WebCrypto / FIPS 140-2 in Edge and Edge/Chromium

%3CLINGO-SUB%20id%3D%22lingo-sub-1057586%22%20slang%3D%22en-US%22%3EWebCrypto%20%2F%20FIPS%20140-2%20in%20Edge%20and%20Edge%2FChromium%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1057586%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20Windows%2010%20is%20running%20in%20%22FIPS%20140-2%20mode%22%20per%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcsrc.nist.gov%2FCSRC%2Fmedia%2Fprojects%2Fcryptographic-module-validation-program%2Fdocuments%2Fsecurity-policies%2F140sp3544.pdf%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcsrc.nist.gov%2FCSRC%2Fmedia%2Fprojects%2Fcryptographic-module-validation-program%2Fdocuments%2Fsecurity-policies%2F140sp3544.pdf%3C%2FA%3E%2C%20does%20that%20mean%20that%20Edge%20is%20also%20only%20using%20FIPS%20140-2%20approved%20algorithms%20and%20it%20is%20actually%20using%20the%26nbsp%3B%20Microsoft%20Windows%20Cryptographic%20Primitives%20Library%3F%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EAssuming%20the%20answer%20is%20yes%2C%20does%20the%20WebCrypto%20API%20in%20Edge%20actually%20use%20the%26nbsp%3B%3CSPAN%3ECryptographic%20Primitives%20Library%3F%3CBR%20%2F%3E%3CBR%20%2F%3ELast%20question%2C%20does%20this%20change%20at%20all%20for%20the%20new%20version%20of%20Edge%20based%20on%20Chromium%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1068830%22%20slang%3D%22en-US%22%3ERe%3A%20WebCrypto%20%2F%20FIPS%20140-2%20in%20Edge%20and%20Edge%2FChromium%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1068830%22%20slang%3D%22en-US%22%3E%3CP%3EWould%20be%20great%20if%20anyone%20could%20actually%20help%20and%2For%20voice%20an%20opinion%20as%20to%20whether%20or%20not%20I'm%20thinking%20about%20this%20correctly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1078421%22%20slang%3D%22en-US%22%3ERe%3A%20WebCrypto%20%2F%20FIPS%20140-2%20in%20Edge%20and%20Edge%2FChromium%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1078421%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20also%20looking%20for%20some%20information%20on%20that%20topic%2C%20%3CFONT%3Eunfortunately%3C%2FFONT%3E%20there%20is%20not%20much%20information%26nbsp%3B%3CFONT%3Eavailable%3C%2FFONT%3E%20online%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1653670%22%20slang%3D%22en-US%22%3ERe%3A%20WebCrypto%20%2F%20FIPS%20140-2%20in%20Edge%20and%20Edge%2FChromium%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1653670%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20anyone%20(Microsoft%20or%20Others)%20answer%20this%20question%20as%20to%20FIPS%20140-2%20validated%20Cryptographic%20Module%20usage%20by%20EDGE.%26nbsp%3B%20Is%20it%20using%20Windows%20Crypto%20under%20the%20hood%20on%20Windows%20Platforms%3F%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1676259%22%20slang%3D%22en-US%22%3ERe%3A%20WebCrypto%20%2F%20FIPS%20140-2%20in%20Edge%20and%20Edge%2FChromium%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1676259%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F789121%22%20target%3D%22_blank%22%3E%40j_hawkins%3C%2FA%3E%26nbsp%3BMicrosoft%20Edge%20Legacy%20uses%20the%20Windows%20Cryptographic%20libraries%20that%20are%20a%20part%20of%20the%20Windows%20operating%20system.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EMicrosoft%20Edge%20(version%2076%2B)%20instead%20uses%20the%20Chromium%20cryptographic%20libraries%20and%20does%20not%20rely%20upon%20the%20Windows%20system%20cryptographic%20libraries%20or%20configuration.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

If Windows 10 is running in "FIPS 140-2 mode" per https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security..., does that mean that Edge is also only using FIPS 140-2 approved algorithms and it is actually using the  Microsoft Windows Cryptographic Primitives Library?


Assuming the answer is yes, does the WebCrypto API in Edge actually use the Cryptographic Primitives Library?

Last question, does this change at all for the new version of Edge based on Chromium?

4 Replies
Highlighted

Would be great if anyone could actually help and/or voice an opinion as to whether or not I'm thinking about this correctly.

Highlighted

I am also looking for some information on that topic, unfortunately there is not much information available online

Highlighted

Can anyone (Microsoft or Others) answer this question as to FIPS 140-2 validated Cryptographic Module usage by EDGE.  Is it using Windows Crypto under the hood on Windows Platforms?   

 

 

Highlighted

@j_hawkins Microsoft Edge Legacy uses the Windows Cryptographic libraries that are a part of the Windows operating system. 

Microsoft Edge (version 76+) instead uses the Chromium cryptographic libraries and does not rely upon the Windows system cryptographic libraries or configuration.