Have you ever got the "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." exception while trying to use some of the classes in the "System.Security.Cryptography" namespace?
The exception normally thrown is a "TargetInvocationException" exception and the message that accompanies it is usually the unhelpful "Exception has been thrown by the target of an invocation". It is only when you drill down into the InnerException that you see the "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." message. The reason that this exception is thrown is that you have tried to use a cryptographic algorithm that is not FIPS compliant.
What is FIPS compliance? FIPS stands for Federal Information Processing Standards. (link to more information) and are US Government standards that provide a benchmark for implementing cryptographic software.
WindowsXP and later operating systems have both FIPS compliant and non-compliant algorithms that can be used by developers. FIPS compliant algorithms are those that have been validated by the FIPS 140 program. One can call both the compliant and non-compliant algorithms as the check for FIPS compliance is by default turned off.
How do you turn on and off FIPS compliance checking:
Two methods:
1. Go to Control Panel -> Administrative Tools -> Local Security Policy
Enable the setting for "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
2. Another method is to directly edit the registry by setting the following value to 0 (disable) or 1 (enable)
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
Alternatively you can copy the following lines into a registry script file (.reg) and run it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"fipsalgorithmpolicy"=dword:00000001
Note: One thing that I am not certain off is that this option might be available only on Windows XP Professional OSs and not in the basic Windows XP OS. I havent been able to confirm this via documentation - but the option is not available on my home machine (Windows XP), but is available on my work machine (Windows XP Pro).
For Developers:
So what does this mean for developers? If you ever envision your software running on a government computer (especially in the US), you should turn on FIPS compliance checking. This way, your application that uses cryptography algorithms provided by the OS will work on all machines and you wont have to deal with the "Exception has been thrown by the target of an invocation".
For .NET Developers:
FIPS compliance checking (if turned on in the local security policy) I think was introduced starting in version 2.0 of .NET. Unfortunately, the MSDN documentation on FIPS compliance is pretty skimpy and there is no list of the algorithms in the "System.Security.Cryptography" namespace that are FIPS compliant. (Also there is no property that can be checked or an interface or base class that FIPS compliant algorithms implement - which would allow for runtime checking - hint, hint MS).
So here is a quick list that I obtained by using reflection (C# code is below)
FIPS compliant Algorithms:
Hash algorithms
HMACSHA1
MACTripleDES
SHA1CryptoServiceProvider
Symmetric algorithms (use the same key for encryption and decryption)
DESCryptoServiceProvider
TripleDESCryptoServiceProvider
Asymmetric algorithms (use a public key for encryption and a private key for decryption)
DSACryptoServiceProvider
RSACryptoServiceProvider
Algorithms that are not FIPS compliant
HMACMD5
HMACRIPEMD160
HMACSHA256
HMACSHA384
HMACSHA512
MD5CryptoServiceProvider
RC2CryptoServiceProvider
RijndaelManaged
RIPEMD160Managed
SHA1Managed
Useful Links:
- The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions (link)
- FIPS 140 evaluation (link)
- Enforcing FIPS Certified Cryptography (link)
- .NET 2.0 and FIPS (link)
Code:
Here is some quick C# code to help you test for FIPS compliance:
Remember to enable FIPS compliance using one of the methods suggested above before running this code, otherwise all the algorithms will come up as being FIPS compliant.