x962P256v1 128 Yes The Cryptographic Primitives Library implements the following non-Approved algorithms but should not be used: • Non-compliant HMAC. If HMAC-SHA1 is used, key sizes less than 112 bits (14 bytes) are not allowed for usage in HMAC generation, as per SP 800-131A. • RC2, RC4, MD2, MD4 • 2-Key Triple-DES Encryption, which is disallowed for usage altogether as of the end of 2015. • DES in ECB, CBC, CFB8 and CFB64 modes • Non-complaint RSA encrypt/decrypt • Non-complaint IEEE 1619-2007 XTS-AES, XTS-128 and XTS-256 • Non-compliant AES GCM encryption except when the module operator does not follow the FIPS 140-2 Implementation Guidance A.5 scenario 4 for generating initialization vectors. • Non-compliant RSA 1024-bits for digital signature generation, which is disallowed. • Non-compliant FIPS 186-2 DSA with key length of 1024 bits • Legacy CAPI KDF (proprietary) • Non-complaint HKDF • Non-compliant ANSI X9.63 and X9.42 key derivation • NIST SP 800-56A Key Agreement using Finite Field Cryptography (FFC) with parameter FA (p=1024, q=160). The key establishment methodology provides 80 bits of encryption strength instead of the Approved 112 bits of encryption strength listed above. 2.4 FIPS 140-2 Approved Algorithms from Bounded Modules A bounded module is a FIPS 140 module which provides cryptographic functionality that is relied on by a downstream module. As described in the Integrity Chain of Trust section, the Cryptographic Primitives Library depends on the following modules and algorithms: Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 21 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). When Memory Integrity, called HVCI in previous Windows 10 versions, is not enabled, Code Integrity (module certificate #4511) provides: • CAVP certificates #A2066 (Windows 10 and Windows Server version 20H2) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2066 (Windows 10 and Windows Server version 20H2) for FIPS 180-4 SHS SHA-256 • CAVP certificates #A2025 (Windows 10 version 21H1 and Windows Server 2022) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2025 (Windows 10 version 21H1 and Windows Server 2022) for FIPS 180-4 SHS SHA-256 • CAVP certificates #A2004 (Windows 11) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2004 (Windows 11) for FIPS 180-4 SHS SHA-256 • CAVP certificates #A2019 (Microsoft Azure operating systems) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2019 (Microsoft Azure operating systems) for FIPS 180-4 SHS SHA-256 When Memory Integrity is enabled, Secure Kernel Code Integrity (module certificate #4512) provides: • CAVP certificates #A2066 (Windows 10 and Windows Server version 20H2) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2066 (Windows 10 and Windows Server version 20H2) for FIPS 180-4 SHS SHA-256 • CAVP certificates #A2025 (Windows 10 version 21H1 and Windows Server 2022) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2025 (Windows 10 version 21H1 and Windows Server 2022) for FIPS 180-4 SHS SHA-256 • CAVP certificates #A2004 (Windows 11) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2004 (Windows 11) for FIPS 180-4 SHS SHA-256 • CAVP certificates #A2019 (Microsoft Azure operating systems) for FIPS 186-4 RSA PKCS#1 (v1.5) digital signature verification with 2048 moduli; supporting SHA-256 • CAVP certificates #A2019 (Microsoft Azure operating systems) for FIPS 180-4 SHS SHA-256 The Cryptographic Primitives Library depends on Kernel Mode Cryptographic Primitives (module certificate #4766) for an entropy source (ENT (P)) for AES-CTR DRBG Entropy Input. 2.5 Cryptographic Bypass Cryptographic bypass is not supported by Cryptographic Primitives Library. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 22 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 2.6 Hardware Components of the Cryptographic Module The physical boundary of the module is the physical boundary of the computer that contains the module. The following diagram illustrates the hardware components used by the Cryptographic Primitives Library module: 3 Cryptographic Module Ports and Interfaces 3.1 Export Functions The Cryptographic Primitives Library module implements a set of algorithm providers for the Cryptography Next Generation (CNG) framework in Windows. Each provider in this module represents a single cryptographic algorithm or a set of closely related cryptographic algorithms. These algorithm providers are invoked through the CNG algorithm primitive functions, which are sometimes collectively referred to as the BCrypt API. For a full list of these algorithm providers, see https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers The Cryptographic Primitives Library module exposes its cryptographic services to the operating system through a set of exported functions. These functions are used by the CNG framework to retrieve references to the different algorithm providers, in order to route BCrypt API calls appropriately to Cryptographic Primitives Library. These functions return references to implementations of cryptographic functions that correspond directly to functions in the BCrypt API. For details, please see the CNG SDK for Windows 10, available at https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal The following functions are exported by the Cryptographic Primitives Library: Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 23 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). • GetAsymmetricEncryptionInterface • GetCipherInterface • GetHashInterface • GetKeyDerivationInterface • GetRngInterface • GetSecretAgreementInterface • GetSignatureInterface • ProcessPrng • ProcessPrngGuid 3.2 CNG Primitive Functions The following list contains the CNG functions which can be used by callers to access the cryptographic services in the Cryptographic Primitives Library. • BCryptCloseAlgorithmProvider • BCryptCreateHash • BCryptCreateMultiHash • BCryptDecrypt • BCryptDeriveKey • BCryptDeriveKeyPBKDF2 • BCryptDestroyHash • BCryptDestroyKey • BCryptDestroySecret • BCryptDuplicateHash • BCryptDuplicateKey • BCryptEncrypt • BCryptExportKey • BCryptFinalizeKeyPair • BCryptFinishHash • BCryptFreeBuffer • BCryptGenerateKeyPair • BCryptGenerateSymmetricKey • BCryptGenRandom • BCryptGetProperty • BCryptHash • BCryptHashData • BCryptImportKey • BCryptImportKeyPair • BCryptKeyDerivation • BCryptOpenAlgorithmProvider • BCryptProcessMultiOperations • BCryptSecretAgreement • BCryptSetProperty • BCryptSignHash Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 24 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). • BCryptVerifySignature All of these functions are used in the Approved mode. Furthermore, these are the only Approved functions that this module can perform. The Cryptographic Primitives Library has additional export functions described in Non-Security Relevant Configuration Interfaces. 