AJAX.NET and FIPS
We have a few sections of our application that are using AJAX.NET 5.7.25.1. Our server administrators have enabled FIPS and we are running into the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Call stack:
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at MS.Utilities.MD5Helper.GetHash(Byte[] data)
at Ajax.AjaxRequestProcessor.Run()
at Ajax.AjaxHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Are the newer versions of the AJAX.NET libraries FIPS compliant?
The fastest way to get this done may be to just modify the AJAX.NET Pro source directly to remove the offending call that uses the MD5 algorithm. Go get the source for the version of AJAX.NET Pro you're using from CodePlex. In AjaxPro/Utilities/MD5Helper.cs:
Replace the line...
MD5 md5 = new MD5CryptoServiceProvider();
with the line...
SHA1 md5 = new SHA1CryptoServiceProvider();
That should fix it. SHA1 is FIPS compliant per this page
In this case... the only API that is being used is the ComputeHash() method, which both providers implement so...
Just by switching the crypto providers you should be able to compile and use the code without any other changes and without any annoying FIPS policy violation flags.
Use of ANY MD5 hash algorithm in .NET is considered NON-FIPS compliant, so this will always give that error. I'm not sure what the AjaxRequestProcessor might be doing with MD5; it might be some kind of viewstate operation. Altering your viewstate encryption algorithm to use 3DES instead of MD5 may help.
Try adding this key in your system.web section of the web.config file:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
Full article about the workaround HERE.
Also, just having debug="true" in your web.config can cause this error to crop up, as .NET uses MD5 for some debugging operations. Is debug="false" in your web.config?
<system.web>
  <compilation debug="false" />
</system.web>
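To see which hash implementations a FIPS-enabled server rejects before changing MD5Helper.cs or web.config, a small console probe can construct each candidate and report the result. This is an added example, not code from AJAX.NET or from the answers above; the class name FipsHashProbe and the candidate list are assumptions, it targets .NET Framework 4.0 or later, and which types are blocked depends on the framework version installed.

```csharp
// Added example (not AjaxPro code): reports which hash implementations can be
// constructed on this machine. Under the Windows FIPS policy, the blocked
// ones fail in their constructor, as in the call stack in the question.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class FipsHashProbe   // hypothetical name
{
    // Each factory builds one concrete implementation. The list is an
    // assumption; add the types your own code and libraries use.
    static readonly Dictionary<string, Func<HashAlgorithm>> Candidates =
        new Dictionary<string, Func<HashAlgorithm>>
        {
            { "MD5CryptoServiceProvider",    () => new MD5CryptoServiceProvider() },
            { "SHA1Managed",                 () => new SHA1Managed() },
            { "SHA1CryptoServiceProvider",   () => new SHA1CryptoServiceProvider() },
            { "SHA256Managed",               () => new SHA256Managed() },
            { "SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider() },
        };

    static void Main()
    {
        // True when the machine policy restricts .NET to FIPS-validated algorithms.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] sample = Encoding.UTF8.GetBytes("constructed sample input");
        foreach (KeyValuePair<string, Func<HashAlgorithm>> c in Candidates)
        {
            try
            {
                using (HashAlgorithm h = c.Value())
                {
                    string hex = BitConverter.ToString(h.ComputeHash(sample)).Replace("-", "");
                    Console.WriteLine("{0,-28} OK       {1}", c.Key, hex);
                }
            }
            catch (Exception ex)
            {
                // Probe only: record the exception type and message for the report.
                Console.WriteLine("{0,-28} BLOCKED  {1}: {2}", c.Key, ex.GetType().Name, ex.Message);
            }
        }
    }
}
```

Run it under the same account and framework version as the application pool, since the result reflects the machine's policy at the time of the call.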