FIPS-validated cryptographic algorithms
Overview
Self-hosted clients that need to implement LearningBuilder in a FedRAMP-compliant architecture will need to enable “FIPS mode” in Windows. When this mode is enabled, any code paths that execute a non-FIPS-compliant cryptographic algorithm will fail at runtime.
LearningBuilder generates hash values in different features for different purposes. Most of those features use FIPS-validated implementations and will work fine in “FIPS mode”, with a few exceptions:
| Feature | Supports FIPS mode? | Notes |
|---|---|---|
| Login / authentication | Yes | Uses |
| | Yes | Creates hashes of cart items for verification |
| Public links to render Template attributes as a PDF | Yes | Security hashes for request signing |
| | Yes | Security hashes for request signing |
| | Yes | SHA256 hash used for de-duplication purposes only |
| External Message Queues | Yes | RabbitMQ service uses SHA256 hash for a de-duplication token |
| | No | Uses MD5 hashes for verification |
| | Maybe | USAePay sends a hash code in payment responses, and comments indicate that it can contain SHA1 or MD5. Additional testing is needed to determine which code they send under which conditions, and whether or not we actually process the hash in a way that would fail with FIPS mode. |
| Static images uploaded through the rich text editor | No | Images uploaded through the rich text editor (and stored in the database via SQL File store) will fail in FIPS mode because a 3rd party library uses an MD5 hash for de-duplication. |
| Address Data Type | No | |
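
To confirm on a given server that FIPS mode is actually enabled and to see which of the hash algorithms named in the table the runtime will refuse, a probe like the following can be run. This is an added example, not LearningBuilder code. The function name Test-FipsHashSupport is hypothetical, and the script assumes Windows PowerShell, so its results describe the .NET runtime hosting the script rather than LearningBuilder's own code paths.

```powershell
# Added example: report the Windows FIPS policy and probe which hash
# algorithms the current .NET runtime will run. Function name is hypothetical.
function Test-FipsHashSupport {
    # Registry value behind the local security policy
    # "System cryptography: Use FIPS compliant algorithms ...".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $value) -and ($value.Enabled -eq 1)

    # What the .NET runtime hosting this script believes about the policy.
    $runtimeFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Constructed sample input; only used to force a real hash computation.
    $sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')

    # The three algorithms mentioned in the feature table.
    $factories = [ordered]@{
        MD5    = { [System.Security.Cryptography.MD5]::Create() }
        SHA1   = { [System.Security.Cryptography.SHA1]::Create() }
        SHA256 = { [System.Security.Cryptography.SHA256]::Create() }
    }

    foreach ($name in $factories.Keys) {
        $status = 'OK'
        $detail = ''
        try {
            $alg = & $factories[$name]
            try {
                [void]$alg.ComputeHash($sample)
                $detail = $alg.GetType().FullName   # implementation actually selected
            } finally {
                $alg.Dispose()
            }
        } catch {
            # Creation or use was refused; keep the innermost message for the report.
            $status = 'Blocked'
            $detail = $_.Exception.GetBaseException().Message
        }
        [pscustomobject]@{
            Algorithm       = $name
            Status          = $status
            Detail          = $detail
            PolicyEnabled   = $policyEnabled
            RuntimeFipsOnly = $runtimeFipsOnly
        }
    }
}

Test-FipsHashSupport | Format-Table -AutoSize -Wrap
```

A row with Status "Blocked" identifies an algorithm that will throw at runtime in that environment. If PolicyEnabled is False, every algorithm will report OK and the result says nothing about FIPS-mode behaviour.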