3.2.1 Algorithm Providers and Properties 3.2.1.1 BCryptOpenAlgorithmProvider NTSTATUS WINAPI BCryptOpenAlgorithmProvider( BCRYPT_ALG_HANDLE *phAlgorithm, LPCWSTR pszAlgId, LPCWSTR pszImplementation, ULONG dwFlags); The BCryptOpenAlgorithmProvider() function has four parameters: algorithm handle output to the opened algorithm provider, desired algorithm ID input, an optional specific provider name input, and optional flags. This function loads and initializes a CNG provider for a given algorithm, and returns a handle to the opened algorithm provider on success. See https://docs.microsoft.com/en- us/windows/win32/seccng/cng-portal for CNG providers. Unless the calling function specifies the name of the provider, the default provider is used. The default provider is the first provider listed for a given algorithm. The calling function must pass the BCRYPT_ALG_HANDLE_HMAC_FLAG flag in order to use an HMAC function with a hash algorithm. 3.2.1.2 BCryptCloseAlgorithmProvider NTSTATUS WINAPI BCryptCloseAlgorithmProvider( BCRYPT_ALG_HANDLE hAlgorithm, ULONG dwFlags); This function closes an algorithm provider handle opened by a call to BCryptOpenAlgorithmProvider() function. 3.2.1.3 BCryptSetProperty NTSTATUS WINAPI BCryptSetProperty( BCRYPT_HANDLE hObject, LPCWSTR pszProperty, PUCHAR pbInput, ULONG cbInput, ULONG dwFlags); The BCryptSetProperty() function sets the value of a named property for a CNG object, e.g., a cryptographic key. The CNG object is referenced by a handle, the property name is a NULL terminated string, and the value of the property is a length-specified byte string. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 25 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 3.2.1.4 BCryptGetProperty NTSTATUS WINAPI BCryptGetProperty( BCRYPT_HANDLE hObject, LPCWSTR pszProperty, PUCHAR pbOutput, ULONG cbOutput, ULONG *pcbResult, ULONG dwFlags); The BCryptGetProperty() function retrieves the value of a named property for a CNG object, e.g., a cryptographic key. The CNG object is referenced by a handle, the property name is a NULL terminated string, and the value of the property is a length-specified byte string. 3.2.1.5 BCryptFreeBuffer VOID WINAPI BCryptFreeBuffer( PVOID pvBuffer); Some of the CNG functions allocate memory on caller’s behalf. The BCryptFreeBuffer() function frees memory that was allocated by such a CNG function. 3.2.2 Key and Key-Pair Generation 3.2.2.1 BCryptGenerateSymmetricKey NTSTATUS WINAPI BCryptGenerateSymmetricKey( BCRYPT_ALG_HANDLE hAlgorithm, BCRYPT_KEY_HANDLE *phKey, PUCHAR pbKeyObject, ULONG cbKeyObject, PUCHAR pbSecret, ULONG cbSecret, ULONG dwFlags); The BCryptGenerateSymmetricKey() function generates a symmetric key object directly from a DRBG for use with a symmetric encryption algorithm or key derivation algorithm from a supplied cbSecret bytes long key value provided in the pbSecret memory location. The calling application must specify a handle to the algorithm provider opened with the BCryptOpenAlgorithmProvider() function. The algorithm specified when the provider was opened must support symmetric key encryption or key derivation. 3.2.2.2 BCryptGenerateKeyPair NTSTATUS WINAPI BCryptGenerateKeyPair( BCRYPT_ALG_HANDLE hAlgorithm, BCRYPT_KEY_HANDLE *phKey, ULONG dwLength, ULONG dwFlags); The BCryptGenerateKeyPair() function creates a public/private key pair object without any cryptographic keys in it. After creating such an empty key pair object using this function, call the Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 26 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). BCryptSetProperty() function to set its properties. The key pair can be used only after BCryptFinalizeKeyPair() function is called. Note: for when generating a key pair with “BCRYPT_DSA_ALGORITHM” If the key length is 1024 bits, then a process conformant with FIPS 186-2 DSA will be used to generate the key pair and perform subsequent DSA operations12 . If the key length is 2048 or 3072 bits, then a process conformant with FIPS 186-4 DSA is used to generate the key pair and perform subsequent DSA operations. 3.2.2.3 BCryptFinalizeKeyPair NTSTATUS WINAPI BCryptFinalizeKeyPair( BCRYPT_KEY_HANDLE hKey, ULONG dwFlags); The BCryptFinalizeKeyPair() function completes a public/private key pair import or generation directly from the output of a DRBG. The key pair cannot be used until this function has been called. After this function has been called, the BCryptSetProperty() function can no longer be used for this key pair. 3.2.2.4 BCryptDuplicateKey NTSTATUS WINAPI BCryptDuplicateKey( BCRYPT_KEY_HANDLE hKey, BCRYPT_KEY_HANDLE *phNewKey, PUCHAR pbKeyObject, ULONG cbKeyObject, ULONG dwFlags); The BCryptDuplicateKey() function creates a duplicate of a symmetric key object. 3.2.2.5 BCryptDestroyKey NTSTATUS WINAPI BCryptDestroyKey( BCRYPT_KEY_HANDLE hKey); The BCryptDestroyKey() function destroys a key. 3.2.3 Random Number Generation 3.2.3.1 BCryptGenRandom NTSTATUS WINAPI BCryptGenRandom( BCRYPT_ALG_HANDLE hAlgorithm, PUCHAR pbBuffer, ULONG cbBuffer, ULONG dwFlags); The BCryptGenRandom() function fills a buffer with random bytes. BCRYPTPRIMITVES.DLL implements the following random number generation algorithm: 12 1024 bits is not an approved key length for DSA. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 27 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). • BCRYPT_RNG_ALGORITHM. This is the AES-256 counter mode based random generator as defined in SP 800-90A. 3.2.4 Key Entry and Output 3.2.4.1 BCryptImportKey NTSTATUS WINAPI BCryptImportKey( BCRYPT_ALG_HANDLE hAlgorithm, BCRYPT_KEY_HANDLE hImportKey, LPCWSTR pszBlobType, BCRYPT_KEY_HANDLE *phKey, PUCHAR pbKeyObject, ULONG cbKeyObject, PUCHAR pbInput, ULONG cbInput, ULONG dwFlags); The BCryptImportKey() function imports a symmetric key from a key blob. 3.2.4.2 BCryptImportKeyPair NTSTATUS WINAPI BCryptImportKeyPair( BCRYPT_ALG_HANDLE hAlgorithm, BCRYPT_KEY_HANDLE hImportKey, LPCWSTR pszBlobType, BCRYPT_KEY_HANDLE *phKey, PUCHAR pbInput, ULONG cbInput, ULONG dwFlags); The BCryptImportKeyPair() function is used to import a public/private key pair from a key blob. 3.2.4.3 BCryptExportKey NTSTATUS WINAPI BCryptExportKey( BCRYPT_KEY_HANDLE hKey, BCRYPT_KEY_HANDLE hExportKey, LPCWSTR pszBlobType, PUCHAR pbOutput, ULONG cbOutput, ULONG *pcbResult, ULONG dwFlags); The BCryptExportKey() function exports a key to a memory blob that can be persisted for later use. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 28 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 3.2.5 Encryption and Decryption 3.2.5.1 BCryptEncrypt NTSTATUS WINAPI BCryptEncrypt( BCRYPT_KEY_HANDLE hKey, PUCHAR pbInput, ULONG cbInput, VOID *pPaddingInfo, PUCHAR pbIV, ULONG cbIV, PUCHAR pbOutput, ULONG cbOutput, ULONG *pcbResult, ULONG dwFlags); The BCryptEncrypt() function encrypts a block of data of given length. 3.2.5.2 BCryptDecrypt NTSTATUS WINAPI BCryptDecrypt( BCRYPT_KEY_HANDLE hKey, PUCHAR pbInput, ULONG cbInput, VOID *pPaddingInfo, PUCHAR pbIV, ULONG cbIV, PUCHAR pbOutput, ULONG cbOutput, ULONG *pcbResult, ULONG dwFlags); The BCryptDecrypt() function decrypts a block of data of given length. 3.2.6 Hashing and Message Authentication 3.2.6.1 BCryptCreateHash NTSTATUS WINAPI BCryptCreateHash( BCRYPT_ALG_HANDLE hAlgorithm, BCRYPT_HASH_HANDLE *phHash, PUCHAR pbHashObject, ULONG cbHashObject, PUCHAR pbSecret, ULONG cbSecret, ULONG dwFlags); The BCryptCreateHash() function creates a hash object with an optional key. The optional key is used for HMAC, AES GMAC and AES CMAC. