I'm building a FIPS validated application and have the FIPS mode turned on on my computer. I need an HMAC function hopefully based on SHA512. I understand that the HMAC SHA1 function is FIPS validated but I have a hash function SHA512CryptoServiceProvider which is FIPS validated and I know that FIPS does in fact allow for SHA512. Is there a similar HMAC function in C# that does FIPS validated HMAC SHA512?
Asked
Active
Viewed 2,520 times
2 Answers
7
There is a HMACSHA512 Class, but it uses the SHA512Managed Class internally, which is not FIPS certified.
You could try to create your own HMACSHA512 Class based on the SHA512CryptoServiceProvider Class:
public class MyHMACSHA512 : HMAC
{
public MyHMACSHA512(byte[] key)
{
HashName = "System.Security.Cryptography.SHA512CryptoServiceProvider";
HashSizeValue = 512;
BlockSizeValue = 128;
Key = key;
}
}
dtb
- 213,145
- 36
- 401
- 431
-
Yah thats true the only problem with it is that with FIPS compatibility turned on it doesn't work. I need an HMAC SHA512 that is FIPS compatible. For instance, SHA512Cng breaks in FIPS compatibility mode, SHA512CryptoServiceProvider does not. HMACSHA512 breaks in FIPS compatibility mode HMACSHA1 does not. I would like to find an HMAC based on SHA512 that does not break FIPS compatibility. – hobeau Jan 31 '12 at 14:00
-
I see. The HMACSHA512 class internally uses the SHA512Managed class by default, which is not FIPS validated. You could try to create your own HMACSHA512 class based on the SHA512CryptoServiceProvider class. – dtb Jan 31 '12 at 14:22
-
Thanks for the response. I tried that method but I got exceptions. It looks like SHA512CryptoServiceProvider isn't a valid hash name http://msdn.microsoft.com/en-us/library/kczffhwa.aspx – hobeau Jan 31 '12 at 15:20
-
It seems you have to specify the class name including its namespace. http://msdn.microsoft.com/en-us/library/wet69s13.aspx – dtb Jan 31 '12 at 15:25
-
When we do this, we side-step the FIPS compatibility error, but is it truly FIPS-compatible? – tofutim Jan 24 '14 at 05:25
-
1HashName should be AssemblyQualifiedName. It would be better to write like this: `HashName = typeof(SHA256CryptoServiceProvider).AssemblyQualifiedName;` – Sergey Shandar May 19 '16 at 21:56
2
The following worked for me - I was able to create both an AES and SHA256 FIPS happy HMAC:
/// <summary>Computes a Hash-based Message Authentication Code (HMAC) using the AES hash function.</summary>
public class AesHmac : HMAC
{
/// <summary>Initializes a new instance of the AesHmac class with the specified key data.</summary>
/// <param name="key">The secret key for AesHmac encryption.</param>
public AesHmac(byte[] key)
{
HashName = "System.Security.Cryptography.AesCryptoServiceProvider";
HashSizeValue = 128;
BlockSizeValue = 128;
Initialize();
Key = (byte[])key.Clone();
}
}
/// <summary>Computes a Hash-based Message Authentication Code (HMAC) using the SHA256 hash function.</summary>
public class ShaHmac : HMAC
{
/// <summary>Initializes a new instance of the ShaHmac class with the specified key data.</summary>
/// <param name="key">The secret key for ShaHmac encryption.</param>
public ShaHmac(byte[] key)
{
HashName = "System.Security.Cryptography.SHA256CryptoServiceProvider";
HashSizeValue = 256;
BlockSizeValue = 128;
Initialize();
Key = (byte[])key.Clone();
}
}
Thanks, Ritchie
J. Ritchie Carroll
- 31
- 1