<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CSHARP-573] Change MD5 Hash for Machine Key to Something FIPS Compliant</title>
                <link>https://jira.mongodb.org/browse/CSHARP-573</link>
                <project id="10041" key="CSHARP">C# Driver</project>
                    <description>&lt;p&gt;See &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-6977&quot; title=&quot;Support for alternative hashing algorithm for authentication&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-6977&quot;&gt;&lt;del&gt;SERVER-6977&lt;/del&gt;&lt;/a&gt; for reasons.&lt;/p&gt;</description>
                <environment></environment>
        <key id="50709">CSHARP-573</key>
            <summary>Change MD5 Hash for Machine Key to Something FIPS Compliant</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="craig.wilson@mongodb.com">Craig Wilson</assignee>
                                    <reporter username="craig.wilson@mongodb.com">Craig Wilson</reporter>
                        <labels>
                    </labels>
                <created>Mon, 17 Sep 2012 21:07:53 +0000</created>
                <updated>Thu, 18 Jun 2020 16:52:47 +0000</updated>
                            <resolved>Mon, 22 Jun 2015 16:33:51 +0000</resolved>
                                    <version>1.6</version>
                                    <fixVersion>2.0</fixVersion>
                                                        <votes>3</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="947097" author="craiggwilson" created="Mon, 22 Jun 2015 16:33:51 +0000"  >&lt;p&gt;Since we&apos;ve actually solved the problem identified by this ticket, I&apos;ve opened &lt;a href=&quot;https://jira.mongodb.org/browse/CSHARP-1331&quot; title=&quot;Use of SHA256Managed is not FIPS compliant.&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CSHARP-1331&quot;&gt;&lt;del&gt;CSHARP-1331&lt;/del&gt;&lt;/a&gt; to track this need.&lt;/p&gt;</comment>
                            <comment id="947069" author="craiggwilson" created="Mon, 22 Jun 2015 15:59:47 +0000"  >&lt;p&gt;Apparently, we swapped MD5 for SHA256Managed. While SHA-256 is FIPS compliant, this particular implementation hasn&apos;t been validated. We need to switch to SHA256CryptoServiceProvider instead, which is FIPS validated.&lt;/p&gt;</comment>
                            <comment id="947018" author="jeremyh" created="Mon, 22 Jun 2015 15:27:46 +0000"  >&lt;p&gt;I&apos;m still seeing this error.  Any advice?&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;2015-06-22 09:50:04 ERROR - System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   at System.Security.Cryptography.SHA256Managed..ctor()&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   at MongoDB.Driver.PasswordEvidence.GenerateDigest(SecureString secureString)&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   at MongoDB.Driver.PasswordEvidence..ctor(SecureString password)&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   at MongoDB.Driver.MongoCredential.FromComponents(String mechanism, String source, String username, String password)&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   at MongoDB.Driver.MongoClientSettings.FromUrl(MongoUrl url)&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;   at MongoDB.Driver.MongoClient..ctor(MongoUrl url)&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;</comment>
                            <comment id="553513" author="xgen-internal-githook" created="Thu, 17 Apr 2014 19:08:09 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;craiggwilson&apos;, u&apos;name&apos;: u&apos;Craig Wilson&apos;, u&apos;email&apos;: u&apos;craiggwilson@gmail.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CSHARP-573&quot; title=&quot;Change MD5 Hash for Machine Key to Something FIPS Compliant&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CSHARP-573&quot;&gt;&lt;del&gt;CSHARP-573&lt;/del&gt;&lt;/a&gt;: changed the machine part of an ObjectId to come from the hash code of the machine name instead of the MD5 hash, which was causing issues in FIPS compliant organizations.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-csharp-driver/commit/f52547be87f99f0f933b6ad53d2967cfbbd9eb35&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-csharp-driver/commit/f52547be87f99f0f933b6ad53d2967cfbbd9eb35&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="431484" author="craiggwilson" created="Wed, 25 Sep 2013 21:39:57 +0000"  >&lt;p&gt;If this is a new project, then another option is to not use ObjectIds and instead use Guids.  We&apos;ll keep your needs in mind and perhaps accelerate a fix for this.&lt;/p&gt;</comment>
                            <comment id="431447" author="judsonp" created="Wed, 25 Sep 2013 21:13:16 +0000"  >&lt;p&gt;Understood - that doesn&apos;t relate to how we are using Mongo so I didn&apos;t think of that. I think it was mentioned in the original thread for this that it would be nice to have a configuration setting that could be used so if a client wanted to use a Mongo supplied FIPS algorithm they could - so have two code paths that depend on the configuration setting.&lt;/p&gt;

