Question
You want to find out whether the encryption level used to store jobs in Pharos collectors is FIPS 140-2 validated.
Information
The following describes how Blueprint works with respect to FIPS 140-2 compliance:
Windows has a FIPS 140-2 registry key that can be enabled. This changes the way Windows works to try to be compliant with FIPS 140-2. An example of the effect of that change is that .NET disables non-FIPS 140-2 compliant algorithms. Blueprint does rely on some non-FIPS 140-2 compliant algorithms in specific places. It can still run successfully on Windows with the FIPS 140-2 flag enabled, and it does so by using 3rd party implementations of those non-FIPS 140-2 algorithms.
To answer the specific question, "Is the encryption level used to store jobs in Pharos collectors FIPS 140-2 validated?"
The answer to this specific question is yes. We use the AesCryptoServiceProvider, which is FIPS 140-2 compliant, for encrypting print jobs. See https://learn.microsoft.com/en-us/dotnet/standard/security/cryptography-model for more on which algorithms are compliant.
To explain this further, customers can enable a FIPS flag in Windows if they require a FIPS 140-2 compliant environment.
This causes .NET cryptography libraries to disable all algorithms and features that are not FIPS 140-2 compliant.
Pharos Blueprint Encryption and FIPS 140-2
Pharos Blueprint will operate properly with the FIPS 140-2 flag on. We are using the FIPS compliant AesCryptoServiceProvider class (i.e. the AES algorithm) for print jobs, with a key size of 256 bits and a block size of 128 bits.
Therefore, all print jobs (and all other data encrypted in Blueprint) are encrypted using a FIPS 140-2 compliant algorithm and parameters.
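An administrator can confirm this behavior on a collector host with the following check. It is an added example, not Pharos code. It assumes Windows PowerShell 5.1 on .NET Framework, and the registry path shown is the standard Windows FIPS policy location, which this article does not name.

```powershell
# Added example: run in Windows PowerShell 5.1 (.NET Framework) on the host to check.
# Assumption: the standard Windows FIPS policy key (not named in the article).
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$flag = (Get-ItemProperty -Path $policyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$fipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
"Registry FIPS flag     : $flag"
"CryptoConfig FIPS-only : $fipsOnly"

# AES with the parameters the article states: 256-bit key, 128-bit block.
$sample = 'constructed sample print job'   # constructed test input
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
try {
    $aes.KeySize   = 256
    $aes.BlockSize = 128
    $aes.GenerateKey()
    $aes.GenerateIV()
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($sample)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $round  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $ok     = [System.Text.Encoding]::UTF8.GetString($round) -eq $sample
    "AES-256 round trip     : $ok"
} finally {
    $aes.Dispose()
}

# The .NET MD5 provider should refuse to construct when the FIPS flag is enforced.
try {
    $md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
    $md5.Dispose()
    "MD5 (.NET provider)    : available, FIPS mode is not enforced for this process"
} catch {
    "MD5 (.NET provider)    : blocked -> $($_.Exception.Message)"
}
```

With the flag enabled, the AES round trip is expected to succeed while the .NET MD5 provider fails to construct. Start a new PowerShell session after changing the flag before relying on the result.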
Other Algorithms
Blueprint does include a non-FIPS compliant algorithm as explained below. In FIPS compliant environments, this use is not considered a violation (again - explained below). Because of these requirements, Pharos does include a library to implement the MD5 algorithm.
SNMP V3 Encrypted and Authentication Communication
When using SNMP V3 to communicate securely to printers (rather than unencrypted v2 or v1), the site administrator can select MD5 Authentication at the printer. If this happens, then Pharos Blueprint is forced to use MD5 to match the authentication choice.
This is not normally a problem in FIPS compliant environments because customers should not enable MD5 authentication, and so this auth algorithm will not be used.
MD5 used to index a cache
MD5 is used to create an index for data stored in an internal cache. This is not a cryptographic use, and therefore does not represent a FIPS violation.