Enforcing FIPS Certified Cryptography

re: Enforcing FIPS Certified Cryptography

Nicole Calinoiu — Tue, 17 May 2005 14:58:35 GMT

"which showed up for the first time in beta 2"

Umm... Beta 2 of which product? Certainly not Whidbey...

re: Enforcing FIPS Certified Cryptography

Anon — Tue, 17 May 2005 16:33:08 GMT

Web service calls over https fail with this flag enabled! Is there any way to force these to use FIPS crypto? Thanks for the useful info.

re: Enforcing FIPS Certified Cryptography

shawnfa — Tue, 17 May 2005 18:18:59 GMT

Yep -- should be in Whidbey beta 2.

-Shawn

re: Enforcing FIPS Certified Cryptography

shawnfa — Tue, 17 May 2005 18:19:47 GMT

HTTPS with this flag enabled will require the use of TLS instead of SSL. So you'll need to ensure that both ends of your connection support using that protocol.

-Shawn

re: Enforcing FIPS Certified Cryptography

Nicole Calinoiu — Tue, 17 May 2005 18:58:28 GMT

Sorry about the ambiguity... It's actually an option that's available on at least Windows XP SP2 that's never had Whidbey installed, so it can't be new to Whidbey.

re: Enforcing FIPS Certified Cryptography

shawnfa — Tue, 17 May 2005 19:08:54 GMT

Ahh ... right. This time the ambiguity is my fault :-)

The option will be available on the Windows policy settings on XP+. However, the CLR won't pay attention to it until Whidbey beta 2.

-Shawn

What's New in Security for v2.0

.Net Security Blog — Wed, 24 Aug 2005 17:46:50 GMT

There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.&nbsp; However,...

What's New in Security for v2.0

.Net Security Blog — Thu, 01 Sep 2005 00:08:39 GMT

There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.&nbsp; However,...

re: Enforcing FIPS Certified Cryptography

dls — Thu, 15 Dec 2005 18:41:40 GMT

Is this check available as a CAS attribute so that ecryption libraries external to the .NET framework's BCL, but written in managed code can take advantage of it?

re: Enforcing FIPS Certified Cryptography

Jerry — Wed, 22 Feb 2006 03:12:25 GMT

Well thats great that you enforce it with fips. Is there a managed provider than that is fips compliant? Wouldn't that be important if your locking it down?!?

re: Enforcing FIPS Certified Cryptography

shawnfa — Wed, 22 Feb 2006 20:25:17 GMT

Hi Jerry,

None of the pure managed algorithms are FIPS certified, however several of the CSP classes are. For instance, RSACryptoServiceProvider and SHA1CryptoServiceProvider.

Also note that FIPS is not on by default, it must either be turned on by the machine admin or a network admin via group policy.

-Shawn

re: Enforcing FIPS Certified Cryptography

Bob Larkin — Fri, 12 May 2006 20:19:27 GMT

Can anybody tell me the fix? I am trying to convince my employer to move from Classic ASP to Framework 2 but they continue new development in Classic ASP. Thanks!

mailTo:bob@hcdinc.com?subject=Enforcing%20FIPS%20Certified%20Cryptography

re: Enforcing FIPS Certified Cryptography

shawnfa — Mon, 15 May 2006 19:39:27 GMT

This isn't a bug, it's a new feature of the .NET framework 2.0. If you need to use non-FIPS certified algorithms, you should not set the registry key. This will prevent the CLR from throwing the exception.

-Shawn

re: Enforcing FIPS Certified Cryptography

Bob Larkin — Thu, 27 Jul 2006 20:30:09 GMT

FIPS Crytography is set by Group Policy. We have a test server outside the boundary with Framework 2 'allowed.' Unfortunately, my development work station is within the boundary. How can I comply with FIPS and use my work station to write .NET Framework 2 applications within this Group Policy?

Enabling FIPS for use in IIS 6.0 with SSL

Livin life... — Mon, 31 Jul 2006 22:42:27 GMT

Hey all~
Recently, a question was asked here to the Microsoft IIS experts that I found to be pretty...

re: Enforcing FIPS Certified Cryptography

shawnfa — Sat, 05 Aug 2006 01:42:47 GMT

Bob -- you can use FIPS aproved algorithms in your development. For instance, use SHA1Managed for hashing, TripleDESCryptoServiceProvider for symmetric encryption, and RSACryptoServiecProvider for asymmetric encryption.

-Shawn

re: Enforcing FIPS Certified Cryptography

Bill — Fri, 15 Sep 2006 01:34:38 GMT

Newbie warning: We constantly get the error 'This implementation is not part of the windows platform fips validated cryptographic algorithms' even when we aren't using any cryptographic functions. And we can't turn off the FIPS switch. Is there some setting we have to change in our VS05 config so that we can publish our code? These are small local windows applications, with no security related functions whatsoever... Please help!

re: Enforcing FIPS Certified Cryptography

Bill — Fri, 15 Sep 2006 17:47:13 GMT

Another FIPS related issue...