&lt;p&gt;That would allow people who wanted to accept the side-effects to do so. For us it would be a big win because we have federal customers who require FIPS. As a short term fix we are hoping they will accept us using the .NET configuration to ignore FIPS since the MD5 is only for generating unique ids and not for anything security related.&lt;/p&gt;</comment>
                            <comment id="431438" author="craiggwilson" created="Wed, 25 Sep 2013 21:03:35 +0000"  >&lt;p&gt;ObjectId provides access to the individual components.  We don&apos;t necessarily compare them internally, but it is potentially useful to determine if 2 documents were created on the same machine.  Unless we switch to a hash that generates the first 3 bytes identically to how MD5 does, then it is no longer possible to do this.  Probably not a large concern, but it is one.  In addition, other drivers also use MD5 to generate the machine hash, so we&apos;d no longer be generating identical ObjectIds.  Again, not sure how important this is.&lt;/p&gt;</comment>
                            <comment id="431435" author="judsonp" created="Wed, 25 Sep 2013 20:57:37 +0000"  >&lt;p&gt;The hash is only used to generate new IDs so I&apos;m not sure I understand where you would be comparing an existing ID with a newly generated one (I may be missing your point here). Also, the method is just returning the first 3 bytes of the hash as part of the generation process so as long as the new hash algorithm still generated a relatively unique first 3 bytes I&apos;m not sure there would be much difference from the client&apos;s point of view.&lt;/p&gt;</comment>
                            <comment id="431431" author="craiggwilson" created="Wed, 25 Sep 2013 20:49:41 +0000"  >&lt;p&gt;MD5 is used in two places in the driver, one for calculating the Machine Hash and one for authentication.  As long as you aren&apos;t using authentication, then changing the Machine hash to something other than MD5 will allow compliance with FIPS.&lt;/p&gt;

&lt;p&gt;The problem with changing MD5 in the hash has to do with loading up ObjectIds that were created before the change.  The same machine will have 2 different hashes and thus comparing 2 ObjectIds becomes hit or miss.  &lt;/p&gt;

&lt;p&gt;Thoughts?&lt;/p&gt;</comment>
                            <comment id="431422" author="judsonp" created="Wed, 25 Sep 2013 20:39:28 +0000"  >&lt;p&gt;I have a question about this change. Is this directed at the method GetMachineHash in the default constructor of ObjectId()?&lt;/p&gt;

&lt;p&gt;We don&apos;t use authentication but obviously any time you want to let Mongo generate a new ID it eventually calls that default constructor which throws an exception.&lt;/p&gt;

&lt;p&gt;It doesn&apos;t sound to me like this would be related to authentication with the server but if it is I would like to understand how.&lt;/p&gt;

&lt;p&gt;The reason I&apos;m asking is it seems like changing just this method wouldn&apos;t require a server change since all it&apos;s being used for is generating a unique ID and we were hoping we might get a fix for this sooner than the next stable server release.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;/p&gt;

&lt;p&gt;Paul&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10020">
                    <name>Gantt Dependency</name>
                                                                <inwardlinks description="has to be done after">
                                        <issuelink>
            <issuekey id="14222">SERVER-2360</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="300017">CSHARP-1703</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="212258">CSHARP-1331</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="49984">SERVER-6977</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10011"><![CDATA[Minor Change]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrgghr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9584</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="130">Sprint 1 April 14 - May 2</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>