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 29 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 3.2.6.2 BCryptHashData NTSTATUS WINAPI BCryptHashData( BCRYPT_HASH_HANDLE hHash, PUCHAR pbInput, ULONG cbInput, ULONG dwFlags); The BCryptHashData() function performs a one way hash on a data buffer. Call the BCryptFinishHash() function to finalize the hashing operation to get the hash result. 3.2.6.3 BCryptDuplicateHash NTSTATUS WINAPI BCryptDuplicateHash( BCRYPT_HASH_HANDLE hHash, BCRYPT_HASH_HANDLE *phNewHash, PUCHAR pbHashObject, ULONG cbHashObject, ULONG dwFlags); The BCryptDuplicateHash()function duplicates an existing hash object. The duplicate hash object contains all state and data that was hashed to the point of duplication. 3.2.6.4 BCryptFinishHash NTSTATUS WINAPI BCryptFinishHash( BCRYPT_HASH_HANDLE hHash, PUCHAR pbOutput, ULONG cbOutput, ULONG dwFlags); The BCryptFinishHash() function retrieves the hash value for the data accumulated from prior calls to BCryptHashData() function. 3.2.6.5 BCryptDestroyHash NTSTATUS WINAPI BCryptDestroyHash( BCRYPT_HASH_HANDLE hHash); The BCryptDestroyHash() function destroys a hash object. 3.2.6.6 BCryptHash NTSTATUS WINAPI BCryptHash( BCRYPT_ALG_HANDLE hAlgorithm, PUCHAR pbSecret, ULONG cbSecret, PUCHAR pbInput, ULONG cbInput, PUCHAR pbOutput, ULONG cbOutput); Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 30 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). The function BCryptHash() performs a single hash computation. This is a convenience function that wraps calls to the BCryptCreateHash(), BCryptHashData(), BCryptFinishHash(), and BCryptDestroyHash() functions. 3.2.6.7 BCryptCreateMultiHash NTSTATUS WINAPI BCryptCreateMultiHash( BCRYPT_ALG_HANDLE hAlgorithm, BCRYPT_HASH_HANDLE *phHash, ULONG nHashes, PUCHAR pbHashObject, ULONG cbHashObject, PUCHAR pbSecret, ULONG cbSecret, ULONG dwFlags); BCryptCreateMultiHash() is a function that creates a new MultiHash object that is used in parallel hashing to improve performance. The MultiHash object is equivalent to an array of normal (reusable) hash objects. 3.2.6.8 BCryptProcessMultiOperations NTSTATUS WINAPI BCryptProcessMultiOperations( BCRYPT_HANDLE hObject, BCRYPT_MULTI_OPERATION_TYPE operationType, PVOID pOperations, ULONG cbOperations, ULONG dwFlags ); The BCryptProcessMultiOperations() function is used to perform multiple operations on a single multi- object handle such as a MultiHash object handle. If any of the operations fail, then the function will return an error. 3.2.7 Signing and Verification 3.2.7.1 BCryptSignHash NTSTATUS WINAPI BCryptSignHash( BCRYPT_KEY_HANDLE hKey, VOID *pPaddingInfo, PUCHAR pbInput, ULONG cbInput, PUCHAR pbOutput, ULONG cbOutput, ULONG *pcbResult, ULONG dwFlags); The BCryptSignHash() function creates a signature of a hash value. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 31 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Note: this function accepts SHA-1 hashes, which according to NIST SP 800-131A is disallowed for digital signature generation. SHA-1 is currently legacy-use for digital signature verification. 3.2.7.2 BCryptVerifySignature NTSTATUS WINAPI BCryptVerifySignature( BCRYPT_KEY_HANDLE hKey, VOID *pPaddingInfo, PUCHAR pbHash, ULONG cbHash, PUCHAR pbSignature, ULONG cbSignature, ULONG dwFlags); The BCryptVerifySignature() function verifies that the specified signature matches the specified hash. Note: this function accepts SHA-1 hashes, which according to NIST SP 800-131A is disallowed for digital signature generation. SHA-1 is currently legacy-use for digital signature verification. 3.2.8 Secret Agreement and Key Derivation 3.2.8.1 BCryptSecretAgreement NTSTATUS WINAPI BCryptSecretAgreement( BCRYPT_KEY_HANDLE hPrivKey, BCRYPT_KEY_HANDLE hPubKey, BCRYPT_SECRET_HANDLE *phAgreedSecret, ULONG dwFlags); The BCryptSecretAgreement() function creates a secret agreement value from a private and a public key. This function is used with KAS-FFC and KAS-ECC algorithms. 3.2.8.2 BCryptDeriveKey NTSTATUS WINAPI BCryptDeriveKey( BCRYPT_SECRET_HANDLE hSharedSecret, LPCWSTR pwszKDF, BCryptBufferDesc *pParameterList, PUCHAR pbDerivedKey, ULONG cbDerivedKey, ULONG *pcbResult, ULONG dwFlags); The BCryptDeriveKey() function derives a key from a secret agreement value. 3.2.8.3 BCryptDestroySecret NTSTATUS WINAPI BCryptDestroySecret( BCRYPT_SECRET_HANDLE hSecret); Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 32 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). The BCryptDestroySecret() function destroys a secret agreement handle that was created by using the BCryptSecretAgreement() function. 3.2.8.4 BCryptKeyDerivation NTSTATUS WINAPI BCryptKeyDerivation( _In_ BCRYPT_KEY_HANDLE hKey, _In_opt_ BCryptBufferDesc *pParameterList, _Out_writes_bytes_to_(cbDerivedKey, *pcbResult) PUCHAR pbDerivedKey, _In_ ULONG cbDerivedKey, _Out_ ULONG *pcbResult, _In_ ULONG dwFlags); The BCryptKeyDerivation() function executes a Key Derivation Function (KDF) on a key generated with BCryptGenerateSymmetricKey() function. It differs from the BCryptDeriveKey() function in that it does not require a secret agreement step to create a shared secret. 3.2.8.5 BCryptDeriveKeyPBKDF2 NTSTATUS WINAPI BCryptDeriveKeyPBKDF2( BCRYPT_ALG_HANDLE hPrf, PUCHAR pbPassword, ULONG cbPassword, PUCHAR pbSalt, ULONG cbSalt, ULONGLONG cIterations, PUCHAR pbDerivedKey, ULONG cbDerivedKey, ULONG dwFlags); The BCryptDeriveKeyPBKDF2() function derives a key from a hash value by using the password based key derivation function as defined by NIST SP 800-132 PBKDF and IETF RFC 2898 (specified as PBKDF2). 3.2.9 Cryptographic Transitions 3.2.9.1 KAS-FFC and KAS-ECC Through the year 2010, implementations of KAS-FFC and KAS-ECC were allowed to have an acceptable bit strength of at least 80 bits of security (for KAS-FFC at least 1024 bits and for KAS-ECC at least 160 bits). From 2011 through 2013, 80 bits of security strength was considered deprecated, and was disallowed starting January 1, 2014. As of that date, only security strength of at least 112 bits is acceptable. KAS-ECC uses curve sizes of at least 256 bits (that means it has at least 128 bits of security strength), so that is acceptable. However, KAS-FFC has a range of 1024 to 4096 and that changed to 2048 to 4096 after 2013. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 33 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 3.2.9.2 SHA-1 From 2011 through 2013, SHA-1 could be used in a deprecated mode for use in digital signature generation. As of Jan. 1, 2014, SHA-1 is no longer allowed for digital signature generation, and it is allowed for legacy use only for digital signature verification. 3.3 Control Input Interface The Control Input Interface are the functions in Algorithm Providers and Properties. Options for control operations are passed as input parameters to these functions. 3.4 Status Output Interface The Status Output Interface for the Cryptographic Primitives Library consists of the CNG primitive functions listed in CNG Primitive Functions. For each function, the status information is returned to the caller as the return value from the function. 3.5 Data Output Interface The Data Output Interface for the Cryptographic Primitives Library consists of the Cryptographic Primitives Library export functions except for the Control Input Interfaces. Data is returned to the function’s caller via output parameters. 