[CSHARP-1703] SCRAM-SHA-1 fails on FIPS machines
Created: 11/Jul/16
Updated: 08/Jul/21
Resolved: 05/Feb/18

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Craig Wilson
Assignee: Robert Stam
Resolution: Won't Fix
Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by CSHARP-3729 Connection fails when using authentic... Closed
Related
is related to CSHARP-1331 Use of SHA256Managed is not FIPS comp... Closed
is related to CSHARP-1937 C# Driver 2.X does not allow upload t... Closed
is related to CSHARP-573 Change MD5 Hash for Machine Key to So... Closed

 Description   

MD5 is used in the SCRAM-SHA-1 implementation in a non-cryptographic manner. As such, when the machine is in FIPS compliance mode, we still fail to authenticate because we are using the managed MD5 implementation. We need to write a custom MD5 implementation for use in non-cryptographic scenarios.



 Comments   
Comment by Dustin Smith [X] [ 04/Apr/18 ]

Is this a permanent change in direction? If so, are there alternate non-enterprise (mongo internal) level authentication mechanisms that are FIPS compliant?

Comment by Robert Stam [ 05/Feb/18 ]

We no longer plan to write our own MD5 implementation to bypass FIPS mode enforcement by the OS.

Instead, an application would use alternative auth mechanisms that are FIPS compliant.

Comment by Robert Stam [ 10/Mar/17 ]

Another place where a custom MD5 implementation should be used is when calculating MD5 hashes for GridFS files.
