Web Forms :: This Implementation Is Not Part Of The Windows Platform FIPS Validated Cryptographic Algorithms?
Feb 25, 2011
Our asp.net 2.0 app encountered the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.After adding the following in web.config -> <system.web> section:
If you enable the "Use FIPS compliant algorithms for encryption, hashing, and signing" security policy option in Windows, attempting to use many of the cryptographic classes in the .NET Framework will result in an InvalidOperationException. By default, ASP.NET uses AES to encrypt the ViewState blob, so it fails. You can work around this by adding a key like this to web.config:
And that covers you for basic ASP.NET use. My problem is this: I have a large, complex ASP.NET web applications that makes heavy use of ScriptManagers (the foundation of ASP.NET AJAX) and needs to be deployed by a government customer who must enable this FIPS policy setting. Any ASP.NET page with a ScriptManager on it throws this exception:
[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.] System.Security.Cryptography.SHA1Managed..ctor() +3607454 System.Security.Policy.Hash.get_SHA1() +45 System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfoInternal(Assembly assembly) +85 System.Web.Handlers.ScriptResourceHandler.GetAssemblyInfo(Assembly assembly) +99 System.Web.Handlers.RuntimeScriptResourceHandler.GetScriptResourceUrlImpl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +525 System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(List`1 assemblyResourceLists, Boolean zip, Boolean notifyScriptLoaded) +910 System.Web.Handlers.RuntimeScriptResourceHandler.System.Web.Handlers.IScriptResourceHandler.GetScriptResourceUrl(Assembly assembly, String resourceName, CultureInfo culture, Boolean zip, Boolean notifyScriptLoaded) +193 System.Web.UI.ScriptReference.GetUrlFromName(ScriptManager scriptManager, IControl scriptManagerControl, Boolean zip) +306 System.Web.UI.ScriptManager.RegisterUniqueScripts(List`1 uniqueScripts) +169 System.Web.UI.ScriptManager.RegisterScripts() +407 System.Web.UI.ScriptManager.OnPagePreRenderComplete(Object sender, EventArgs e) +200 System.Web.UI.Page.OnPreRenderComplete(EventArgs e) +11041982 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3672
Even adding the <enforceFIPSPolicy enabled="false"/> element to web.config does not resolve the exception.
Is there any way to configure ASP.NET such that ScriptManager can be used with the Windows FIPS security policy?
I want to create a WebTV site in ASP.NET. At the moment I am thinking of using Flowplayer, serving .flv files. Since it will work with pseudostreaming, IIS will serve various .flv files in a schedule.
Is there a platform/open source package to provide all the clip (and advertisement) scheduling to create the WebTV program? Or do I need to create my own scheduling interface (backend) that will store the .flv schedule in a database, and create e.g. an .aspx that will read the current time and decide which clip to serve?
I wasnt sure where this question best belongs, in the end I figured this was the best place...
Say I have a utility dll that i might use in either a windows console application or in an asp.net web application - how can I programatically find whether it is running on web or windows, from within the dll?
I feel like this is something I should know by now, maybe some property of AppDomain.CurrentDomain, or Environment, but I just can't find it.
The reason I'm asking is because I'm playing around with nHibernate for asp and I seem to need different session handling when running in asp.net, compared to when i'm running integration tests. So if someone knows how i can solve this without programatically checking the context of the application, then that'd be great too.
I currently have a client with a SharePoint site that wants to incorporate an (already written) ASP.NET application within a webpart in the SharePoint site. The ASP.net application currently uses an IIS impersonation account to connect to the SQL database.
Some added functionality the client is requesting would require me to grab the user's windows login identity to use the SharePoint UserProfileWebService to query the PropertyPages for that specific user. Because the (already written) ASP.NET application uses impersonation, when I grab the WindowsIdentity.GetCurrent().Name, I get the impersonation account and not the actual user's account.
Is there a way to keep the current setup (impersonation account on IIS to connect to SQL) and still grab the logged in user's credentials? Or would a better way about this be to change IIS to consume the Windows Identity of the logged in user and encrypt the connection string in the web.config?
Also, compilation debug="false" ... > is set.No matter what I use (AES, MD5, SHA1, 3DES),it generates the same hash.Is there something I am missing out.And what is the default algorithm used if I don't specify anything?
I am working on a government site and am having some problems with my local security policy interferring with my web application. There is a setting called "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" which is enabled on my server.
Since that has been enabled, most of my aspx pages are returning the error "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." These pages aren't accessing any cryptographic methods. They do communicate with another database server, but that's it.
My problem is similar to the one described here. However, I don't have the option of disabling this FIPS security setting.
I am using .NET 4.0, IIS 7.0, and Windows Server 2008 R2, if that matters. Has anyone encountered this problem before?
Update
Unfortunately, correcting the machine key element to use a FIPS compliant algorithm did not completely solve my problem. I am still getting the error on alot of my pages.
I found two hotfixes which may be related. I will try to install these and see what happens.