3.6 Data Input Interface The Data Input Interface for the Cryptographic Primitives Library consists of the Cryptographic Primitives Library export functions except for the Control Input Interfaces. Data and options are passed to the interface as input parameters to the export functions. Data Input is kept separate from Control Input by passing Data Input in separate parameters from Control Input. 3.7 Non-Security Relevant Configuration Interfaces These non-cryptographic functions are used to configure cryptographic providers on the system. Note that these functions are interfaces exported by the module, but are implemented in CNG.SYS. See the the Cryptographic Primitives Library Security Policy Document for details on the services provided by these functions. Function Name Description BCryptEnumAlgorithms Enumerates the algorithms for a given set of operations. BCryptEnumProviders Returns a list of CNG providers for a given algorithm. BCryptRegisterConfigChangeNotify This is deprecated beginning with Windows 10. BCryptResolveProviders Resolves queries against the set of providers currently registered on the local system and the configuration information specified in the machine and domain configuration tables, returning an ordered list of references to one or more providers matching the specified criteria. BCryptAddContextFunctionProvider Adds a cryptographic function provider to the list of providers that are supported by an existing CNG context. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 34 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). BCryptRegisterProvider Registers a CNG provider. BCryptUnregisterProvider Unregisters a CNG provider. BCryptUnregisterConfigChangeNotify Removes a CNG configuration change event handler. BCryptGetFipsAlgorithmMode Determines whether the Cryptographic Primitives Library is operating in FIPS mode. Some applications use the value returned by this API to alter their own behavior, such as blocking the use of some SSL versions. BCryptQueryProviderRegistration Retrieves information about a CNG provider. BCryptEnumRegisteredProviders Retrieves information about the registered providers. BCryptCreateContext Creates a new CNG configuration context. BCryptDeleteContext Deletes an existing CNG configuration context. BCryptEnumContexts Obtains the identifiers of the contexts in the specified configuration table. BCryptConfigureContext Sets the configuration information for an existing CNG context. BCryptQueryContextConfiguration Retrieves the current configuration for the specified CNG context. BCryptAddContextFunction Adds a cryptographic function to the list of functions that are supported by an existing CNG context. BCryptRemoveContextFunction Removes a cryptographic function from the list of functions that are supported by an existing CNG context. BCryptEnumContextFunctions Obtains the cryptographic functions for a context in the specified configuration table. BCryptConfigureContextFunction Sets the configuration information for the cryptographic function of an existing CNG context. BCryptQueryContextFunctionConfiguration Obtains the cryptographic function configuration information for an existing CNG context. BCryptEnumContextFunctionProviders Obtains the providers for the cryptographic functions for a context in the specified configuration table. BCryptSetContextFunctionProperty Sets the value of a named property or a cryptographic function in an existing CNG context. BCryptQueryContextFunctionProperty Obtains the value of a named property for a cryptographic function in an existing CNG context. BCryptSetAuditingInterface Sets the auditing interface. 4 Roles, Services and Authentication 4.1 Roles When an application requests the cryptographic module to generate keys for a user, the keys are generated, used, and deleted as requested by applications. There are no implicit keys associated with a user. Each user may have numerous keys, and each user’s keys are separate from other users’ keys. FIPS 140 validations define formal “User” and “Cryptographic Officer” roles. Both roles can use any of this module’s services. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 35 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 4.2 Services The Cryptographic Primitives Library services are described below. 1. Algorithm Providers and Properties – This module provides interfaces to register algorithm providers 2. Random Number Generation 3. Key and Key-Pair Generation 4. Key Entry and Output 5. Encryption and Decryption 6. Hashing and Message Authentication 7. Signing and Verification 8. Secret Agreement and Key Derivation 9. Show Status – The module provides a show status service that is automatically executed by the module to provide the status response of the module either via output to the computer monitor or to log files. 10. Self-Tests - The module provides a power-up self-tests service that is automatically executed when the module is loaded into memory. 11. Zeroizing Cryptographic Material - This service is executed as part of the module shutdown. See Cryptographic Key Management 4.2.1 Mapping of Services, Algorithms, and Critical Security Parameters The following table maps the services to their corresponding algorithms and critical security parameters (CSPs). Service Algorithms CSPs Algorithm Providers and Properties None None Random Number Generation AES-256 CTR DRBG ENT (P) AES-CTR DRBG Seed AES-CTR DRBG Entropy Input AES-CTR DRBG V AES-CTR DRBG Key Key and Key-Pair Generation RSA, KAS-FCC, KAS-ECC, DSA, ECDSA, RC2, RC4, DES, Triple-DES, AES, and HMAC (RC2, RC4, and DES cannot be used in FIPS mode.) Symmetric encryption/decryption keys HMAC keys Asymmetric DSA Public Keys Asymmetric DSA Private Keys Asymmetric ECDSA Public Keys Asymmetric ECDSA Private Keys Asymmetric RSA Public Keys Asymmetric RSA Private Keys DH Private and Public values ECDH Private and Public values Key Entry and Output SP 800-38F AES Key Wrapping (128, 192, and 256) Symmetric encryption/decryption Keys Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 36 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). HMAC keys Asymmetric DSA Public Keys Asymmetric DSA Private Keys Asymmetric ECDSA Public Keys Asymmetric ECDSA Private Keys Asymmetric RSA Public Keys Asymmetric RSA Private Keys DH Private and Public values ECDH Private and Public values Encryption and Decryption • Triple-DES with 2 key (encryption disallowed) and 3 key in ECB, CBC, CFB8 and CFB64 modes; • AES-128, AES-192, and AES- 256 in ECB, CBC, CFB8, CFB128, and CTR modes; • AES-128, AES-192, and AES- 256 in CCM, CMAC, GCM,13 and GMAC modes; • XTS-AES XTS-128 and XTS- 256; • SP 800-56B RSADP mod 2048 (IEEE 1619-2007 XTS-AES, AES GCM encryption14 , RC2, RC4, RSA, and DES, which cannot be used in FIPS mode) Symmetric encryption/decryption Keys Asymmetric RSA Public Keys Hashing and Message Authentication • FIPS 180-4 SHS SHA-1, SHA- 256, SHA-384, and SHA-512; • FIPS 180-4 SHA-1, SHA-256, SHA-384, SHA-512 HMAC; • AES-128, AES-192, and AES- 256 in CCM, CMAC, and GMAC; • MD5 and HMAC-MD5 (allowed in TLS and EAP-TLS); • MD2 and MD4 (disallowed in FIPS mode) Symmetric encryption/decryption keys (for AES CCM, AES CMAC, and AES GMAC) HMAC keys Signing and Verification • FIPS 186-4 RSA (RSASSA- PKCS1-v1_5 and RSASSA-PSS) Asymmetric RSA Public Keys Asymmetric RSA Private Keys 13 If the initialization vector was not generated according to IG A.5 Scenario 4, refer to section 7.3 for additional information about generating IVs. 14 Idem. