I never realized this before this question, but you're right. The constructor has this:

在提出这个问题之前我从未意识到这一点，但你是对的。构造函数有这个：

public RijndaelManaged()
{
    if (Utils.FipsAlgorithmPolicy == 1)
    {
        throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
    }
}

System.Security.Cryptography.AesManagedhas something similar:

System.Security.Cryptography.AesManaged有类似的东西：

public AesManaged()
{
    if (CoreCryptoConfig.EnforceFipsAlgorithms)
    {
        throw new InvalidOperationException(SR.GetString("Cryptography_NonCompliantFIPSAlgorithm"));
    }
    this.m_rijndael = new RijndaelManaged();
    this.m_rijndael.BlockSize = this.BlockSize;
    this.m_rijndael.KeySize = this.KeySize;
}

Have you tried System.Security.Cryptography.AesCryptoServiceProvider? It should work since it's using the CAPIbased FIPS AES implementation built into Windows.

你试过System.Security.Cryptography.AesCryptoServiceProvider吗？它应该可以工作，因为它使用Windows 内置的基于CAPI的 FIPS AES 实现。

This questionon Microsoft's .NET Base Class Library forum discusses which algorithms are FIPS compliant and has good links.

Microsoft 的 .NET 基类库论坛上的这个问题讨论了哪些算法符合 FIPS 并且具有良好的链接。

It appears that Microsoft is making a consistent effort to obey the settingof HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy on pre-Vista machines and use of the BCryptGetFipsAlgorithmModeAPI for post-Vista.

微软似乎一直在努力遵守Vista 之前机器上的 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy的设置，并在 Vista 之后使用BCryptGetFipsAlgorithmModeAPI。

I assume there is non-trivial effort involved in certifying an implementation as FIPS compliant, that is why Microsoft probably doesn't want to repeat the process and only offers the AesCryptoServiceProvider for customers that absolutely need this requirement.

我认为将实现认证为符合 FIPS 需要付出不小的努力，这就是为什么 Microsoft 可能不想重复该过程并且只为绝对需要此要求的客户提供 AesCryptoServiceProvider。

This MSDN blog posthas a comment that makes it clearer:

这篇 MSDN 博客文章有一条评论更清楚：

The easy way to figure out if an algorithm is compliant or not is to look at the suffix. None of the *Managed types are FIPS certified. The *CryptoServiceProvider and *Cng types however, may well be FIPS certified. If they implement an algorithm that FIPS allows, and are using the default Microsoft providers, then they will be.

For instance, SHA256Managed is not (because it is *Managed). SHA256CryptoServiceProvider and SHA256Cng are.
MD5CryptoServiceProvider is not (because MD5 is not a FIPS algorithm).

确定算法是否合规的简单方法是查看后缀。*Managed 类型均未经过 FIPS 认证。然而，*CryptoServiceProvider 和 *Cng 类型很可能是 FIPS 认证的。如果他们实施 FIPS 允许的算法，并使用默认的 Microsoft 提供程序，那么他们将会这样做。

例如，SHA256Managed 不是（因为它是 *​​Managed）。SHA256CryptoServiceProvider 和 SHA256Cng 是。
MD5CryptoServiceProvider 不是（因为 MD5 不是 FIPS 算法）。

The unmanaged AesCryptoServiceProvider is certified if the OS itself is certified as it calls the OS. And it will be a darned site quicker as well, at the cost of cross platform compatibility.

如果操作系统本身在调用操作系统时获得认证，则非托管 AesCryptoServiceProvider 将获得认证。它也会更快地成为一个该死的站点，代价是跨平台兼容性。

My site had to get a waver for FIPS compliance in .net.

