Question

I need to understand how to make an ASP.NET web application FIPS compliant. To keep it simple, I created a new web application within VS 2008. I have FIPS enabled on my development machine, as the client using the web application will be a Federal agency that will enforce FIPS.

I can not even compile the new web application - as it gives me the error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I have read documentation and added the following elements to the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

<enforceFIPSPolicy enabled="false" /> (also tried <enforceFIPSPolicy enabled="0" />)

But I still get this error. Again, I want to get this to work with a brand new web application before I attempt to get it to work with my actual solution.

I am using .NET 3.5 SP1 for the framework.

Any help would be greatly appreciated.

Thanks.

Chris

Answer 1

if a reference to ANY non-FIPS compliant algorithm is in the code, even if never actually used/reachable will cause the FIPS compliance error. For example just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced dlls are possibly using non-fips compliant algorithms as well.

Here s a handy site that lists all of the FIPS and non-FIPS algorithms in .NET http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

Answer 2

There are two things to make a new.NET application FIPs compliant.

1) In your machine key settings, use 3DES for decryption and SHA1 for validation, as you mentioned in the question. (There is a STIG out that says you should use SHA1. https://www.stigviewer.com/stig/iis_7.0_web_site/2014-03-25/finding/V-26026)

2) Ensure that the code is not in debug mode. The compilation section of your web.config and the page directives should all have debug="false". Debug="true" will kick off the FIPs compliance error before .Net can even run the first line of code.

For visual studio to compile the code, you may need to disable fips on visual studio.

For visual studion 2010:

Open Devenv.exe.config from C:Program Files (x86)Microsoft Visual Studio 10.0Common7IDE if you are on x64 OS or C:Program FilesMicrosoft Visual Studio 10.0Common7IDE on x86 OS
Find </runtime> tag and add the following above that line:
```
<enforceFIPSPolicy enabled="false"/> 
```

After the above modification devenv config would look like:

<configuration> 
<runtime> 
. 
. 
. 
<enforceFIPSPolicy enabled="false"/> 
</runtime> 
</configuration>

Restart Visual Studio

https://blogs.msdn.microsoft.com/brijs/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010/

Sources: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

https://blogs.msdn.microsoft.com/webtopics/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debugtrue/

http://forums.asp.net/t/1778719.aspx?+FIPS+validated+cryptographic+algorithms+3DES+machinekey+solution+didnt+work

友情链接