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 37 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). digital signature generation and verification with 2048 and 3072 modulus; supporting SHA-115 , SHA-256, SHA-384, and SHA-512 • FIPS 186-4 ECDSA with the following NIST curves: P-256, P-384, P-521 • FIPS 186-4 DSA signature generation and verification with 2048/256 and 3072/256 primes supporting SHA-256. Asymmetric ECDSA Public Keys Asymmetric ECDSA Private keys Asymmetric DSA Public Keys Asymmetric DSA Private Keys Secret Agreement and Key Derivation • KAS-FFC – SP 800-56Arev3 Diffie-Hellman Key Agreement, Finite Field Cryptography (FFC); 2048- 4096-bit key size • KAS-ECC – SP 800-56Arev3 EC Diffie-Hellman Key Agreement with the following NIST curves: P-256, P-384, P-521 and the FIPS non-Approved curves listed in Non-Approved Algorithms • SP 800-56A rev3 KAS-FFC-SSC key agreement (dhEphem, dhOneFlow, and dhStatic; KAS Roles: initiator, responder), with domain parameters FB, FC, and safe primes (ffdhe2048, MODP- 2048) • SP 800-56A rev3 KAS-ECC-SSC key agreement (ephemeralUnified; KAS roles: initiator, responder), with domain parameters P- 256 (hash functions SHA2- 256, SHA2-384, SHA2-512), P- 384 (hash functions SHA2- 384, SHA2-512), and P-521 (hash function SHA2-512) • SP 800-108 Key Derivation Function (KDF) CMAC-AES (128, 192, 256), HMAC DH Private and Public Values, ECDH Private and Public Values, Z, Key Derivation Key, and TLS Pre-Master Secret 15 SHA-1 is only acceptable for signature verification. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 38 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). (SHA1, SHA-256, SHA-384, SHA-512) • SP 800-132 PBKDF • Legacy CAPI KDF (cannot be used in FIPS mode) • HKDF (cannot be used in FIPS mode) Show Status None None Self-Tests See Section Self-Tests for the list of algorithms None Zeroizing Cryptographic Material None None 4.2.2 Mapping of Services, Export Functions, and Invocations The following table maps the services to their corresponding export functions and invocations. Service Export Functions Invocations Algorithm Providers and Properties BCryptOpenAlgorithmProvider BCryptCloseAlgorithmProvider BCryptSetProperty BCryptGetProperty BCryptFreeBuffer This service is executed whenever one of these exported functions is called. Random Number Generation BcryptGenRandom This service is executed whenever one of these exported functions is called. Key and Key-Pair Generation BCryptGenerateSymmetricKey BCryptGenerateKeyPair BCryptFinalizeKeyPair BCryptDuplicateKey BCryptDestroyKey This service is executed whenever one of these exported functions is called. Key Entry and Output BCryptImportKey BCryptImportKeyPair BCryptExportKey This service is executed whenever one of these exported functions is called. Encryption and Decryption BCryptEncrypt BCryptDecrypt This service is executed whenever one of these exported functions is called. Hashing and Message Authentication BCryptCreateHash BCryptHashData BCryptDuplicateHash BCryptFinishHash BCryptDestroyHash BCryptHash BCryptCreateMultiHash BCryptProcessMultiOperations This service is executed whenever one of these exported functions is called. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 39 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Signing and Verification BCryptSignHash BCryptVerifySignature This service is executed whenever one of these exported functions is called. Secret Agreement and Key Derivation BCryptSecretAgreement BCryptDeriveKey BCryptDestroySecret BCryptKeyDerivation BCryptDeriveKeyPBKDF2 This service is executed whenever one of these exported functions is called. Show Status All Exported Functions This service is executed upon completion of an exported function. Self-Tests DllMain This service is executed upon startup of this module. Zeroizing Cryptographic Material BCryptDestroyKey BCryptDestroySecret This service is executed whenever one of these exported functions is called. 4.2.3 Non-Approved Services The following table lists other non-approved APIs exported from the crypto module. Function Name Description BCryptDeriveKeyCapi Derives a key from a hash value. This function is provided as a helper function to assist in migrating from legacy Cryptography API (CAPI) to CNG. BCRYPT_KDF_HKDF Derives a key from a hash value. This function is provided to support potential enhancements to Windows. 4.3 Authentication The Cryptographic Primitives Library does not provide authentication of users. Roles are implicitly assumed based on the services that are executed. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 40 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 5 Finite State Model 5.1 Specification The following diagram shows the finite state model for the Cryptographic Primitives Library: 6 Operational Environment The operational environment for the Cryptographic Primitives Library is the Windows 10 operating system running on a supported hardware platform. 6.1 Single Operator The for the Cryptographic Primitives Library is loaded into process memory for a single application. The “single operator” for the module is the identity associated with the parent process. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 41 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 6.2 Cryptographic Isolation Windows dynamic link libraries, which includes BCRYPTPRIMITIVES.DLL, are loaded into a user-mode process to expose the services offered by that DLL. The operating system environment enforces process isolation including memory (where keys and intermediate key data are stored) and CPU scheduling. 6.3 Integrity Chain of Trust Windows uses several mechanisms to provide integrity verification depending on the stage in the boot sequence and also on the hardware and configuration. The following diagram describes the Integrity Chain of trust for each supported configuration for the following versions: • Windows 11 build 10.0.22000 • Windows Server 2022 build 10.0.20348 • Windows 10 version 20H2 build 10.0.19042 • Windows Server version 20H2 build 10.0.19042 • Windows 10 version 21H1 build 10.0.19043 • Windows Server Azure Edition build 10.0.20348 • Azure Host 2021 build 10.0.20348 • Azure Stack HCI version 21H2 build 10.0.20348 • Azure Virtual Desktop version 21H1 build 10.0.19043 Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 42 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 43 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). The integrity of the Cryptographic Primitives Library is checked by Code Integrity or Secure Kernel Code Integrity before it is loaded into process memory. Windows binaries include a SHA-256 hash of the binary signed with the 2048 bit Microsoft RSA code- signing key (i.e., the key associated with the Microsoft code-signing certificate). The integrity check uses the public key component of the Microsoft code signing certificate to verify the signed hash of the binary. 