How to check that an Asp.NET application is FIPS-ready

Question

I am using .net 3.5 and I'm trying to make my app FIPS compliant.I don't use any of the non FIPS algorithms but I still get this error when I run it on the production server.

This implementation is not the part of the Windows platform FIPS validated cryptographic algorithms.

Here is the List of algorithms that I have checked and I am sure that I haven't used them.

• HMACMD5
• HMACRIPEMD160
• HMACSHA256
• HMACSHA384
• HMACSHA512
• MD5CryptoServiceProvider
• RC2CryptoServiceProvider
• RijndaelManaged
• RIPEMD160Managed
• SHA1Managed

How can I find exactly where the problem is or any other ideas?

Answer 1

When you say "FIPS compliant", I assume you want to enforce FIPS 140 compliance in Windows and .Net cryptographic libraries mode by changing the Local Security Policy settings.

The challenge with FIPS 140 compliance (usually level 1 of the latest version of the standard, FIPS 140-2) using this mechanism, as you have discovered, is that it prevents the instantiation of non-FIPS 140 compliant algorithms, even if they are not used for a security-related purpose.

Presumably you have checked your code for any references to non-compliant algorithms using a tool like ildasm or Reflector. Otherwise, debug your code and look at the stack trace of the thrown InvalidOperationException to see where the problem lies.

One easy way to accomplish this is use the generic classes and avoid calling constructors directly. For example, if you want to use Advanced Encryption Standard (AES), instead of:

// Use the faster .Net implementation of AES. Not FIPS 140 compliant.
using (AesManaged aesManaged = new AesManaged())
{
    // Do something
}

use:

// Let .Net workout which implementation of AES to use. Will use
// a FIPS compliant implementation if FIPS is turned on.
using (Aes aes = Aes.Create())
{
    // Do something
}

Beyond your code, check third party libraries you use. You can use similar tools to the above to check any references from their code. If you have checked your code thoroughly, this is likely where the problem lies. Note that disassembling third party code could be a breach of copyright or license agreements.

Also check your SSL configuration. For example, the digital certificate used for SSL cannot used MD5. You also must use TLS 1.0 or later.

However, forcing Windows FIPS 140 compliance is doing it the hard way. Most customers, including the US government, do not require only FIPS compliant algorithms (or technically, implementations of these algorithms) to be used. For example, they are perfectly happy for you to use MD5 to create a hash key of a string.

Instead, customers want anything your product protects using cryptography to be protected by FIPS 140 complaint implementations of approved algorithms. In other words:

1. Identify each thing your product should protect
2. Protect them using FIPS 140 compliant libraries
3. Use tooling (e.g. static analysis), code review and/or third party audit to demonstrate enforcement.

Also note that turning on FIPS 140 mode does not necessarily make Windows or your product more secure. Security is much more complicated than choosing one cryptographic algorithm over another (or, specifically, a particular implementation of an algorithm over another implementation). Microsoft no longer recommends this be turned on by default.