Monday, March 28, 2016

Encryption on Windows

Why You Shouldn’t Enable “FIPS-compliant” Encryption on Windows


Windows has a hidden setting that will enable only government-certified “FIPS-compliant” encryption. It may sound like a way to boost your PC’s security, but it isn’t. You shouldn’t enable this setting unless you work in government or need to test how software will behave on government PCs.

This tweak fits right alongside other useless Windows tweaking myths. If you’ve stumbled across this setting in Windows or seen it mentioned elsewhere, don’t enable it. If you have already enabled it without a good reason, use the steps below to disable “FIPS mode”.

What Is FIPS-compliant Encryption?


FIPS stands for “Federal Information Processing Standards.” It’s a set of government standards that define how certain things are used in the government–for example, encryption algorithms. FIPS defines certain specific encryption methods that can be used, as well as methods for generating encryption keys. It’s published by the National Institute of Standards and Technology, or NIST.

The setting in Windows complies with the US government FIPS 140 standard. When it’s enabled, it forces Windows to only use FIPS-validated encryption schemes and advises applications to do so, as well.

“FIPS mode” doesn’t make Windows more secure. It just blocks access to newer cryptography schemes that haven’t been FIPS-validated. That means it won’t be able to use new encryption schemes, or faster ways of using the same encryption schemes. In other words, it makes your computer slower, less functional, and arguably less secure.


How Windows Behaves Differently If You Enable This Setting

Microsoft explains what this setting actually does in a blog post entitled “Why We’re Not Recommending “FIPS Mode” Anymore.” Microsoft only recommends you use FIPS mode if you have to. For example, if you’re using a US government computer, that computer is supposed to have “FIPS mode” enabled according to the government’s own regulations. There’s no real case where you’d want to enable this on your own personal computer–unless you were testing how your software behaves on US government computers with this setting enabled.

This setting does two things to Windows itself. It forces Windows and Windows services to use only FIPS-validated cryptography. For example, the Schannel service built into Windows won’t work with older SSL 2.0 and 3.0 protocols, and will require at least TLS 1.0 instead.

Microsoft’s .NET framework will also block access to algorithms that aren’t FIPS-validated. The .NET framework offers several different algorithms for most cryptography algorithms, and not all of them have even been submitted for validation. As an example, Microsoft notes that there are three different versions of the SHA256 hashing algorithm in the .NET framework. The fastest one hasn’t been submitted for validation, but should be just as secure. So enabling FIPS mode will either break .NET applications that use the more efficient algorithm or force them to use the less efficient algorithm and be slower.

Aside from those two things, enabling FIPS mode recommends to applications that they use only FIPS-validated encryption, too. But it doesn’t force anything else. Traditional Windows desktop applications can choose to implement any encryption code they want–even horrifically vulnerable encryption–or no encryption at all. FIPS mode doesn’t do anything to other applications unless they obey this setting.


How to Disable FIPS Mode (or Enable It, If You Have To)

You shouldn’t enable this setting unless you’re using a government computer and are forced to. If you do enable this setting, some consumer applications may actually ask you to disable FIPS mode so they can function properly.

If you need to enable or disable FIPS mode–maybe you’ve seen an error message after you enabled it, you need to test how your software will behave on a computer with FIPS mode enabled, or you’re using a government computer and have to enable it–you can do so in several ways. FIPS mode can be enabled only when connected to a specific network, or via a system-wide setting that will always apply.

To enable FIPS mode only when connected to a specific network, perform the following steps:


  1. Open the Control Panel window.
  2. Click “View network status and tasks” under Network and Internet.
  3. Click “Change adapter settings.”
  4. Right-click the network you want to enable FIPS for and select “Status.”
  5. Click the “Wireless Properties” button in the Wi-Fi Status window.
  6. Click the “Security” tab in the network properties window.
  7. Click the “Advanced settings” button.
  8. Toggle the “Enable Federal Information Processing Standards (FIPS) compliance for this network” option under 802.11 settings.

This setting can also be changed system-wide in the Group Policy Editor. This tool is only available on Professional, Enterprise, and Education versions of Windows–not Home versions. You can only use the Local Group Policy Editor to change this setting if your computer isn’t joined to a domain that manages its group policy settings for you. If your computer is joined to a domain and the group policy settings are centrally managed by your organization, you won’t be able to change it yourself. To change this setting in Group Policy:


  1. Press Windows Key+R to open the Run dialog.
  2. Type “gpedit.msc” into the Run dialog box (without the quotes) and press Enter.
  3. Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options” in the Group Policy Editor.
  4. Locate the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting in the right pane and double-click it.
  5. Set the setting to “Disabled” and click “OK.”
  6. Restart the computer.

On Home versions of Windows, you can still enable or disable the FIPS setting via a registry value. To check whether FIPS mode is enabled or disabled in the registry, follow these steps:


  1. Press Windows Key+R to open the Run dialog.
  2. Type “regedit” into the Run dialog box (without the quotes) and press Enter.
  3. Navigate to “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\”.
  4. Look at the “Enabled” value in the right pane. If it’s set to “0”, FIPS mode is disabled. If it’s set to “1”, FIPS mode is enabled. To change the setting, double-click the “Enabled” value and set it to either “0” or “1”.
  5. Restart the computer.
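The registry check above, and the .NET behaviour described earlier, can be observed from a PowerShell prompt. This is an added example, not code from the original article; it assumes Windows PowerShell 5.1 (which runs on the .NET Framework, so the FIPS policy is honoured), and the function names Get-FipsPolicy, Set-FipsPolicy and Test-DotNetFipsBehaviour are ours, not built-in cmdlets.

```powershell
# Added example: read (and optionally change) the FipsAlgorithmPolicy\Enabled
# value from the article, then show how the .NET Framework reacts to it.
# Assumes Windows PowerShell 5.1; function names below are our own.

$FipsKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicy {
    # $true when "Enabled" is 1; $false when it is 0 or the value is absent.
    $item = Get-ItemProperty -Path $FipsKey -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Enabled -eq 1)
}

function Set-FipsPolicy {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Writing under HKLM needs an elevated prompt; the change applies after a restart.
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name 'Enabled' -Type DWord -Value ([int]$Enabled)
    Write-Host "FipsAlgorithmPolicy\Enabled set to $([int]$Enabled); restart required."
}

function Test-DotNetFipsBehaviour {
    # The article's .NET point: with the policy enforced, the managed SHA256
    # implementation is refused, while the validated CSP-backed one keeps working.
    $policy = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    Write-Host "CryptoConfig.AllowOnlyFipsAlgorithms = $policy"
    foreach ($type in 'SHA256Managed', 'SHA256CryptoServiceProvider') {
        try {
            $h = New-Object "System.Security.Cryptography.$type"
            $h.Dispose()
            Write-Host "  $type : available"
        } catch {
            Write-Host "  $type : blocked - $($_.Exception.Message)"
        }
    }
}

"Registry says FIPS mode enabled: $(Get-FipsPolicy)"
Test-DotNetFipsBehaviour
# To turn the setting off (elevated prompt, then reboot):  Set-FipsPolicy -Enabled $false
```

Run it once before and once after toggling the value (with the restart in between) to see the SHA256Managed line change from "available" to "blocked".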

By: How to Geek
