Is there a keyed SHA256 hash algorithm that is FIPS compliant for .NET?

Question

I am creating a keyed SHA256 hash using HMACSHA256 with the following code:

HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey);
byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));

string hashResult = string.Empty;
for (int i = 0; i < hash.Length; i++)
{
    hashResult += hash[i].ToString("x2"); // hex format
}

This is working just fine, however, it fails in a FIPS enabled environment because HMACSHA256 uses an underlying SHA256Managed implementation which is itself not FIPS compliant.

Searching through MSDN documentation I find that the only SHA256 implementation of KeyedHashAlgorithm is HMACSHA256.

I am required to sign web service requests with a keyed SHA256 hash (so I can't change the hash type), and I must be able to run in a FIPS enabled environment.

Googling shows that both SHA256CryptoServiceProvider and SHA256Cng are FIPS compliant ways to create SHA256 hashes, but neither seem to support the creation of keyed hashes.

Answer 1

No, there is not. Here is a list of ones that are (scroll down to FIPS.sys Algorithms section).

A work around I've used int he past is here, but I'm not sure if that will work for web services. This solution could work.

Answer 2

I know this is old but it looks like Microsoft addressed this issue. I'm running .NET 4.5.1 on Windows 8. I can't speak to what version of the BCL this was fixed or OS.

this.m_hash1 = HMAC.GetHashAlgorithmWithFipsFallback((Func<HashAlgorithm>) (() => (HashAlgorithm) new SHA256Managed()), (Func<HashAlgorithm>) (() => HashAlgorithm.Create("System.Security.Cryptography.SHA256CryptoServiceProvider")));

Answer 3

Officially you may be out of luck, but it should be relatively easy to build a HMAC_SHA256 out of SHA-256. Just take a look at the Wikipedia page to see how easy this is.

Note that it may be the case that HMAC was not approved in FIPS mode because it is vulnerable to side channel attacks. In that case you should make sure that there is some protection against side channel attacks.

It is a bit dangerous to build your own crypto algorithms out of cryptographic primitives. If you yourself will try and claim FIPS level security then this may become an issue. But for most users it is enough if you say that you only use NIST compliant algorithms. It is up to you how far you are willing to go down this line...