Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>I never realized this before this question, but you're right. The constructor has this:</p> <pre><code>public RijndaelManaged() { if (Utils.FipsAlgorithmPolicy == 1) { throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm")); } } </code></pre> <p><a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged.aspx" rel="noreferrer">System.Security.Cryptography.AesManaged</a> has something similar:</p> <pre><code>public AesManaged() { if (CoreCryptoConfig.EnforceFipsAlgorithms) { throw new InvalidOperationException(SR.GetString("Cryptography_NonCompliantFIPSAlgorithm")); } this.m_rijndael = new RijndaelManaged(); this.m_rijndael.BlockSize = this.BlockSize; this.m_rijndael.KeySize = this.KeySize; } </code></pre> <p>Have you tried <a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.aescryptoserviceprovider.aspx" rel="noreferrer">System.Security.Cryptography.AesCryptoServiceProvider</a>? It should work since it's using the <a href="http://en.wikipedia.org/wiki/Cryptographic_API" rel="noreferrer">CAPI</a> based FIPS AES implementation built into Windows.</p> <p><a href="http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/e0b4493f-6e20-4b75-a118-6b6e5d26a2a6" rel="noreferrer">This question</a> on Microsoft's .NET Base Class Library forum discusses which algorithms are FIPS compliant and has good links.</p> <p>It appears that Microsoft is making <a href="http://support.microsoft.com/kb/811833" rel="noreferrer">a consistent effort to obey the setting</a> of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy on pre-Vista machines and use of the <a href="http://msdn.microsoft.com/en-us/library/aa375460(VS.85).aspx" rel="noreferrer">BCryptGetFipsAlgorithmMode</a> API for post-Vista.</p> <p>I assume there is non-trivial effort involved in certifying an implementation as FIPS compliant, that is why Microsoft probably doesn't want to repeat the process and only offers the AesCryptoServiceProvider for customers that absolutely need this requirement.</p> <p><a href="http://blogs.msdn.com/shawnfa/archive/2005/05/16/417975.aspx" rel="noreferrer">This MSDN blog post</a> has a comment that makes it clearer:</p> <blockquote> <p>The easy way to figure out if an algorithm is compliant or not is to look at the suffix. None of the *Managed types are FIPS certified. The *CryptoServiceProvider and *Cng types however, may well be FIPS certified. If they implement an algorithm that FIPS allows, and are using the default Microsoft providers, then they will be.</p> <p>For instance, SHA256Managed is not (because it is *Managed). SHA256CryptoServiceProvider and SHA256Cng are.<br> MD5CryptoServiceProvider is not (because MD5 is not a FIPS algorithm).</p> </blockquote>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload