Don’t take encryption and hashing lightly

A word to the wise for framework and product-shipping designers: Don’t take encryption, signing, and hashing lightly. Also, choose your cryptographic algorithms well and even consider making the cryptographic algorithm choice a configurable item.

We were using a licensed 3rd party component that used RijndaelManaged for encryption of some sort (relating to the license key) and it turns out that our servers have the FIPS algorithm policy requirement enabled.  This means that when we deployed our code, we got the following somewhat cryptic error message: “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

I later found out that the RijndaelManaged symmetric encryption cryptographic algorithm used (hard-coded) by the 3rd party component vendor is not among the list of FIPS-certified cryptographic algorithms and is, therefore, disabled by Windows and .NET when the FIPS policy is enabled.

As you can imagine, this is cause for a lot of concern and consternation among the developers here as we try to find a suitable work around.

Moral of the Story: Use FIPS-certified algorithms or provide a special build that uses FIPS-ceritifed algorithms in case one of your customers runs into this problem. 


About Chad Myers

Chad Myers is the Director of Development for Dovetail Software, in Austin, TX, where he leads a premiere software team building complex enterprise software products. Chad is a .NET software developer specializing in enterprise software designs and architectures. He has over 12 years of software development experience and a proven track record of Agile, test-driven project leadership using both Microsoft and open source tools. He is a community leader who speaks at the Austin .NET User's Group, the ADNUG Code Camp, and participates in various development communities and open source projects.
This entry was posted in Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • M

    Would you mind sharing the component authors so that others can be forewarned and forearmed?

  • @M:

    I’d rather not, because I didn’t want this to be an attack piece on a particular vendor.

    If you are planning any FIPS compliancy, make sure you ask your 3rd party component vendors if they are using any non-FIPS algorithms.