FIPS 140-2 Validation

The Microsoft Information Protection SDK version 1.14 and above can be configured to use the FIPS validated version of OpenSSL 3.0. To use the FIPS validated OpenSSL 3.0 module, developers must install and load the FIPS module.

FIPS 140-2 Compliance

The Microsoft Information Protection SDK uses OpenSSL to implement all cryptographic operations. OpenSSL isn't FIPS compliant without more configuration by the developer. To develop a FIPS 140-2 compliant application, OpenSSL in the MIP SDK must be configured to load the FIPS module to perform cryptographic operations instead of the default OpenSSL ciphers.

Install and configure the FIPS Module

Applications using OpenSSL can install and load the FIPS module with the following procedure published by OpenSSL:

1. Install FIPS module following Appendix A: Installation and Usage Guidance
2. Load FIPS module in MIP SDK by Making all applications use the FIPS module by default. Configure the OpenSSL_MODULES environment variable to the directory containing the fips.dll.
3. (Optional) Configure the FIPS module for some applications only by Selectively making applications use the FIPS module by default

When the FIPS module is successfully loaded, the MIP SDK log declares FIPS as the OpenSSL provider.

"OpenSSL provider loaded: [fips]"

If installation fails, the OpenSSL provider remains default.

 "OpenSSL provider loaded: [default]"

Limitations of MIP SDK with FIPS 140-2 validated ciphers:

• Android and macOS are not supported. The FIPS module is available on Windows, Linux, and Mac.

TLS Requirements

MIP SDK prohibits the use of TLS versions prior to 1.2 unless the connection is made to an Active Directory Rights Management server.

Cryptographic Algorithms in MIP SDK

Next Steps

For details on the internals and specifics of how AIP protects content, review the following documentation:

• How Azure RMS Works
• MS-RMPR Protocol Specification
• Licenses, Certificates, and how AD RMS protects and consumes documents