3

I have a C# website where I need to create a md5 hash value for a file but my web server has FIPS enabled. Changing to md5 is not an option due to server requirements and for some reason changing the file to FIPS its also out of the table.

Can I create a small desktop or command application where I am able to setup the hash value manually? Is there any alternative to accomplish this task?

Edgar J. Rodriguez
  • 285
  • 1
  • 2
  • 13
  • 1
    You can import, or write, a custom implementation of the MD5 algorithm. FIPS only disables the official .NET framework objects which perform this task. There are probably several other implementations available; find one, drop it in. – RogerN Feb 15 '17 at 18:11
  • 1
    Possible duplicate of [Is there an alternate hashing algorithm to MD5 for FIPS-enabled systems?](https://stackoverflow.com/questions/4893088/is-there-an-alternate-hashing-algorithm-to-md5-for-fips-enabled-systems) – Frédéric Jul 16 '18 at 15:45

2 Answers2

3

Yeah this is important because sometimes you need to transfer passwords into the new format. I have a large database of user accounts that all use MD5, and our new server has FIPS enabled in secpol. So how can one verify that the user/pass combo provided is valid and needs converted, if one cannot create an MD5 hash...

I have found an alternative library to get the job done. https://rosettacode.org/wiki/MD5/Implementation#C.23

And you can source the additional required items from here: https://github.com/webbers/dongle.net/tree/master/src/Dongle/Criptography

Barry
  • 362
  • 3
  • 14
  • 1
    If you work around the block of MD5 then you are not compliant with FIPS. – HackSlash Apr 30 '20 at 17:04
  • Of course, but if you are to convert, as stated above, non-compliant passwords, which are by nature a one way hash, you must be able to validate them once, then convert them using raw text from input form. Meaning you require Md5, to remove Md5. Hence my need for this solution, and hence my solution. You are not wrong. – Barry May 01 '20 at 18:15
  • 1
    I would never handle the raw text or conversion. Simply force all users to change their passwords. As you're not doing a verification that the password has actually changed, they could just pick the same password. You don't care because you only want to update the hash anyways. – HackSlash May 04 '20 at 15:11
  • Perhaps I'm missing something, but are you suggesting that regardless of user count, you force all users in a mass email of sorts to update their passwords? Because if you cannot verify their md5 legacy password, how are you to provision authenticity for them to perform a password change against their own account? Strange. In general I agree with you. But I believe we are now tangential to the topic being asked and answered. Ethics vs Reality is not something I care to divulge into at this time. Good day. – Barry May 04 '20 at 18:01
1

.net 4.8 allows you to opt out of the "throw exception" behavior

<runtime>
<AppContextSwitchOverrides value="Switch.System.Security.Cryptography.UseLegacyFipsThrow=false" />
</runtime>

https://learn.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.7.2-4.8

Mark Nadig
  • 4,901
  • 4
  • 37
  • 46
  • Not sure this is correct, 4.8 automatically opts you out, you can opt back in by setting to true or prior to 4.8 opt out by setting to false. Also I think that's only if you are using SHA managed library, not Md5. – alanh Oct 06 '21 at 22:31