Make ASP.NET web application FIPS Compliant?

Question

I need to understand how to make an ASP.NET web application FIPS compliant. To keep it simple, I created a new web application within VS 2008. I have FIPS enabled on my development machine, as the client using the web application will be a Federal agency that will enforce FIPS.

I can not even compile the new web application - as it gives me the error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I have read documentation and added the following elements to the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

<enforceFIPSPolicy enabled="false" /> (also tried <enforceFIPSPolicy enabled="0" />)

But I still get this error. Again, I want to get this to work with a brand new web application before I attempt to get it to work with my actual solution.

I am using .NET 3.5 SP1 for the framework.

Any help would be greatly appreciated.

Thanks.

Chris

Answer 1

Hey,

Check this out: http://forums.asp.net/t/1265047.aspx

HTH.

Answer 2

if a reference to ANY non-FIPS compliant algorithm is in the code, even if never actually used/reachable will cause the FIPS compliance error. For example just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced dlls are possibly using non-fips compliant algorithms as well.

Here's a handy site that lists all of the FIPS and non-FIPS algorithms in .NET http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html