ASPX pages fail due to FIPS 140 security policy

2019-07-02 01:54发布

I am working on a government site and am having some problems with my local security policy interferring with my web application. There is a setting called "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" which is enabled on my server.

Since that has been enabled, most of my aspx pages are returning the error "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." These pages aren't accessing any cryptographic methods. They do communicate with another database server, but that's it.

My problem is similar to the one described here. However, I don't have the option of disabling this FIPS security setting.

I am using .NET 4.0, IIS 7.0, and Windows Server 2008 R2, if that matters. Has anyone encountered this problem before?

Update

Unfortunately, correcting the machine key element to use a FIPS compliant algorithm did not completely solve my problem. I am still getting the error on alot of my pages.

I found two hotfixes which may be related. I will try to install these and see what happens.

1条回答
Viruses.
2楼-- · 2019-07-02 02:29

Refer to Microsoft's knowledge base article: KB 811833 - The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing...". Excerpt:

Microsoft .NET Framework applications such as Microsoft ASP.NET only allow for using algorithm implementations that are certified by NIST to be FIPS 140 compliant. Specifically, the only cryptographic algorithm classes that can be instantiated are those that implement FIPS-compliant algorithms. The names of these classes end in "CryptoServiceProvider" or "Cng". Any attempt to create an instance of other cryptographic algorithm classes, such as classes with names ending in "Managed", cause an InvalidOperationException exception to occur. Additionally, any attempt to create an instance of a cryptographic algorithm that is not FIPS compliant, such as MD5, also causes an InvalidOperationException exception.

By default, ASP.NET wants to use algorithms that are incompatible with FIPS compliance. To solve your problem, you'll need to change ASP.NET configuration to use a compatible algorithm instead. Refer to machineKey Element on how to configure another algorithm.

This MSDN forum post suggests 3DES ought to be compatible... although the machineKey documentation listed previously does say about AES (the default in ASP.NET 4.0) "This algorithm is compliant with the United States Federal Information Processing Standards (FIPS)".

I've also heard that having debug="true" in your web.config may cause the error.

查看更多
登录 后发表回答