FIPS-Compliant SHA256 in .NET 4.6.2

Contrary to what you may read elsewhere, you don't need SHA256CryptoServiceProvider to create a FIPS-compliant SHA-256 hasher in .NET 4.6.2. You can continue to use RSACryptoServiceProvider, which has a number of other convenience methods on it (like SignData and ToXmlString).

If you use RSACryptoServiceProvider today, you can pass a new SHA1Managed() instance to SignData to hash the data with SHA-1. If you want to switch over to SHA-256 with FIPS compliance, you can't use SHA256Managed (because it's not FIPS-compliant). SHA256Cng is FIPS-compliant, but it is unmanaged (slower performance) and it doesn't work with RSACryptoServiceProvider. (This is probably because RSACryptoServiceProvider doesn't know about SHA-256 at all.)

You can read this Microsoft Connect issue about how to get this to work by specifying the OID for SHA-256 as a parameter to RSACryptoServiceProvider's signing call. This is the only workable solution on .NET versions prior to 4.x. You can see another, similar example on Stack Overflow.

On 4.6.2 (I didn't test on older versions), you actually don't need this! If you can simply update your projects to the latest .NET, everything will work as you wish.

Also, I don't suggest using SHA256.Create, because it can give you a non-FIPS-compliant SHA hasher in certain situations. Using SHA256Cng is safer (it guarantees compliance).
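The two approaches above side by side, as an added example that is not code from the original post: the 4.6.2 path passes a SHA256Cng instance straight to RSACryptoServiceProvider.SignData, and the older OID path hashes first and signs the digest under the SHA-256 OID. The message bytes are a constructed sample, and the key is a throwaway in-memory key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsSha256Signing
{
    // Constructed sample input for the example; any byte[] works.
    static readonly byte[] Data = Encoding.UTF8.GetBytes("constructed sample message");

    static void Main()
    {
        // Reflects the Windows "use FIPS-compliant algorithms" policy. When it is true,
        // new SHA256Managed() throws on construction; SHA256Cng does not.
        Console.WriteLine("FIPS-only policy in force: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Throwaway 2048-bit key. On frameworks older than 4.6 a SHA-2 signature needs the
        // key to live in the "Enhanced RSA and AES" provider (CspParameters with ProviderType 24);
        // on 4.6.2 the default constructor is enough, as the post observes.
        using (var rsa = new RSACryptoServiceProvider(2048))
        using (var sha256 = new SHA256Cng())
        {
            // .NET 4.6.2 path: hand the FIPS-compliant hasher to SignData/VerifyData directly.
            byte[] sig = rsa.SignData(Data, sha256);
            bool ok = rsa.VerifyData(Data, sha256, sig);
            Console.WriteLine("SignData/VerifyData with SHA256Cng: " + ok);

            // Pre-4.x path from the post: compute the digest yourself, then sign/verify the
            // digest while naming the SHA-256 OID so the PKCS#1 DigestInfo is built correctly.
            string sha256Oid = CryptoConfig.MapNameToOID("SHA256"); // 2.16.840.1.101.3.4.2.1
            byte[] digest = sha256.ComputeHash(Data);
            byte[] sigViaOid = rsa.SignHash(digest, sha256Oid);
            bool okViaOid = rsa.VerifyHash(digest, sha256Oid, sigViaOid);
            Console.WriteLine("SignHash/VerifyHash with OID " + sha256Oid + ": " + okViaOid);

            // Both signatures are PKCS#1 v1.5 over SHA-256, so each verifies the other's path.
            Console.WriteLine("Cross-check: " + rsa.VerifyData(Data, sha256, sigViaOid));

            // Convenience methods the post mentions are still available on the same object.
            Console.WriteLine(rsa.ToXmlString(false));
        }
    }
}
```

Run it once with the FIPS policy enabled in Windows local security policy and once without; the SHA256Cng path should succeed in both cases, whereas replacing SHA256Cng with SHA256Managed will throw under the policy.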

About Ashiq Alibhai, PMP

Ashiq has been coding C# since 2005. A desktop, web, and RIA application developer, he's touched ASP.NET MVC, ActiveRecord, Silverlight, NUnit, and all kinds of exciting .NET technologies. He started C# City in order to accelerate his .NET learning.
This entry was posted in Core .NET.