Compliance

Pleasant Password Server uses only FIPS 140-2 validated encryption and hashing algorithms. This includes AES-256 and SHA-512.

To ensure the system selects FIPS compliant algorithm implementations:

  • Run Windows in FIPS mode.
  • Use Microsoft SQL Server to store your password data and it will automatically use FIPS-compliant algorithms selected by Windows.
  • To see the certificates assocated with the algorithms, reference this list.  To determine the certificate number, cross reference your operating system version with the following algorithm names:
    • AES-256 (see table 12)
    • SHA-512 (see table 21)

Certification

Pleasant Password Server exceeds the FIPS 140-2 requirements and can be run in FIPS 140-2 compliant mode where required as indicated above.
Note that FIPS mode is no longer recommended, via Microsoft, as the industry standard as it requires adhering to algorithms and practices which have not been revised since 2002. Certification would require strict adherence to only these encryption methods and as such it is no longer enforced as the default.

For example, FIPS does not enforce encryption of data cached by an application. Our KeePass client caches in part with the ChaCha20 algorithm, released 2015. As this is not on the approved list from 2002, the data would have to be cached without encryption to meet compliance. 

​For meeting security standards we recommend testing a fully functional trial installation in your local environment to ensure our software will exceed your requirements. A trial key can be provided upon request.
 

Additional Technical Information

If using Pleasant Password Server with the default SQLite database, the entire database is encrypted using AES-256. This configuration has is not FIPS-certified. If you need a FIPS compliant database, use Microsoft SQL Server as described above.

Pleasant Password Server does not perform any encryption on its own and uses the standard Microsoft .NET libraries to acquire encryption providers. If desired, you can override the exact encryption algorithms using the standard .NET techniques, though be aware that changing these after storing data with the original algorithm will make the data unreadable.

For reference, we attempt to use the configured providers, but in FIPS-mode, we fall back to use the following classes when acquiring crypto providers:

  • System.Security.Cryptography.AesCryptoServiceProvider
  • System.Security.Cryptography.SHA512Cng
  • SHA512CryptoServiceProvider on systems lacking CNG support
Tag page
You must login to post a comment.