Share via


FIPS compliant machinekey section for IIS Application

One of my customers needed to configure his ASP.NET site under FIPS. The information was scattered in various MSDN blogs and docs. To prevent the good work go to waste, I am blogging it here so that others can be benefited as well:

FIPS compliant machinekey section in web.config:

 <machineKey
validationKey="XXXXXXXXXXXXXXXXXXX"   (same key for all IIS servers)
decryptionKey="XXXXXXXXXXXXXXXXXXX" (same key for all IIS servers)
validation="HMACSHA256" (you can use any of the 3 validation options below based on your required encryption strength)
decryption="AES"
/>

Decryption:

AES Specifies that ASP.NET uses the AES (Rijndael) algorithm to encrypt and decrypt data. AES is the default algorithm and is the one that is used when the value of this attribute is Auto. This algorithm is compliant with the United States Federal Information Processing Standards (FIPS).

Validation:

  1. HMACSHA256 Specifies that ASP.NET uses the HMACSHA256 hash algorithm to validate data. This is the default value. This algorithm is compliant with the United Stated Federal Information Processing Standards (FIPS).
  2. HMACSHA384 Specifies that ASP.NET uses the HMACSHA384 hash algorithm to validate data. This option is available for applications that require stronger security than is provided by the HMACSHA256 algorithm. This algorithm is compliant with the United States Federal Information Processing Standards (FIPS).
  3. HMACSHA512 Specifies that ASP.NET uses the HMACSHA512 hash algorithm to validate data. This option is available for applications that require stronger security than is provided by the HMACSHA384 algorithm. This algorithm is compliant with the United States Federal Information Processing Standards (FIPS).

Do not forget:

  • Besides the above machinekey settings, you also need to ensure that the compilation section of your web.config and the page directives of individual aspx page should all have debug="false". A Debug="true" will throw a FIPs compliance error before any code in your ASPX pages can run.
  • If you like to test your code in Visual studio, please ensure FIPS is disabled
  • Also, FIPS needs to be enabled at the Machine/OS level.