FIPS-compliant HashAlgorithm on WinXP?
-
22-07-2019 - |
Question
How can I use C# on a FIPS-compliant WinXP SP2 box to uniquely hash the contents of a given file? I'm not concerned about performance (yet?).
Hopefully someone can point out an exception to the "rule", but it seems that the "*ServiceProvider" classes are FIPS-compliant and unavailable on WinXP, while the "*Managed" classes are available on WinXP and not FIPS-compliant.
And MD5 is out because it's not reliably unique (yes, even that small likelihood is unacceptable for my project).
Solution
It seems these are fips-compliant:
HMACSHA1, MACTripleDES, and SHA1CryptoServiceProvider
ref: http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html
OTHER TIPS
If all you need is a hashing provider that won't trip any errors when the Windows machine has the FIPS compliant policy setting in the registry turned on, then you can use SHA1CryptoServiceProvider, which is FIPS-compliant and only requires .Net 2.0 and XP SP2.
But - if you're actually needing a true FIPS-compliant implementation for security and policy reasons, then the short answer is either get the clients upgraded to Win XP SP3 (or newer OS) or look at using a third-party FIPS validated Cryptographic Service Providers (CSP).
While Win XP SP2 supports a FIPS compliant implementation of SHA1 (SHACryptoServiceProvider) that will work in FIPS compliant mode (registry setting), SHA1 is not supposed to be used for new implementations after 2010 and may no longer be FIPS compliant at all, depending on the usage (i.e. using for random number generation vs. hashing).
If you can get to at least XP SP3, then you can use SHA256CryptoServiceProvider or SHA512CryptoServiceProvider, which are both FIPS compliant.