How do you use FIPS validated cryptographic algorithms with Visual Studio 2010 and Windows 7?
S

3

6

I've enabled FIPS compliance mode in Windows 7, but now my code fails to compile with the following error:

Source file 'whatever.cs' could not be opened ('This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.')

I'm using SHA1 (hashing) and TripleDes (encryption) encryption. I also tried SHA512 and AES (256 bit key).

I can't get the project to build any more, but I need to compile it to use FIPS Compliant algorithms.

Spooner answered 17/2, 2011 at 20:54 Comment(0)
T
8

Try making a blank C# app and compiling it; it should fail for the same reason. Ultimately the problem is Visual Studio, not your code. Follow the instructions here and add this to your IDE's config file (Devenv.exe.config/VCSExpress.exe.config/vbexpress.exe.config):

<enforceFIPSPolicy enabled="false"/>

This doesn't mean that your app isn't running in FIPS compliant mode, it means that Visual Studio isn't now. Non-compliant code will still compile but if it tries to execute you'll receive a System.InvalidOperationException exception.

I think, but don't know for sure, that the algorithms that VS uses to generate certain hashes in libraries aren't actually FIPS compliant.

Thoroughpaced answered 17/2, 2011 at 21:39 Comment(5)
You can also try closing all open files in the IDE and then building. Someone wrote up the issue recently at Microsoft Connect: connect.microsoft.com/VisualStudio/feedback/details/644602/… – Jhelum
Setting that to false will prevent the CLR from throwing InvalidOperationExceptions from the constructor of uncertified algorithms and implementations. I'm not sure this is what you want to do if you are required to actually use FIPS certified algorithms. – Maggs
@SwDevMan81, that is true to a degree. However, that setting will only affect Visual Studio and not the program being created within. If you turn this policy on for VS and try to use MD5 you will get an error. – Thoroughpaced
The workaround in the link that indiv posted seems to work for me. If I close all the files, it builds successfully. – Epigraphy
Ugh. It's enforceFIPSPolicy, not enableFIPSPolicy. Thanks! – Mendelian
M
9

This has a list of FIPS compliant algorithms. A more complete list is here

FIPS compliant Algorithms:

Hash algorithms

HMACSHA1

MACTripleDES

SHA1CryptoServiceProvider

Symmetric algorithms (use the same key for encryption and decryption)

DESCryptoServiceProvider

TripleDESCryptoServiceProvider

Asymmetric algorithms (use a public key for encryption and a private key for decryption)

DSACryptoServiceProvider

RSACryptoServiceProvider

So you will need to use SHA1CryptoServiceProvider and TripleDESCryptoServiceProvider to be FIPS compliant.

Maggs answered 17/2, 2011 at 20:57 Comment(3)
When using that combination of algorithms I still receive the error I listed above. – Spooner
As indiv pointed out you might need to close all the files and restart VS. You might even want to create a new csproj and sln files. – Maggs
I believe HMACSHA1 corresponds to SHA1CSP algorithm. I hate how .net documentation doesn't tell you what algorithms' official names are, and what version is approved by FIPS etc. – Shani
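
The two answers above describe a run-time check (a constructor throwing System.InvalidOperationException) and a list of provider classes. The following C# console program is an added example, not code from any of the posters: it constructs each class on the machine where FIPS mode is enabled and reports which ones the policy rejects. The names FipsProbe and Probe are hypothetical, the class list is an assumption taken from the algorithms named in the question and answers, and the behaviour of the .NET Framework 4 runtime that ships with Visual Studio 2010 is assumed; other runtime versions can differ.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the original thread. Needs a reference to System.Core
// for the Aes* and SHA512CryptoServiceProvider types.
static class FipsProbe
{
    static int blocked;

    // Constructs one algorithm and reports whether the FIPS policy rejected it.
    static void Probe(string name, Func<IDisposable> create)
    {
        try
        {
            using (create())
                Console.WriteLine("OK       {0}", name);
        }
        catch (InvalidOperationException ex)
        {
            // Exception type named in the answer; the message is the one from the question.
            blocked++;
            Console.WriteLine("BLOCKED  {0}: {1}", name, ex.Message);
        }
    }

    static int Main()
    {
        // True when the runtime enforces the Windows FIPS policy for this process.
        Console.WriteLine("AllowOnlyFipsAlgorithms = {0}",
                          CryptoConfig.AllowOnlyFipsAlgorithms);

        // Classes listed in the answer as FIPS compliant.
        Probe("SHA1CryptoServiceProvider", () => new SHA1CryptoServiceProvider());
        Probe("HMACSHA1", () => new HMACSHA1());
        Probe("TripleDESCryptoServiceProvider", () => new TripleDESCryptoServiceProvider());

        // SHA512 and AES, which the question also tried, in both implementation styles.
        Probe("SHA512CryptoServiceProvider", () => new SHA512CryptoServiceProvider());
        Probe("SHA512Managed", () => new SHA512Managed());
        Probe("AesCryptoServiceProvider", () => new AesCryptoServiceProvider());
        Probe("AesManaged", () => new AesManaged());

        // MD5 is the case a comment above says will produce an error.
        Probe("MD5CryptoServiceProvider", () => new MD5CryptoServiceProvider());

        return blocked; // number of rejected constructors
    }
}
```

Run it without an enforceFIPSPolicy override in the program's own config file; otherwise the runtime skips the check and every line reports OK.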
B
0

> You can also try closing all open files in the IDE and then building. Someone wrote up the issue recently at Microsoft Connect: connect.microsoft.com/VisualStudio/feedback/details/644602/… – indiv

That also worked for me with Visual Studio 2010. In my case I had to close all open files and also restart Visual Studio.

Bramble answered 3/1, 2013 at 18:22 Comment(0)
