Disabling the FIPS Algorithm Check
.NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was configured to require them. This resulted in algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throwing an InvalidOperationException from their constructors.
In some cases this isn't a desirable behavior. For instance, some applications need to use the MD5 hashing algorithm for compatibility with an older communication protocol or file format. Prior to .NET 3.5, the AES algorithm was only available in an implementation which was not FIPS certified, and if you needed to use that algorithm the FIPS check could also block you.
To help in these cases, we added a configuration file switch to .NET 2.0 SP 1 (and therefore .NET 3.5) which allows an application to say "I know what I'm doing, please don't enforce FIPS for me". These applications can set up a configuration file similar to:
<configuration>
    <runtime>
        <enforceFIPSPolicy enabled="false"/>
    </runtime>
</configuration>
This prevents the CLR from throwing InvalidOperationExceptions from the constructors of uncertified algorithms and implementations.
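As an added example (not code from the original post), the following C# probe constructs several algorithm implementations and reports which ones the FIPS check blocks on the current machine, so you can see whether switching to a different implementation would avoid the need for the configuration switch. It assumes .NET 3.5 with a reference to System.Core; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper: reports which implementations the FIPS check rejects.
static class FipsProbe
{
    // Returns true when the constructor throws the InvalidOperationException
    // that the FIPS algorithm check raises for uncertified implementations.
    static bool IsBlocked(Func<IDisposable> create)
    {
        try
        {
            using (create()) { return false; }
        }
        catch (InvalidOperationException)
        {
            return true;
        }
    }

    static void Report(string name, Func<IDisposable> create)
    {
        string state = IsBlocked(create) ? "blocked by FIPS check" : "allowed";
        Console.WriteLine("{0,-28} {1}", name, state);
    }

    static void Main()
    {
        // MD5 is not a FIPS compliant algorithm.
        Report("MD5CryptoServiceProvider", () => new MD5CryptoServiceProvider());

        // Managed implementations are not FIPS certified.
        Report("RijndaelManaged", () => new RijndaelManaged());
        Report("SHA256Managed", () => new SHA256Managed());

        // Added in .NET 3.5 (System.Core); these wrap the Windows
        // platform implementations of AES and SHA-256.
        Report("AesCryptoServiceProvider", () => new AesCryptoServiceProvider());
        Report("SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider());
    }
}
```

Run it once without the configuration file and once with enforceFIPSPolicy set to false to see exactly which constructors the switch affects.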
Comments
Anonymous
April 22, 2009
WOW... this setting has SAVED us. Even asp.net 3.5 uses Page.EncryptString in several places, which creates a Rj algorithm even though it won't be used. Without this switch, we couldn't even use a lot of asp.net.
Anonymous
May 18, 2009
What is the full form of FIPS?
Anonymous
May 21, 2009
Federal Information Processing Standard -Shawn
Anonymous
March 17, 2010
Fixes this error: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. Thank you!