Enforcing FIPS Certified Cryptography

Certain types of software, such as code written for a government contract, require adhering to a strict set of guidelines, especially when it comes to security.  To better enable this type of software, v2.0 of the CLR provides the ability for you to enforce that only cryptographic algorithms that have been FIPS 140-1 certified can be used.  Even if you're not developing government applications, it's good to prepare your application for a new exception that can result from creating a crypto object.

On Windows XP and higher this switch, which showed up for the first time in beta 2, is settable via Windows security settings or the registry.  To enable the setting in the Windows security settings, you should set the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security option to enabled.

Enabling FIPS via Windows Security Policy

In the registry, you can toggle this switch on by setting the DWORD FIPSAlgorithmPolicy under HKLM\System\CurrentControlSet\Control\Lsa to be equal to 1.

After enabling this setting, only cryptographic algorithms that are FIPS compliant will be allowed to be created in your managed applications.  As a general rule of thumb, this means that none of the *Managed algorithms can be created, but you can create the *CryptoServiceProvider algorithms.  Let's take a look at some quick sample code:

using System;
using System.Security.Cryptography;
class Program
{
    static void Main()
    {
        try
        {
            // MD5 is not a FIPS-approved algorithm, so this throws when enforcement is on.
            MD5 md5 = new MD5CryptoServiceProvider();
            Console.WriteLine("Created algorithm");
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
        }
    }
}

If this code is run with the FIPS setting disabled, you'll see "Created algorithm" printed to the console as you would expect.  However, if the code is run with FIPS enforcement enabled, you'll get an InvalidOperationException:

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Note that you'll get this exception no matter how you attempt to create the algorithm.  That means that even if you don't directly construct the algorithm, but instead attempt to use one of the various Create() methods, you'll still be blocked.
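To see how the policy applies across implementations, here is an added example in C# (not code from the original post): it reads the registry DWORD described above, then tries to construct a handful of managed and CryptoServiceProvider implementations, including one obtained through a Create() factory, and reports which ones the runtime rejects with InvalidOperationException.  The fallback registry location (Lsa\FipsAlgorithmPolicy\Enabled, used by later Windows versions) and the candidate list are my own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.Win32;

// Added example, not code from the original post: reports whether the FIPS policy is
// switched on and which implementations the runtime lets this process construct.
static class FipsProbe
{
    delegate object Factory();
    // Reads the DWORD described above; the location later Windows versions use
    // (Lsa\FipsAlgorithmPolicy\Enabled) is checked as a fallback (assumption).
    public static bool FipsPolicyEnabled()
    {
        using (RegistryKey lsa = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Control\Lsa"))
        {
            if (lsa == null) return false;
            if (Equals(lsa.GetValue("FIPSAlgorithmPolicy"), 1)) return true;
            using (RegistryKey sub = lsa.OpenSubKey("FipsAlgorithmPolicy"))
                return sub != null && Equals(sub.GetValue("Enabled"), 1);
        }
    }
    // Managed, CSP and Create() candidates: the policy applies however the object is built.
    static readonly KeyValuePair<string, Factory>[] Candidates = {
        new KeyValuePair<string, Factory>("SHA1Managed", delegate { return new SHA1Managed(); }),
        new KeyValuePair<string, Factory>("SHA1CryptoServiceProvider", delegate { return new SHA1CryptoServiceProvider(); }),
        new KeyValuePair<string, Factory>("MD5CryptoServiceProvider", delegate { return new MD5CryptoServiceProvider(); }),
        new KeyValuePair<string, Factory>("MD5.Create()", delegate { return MD5.Create(); }),
        new KeyValuePair<string, Factory>("RijndaelManaged", delegate { return new RijndaelManaged(); }),
        new KeyValuePair<string, Factory>("TripleDESCryptoServiceProvider", delegate { return new TripleDESCryptoServiceProvider(); }),
    };
    // Tries each candidate; InvalidOperationException is the FIPS policy rejection.
    public static Dictionary<string, string> Probe()
    {
        Dictionary<string, string> results = new Dictionary<string, string>();
        foreach (KeyValuePair<string, Factory> c in Candidates)
        {
            try { using (IDisposable d = c.Value() as IDisposable) { } results[c.Key] = "created"; }
            catch (InvalidOperationException) { results[c.Key] = "blocked by FIPS policy"; }
            catch (Exception e) { results[c.Key] = "error: " + e.GetType().Name; }
        }
        return results;
    }
    static void Main()
    {
        Console.WriteLine("FIPS policy enabled: " + FipsPolicyEnabled());
        foreach (KeyValuePair<string, string> r in Probe()) Console.WriteLine(r.Key.PadRight(32) + r.Value);
    }
}
```

Run it once with the policy off and once with it on to get a per-implementation inventory of what your application will be able to construct.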

Before enabling this setting, you should be aware that it will affect your entire system.  Any managed application running on the v2.0 framework which attempts to use a cryptographic algorithm that is not FIPS compliant will throw the InvalidOperationException.  Additionally, this setting affects other parts of Windows, including SSL/TLS in both IE and IIS, Terminal Server, and EFS.