When you say "FIPS-compliant," I assume that you want to meet FIPS 140 requirements in the Windows and .Net cryptographic library modes by changing the "Local Security Policy Settings".
The problem with complying with FIPS 140 (usually level 1 of the latest version of the standard, FIPS 140-2) using this mechanism is that it prevents the creation of instances of algorithms that are not FIPS 140 compliant, even if they are not used for security-related purposes.
Presumably, you checked your code for references to inappropriate algorithms with a tool such as ildasm or Reflector. Otherwise, debug your code and look at the InvalidOperationException stack trace to see where the problem is.
One easy way to achieve this is to use the common base classes and not access the constructors directly. For example, if you want to use Advanced Encryption Standard (AES), instead of:

```csharp
// Use the faster .Net implementation of AES. Not FIPS 140 compliant.
using (AesManaged aesManaged = new AesManaged())
{
    // Do something
}
```

use:

```csharp
// Let .Net work out which implementation of AES to use. Will use
// a FIPS compliant implementation if FIPS is turned on.
using (Aes aes = Aes.Create())
{
    // Do something
}
```
Beyond your code, check the third-party libraries you use. You can use the same tools as above to check any references in their code. If you have carefully checked your own code, this is probably the problem. Please note that disassembling third-party code may violate copyright or license agreements.
Also check your SSL configuration. For example, the digital certificate used for SSL cannot use MD5. You must also use TLS 1.0 or later.
However, enforcing compliance with Windows FIPS 140 makes this difficult. Most customers, including the US government, do not require the use of only FIPS-compatible algorithms (or technically, implementations of these algorithms). For example, they are very happy to use MD5 to create a string hash key.
Instead, customers want your product to be protected with cryptography, and that protection should use FIPS 140 compliant implementations of approved algorithms. In other words:
- Define everything that your product should protect.
- Protect them using libraries compatible with FIPS 140.
- Use tools (such as static analysis), code verification, and / or third-party audits to demonstrate enforcement.
Also note that enabling FIPS 140 mode does not necessarily make Windows or your product more secure. Security is much more complicated than choosing one cryptographic algorithm over another (or, in particular, a specific implementation of the algorithm over another implementation). Microsoft no longer recommends enabling it by default.
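As an added example (not part of the answer above), the following small probe shows the difference the answer describes: with the FIPS policy enabled, the `AesManaged` constructor is rejected with the `InvalidOperationException` you would see in the stack trace, while `Aes.Create()` still works and can round-trip data. It assumes .NET Framework on Windows; on .NET Core/5+ the managed classes are not blocked by the policy.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed example (not from the original answer). Assumes .NET Framework on
// Windows; on .NET Core/5+ the managed classes are not blocked by the policy.
static class FipsProbe
{
    // Mirrors the "Use FIPS compliant algorithms" Local Security Policy setting.
    public static bool FipsEnforced => CryptoConfig.AllowOnlyFipsAlgorithms;

    // Tries a constructor or factory and reports whether FIPS policy rejected it.
    // InvalidOperationException is the exception the answer tells you to look for.
    public static bool TryCreate(string label, Func<IDisposable> factory)
    {
        try
        {
            using (factory()) { Console.WriteLine(label + ": created"); return true; }
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine(label + ": blocked by FIPS policy (" + ex.Message + ")");
            return false;
        }
    }

    // Encrypts and decrypts with whichever AES implementation Aes.Create() picks;
    // a fresh random key and IV are generated, so this is a round-trip check only.
    public static string RoundTrip(string plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.GenerateKey();
            aes.GenerateIV();
            byte[] input = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher, clear;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(input, 0, input.Length);
            using (ICryptoTransform dec = aes.CreateDecryptor())
                clear = dec.TransformFinalBlock(cipher, 0, cipher.Length);
            return Encoding.UTF8.GetString(clear);
        }
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced: " + FipsEnforced);
        TryCreate("AesManaged (not FIPS validated)", () => new AesManaged());
        TryCreate("Aes.Create()", () => Aes.Create());
        Console.WriteLine("Round trip: " + RoundTrip("sensitive data"));
    }
}
```

Run it once with the policy off and once with it on to see which line changes; the same probe pattern can be extended to any other class you suspect of being the source of the exception.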