Which implementation of SHA256 should I use on a FIPS enabled system?

  • Question

  • Hello,

    I am trying to figure out which SHA256 implementation I should use on a FIPS enabled environment. I have done some research, and everything points to my being able to use the SHA256CryptoServiceProvider or SHA256Cng classes in the System.Security.Cryptography namespace.

    See: http://support.microsoft.com/kb/811833

    Microsoft .NET Framework applications such as Microsoft ASP.NET only allow for using algorithm implementations that are certified by NIST to be FIPS 140 compliant. Specifically, the only cryptographic algorithm classes that can be instantiated are those that implement FIPS-compliant algorithms. The names of these classes end in "CryptoServiceProvider" or "Cng". Any attempt to create an instance of other cryptographic algorithm classes, such as classes with names ending in "Managed", causes an InvalidOperationException exception to occur. Additionally, any attempt to create an instance of a cryptographic algorithm that is not FIPS compliant, such as MD5, also causes an InvalidOperationException exception.

    As you can see, the guidance from Microsoft is that you can use the SHA256Cng or any algorithm class with the "Cng" or "CryptoServiceProvider" suffix.

    However, when I try to instantiate the SHA256Cng or SHA256CryptoServiceProvider, I get the error that I would normally get if I were instantiating a non-FIPS implementation of the algorithm.

    What I am looking for is a way to compute a SHA-256 hash in a FIPS enabled environment. If it happens that I can only do that through some other method, and not the System.Security.Cryptography classes, I would like to know about it.

    Note: I do not have any problem creating an AES crypto object by using AesCryptoServiceProvider.Create().

    Thanks,

    Aron
    Thursday, May 6, 2010 8:49 PM
    Thursday, May 6, 2010 8:49 PM

Answers

  • I cannot reproduce the issue on my Windows 7 box (Windows 7 Ultimate)... SHA256CryptoServiceProvider works as expected regardless of whether FIPS is enabled or not.

    My test code is the following:

      using System;
      using System.Security.Cryptography;
      using System.Text;
      class Program {
       static void Main (string [] args) {
        // Instantiate the CSP wrapper directly; it is the OS-backed implementation the FIPS policy allows.
        SHA256CryptoServiceProvider provider = new SHA256CryptoServiceProvider ();
        byte [] hash = provider.ComputeHash (Encoding.Unicode.GetBytes ("Hello World"));
        Console.WriteLine (BitConverter.ToString (hash));
        Console.ReadLine ();
       }
      }

    HTH
    --mc

    • Marked as answer by Aron Weiler Friday, May 7, 2010 11:12 PM
    Friday, May 7, 2010 8:42 PM

All replies

  • Aron,
    as far as I know, FIPS compliant algorithms in .NET are not implemented directly in the framework, but rely on the implementation provided by the OS. Absence of support by the OS may well generate the same exception.

    According to the table found on the .NET Security Blog, support for XP is extremely limited and seems to match what you are seeing (i.e. AES ok but no support for SHA256CryptoServiceProvider or any of the *Cng functions).

    Sorry for the bad news.
    --mc

    Friday, May 7, 2010 12:10 AM
  • So, I should have mentioned this in my first post, but I am running this on Windows Server 2003, which should have support for the FIPS compliant SHA256 algorithm.

    I've also tested this on my Windows 7 machine, and confirmed that I get the same error when it comes to trying to instantiate a SHA256Cng or SHA256CryptoServiceProvider class.

    The .NET Security Blog post clearly states that the SHA-2 implementation (which contains SHA-256) will work with FIPS turned on.

    The big advantage here is that these hash algorithms are just wrappers around the Windows implementations of the algorithms, and therefore are FIPS compliant versions of the SHA-2 algorithms which had only managed versions in v2.0.

    So, I'm still not seeing a reason that the SHA256CryptoServiceProvider would not work in FIPS mode.

    Friday, May 7, 2010 5:55 PM
  • I want to thank you for posting the code... I'm an idiot. I've been using the static SHA256CryptoServiceProvider.Create() method, which apparently only uses the Managed version of the SHA-256 algorithm.

    Newing up a SHA256CryptoServiceProvider instance itself actually works.

    Thanks again!

    • Proposed as answer by Gerboa Monday, September 24, 2012 11:05 AM
    Friday, May 7, 2010 11:14 PM
  • What about this?

    When I turn on the FIPS mode: http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

    and use the FIPS compliant implementation of SHA512 as shown below, it throws an exception (target invocation...):

    Dim s As System.Security.Cryptography.HashAlgorithm = System.Security.Cryptography.SHA512CryptoServiceProvider.Create()

    How can I use this FIPS compliant SHA512CryptoServiceProvider hashing without exception when the FIPS mode is turned on?

    Environment: Windows 7. Asp.net 3.5/4.

    FIPS MODE : ENABLED

    Any recommendation is appreciated.

    Thanks,

    Isaac

    Isaac G

    Friday, February 10, 2012 4:45 PM
  • You are not using an instance of SHA512CryptoServiceProvider: the Create method is just inherited from the base class (SHA512). As the documentation will tell you, that method just returns an instance of the managed algorithm by default, and that will cause the method to throw when used with FIPS compliance enabled.

    If you want an instance of SHA512CryptoServiceProvider, the simplest way is to just instantiate one as in:

    Dim s As System.Security.Cryptography.HashAlgorithm = New System.Security.Cryptography.SHA512CryptoServiceProvider

    HTH
    --mc

    Friday, February 10, 2012 6:17 PM
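An added C# example (not code from this thread) that makes the point above concrete: the static Create() that SHA256CryptoServiceProvider and SHA512CryptoServiceProvider inherit from their base classes resolves through CryptoConfig to the managed implementation, whereas constructing the CryptoServiceProvider class directly gives the OS-backed one. It also reads CryptoConfig.AllowOnlyFipsAlgorithms so you can tell whether the FIPS policy is in force; the class and method names are my own.

```csharp
// Added example for a .NET Framework console project; not code from the thread.
// Run it once with the FIPS policy off and once with it on to see the difference.
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsHashDemo
{
    // Returns the OS-backed SHA-256 wrapper. On .NET Framework this is the
    // implementation the FIPS policy permits; the *Managed classes throw when it is on.
    public static HashAlgorithm CreateFipsSha256()
    {
        return new SHA256CryptoServiceProvider();
    }

    // Reports what the inherited static factory actually hands back.
    // SHA256CryptoServiceProvider.Create() is just SHA256.Create(), which maps
    // through CryptoConfig to SHA256Managed by default, so with the FIPS policy
    // enabled the managed constructor throws InvalidOperationException.
    public static string DescribeStaticCreate()
    {
        try
        {
            using (HashAlgorithm h = SHA256CryptoServiceProvider.Create())
                return "Create() returned " + h.GetType().Name;
        }
        catch (InvalidOperationException ex)
        {
            return "Create() threw InvalidOperationException: " + ex.Message;
        }
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine(DescribeStaticCreate());

        byte[] data = Encoding.Unicode.GetBytes("Hello World");
        using (HashAlgorithm h = CreateFipsSha256())
        {
            Console.WriteLine(h.GetType().Name + ": " + BitConverter.ToString(h.ComputeHash(data)));
        }
    }
}
```

The same pattern applies to SHA512CryptoServiceProvider and the *Cng classes: construct the wrapper type directly rather than calling the inherited Create().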
  • Hi Mario,

    Thank you, I just thought about that and you also posted the same solution and that confirms my idea. Well, I wouldn't have realized how that worked but you gave me a good explanation on why the Create method would not work.

    "that method just returns an instance of the managed algorithm by default, and that will cause the method to throw when used with FIPS compliance enabled."

    I do really appreciate your response. Have a good weekend.

    Isaac G

    Friday, February 10, 2012 7:24 PM