Hi, I have a FDCC compliant workstation with FIPS 140-1 (Level 1) enabled.

Now I cannot run/debug any VS 2005/2008 applications on my machine.

I get the following error message in my browser:

Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The error points to line no. 1 of the default.aspx.cs file:

using System;

The only way to successfully debug/run my application is to set the following registry key to 0

HKLM\System\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy

I understand that there are some cryptographic algorithms that are not FIPS compliant on XP SP2, but I am not using cryptography at all. For that matter, the solution contains just a default.aspx page with default code in the .cs file, and even that fails to run.

So my question is why the webpage fails to load, and why the error points to line #1 "using System;" statement?

My next question is: how can I develop on a FIPS compliant, locked-down machine where I do not have edit rights on the registry?

Thanks kudlur

+2  A: 

Apparently, on top of using non-FIPS encryption algorithms, just having debug="true" in your web.config can cause this to happen in .NET 2.0 web apps:

<system.web>
    <compilation debug="true" />
</system.web>

Plus, if you are using the viewstate then you will need this key in your system.web section of the web.config as well:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

So in effect you CANNOT run apps in debug mode on FIPS compliant machines. I'd plead with your Group Policy admin to turn this off for dev machines or at least allow you to turn it on and off so you can still test running with FIPS enforcement on. This goes back to the debate over developing on machines without full admin privileges; this is a prime example of the kind of hurdles and annoyances that crop up without admin rights... but I digress.

Here are some reference articles about this FIPS thing:

http://blogs.msdn.com/shawnfa/archive/2005/05/16/417975.aspx

http://blogs.msdn.com/shawnfa/archive/2008/03/14/disabling-the-fips-algorithm-check.aspx

http://support.microsoft.com/default.aspx?scid=kb;EN-US;811833

http://support.microsoft.com/kb/911722

http://blogs.iis.net/webtopics/archive/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debug-true.aspx

zerrias
Thanks for fixing the links John!
zerrias
Gah! Thanks so much for this answer. I struggled with this for nearly an hour until realizing that debug=true was the real problem.
Matt Olenik
A: 

We have had these same issues at our location. In a nutshell, viewstate data in your web form is encrypted using the RijndaelManaged implementation of the AES algorithm, which is NOT FIPS compliant. The easiest solution is to add the following (or similar) line to your web.config file specifying 3DES encryption. 3DES is FIPS compliant.

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

You can get more info about the various FIPS compliant algorithms at http://csrc.nist.gov/groups/STM/cavp/index.html.

Hope that helps.

NBstrat
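
A pre-flight check for the two web.config settings the answers above point to (debug="true" and a machineKey that does not specify 3DES), written as an added example and not code from either poster. The function names and both sample configs are constructed for illustration, and treating a missing machineKey as a finding assumes the application uses viewstate, as both answers do.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the debug setting from the first answer, no machineKey.
FAILING = """<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>"""

# Constructed sample: debug off plus the machineKey line both answers give.
PASSING = """<configuration>
  <system.web>
    <compilation debug="false" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="3DES" decryption="3DES" />
  </system.web>
</configuration>"""


def _local(element):
    # Drop any "{namespace}" prefix so configs with an xmlns still match.
    return element.tag.rsplit("}", 1)[-1]


def fips_findings(web_config_xml):
    """Return (setting, value) pairs for the settings the answers flag."""
    root = ET.fromstring(web_config_xml)
    findings, keys = [], []
    # root.iter() also reaches <system.web> nested inside <location>.
    for web in (e for e in root.iter() if _local(e) == "system.web"):
        for child in web:
            name = _local(child)
            if name == "compilation":
                if child.get("debug", "false").strip().lower() == "true":
                    findings.append(("compilation/@debug", "true"))
            elif name == "machineKey":
                keys.append(child)
    if not keys:
        findings.append(("machineKey", "missing"))
    for key in keys:
        for attr in ("validation", "decryption"):
            value = key.get(attr)
            if value != "3DES":
                findings.append(("machineKey/@" + attr, value or "not set"))
    return findings

if __name__ == "__main__":
    for label, xml_text in (("FAILING", FAILING), ("PASSING", PASSING)):
        print(label, fips_findings(xml_text) or "no findings")
```

Running the same check in a build step lets a project catch these settings before the site is deployed to a host where the FIPS policy is enforced.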