ASP.NET 2.0 RijndaelManaged encryption algorithm and FIPS
I'm running into an issue with an ASP.NET 2.0 application. Our network folks just upped our security, and now I get the following error whenever I try to access the app:
"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
I've done a little research, and it sounds like ASP.NET uses the RijndaelManaged AES encryption algorithm to encrypt the ViewState of pages... and RijndaelManaged is on the list of algorithms that aren't FIPS compliant. We're certainly not explicitly calling any encryption algorithm... much less anything on the non-compliant list.
This ViewState business makes sense to me, I guess. The thing I can't muddle out, though, is what to do about it. I've found a KB article that suggests using a web.config setting to specify a different algorithm... but either that didn't stick, or that algorithm isn't up to snuff, either.
So:
1) Is the RijndaelManaged / ViewState thing actually the problem? Or am I barking up the wrong tree?
2) How do I specify what algorithm to use instead of RijndaelManaged? I've got a list of algorithms that are and aren't compliant; I'm just not sure where to plug that information in.
Thanks!
Richard
Comments (8)
Double check that you don't have
<compilation debug="true" />
in your Web.config. When debug compilation is set, .NET uses an MD5 hash for some internal bookkeeping. MD5 is not FIPS compliant so you get this error.
Regarding your 2nd question: Maybe this MSDN Article helps.
According to the docs you can configure the encryption algorithm like this:
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="3DES"
decryption="3DES"/>
For validation, you can use one of the following:
[SHA1 | MD5 | 3DES | AES]
For decryption, you can use one of the following:
[Auto | DES | 3DES | AES]
So in order to be FIPS compliant, you might use 3DES (although AFAIK theoretically less secure).
Source:
Link
You could add the following to your web.config or machine.config so your ASP.Net applications will stop failing due to the FIPS compliance checks.
Your machine.config can be found here:
\Microsoft.NET\Framework<version>\config\machine.config
If you change your machine.config, an iisreset may be required for the settings to take effect. Note: changing your machine.config will affect all .NET applications on the system.
To get your application to be FIPS compliant without having to disable FIPS, you can try the following:
EDIT (2018-04-05): The new IIS8.5 STIG says you should set your Machine Key settings to Validation: HMACSHA256, Encryption: Auto.
NOTE: if you are using a web farm environment, you can use IIS GUI and go to the Machine Keys configuration section to generate a set of keys and use the same keys across your web farm.
you will also need to do this on the box
Enforcing FIPS Certified Cryptography
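The answers above blame two web.config settings (compilation debug="true" and the machineKey validation/decryption algorithms) and point at the OS-level FIPS policy. The following PowerShell script checks all three on one IIS box; it is an added example, not code from any of the answers, and the web.config path it defaults to is a hypothetical placeholder.

```powershell
# Added example, not from the thread: audit one IIS box for the settings discussed above.
# $WebConfig is a hypothetical path; point it at the failing application's web.config.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\MyApp\web.config'
)

# 1. Is the OS-level "Use FIPS compliant algorithms" policy switched on?
#    (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, DWORD value Enabled)
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
Write-Output ("FIPS policy enforced on this box: {0}" -f ($null -ne $fips -and $fips.Enabled -eq 1))

# 2. Look at the two web.config settings the answers blame for the error
[xml]$cfg = Get-Content -Path $WebConfig
$sysWeb = $cfg.configuration.'system.web'
$findings = @()

if ($sysWeb.compilation -and $sysWeb.compilation.debug -eq 'true') {
    $findings += 'compilation debug="true": .NET uses MD5 for bookkeeping, which fails under FIPS policy'
}

$mk = $sysWeb.machineKey
if (-not $mk) {
    $findings += 'no <machineKey> element: machine.config defaults apply (validation="SHA1" on .NET 2.0)'
} else {
    # SHA1/MD5 validation use managed hash implementations; the thread says only 3DES works
    # on .NET 2.0, and the IIS 8.5 STIG recommends validation=HMACSHA256, decryption=Auto.
    if (@('SHA1', 'MD5') -contains $mk.validation) {
        $findings += ('machineKey validation="{0}" is not FIPS compliant' -f $mk.validation)
    }
    if ($mk.decryption -eq 'DES') {
        $findings += 'machineKey decryption="DES": single DES is not FIPS approved; use 3DES or AES'
    }
}

if ($findings.Count -eq 0) { Write-Output 'No FIPS-related findings in web.config' }
else { $findings | ForEach-Object { Write-Output ('FINDING: {0}' -f $_) } }
```

Run it on the server itself, because the registry check reads the local policy; repeat with the machine.config path from the answer above to cover settings inherited by every application.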
We've tried the machineKey you suggest. It's helped with some web applications (when paired with ), which is great, but not all of them, which is frustrating.
I'm missing something, but danged if I can tell what.
Some sites like SharePoint sites have the SHA1 machine key already in the web config, so check to see if there is already an algorithm there; if there is, delete it and add the above.
The viewstate machine key and compilation="debug" config issues are the most common causes of this problem from what I've seen. As far as I know, in .NET 2.0, the 3DES algorithm for viewstate validation/encryption is the ONLY one that is FIPS compliant. So the SHA1, MD5, and AES options won't work there.
It's also important to realize that if a reference to ANY non-FIPS compliant algorithm is in the code, even if never actually used/reachable, it will cause the FIPS compliance error. For example, just declaring an MD5CryptoServiceProvider variable without even instantiating it will cause the error. This includes other referenced .NET assemblies, so be sure no referenced dlls are possibly using non-FIPS compliant algorithms as well.
Here's a handy site that lists all of the FIPS and non-FIPS algorithms in .NET:
http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html
According to this answer no managed implementation is FIPS-certified for the algorithms in the Cryptography namespace.
Using a non-managed implementation should solve your problem: Rijndael is the precursor of AES - maybe try AesCng?
The drawback with unmanaged implementations is that they may not be compliant with older versions of Windows.
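The two answers above say that managed implementations such as RijndaelManaged are rejected under FIPS policy while the CSP/CNG wrappers (AesCryptoServiceProvider, AesCng) are not. This PowerShell probe, an added example rather than code from the thread, constructs each class once on the server and reports which ones the policy rejects, which is a quick way to see what an application or one of its referenced dlls can safely use.

```powershell
# Added example, not from the thread: construct each .NET crypto class once on the
# server and report which ones the FIPS policy rejects (managed vs. CSP/CNG wrappers).
Add-Type -AssemblyName System.Core -ErrorAction SilentlyContinue   # AesCng / SHA256Cng (.NET 3.5+)

$policy = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
Write-Output ("CryptoConfig.AllowOnlyFipsAlgorithms = {0}" -f $policy)

$candidates = @(
    'System.Security.Cryptography.RijndaelManaged',                # what ViewState encryption used
    'System.Security.Cryptography.SHA1Managed',
    'System.Security.Cryptography.MD5CryptoServiceProvider',       # MD5 is rejected in any form
    'System.Security.Cryptography.AesCryptoServiceProvider',       # CSP wrapper over Windows AES
    'System.Security.Cryptography.AesCng',                         # CNG wrapper suggested above
    'System.Security.Cryptography.TripleDESCryptoServiceProvider',
    'System.Security.Cryptography.SHA1CryptoServiceProvider',
    'System.Security.Cryptography.SHA256Cng'
)

$results = foreach ($typeName in $candidates) {
    $type = $typeName -as [type]
    if (-not $type) {
        New-Object PSObject -Property @{ Type = $typeName; Status = 'not available on this .NET version' }
        continue
    }
    try {
        $obj = New-Object -TypeName $typeName
        $obj.Clear()   # releases the handle; Clear() is public on both hash and symmetric classes
        New-Object PSObject -Property @{ Type = $typeName; Status = 'OK' }
    } catch {
        # Under FIPS policy the managed classes throw InvalidOperationException with the
        # exact message quoted in the question; New-Object wraps it, so unwrap InnerException.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        New-Object PSObject -Property @{ Type = $typeName; Status = 'REJECTED: ' + $ex.Message }
    }
}
$results | Select-Object Type, Status | Format-Table -AutoSize
```

The verdicts depend on the box: with the policy off everything reports OK, with it on the managed classes and MD5 report the error from the question while the CSP/CNG classes still construct.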