This problem is much more complex than most of those responding understand. Here is the true reason why most of people's answers just won't work (I just spent a nearly 48-hour marathon session trying to understand and fix this problem):
- C# Under Windows has basically 3 encryption providers that "support" AES: RijndaelManaged, AesManaged, AesCryptoServiceProvider.
- RijndaelManaged implements the full Rijndael Algorithm (All Options) and so it is a super-set of AES capabilities; however, it is not certified FIPS compliant (because it is capable of doing things not in the FIPS-approved AES specification, like having block size other than 128 bits)
- AesManaged is nothing more than a decorator/wrapper over RijndaelManaged that restricts it to a block-size of 128 bits, but, because RijndaelManaged is not FIPS approved, neither is AesManaged
- AesCryptoServiceProvider is a C# wrapper over the C-library on Windows for AES that IS FIPS approved; however, in CFB Mode, it only supports 8|16|24|32|40|48|56|64 bits for the FeedbackSize (I can find no documentation that says that FIPS is restricted thusly, so, it's questionable how AesCryptoServiceProvider passed the FIPS certification - probably somebody played midnight golf with someone else to have it pushed through the certification)
- If FIPS mode is turned on on Windows, then RijndaelManaged (and thereby AesManaged) will throw an exception saying they are not FIPS compliant when you attempt to instantiate them.
- Some things require AES-128 with CFB of 128-bits FeedbackSize (e.g. SNMPv3 AES according to the RFC).
So, if you are in an environment where the following is true:
- You need AES-128 with CFB-128 (SNMPv3 for example)
- You need to do the Crypto from C# without using Non-Microsoft Libs
- You need to have FIPS mode turned on on the OS (Gov't requirements for example)
Then, your ONLY option (or at least the only one I could find after extensive searching and much wailing and gnashing of teeth) is to use RijndaelManaged AND use the "
" in the Application.exe.config to turn off FIPS forced compliance for that particular application.
What a nightmare! I hope this answer helps the next unfortunate soul to run into this problem.
Keywords: Cisco IOS SNMPv3 FIPS AES 128 CFB 128 AesCryptoServiceProvider Rijndael
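
For reference, a sketch of the RijndaelManaged setup the answer describes: AES-128 in CFB mode with a 128-bit FeedbackSize on .NET Framework. This is an added example, not code from the original answer. The class and method names, the key, IV and message bytes are constructed for illustration, and zero-padding to a 16-byte multiple then truncating is an assumed way to handle payloads that are not a whole number of blocks.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Cfb128Demo   // hypothetical name, for illustration only
{
    // AES-128 / CFB-128 through RijndaelManaged (.NET Framework).
    static byte[] Transform(byte[] key, byte[] iv, byte[] input, bool encrypt)
    {
        // The managed CFB transform works on whole 16-byte segments, so pad
        // with zeros and cut the result back to the input length (assumption).
        byte[] padded = new byte[(input.Length + 15) / 16 * 16];
        Buffer.BlockCopy(input, 0, padded, 0, input.Length);

        // The constructor throws InvalidOperationException when FIPS is enforced.
        using (var alg = new RijndaelManaged())
        {
            alg.KeySize = 128;
            alg.BlockSize = 128;            // the AES subset of Rijndael
            alg.Mode = CipherMode.CFB;
            alg.FeedbackSize = 128;         // the size AesCryptoServiceProvider rejects
            alg.Padding = PaddingMode.None; // input is already a 16-byte multiple
            using (ICryptoTransform t = encrypt ? alg.CreateEncryptor(key, iv)
                                                : alg.CreateDecryptor(key, iv))
            {
                byte[] full = t.TransformFinalBlock(padded, 0, padded.Length);
                byte[] result = new byte[input.Length];
                Buffer.BlockCopy(full, 0, result, 0, result.Length);
                return result;
            }
        }
    }

    static void Main()
    {
        // True when the OS policy is on and the app has not opted out in its config.
        Console.WriteLine("FIPS enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] key = new byte[16], iv = new byte[16];   // constructed sample values
        for (int i = 0; i < 16; i++) { key[i] = (byte)i; iv[i] = (byte)(0xA0 + i); }
        byte[] plain = Encoding.ASCII.GetBytes("constructed sample payload");

        try
        {
            byte[] ct = Transform(key, iv, plain, true);
            byte[] pt = Transform(key, iv, ct, false);
            Console.WriteLine("Round trip ok: " + (Encoding.ASCII.GetString(pt) == "constructed sample payload"));
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("RijndaelManaged refused to load: " + ex.Message);
        }
    }
}
```

With FIPS enforcement active and no per-application opt-out, the `catch` branch runs, which is the failure the answer describes.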