FIPS-validated cryptographic algorithms

Overview

Self-hosted clients that need to run LearningBuilder in a FedRAMP-compliant architecture must enable the Windows FIPS security policy (“FIPS mode”). When this policy is enabled, any code path that instantiates a cryptographic implementation that is not FIPS-validated (MD5, for example, or the purely managed .NET hash classes) fails at runtime with an exception; there is no automatic fallback to a validated implementation, so the affected feature breaks.
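The quickest way to see this behaviour on a given host is to probe the hash implementations directly. The script below is an added diagnostic, not LearningBuilder code: it reads the FIPS policy from the registry, reports what .NET Framework believes the policy to be, then constructs each hash class named in the feature table (plus SHA256Managed and SHA256CryptoServiceProvider for contrast) and hashes a constructed sample input. The class list, the sample input and the output format are this example's own choices.

```powershell
# Added diagnostic (not LearningBuilder code). Run in Windows PowerShell 5.1, which hosts
# .NET Framework, the runtime whose FIPS enforcement the overview describes. PowerShell 7 /
# .NET (Core) does not enforce the policy this way and would report every class as OK.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$registryValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Output ("Registry {0}\Enabled = {1}" -f $fipsKey, $registryValue)
Write-Output ("CryptoConfig.AllowOnlyFipsAlgorithms = {0}" -f [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)

# Implementations named in the feature table, plus two extra classes for contrast.
$probes = @(
    'System.Security.Cryptography.SHA256Cng'                    # login / password hashing (validated)
    'System.Security.Cryptography.SHA256CryptoServiceProvider'  # CAPI-backed, validated
    'System.Security.Cryptography.SHA256Managed'                # pure managed code, NOT validated
    'System.Security.Cryptography.SHA1CryptoServiceProvider'    # USAePay SHA1 response hash (validated)
    'System.Security.Cryptography.MD5CryptoServiceProvider'     # address verification, image de-dup (NOT validated)
)

# Constructed sample input; the digest value is irrelevant, only whether the call succeeds.
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')

foreach ($typeName in $probes) {
    $algorithm = $null
    try {
        $algorithm = New-Object -TypeName $typeName
        $digest = ([System.BitConverter]::ToString($algorithm.ComputeHash($sample))).Replace('-', '').ToLower()
        Write-Output ("{0,-58} OK    {1}" -f $typeName, $digest)
    }
    catch {
        # New-Object wraps the constructor's exception; unwrap to the InvalidOperationException
        # that .NET Framework raises for a non-validated implementation under FIPS policy.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        Write-Output ("{0,-58} FAIL  {1}: {2}" -f $typeName, $inner.GetType().Name, $inner.Message)
    }
    finally {
        if ($algorithm) { $algorithm.Dispose() }
    }
}
```

With the policy enabled (Enabled = 1 under the key above, or the local security policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"), the Cng and CryptoServiceProvider SHA classes succeed while SHA256Managed and MD5CryptoServiceProvider fail with InvalidOperationException. The policy is read when a process starts, so re-open the shell after changing it. Running this on the LearningBuilder host before enabling the policy in production gives a concrete list of which implementations will break.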

LearningBuilder generates hash values in several features for different purposes. Most of those features use FIPS-validated implementations and work normally in “FIPS mode”; the exceptions are listed in the table below:

| Feature | Supports FIPS mode? | Notes |
|---|---|---|
| Login / authentication | Yes | Uses SHA256Cng as part of password hashing |
| Bulk Payments | Yes | Creates hashes of cart items for verification |
| Public links to render Template attributes as a PDF | Yes | Security hashes for request signing |
| SSO / Demographic Sync | Yes | Security hashes for request signing |
| Upload Attributes | Yes | SHA256 hash used for de-duplication purposes only |
| External Message Queues | Yes | RabbitMQ service uses a SHA256 hash for a de-duplication token |
| Address Verification | No | Uses MD5 hashes for verification |
| USAePay Payments | Maybe | USAePay sends a hash code in payment responses, and code comments indicate that it can be SHA1 or MD5. Additional testing is needed to determine which hash they send under which conditions, and whether we actually process it in a way that would fail under FIPS mode. SHA1 is not blocked by FIPS mode (Windows' SHA1 implementations are FIPS-validated), so only the MD5 case is at risk. |
| Static images uploaded through the rich text editor | No | Images uploaded through the rich text editor (and stored in the database via the SQL File store) fail in FIPS mode because a third-party library uses an MD5 hash for de-duplication. |
| Address Data Type | No | |