Using MD5 for the FileCacheHash causes exception to be thrown if FIPS compliance group policy is enabled #182

Closed
RPrimrose opened this issue Nov 3, 2015 · 4 comments

Comments

@RPrimrose

Hi,
we recently tried installing an application using ReactJS.NET on a machine with the "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" Group Policy enabled. There's more information on that policy here https://support.microsoft.com/en-us/kb/811833

The policy is causing the following exception to be thrown "System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithm" when trying to render components.

The issue is that in FileCacheHash.cs the hash algorithm used is MD5 and this isn't certified as FIPS compliant.

I believe it's a one-line change to fix this; I've tested changing the creation of _hash to
private readonly HashAlgorithm _hash = SHA512.Create("System.Security.Cryptography.SHA512CryptoServiceProvider"); and that seems to work fine.

If that change sounds reasonable let me know and I'll submit a pull request.

(You can recreate this error by following the instructions to turn on the group policy at http://stackoverflow.com/a/13635742 and then trying to render any MVC page that includes a @HTML.React() line in it.)

@Daniel15
Member

Daniel15 commented Nov 3, 2015

Interesting, I didn't know about that setting. I used MD5 because it's fast and fine to use for file hashing (doesn't need to be cryptographically secure) but it's probably fine to change it to SHA512 instead. Feel free to send a pull request 😄

Do you know which algorithms are allowed when FIPS-compliant algorithms are enforced? I think using whichever one is fastest would be sufficient for this use case.

@RPrimrose
Author

Yeah, it was a new one to me as well.

Strangely MSDN doesn't seem to have an official list of FIPS-compliant algorithms but http://blogs.msdn.com/b/icumove/archive/2009/01/31/working-with-fips-in-net-c.aspx has some info.

I've gone with SHA1Cng in the pull-request, should be a bit faster than SHA512.

@PeteDuncanson

This one's gold dust. Great find.

@Daniel15
Member

Daniel15 commented Nov 8, 2015

Fixed in 96b6f56, thanks @RPrimrose!

@Daniel15 Daniel15 closed this as completed Nov 8, 2015
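
An added illustration of the change discussed in this thread, not ReactJS.NET's own code: a cache-hash helper that uses a CNG-backed provider instead of MD5, plus a probe that reproduces the failure when the FIPS policy is on. The class and method names are hypothetical, and the code assumes .NET Framework on Windows with a reference to System.Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not the project's FileCacheHash): hashes file contents
// to build a cache-validation token without using MD5.
public static class FipsSafeCacheHash
{
    // SHA1Cng is the class chosen in the thread's pull request. It calls into
    // Windows CNG, so it can be constructed while the FIPS policy is enforced.
    // SHA256Cng is a drop-in alternative where collision resistance matters.
    private static HashAlgorithm CreateHash()
    {
        return new SHA1Cng();
    }

    // Returns the lowercase hex digest of the given contents.
    public static string Compute(string contents)
    {
        using (HashAlgorithm hash = CreateHash())
        {
            byte[] digest = hash.ComputeHash(Encoding.UTF8.GetBytes(contents));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Reproduces the failure from the issue: under the policy, constructing
    // the MD5 provider throws InvalidOperationException before any hashing.
    public static bool Md5IsBlocked()
    {
        try
        {
            using (new MD5CryptoServiceProvider()) { return false; }
        }
        catch (InvalidOperationException)
        {
            return true;
        }
    }

    public static void Main()
    {
        // AllowOnlyFipsAlgorithms reflects the Group Policy / registry setting.
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        Console.WriteLine("MD5 blocked:          " + Md5IsBlocked());
        // Constructed sample input standing in for a JSX file's contents.
        Console.WriteLine("Cache hash:           " + Compute("var Hello = React.createClass({});"));
    }
}
```

Running this once with the policy off and once with it on shows the MD5 probe flip while the cache hash stays identical, which is a quick regression check for builds deployed to locked-down machines.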