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=682308&SiteID=1

New Crypto Algorithms in Orcas

.Net Security Blog — Wed, 17 Jan 2007 21:21:06 GMT

The January CTP of Orcas is now available , and with it comes a total of 12 new cryptography algorithm

re: Enforcing FIPS Certified Cryptography

Brett — Wed, 31 Jan 2007 08:54:33 GMT

Has anyone successfully accomplished deploying an VB.NET ASP.NET website with FIPS enabled? I have tried changing the Web.Config file ViewState encryption to 3DES but to no avail. The pages still fail with the same warning. If you have found a way to deploy an ASP.NET application using Framework 2.0 PLEASE, PLEASE respond with how you were able to accomplish this.

re: Enforcing FIPS Certified Cryptography

gaddu — Sat, 10 Feb 2007 04:56:47 GMT

I have enabled FIPS in windows XP machine and created a new asp.net application. When I build the solution, I keep getting the FIPS error....Please help.......

re: Enforcing FIPS Certified Cryptography

shawnfa — Tue, 20 Feb 2007 22:20:36 GMT

At this point your only options is to disable FIPS on the machine unfortunately.

-Shawn

re: Enforcing FIPS Certified Cryptography

Patrick Allmond — Thu, 22 Feb 2007 01:00:55 GMT

Shawn,

Looking for some insight there that you might have. Lamont Harrington sent me over to your blog.

We have an n-tier application and have had everything running under FIPS for a couple of months just fine. Now we are trying add web services and all of our web service calls are failing. When we turn FIPS off the web service calls are able to be consumed OK.

I see an earlier post as where somebody was having a similair issue but I am not sure what the resolution was. Our browser that we are using has TLS on.

Do you have any suggestions as to where we might look for assistance?

Patrick

re: Enforcing FIPS Certified Cryptography

shawnfa — Fri, 23 Feb 2007 20:18:15 GMT

I'm not an expert in how the rest of Windows interacts with the FIPS setting, so I won't be able to provide you with much assistance. I know ASP.NET has some issues with FIPS on, so you might try asking over on the ASP.NET forums.

-Shawn

re: Enforcing FIPS Certified Cryptography

Khushboo Agarwal — Fri, 11 May 2007 12:42:31 GMT

I did have the same problem.But somehow by changing some of the settings ,I got it solved.

The IIS connection should be made correct(make sure it is installed).Disabled the FIPS in the local security settings and then reset the iis that is RUN >iisreset and then restart the system.Try it out.

Try enabling terminal services also.

re: Enforcing FIPS Certified Cryptography

Mike Lonergan — Fri, 24 Apr 2009 09:17:55 GMT

Hi there Shawn, I realize this article is ancient moldy old, but I am hoping you might be able to clarify something for us.

I've crawled through the info & articles you reference and tried to figure out exactly which framework classes are FIPS compliant (i.e. that implement FIPS-certified CSP code), and the best I've come up with so far is this:

FIPS-compliant classes in the System.Security.Cryptography namespace:

o TripleDESCryptoServiceProvider

o DSACryptoServiceProvider

o RSACryptoServiceProvider

o RNGCryptoServiceProvider

o AesCryptoServiceProvider (first implemented in .NET Framework 3.5)

o SHA256CryptoServiceProvider (first implemented in .NET Framework 3.5)

o SHA384CryptoServiceProvider (first implemented in .NET Framework 3.5)

o SHA512CryptoServiceProvider (first implemented in .NET Framework 3.5)

Non-FIPS-compliant classes in the System.Security.Cryptography namespace:

o AesManaged

o RijndaelManaged

o DESCryptoServiceProvider

o RC2CryptoServiceProvider

???

o HMACSHA1

o MACTripleDES

o MD5CryptoServiceProvider

o RIPEMD160

o SHA1Managed

o SHA256Managed

o SHA384Managed

o SHA512Managed

o ECDiffieHellman

o ECDiffieHellmanCng

o ECDiffieHellmanCngPublicKey

o ECDiffieHellmanKeyDerivationFunction

o ECDsa

o ECDsaCng

It's that last group under the ??? heading that's got me stumped. Are *NONE* of these classes invoking the FIPS-certified CSPs? If not, where's a guy supposed to get a FIPS-certified SHA-1 implementation through managed code?

Hope things are going well among the security denizens on campus - some days I really miss being up there...

re: Enforcing FIPS Certified Cryptography

shawnfa — Fri, 22 May 2009 00:22:44 GMT

The easy way to figure out if an algorithm is compliant or not is to look at the suffix. None of the *Managed types are FIPS certified. The *CryptoServiceProvider and *Cng types however, may well be FIPS certified. If they implement an algorithm that FIPS allows, and are using the default Microsoft providers, then they will be.

For instance, SHA256Managed is not (because it is *Managed). SHA256CryptoServiceProvider and SHA256Cng are. MD5CryptoServiceProvider is not (because MD5 is not a FIPS algorithm).

On your list above, the ECC CNG algorithms are FIPS certified, so you should be fine to use those.

-Shawn

re: Enforcing FIPS Certified Cryptography

r4 revolution for ds — Mon, 05 Oct 2009 09:20:37 GMT

Please provide some more information over FIPS. Provide links to related topics if possible. Thanx for the information any ways. Keep posting.