+3  Q: 

AJAX.NET and FIPS

We have a few sections of our application that are using AJAX.NET 5.7.25.1. Our server administrators have enabled FIPS and we are running into the following error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Call stack:

at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at MS.Utilities.MD5Helper.GetHash(Byte[] data)
at Ajax.AjaxRequestProcessor.Run()
at Ajax.AjaxHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Are the newer versions of the AJAX.NET libraries FIPS compliant?

+1  A: 

Use of ANY MD5 hash algorithm in .NET is considered NON-FIPS compliant, so this will always give that error. I'm not sure what the AjaxRequestProcessor might be doing with MD5; it might be some kind of viewstate operation. Altering your viewstate encryption algorithm to use 3DES instead of MD5 may help.

Try adding this key in your system.web section of the web.config file:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

Full article about the workaround HERE.

Also, just having debug="true" in your web.config can cause this error to crop up, as .NET uses MD5 for some debugging operations. Is debug="false" in your web.config?

<system.web>
    <compilation debug="false" />
</system.web>
zerrias
+1  A: 

The fastest way to get done here may be to just modify the Ajax.NET Pro source directly to remove the offending call that uses the MD5 algorithm. Go get the source for the version of Ajax.NET Pro you're using from CodePlex. In AjaxPro/Utilities/MD5Helper.cs:

Replace the line...

MD5 md5 = new MD5CryptoServiceProvider();

with the line...

SHA1 md5 = new SHA1CryptoServiceProvider();

That should fix it. SHA1 is FIPS compliant per this page.

In this case... the only API that is being used is the ComputeHash() method, which both providers implement so...

Just by switching the crypto providers you should be able to compile and use the code without any other changes and without any annoying FIPS policy violation flags.

Jay Stevens
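As an added example (not Ajax.NET Pro's code and not from either answer above), the following C# shows both halves of the problem in the question and the second answer: reproducing the exception that the Windows FIPS policy raises when MD5CryptoServiceProvider is constructed, and a drop-in replacement for a GetHash(byte[]) helper that keeps the same ComputeHash-only shape but uses a FIPS-validated provider. It goes one step past the answer by using SHA-256 rather than SHA-1. The class name, namespace and sample input are assumptions; the only thing taken from the page is the GetHash(Byte[]) signature visible in the stack trace. It assumes .NET Framework 3.5 or later on Windows, where CryptoConfig.AllowOnlyFipsAlgorithms and SHA256CryptoServiceProvider exist.

```csharp
// Added example; not Ajax.NET Pro's code. Assumes .NET Framework 3.5+ on Windows.
using System;
using System.Security.Cryptography;
using System.Text;

namespace FipsHashDemo // hypothetical namespace
{
    public static class FipsSafeHashHelper // hypothetical class name
    {
        // Same signature as the MD5Helper.GetHash(Byte[]) call in the question's stack trace,
        // but backed by SHA-256 through the CAPI provider, which the Windows FIPS policy allows.
        // The digest is 32 bytes rather than MD5's 16, so anything that persists or compares a
        // fixed-length digest must be updated along with this helper.
        public static byte[] GetHash(byte[] data)
        {
            if (data == null) throw new ArgumentNullException("data");
            using (var sha = new SHA256CryptoServiceProvider())
            {
                return sha.ComputeHash(data);
            }
        }

        // Reproduces the failure the question reports: with the FIPS policy enforced, the
        // MD5CryptoServiceProvider constructor throws InvalidOperationException with the message
        // "This implementation is not part of the Windows Platform FIPS validated cryptographic
        // algorithms." Returns true when MD5 is blocked on the current machine.
        public static bool IsMd5Blocked()
        {
            try
            {
                using (new MD5CryptoServiceProvider()) { }
                return false;
            }
            catch (InvalidOperationException)
            {
                return true;
            }
        }

        public static void Main()
        {
            // CryptoConfig.AllowOnlyFipsAlgorithms exposes the policy flag the runtime checks,
            // so an application can fail early with a clear message instead of deep inside a handler.
            Console.WriteLine("FIPS-only policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
            Console.WriteLine("MD5CryptoServiceProvider blocked: " + IsMd5Blocked());

            // Constructed sample input standing in for a request body.
            byte[] input = Encoding.UTF8.GetBytes("sample Ajax.NET request body");
            byte[] digest = GetHash(input);
            Console.WriteLine("SHA-256: " + BitConverter.ToString(digest).Replace("-", ""));
        }
    }
}
```

On a machine without the FIPS policy, IsMd5Blocked() returns false and the program prints a hash; on the administrators' FIPS-enabled server it returns true, while GetHash() still succeeds because SHA256CryptoServiceProvider is on the validated list. Note that this addresses only the MD5Helper call in the stack trace; the machineKey validation setting from the first answer is a separate ASP.NET viewstate setting and does not change what the Ajax.NET library itself calls.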