ASP.NET 2.0 RijndaelManaged encryption algorithm vs. FIPS
I'm running into an issue with an ASP.NET 2.0 application. Our network folks just upped our security, and now I get the following error whenever I try to access the app:
"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
I've done a little research, and it sounds like ASP.NET uses the RijndaelManaged AES encryption algorithm to encrypt the ViewState of pages... and RijndaelManaged is on the list of algorithms that aren't FIPS compliant. We're certainly not explicitly calling any encryption algorithm... much less anything on the non-compliant list.
This ViewState business makes sense to me, I guess. The thing I can't muddle out, though, is what to do about it. I've found a KB article that suggests using a web.config setting to specify a different algorithm... but either that didn't stick, or that algorithm isn't up to snuff, either.
So:
1) Is the RijndaelManaged / ViewState thing actually the problem? Or am I barking up the wrong tree?
2) How do I specify what algorithm to use instead of RijndaelManaged? I've got a list of algorithms that are and aren't compliant; I'm just not sure where to plug that information in.
Thanks!
Richard
8 Answers
Double check that you don't have <compilation debug="true" /> in your Web.config. When debug compilation is set, .NET uses an MD5 hash for some internal bookkeeping. MD5 is not FIPS compliant, so you get this error.
Regarding your 2nd question: Maybe this MSDN Article helps.
According to the docs you can configure the encryption algorithm like this:
<machineKey
    validationKey="AutoGenerate,IsolateApps"
    decryptionKey="AutoGenerate,IsolateApps"
    validation="3DES"
    decryption="3DES"/>
For validation, you can use one of the following:
[SHA1 | MD5 | 3DES | AES]
For decryption, you can use one of the following:
[Auto | DES | 3DES | AES]
So in order to be FIPS compliant, you might use 3DES (although AFAIK theoretically less secure).
Source:
http://blogs.msdn.com/b/shawnfa/archive/2008/03/14/disabling-the-fips-algorithm-check.aspx
You could add the following to your web.config or machine.config so your ASP.Net applications will stop failing due to the FIPS compliance checks.
<configuration>
    <runtime>
        <enforceFIPSPolicy enabled="false"/>
    </runtime>
</configuration>
Your machine.config can be found here:
Microsoft.NET\Framework\config\machine.config
If you change your machine.config, an iisreset may be required for the settings to take effect. Note: changing your machine.config will affect all .NET applications on the system.
To get your application to be FIPS compliant without having to disable FIPS, you can try the following:
1) Configure your machine key to use 3DES for decryption and SHA1 for validation.
EDIT (2018-04-05): The new IIS8.5 STIG says you should set your Machine Key settings to Validation: HMACSHA256, Encryption: Auto.
<configuration>
<system.web>
<authentication mode="Windows" />
<machineKey decryption="3DES" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" validationKey="AutoGenerate,IsolateApps" />
</system.web>
</configuration>
NOTE: if you are using a web farm environment, you can use IIS GUI and go to the Machine Keys configuration section to generate a set of keys and use the same keys across your web farm.
2) Ensure that your compilation debug="false", and all page directives have debug="false". Setting debug to true will also kick off the FIPS compliance check.
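The two steps in the answer above (machineKey algorithms plus debug="false") can be audited from a script rather than by eye. The following is an added example, not code from the original answers: a PowerShell function that reads a web.config, applies the ASP.NET 2.0 defaults for anything the file leaves unset, and reports the settings the thread identifies as tripping the FIPS check. The path in the usage line is hypothetical, and the flags encode the .NET 2.0 behaviour described in this thread (AES and Auto decryption mean RijndaelManaged, MD5 validation means MD5); on later frameworks the mapping of those names to implementations differs.

```powershell
function Test-FipsWebConfig {
    param([Parameter(Mandatory = $true)][string]$Path)

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $sysWeb = $cfg.configuration.'system.web'
    $findings = New-Object System.Collections.Generic.List[string]

    # Debug compilation: ASP.NET 2.0 computes MD5 hashes when debug="true",
    # which trips the FIPS policy no matter what the machineKey says.
    if ($sysWeb.compilation -and $sysWeb.compilation.debug -eq 'true') {
        $findings.Add('compilation debug="true" (MD5 is used internally): set debug="false"')
    }

    # machineKey: ASP.NET 2.0 defaults apply when the element or an attribute is absent.
    $validation = 'SHA1'
    $decryption = 'Auto'
    if ($sysWeb.machineKey) {
        if ($sysWeb.machineKey.validation) { $validation = $sysWeb.machineKey.validation }
        if ($sysWeb.machineKey.decryption) { $decryption = $sysWeb.machineKey.decryption }
    }

    # Flags follow the answers in this thread for .NET 2.0: "AES"/"Auto" decryption
    # resolve to RijndaelManaged and "MD5" validation to MD5, which the policy rejects.
    switch ($validation.ToUpperInvariant()) {
        'MD5' { $findings.Add("validation=`"$validation`": rejected under FIPS policy; use 3DES (or HMACSHA256 on newer frameworks, per the STIG note)") }
        'AES' { $findings.Add("validation=`"$validation`": RijndaelManaged on .NET 2.0; use 3DES (or HMACSHA256 on newer frameworks, per the STIG note)") }
    }
    switch ($decryption.ToUpperInvariant()) {
        'AES'  { $findings.Add("decryption=`"$decryption`": RijndaelManaged on .NET 2.0; use 3DES") }
        'AUTO' { $findings.Add("decryption=`"$decryption`": resolves to AES (RijndaelManaged) on .NET 2.0; set it explicitly to 3DES") }
        'DES'  { $findings.Add("decryption=`"$decryption`": single DES is 56-bit; use 3DES") }
    }

    [pscustomobject]@{
        Path       = $Path
        Validation = $validation
        Decryption = $decryption
        Findings   = $findings.ToArray()
    }
}

# Usage (hypothetical path; point it at the failing application's web.config).
Test-FipsWebConfig -Path 'C:\inetpub\wwwroot\MyApp\web.config' | Format-List
```

An empty Findings array does not prove the site will start under the policy: page-level debug="true" directives, SharePoint-style overrides in parent configs, and referenced assemblies that construct managed algorithms are not visible from the one file, which is why the later answers still matter.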
You will also need to do this on the box:
Enforcing FIPS Certified Cryptography
We've tried the machineKey you suggest. It's helped with some web applications (when paired with ), which is great, but not all of them, which is frustrating.
I'm missing something, but danged if I can tell what.
Some sites, like SharePoint sites, already have the SHA1 machine key in the web.config, so check to see if there is already an algorithm there. If there is, delete it and add the above.
The viewstate machine key and compilation="debug" config issues are the most common causes of this problem from what I've seen. As far as I know, in .NET 2.0, the 3DES algorithm for viewstate validation/encryption is the ONLY one that is FIPS compliant. So the SHA1, MD5, and AES options won't work there.
It's also important to realize that if a reference to ANY non-FIPS compliant algorithm is in the code, even if it is never actually used or reachable, it will cause the FIPS compliance error. For example, just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced DLLs are possibly using non-FIPS compliant algorithms as well.
Here's a handy site that lists all of the FIPS and non-FIPS algorithms in .NET
http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html
According to this answer, no managed implementation is FIPS-certified for the algorithms in the Cryptography namespace.
Using a non-managed implementation should solve your problem: Rijndael is the precursor of AES, so maybe try AesCng?
The drawback with unmanaged implementations is that they may not be compliant with older versions of Windows.
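The "Enforcing FIPS Certified Cryptography" answer and the two answers above it turn on the same question: is the policy actually on for this box, does the .NET runtime honour it, and which concrete classes throw under it. The following is an added example, not code from any of the answers, that checks all three from Windows PowerShell. It assumes Windows PowerShell 5.x running on the .NET Framework (PowerShell 7 on .NET Core never enforces the policy, so every class would report ok there) and a Windows Vista or later registry layout; the list of type names is the author's own selection. Because the policy is evaluated in the constructor, probing works by instantiating each type and classifying the resulting exception.

```powershell
function Get-FipsPolicyState {
    # The Group Policy setting "System cryptography: Use FIPS compliant algorithms..."
    # lands here as DWORD Enabled=1 on Windows Vista and later.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OsPolicyEnabled      = [bool]($item -and $item.Enabled -eq 1)
        # What the runtime decided for THIS process: reflects machine.config and
        # powershell.exe.config (enforceFIPSPolicy), not the web application's web.config.
        DotNetEnforcesPolicy = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-CryptoTypes {
    $typeNames = @(
        # Managed implementations: not FIPS-validated, expected to throw under the policy.
        'System.Security.Cryptography.RijndaelManaged',
        'System.Security.Cryptography.AesManaged',
        'System.Security.Cryptography.SHA256Managed',
        # Wrappers over the validated CSP/CNG providers: expected to construct.
        'System.Security.Cryptography.AesCryptoServiceProvider',
        'System.Security.Cryptography.TripleDESCryptoServiceProvider',
        'System.Security.Cryptography.SHA1CryptoServiceProvider',
        'System.Security.Cryptography.HMACSHA1',
        'System.Security.Cryptography.AesCng',        # .NET Framework 4.6.2+ only
        # A CSP wrapper for an algorithm the policy itself rejects.
        'System.Security.Cryptography.MD5CryptoServiceProvider'
    )
    foreach ($name in $typeNames) {
        $status = 'ok'
        try {
            # New-Object resolves the name across loaded assemblies (mscorlib, System.Core).
            $obj = New-Object -TypeName $name -ErrorAction Stop
            if ($obj -is [System.IDisposable]) { $obj.Dispose() }
        } catch {
            # New-Object wraps the constructor's exception; walk to the innermost one.
            $base = $_.Exception.GetBaseException()
            if ($base -is [System.InvalidOperationException]) {
                # "This implementation is not part of the Windows Platform FIPS validated..."
                $status = 'blocked by FIPS policy'
            } else {
                # Type not present on this framework version, or some other failure.
                $status = "unavailable: $($base.GetType().Name)"
            }
        }
        [pscustomobject]@{ Type = $name.Split('.')[-1]; Status = $status }
    }
}

Get-FipsPolicyState
Test-CryptoTypes | Format-Table -AutoSize
```

If OsPolicyEnabled is true but DotNetEnforcesPolicy is false, an enforceFIPSPolicy override is in effect for the process and every type will construct; if both are true, the rows marked "blocked by FIPS policy" are the classes that must not be constructed anywhere in the application or its referenced assemblies, which is the practical form of the warning in the earlier answer.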
Though not terribly relevant, hardly worthy of a -1, whoever you are - so balancing out by upvoting (if the -1er comes back and explains, I'm happy to remove my upvote). (The link explains how the network folks in question would have switched this policy on in the first place)
– Ruben Bartelink
Dec 4 '09 at 13:50