7 Cryptographic Key Management The Cryptographic Primitives Library module uses the following critical security parameters (CSPs) for FIPS Approved security functions: Security Relevant Data Item Description Symmetric encryption/decryption keys Keys used for AES or Triple-DES encryption/decryption. Key sizes for AES are 128, 192, and 256 bits, and key sizes for Triple-DES are 192 and 128 bits. HMAC keys Keys used for HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 Asymmetric DSA Public Keys Keys used for the verification of DSA digital signatures. Key sizes are 2048 and 3072 bits. Asymmetric DSA Private Keys Keys used for the calculation of DSA digital signatures. Key sizes are 2048 and 3072 bits. Asymmetric ECDSA Public Keys Keys used for the verification of ECDSA digital signatures. Curve sizes are P-256, P-384, and P-521. Asymmetric ECDSA Private Keys Keys used for the calculation of ECDSA digital signatures. Curve sizes are P-256, P-384, and P-521. Asymmetric RSA Public Keys Keys used for the verification of RSA digital signatures. Key sizes are 2048 and 3072 bits. These keys can be produced using RSA Key Generation. Asymmetric RSA Private Keys Keys used for the calculation of RSA digital signatures. Key sizes are 2048 and 3072 bits. These keys can be produced using RSA Key Generation. AES-CTR DRBG Entropy Input A secret value that is at least 256 bits and maintained internal to the module that provides the entropy material for AES-CTR DRBG output16 AES-CTR DRBG Seed A 384 bit secret value maintained internal to the module that provides the seed material for AES-CTR DRBG output17 AES-CTR DRBG V A 128 bit secret value maintained internal to the module that provides the entropy material for AES-CTR DRBG output18 16 Microsoft Common Criteria Windows Security Target, Page 29. 17 Recommendation for Random Number Generation Using Deterministic Random Bit Generators, NIST SP 800-90A Revision 1, page 49. 18 Ibid. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 44 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). AES-CTR DRBG key A 256 bit secret value maintained internal to the module that provides the entropy material for AES-CTR DRBG output19 DH Private and Public values Private and public values used for KAS-FFC key establishment. Key sizes are 2048 to 4096 bits. ECDH Private and Public values Private and public values used for KAS-ECC key establishment. Curve sizes are P-256, P-384, and P-521 and the ones listed in section 0. Z Shared secret input for KDFs and shared secret calculation output for SP 800-56Ar3 key agreement. Key size for KAS-FFC is 2048-4096 bits (input key size 2048, 3072, or 4096 bits); curves for KAS-ECC include P-256, P-384, and P-521 (input key size 256, 384, or 521 bits). Key Derivation Key Internal key for two-step KDFs. 256 or 384 bits. TLS Pre-Master Secret Shared secret input to the TLS KDF. Input size is dependent on the key exchange method of the chosen TLS cipher suite: for TLS_ECDHE_*, see the ECDH curve sizes listed above; for TLS_DHE_*, see the DH key sizes listed above; for TLS_RSA_*, the pre-master secret size is 384 bits. 7.1 Access Control Policy The Cryptographic Primitives Library module allows controlled access to security relevant data items contained within it. The following table defines the access that a service has to each. The permissions are categorized as a set of four separate permissions: read (r), write (w), execute (x), delete (d). If no permission is listed, the service has no access to the item. Cryptographic Primitives Library crypto module Service Access Policy Symmetric encryption and decryption keys HMAC keys Asymmetric DSA Public Keys Asymmetric DSA Private Keys Asymmetric ECDSA Public keys Asymmetric ECDSA Private keys Asymmetric RSA Public Keys Asymmetric RSA Private Keys AES-CTR DRBG Seed, AES-CTR DRBG Entropy Input, AES-CTR DRBG V, & AES-CTR DRBG key DH Public and Private values ECDH Public and Private values Z Key Derivation Key TLS Pre-Master Secret Algorithm Providers and Properties Random Number Generation x Key and Key-Pair Generation wd wd wd wd wd wd wd wd x wd wd 19 Ibid. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 45 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Key Entry and Output rw rw rw rw rw rw rw rw rw rw Encryption and Decryption x Hashing and Message Authentication xw Signing and Verification x x x x x x x Secret Agreement and Key Derivation x x x rw rw r Show Status Self-Tests Zeroizing Cryptographic Material wd wd wd wd wd wd wd wd wd wd wd wd wd wd 7.2 Key Material Each time an application links with Cryptographic Primitives Library, the DLL is instantiated and no keys exist within it. The user application is responsible for importing keys into the Cryptographic Primitives Library or using Cryptographic Primitives Library’s functions to generate keys. 7.3 Key Generation The Cryptographic Primitives Library can create and use keys for the following algorithms: RSA, DSA, KAS-FFC, KAS-ECC, ECDSA, RC2, RC4, DES, Triple-DES, AES, and HMAC. However, RC2, RC4, and DES cannot be used in FIPS mode. Random keys can be generated by calling the BCryptGenerateSymmetricKey() and BCryptGenerateKeyPair() functions. Random data generated by the BCryptGenRandom() function is provided to BCryptGenerateSymmetricKey() function to generate symmetric keys. DES, Triple-DES, and AES keys. When the operator chooses to have this cryptographic module generate initialization vectors for AES GCM mode in accordance with FIPS 140-2 Implementation Guidance A.5 scenario 4, then the call BCryptGenerateSymmetricKey() must set dwFlags to 0x00000020, and then BCryptEncrypt with the same value for dwFlags. Aymmetric key-pairs are generated following the techniques given in SP 800-56Arev3 (Section 5.8). RSA, DSA, and ECDSA keys and key-pairs are generated following the techniques given in FIPS 186-4. KAS-FFC and KAS-ECC keys and key-pairs are generated following the techniques given in SP 800-56Arev3. Keys generated while not operating in the FIPS mode of operation (as described in section 2) cannot be used in FIPS mode, and vice versa. 7.4 Key Establishment The Cryptographic Primitives Library can use FIPS approved KAS-FFC and KAS-ECC key agreement, RSA key transport and manual methods to establish keys. Alternatively, the module can also use Approved KDFs to derive key material from a specified secret value or password. