Disabling the FIPS Algorithm Check

.NET 2.0 introduced a check for FIPS certified algorithms, applied when the local security policy is configured to require them. This resulted in algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throwing an InvalidOperationException from their constructors.

In some cases this isn't a desirable behavior. For instance, some applications need to use the MD5 hashing algorithm for compatibility with an older communication protocol or file format. Prior to .NET 3.5, the AES algorithm was only available in an implementation which was not FIPS certified, so if you needed to use that algorithm the FIPS check could also block you.

To help these cases, we added a configuration file switch to .NET 2.0 SP 1 (and therefore .NET 3.5) which allows an application to say "I know what I'm doing, please don't enforce FIPS for me". Such applications can set up a configuration file similar to:

    <configuration>
        <runtime>
            <enforceFIPSPolicy enabled="false"/>
        </runtime>
    </configuration>

This setting prevents the CLR from throwing InvalidOperationException from the constructors of uncertified algorithms and implementations.
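The following is an added example (not code from the original post). It assumes .NET Framework 3.5 or later on Windows, and shows how a process can observe the effective FIPS policy through CryptoConfig.AllowOnlyFipsAlgorithms and, where a certified implementation exists, prefer it over flipping the switch above for the whole application; the input string is constructed for the demo.

```csharp
// Added example, not from the original post. Assumes .NET Framework 3.5+ on Windows.
// Reports whether FIPS enforcement applies to this process and shows which
// implementations its constructor check accepts, so that a certified one can be
// chosen instead of disabling enforcement with <enforceFIPSPolicy enabled="false"/>.
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsAwareCrypto
{
    // Under FIPS enforcement, uncertified implementations throw
    // InvalidOperationException from their constructor; report that instead of failing.
    static T TryCreate<T>(Func<T> factory, string name) where T : class
    {
        try { T alg = factory(); Console.WriteLine("{0}: created", name); return alg; }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("{0}: blocked by FIPS policy ({1})", name, ex.Message);
            return null;
        }
    }

    static void Main()
    {
        // True when the machine policy requires FIPS algorithms and the
        // enforceFIPSPolicy config switch has not turned enforcement off.
        Console.WriteLine("AllowOnlyFipsAlgorithms = {0}", CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");

        // CAPI-backed, certified implementation: works whether or not enforcement is on.
        using (HashAlgorithm sha = TryCreate<HashAlgorithm>(() => new SHA256CryptoServiceProvider(), "SHA256CryptoServiceProvider"))
            if (sha != null) Console.WriteLine(BitConverter.ToString(sha.ComputeHash(data)));

        // Managed implementation of the same algorithm: not certified, blocked under enforcement.
        using (HashAlgorithm shaManaged = TryCreate<HashAlgorithm>(() => new SHA256Managed(), "SHA256Managed"))
            if (shaManaged != null) Console.WriteLine(BitConverter.ToString(shaManaged.ComputeHash(data)));

        // MD5 is not a FIPS algorithm at all, so every implementation is blocked; this is
        // the legacy-format case the post's config switch exists for.
        using (HashAlgorithm md5 = TryCreate<HashAlgorithm>(() => new MD5CryptoServiceProvider(), "MD5CryptoServiceProvider"))
            if (md5 != null) Console.WriteLine(BitConverter.ToString(md5.ComputeHash(data)));

        // AES: RijndaelManaged is uncertified; AesCryptoServiceProvider (new in 3.5) is certified.
        using (SymmetricAlgorithm rij = TryCreate<SymmetricAlgorithm>(() => new RijndaelManaged(), "RijndaelManaged")) { }
        using (SymmetricAlgorithm aes = TryCreate<SymmetricAlgorithm>(() => new AesCryptoServiceProvider(), "AesCryptoServiceProvider")) { }
    }
}
```

Run it once with the machine FIPS policy enabled and once with the config switch from the post in place to see which constructors succeed in each mode.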

Comments

  • Anonymous
    April 22, 2009
    WOW... this setting has SAVED us.   Even asp.net 3.5 uses Page.EncryptString in several places, which creates a Rj algorithm even though it won't be used.  Without this switch, we couldn't even use a lot of asp.net.

  • Anonymous
    May 18, 2009
    What is the full form of FIPS?

  • Anonymous
    May 21, 2009
    Federal Information Processing Standard - Shawn

  • Anonymous
    March 17, 2010
    Fixes this error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. Thank you!