We have a few sections of our application that are using AJAX.NET 5.7.25.1. Our server administrators have enabled FIPS and we are running into the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
Call stack:
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at MS.Utilities.MD5Helper.GetHash(Byte[] data)
at Ajax.AjaxRequestProcessor.Run()
at Ajax.AjaxHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Are the newer versions of the AJAX.NET libraries FIPS compliant?
The fastest way to done here may be to just modify the AJAX.Net pro source directly to remove the offending call that uses the MD5 algorithm. Go get the source for the version of AJax.NET pro you're using from Codeplex. In AjaxPro/Utilities/MD5Helper.cs:
Replace the line...
MD5 md5 = new MD5CryptoServiceProvider();
with the line...
SHA1 md5 = new SHA1CryptoServiceProvider();
That should fix it. SHA1 is FIPS compliant per this page
In this case... the only API that is being used is the ComputeHash() method, which both providers implement so...
Just by switching the crypto providers you should be able to compile and use the code without any other changes and without any annoying FIPS policy violation flags.