CreateMarker and Windows Platform FIPS validated cryptographic algorithms

05-20-2011 06:17 AM
MartinChapman
New Contributor
First of all let me comment that ArcGIS Explorer is an awesome tool.  Much kudos to the developers.  Currently I am using ArcExplorer build 1500 to display MILSTD 2525C symbology on the map.  I am using the Symbol.CreateMarker() method to load the png symbol files from a file path.  This works fine on my work computer but when I deploy to a secure government computer the CreateMarker method throws the following error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I've tried loading the marker into a bitmap first and then passing the bitmap to the CreateMarker method but I get the same error.  My guess is that the implementation of CreateMarker is using an MD5 algorithm under the hood or some other algorithm that is violating the security policy of the DISA hardened machine.  I am able to use one of the stock symbols like square or sphere OK, so somehow the implementation of those symbols is different.  Maybe they are stored as resource files embedded in the application.  If anyone has any insight into this problem that can help me overcome it, I would be very appreciative.

Best regards,
Marty

I also wanted to add that you can re-create the problem by editing your Local Security Policy settings under Administrative Tools by going to:

Security Settings->Local Policies->Security Options->System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

and enabling the setting.  Note, you will need to re-start ArcExplorer for the change to take effect.  Then just try the following code:

// Placeholder path: point this at any PNG file on disk.
string symbolFilePath = @"C:\path\to\symbol.png";
Symbol symbol = Symbol.CreateMarker(symbolFilePath);

This will throw an InvalidOperationException.

Marty
0 Kudos
5 Replies
AndreiIvanov
New Contributor III
Marty,

I could verify the issue. I am not familiar with this specific encryption system, but the exception is thrown due to the fact that when the bitmap is loaded it uses the SHA256Managed hash, which is not compliant with FIPS. I am not even sure what to suggest besides sticking to our symbols.
0 Kudos
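The failure described in the reply above, and a hashing routine that keeps working with the FIPS policy enabled, as an added example that is not Esri's code and not the fix that shipped (the thread does not say how it was fixed). The class and method names are hypothetical, the sample file is constructed, and the behaviour assumed is that of the .NET Framework versions of the thread's era, where the managed hash classes refuse to construct under the policy.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

static class FipsSafeHash   // hypothetical name, for illustration only
{
    // SHA256Managed is a pure managed implementation and is not FIPS validated;
    // with the policy on, its constructor throws InvalidOperationException.
    // SHA256CryptoServiceProvider (System.Core, .NET 3.5+) wraps the Windows
    // platform implementation, so it is permitted under the same policy.
    public static SHA256 Create()
    {
        return new SHA256CryptoServiceProvider();
    }

    public static string HashFile(string path)
    {
        using (SHA256 sha = Create())
        using (FileStream fs = File.OpenRead(path))
        {
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
        }
    }

    static void Main()
    {
        // Reflects the "System cryptography: Use FIPS compliant algorithms" setting.
        Console.WriteLine("FIPS-only policy active: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Probe the class named in the thread to see whether it is blocked here.
        try
        {
            using (new SHA256Managed()) { Console.WriteLine("SHA256Managed: allowed"); }
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("SHA256Managed: blocked (" + ex.Message + ")");
        }

        // Constructed sample input: a temp file holding the first PNG signature bytes.
        string sample = Path.GetTempFileName();
        File.WriteAllBytes(sample, new byte[] { 0x89, 0x50, 0x4E, 0x47 });
        Console.WriteLine("SHA-256 via platform provider: " + HashFile(sample));
        File.Delete(sample);
    }
}
```

Run it once with the policy disabled and once with it enabled (restarting the process in between) to see the managed class go from allowed to blocked while `HashFile` returns the same digest both times.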
MartinChapman
New Contributor
Andriy,

Thanks for your timely response.

The answer is I went to my security administrator and told him I needed an exception to turn FIPS crypto compliance off.  Problem solved. 

That said, I imagine that other government users will run into this problem, so I would request that a workaround be considered for a future release of the product if possible.  I read somewhere on the web that you can turn FIPS checking on somewhere in Visual Studio when compiling your project and it will prevent you from using non-FIPS compliant algorithms.  Maybe that could help you guys stay FIPS compliant in future releases... just a thought.

Thanks again,
Marty
0 Kudos
AndreiIvanov
New Contributor III
Marty, I am going to take a look at this issue. Will update.
0 Kudos
MartinChapman
New Contributor
Thanks Andriy.  By the way, I released my plug-ins to my users today and they all really like Arc Explorer.  None of them had used it before and they all think it's better than Google Earth.

Best regards,
Marty
0 Kudos
AndreiIvanov
New Contributor III
Marty, this issue has been fixed. It will be available in the next release of AGX. Glad you are liking ArcGIS Explorer. Any issues - post it on this forum.
0 Kudos