Problem description
Right now the only way I can get the RijndaelManaged algorithm to work on a computer with the Local Security Setting for FIPS turned on, is to disable it. It is a government computer, so I'm not sure how that will fly. I've seen posts on the MSDN blog sites that say they are working on an AES FIPS compliant version, but I can't seem to find out anything more. Does anyone know when this might happen?
Recommended answer
I never realized this before this question, but you're right. The constructor has this:
    public RijndaelManaged()
    {
        if (Utils.FipsAlgorithmPolicy == 1)
        {
            throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
        }
    }
System.Security.Cryptography.AesManaged has something similar:
    public AesManaged()
    {
        if (CoreCryptoConfig.EnforceFipsAlgorithms)
        {
            throw new InvalidOperationException(SR.GetString("Cryptography_NonCompliantFIPSAlgorithm"));
        }
        this.m_rijndael = new RijndaelManaged();
        this.m_rijndael.BlockSize = this.BlockSize;
        this.m_rijndael.KeySize = this.KeySize;
    }
Have you tried System.Security.Cryptography.AesCryptoServiceProvider? It should work since it's using the CAPI based FIPS AES implementation built into Windows.
This question on Microsoft's .NET Base Class Library forum discusses which algorithms are FIPS compliant and has good links.
It appears that Microsoft is making a consistent effort to obey the setting of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy on pre-Vista machines and use of the BCryptGetFipsAlgorithmMode API for post-Vista.
I assume there is non-trivial effort involved in certifying an implementation as FIPS compliant; that is why Microsoft probably doesn't want to repeat the process and only offers the AesCryptoServiceProvider for customers that absolutely need this requirement.
This MSDN blog post has a comment that makes it clearer:
The easiest way to figure out if an algorithm is compliant or not is to look at the suffix. None of the *Managed types are FIPS certified. The *CryptoServiceProvider and *Cng types, however, may well be FIPS certified. If they implement an algorithm that FIPS allows, and are using the default Microsoft providers, then they will be.
For instance, SHA256Managed is not (because it is *Managed). SHA256CryptoServiceProvider and SHA256Cng are.
MD5CryptoServiceProvider is not (because MD5 is not a FIPS algorithm).
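The behaviour discussed in the answer above, as an added example that is not part of the original answer or of Microsoft's code: it reports the machine's FIPS policy, shows whether RijndaelManaged can be constructed, and round-trips data through AesCryptoServiceProvider. It assumes .NET Framework on Windows; `FipsAesDemo`, `CreateAes` and `Transform` are hypothetical names.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class FipsAesDemo
{
    // Hypothetical helper: AES backed by the Windows provider instead of a
    // *Managed type, so its constructor has no FIPS policy check to fail.
    static Aes CreateAes()
    {
        return new AesCryptoServiceProvider { Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 };
    }

    // Runs input through an encryptor or decryptor and returns the output bytes.
    static byte[] Transform(ICryptoTransform transform, byte[] input)
    {
        using (transform)
        using (var ms = new MemoryStream())
        {
            using (var cs = new CryptoStream(ms, transform, CryptoStreamMode.Write))
                cs.Write(input, 0, input.Length); // disposing cs flushes the final block
            return ms.ToArray();
        }
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        try
        {
            // Throws on framework versions that contain the constructor check quoted above.
            using (new RijndaelManaged()) { }
            Console.WriteLine("RijndaelManaged: constructed");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("RijndaelManaged: rejected (" + ex.Message + ")");
        }
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample plaintext");
        using (Aes aes = CreateAes())
        {
            aes.GenerateKey(); // random 256-bit key (the provider's default size)
            aes.GenerateIV();  // fresh random IV for this message
            byte[] ciphertext = Transform(aes.CreateEncryptor(), plaintext);
            byte[] roundTrip = Transform(aes.CreateDecryptor(), ciphertext);
            Console.WriteLine("Round trip ok: " + (Encoding.UTF8.GetString(roundTrip) == "constructed sample plaintext"));
        }
    }
}
```

CBC mode provides no integrity protection, so a real design also authenticates the IV and ciphertext.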