Detecting if FIPS is being enforced via .NET C#

Question

Is there a way to determine from the .NET framework whether or not the FIPS policy is being enforced on the windows computer?

Check the Registry value at `HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled`? — Camilo Terevinto, Jan 09 '19 at 23:32
FWIW If you're dealing with FIPS enforcing certain classes be used in .NET, [.NET 4.8](https://blogs.msdn.microsoft.com/dotnet/2018/11/28/announcing-net-framework-4-8-early-access-build-3694/) fixes this: *the SHA256Managed class (and the other managed cryptography classes) will redirect the cryptographic operations to a system cryptography library.* — ta.speot.is, Jan 10 '19 at 10:29
Otherwise this might do https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/cryptoconfig.cs,60dba5f3579c03b5 — ta.speot.is, Jan 10 '19 at 10:31
@ta.speot.is If I interpret your .Net4.8 link correctly, it no longer matters whether we use AESManaged, and SHA256Managed or not as the system will now automatically choose the FIPS variant on a FIPS system, and the normal variant on a normal system. - Is this correct? — Reahreic, Feb 08 '23 at 18:41

score 5 · Answer 1 · answered Apr 25 '20 at 13:29

It has already been answered by @ta-speot-is in the comments, adding it as an answer if someone overlooks that comment.

To know if FIPS is enabled we can simply check the boolean flag CryptoConfig.AllowOnlyFipsAlgorithms available in .Net Framework 4.0 and higher versions.

score 1 · Accepted Answer · edited Jan 10 '19 at 10:22

1

You can use this code to check whether FIPS is enabled or not:

public static object getKey(string Name)
{
    RegistryKey uac = Registry.LocalMachine.OpenSubKey(@"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy", true);
    if (uac == null)
    {
        uac = Registry.LocalMachine.CreateSubKey(@"System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy");
    }
    return uac.GetValue(Name);
}

Just pass "Enabled" key into it and it will return 1 or 0 based on the enabled or disabled.

edited Jan 10 '19 at 10:22

Wai Ha Lee

8,598
83
57
92

answered Jan 10 '19 at 10:17

Gaurav

782
5
12

1

You might not want to create that key if it doesn't exist. – CodeCaster Jan 10 '19 at 10:25
Yeah its fine we can remove the if condition if user don't want to create the key. – Gaurav Jan 10 '19 at 10:29

Detecting if FIPS is being enforced via .NET C#

2 Answers2