How to enforce FIPS in asp.net code (This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.)

Question

My company has project created with ASP.NET in .Net Framework 3.5 and a windows web server 2008 r2 to host the project.

In the web server, we enabled the setting for "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"

After after that the application does not run. it shows the following error

Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Stack Trace:

[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.]
   System.Security.Cryptography.RijndaelManaged..ctor() +7715396
   System.Web.Configuration.MachineKeySection.ConfigureEncryptionObject() +232
   System.Web.Configuration.MachineKeySection.EnsureConfig() +156
   System.Web.Configuration.MachineKeySection.GetEncodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32& length) +37
   System.Web.UI.ObjectStateFormatter.Serialize(Object stateGraph) +166
   System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Serialize(Object state) +4
   System.Web.UI.Util.SerializeWithAssert(IStateFormatter formatter, Object stateGraph) +37
   System.Web.UI.HiddenFieldPageStatePersister.Save() +79
   System.Web.UI.Page.SavePageStateToPersistenceMedium(Object state) +105
   System.Web.UI.Page.SaveAllState() +236
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1099

We are looking for the solutions for this. Most of the solutions we found online are suggesting to disable FIPS checking by disabling the setting for "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". Or by adding these two lines in web.config.

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
<enforceFIPSPolicy enabled="false"/>

But we don't want to disable FIPS checking for our code for security purpose. Instead we want to adjust our code or server setting so that it will enforce the FIPS policy in the project with interpreting its functionalities.

Can anyone provide me any idea on this?

Answer 1

There is a relevant MSDN blog. Try the following registry changes:

• HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled This registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.
• HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy This registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.

After you enable or disable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting, you must restart your application, such as Internet Explorer, for the new setting to take effect.

In your case, it should be sufficient to recycle your website's app domain.

Note also the comment from @Basic, that enabling FIPS mode while potentially necessary to interact with government systems, can cause other security headaches.