AJAX.NET and FIPS

We have a few sections of our application that are using AJAX.NET 5.7.25.1. Our server administrators have enabled FIPS and we are running into the following error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Call stack:

at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()     
at MS.Utilities.MD5Helper.GetHash(Byte[] data)     
at Ajax.AjaxRequestProcessor.Run()     
at Ajax.AjaxHandler.ProcessRequest(HttpContext context)     
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Are the newer versions of the AJAX.NET libraries FIPS compliant?

Best answer

The fastest way to get this done may be to just modify the Ajax.NET Pro source directly to remove the offending call that uses the MD5 algorithm. Go get the source for the version of Ajax.NET Pro you're using from Codeplex. In AjaxPro/Utilities/MD5Helper.cs:

Replace the line...

MD5 md5 = new MD5CryptoServiceProvider();

with the line...

SHA1 md5 = new SHA1CryptoServiceProvider();

That should fix it. SHA1 is FIPS compliant per this page

In this case... the only API that is being used is the ComputeHash() method, which both providers implement so...

Just by switching the crypto providers you should be able to compile and use the code without any other changes and without any annoying FIPS policy violation flags.
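
To see which hash implementations the FIPS policy blocks on a given server before patching the helper, a small probe like the following can be run there. This is an added example, not part of the original answer or the Ajax.NET source; it assumes a .NET Framework 3.5+ console application, and the class name FipsHashProbe is hypothetical.

```csharp
// Added example: probes which hash classes can be constructed on this machine.
// Not code from the thread or from Ajax.NET; FipsHashProbe is a hypothetical name.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class FipsHashProbe
{
    // Each factory constructs one concrete hash implementation. When the
    // Windows FIPS policy is enforced, non-validated implementations throw
    // from their constructor, as in the question's call stack.
    static readonly Dictionary<string, Func<HashAlgorithm>> Candidates =
        new Dictionary<string, Func<HashAlgorithm>>
        {
            { "MD5CryptoServiceProvider",    () => new MD5CryptoServiceProvider() },
            { "SHA1CryptoServiceProvider",   () => new SHA1CryptoServiceProvider() },
            { "SHA1Managed",                 () => new SHA1Managed() },
            { "SHA256Managed",               () => new SHA256Managed() },
            { "SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider() },
        };

    static void Main()
    {
        // True when the machine-wide FIPS policy applies to this process.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Constructed sample input, only used to exercise ComputeHash().
        byte[] sample = Encoding.UTF8.GetBytes("constructed sample input");

        foreach (KeyValuePair<string, Func<HashAlgorithm>> entry in Candidates)
        {
            try
            {
                using (HashAlgorithm hash = entry.Value())
                {
                    byte[] digest = hash.ComputeHash(sample);
                    Console.WriteLine("{0,-28} OK      {1}-byte digest", entry.Key, digest.Length);
                }
            }
            catch (InvalidOperationException ex)
            {
                // The policy violation surfaces as InvalidOperationException.
                Console.WriteLine("{0,-28} BLOCKED {1}", entry.Key, ex.Message);
            }
        }
    }
}
```

Which of the managed classes are blocked depends on the .NET Framework version in use. The digest length column is relevant to the swap above: MD5 produces 16 bytes and SHA-1 produces 20, so any caller that stores or compares the helper's output by length should be checked.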

Answers

Use of ANY MD5 hash algorithm in .NET is considered NON-FIPS compliant so this will always give that error. I'm not sure what the AjaxRequestProcessor might be doing with MD5, it might be some kind of viewstate operation. Altering your viewstate encryption algorithm to use 3DES instead of MD5 may help.

Try adding this key in your system.web section of the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

Full article about the workaround HERE.

Also, just having debug="true" in your web.config can cause this error to crop up, as .NET uses MD5 for some debugging operations. Is debug="false" in your web.config?

<system.web>
    <compilation debug="false" />
</system.web>



