Make ASP.NET web application FIPS Compliant?

I need to understand how to make an ASP.NET web application FIPS compliant. To keep it simple, I created a new web application within VS 2008. I have FIPS enabled on my development machine, as the client using the web application will be a Federal agency that will enforce FIPS.

I can not even compile the new web application - as it gives me the error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I have rea开发者_JAVA技巧d documentation and added the following elements to the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

<enforceFIPSPolicy enabled="false" /> (also tried <enforceFIPSPolicy enabled="0" />)

But I still get this error. Again, I want to get this to work with a brand new web application before I attempt to get it to work with my actual solution.

I am using .NET 3.5 SP1 for the framework.

Any help would be greatly appreciated.

Thanks.

Chris

if a reference to ANY non-FIPS compliant algorithm is in the code, even if never actually used/reachable will cause the FIPS compliance error. For example just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced dlls are possibly using non-fips compliant algorithms as well.

Here's a handy site that lists all of the FIPS and non-FIPS algorithms in .NET http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

There are two things to make a new.NET application FIPs compliant.

1) In your machine key settings, use 3DES for decryption and SHA1 for validation, as you mentioned in the question. (There is a STIG out that says you should use SHA1. https://www.stigviewer.com/stig/iis_7.0_web_site/2014-03-25/finding/V-26026)

2) Ensure that the code is not in debug mode. The compilation section of your web.config and the page directives should all have debug="false". Debug="true" will kick off the FIPs compliance error before .Net can even run the first line of code.

For visual studio to compile the code, you may need to disable fips on visual studio.

For visual studion 2010:

• Open Devenv.exe.config from C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE if you are on x64 OS or C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\ on x86 OS

• Find </runtime> tag and add the following above that line:

  <enforceFIPSPolicy enabled="false"/> 
  

• After the above modification devenv config would look like:

  <configuration> 
  <runtime> 
  . 
  . 
  . 
  <enforceFIPSPolicy enabled="false"/> 
  </runtime> 
  </configuration> 
  

• Restart Visual Studio

https://blogs.msdn.microsoft.com/brijs/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010/

Sources: https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

https://blogs.msdn.microsoft.com/webtopics/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debugtrue/

http://forums.asp.net/t/1778719.aspx?+FIPS+validated+cryptographic+algorithms+3DES+machinekey+solution+didnt+work