5

My company has a project created with ASP.NET on .NET Framework 3.5 and a Windows Web Server 2008 R2 to host the project.

In the web server, we enabled the setting for "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"

After that the application does not run. It shows the following error:

Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Stack Trace:

[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
   System.Security.Cryptography.RijndaelManaged..ctor() +7715396
   System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +232
   System.Web.Configuration.MachineKeySection.EnsureConfig() +156
   System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +37
   System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +166
   System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Serialize(Object state) +4
   System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +37
   System.Web.UI.HiddenFieldPageStatePersister.Save() +79
   System.Web.UI.Page.SavePageStateToPersistenceMedium(Object state) +105
   System.Web.UI.Page.SaveAllState() +236
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1099

We are looking for solutions to this. Most of the solutions we found online suggest disabling FIPS checking by turning off the setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", or by adding these two lines to web.config:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
<enforceFIPSPolicy enabled="false"/>

But we don't want to disable FIPS checking for our code, for security purposes. Instead we want to adjust our code or server settings so that it will enforce the FIPS policy in the project with interpreting its functionalities.

Can anyone give me any ideas on this?

monjuri
  • "An implementation of an approved cryptographic algorithm is considered FIPS compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation." See [here](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/). I'm guessing your algorithms haven't been submitted, validated and signed? – Basic Jul 25 '16 at 18:09
  • Are you using the managed versions of the .NET-implemented hashing algorithms? This link states that the fully .NET-implemented versions are not FIPS compliant, basically the methods ending in "Managed". https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/ – Bearcat9425 Jul 25 '16 at 18:15
  • 1
    @basic: going through the code, my understanding is that the code just uses the default cryptographic algorithms under System.Security.Cryptography. – monjuri Jul 25 '16 at 18:41
  • @Bearcat9425 Sorry for my ignorance in this: what are the managed versions of the .NET-implemented hashing algorithms? – monjuri Jul 25 '16 at 18:45
  • @monjuri Well, my statement was more of an example, much like the article, but "for instance" (this is from the link): there are 3 implemented forms of the SHA256 hashing algorithm, SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. The first two use P/Invoke, whereas the last, SHA256Managed, is a purely .NET implementation. The purely .NET-implemented algorithms have not been submitted to NIST for approval, hence they are not FIPS approved, hence .NET will raise an exception if FIPS is turned on. So if your code is using the purely .NET-implemented version of the security algorithms, it could be the issue. – Bearcat9425 Jul 25 '16 at 18:55
  • @Bearcat9425 Yes, my application is using System.Security.Cryptography.RijndaelManaged. – monjuri Jul 25 '16 at 19:52
  • That could be your culprit then. Taking from that link, any of the implementations ending with "Managed" are not FIPS validated, meaning they will not work with the FIPS flag enabled. Here is another link referring to the same thing: http://stackoverflow.com/questions/939040/when-will-c-sharp-aes-algorithm-be-fips-compliant – Bearcat9425 Jul 25 '16 at 20:42
  • I found this page http://stackoverflow.com/questions/6652850/enforcefipspolicy-flag-in-web-config-doesnt-seem-to-working-for-web-application that says the machineKey enforces a FIPS-friendly algorithm. So adding just this line should work. I removed it from the web.config file, and it seems that made the error message disappear. – monjuri Jul 26 '16 at 18:19

2 Answers

2

There is a relevant MSDN blog. Try the following registry changes:

  • HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled: this registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.
  • HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy: this registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.

After you enable or disable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting, you must restart your application, such as Internet Explorer, for the new setting to take effect.

In your case, it should be sufficient to recycle your website's app domain.

Note also the comment from @Basic that enabling FIPS mode, while potentially necessary to interact with government systems, can cause other security headaches.

Eric J.
0

From the stack trace it seems like you are using the managed version of the Rijndael algorithm.
According to this answer no managed implementation is FIPS-certified.

Using a non-managed implementation should solve your problem: Rijndael is the precursor of AES, so maybe try AesCng?

The drawback with unmanaged implementations is that they may not be compatible with older versions of Windows.

Ioanna
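One way to apply this answer's suggestion, as an added example (not code from the question or from either answer): replace RijndaelManaged with AesCryptoServiceProvider, which is backed by the Windows CAPI provider and accepted in FIPS mode, and expose the policy flag so the application can check it at startup. The class and method names are my own; the key is assumed to be supplied by the caller.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the question or either answer: FIPS-validated AES in place of RijndaelManaged.
public static class FipsAes
{
    // AesCryptoServiceProvider wraps the Windows CAPI provider and is accepted in FIPS mode; AesCng
    // (System.Core, Vista/Server 2008+) is the CNG equivalent. RijndaelManaged and AesManaged are
    // pure .NET code and throw InvalidOperationException when the policy is on.
    public static SymmetricAlgorithm CreateAes()
    {
        return new AesCryptoServiceProvider { KeySize = 256, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 };
    }
    // Reflects the Lsa\FIPSAlgorithmPolicy\Enabled registry value; check it at startup to fail fast.
    public static bool FipsPolicyEnforced()
    {
        return CryptoConfig.AllowOnlyFipsAlgorithms;
    }
    // Returns IV || ciphertext. CBC gives confidentiality only; authenticate the output with
    // HMACSHA256 (also FIPS-accepted) before decrypting data received from an untrusted source.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (SymmetricAlgorithm aes = CreateAes())
        {
            aes.Key = key;
            aes.GenerateIV();   // fresh random IV per message
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(ct, 0, output, aes.IV.Length, ct.Length);
                return output;
            }
        }
    }
    public static byte[] Decrypt(byte[] key, byte[] ivAndCiphertext)
    {
        using (SymmetricAlgorithm aes = CreateAes())
        {
            int ivLen = aes.BlockSize / 8;
            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(ivAndCiphertext, 0, iv, 0, ivLen);
            aes.Key = key;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCiphertext, ivLen, ivAndCiphertext.Length - ivLen);
        }
    }
}
```

The same substitution applies to hashing: SHA256CryptoServiceProvider or SHA256Cng in place of SHA256Managed, as the comments on the question describe.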