Don’t take encryption and hashing lightly


A word to the wise for framework and product-shipping designers: Don’t take encryption, signing, and hashing lightly. Also, choose your cryptographic algorithms well and even consider making the cryptographic algorithm choice a configurable item.

We were using a licensed 3rd party component that used RijndaelManaged for encryption of some sort (relating to the license key) and it turns out that our servers have the FIPS algorithm policy requirement enabled.  This means that when we deployed our code, we got the following somewhat cryptic error message: “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

I later found out that the RijndaelManaged symmetric encryption cryptographic algorithm used (hard-coded) by the 3rd party component vendor is not among the list of FIPS-certified cryptographic algorithms and is, therefore, disabled by Windows and .NET when the FIPS policy is enabled.

As you can imagine, this is cause for a lot of concern and consternation among the developers here as we try to find a suitable workaround.

Moral of the Story: Use FIPS-certified algorithms or provide a special build that uses FIPS-certified algorithms in case one of your customers runs into this problem.
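
One way to make the algorithm choice a configurable item on .NET Framework, as an added example rather than code from the post or the component vendor. The `SymmetricCipherFactory` class and the `"AesCsp"` / `"RijndaelManaged"` setting values are assumed names; the factory checks the machine's FIPS policy up front so a bad setting fails with an actionable message.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; SymmetricCipherFactory and the setting values
// "AesCsp" / "RijndaelManaged" are hypothetical names.
public static class SymmetricCipherFactory
{
    public static SymmetricAlgorithm Create(string configuredName)
    {
        // True when the Windows FIPS algorithm policy is enabled on this machine.
        bool fipsOnly = CryptoConfig.AllowOnlyFipsAlgorithms;

        switch (configuredName)
        {
            case "AesCsp":
                // Wrapper over the Windows CAPI AES implementation; usable under the policy.
                return new AesCryptoServiceProvider();

            case "RijndaelManaged":
                if (fipsOnly)
                {
                    // Fail at startup with a clear message instead of letting the
                    // constructor's InvalidOperationException surface deep in the product.
                    throw new NotSupportedException(
                        "FIPS policy is enabled; set the cipher to \"AesCsp\".");
                }
                // Pin the block size to 128 bits so the output stays AES-compatible.
                return new RijndaelManaged { BlockSize = 128 };

            default:
                throw new ArgumentException("Unknown cipher: " + configuredName);
        }
    }

    public static void Main()
    {
        byte[] plain = Encoding.UTF8.GetBytes("constructed sample license data");
        using (SymmetricAlgorithm alg = Create("AesCsp"))
        {
            alg.GenerateKey();
            alg.GenerateIV();
            byte[] cipher;
            using (ICryptoTransform enc = alg.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            using (ICryptoTransform dec = alg.CreateDecryptor())
                plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
            Console.WriteLine(Encoding.UTF8.GetString(plain));
        }
    }
}
```

With a 128-bit block size and the same key, IV, mode and padding, data written by `RijndaelManaged` can be read back through `AesCryptoServiceProvider`, so switching the setting does not have to invalidate existing ciphertext.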

 

You need to blog. Now.