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 46 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). The Cryptographic Primitives Library can use the following FIPS approved key derivation functions (KDF) from the common secret that is established during the execution of KAS-FFC and KAS-ECC key agreement algorithms: • BCRYPT_KDF_SP80056A_CONCAT. This KDF supports the Concatenation KDF as specified in SP 800-56Arev3 (Section 5.8). • BCRYPT_KDF_HMAC. This KDF supports the IPsec IKEv1 key derivation that is non-Approved but is an allowed legacy implementation in FIPS mode when used to establish keys for IKEv1 as per scenario 4 of IG D.8. • BCRYPT_KDF_TLS_PRF. This KDF supports the SSLv3.1 and TLSv1.0 key derivation that is non- Approved but is an allowed legacy implementation in FIPS mode when used to establish keys for SSLv3.1 or TLSv1.0 as specified in as per scenario 4 of IG D.8. The Cryptographic Primitives Library can use the following FIPS approved key derivation functions (KDF) from a key handle created from a specified secret or password: • BCRYPT_SP800108_CTR_HMAC_ALGORITHM. This KDF supports the counter-mode variant of the KDF specified in SP 800-108r1 (Section 4.1) with HMAC as the underlying PRF. • BCRYPT_SP80056A_CONCAT_ALGORITHM. This KDF supports the Concatenation KDF as specified in SP 800-56Arev3 (Section 5.8). • BCRYPT_PBKDF2_ALGORITHM. This KDF supports the Password Based Key Derivation Function specified in SP 800-132 (Section 5.3). In addition, the industry standard KDF, HKDF (CNG flag BCRYPT_KDF_HKDF), and the legacy proprietary CryptDerive Key KDF, (BCRYPT_CAPI_KDF_ALGORITHM, described at https://docs.microsoft.com/en- us/windows/win32/api/wincrypt/nf-wincrypt-cryptderivekey). cannot be used in a FIPS Approved mode. 7.4.1 NIST SP 800-132 Password Based Key Derivation Function (PBKDF) There are two options presented in NIST SP 800-132, pages 8 – 10, that are used to derive the Data Protection Key (DPK) from the Master Key. With the Cryptographic Primitives Library, it is up to the caller to select the option to generate/protect the DPK. For example, DPAPI uses option 2a. The Cryptographic Primitives Library provides all the building blocks for the caller to select the desired option. The Cryptographic Primitives Library supports the following HMAC hash functions as parameters for PBKDF: • SHA-1 HMAC • SHA-256 HMAC • SHA-384 HMAC • SHA-512 HMAC Keys derived from passwords, as described in SP 800-132, may only be used for storage applications. In order to run in a FIPS-Approved manner, strong passwords must be used and they may only be used for Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 47 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). storage applications. The password/passphrase length is enforced by the caller of the PBKDF interfaces when the password/passphrase is created and not by this cryptographic module.20 7.4.2 NIST SP 800-38F AES Key Wrapping As outlined in FIPS 140-2 IG, D.2 and D.9, AES key wrapping serves as a form of key transport, which in turn is a form of key establishment. This implementation of AES key wrapping is in accordance with NIST SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping. 7.5 Key Entry and Output Keys can be both exported and imported out of and into the Cryptographic Primitives Library via BCryptExportKey(), BCryptImportKey(), and BCryptImportKeyPair() functions. Symmetric key entry and output can also be done by exchanging keys using the recipient’s asymmetric public key via BCryptSecretAgreement() and BCryptDeriveKey() functions. Exporting the RSA private key by supplying a blob type of BCRYPT_PRIVATE_KEY_BLOB, BCRYPT_RSAFULLPRIVATE_BLOB, or BCRYPT_RSAPRIVATE_BLOB to BCryptExportKey() is not allowed in FIPS mode. 7.6 Key Storage The Cryptographic Primitives Library does not provide persistent storage of keys. 7.7 Key Archival The Cryptographic Primitives Library does not directly archive cryptographic keys. The Authenticated User may choose to export a cryptographic key (cf. “Key Entry and Output” above), but management of the secure archival of that key is the responsibility of the user. 7.8 Key Zeroization All keys are destroyed and their memory location zeroized when the operator calls BCryptDestroyKey() or BCryptDestroySecret() on that key handle. 8 Self-Tests 8.1 Power-On Self-Tests The Cryptographic Primitives Library module implements Known Answer Test (KAT) functions each time the module is loaded into a process and the default DLL entry point, DllMain is called. The Cryptographic Primitives Library performs the following power-on (startup) self-tests: • HMAC (SHA-1, SHA-256, and SHA-512) Known Answer Tests • Triple-DES encrypt/decrypt ECB Known Answer Tests 20 The probability of guessing a password is determined by its length and complexity, an organization should define a policy for these based based their threat model, suh as the example guidance in NIST SP800-63b, Appendix A. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 48 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). • AES-128 encrypt/decrypt ECB Known Answer Tests • AES-128 encrypt/decrypt CCM Known Answer Tests • AES-128 encrypt/decrypt CBC Known Answer Tests • AES-128 CMAC Known Answer Test • AES-128 encrypt/decrypt GCM Known Answer Tests • XTS-AES encrypt/decrypt Known Answer Tests • RSA sign/verify Known Answer Tests using RSA_SHA256_PKCS1 signature generation and verification • DSA sign/verify tests with 2048-bit key • ECDSA sign/verify Known Answer Tests on P256 curve • KAS-FFC secret agreement Known Answer Test with 2048-bit key • KAS-ECC secret agreement Known Answer Test on P256 curve • SP 800-56A concatenation KDF Known Answer Tests (same as Diffie-Hellman KAT) • SP 800-90A AES-256 based counter mode random generator Known Answer Tests (instantiate, generate and reseed) • SP800-90B startup health tests (APT/RCT) • SP 800-108 KDF Known Answer Test • SP 800-132 PBKDF Known Answer Test • SHA-256 Known Answer Test • SHA-512 Known Answer Test • SP800-135 TLS 1.0/1.1 KDF Known Answer Test • SP800-135 TLS 1.2 KDF Known Answer Test • IKE SP800_135 KDF Known Answer Test If any self-test fails, the Cryptographic Primitives Library DllMain returns an error code. The caller may attempt to reload the Cryptographic Primitives Library. 8.2 Conditional Self-Tests The Cryptographic Primitives Library performs the following conditional self-tests on key generation and import: • Pairwise consistency tests for DSA, ECDSA, and RSA keys • KAS-FFC and KAS-ECC key usage assurances (including pairwise consistency tests) according to NIST SP 800-56Arev3 sections 5.5.2, 5.6.2, and 5.6.3 A Continuous Random Number Generator Test (CRNGT) and the DRBG health tests are performed for SP 800-90A AES-256 CTR DRBG. The Entropy Source conducts Adaptive Proportion (APT) and Repetition Count (RCT) tests according to SP 800-90B. When BCRYPT_ENABLE_INCOMPATIBLE_FIPS_CHECKS flag (required by policy) is used with BCryptGenerateSymmetricKey, then the XTS-AES Key_1 ≠ Key_2 check is performed in compliance with FIPS 140-2 IG A.9. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 49 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). If the conditional self-test fails, the module will not load and a status code other than STATUS_SUCCESS will be returned. 