ASP.NET 2.0 RijndaelManaged encryption algorithm vs. FIPS

I'm running into an issue with an ASP.NET 2.0 application. Our network folks just upped our security, and now I get the following error whenever I try to access the app:

"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."

I've done a little research, and it sounds like ASP.NET uses the RijndaelManaged AES encryption algorithm to encrypt the ViewState of pages... and RijndaelManaged is on the list of algorithms that aren't FIPS compliant. We're certainly not explicitly calling any encryption algorithm... much less anything on the non-compliant list.

This ViewState business makes sense to me, I guess. The thing I can't muddle out, though, is what to do about it. I've found a KB article that suggests using a web.config setting to specify a different algorithm... but either that didn't stick, or that algorithm isn't up to snuff, either.

So:

1) Is the RijndaelManaged / ViewState thing actually the problem? Or am I barking up the wrong tree?

2) How do I specify what algorithm to use instead of RijndaelManaged? I've got a list of algorithms that are and aren't compliant; I'm just not sure where to plug that information in.

Thanks!

Richard

Asked by R Rush on Dec 16 '08 14:12


3 Answers

Double check that you don't have <compilation debug="true" /> in your Web.config. When debug compilation is set, .NET uses an MD5 hash for some internal bookkeeping. MD5 is not FIPS compliant so you get this error.

Answered by Paul Alexander, Nov 18 '22 01:11


Regarding your 2nd question: Maybe this MSDN Article helps.

According to the docs you can configure the encryption algorithm like this:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

For validation, you can use one of the following: [SHA1 | MD5 | 3DES | AES]

For decryption, you can use one of the following: [Auto | DES | 3DES | AES]

So in order to be FIPS compliant, you might use 3DES (although AFAIK theoretically less secure).

Answered by kay.herzam, Nov 18 '22 01:11


Source: Link

You could add the following to your web.config or machine.config so your ASP.Net applications will stop failing due to the FIPS compliance checks.

<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
</configuration>

Your machine.config can be found here: \Microsoft.NET\Framework<version>\config\machine.config

If you change your machine.config, an iisreset may be required for the settings to take effect. Note: changing your machine.config will affect all .NET applications on the system.


To get your application to be FIPS compliant without having to disable FIPS, you can try the following:

  1. Configure your machine key to use 3DES for decryption and SHA1 for validation.

EDIT (2018-04-05): The new IIS8.5 STIG says you should set your Machine Key settings to Validation: HMACSHA256, Encryption: Auto.

<configuration>
  <system.web>
    <authentication mode="Windows" />
    <machineKey decryption="3DES" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" validationKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>

NOTE: if you are using a web farm environment, you can use IIS GUI and go to the Machine Keys configuration section to generate a set of keys and use the same keys across your web farm.

  2. Ensure that your compilation debug="false", and all page directives have debug="false". Setting debug to true will also kick off the FIPS compliance check.

Answered by WWC, Nov 17 '22 23:11
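As an added example (not code from this thread, nor from Microsoft), the following Python script audits a web.config or machine.config for the three things the answers above point at: a compilation element with debug="true", machineKey validation/decryption algorithms outside the values the answers treat as FIPS-acceptable, and an enforceFIPSPolicy element that simply switches the check off. The acceptable sets (SHA1/3DES/AES/HMACSHA256 for validation, Auto/3DES/AES for decryption) come from the answers; the .NET 2.0 defaults applied when an attribute is absent (SHA1 and Auto), the namespace handling, and the two sample configs are assumptions constructed for this example.

```python
"""Audit an ASP.NET web.config / machine.config for the FIPS-related settings
discussed in the answers above.  Constructed example; not from the thread."""
import xml.etree.ElementTree as ET

# Acceptable values taken from the answers above: SHA1/3DES/AES from the MSDN
# list, HMACSHA256 from the IIS 8.5 STIG note.  MD5 is deliberately absent.
FIPS_OK_VALIDATION = {"SHA1", "3DES", "AES", "HMACSHA256"}
# 3DES/AES from the answers, Auto from the STIG note.  DES is left out: it is
# not a FIPS-approved cipher.
FIPS_OK_DECRYPTION = {"AUTO", "3DES", "AES"}

# Assumed .NET 2.0 defaults applied when <machineKey> or an attribute is absent.
DEFAULT_VALIDATION = "SHA1"
DEFAULT_DECRYPTION = "AUTO"

# Constructed sample: every setting the answers warn about, plus an xmlns on
# <configuration>, which some .NET 2.0 config templates carry.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <!-- debug build, non-FIPS machineKey choices, and the check switched off -->
  <runtime>
    <enforceFIPSPolicy enabled="false" />
  </runtime>
  <system.web>
    <compilation debug="true" />
    <machineKey validation="MD5" decryption="DES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

# Constructed sample following the STIG recommendation quoted in the last answer.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
    <machineKey validation="HMACSHA256" decryption="Auto"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""


def _strip_namespaces(root):
    """Drop the '{uri}' prefix ElementTree puts on namespaced tags so the
    path lookups below work whether or not xmlns is declared."""
    for el in root.iter():
        # comment nodes have a callable tag; only real elements are renamed
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_config(xml_text):
    """Return a list of 'CODE: message' findings; an empty list means the
    config has none of the problems discussed in the thread."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []

    comp = root.find("system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('DEBUG: <compilation debug="true"> makes .NET use MD5 '
                        'internally, which fails under FIPS policy; set debug="false"')

    mk = root.find("system.web/machineKey")
    validation = DEFAULT_VALIDATION if mk is None else mk.get("validation", DEFAULT_VALIDATION)
    decryption = DEFAULT_DECRYPTION if mk is None else mk.get("decryption", DEFAULT_DECRYPTION)
    if validation.upper() not in FIPS_OK_VALIDATION:
        findings.append(f"VALIDATION: machineKey validation={validation!r} is not one of "
                        f"{sorted(FIPS_OK_VALIDATION)}")
    if decryption.upper() not in FIPS_OK_DECRYPTION:
        findings.append(f"DECRYPTION: machineKey decryption={decryption!r} is not one of "
                        f"{sorted(FIPS_OK_DECRYPTION)}")

    policy = root.find("runtime/enforceFIPSPolicy")
    if policy is not None and policy.get("enabled", "true").lower() == "false":
        findings.append('FIPS_POLICY_DISABLED: enforceFIPSPolicy enabled="false" silences '
                        "the check instead of fixing the algorithms; in machine.config "
                        "it affects every .NET application on the host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

The script only sees web.config and machine.config; the second point in the last answer, debug="true" in individual @Page directives, lives in the .aspx files and has to be checked separately. Running the audit on the weak sample reports all four findings, and on the hardened sample none.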