I have been working on making our .NET application FIPS compliant, and have found that the Managed Cryptography classes (such as AESManaged) are not FIPS compliant. I have read several other articles and questions on which classes are compliant, such as http://stackoverflow.com/questions/939040/when-will-c-aes-algorithm-be-fips-compliant and http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/e0b4493f-6e20-4b75-a118-6b6e5d26a2a6. It looks like the CryptoServiceProvider classes ARE FIPS compliant, but the Managed classes are not.
I am just wondering if someone can explain the difference between the CryptoServiceProvider classes and the Managed classes? And if someone can explain why the CryptoServiceProvider classes are FIPS compliant, but the Managed classes are not, so I can explain to my boss why I have to rewrite our encryption methods. Are they fundamentally different under the hood? Or has MS just not subjected the Managed classes to NIST certification? If the Managed classes just wrap the CryptoServiceProvider classes, then why aren't the Managed classes automatically FIPS compliant? And if I write a class to wrap a FIPS compliant class into a more easily usable class of my own, is my software no longer FIPS compliant?
Thanks.