Which encryption works with FIPS?

[Leonidnei]

We use JweAlgorithm.A256KW, JweEncryption.A256CBC_HS512 encryption. On FIPS enabled environment this fails with:

Message=System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS

validated cryptographic algorithms. at System.Security.Cryptography.AesManaged..ctor() at Jose.AesKeyWrap.AesEnc(Byte[] sharedKey, Byte[] plainText) at Jose.AesKeyWrap.Wrap(Byte[] cek, Byte[] kek) at Jose.AesKeyWrapManagement.WrapNewKey(Int32 cekSizeBits, Object key, IDictionary2 header) at Jose.JWT.Encode(String payload, Object key, JweAlgorithm alg, JweEncryption enc, Nullable1

compression, IDictionary`2 extraHeaders)

Which encryption is FIPS compliant?

[dvsekhvalnov]

Hi @Leonidnei,

looks like AesManaged is not FIPS complaint. Need to check list of replacements, nobody asked about FIPS before.

[dvsekhvalnov]

@Leonidnei , i'll make update to use FIPS complaint CSP providers for AES in next version.

In the mean time you can use any CNG powered algos, for instance: RSA_OAEP_256 + A128GCM (or A192GCM or A256GCM)

[Leonidnei]

Great, thanks.

Leonid Neishtadt Next Generation Solution Group McKESSON IMAGING & WORKFLOW SOLUTIONS Phone: +972 3 679 7330 Cell phone: +972 52 600 6589 Fax: +972 3 647.8593 Email: Leonid.Neishtadt@McKesson.commailto:Leonid.Neishtadt@McKesson.com www.mckesson.com/cardiologyhttp://www.mckesson.com/cardiology

From: dvsekhvalnov [mailto:notifications@github.com] Sent: Wednesday, September 07, 2016 2:34 PM To: dvsekhvalnov/jose-jwt jose-jwt@noreply.github.com Cc: Neishtadt, Leonid Leonid.Neishtadt@mckesson.com; Mention mention@noreply.github.com Subject: Re: [dvsekhvalnov/jose-jwt] Which encryption works with FIPS? (#38)

@Leonidneihttp://cp.mcafee.com/d/5fHCMUSyMepjouKOCrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSzt4saECzAse5m6nSfgh82HHH8Ulopd7bMHHbPwGPGbHPHeKEnIrdCPpIDeqR4IMzapdIxO-1nWMAx3V6Pqa9EVjdCXCQPrNKVJUSyrh , i'll make update to use FIPS complaint CSP providers for AES in next version.

In the mean time you can use any CNG powered algos, for instance: RSA_OAEP_256 + A128GCM (or A192GCM or A256GCM)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttp://cp.mcafee.com/d/k-Kr4x0i6x8SyMepjouKOCrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSzt4saECzAse5m6nSfgh82HHH8Ulopd7bMHHbPwGPGbHPHeKEnIrdCPpIDeqR4IMzapdIxO-86qul9CtfxkPwzmDBN4Nf9kETZcpu0Olad-KHY9BQS7QTSnXLCPqa9EVjdCXCQPrNKVJUSyrh, or mute the threadhttp://cp.mcafee.com/d/k-Kr6hESyMepjouKOCrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSzt4saECzAse5m6nSfgh82HHH8Ulopd7bMHHbPwGPGbHPHeKEnIrdCPpIDeqR4IMzapdIxO-gHejIHrelokNK56O5bhAgYLHsOu20c0X8ubb8xAM18yp4G1R71k1nN01xgm6we6K1k28BqfyQ1oqYzE4b0idI0gC8xs4CPqa9EVjdCXCQPrNKVJUSyrh.

[andresjacobo]

@dvsekhvalnov,

First of all, your library is great! I'm currently heading a project at Robert McNeel & Associates. We make Rhino, a popular 3D modeling software.

I am using your library to create JWTs to represent license objects between the client and server. Everything is flawless. However, we have a lot of US Government contractors who have FIPS mode enabled on their machines. This is the exception we get:

I am willing to create a fork to fix the problem since the project is important to us if you are not willing or able to fix it in a timely manner.

I'm looking forward to your response.

[dvsekhvalnov]

Hi @andresjacobo , yeah there were couple requests about fixing FIPS non compliant algorithms in a library. You can track them via https://github.com/dvsekhvalnov/jose-jwt/labels/FIPS

I have another feature to put forward before FIPS, so i don't mind if you contribute pull request. I'll look again later today to check which algos are not compliant and can provide you some list.

[dvsekhvalnov]

So, with FIPS enabled mode i'm getting just 39 failed tests, it appears the offending stuff in:

1. AesKeyWrap.cs using AesManaged
2. RsaUsingSha.cs using SHA256.Create(), SHA384.Create(), SHA512.Create() that by default returning corresponding managed implementation of SHA.

[andresjacobo]

Thanks for the list! It's currently a holiday weekend here in the US, but I'll do a pull request first thing next week.

[dvsekhvalnov]

Thank you for contribution, release to nuget.org