FIPS Compatibility
This article explains the FIPS compatibility of the Progress Telerik® UI for ASP.NET AJAX suite.
FIPS Overview
FIPS stands for Federal Information Processing Standard. This standard imposes some restrictions on the algorithms used for encryption, decryption and hashing. Operating systems have many different algorithm types, but only some of them are FIPS-compliant.
There are at least two ways to enforce the FIPS compliance mode:
- Via security policies:
  - Open Administrative Tools.
  - Go to the Local Security Policy applet (or press WinKey+R and enter secpol.msc).
  - Expand Local Policies > Security Options and scroll down to "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing".
- By editing the corresponding registry key directly:
  - Open the Registry Editor.
  - Expand HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Lsa, then select the FIPSAlgorithmPolicy key.
  - Find the DWORD value, which should be set to 0 (0x00000000) for disabled and 1 for enabled.
Under .NET 3.5, the default ViewState validation algorithm (SHA1) is not FIPS-compliant. An algorithm is FIPS-compliant when it is supported by the FIPS 140 standard.
In this case, you may need to change the default algorithms to 3DES, as shown below, even though this may reduce the security of your site.
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="3DES"
decryption="3DES" />
Falling back to TripleDES is not needed for .NET 4.0 and newer, where the default validation is set to HMACSHA256.
Setting <compilation debug="true" /> in the web.config will cause a FIPS exception. You can find a possible workaround in the following forum thread: Visual Studio 2008 cannot debug with FIPS enabled.
Under .NET 3.5, setting a hardcoded machineKey in your web.config may cause FIPS exceptions. In such cases, you may need to fall back to an autogenerated key.
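The checks described in this section, collected into one PowerShell audit. This is an added example, not Telerik code: the function names, the -Net35 switch and the sample web.config are assumptions made for illustration, and the registry value name Enabled applies to Windows Vista / Server 2008 and later.

```powershell
# Added example, not Telerik code. Function names and -Net35 are hypothetical.
function Get-FipsPolicyEnabled {
    # The value name 'Enabled' applies to Windows Vista / Server 2008 and later.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Enabled -eq 1)
}

function Test-WebConfigForFips {
    param(
        [Parameter(Mandatory = $true)][xml]$Config,
        [switch]$Net35   # set when the site targets .NET 3.5
    )
    $findings = @()
    $comp = $Config.SelectSingleNode('/configuration/system.web/compilation')
    if ($null -ne $comp -and $comp.GetAttribute('debug') -eq 'true') {
        $findings += 'compilation debug="true" causes a FIPS exception'
    }
    $mk = $Config.SelectSingleNode('/configuration/system.web/machineKey')
    $validation = if ($null -ne $mk) { $mk.GetAttribute('validation') } else { '' }

    if ($Net35) {
        # A missing attribute means the .NET 3.5 default, SHA1.
        if ($validation -eq '' -or $validation -eq 'SHA1') {
            $findings += 'validation is SHA1, which is not FIPS-compliant under .NET 3.5'
        }
        foreach ($name in 'validationKey', 'decryptionKey') {
            if ($null -ne $mk -and $mk.HasAttribute($name) -and
                $mk.GetAttribute($name) -notlike 'AutoGenerate*') {
                $findings += "$name is hardcoded; fall back to an autogenerated key"
            }
        }
    } elseif ($validation -eq '3DES') {
        $findings += 'the 3DES fallback is not needed on .NET 4.0 and newer'
    }
    return $findings
}

# Constructed sample web.config, for illustration only.
$sample = @'
<configuration>
  <system.web>
    <compilation debug="true" />
    <machineKey validationKey="CONSTRUCTED-PLACEHOLDER" validation="SHA1" />
  </system.web>
</configuration>
'@
"FIPS policy enabled: $(Get-FipsPolicyEnabled)"
Test-WebConfigForFips -Config $sample -Net35
```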
FIPS Compatibility of UI for ASP.NET AJAX
Telerik UI for ASP.NET AJAX officially supports the FIPS standard as of Q3 2011.
This includes Word and all Excel export formats, but not PDF.
The PDF export is FIPS-compliant as of Q2 2013.
Under .NET 3.5, FIPS-compliance cannot be guaranteed as of R1 2017. Since this version, the Telerik.Web.UI assembly uses the HMACSHA256 algorithm to provide secure encryption. This algorithm is not recognized by .NET 3.5 as FIPS-compliant.
The algorithms .NET 3.5 recognizes are considered outdated and weak, and we cannot fall back to them, because this will compromise security. The best advice we can offer is that you upgrade to a newer version of .NET, at least to .NET 4.0.
Thus, under .NET 3.5 you may get an exception similar to the following, and the solution is to upgrade to .NET 4.0 or later.
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Such an exception is most commonly encountered when using controls like RadAsyncUpload, RadCloudUpload, RadEditor, RadSpell.