1

I am looking for a FIPS validated hash algorithm to store passwords in the database. I used the following code, but I still get the error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

using System.Security.Cryptography;
using System.Text;

// Hash the password with the CSP-backed SHA-1 provider (the class the question uses);
// strPassword is the plaintext password already held by the calling code.
SHA1CryptoServiceProvider Testsha1 = new SHA1CryptoServiceProvider();
UTF8Encoding encoder = new UTF8Encoding();
byte[] hashed = Testsha1.ComputeHash(encoder.GetBytes(strPassword));

// Render the digest as lowercase hex.
StringBuilder sb = new StringBuilder();
for (int i = 0; i < hashed.Length; i++)
{
    sb.Append(hashed[i].ToString("x2"));
}
string Password = sb.ToString();
mkj
Macnique
  • Where exactly do you see that error message? – n8wrl Sep 21 '11 at 19:13
  • @n8wrl that exception is thrown by some Security Classes, like SHA1Managed, when the EnableFIPS security policy is enforced. – vcsjones Sep 21 '11 at 19:16
  • I did see the error when I try to run my web application. – Macnique Sep 21 '11 at 19:17
  • @Macnique - That code posted should not cause that exception - `SHA1CryptoServiceProvider` will use Window's CSP. Please verify that in the stack trace, and post it in your question as well. – vcsjones Sep 21 '11 at 19:17
  • @vcsjones I am using SHA1 as I read that it's FIPS compliant. Does it have something to do with the IIS? – Macnique Sep 21 '11 at 19:42
  • It looks like adding the following in web.config under the system.web section solved my problem – Macnique Sep 22 '11 at 20:00

3 Answers

3

Plain SHA-1 should not be used to store passwords. PBKDF2 is a good choice. In .NET you can use it with the Rfc2898DeriveBytes class. See https://security.stackexchange.com/questions/2131/reference-implementation-of-c-password-hashing-and-verification/2136#2136

You might need to change the underlying hash function to SHA-256. From what I remember SHA-1 isn't NIST approved.

CodesInChaos
  • SHA1 is acceptable by NIST (part of FIPS Pub 180) - it would be nice if Microsoft gave control of the HMAC algorithm used for it to use SHA256. Microsoft's implementation of it in the CSP is [140-2 approved](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2004.htm#405). – vcsjones Sep 21 '11 at 19:28
  • It looks like adding the following in web.config under the system.web section solved my problem – Macnique Sep 22 '11 at 20:02
2

Adding the following line in web.config under system.web section

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>

solved my problem

Macnique
0

I am looking for a FIPS validated hash algorithm to store passwords in the database.

Use one of the hashes from the SHA-2 family. For example, SHA256.

Do not use a managed class - they are not FIPS validated. Instead, use SHA256CryptoServiceProvider and friends.

jww