Enforcing FIPS Certified Cryptography

Certain types of software, such as code written for a government contract, must adhere to a strict set of guidelines, especially when it comes to security.  To better enable this type of software, v2.0 of the CLR provides the ability to enforce that only cryptographic algorithms that have been FIPS 140-1 certified can be used.  Even if you're not developing government applications, it's good to prepare your application for a new exception that can result from creating a crypto object on a machine where this policy is turned on.

On Windows XP and higher this switch is settable via Windows security settings or the registry.  The Windows policy itself is not new; what is new is that the CLR honors it, starting with v2.0 beta 2.  To enable the setting in the Windows security settings, set the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security option to Enabled.

Enabling FIPS via Windows Security Policy

In the registry, you can toggle this switch on by setting the DWORD FIPSAlgorithmPolicy under HKLM\System\CurrentControlSet\Control\Lsa to be equal to 1.

After enabling this setting, only cryptographic algorithms which are FIPS compliant will be allowed to be created in your managed applications.  As a general rule of thumb, this means that none of the *Managed algorithms (pure managed implementations) can be created, but you can create the *CryptoServiceProvider algorithms, which call into the Windows CAPI providers, as long as the algorithm itself is FIPS approved.  MD5 is not, so even the CryptoServiceProvider flavor of it is blocked.  Let's take a look at some quick sample code:

using System;
using System.Security.Cryptography;

class FipsSample
{
    static void Main()
    {
        try
        {
            // MD5 is not a FIPS approved algorithm, so this constructor throws when the policy is on
            MD5 md5 = new MD5CryptoServiceProvider();
            Console.WriteLine("Created algorithm");
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
        }
    }
}

If this code is run with the FIPS setting disabled, you'll see "Created algorithm" printed to the console as you would expect.  However, if the code is run with FIPS enforcement enabled, you'll get an InvalidOperationException:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Note that you'll get this exception no matter how you attempt to create the algorithm.  That means that even if you don't directly construct the algorithm, but instead go through one of the various Create() factory methods (MD5.Create(), SHA256.Create() and so on), you'll still be blocked.
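As an added example (my own code, not from the original post), here is a small probe you can run on a box before and after flipping the policy.  It reads the raw registry value, reports the managed view of the same switch (CryptoConfig.AllowOnlyFipsAlgorithms), and then tries a handful of constructors and Create() factories, printing which ones the CLR blocks.  It assumes .NET Framework 2.0 or later on Windows and is written in C# 2.0 syntax; the Vista-and-later registry location it also checks (Lsa\FipsAlgorithmPolicy\Enabled) is not mentioned in the post above.

```csharp
// Added example, not code from the original post: reports whether the CLR's
// FIPS-only check is on and which algorithm types it will let you construct.
// Assumes .NET Framework 2.0 or later on Windows (C# 2.0 syntax).
using System;
using System.Security.Cryptography;
using Microsoft.Win32;

class FipsProbe
{
    delegate IDisposable Factory();

    // Reads the raw policy value.  XP/2003 keep it as Lsa\FIPSAlgorithmPolicy (as the
    // post describes); Vista and later moved it to Lsa\FipsAlgorithmPolicy\Enabled.
    static object ReadFipsPolicy()
    {
        const string lsa = @"System\CurrentControlSet\Control\Lsa";
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(lsa + @"\FipsAlgorithmPolicy"))
        {
            if (k != null) return k.GetValue("Enabled");
        }
        using (RegistryKey k = Registry.LocalMachine.OpenSubKey(lsa))
        {
            return k == null ? null : k.GetValue("FIPSAlgorithmPolicy");
        }
    }

    // Constructs one algorithm and reports whether the FIPS check blocked it.
    static void Probe(string name, Factory create)
    {
        try
        {
            using (create()) { }
            Console.WriteLine("{0,-36} allowed", name);
        }
        catch (InvalidOperationException e)
        {
            // The exception type (and message) the post describes.
            Console.WriteLine("{0,-36} BLOCKED: {1}", name, e.Message);
        }
    }

    static void Main()
    {
        object policy = ReadFipsPolicy();
        Console.WriteLine("registry policy value                : {0}", policy == null ? "(not set)" : policy);
        // The managed view of the same switch, which is what the CLR consults.
        Console.WriteLine("CryptoConfig.AllowOnlyFipsAlgorithms : {0}", CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine();

        // Direct construction.  *Managed types are pure managed code and never FIPS
        // validated; *CryptoServiceProvider types pass only if the algorithm itself
        // is FIPS approved (MD5 is not).
        Probe("new MD5CryptoServiceProvider()", delegate { return new MD5CryptoServiceProvider(); });
        Probe("new SHA1Managed()", delegate { return new SHA1Managed(); });
        Probe("new SHA1CryptoServiceProvider()", delegate { return new SHA1CryptoServiceProvider(); });
        Probe("new RijndaelManaged()", delegate { return new RijndaelManaged(); });
        Probe("new TripleDESCryptoServiceProvider()", delegate { return new TripleDESCryptoServiceProvider(); });

        // Factory methods go through the same check, so Create() is not a way around it.
        Probe("MD5.Create()", delegate { return MD5.Create(); });
        Probe("SHA1.Create()", delegate { return SHA1.Create(); });
        Probe("SHA256.Create()", delegate { return SHA256.Create(); });
    }
}
```

Run it once with the policy off and once with it on (toggling the registry value described above and restarting the process) and diff the two outputs; that list is exactly what your application will lose on a locked-down machine, and it is a cheap way to find out before a customer does.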

Before enabling this setting, you should be aware that it will affect your entire system.  So any managed application running on the v2.0 framework which attempts to use a cryptographic algorithm that is not FIPS compliant will throw the InvalidOperationException.  Additionally, this setting affects other parts of Windows, including SSL/TLS in both IE and IIS, Terminal Server, and EFS.

Comments

  • Anonymous
    May 16, 2005
    "which showed up for the first time in beta 2"

    Umm... Beta 2 of which product? Certainly not Whidbey...

  • Anonymous
    May 17, 2005
    Web service calls over https fail with this flag enabled! Is there any way to force these to use FIPS crypto? Thanks for the useful info.

  • Anonymous
    May 17, 2005
    Yep -- should be in Whidbey beta 2.

    -Shawn

  • Anonymous
    May 17, 2005
    HTTPS with this flag enabled will require the use of TLS instead of SSL. So you'll need to ensure that both ends of your connection support using that protocol.

    -Shawn

  • Anonymous
    May 17, 2005
    Sorry about the ambiguity... It's actually an option that's available on at least Windows XP SP2 that's never had Whidbey installed, so it can't be new to Whidbey.

  • Anonymous
    May 17, 2005
    Ahh ... right. This time the ambiguity is my fault :-)

    The option will be available on the Windows policy settings on XP+. However, the CLR won't pay attention to it until Whidbey beta 2.

    -Shawn

  • Anonymous
    August 24, 2005
    There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.  However,...

  • Anonymous
    August 31, 2005
    There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.  However,...

  • Anonymous
    December 15, 2005
Is this check available as a CAS attribute so that encryption libraries external to the .NET framework's BCL, but written in managed code, can take advantage of it?

  • Anonymous
    February 21, 2006
Well, that's great that you enforce it with FIPS.  Is there a managed provider then that is FIPS compliant?  Wouldn't that be important if you're locking it down?!?

  • Anonymous
    February 22, 2006
    The comment has been removed

  • Anonymous
    May 12, 2006
    Can anybody tell me the fix? I am trying to convince my employer to move from Classic ASP to Framework 2 but they continue new development in Classic ASP. Thanks!

    mailTo:bob@hcdinc.com?subject=Enforcing%20FIPS%20Certified%20Cryptography

  • Anonymous
    May 15, 2006
    This isn't a bug, it's a new feature of the .NET framework 2.0.  If you need to use non-FIPS certified algorithms, you should not set the registry key.  This will prevent the CLR from throwing the exception.

    -Shawn

  • Anonymous
    July 27, 2006
FIPS Cryptography is set by Group Policy. We have a test server outside the boundary with Framework 2 'allowed.' Unfortunately, my development workstation is within the boundary. How can I comply with FIPS and use my workstation to write .NET Framework 2 applications within this Group Policy?

  • Anonymous
    July 31, 2006
    Hey all~
    Recently, a question was asked here to the Microsoft IIS experts that I found to be pretty...

  • Anonymous
    August 04, 2006
Bob -- you can use FIPS approved algorithms in your development.  For instance, use SHA1Managed for hashing, TripleDESCryptoServiceProvider for symmetric encryption, and RSACryptoServiceProvider for asymmetric encryption.

    -Shawn

  • Anonymous
    September 14, 2006
    Newbie warning: We constantly get the error 'This implementation is not part of the windows platform fips validated cryptographic algorithms' even when we aren't using any cryptographic functions.  And we can't turn off the FIPS switch. Is there some setting we have to change in our VS05 config so that we can publish our code? These are small local windows applications, with no security related functions whatsoever... Please help!

  • Anonymous
    September 15, 2006
    Another FIPS related issue...

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=682308&SiteID=1

  • Anonymous
    January 17, 2007
    The January CTP of Orcas is now available , and with it comes a total of 12 new cryptography algorithm

  • Anonymous
    January 30, 2007
    Has anyone successfully accomplished deploying an VB.NET ASP.NET website with FIPS enabled?  I have tried changing the Web.Config file ViewState encryption to 3DES but to no avail.  The pages still fail with the same warning. If you have found a way to deploy an ASP.NET application using Framework 2.0   PLEASE, PLEASE respond with how you were able to accomplish this.

  • Anonymous
    February 09, 2007
    I have enabled FIPS in windows XP machine and created a new asp.net application. When I build the solution, I keep getting the FIPS error....Please help.......

  • Anonymous
    February 20, 2007
At this point your only option is to disable FIPS on the machine, unfortunately. -Shawn

  • Anonymous
    February 21, 2007
Shawn, looking for some insight here that you might have. Lamont Harrington sent me over to your blog. We have an n-tier application and have had everything running under FIPS for a couple of months just fine. Now we are trying to add web services and all of our web service calls are failing. When we turn FIPS off the web service calls are able to be consumed OK. I see an earlier post where somebody was having a similar issue but I am not sure what the resolution was. The browser that we are using has TLS on. Do you have any suggestions as to where we might look for assistance? Patrick

  • Anonymous
    February 23, 2007
    I'm not an expert in how the rest of Windows interacts with the FIPS setting, so I won't be able to provide you with much assistance.  I know ASP.NET has some issues with FIPS on, so you might try asking over on the ASP.NET forums. -Shawn

  • Anonymous
    May 10, 2007
I did have the same problem. But somehow, by changing some of the settings, I got it solved. The IIS connection should be made correct (make sure it is installed). Disable FIPS in the local security settings, then reset IIS (Run > iisreset) and then restart the system. Try it out. Try enabling terminal services also.

  • Anonymous
    April 23, 2009
Hi there Shawn, I realize this article is ancient moldy old, but I am hoping you might be able to clarify something for us. I've crawled through the info & articles you reference and tried to figure out exactly which framework classes are FIPS compliant (i.e. that implement FIPS-certified CSP code), and the best I've come up with so far is this:

    FIPS-compliant classes in the System.Security.Cryptography namespace:
    o TripleDESCryptoServiceProvider
    o DSACryptoServiceProvider
    o RSACryptoServiceProvider
    o RNGCryptoServiceProvider
    o AesCryptoServiceProvider (first implemented in .NET Framework 3.5)
    o SHA256CryptoServiceProvider (first implemented in .NET Framework 3.5)
    o SHA384CryptoServiceProvider (first implemented in .NET Framework 3.5)
    o SHA512CryptoServiceProvider (first implemented in .NET Framework 3.5)

    Non-FIPS-compliant classes in the System.Security.Cryptography namespace:
    o AesManaged
    o RijndaelManaged
    o DESCryptoServiceProvider
    o RC2CryptoServiceProvider

    ???
    o HMACSHA1
    o MACTripleDES
    o MD5CryptoServiceProvider
    o RIPEMD160
    o SHA1Managed
    o SHA256Managed
    o SHA384Managed
    o SHA512Managed
    o ECDiffieHellman
    o ECDiffieHellmanCng
    o ECDiffieHellmanCngPublicKey
    o ECDiffieHellmanKeyDerivationFunction
    o ECDsa
    o ECDsaCng

    It's that last group under the ??? heading that's got me stumped.  Are NONE of these classes invoking the FIPS-certified CSPs?  If not, where's a guy supposed to get a FIPS-certified SHA-1 implementation through managed code? Hope things are going well among the security denizens on campus - some days I really miss being up there...

  • Anonymous
    May 21, 2009
    The easy way to figure out if an algorithm is compliant or not is to look at the suffix.  None of the *Managed types are FIPS certified.  The *CryptoServiceProvider and *Cng types however, may well be FIPS certified.  If they implement an algorithm that FIPS allows, and are using the default Microsoft providers, then they will be. For instance, SHA256Managed is not (because it is *Managed).  SHA256CryptoServiceProvider and SHA256Cng are.   MD5CryptoServiceProvider is not (because MD5 is not a FIPS algorithm). On your list above, the ECC CNG algorithms are FIPS certified, so you should be fine to use those. -Shawn

  • Anonymous
    October 04, 2009
    Please provide some more information over FIPS. Provide links to related topics if possible. Thanx for the information any ways. Keep posting.

  • Anonymous
    November 19, 2009
I am getting an error that "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms" while building my .NET Webservice. The framework I am using is 3.5 SP1 with WSE 3.0. Can anyone please suggest if I am missing anything?

  • Anonymous
    December 28, 2009
    The comment has been removed

  • Anonymous
    January 05, 2010
    SHA256CryptoServiceProvider is absolutely FIPS certified.  The problem that you're running into is that Windows XP doesn't support SHA-256 at the CAPI layer.  If you want to use that type, you need to use Windows 2003 Server or newer. -Shawn

  • Anonymous
    January 07, 2010
http://blogs.msdn.com/shawnfa/archive/2008/03/14/disabling-the-fips-algorithm-check.aspx To disable the FIPS check on an application level.

  • Anonymous
    January 12, 2010
    Is there a way to set AesCryptographicServiceProvider as the encryption algorhytm in web.config?

  • Anonymous
    March 26, 2010
    "SHA256CryptoServiceProvider is absolutely FIPS certified.  The problem that you're running into is that Windows XP doesn't support SHA-256 at the CAPI layer.  If you want to use that type, you need to use Windows 2003 Server or newer." -Shawn Our deployment environment is Windows Embedded (i.e Windows XP Service Pack 3 core). We must support the FIPS Security Policy but implement aes256-cbc cipher. It seems that the CAPI on Windows Embedded is truly the issue. Is there a way to upgrade the CAPI?

  • Anonymous
    December 10, 2013
We do not want to disable the FIPS flag as it is an audit requirement. So is the below solution OK? "You can use FIPS approved algorithms in your development.  For instance, use SHA1Managed for hashing, TripleDESCryptoServiceProvider for symmetric encryption, and RSACryptoServiceProvider for asymmetric encryption."