My company has a project created with ASP.NET on .NET Framework 3.5, and a Windows Web Server 2008 R2 machine to host the project.
On the web server, we enabled the setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
After that, the application does not run. It shows the following error:
Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Stack Trace:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
System.Security.Cryptography.RijndaelManaged..ctor() +7715396
System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +232
System.Web.Configuration.MachineKeySection.EnsureConfig() +156
System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +37
System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +166
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Serialize(Object state) +4
System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +37
System.Web.UI.HiddenFieldPageStatePersister.Save() +79
System.Web.UI.Page.SavePageStateToPersistenceMedium(Object state) +105
System.Web.UI.Page.SaveAllState() +236
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1099
We are looking for a solution to this. Most of the solutions we found online suggest disabling FIPS checking, either by disabling the setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" or by adding these two lines to web.config:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
<enforceFIPSPolicy enabled="false"/>
But we don't want to disable FIPS checking for our code, for security purposes. Instead, we want to adjust our code or server setting so that it will enforce the FIPS policy in the project with interpreting its functionalities.
Can anyone give me any ideas on this?
There is a relevant MSDN blog. Try the following registry changes:
After you enable or disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting, you must restart your application, such as Internet Explorer, for the new setting to take effect.
In your case, it should be sufficient to recycle your website's app domain.
Note also the comment from @Basic that enabling FIPS mode, while potentially necessary to interact with government systems, can cause other security headaches.