Problems with FOG client and FIPS validation



  • Fog Version: 1.5.0-RC-9
    Fog Client Version: 0.11.12
    Server: Ubuntu Server 16.04.3 LTS

    We recently used GPO to force all our computers to require FIPS compliant encryption suites whenever using encryption to communicate (this is a requirement for PCI compliance). Unfortunately, this seems to have broken the FOG Client. Here are the relevant log entries:

    ----------------------------------------------------------------
    ----------------------------------UserTracker-------------------
    ----------------------------------------------------------------
     11/4/2017 5:27 PM Client-Info Client Version: 0.11.12
     11/4/2017 5:27 PM Client-Info Client OS:      Windows
     11/4/2017 5:27 PM Client-Info Server Version: 1.5.0-RC-9
     [...extraneous lines snipped...]
     11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&configure&newService&json
     11/4/2017 5:29 PM Middleware::Response Success
     11/4/2017 5:29 PM Middleware::Communication URL: http://fog/fog/management/index.php?sub=requestClientInfo&mac=40:8D:5C:D5:08:9B&newService&json
     11/4/2017 5:29 PM Data::AES ERROR: Could not decrypt AES
     11/4/2017 5:29 PM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
    

    I don’t suppose anyone else has run into this issue and has any workarounds?


  • Senior Developer

    @Brian-David alright, thanks for testing. This will require a bit more work than I was hoping for it seems.



  • @joe-schmitt Followed your instructions, but unfortunately I am getting the same FIPS error when the client tries to authenticate:

    11/15/2017 8:44 AM Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
    

  • Senior Developer

    @Brian-David thanks for the logs, could you try installing a new nightly build? Steps are as follows:

    1. Uninstall the client on a computer
    2. Under the computer’s host page in the fog dashboard, hit Reset Encryption Data
    3. Download and run: https://build.jbob.io/Client/nightly/11-13-2017-pci-compliance-01/SmartInstaller.exe
    4. Restart the computer

    It will likely still fail, but it should be a step in the right direction.



  • @joe-schmitt I followed your instructions, but the FOG Service won’t start after the .dll file is replaced. There were two relevant errors in the event log.

    First:

    Log Name:      Application
    Source:        .NET Runtime
    Date:          11/6/2017 8:24:03 AM
    Event ID:      1026
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:     xxx
    Description:
    Application: FOGService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.IO.FileLoadException
       at Zazzles.Settings..cctor()
    
    Exception Info: System.TypeInitializationException
       at Zazzles.Settings.get_Location()
       at FOG.Program.Main()
    
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name=".NET Runtime" />
        <EventID Qualifiers="0">1026</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-06T14:24:03.000000000Z" />
        <EventRecordID>4459</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Application: FOGService.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.IO.FileLoadException
       at Zazzles.Settings..cctor()
    
    Exception Info: System.TypeInitializationException
       at Zazzles.Settings.get_Location()
       at FOG.Program.Main()
    
    </Data>
      </EventData>
    </Event>
    

    Second:

    Log Name:      Application
    Source:        Application Error
    Date:          11/6/2017 8:24:18 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxx
    Description:
    Faulting application name: FOGService.exe, version: 0.0.0.0, time stamp: 0x58f267cf
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.18666, time stamp: 0x58f32841
    Exception code: 0xe0434352
    Fault offset: 0x00015608
    Faulting process id: 0xa6c
    Faulting application start time: 0x01d3570ae56270de
    Faulting application path: C:\Program Files (x86)\FOG\FOGService.exe
    Faulting module path: C:\Windows\SYSTEM32\KERNELBASE.dll
    Report Id: 2c30df72-c2fe-11e7-8288-408d5cd5089b
    Faulting package full name: 
    Faulting package-relative application ID: 
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-06T14:24:18.000000000Z" />
        <EventRecordID>4460</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>FOGService.exe</Data>
        <Data>0.0.0.0</Data>
        <Data>58f267cf</Data>
        <Data>KERNELBASE.dll</Data>
        <Data>6.3.9600.18666</Data>
        <Data>58f32841</Data>
        <Data>e0434352</Data>
        <Data>00015608</Data>
        <Data>a6c</Data>
        <Data>01d3570ae56270de</Data>
        <Data>C:\Program Files (x86)\FOG\FOGService.exe</Data>
        <Data>C:\Windows\SYSTEM32\KERNELBASE.dll</Data>
        <Data>2c30df72-c2fe-11e7-8288-408d5cd5089b</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
    

  • Senior Developer

    @Brian-David could you test this build https://build.jbob.io/Zazzles/nightly/PCI-Compliance-01/Zazzles.dll

    To test:

    • stop the client: net stop fogservice
    • replace C:\Program Files (x86)\FOG\Zazzles.dll with the file I linked to
    • start the client: net start fogservice

    And then monitor the client logs / behavior for any more issues.


  • Senior Developer



  • @joe-schmitt Okay, sounds good. I’ll keep an eye out on future updates and I appreciate the work you do.


  • Senior Developer

    @brian-david said in Problems with FOG client and FIPS validation:

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

    The FOG Client uses a Managed AES Rijndael cipher to handle encryption and decryption. The issue you are facing is that the .NET RijndaelManaged implementation has not been certified by NIST (National Institute of Standards and Technology), which is a requirement for FIPS (Federal Information Processing Standard). Any workarounds that exist would likely break PCI compliance.

    I should be able to rewrite the client’s encryption methods to strictly use FIPS certified .NET code. It may require some work to do, so I can’t promise any timeline on this.
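    An added illustration of the distinction above (example code, not the FOG client's or Zazzles' own): under the Windows FIPS policy the purely managed Rijndael class refuses to construct, while the CAPI-backed AES provider from the same namespace completes the same CBC round trip. It assumes .NET Framework on Windows; the class name FipsAesDemo and the helper RoundTrip are constructed for this demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed demo: same AES-CBC round trip with the non-validated managed
// cipher and with the FIPS-validated CAPI-backed provider.
static class FipsAesDemo
{
    // Encrypt then decrypt with whichever SymmetricAlgorithm we are handed.
    static bool RoundTrip(SymmetricAlgorithm aes, byte[] key, byte[] iv, string plaintext)
    {
        aes.Key = key; aes.IV = iv;
        aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        byte[] input = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipherText;
        using (var enc = aes.CreateEncryptor())
            cipherText = enc.TransformFinalBlock(input, 0, input.Length);
        byte[] output;
        using (var dec = aes.CreateDecryptor())
            output = dec.TransformFinalBlock(cipherText, 0, cipherText.Length);
        return Encoding.UTF8.GetString(output) == plaintext;
    }

    static void Main()
    {
        // Reports whether the machine-wide FIPS policy (the GPO in this thread) is in force.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] key = new byte[32], iv = new byte[16];   // AES-256 key, 16-byte IV
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(key); rng.GetBytes(iv); }

        try
        {
            // Managed Rijndael is not on the validated list: with the policy on,
            // the constructor throws InvalidOperationException with the message
            // seen in the client log above.
            using (var managed = new RijndaelManaged())
                Console.WriteLine("RijndaelManaged OK: " + RoundTrip(managed, key, iv, "hello"));
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("RijndaelManaged blocked: " + ex.Message);
        }

        // CAPI-backed AES comes from a validated module, so it works either way.
        using (var capi = new AesCryptoServiceProvider())
            Console.WriteLine("AesCryptoServiceProvider OK: " + RoundTrip(capi, key, iv, "hello"));
    }
}
```

    The same CBC/PKCS7 parameters are used for both classes, so data encrypted by one can be decrypted by the other; swapping the implementation does not by itself change the wire format.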


  • Moderator

    @Joe-Schmitt You better take a look at this one.

