Microsoft Windows Cryptographic Primitives Library (bcrypt.dll) Security Policy Document
This Security Policy is nonproprietary and may be reproduced only in its original entirety (without revision)
1CryptographicModuleSpecification
The Microsoft Windows Cryptographic Primitives Library is a general purpose, softwarebased, cryptographic module.
The primitive provider functionality is offered through one cryptographic module, BCRYPT.DLL (version 7.00.1687),
subject to FIPS1402 validation. BCRYPT.DLL provides cryptographic services, through its documented
interfaces, to Windows Embedded Compact 7 components and applications running on Windows Embedded Compact
7.
The cryptographic module, BCRYPT.DLL, encapsulates several different cryptographic algorithms in an easy
touse cryptographic module accessible via the Microsoft CNG (Cryptography, Next Generation) API. It can be
dynamically linked into applications by software developers to permit the use of general purpose FIPS 140
2 Level 1 compliant cryptography.
1.1 CryptographicBoundary
The Windows Embedded Compact 7 BCRYPT.DLL consists of a dynamicallylinked library (DLL). The cryptographic
boundary for BCRYPT.DLL is defined as the enclosure of the computer system, on which BCRYPT.DLL is to be
executed. The physical configuration of BCRYPT.DLL, as defined in FIPS1402, is multichip standalone.
2SecurityPolicy
BCRYPT.DLL operates under several rules that encapsulate its security policy.
BCRYPT.DLL is supported on Windows Embedded Compact 7.
Windows Embedded Compact 7 is an operating system supporting a "single user" mode where there is
only one interactive user during a logon session.
BCRYPT.DLL is only in its Approved mode of operation when Windows Embedded Compact 7 is booted
norm a ll y , meaning Debug mode is disabled.
All users assume either the User or Cryptographic Officer roles.
BCRYPT.DLL provides no authentication of users. Roles are assumed implicitly. The authentication
provided by the Windows Embedded Compact 7 operating system i s not in the scope of the validation.
All cryptographic services implemented within BCRYPT.DLL are available to the User and
Cryptographic Officer roles.
BCRYPT.DLL implements the following FIPS1402 Approved algorithms:
o
SHA1, SHA256, SHA384, SHA512 hash (Cert. #1773)
o
SHA1, SHA256, SHA384, SHA512 HM AC (Cert. #1364)
o
TripleDES (2 key and 3 key) in ECB and CBC modes (Cert. # 1307). 2 key is restricted to legacy use
per SP 800131. Users of the BCrypt.dll should transition away from 2 key algorithms in favor of
encryption algorithms.
o
AES128, AES192, AES256 in ECB and CBC modes (Cert. #
2023)
o
RSA (RSASSAPKCS1v1_5) di gital sign atures (C er t. 10 51 )
o
FIPS 1862 DSA (Cert. #645)
o
ECDSA with the following NIST curves: P256, P384, P521 (Cert. #295).
o
SP 80090 Deterministic Random Bit Generator (DRBG) with AESCTR (Cert. #193)
BCRYPT.DLL supports the following nonApproved algorithms allowed for use in FIPS mode:
o
DiffieHellman (DH) secret agreement (key agreement; key establishment methodology
provides between 80 and 150 bits of encryption strength; noncompliant less than 80bits
of encryption strength)
o
RSA Key wrapping (key agreement; key establishment methodology provides between 80 and 150
bits of encryption strength. Keys can be entered by using the recipient's public key, per Section
7.6)
o
ECDH with the following NIST curves: P256, P384, P521 (key agreement; key
establishment methodology provides between 128 and 256 bits of encryption strength)
o
FIPS SP80056A (Section 5.8), X9.63, and X9.42 key derivation
o
FIPS IPsec IKE v1 key derivation as specified in FIPS 1402 Implementation Guidance D.8