Disabling the FIPS Algorithm Check

.NET 2.0 introduced a check for FIPS-certified algorithms, applied when the local security policy is configured to require them.  When that policy is in force, algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throw an InvalidOperationException from their constructors.

In some cases this isn’t a desirable behavior.  For instance, some applications need to use the MD5 hashing algorithm for compatibility with an older communication protocol or file format.  Prior to .NET 3.5, the AES algorithm was only available in an implementation which was not FIPS certified, and if you needed to use that algorithm the FIPS check could also block you.

To help these cases, we added a configuration file switch to .NET 2.0 SP 1 (and therefore .NET 3.5) which allows an application to say “I know what I’m doing, please don’t enforce FIPS for me”.  Such applications can set up a configuration file containing an element similar to:

        <enforceFIPSPolicy enabled="false"/>

This prevents the CLR from throwing InvalidOperationException from the constructors of uncertified algorithms and implementations.
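As an added illustration (not code from the original post), the program below shows the behaviour described above and a narrower alternative to switching the check off for the whole application: prefer a FIPS-certified implementation where one exists, and confine the non-certified algorithm to the one legacy code path that needs it. It targets .NET 3.5 and relies on CryptoConfig.AllowOnlyFipsAlgorithms, which reports whether the runtime is enforcing the policy (it is false when the local policy does not require FIPS, or when the `<enforceFIPSPolicy enabled="false"/>` element above is present under `<configuration><runtime>` in the application's config file). The sample input is constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the original post. Demonstrates the FIPS
// constructor check and a per-call fallback instead of a global switch-off.
static class FipsCheckDemo
{
    // True when the runtime is enforcing the FIPS policy, i.e. the local
    // security policy requires FIPS and enforceFIPSPolicy has not been
    // disabled in the config file.
    public static bool FipsEnforced()
    {
        return CryptoConfig.AllowOnlyFipsAlgorithms;
    }

    // SHA-256 via the CAPI-backed, FIPS-certified implementation (.NET 3.5).
    // This constructor succeeds whether or not the policy is enforced, so
    // code that only needs an approved algorithm never needs the switch.
    public static byte[] Sha256(byte[] data)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return sha.ComputeHash(data);
    }

    // MD5 is not FIPS-approved in any implementation, so under enforcement
    // its constructor throws InvalidOperationException. Return null rather
    // than crashing, so the legacy caller can decide what to do.
    public static byte[] TryMd5(byte[] data)
    {
        try
        {
            using (var md5 = new MD5CryptoServiceProvider())
                return md5.ComputeHash(data);
        }
        catch (InvalidOperationException)
        {
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample input for the demonstration.
        byte[] sample = Encoding.ASCII.GetBytes("constructed sample input");

        Console.WriteLine("FIPS policy enforced: " + FipsEnforced());
        Console.WriteLine("SHA-256: " + BitConverter.ToString(Sha256(sample)));

        byte[] md5 = TryMd5(sample);
        Console.WriteLine(md5 == null
            ? "MD5 blocked by FIPS policy (expected when enforced without the switch)"
            : "MD5: " + BitConverter.ToString(md5));
    }
}
```

Run it once with the local policy requiring FIPS and no config switch, and once with the `<enforceFIPSPolicy enabled="false"/>` element in the app's config: the SHA-256 line is identical in both runs, and only the MD5 line changes, which is the point of keeping the non-certified algorithm isolated rather than relaxing the check for every constructor in the process.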

Comments (4)

  1. Eric says:

    WOW… this setting has SAVED us.  

    Even asp.net 3.5 uses Page.EncryptString in several places, which creates a Rj algorithm even though it won’t be used.  Without this switch, we couldn’t even use a lot of asp.net.

  2. What is the full form of FIPS?

  3. Federal Information Processing Standard

  4. digirati82 says:

    Fixes this error:

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

    Thank you!