Module Name
Microsoft Windows Server 2008 R2 Kernel Mode Cryptographic Primitives Library (cng.sys)
Historical Reason
RNG SP800-131A Revision 1 Transition
Caveat
When operated in FIPS mode with Windows Server 2008 R2 Winload OS Loader (winload.exe) validated to FIPS 140-2 under Cert. #1333 operating in FIPS mode
Embodiment
Multi-chip standalone
Description
CNG.SYS runs as a kernel mode export driver, and provides cryptographic services, through their documented interfaces, to Windows Server 2008 R2 kernel components. It supports several cryptographic algorithms accessible via a FIPS function table request irp (I/O request packet).
Tested Configuration(s)
- Microsoft Windows Server 2008 R2 (IA64 version)
- Microsoft Windows Server 2008 R2 (x64 Version)
- Microsoft Windows Server 2008 R2 SP1 (IA64 version) (single-user mode)
- Microsoft Windows Server 2008 R2 SP1 (x64 version)
Approved Algorithms
AES |
Certs. #1168 and #1187 |
AES GCM |
Cert. #1168, vendor-affirmed |
AES GMAC |
Cert. #1168, vendor-affirmed |
DRBG |
Certs. #23 and #27 |
ECDSA |
Cert. #142 |
HMAC |
Cert. #686 |
KAS |
SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength |
RNG |
Cert. #649 |
RSA |
Certs. #559 and #567 |
SHS |
Cert. #1081 |
Triple-DES |
Cert. #846 |
Other Algorithms
AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Software Versions
6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076