FIPS 140-2 Validation
The Microsoft Information Protection SDK version 1.14 and above can be configured to use the FIPS validated version of OpenSSL 3.0. To use the FIPS validated OpenSSL 3.0 module, developers must install and load the FIPS module.
FIPS 140-2 Compliance
The Microsoft Information Protection SDK uses OpenSSL to implement all cryptographic operations. OpenSSL isn't FIPS compliant without more configuration by the developer. To develop a FIPS 140-2 compliant application, OpenSSL in the MIP SDK must be configured to load the FIPS module to perform cryptographic operations instead of the default OpenSSL ciphers.
Install and configure the FIPS Module
Applications using OpenSSL can install and load the FIPS module with the following procedure published by OpenSSL:
- Install FIPS module following Appendix A: Installation and Usage Guidance
- Load FIPS module in MIP SDK by Making all applications use the FIPS module by default. Configure the OpenSSL_MODULES environment variable to the directory containing the fips.dll.
- (Optional) Configure the FIPS module for some applications only by Selectively making applications use the FIPS module by default
When the FIPS module is successfully loaded, the MIP SDK log declares FIPS as the OpenSSL provider.
"OpenSSL provider loaded: [fips]"
If installation fails, the OpenSSL provider remains default.
"OpenSSL provider loaded: [default]"
Limitations of MIP SDK with FIPS 140-2 validated ciphers:
- Android and macOS are not supported. The FIPS module is available on Windows, Linux, and Mac.
TLS Requirements
MIP SDK prohibits the use of TLS versions prior to 1.2 unless the connection is made to an Active Directory Rights Management server.
Cryptographic Algorithms in MIP SDK
| Algorithm | Key Length | Mode | Comment |
|---|---|---|---|
| AES | 128, 192, 256-bit | ECB, CBC | MIP SDK always protects by default with AES256 CBC. Legacy versions of Office (2010) require AES 128 ECB, and Office docs are still protected in this manner by Office apps. |
| RSA | 2048-bit | n/a | Used for signing and protecting session key that protects a symmetric key blob. |
| SHA-1 | n/a | n/a | Hash algorithm used in signature validation for legacy publishing licenses. |
| SHA-256 | n/a | n/a | Hash algorithm used in data validation, signature validation, and as database keys. |
Next Steps
For details on the internals and specifics of how AIP protects content, review the following documentation:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for