开发者

ASPX pages fail due to FIPS 140 security policy

开发者 https://www.devze.com 2023-02-18 05:25 出处:网络
I am working on a government site and am having some problems with my local security policy interferring with my web application.There is a setting called \"System cryptography: Use FIPS 140 compliant

I am working on a government site and am having some problems with my local security policy interferring with my web application. There is a setting called "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" which is enabled on my server.

Since that has been enabled, most of my aspx pages are returning the error "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." These pages aren't accessing any cryptographic methods. T开发者_运维问答hey do communicate with another database server, but that's it.

My problem is similar to the one described here. However, I don't have the option of disabling this FIPS security setting.

I am using .NET 4.0, IIS 7.0, and Windows Server 2008 R2, if that matters. Has anyone encountered this problem before?

Update

Unfortunately, correcting the machine key element to use a FIPS compliant algorithm did not completely solve my problem. I am still getting the error on alot of my pages.

I found two hotfixes which may be related. I will try to install these and see what happens.

  • SQL Server Reporting Services R2 hotfix
  • ScriptManager Control hotfix


Refer to Microsoft's knowledge base article: KB 811833 - The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing...". Excerpt:

Microsoft .NET Framework applications such as Microsoft ASP.NET only allow for using algorithm implementations that are certified by NIST to be FIPS 140 compliant. Specifically, the only cryptographic algorithm classes that can be instantiated are those that implement FIPS-compliant algorithms. The names of these classes end in "CryptoServiceProvider" or "Cng". Any attempt to create an instance of other cryptographic algorithm classes, such as classes with names ending in "Managed", cause an InvalidOperationException exception to occur. Additionally, any attempt to create an instance of a cryptographic algorithm that is not FIPS compliant, such as MD5, also causes an InvalidOperationException exception.

By default, ASP.NET wants to use algorithms that are incompatible with FIPS compliance. To solve your problem, you'll need to change ASP.NET configuration to use a compatible algorithm instead. Refer to machineKey Element on how to configure another algorithm.

This MSDN forum post suggests 3DES ought to be compatible... although the machineKey documentation listed previously does say about AES (the default in ASP.NET 4.0) "This algorithm is compliant with the United States Federal Information Processing Standards (FIPS)".

I've also heard that having debug="true" in your web.config may cause the error.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号