Microsoft Windows SChannel SSPI Self test?

486 views Asked by At

The question pertains to some specs (FIPS) that require the SChannel modules used for TLS perform a self test prior to use to validate that they have not been compromised. FIPS is one example. In the Open source libraries there are self tests built in. Does SChannel have this capability? I am not able to find any reference to this, yet it seems odd that this would be left out.

I hope that makes the question less vague and ambiguous. I believe this is a question that can reasonably be answered by someone that has deep knowledge of the SChannel API.

Added: My understanding of FIPS level 1 and certainly level 2 is that the operation of the algorithms needs to be verified at run time (self test) not just when originally certified. Additionally, the image in memory needs to be validated with a hash or some such to make sure it has not been changed.

If these things are not done a run time, the potential for a patched library exists does it not?

1

There are 1 answers

2
ixe013 On

FIPS certification is acheived for a given cipher suite on a given OS configuration. Certification will give you a level a It will give you a level, 1 being the highest you can acheive on regular hardware, but the lowest level security wise.

Now back to your question...

Starting from the cipher suites used SChannel, we can work our way up to the FIPS certificate from this page.

According to the PDF scan of the FIPS certificate (for Windows 7 Ultimate) or the 1337 certificate of Windows Server 2008 R2 64bits, you see on their second page that Self-Tests were certified at level 1.

So yes, SChannel does have self test capability, because it leverages the self-test capabilities of lower components. But if shifts some of the burden to you to validate that your software uses only certified components in a certified environment.