tags:

views:

65

answers:

2
+3  Q: 

AJAX.NET and FIPS

We have a few sections of our application that are using AJAX.NET 5.7.25.1. Our server administrators have enabled FIPS and we are running into the following error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Call stack:

at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()     
at MS.Utilities.MD5Helper.GetHash(Byte[] data)     
at Ajax.AjaxRequestProcessor.Run()     
at Ajax.AjaxHandler.ProcessRequest(HttpContext context)     
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Are the newer versions of the AJAX.NET libraries FIPS compliant?

+1  A: 

Use of ANY MD5 hash algorithm in .NET is considered NON-FIPS compliant so this will always give that error. I'm not sure if the AjaxRequestProcessor might be doing with MD5, it might be some kind of viewstate operation. Altering your viewstate encryption algorithm to use 3DES instead of MD5 may help.

Try adding this key in your system.web section of the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

Full article about the workaround HERE.

Also, just having debug="true" in your webconfig can cause this error to crop up as .NET uses MD5 for some debugging operations. Is debug="false" in your web.config?

<system.web>
    <compilation debug="false">
</system.web>
zerrias  2010-08-20 15:19:20
+1  A: 

The fastest way to done here may be to just modify the AJAX.Net pro source directly to remove the offending call that uses the MD5 algorithm. Go get the source for the version of AJax.NET pro you're using from Codeplex. In AjaxPro/Utilities/MD5Helper.cs:

Replace the line...

MD5 md5 = new MD5CryptoServiceProvider();

with the line...

SHA1 md5 = new SHA1CryptoServiceProvider();

That should fix it. SHA1 is FIPS compliant per this page

In this case... the only API that is being used is the ComputeHash() method, which both providers implement so...

Just by switching the crypto providers you should be able to compile and use the code without any other changes and without any annoying FIPS policy violation flags.

Jay Stevens  2010-08-25 19:01:15

related questions

Generics in asp.net ajax?
Call a javascript function from outside its object
$get() and $find() with AJAX.NET
does Ajax controls works if the allowjavascript option turned off in browser
AJAX.Net - UpdatePanel doesn't delete old content
Ajax and checking actions in Ispostback
Ajax.net but no script
Ajax on Mono
JQuery Ui or AjaxControlToolkit ?
How to: Back button support "Ajax"
ValidatorEnable is not defined when rolled with AJAX
What's Page __EVENTARGUMENT?
collection of system properties using web browser
How can I register nested listview
AjaxUploader.dll works with Anonymous authentication, fails with Integrated Windows
How do I add a Microsoft AJAX auto complete textbox to an existing ASP.NET 3.5 SP1 web application project?
Can I use UpdatePanel in MasterPage to wrap nested pages?
Yet another About ajax.net update panels performance thread
Ajax POST method
UpdatePanel doesn't Refresh
Check if page is in partial rendering mode ASP.NET 2.0 + AJAX.NET
ASP.NET Ajax Error: Sys.WebForms.PageRequestManagerParserErrorException
What is the best free, Ajax.NET (System.Web.Extensions 3.5) compatible Rich Text Box control?
AJAX.NET Subscribe to Reorderlist ItemCommand or DeleteCommand?
IndexOutOfRangeException in the Ajax.Net extensions framework