9 Design Assurance The secure installation, generation, and startup procedures of this cryptographic module are part of the overall operating system secure installation, configuration, and startup procedures for the Windows 10 operating system. The Windows 10 operating system must be pre-installed on a computer by an OEM, installed by the end-user, by an organization’s IT administrator, or updated from a previous Windows 10 version downloaded from Windows Update. An inspection of authenticity of the physical medium can be made by following the guidance at this Microsoft web site: https://www.microsoft.com/en-us/howtotell/default.aspx The installed version of Windows 10 must be verified to match the version that was validated. See Appendix A – How to Verify Windows Versions and Digital Signatures for details on how to do this. For Windows Updates, the client only accepts binaries signed by Microsoft certificates. The Windows Update client only accepts content whose SHA-2 hash matches the SHA-2 hash specified in the metadata. All metadata communication is done over a Secure Sockets Layer (SSL) port. Using SSL ensures that the client is communicating with the real server and so prevents a spoof server from sending the client harmful requests. The version and digital signature of new cryptographic module releases must be verified to match the version that was validated. See Appendix A – How to Verify Windows Versions and Digital Signatures for details on how to do this. 10 Mitigation of Other Attacks The following table lists the mitigations of other attacks for this cryptographic module: Algorithm Protected Against Mitigation SHA1 Timing Analysis Attack Constant time implementation Cache Attack Memory access pattern is independent of any confidential data SHA2 Timing Analysis Attack Constant time implementation Cache Attack Memory access pattern is independent of any confidential data Triple-DES Timing Analysis Attack Constant time implementation AES Timing Analysis Attack Constant time implementation Cache Attack Memory access pattern is independent of any confidential data Protected against cache attacks only when used with AES NI Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 50 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 11 Security Levels The security level for each FIPS 140-2 security requirement is given in the following table. Security Requirement Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security NA Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 2 Mitigation of Other Attacks 1 12 Additional Details For the latest information on Microsoft Windows, check out the Microsoft web site at: https://www.microsoft.com/en-us/windows For more information about FIPS 140 validations of Microsoft products, please see: https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 51 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 13 Appendix A – How to Verify Windows Versions and Digital Signatures 13.1 How to Verify Windows Versions The installed version of Windows 10 must be verified to match the version that was validated using the following method: 1. In the Search box type "cmd" and open the Command Prompt desktop app. 2. The command window will open. 3. At the prompt, enter "ver”. 4. The version information will be displayed in a format like this: Microsoft Windows [Version 10.0.xxxxx] If the version number reported by the utility matches the expected output, then the installed version has been validated to be correct. 13.2 How to Verify Windows Digital Signatures After performing a Windows Update that includes changes to a cryptographic module, the digital signature and file version of the binary executable file must be verified. This is done like so: 1. Open a new window in Windows Explorer. 2. Type “C:\Windows\” in the file path field at the top of the window. 3. Type the cryptographic module binary executable file name (for example, “CNG.SYS”) in the search field at the top right of the window, then press the Enter key. 4. The file will appear in the window. 5. Right click on the file’s icon. 6. Select Properties from the menu and the Properties window opens. 7. Select the Details tab. 8. Note the File version Property and its value, which has a number in this format: xx.x.xxxxx.xxxx. 9. If the file version number matches one of the version numbers that appear at the start of this security policy document, then the version number has been verified. 10. Select the Digital Signatures tab. 11. In the Signature list, select the Microsoft Windows signer. 12. Click the Details button. 13. Under the Digital Signature Information, you should see: “This digital signature is OK.” If that condition is true, then the digital signature has been verified. Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 52 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). 14 Appendix B – References This table lists the specifications for each elliptic curve in section Non-Approved Algorithms Curve Specification brainpoolP160r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP192r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP192t1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP224r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP224t1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP256r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP256t1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP320r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP320t1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP384r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP384t1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP512r1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf brainpoolP512t1 http://www.ecc-brainpool.org/download/Domain-parameters.pdf ec192wapi http://www.gbstandards.org/GB_standards/GB_standard.asp?id=900 (The GB standard is available here for purchase) nistP192 http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf nistP224 http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf numsP256t1 https://www.microsoft.com/en-us/research/wp- content/uploads/2016/02/curvegen.pdf numsP384t1 https://www.microsoft.com/en-us/research/wp- content/uploads/2016/02/curvegen.pdf numsP512t1 https://www.microsoft.com/en-us/research/wp- content/uploads/2016/02/curvegen.pdf secP160k1 http://www.secg.org/sec2-v2.pdf secP160r1 http://www.secg.org/sec2-v2.pdf secP160r2 http://www.secg.org/sec2-v2.pdf secP192k1 http://www.secg.org/sec2-v2.pdf secP192r1 http://www.secg.org/sec2-v2.pdf secP224k1 http://www.secg.org/sec2-v2.pdf secP224r1 http://www.secg.org/sec2-v2.pdf secP256k1 http://www.secg.org/sec2-v2.pdf secP256r1 http://www.secg.org/sec2-v2.pdf secP384r1 http://www.secg.org/sec2-v2.pdf secP521r1 http://www.secg.org/sec2-v2.pdf wtls12 http://www.openmobilealliance.org/tech/affiliates/wap/wap-261- wtls-20010406-a.pdf wtls7 http://www.openmobilealliance.org/tech/affiliates/wap/wap-261- wtls-20010406-a.pdf wtls9 http://www.openmobilealliance.org/tech/affiliates/wap/wap-261- wtls-20010406-a.pdf Cryptographic Primitives Library Security Policy Document © 2024 Microsoft Corporation. All Rights Reserved Page 53 of 53 This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision). Curve Specification x962P192v1 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase) x962P192v2 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase) x962P192v3 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase) x962P239v1 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase) x962P239v2 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase) x962P239v3 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase) x962P256v1 https://global.ihs.com/doc_detail.cfm?&item_s_key=00325725&item_ key_date=941231&input_doc_number=ANSI%20X9%2E62&input_doc _title= (The ANSI X9.62 standard is available here for purchase)