lilith
commented
1 year ago It's been a while since I've seen this kind of issue arise - FIPS validation is a tad bogus and not used very often anymore, not recommended by MSFT either. For hash algorithms it's a patently absurd concept... Mathematically identical algorithms with identical output in all cases... yet it doesn’t matter.
That said, we can certainly switch to factory methods that use FIPS validated algorithms for customers still using those versions of windows and wanting to check that legacy compliance box.
I'd want to make sure that the changes are .NET Standard 2.0 compatible for Imageflow projects, though, and that if the default implementation changes that the startup costs don't incur a performance penalty compared to the C# implementation on any OS platform.
If you want to submit PRs for these I will prioritize them.
On Tue, Jan 31, 2023, 2:57 AM iJungleboy @.***> wrote:
2sxc https://2sxc.org/ is an open source CMS plugin for DNN. It uses ImageFlow for image resizing.
It appears that recently it was installed on a government website which enabled FIPS compliance in the registry. This seems to tell Windows to complain whenever encryption or hashes are created which are deemed insecure.
Here's the original issue on 2sxc 2sic/2sxc#2988 https://github.com/2sic/2sxc/issues/2988
After some research we discovered that certain APIs are not FIPS compliant, such as
- SHA1
- AesManaged, RjindalManaged etc. - basically any .net cryto class with ...Managed as they also allow API uses which are not compliant. Usually switching to ...CrytpoServiceProvider should do the trick
2sxc itself had to be updated to match these requirements, but it appears that ImageFlow on .net uses some non-FIPS APIs such as SHA1.
Here's an image from the current release:
[image: Load-Images-with-Params-Fail-(20230130)] https://user-images.githubusercontent.com/4568451/215554572-aefca366-3a5b-4dfe-a60a-f7e0e65c60b1.jpg
According to my quick review of the API, there are certain obvious places where this should (and could easily) be fixed:
1. https://github.com/imazen/imageflow-dotnet-server/blob/71865b556c810a4d8436a2a1f3c2d9b9453ce2af/src/Imazen.HybridCache/BucketCounter.cs#L105-L113 should be changed to not use the Managed class, and use SHA256 2. https://github.com/imazen/resizer/blob/92bbf3a275801a41a331137243dec461ec4eceea/plugins/Security/SimpleSecureEncryption.cs#L70-L81 should change from RijndaelManaged to the AesCrytpoServiceProvider - probably https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aescryptoserviceprovider?view=net-7.0
I'm not sure if I caught all the use cases. @lilith https://github.com/lilith What's your take on this? Would it be possible to get this fixed soon?
— Reply to this email directly, view it on GitHub https://github.com/imazen/imageflow-dotnet-server/issues/71, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA2LHYDR75OBT62MWZRIJDWVDOYRANCNFSM6AAAAAAUMG4HXQ . You are receiving this because you were mentioned.Message ID: @.***>
iJungleboy
david-poindexter
2sxc is an open source CMS plugin for DNN. It uses ImageFlow for image resizing.
It appears that recently it was installed on a government website which enabled FIPS compliance in the registry. This seems to tell Windows to complain whenever encryption or hashes are created which are deemed insecure.
Here's the original issue on 2sxc https://github.com/2sic/2sxc/issues/2988
After some research we discovered that certain APIs are not FIPS compliant, such as
...Managedas they also allow API uses which are not compliant. Usually switching to...CrytpoServiceProvidershould do the trick2sxc itself had to be updated to match these requirements, but it appears that ImageFlow on .net uses some non-FIPS APIs such as SHA1.
Here's an image from the current release:
According to my quick review of the API, there are certain obvious places where this should (and could easily) be fixed:
SHA256I'm not sure if I caught all the use cases. @lilith What's your take on this? Would it be possible to get this fixed soon?