2

Hey all, I am getting this error when trying to compare a password in my database using my ASP.NET page.

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The code looks like this:

```vb
Public Shared Function UserAuthentication(ByVal user As String, ByVal pass As String) As WebUserSession
  Dim strSQL As String = ""
  Dim strForEncryption As String = pass
  Dim result As Byte()
  Dim sHA1Managed As SHA1 = New SHA1Managed()
  Dim encryptedString As New System.Text.StringBuilder()

  result = sHA1Managed.ComputeHash(ASCIIEncoding.ASCII.GetBytes(pass))

  For Each outputByte As Byte In result
    'convert each byte to a Hexadecimal upper case string
    encryptedString.Append(outputByte.ToString("x2").ToUpper())
  Next

  strSQL &= "SELECT email, name, id, permission_id, username FROM (user) INNER JOIN user_per ON user.id = user_per.user_id "
  strSQL &= "WHERE(username = '" & user & "' And password = '" & encryptedString.ToString() & "')"
```

We recently had to update/lock down our server to be in compliance with security holes and the like. But doing so caused this error for one of the websites we are hosting on the same server. Prior to all these security settings the website worked just fine.

The odd part is that I am able to run the website locally (debug mode) within VS 2010 and it does just fine. No errors at all.

Would anyone have any tips on how to go around this to make the website work again as it did before we added all these security settings to be compliant? We simply cannot just disable it because that would cause our other websites to go out of compliance.

I've already tried the suggestions on these pages: http://blogs.msdn.com/b/brijs/archive/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010.aspx

http://social.msdn.microsoft.com/Forums/en/clr/thread/7a62c936-b3cc-4493-a3cd-cc5fd18b6b2a

http://support.microsoft.com/kb/935434

http://blogs.iis.net/webtopics/archive/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debug-true.aspx

http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

Thanks.

Tried using this code as well

```vb
Dim p As String = Password.Text.ToString
Dim data(p) As Byte
Dim result() As Byte
Dim sha As New SHA1CryptoServiceProvider()

result = sha.ComputeHash(data)
```

The error is:

Conversion from string "S51998Dg5" to type 'Integer' is not valid.

And that error is on the line: Dim data(p) As Byte

StealthRT

1 Answer

3

According to this, SHA1Managed is not FIPS compliant. It throws an InvalidOperationException because this class is not compliant with the FIPS algorithm.

You need to either disable FIPS compliance or use a FIPS compliant implementation. SHA1CryptoServiceProvider, I think, is FIPS compliant.

imichaelmiers
  • That doesn't seem to work (or I can't get it working within code). We already have passwords hashed in SHA1 so they do not come out the same when comparing the user's typed-in password to the hash on the DB. The error I keep getting is **Conversion from string "S51998Dg5" to type 'Integer' is not valid.** – StealthRT Oct 23 '12 at 12:30
  • So I don't know VB, just C#, but it looks like you should just be able to replace SHA1Managed with SHA1CryptoServiceProvider (in C# you'd need to change the type on the variable the instance it) in the original code you posted. You don't need to add the data call, just use ASCIIEncoding.ASCII.GetBytes(pass). If that doesn't work, you can disable FIPS compliance on the system. Unless you're writing code for the DOD or maybe a bank, no one should care. – imichaelmiers Oct 23 '12 at 14:39
  • I used **sha1cryptoserviceprovider** and it ended up working after that. Thanks, imichaelmiers! – StealthRT Oct 24 '12 at 13:37
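
Added example, not code from the original posts: a VB.NET console module that hashes one constructed password with both SHA1CryptoServiceProvider and SHA1Managed. It shows that the two classes produce the same digest, so hashes already stored in the database keep matching, and that only the managed class is refused when the FIPS policy is enabled. The module name, function names and sample password are assumptions made for illustration.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module FipsSha1Example ' hypothetical module name

    ' Hex-encode a digest; "X2" gives the same upper-case output as the
    ' question's ToString("x2").ToUpper() loop.
    Function ToUpperHex(ByVal digest As Byte()) As String
        Dim sb As New StringBuilder(digest.Length * 2)
        For Each b As Byte In digest
            sb.Append(b.ToString("X2"))
        Next
        Return sb.ToString()
    End Function

    ' SHA-1 through the CryptoAPI-backed class named in the answer.
    Function HashWithCsp(ByVal pass As String) As String
        Using sha As SHA1 = New SHA1CryptoServiceProvider()
            Return ToUpperHex(sha.ComputeHash(Encoding.ASCII.GetBytes(pass)))
        End Using
    End Function

    ' Same digest through the managed class. Returns Nothing when the
    ' constructor throws InvalidOperationException under the FIPS policy.
    Function HashWithManaged(ByVal pass As String) As String
        Try
            Using sha As SHA1 = New SHA1Managed()
                Return ToUpperHex(sha.ComputeHash(Encoding.ASCII.GetBytes(pass)))
            End Using
        Catch ex As InvalidOperationException
            Return Nothing
        End Try
    End Function

    Sub Main()
        Dim sample As String = "constructed-sample-password" ' constructed value
        Console.WriteLine("FIPS policy enabled: " & CryptoConfig.AllowOnlyFipsAlgorithms)
        Dim csp As String = HashWithCsp(sample)
        Dim managed As String = HashWithManaged(sample)
        Console.WriteLine("CSP digest: " & csp)
        If managed Is Nothing Then
            Console.WriteLine("SHA1Managed: blocked by FIPS policy")
        Else
            Console.WriteLine("Digests match: " & (csp = managed))
        End If
    End Sub

End Module
```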