SQL Server Reporting Services R2 hotfix ScriptManager Control hotfix
I have four columns in database. Consider it as a,b,c and d. I'm trying to place a and b column values in TO part and c and d column values in CC part in outlook. a,b,c,d contains six digits numeric values. I just need to place a and b columns values in to and c and d values in cc part on click of a button.
my problem is that i have a dynamic controls(text boxes) that are generated depending on a dropdownlist
and upon generating the textboxes i have created a required field validator and associated it to the text box that is being generated,
when javascript is enabled in my browser, the client side validation works fine, but when i disable the javascript.. no server side validation occurs and the Page.IsValid gives true when the method Page.validate() is fired
i tried a new simple page with dynamic controls and seems to work fine, but i could not figure out whats wrong with this page.
private void generateFarmForm() { int numberOfFields = 9; Label[] labels = new Label[numberOfFields]; TextBox[] farmt = new TextBox[numberOfFields];
[Code]....
also the button that submits the form back has the same validation group,,, yet no luck with this... the page is in a content tag of a master page if this has any relation to the problem
I have created a page with a textbox and a button, when you enter a number in textbox and click on button, the onCommand event generates dynamic textboxes with dynamic requiredFieldValidators in the placeHolder and a newbutton. Now when I click on newButton, it does not validated dynamically generated textboxes, it does postback and every dynamic object disappear. The sample code is provided below.
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?
I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.
Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability
The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd
i am trying to create a strong name for assembly.....by giving the below code----
assembly: AssemblyDelaySign(false)] assembly: AssemblyKeyFile(@"UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityinDebugABC.snk")] assembly: AssemblyKeyName("")]
when i am compiling project i am getting this error........
Error 1 Cryptographic failure while signing assembly 'C:UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityobjReleasecodeaccesssecurity.exe' -- 'Error reading key file 'UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityinDebugABC.snk' -- The system cannot find the path specified. '
Just reading about this ASP.NET security vurnerability. Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability
We have developed a small method that pulls a cryptographic key from a signed xml document and then checks the signature using the SignedXml.CheckSignature method.
When run from a command line app the key validates properly. However as soon as I call it from a web app it stops working. Anybody know what could be happening?:
// Verify the signature of an XML file against an asymmetric // algorithm and return the result.XmlDocument Doc, RSA Key public static Boolean VerifyLicenceFile(string xmlLicFilePathArg) { bool isVerified = false;....
I'm not sure if this problem is isolated in MVC2 or if it's isolated with the DataType.EmailAddress, but that's what I'm working on.
Anyway, I noticed that no validation is performed at all on my field marked with [DataType(DataType.EmailAddress)], both on client and server.
Here is the Model:
[Code]....
Here is the View:
[Code]....
Here are the Controller Actions:
[Code]....
Validation for the [Required] attributes are working fine. It's the DataType.EmailAddress that never gets checked at all. My ModelState.IsValid returns true even if I enter "x" as my email address. Haven't tried the other DataTypes, so I dunno if this is just for the email or for all types.
We have several asp.net web applications we've built and we also want to embed them into various sharepoint pages. We need to have them look like standalone applications when viewed in their own pages, but also have them look like they fit within the sharepoint page when embedded. We are doing this currently with IFrames and it works ok, but I'm wondering if there is some sort of proxy web part where we can configure the web part to point to an existing web app and it will proxy the contents through from the web app into the sharepoint page removing the need for an IFrame. Possible?
Is it possible to change the CSS class of the validated control if it's not valid without codebehind or just with less code ex. Set automatic CSS class to "invalid" of all textboxes which have a required field validator? I don't like to make a check for each validator (isvalid) I have, manually.
I m new in web part tools in asp.net, i create a simple page using web part tools, but now i want in my web part zone too open a web site like I Google..
when u use i google there is a functionality to open a web site in web part zone.
I have used Expression Web to create a website with a standard .ASP form that saves data into an Access database using standard HTML controls. This works fine except there is no validation of the fields. A user can enter anything to get past the form.
I want to use ASP.NET to validate all of the fields in the form and then save to the same Access database. When I rename the webpage from .ASP to .ASPX, I am able to get the validation controls working properly by changing HTML controls to ASP.NET controls.
However, I cannot figure out how to get the form data submitted into the Access database because the code to connect to the database was removed when I inserted the first ASP.NET control.
What am I missing? It seems like a simple task but I haven't been able to figure it out. I have a couple books and they don't answer the question. Can someone guide me in the right direction?
When using SPWeb.GetCatalog(SPListTemplateType.WebPartCatalog), it returns an SPList which of course contains a SPListItemCollection of the web parts in the web part gallery. When looping through the items, is there any easy way to get properties of the web parts? Such as AllowClose, CatalogIconImageUrl, etc... I know I can probably accomplish this using the listItem.OpenBinaryStream etc and loading the xml of the .webpart file, but I wondered if there was an easier way to do this.
I am using the sqlmembership provider with the login control from the toolbox. I want to capture the validated username after the user is authenticated. I need the username so that when the user adds or modifies a record i can have an audit trail. where is the best place to capture the validated user right after authentication? Ideally, i would like to capture it on the login form but how?
I have a newuzerwizard with 3 steps. Step 1 = Create account, Step 2 = Personal Info, and Step 3 = Bio Information. On the second step (Personal Info) I validate the users address and get its latitude and longitude. I want to make sure that before they go onto step three their address can be geocoded. I have the code that tests the address, I just don't know how to stop the step from going to the next if they input a wrong address. Here is what I have: