PowerShell 7 ignores Windows FIPS mode configuration

[zbalkan]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest released version
• Search the existing issues.
• Refer to the FAQ.
• Refer to Differences between Windows PowerShell 5.1 and PowerShell.

Steps to reproduce

When Windows computers are in FIPS mode, the Powershell 5 prevents weak algorithms according to the FIPS mode to be used. But Powershell 7 ignores that setting.

• Under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, set Enabled to 1.
• Start a PowerShell 5 console and paste [System.Security.Cryptography.MD5]::Create(). Expect an exception.
• Start a PowerShell 7 console [System.Security.Cryptography.MD5]::Create(). It should succeed.

Expected behavior

PS> [System.Security.Cryptography.MD5]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS
validated cryptographic algorithms."
At line:1 char:1
+ [System.Security.Cryptography.MD5]::Create()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

Actual behavior

PS> [System.Security.Cryptography.MD5]::Create()

HashSize                   : 128
Hash                       :
InputBlockSize             : 1
OutputBlockSize            : 1
CanTransformMultipleBlocks : True
CanReuseTransform          : True

Error details

-

Environment data

PS>  $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.5
PSEdition                      Core
GitCommitId                    7.4.5
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

FIPS mode.zip

[iSazonov]

.Net doesn't force FIPS https://learn.microsoft.com/en-us/dotnet/standard/security/fips-compliance
See also https://techcommunity.microsoft.com/t5/modern-work-app-consult-blog/fips-and-net-core/ba-p/1454638

FIPS compliance - .NET Core - .NET

Explains .NET Core Federal Information Processing Standard (FIPS) compliance.

TECHCOMMUNITY.MICROSOFT.COM

FIPs and .NET Core

FIPs stands for Federal Information Processing Standards. It is all about cryptographic algorithms.

[zbalkan]

So, you mean, a shell language and an engine that works on the operating system does not respect the OS-level configuration because of its dependencies? I do not think it is a good justification for the behavior of a shell.

[zbalkan]

Hi @iSazonov, the documents and blog articles mention that it is not a runtime concern, but the application. So, PowerShell being the application, it looks like it is the intention of the Dotnet team to push it to the upper layer, and PowerShell team should take over the responsibility at this point. While the links do not justify the default behavior of PowerShell, it helps clarify the ownership of responsibility. The ball is on PowerShell team.

[jborean93]

PowerShell is in the same boat as .NET here. It just exposes the types and is ultimately up to the end user to decide whether their scripts are FIPS compliant or not. PowerShell is probably in a worse position as it doesn’t control the classes themselves and trying to hook into them is a loosing battle.

While I personally don’t agree with this behaviour and I think ultimately the check should happen at the Win32 layer (if some Crypto APIs don’t already do so) but that’s a decision that sits outside of this repo.

[zbalkan]

While I agree that it would be better if it is handled on a lower level, that's not what the OS decided to do. It is similar on Linux as well. The crypto-policies on Linux systems is similar to the Windows way: a single point of truth for cryptography configuration where applications can refer to. One uses Registry while the other uses /etc/crypto-policies/config. At this point instead of making this a hot potato, I believe a crypto policy abstraction layer that would work cross platform for PowerShell makes more sense.

Also, for the .NET team, PowerShell is the app, not the scripts, modules or cmdlets running on top of it. So, the OS provided a reference point for the apps to refer to and did its part. Runtime design pushes the authority to the right, the application layer. In my opinion, PowerShell should read the settings and work accordingly. But that's an architectural decision.

These kind of configurations are always an issue as the OS does not enforce, but let the user space opt in to use the settings. To me, it should be an "opt out" setting: the apps must use defaults and choose the exception explicitly. But the OS teams chose this way, and shell should align with it, IMHO.

[iSazonov]

If an author of an PowerShell module imports some dll library, PowerShell cannot know whether there is an encryption algorithm in this library and what standards it meets.

[rhubarb-geek-nz]

Also, for the .NET team, PowerShell is the app, not the scripts, modules or cmdlets running on top of it.

However for the user, PowerShell is a shell and they run scripts, commands, assemblies and executables with it.

It is both unreasonable and impractical to expect PowerShell to police what scripts, cmdlets and assemblies do, that is down to the user and the privileges granted by the operating system.

For FIPS certification the system as a whole would have to be considered, that includes scripts, cmdlets, assemblies and executables. PowerShell is not a get-out-of-jail-free card for FIPS.

Now PowerShell 7 is not part of the operating system and is covered by the MIT License, so can simply claim

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND

However there are levels that the PowerShell project could claim:

1. This executable, its deployed packages and SDK are unsuitable for a FIPS environment and should be considered a red-flag for certification.

2. PowerShell itself is FIPS compliant, all packaged scripts and cmdlets abide by the operating system settings and do not permit unsafe protocols, ciphers or digests to be used. Eg Get-Hash, Invoke-WebRequest, Invoke-RestMethod, Get/Set-AuthenticodeSignature etc.

3. PowerShell itself is FIPS compliant because all components that may potentially use unsafe protocols, ciphers or digests are completely disabled when in FIPS mode, eg Get-Hash, Invoke-WebRequest, Invoke-RestMethod, Get/Set-AuthenticodeSignature etc.

[zbalkan]

Great arguments which are hard to disagree with. Thanks everyone for the discussion.

[microsoft-github-policy-service]

📣 Hey @zbalkan, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

Microsoft Forms