27

Whenever I try to use MD5 on a Windows XP machine that has FIPS enabled, I am getting a System.InvalidOperationException.

Is there an alternate algorithm that I should use instead of MD5 on FIPS?

Cody Gray - on strike
qazwsx
  • QUICK NOTE: If FIPS Algorithm Policy is enabled on your Windows Server, the default Cryptography Providers located within System.Cryptography library will SHUT OFF. Keep this in mind when choosing solutions because System.Cryptography providers will NO LONGER be available. TO SEE POLICY STATUS: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy – Prisoner ZERO Feb 08 '17 at 14:20
  • [This answer](/a/42568009/1178314) on a duplicated question provides an alternative. – Frédéric Jul 16 '18 at 15:46

4 Answers

20

MD5 is not FIPS compliant. Instead of MD5, you can use one of the following hashing algorithms:

Borja
  • 3
    HMACSHA1 and MACTripleDES are both keyed, and serve a different purpose to plain hashes. They're not really direct replacements for MD5. – LukeH Feb 04 '11 at 00:23
  • You are right, but using a constant key can be enough to be a valid replacement. The SHA1CryptoServiceProvider is probably the most appropriate in this case. All the HMACSHAxxx need a key :( – Borja Feb 04 '11 at 08:47
  • Going with SHA1CryptoServiceProvider – qazwsx Feb 04 '11 at 13:44
  • @qazwsx: Why are you choosing not to go with `SHA512CryptoServiceProvider`? As I said before, I can't think of a compelling reason *not* to use SHA512. It's far more secure than SHA1, which has almost certainly been deprecated among security professionals. I imagine that future implementations of FIPS will disallow it as well. – Cody Gray - on strike Feb 05 '11 at 04:51
  • MD5 is a 128-bit algorithm, so if MD5 was enough, SHA1 will be enough too, because it is a 128-bit algorithm too. It's true that SHA1 is not a very secure hashing algorithm, maybe we can say that it is insecure, and maybe it's true, but it is at least more secure than the initial algorithm, MD5. In some applications where you only want to have non-plain text, it can be enough; it's quick and small. You can always use a stronger version of the SHA algorithm as you suggest; if the security is important you should do it. – Borja Feb 05 '11 at 13:32
  • @Borja: Maybe you didn't read the question. The MD5 was **not** enough. It fails to comply with FIPS standards for a reason. There's absolutely no reason to ever use anything but the most secure algorithm possible. It doesn't require any extra work, it's already built in to the Framework. All you have to do is type a different number. I don't really know what your point is about SHA1 being more secure than plain text. Yeah, sure, but that's not the standard by which we measure encryption. This is just generally bad advice. – Cody Gray - on strike Feb 08 '11 at 23:47
  • 8
    @CodyGray it's simply not true that there is 'absolutely no reason to ever use anything but the most secure algorithm' - security is always a tradeoff, and depending on the application, you need to consider such things as performance, storage requirements and interoperability – Cocowalla Aug 20 '12 at 18:08
  • 5
    @Cody Gray: Sometimes hashes are simply hashes for comparing fingerprints, not security-related or password hashes. – Scott Stafford Sep 11 '14 at 19:08
  • 2
    Be mindful of the context, @Scott. The question is about meeting mandated FIPS standards. – Cody Gray - on strike Sep 11 '14 at 20:30
  • 1
    I came across this post because I'm deploying to a FIPS-mandated machine. Here, the particular use case doesn't require strong cryptographic security, even though the machine simply blacklists MD5. Which, in my case, is overboard and a nuisance. – Scott Stafford Sep 12 '14 at 01:04
  • I can see blacklisting MD5 for new hashes...but can you still check an MD5 hash that was PREVIOUSLY GENERATED back when MD5 was still recommended? – Jens Fiederer Mar 04 '19 at 14:18
  • 1
    @JensFiederer the answer is "no". You are only allowed to use FIPS validated methods. For example, when you enable FIPS mode on Windows it actually blocks certain functions, like MD5, so the software will just crash if it's not expecting the hash to throw an exception. Happens all the time. – HackSlash Mar 10 '21 at 22:15
13

When you enforce FIPS compliance in the Windows security policy settings, you're asserting that you are only going to use FIPS-certified encryption and hashing algorithms. MD5 is not one of these approved hashing algorithms, and that's why the exception is being thrown.

The workaround is simple: choose a different hashing algorithm. The .NET Framework provides plenty of other options in the System.Security.Cryptography namespace. Select one of the SHA family of algorithms. I can't imagine any reason you would have to use MD5 as opposed to one of the alternatives.

Cody Gray - on strike
  • 1
    Are they all FIPS compliant or which one is a better alternative to MD5 that is FIPS compliant? – qazwsx Feb 03 '11 at 23:56
  • 2
    @qazwsx: Any of the SHA family is FIPS compliant. They're sorted in alphabetical order on the page, so you'll see the whole group towards the bottom. I don't know any compelling reason not to use SHA512. – Cody Gray - on strike Feb 03 '11 at 23:57
  • 14
    @CodyGray "I can't imagine any reason you would have to use MD5 as opposed to one of the alternatives." When interacting with a third party system that wants something MD5 hashed. – Micah Zoltu Jul 09 '15 at 15:58
  • If FIPS Algorithm Policy is enabled on your Windows Server, the default Cryptography Providers located within System.Cryptography library will SHUT OFF. – Prisoner ZERO Feb 08 '17 at 14:22
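
A start-up check for the behaviour discussed in this answer and its comments, as an added example (not code from any of the posters): it reports whether FIPS policy is enforced, probes which hash providers can be constructed, and hashes with `SHA512CryptoServiceProvider`. The class and method names are assumptions for illustration, and the code targets .NET Framework.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; targets .NET Framework.
static class FipsHashCheck
{
    // True if the provider can be constructed under the current policy.
    // With FIPS policy on, non-approved providers such as MD5 throw
    // InvalidOperationException from their constructor.
    static bool IsUsable(Func<HashAlgorithm> factory)
    {
        try { using (factory()) { return true; } }
        catch (InvalidOperationException) { return false; }
    }

    // Probe providers once at start-up instead of failing mid-request.
    public static Dictionary<string, bool> ProbeProviders()
    {
        return new Dictionary<string, bool>
        {
            { "MD5",    IsUsable(() => new MD5CryptoServiceProvider()) },
            { "SHA1",   IsUsable(() => new SHA1CryptoServiceProvider()) },
            { "SHA256", IsUsable(() => new SHA256CryptoServiceProvider()) },
            { "SHA512", IsUsable(() => new SHA512CryptoServiceProvider()) },
        };
    }

    // Hex SHA-512 digest of a stream, using the provider suggested above.
    public static string Sha512Hex(Stream data)
    {
        using (var sha = new SHA512CryptoServiceProvider())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }

    static void Main()
    {
        Console.WriteLine("FIPS policy enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        foreach (var p in ProbeProviders())
            Console.WriteLine(p.Key + " usable: " + p.Value);

        // Constructed sample input.
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes("sample data")))
            Console.WriteLine("SHA512: " + Sha512Hex(ms));
    }
}
```
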
7

You can use MD5Digest from Org.BouncyCastle.Crypto.Digests

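```csharp
using Org.BouncyCastle.Crypto.Digests;      // MD5Digest
using Org.BouncyCastle.Utilities.Encoders;  // Hex

// Wrapper class added so the snippet compiles; the name is illustrative.
public class Md5Hasher
{
    // DoFinal resets the digest, so one instance can be reused across calls.
    private readonly MD5Digest hash = new MD5Digest();

    // Returns the raw 16-byte MD5 digest of the input bytes.
    public byte[] Hash(byte[] input)
    {
        hash.BlockUpdate(input, 0, input.Length);
        byte[] result = new byte[hash.GetDigestSize()];
        hash.DoFinal(result, 0);
        return result;
    }

    // Returns the upper-case hex MD5 digest of the string.
    // Encoding.Unicode is UTF-16LE, so the digest differs from one
    // computed over the UTF-8 bytes of the same string.
    public string Hash(string input)
    {
        var data = System.Text.Encoding.Unicode.GetBytes(input);
        hash.BlockUpdate(data, 0, data.Length);
        byte[] result = new byte[hash.GetDigestSize()];
        hash.DoFinal(result, 0);

        return Hex.ToHexString(result).ToUpper();
    }
}
```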
ManishM
3

For cryptographic hashing purposes, you can use SHA1, SHA2, or SHA3, with HMAC if desired.

If you want to use MD5 for non-cryptographic purposes, then that is fine, but you will need to provide your own implementation. Examples include:

  • Hashing files to determine duplicates
  • Internal hash table implementations
  • Validating files from their provided MD5 hashes

The last point is questionable; validating SHA1/SHA2 hashes would be better, and it depends on the validation (e.g. was it corrupted in transit vs. packet authentication).

tshort