FIPS issues in Windows, .NET, and Visual Studio

    (These are some issues and work-arounds I found while working with System.Security.Cryptography with FIPS enabled. Just wanted to pass them on to help anyone in a similar scenario.)

    FIPS (Federal Information Processing Standard) is a standard defined by NIST (National Institute of Standards and Technology) that specifies the security requirements for cryptographic modules. The FIPS standards are often required when working with government data.

    The following Microsoft articles provide some information on enabling/disabling the option and the effect it has.

    • "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows

      • Note that the "Managed" version of the System.Security.Cryptography classes will error with FIPS:

        "Microsoft .NET Framework applications such as Microsoft ASP.NET only allow for using algorithm implementations that are certified by NIST to be FIPS 140 compliant. Specifically, the only cryptographic algorithm classes that can be instantiated are those that implement FIPS-compliant algorithms. The names of these classes end in "CryptoServiceProvider" or "Cng." Any attempt to create an instance of other cryptographic algorithm classes, such as classes with names ending in "Managed," cause an InvalidOperationException exception to occur. Additionally, any attempt to create an instance of a cryptographic algorithm that is not FIPS compliant, such as MD5, also causes an InvalidOperationException exception."
    • Why We’re Not Recommending “FIPS Mode” Anymore (read: "by default")
      Microsoft has decided not to enable FIPS by default…"we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make."
      This is likely due to the complications and problems it can cause for individuals and corporations who do not need to comply with governmental regulations for data processing.

    Enabling/Disabling FIPS in Windows

    Using the Group Policy Editor (gpedit.msc), set the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security option to "Enabled".

    This will set the "Enabled" REG_DWORD value to 1 under the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy


    Example and Resolving Issues with Visual Studio's Code Analysis

    As stated above, the "Managed" cryptography classes are not FIPS compliant. For example, simply attempting to call the constructor for a SHA512Managed class will error:

    Dim nonFIPSCompliantHasher As New System.Security.Cryptography.SHA512Managed()

    The constructor, by design, throws an InvalidOperationException with a message like this: "This implementation is not part of the Windows Platform FIPS-validated cryptographic algorithms."

    Instead, use one of the following:

    ' CNG (Cryptography API: Next Generation) implementation - FIPS-validated
    Dim cngHasher As New System.Security.Cryptography.SHA512Cng()

    ' CryptoAPI (CSP) implementation - also FIPS-validated
    Dim svcHasher As New System.Security.Cryptography.SHA512CryptoServiceProvider()

    In some cases, such as RijndaelManaged, there may not be a valid implementation. This may require selection of a FIPS compliant alternative.

    Note that the Microsoft Code Analysis functionality itself is not FIPS compliant. So, when enabling FIPS for testing in a development environment, you may receive compilation errors relating to this.

    While it may take some trial and error, the work-around is to locate the related MSBuild.exe.config and disable the FIPS compliancy for it. For example, Visual Studio 2015 appears to use the following:

    C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe.config

    Edit this file and in the <runtime> section, add/set the enforceFIPSPolicy option to false.

    <configuration>
        <runtime>
            <!-- below tag will disable security policy checking for FIPS -->
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
    </configuration>

    This same option can be used to disable FIPS enforcement in your application's app.config file. However, it's preferable to actually address your application's cryptography shortcomings rather than bypassing them.


    • Edited by emc3 Friday, January 27, 2017 1:32 PM Included InvalidOperationException message.
    Friday, January 27, 2017 3:56 AM
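
    As an added illustration (not part of the original post), the following Windows PowerShell 5.1 script ties the pieces above together: it reads the FipsAlgorithmPolicy registry value that the Group Policy setting writes, reports whether the running .NET Framework actually enforces it (CryptoConfig.AllowOnlyFipsAlgorithms), probes which System.Security.Cryptography classes can be constructed, and hashes with SHA512Cng instead of SHA512Managed. The function names, the constructed sample input and the list of probed types are choices made for this example, not taken from the post. It assumes Windows PowerShell 5.1 on the .NET Framework; PowerShell 7 runs on .NET Core, which does not enforce this policy, so the "Managed" classes will not throw there.

```powershell
# Added example, not from the original post. Windows PowerShell 5.1 / .NET Framework.
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # Reads the registry value the Group Policy setting writes (Enabled = 1 turns enforcement on)
    $value = (Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = ($value -eq 1)
        # What the running .NET Framework enforces; it is read once per process,
        # so re-open the shell (and Visual Studio) after changing the key.
        RuntimeEnforces = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Set-FipsPolicyState {
    # Requires an elevated prompt. Same effect as the gpedit.msc setting on a standalone
    # machine; on a domain-joined machine Group Policy will overwrite it at the next refresh.
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Type DWord -Value ([int]$Enabled)
}

function Test-CryptoTypeUnderFips {
    # Tries to construct each type and reports whether the runtime rejects it
    param([Parameter(Mandatory)][string[]]$TypeName)
    foreach ($name in $TypeName) {
        try {
            $obj = New-Object -TypeName $name
            $obj.Dispose()
            [pscustomobject]@{ Type = $name; Allowed = $true; Error = $null }
        } catch {
            # New-Object wraps the constructor's exception; unwrap to see the InvalidOperationException
            $inner = $_.Exception.InnerException
            if (-not $inner) { $inner = $_.Exception }
            [pscustomobject]@{ Type = $name; Allowed = $false; Error = $inner.Message }
        }
    }
}

function Get-Sha512Hex {
    # Uses the CNG implementation, which is allowed under FIPS, and never touches SHA512Managed
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $hasher = New-Object System.Security.Cryptography.SHA512Cng
    try { ($hasher.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $hasher.Dispose() }
}

Get-FipsPolicyState

Test-CryptoTypeUnderFips -TypeName @(
    'System.Security.Cryptography.SHA512Managed',               # rejected when FIPS is on
    'System.Security.Cryptography.SHA512Cng',                   # allowed
    'System.Security.Cryptography.SHA512CryptoServiceProvider', # allowed
    'System.Security.Cryptography.RijndaelManaged',             # rejected; there is no Cng/CSP Rijndael
    'System.Security.Cryptography.AesCryptoServiceProvider',    # the FIPS-compliant AES replacement
    'System.Security.Cryptography.MD5CryptoServiceProvider'     # rejected: MD5 is not FIPS-approved at all
) | Format-Table -AutoSize

# Constructed sample input for the hash helper
Get-Sha512Hex -Bytes ([System.Text.Encoding]::UTF8.GetBytes('constructed sample input'))
```

    Run Set-FipsPolicyState from an elevated prompt, then open a new shell before calling Get-FipsPolicyState again, because the .NET Framework caches the policy value for the life of the process. The probe list shows the two distinct failure modes the post describes: SHA512Managed fails only because of its implementation and has Cng/CSP substitutes, while RijndaelManaged has no validated counterpart and must be replaced by AES (AesCryptoServiceProvider; AES is the 128-bit-block subset of Rijndael), and MD5 fails regardless of implementation because the algorithm itself is not FIPS-approved.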

All replies

  • Hi MSDN Folks,

    I followed the steps mentioned above to test FIPS compliance while enabling the option available in Security Options for FIPS.

    But unfortunately, I was not able to build the application and got an error stating "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."

    Well, I tested by creating a default sample UWP application, and still I was not able to build the solution successfully.

    Could you help in this regard, because the error you mention was not expected for me?

    PFB the screenshot for your reference.

    Monday, April 16, 2018 6:32 AM
  • I wrote this as an overview/summary to provide some basic info based on my personal experience.
    If you have a specific issue, I suggest creating a separate thread (you can refer/link to this one) and providing some more detail, including at least the name of the cryptography class(es) you are using and some code snippets, and maybe the OS version, VS version, .NET Framework version, etc. The error message alone isn't very useful.

    Saturday, April 21, 2018 2:33 AM
    Thanks for this post. It helped me figure out a problem we were having using the managed SHA256 algorithm.
    Friday, December 21, 2018 8:58 PM