If you enabled the “fipsalgorithmpolicy” sub key in registry location “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” to “1”, the applications that used the RijndaelManaged class give an exception saying:
“Error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms”
The RijindaelManaged class is NOT FIPS complaint. Instead you can use the AesCryptoServiceProvider class which is an FIPS equivalent of RijindaelManaged.
AesCryptoServiceProvider calls the Crypto API, which uses RSAENH.DLL, which has been validated by NIST in the Cryptographic Module Validation Program. Of Couse, it will only work on systems where AES was implemented in RSAENH.DLL (Windows XP and higher). It will not run on Windows 2000.
Related question that comes up are:
· If we encrypt data using the RijndaelManaged class can we can decrypt it using the FIPS complaint AesCryptoServiceProvider class and vice versa?
The answer is YES.
However the RijindaelManaged class implements the AES algorithm, but the implementation has not been verified under the NIST Cryptographic Module Verification Program. So, if there was a subtle difference in handling certain key values, for example, it may not work.
· What does FIPS compliance mean?
FIPS compliance means the implementation of the algorithm itself has been tested by the US Government’s NIST agency for all known conditions and produces the correct result. This testing helps ensure compatibility between implementations that receive validated status. Non-validated implementations have not received this testing and therefore may, or may not be 100% completely interoperable.
For reference on AesCryptoServiceProvider class please see the link