ASPX pages fail due to FIPS 140 security policy

Question

I am working on a government site and am having some problems with my local security policy interferring with my web application. There is a setting called "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" which is enabled on my server.

Since that has been enabled, most of my aspx pages are returning the error "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." These pages aren't accessing any cryptographic methods. They do communicate with another database server, but that's it.

My problem is similar to the one described here. However, I don't have the option of disabling this FIPS security setting.

I am using .NET 4.0, IIS 7.0, and Windows Server 2008 R2, if that matters. Has anyone encountered this problem before?

Update

Unfortunately, correcting the machine key element to use a FIPS compliant algorithm did not completely solve my problem. I am still getting the error on alot of my pages.

I found two hotfixes which may be related. I will try to install these and see what happens.

We finally resolved this issue. It turned out that ComponentArts, a third party dll containing numerous web controls, was using a non-FIPS compliant algorithm for it's licensing stuff. — Slider345, May 18 '11 at 19:47

Chris W. Rea · Accepted Answer · 2011-03-18T18:00:58.727

Refer to Microsoft's knowledge base article: KB 811833 - The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing...". Excerpt:

Microsoft .NET Framework applications such as Microsoft ASP.NET only allow for using algorithm implementations that are certified by NIST to be FIPS 140 compliant. Specifically, the only cryptographic algorithm classes that can be instantiated are those that implement FIPS-compliant algorithms. The names of these classes end in "CryptoServiceProvider" or "Cng". Any attempt to create an instance of other cryptographic algorithm classes, such as classes with names ending in "Managed", cause an InvalidOperationException exception to occur. Additionally, any attempt to create an instance of a cryptographic algorithm that is not FIPS compliant, such as MD5, also causes an InvalidOperationException exception.

By default, ASP.NET wants to use algorithms that are incompatible with FIPS compliance. To solve your problem, you'll need to change ASP.NET configuration to use a compatible algorithm instead. Refer to machineKey Element on how to configure another algorithm.

This MSDN forum post suggests 3DES ought to be compatible... although the machineKey documentation listed previously does say about AES (the default in ASP.NET 4.0) "This algorithm is compliant with the United States Federal Information Processing Standards (FIPS)".

I've also heard that having debug="true" in your web.config may cause the error.

Interesting. So the viewstate on my aspx pages is automatically getting encrypted by the machineKey? I wasn't aware of that, though it makes sense. — Slider345, Mar 18 '11 at 17:59
There are options for encryption and for tamper-detection (signature hash). — Chris W. Rea, Mar 18 '11 at 18:04
Hmm, unfortunately, that did not completely solve the issue. However, it may be because I haven't installed a some hotfixes which I have now listed in my question. — Slider345, Mar 18 '11 at 18:42
@Slider345 Did you also try setting debug="false" in your web.config? — Chris W. Rea, Mar 18 '11 at 19:44
Is this problem unique to ASPX pages, or could Apache/Tomcat-hosted webpages also encounter this problem? — Kevin Meredith, Jan 16 '13 at 18:24

ASPX pages fail due to FIPS 140 security policy

1 Answers1

Linked