Is there a keyed SHA256 hash algorithm that is FIPS compliant for .NET?
I am creating a keyed SHA256 hash using HMACSHA256 with the following code:
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey);
byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
string hashResult = string.Empty;
for (int i = 0; i < hash.Length; i++)
{
hashResult += hash[i].ToString("x2"); // hex format
}
This is working just fine, however, it fails in a FIPS enabled environment because HMACSHA256 uses an underlying SHA256Managed implementation which is itself not FIPS compliant.
Searching through MSDN documentation I find that the only SHA256 implementation of KeyedHashAlgorithm is HMACSHA256.
I am required to sign web service requests with a keyed SHA256 hash (so I can't change the hash type), and I must be able to run in a FIPS enabled environment.
Googling shows that both SHA256CryptoServiceProvider and SHA256Cng are FIPS compliant ways to create SHA256 hashes, but neither seem to support the creation of keyed hashes.
Answer
I know this is old but it looks like Microsoft addressed this issue. I'm running .NET 4.5.1 on Windows 8. I can't speak to what version of the BCL this was fixed or OS.
this.m_hash1 = HMAC.GetHashAlgorithmWithFipsFallback((Func<HashAlgorithm>) (() => (HashAlgorithm) new SHA256Managed()), (Func<HashAlgorithm>) (() => HashAlgorithm.Create("System.Security.Cryptography.SHA256CryptoServiceProvider")));