我的网站不得不对 .net 中的 FIPS 合规性有所动摇。

This problem is much more complex than most of those responding understand. Here is the true reason why most of people's answers just won't work (I just spent a nearly 48-hour marathon session trying to understand and fix this problem):

这个问题比大多数响应者所理解的要复杂得多。这是大多数人的答案不起作用的真正原因（我刚刚花了近 48 小时的马拉松会议试图理解和解决这个问题）：

1. C# Under Windows has basically 3 encryption providers that "support" AES: RijndaelManaged, AesManaged, AesCryptoServiceProvider.
2. RijndaelManaged implements the full Rijnadael Algorithm (All Options) and so it is a super-set of AES capabilities; however, it is not certified FIPS compliant (because it is capable of doing things not in the FIPS-approved AES specification, like having block size other than 128 bits)
3. AesManaged is nothing more than a decorator/wrapper over RijndaelManaged that restrict it to a block-size of 128 bits, but, because RijndaelManaged is not FIPS approved, neither is AesManaged
4. AesCryptoServiceProvider is a C# wrapper over the C-library on Windows for AES that IS FIPS approved; however, in CFB Mode, it only supports 8|16|24|32|40|48|56|64 bits for the FeedbackSize (I can find no documentation that says that FIPS is restricted thusly, so, it's questionable how AesCryptoServiceProvider passsed the FIPS certification - probably somebody played midnight golf with someone else to have it pushed through the certification)
5. If FIPS mode is turned on on Windows, then RijndaelManaged (and thereby AesManaged) will throw and exception saying they are not FIPS compliant when you attempt to instantiate them.
6. Some things require AES-128 with CFB of 128-bits FeedbackSize (e.g. SNMPv3 AES according the the RFC).

1. Windows 下的 C# 基本上有 3 个“支持”AES 的加密提供程序：RijndaelManaged、AesManaged、AesCryptoServiceProvider。
2. RijndaelManaged 实现了完整的 Rijnadael 算法（所有选项），因此它是 AES 功能的超集；但是，它没有经过认证的 FIPS 兼容（因为它能够执行 FIPS 批准的 AES 规范中没有的事情，例如具有 128 位以外的块大小）
3. AesManaged 只不过是 RijndaelManaged 上的装饰器/包装器，将其限制为 128 位的块大小，但是，由于 RijndaelManaged 未获得 FIPS 批准，因此 AesManaged 也未获得批准
4. AesCryptoServiceProvider 是 Windows 上 C 库的 C# 包装器，用于 FIPS 批准的 AES；但是，在 CFB 模式下，它仅支持 8|16|24|32|40|48|56|64 位的 FeedbackSize（我找不到任何说明 FIPS 受到如此限制的文档，因此，AesCryptoServiceProvider 如何通过FIPS 认证 - 可能有人和其他人打过午夜高尔夫球以通过认证）
5. 如果 FIPS 模式在 Windows 上打开，那么当您尝试实例化它们时，RijndaelManaged（以及 AesManaged）将抛出异常并指出它们不符合 FIPS。
6. 有些东西需要 AES-128 和 128 位反馈大小的 CFB（例如，根据 RFC 的 SNMPv3 AES）。

So, if you are in an environment where the following is true:

因此，如果您处于以下情况为真的环境中：

1. You need AES-128 with CFB-128 (SNMPv3 for example)
2. You need to do the Crypto from C# without using Non-Microsoft Libs
3. You need to have FIPS mode turned on on the OS (Gov't requirements for example)

1. 您需要 AES-128 和 CFB-128（例如 SNMPv3）
2. 您需要在不使用非 Microsoft Libs 的情况下从 C# 进行加密
3. 您需要在操作系统上打开 FIPS 模式（例如政府要求）

Then, your ONLY option (or at least the only I could find after extensive searching and much wailing and gnashing of teeth) is to use RijndaelManaged AND use the "<configuration> <runtime> <enforceFIPSPolicy enabled="false"/> <runtime> </configuration>" in the Application.exe.config to turn-off FIPS forced compliance for that particular application.

然后，你唯一的选择（或者至少我在广泛搜索和大量哀号和咬牙切齿之后唯一能找到的）是使用 RijndaelManaged 并使用<configuration> <runtime> <enforceFIPSPolicy enabled="false"/> <runtime> </configuration>Application.exe.config 中的“ ”来关闭 FIPS 强制合规性特殊应用。

What a nightmare! I hope this answer helps the next unfortunate soul to run into this problem.

什么样的恶梦！我希望这个答案可以帮助下一个不幸的灵魂遇到这个问题。

Keywords: Cisco IOS SNMPv3 FIPS AES 128 CFB 128 AesCryptoServiceProvider Rijndael

关键词：Cisco IOS SNMPv3 FIPS AES 128 CFB 128 AesCryptoServiceProvider Rijndael