[CSHARP-1703] SCRAM-SHA-1 fails on FIPS machines
Created: 11/Jul/16 Updated: 08/Jul/21 Resolved: 05/Feb/18
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Craig Wilson | Assignee: | Robert Stam |
| Resolution: | Won't Fix | Votes: | 3 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Case: | (copied to CRM) |
| Description |
|
MD5 is used in the SCRAM-SHA-1 implementation in a non-cryptographic manner. As such, when the machine is in FIPS compliance mode, we still fail to authenticate because we are using the managed MD5 implementation. We need to write a custom MD5 implementation for use in non-cryptographic scenarios. |
| Comments |
| Comment by Dustin Smith [X] [ 04/Apr/18 ] |
|
Is this a permanent change in direction? If so, are there alternate non-enterprise (mongo internal) level authentication mechanisms that are FIPS compliant? |
| Comment by Robert Stam [ 05/Feb/18 ] |
|
We no longer plan to write our own MD5 implementation to bypass FIPS mode enforcement by the OS. Instead, an application would use alternative auth mechanisms that are FIPS compliant. |
| Comment by Robert Stam [ 10/Mar/17 ] |
|
Another place where a custom MD5 implementation should be used is when calculating MD5 hashes for GridFS files. |