English 中文(简体)
Make ASP.NET web application FIPS Compliant?
原标题:
  • 时间:2010-06-25 17:21:17
  •  标签:
  • asp.net
  • fips

I need to understand how to make an ASP.NET web application FIPS compliant. To keep it simple, I created a new web application within VS 2008. I have FIPS enabled on my development machine, as the client using the web application will be a Federal agency that will enforce FIPS.

I can not even compile the new web application - as it gives me the error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I have read documentation and added the following elements to the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

<enforceFIPSPolicy enabled="false" /> (also tried <enforceFIPSPolicy enabled="0" />)

But I still get this error. Again, I want to get this to work with a brand new web application before I attempt to get it to work with my actual solution.

I am using .NET 3.5 SP1 for the framework.

Any help would be greatly appreciated.

Thanks.

Chris

问题回答

if a reference to ANY non-FIPS compliant algorithm is in the code, even if never actually used/reachable will cause the FIPS compliance error. For example just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced dlls are possibly using non-fips compliant algorithms as well.

Here s a handy site that lists all of the FIPS and non-FIPS algorithms in .NET http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

There are two things to make a new.NET application FIPs compliant.

1) In your machine key settings, use 3DES for decryption and SHA1 for validation, as you mentioned in the question. (There is a STIG out that says you should use SHA1. https://www.stigviewer.com/stig/iis_7.0_web_site/2014-03-25/finding/V-26026)

2) Ensure that the code is not in debug mode. The compilation section of your web.config and the page directives should all have debug="false". Debug="true" will kick off the FIPs compliance error before .Net can even run the first line of code.

For visual studio to compile the code, you may need to disable fips on visual studio.

For visual studion 2010:

  • Open Devenv.exe.config from C:Program Files (x86)Microsoft Visual Studio 10.0Common7IDE if you are on x64 OS or C:Program FilesMicrosoft Visual Studio 10.0Common7IDE on x86 OS

  • Find </runtime> tag and add the following above that line:

    <enforceFIPSPolicy enabled="false"/> 
    
  • After the above modification devenv config would look like:

    <configuration> 
    <runtime> 
    . 
    . 
    . 
    <enforceFIPSPolicy enabled="false"/> 
    </runtime> 
    </configuration> 
    
  • Restart Visual Studio

https://blogs.msdn.microsoft.com/brijs/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010/

Sources: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

https://blogs.msdn.microsoft.com/webtopics/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debugtrue/

http://forums.asp.net/t/1778719.aspx?+FIPS+validated+cryptographic+algorithms+3DES+machinekey+solution+didnt+work





相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

How to Add script codes before the </body> tag ASP.NET

Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...

Transaction handling with TransactionScope

I am implementing Transaction using TransactionScope with the help this MSDN article http://msdn.microsoft.com/en-us/library/system.transactions.transactionscope.aspx I just want to confirm that is ...

System.Web.Mvc.Controller Initialize

i have the following base controller... public class BaseController : Controller { protected override void Initialize(System.Web.Routing.RequestContext requestContext) { if (...

Microsoft.Contracts namespace

For what it is necessary Microsoft.Contracts namespace in asp.net? I mean, in what cases I could write using Microsoft.Contracts;?

Separator line in ASP.NET

I d like to add a simple separator line in an aspx web form. Does anyone know how? It sounds easy enough, but still I can t manage to find how to do it.. 10x!

热门标签