Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

  • Question

  • In C# code, trying to encrypt data on a system where FIPS is enabled.

    internal byte[] MyKeyWrap(Aes aes)
    {
        byte[] keyData = this.protectedKeyData.GetPlaintext();
        try
        {
            return EncryptedXml.EncryptKey(keyData, aes);
        }
        finally
        {
            // The post omits the rest of the try statement; clearing the plaintext
            // key material after use is the assumed intent.
            Array.Clear(keyData, 0, keyData.Length);
        }
    }

    Error message:

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

    Inner call trace:

       at System.Security.Cryptography.RijndaelManaged..ctor()
       at System.Security.Cryptography.Xml.SymmetricKeyWrap.AESKeyWrapEncrypt(Byte[] rgbKey, Byte[] rgbWrappedKeyData)

    Enabled FIPS on Server 2016 by changing this setting in Group Policy:

    1. Press Windows Key+R to open the Run dialog.
    2. Type “gpedit.msc” into the Run dialog box (without the quotes) and press Enter.
    3. Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options” in the Group Policy Editor.
    4. Locate the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting in the right pane and double-click it.
    5. Set the setting to “Disabled” and click “OK.”
    6. Restart the computer.


    Thanks, Harish

    Tuesday, September 3, 2019 10:19 AM

All replies

  • Anyone faced this issue previously?

    Thanks, Harish


    Wednesday, September 4, 2019 3:34 AM
  • Hi Harish KC,

    Apologies for the delayed response.

    For your question, not all AES implementations support FIPS.

    AesManaged is fully implemented in .NET; however, the implementation is not FIPS compliant.

    AesCryptoServiceProvider uses the Windows implementation, which is FIPS compliant.

    Could you provide more details about your exception, with which line of the code threw the exception and some code about ‘this.protectedKeyData.GetPlaintext()’? It will help us to do the test.

    Besides, I note that you have posted the same question, and I will merge it with this case.

    Best Regards,

    Xingyu Zhao


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.



    Wednesday, September 4, 2019 9:15 AM
    Moderator
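    The split the reply above describes (managed classes blocked by the policy, CAPI/CNG wrappers allowed) can be checked directly on the machine that fails. The following diagnostic is an added example, not code from the thread or from Microsoft: it reads the policy value from its documented registry location, reports what CryptoConfig sees, and tries each constructor so the exact classes the policy rejects are listed. The class list is an assumption about what the application might use; on applications targeting .NET Framework 4.8 or later the managed constructors no longer throw, so the output depends on the target framework as well as the policy.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.Win32;

// Added diagnostic (not from the thread): shows which .NET Framework algorithm
// classes the FIPS policy blocks on this machine, and where the policy is read from.
static class FipsProbe
{
    // Documented location of "System cryptography: Use FIPS compliant algorithms...".
    const string PolicyKey = @"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy";

    public static bool PolicyEnabledInRegistry()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyKey))
        {
            return key != null && Convert.ToInt32(key.GetValue("Enabled", 0)) != 0;
        }
    }

    // Returns null when the constructor succeeds, otherwise the failure text.
    // The FIPS rejection is an InvalidOperationException thrown from the constructor.
    public static string Probe(Func<IDisposable> create)
    {
        try
        {
            using (create()) { }
            return null;
        }
        catch (Exception e)
        {
            return e.GetType().Name + ": " + e.Message;
        }
    }

    static void Main()
    {
        Console.WriteLine("Registry FipsAlgorithmPolicy\\Enabled : " + PolicyEnabledInRegistry());
        Console.WriteLine("CryptoConfig.AllowOnlyFipsAlgorithms  : " + CryptoConfig.AllowOnlyFipsAlgorithms);
        using (Aes created = Aes.Create())
        {
            Console.WriteLine("Aes.Create() returns                  : " + created.GetType().Name);
        }

        // Candidate classes (assumed list): managed implementations first, then the
        // wrappers over the validated Windows CAPI/CNG modules.
        var candidates = new Dictionary<string, Func<IDisposable>>
        {
            { "RijndaelManaged",             () => new RijndaelManaged() },
            { "AesManaged",                  () => new AesManaged() },
            { "SHA256Managed",               () => new SHA256Managed() },
            { "AesCryptoServiceProvider",    () => new AesCryptoServiceProvider() },
            { "SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider() },
            { "SHA256Cng",                   () => new SHA256Cng() },
        };
        foreach (KeyValuePair<string, Func<IDisposable>> c in candidates)
        {
            string failure = Probe(c.Value);
            Console.WriteLine("{0,-28} {1}", c.Key, failure ?? "OK");
        }
    }
}
```

    Run it once with the policy enabled and once with it disabled (reboot in between, as the policy steps require); the managed rows are the ones whose status changes, and Aes.Create() is the factory to prefer in application code because it resolves to the CAPI provider on .NET Framework.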
  • Hi,

    public static byte[] BackupEncryptionKey(ServiceEncryptionKey key, SecureString password)
    {
        // Copy the SecureString out as UTF-16 bytes, then zero and free the unmanaged copy.
        byte[] passwordBytes = new byte[password.Length * 2];
        IntPtr passwordBytesPtr = Marshal.SecureStringToCoTaskMemUnicode(password);
        Marshal.Copy(passwordBytesPtr, passwordBytes, 0, passwordBytes.Length);
        Marshal.ZeroFreeCoTaskMemUnicode(passwordBytesPtr);

        // PBKDF2 with a random salt. Rfc2898DeriveBytes copies the password, so the
        // local buffer can be cleared right away. PasswordHashIterations is a constant
        // defined elsewhere in the project (not shown in the post).
        Guid salt = Guid.NewGuid();
        byte[] derivedBytes;
        using (Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(passwordBytes, salt.ToByteArray(), PasswordHashIterations))
        {
            Array.Clear(passwordBytes, 0, passwordBytes.Length);
            derivedBytes = pdb.GetBytes(32);
        }

        byte[] wrappedKey;
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.KeySize = 256;
            aes.Key = derivedBytes;
            wrappedKey = key.MyKeyWrap(aes);
        }
        Array.Clear(derivedBytes, 0, derivedBytes.Length);
        return wrappedKey;
    }

    //ServiceEncryptionKey.cs

    internal byte[] GetPlaintext()
    {
        // The key is held DPAPI-protected in memory; unprotect a copy and trim the
        // padding that ProtectedMemory requires (multiples of 16 bytes).
        byte[] result = (byte[])this.ciphertext.Clone();
        ProtectedMemory.Unprotect(result, MemoryProtectionScope.SameProcess);
        if (result.Length > this.plaintextLength)
        {
            byte[] temp = result;
            result = new byte[this.plaintextLength];
            Buffer.BlockCopy(temp, 0, result, 0, this.plaintextLength);
            Array.Clear(temp, 0, temp.Length);
        }

        return result;
    }

    internal byte[] MyKeyWrap(AesCryptoServiceProvider aes)
    {
        byte[] keyData = this.protectedKeyData.GetPlaintext();
        try
        {
            return EncryptedXml.EncryptKey(keyData, aes);
        }
        finally
        {
            // The post omits the rest of the try statement; clearing the plaintext
            // key material after use is the assumed intent.
            Array.Clear(keyData, 0, keyData.Length);
        }
    }

    Error message:

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

    Inner call trace:

       at System.Security.Cryptography.RijndaelManaged..ctor()
       at System.Security.Cryptography.Xml.SymmetricKeyWrap.AESKeyWrapEncrypt(Byte[] rgbKey, Byte[] rgbWrappedKeyData)
       at EncryptedXml.EncryptKey(Byte[] keyData, AesCryptoServiceProvider aes)

    Note: everything works fine if we disable "FIPS".


    Thanks, Harish

    Thursday, September 5, 2019 4:50 AM
  • On further analysis on this issue.

    It is noted that Microsoft does not support this in .NET Framework < 4.8.

    It is supported from .NET Framework 4.8 onwards only.

    https://referencesource.microsoft.com/#System.Security/system/security/cryptography/xml/encryptedxml.cs,ca7338cd914910b2,references


    Thanks, Harish

    Thursday, September 5, 2019 5:27 AM
  • Hi Harish KC,

    Thanks for your feedback.

    Since the code you provided is not complete, I used the following code to make a test on my side with .NET Framework 4.8.

            static void Main(string[] args)
            {
                // Managed implementation used only to generate the key to be wrapped;
                // the wrapping key itself comes from the CAPI provider.
                using (RijndaelManaged sessionKey = new RijndaelManaged())
                using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
                {
                    sessionKey.KeySize = 256;
                    aes.KeySize = 256;
                    byte[] wrappedKey = EncryptedXml.EncryptKey(sessionKey.Key, aes);
                }
            }

    I enabled the 'FIPS' setting before the test, but I got no exception in the test.

    Could you provide a sample to help us reproduce your problem?

    Best Regards,

    Xingyu Zhao


    MSDN Community Support

    Thursday, September 5, 2019 8:17 AM
    Moderator
  • It is noted that Microsoft does not support this in .NET Framework < 4.8.

    It is supported from .NET Framework 4.8 onwards only.

    You are right. In .NET Framework 4.7.2, the System.Security.Cryptography.Xml.SymmetricKeyWrap.AESKeyWrapEncrypt method always uses RijndaelManaged, which is not FIPS-certified. In .NET Framework 4.8, it calls Aes.Create(), which uses AesCryptoServiceProvider by default.

    This is related to but distinct from the documented .NET Framework 4.8 change "Managed cryptography classes do not throw a CryptographyException in FIPS mode".

    Monday, September 9, 2019 6:50 AM
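    For code that has to run under the FIPS policy on a framework older than 4.8, the practical workaround is to stop going through EncryptedXml.EncryptKey and perform the same RFC 3394 AES Key Wrap (the "kw-aes" algorithm that SymmetricKeyWrap.AESKeyWrapEncrypt implements) on top of AesCryptoServiceProvider, which is the validated Windows implementation. The following is an added example, not code from the thread or from the .NET Framework: it wraps and unwraps with the FIPS-validated provider, checks itself against the public test vectors in RFC 3394 sections 4.1 and 4.3, and reports whether the policy is in force. It requires at least 16 bytes of key data (the thread's 32-byte key qualifies); the 8-byte special case that XML Encryption defines separately is not covered.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example (not from the thread): RFC 3394 AES Key Wrap on AesCryptoServiceProvider,
// so it works with the FIPS policy enabled on .NET Framework < 4.8, where
// EncryptedXml.EncryptKey constructs RijndaelManaged and throws.
static class FipsAesKeyWrap
{
    // RFC 3394 section 2.2.3.1 default initial value, also the integrity check value.
    static readonly byte[] DefaultIv = { 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6 };

    // Key wrap drives the raw block cipher on 128-bit blocks: ECB, no padding.
    static AesCryptoServiceProvider NewEcb(byte[] kek)
    {
        return new AesCryptoServiceProvider { Mode = CipherMode.ECB, Padding = PaddingMode.None, Key = kek };
    }

    // XOR the 64-bit big-endian counter t = n*j + i into A (RFC 3394 section 2.2.1).
    static void XorCounter(byte[] a, long t)
    {
        for (int k = 0; k < 8; k++) a[7 - k] ^= (byte)(t >> (8 * k));
    }

    public static byte[] Wrap(byte[] kek, byte[] plaintext)
    {
        if (plaintext.Length % 8 != 0 || plaintext.Length < 16)
            throw new ArgumentException("key data must be >= 16 bytes and a multiple of 8", "plaintext");
        int n = plaintext.Length / 8;
        byte[] a = (byte[])DefaultIv.Clone();
        byte[] r = (byte[])plaintext.Clone();            // R[1..n], 8 bytes each
        byte[] block = new byte[16], b = new byte[16];
        using (AesCryptoServiceProvider aes = NewEcb(kek))
        using (ICryptoTransform enc = aes.CreateEncryptor())
        {
            for (int j = 0; j <= 5; j++)
                for (int i = 1; i <= n; i++)
                {
                    Buffer.BlockCopy(a, 0, block, 0, 8);
                    Buffer.BlockCopy(r, (i - 1) * 8, block, 8, 8);
                    enc.TransformBlock(block, 0, 16, b, 0);   // B = AES(K, A | R[i])
                    Buffer.BlockCopy(b, 0, a, 0, 8);          // A = MSB64(B) ^ t
                    XorCounter(a, (long)n * j + i);
                    Buffer.BlockCopy(b, 8, r, (i - 1) * 8, 8); // R[i] = LSB64(B)
                }
        }
        byte[] c = new byte[8 + r.Length];
        Buffer.BlockCopy(a, 0, c, 0, 8);
        Buffer.BlockCopy(r, 0, c, 8, r.Length);
        return c;
    }

    public static byte[] Unwrap(byte[] kek, byte[] wrapped)
    {
        if (wrapped.Length % 8 != 0 || wrapped.Length < 24)
            throw new ArgumentException("wrapped key must be >= 24 bytes and a multiple of 8", "wrapped");
        int n = wrapped.Length / 8 - 1;
        byte[] a = new byte[8], r = new byte[n * 8];
        Buffer.BlockCopy(wrapped, 0, a, 0, 8);
        Buffer.BlockCopy(wrapped, 8, r, 0, r.Length);
        byte[] block = new byte[16], b = new byte[16];
        using (AesCryptoServiceProvider aes = NewEcb(kek))
        using (ICryptoTransform dec = aes.CreateDecryptor())
        {
            for (int j = 5; j >= 0; j--)
                for (int i = n; i >= 1; i--)
                {
                    XorCounter(a, (long)n * j + i);           // (A ^ t) | R[i]
                    Buffer.BlockCopy(a, 0, block, 0, 8);
                    Buffer.BlockCopy(r, (i - 1) * 8, block, 8, 8);
                    dec.TransformBlock(block, 0, 16, b, 0);   // B = AES^-1(K, ...)
                    Buffer.BlockCopy(b, 0, a, 0, 8);          // A = MSB64(B)
                    Buffer.BlockCopy(b, 8, r, (i - 1) * 8, 8); // R[i] = LSB64(B)
                }
        }
        // Constant-time compare of the recovered IV: a mismatch means wrong KEK or corrupted data.
        int diff = 0;
        for (int k = 0; k < 8; k++) diff |= a[k] ^ DefaultIv[k];
        if (diff != 0)
        {
            Array.Clear(r, 0, r.Length);
            throw new CryptographicException("AES key unwrap integrity check failed");
        }
        return r;
    }

    static byte[] FromHex(string hex)
    {
        return Enumerable.Range(0, hex.Length / 2).Select(i => Convert.ToByte(hex.Substring(2 * i, 2), 16)).ToArray();
    }

    static string ToHex(byte[] data) { return BitConverter.ToString(data).Replace("-", ""); }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        // Public test vectors from RFC 3394: section 4.1 (128-bit KEK), section 4.3 (256-bit KEK).
        string[][] vectors =
        {
            new[] { "000102030405060708090A0B0C0D0E0F", "00112233445566778899AABBCCDDEEFF",
                    "1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5" },
            new[] { "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F", "00112233445566778899AABBCCDDEEFF",
                    "64E8C3F9CE0F5BA263E9777905818A2A93C8191E7D6E8AE7" },
        };
        foreach (string[] v in vectors)
        {
            byte[] kek = FromHex(v[0]), data = FromHex(v[1]);
            byte[] wrapped = Wrap(kek, data);
            bool ok = ToHex(wrapped) == v[2] && ToHex(Unwrap(kek, wrapped)) == v[1];
            Console.WriteLine((ok ? "PASS " : "FAIL ") + v[2]);
        }
    }
}
```

    Because the output is byte-for-byte the RFC 3394 format that EncryptedXml produces for AES, keys wrapped this way on a pre-4.8 machine can still be unwrapped by EncryptedXml.DecryptKey on 4.8, and vice versa; the only thing that changes is which AES implementation the policy sees being constructed.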