0 votes
7.5k views
in .NET FTP by (240 points)
I am having an issue connecting to an SFTP in a production environment. My code works fine in my development area.
When I try connecting to the server in production I get the following error:

System.Exception: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at h.a(String A_0, Int32 A_1)
at h.a(Byte[] A_0, String A_1)
at f5.a(String A_0, String A_1)
at hh.e()
at hh.a(a2 A_0)
at a8.a(ai A_0, b8 A_1, gx A_2, a2 A_3)
at a8.a(ai A_0, b8 A_1, Socket A_2)
at EnterpriseDT.Net.Ftp.Ssh.SSHFTPClient.Connect()
at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()
at Utility.SFTPWrapper.OpenConnection()
at AutomatedTravelApplication.RunFTP.UploadDailyTravelDataSFTP()

Is there any way to have the Connect method call a different hashing algorithm other than MD5? I could not seem to find any settings to set this.
I am using edtFTPnet/PRO v4.2.1.0. My code looks similar to this:


// Logging is set up on the class before the connection object is created
SecureFTPConnection.LogLevel = EnterpriseDT.Util.Debug.LogLevel.All;
SecureFTPConnection.LogFile = logfile;

// Assign to the field: the try block below reads this.ftpCon, so a local variable here would leave the field null
this.ftpCon = new SecureFTPConnection();
ftpCon.ServerValidation = SecureFTPServerValidationType.Automatic;
ftpCon.Protocol = FileTransferProtocol.SFTP;
ftpCon.AuthenticationMethod = AuthenticationType.PublicKey;
ftpCon.PreferredHostKeyAlgorithms = SSHPublicKeyAlgorithm.RSA;

// Pin the server's host key and point at the client's private key file
ftpCon.KnownHosts.AddKnownHost(hostName, serverPublicKeyLocation);
ftpCon.ClientPrivateKeyFile = clientPrivateKeyLocation;

try
{
    this.ftpCon.UserName = this.userName;
    this.ftpCon.Password = this.password;
    this.ftpCon.ServerAddress = this.serverAddress;
    this.ftpCon.Connect();
}
catch (Exception ex)
{
    this.errorText = ex.Message;
    this.errorString = ex.ToString();
}


There is not much in the log as it errors out before it can connect.
Thanks in advance to anyone who might have some insight to my issue.

6 Answers

0 votes
by (162k points)
Your Windows box must be running in FIPS compliant mode. This problem occurs because the MD5 algorithm is not FIPS compliant.

Not sure if your version has it, but there is a property PreferredMACAlgorithms which you can set to SSHMACAlgorithm.HMACSHA1 to avoid using MD5.

As your version is quite old it may be time to upgrade.
0 votes
by (240 points)
My version does not have this property. I will have to talk to the people in charge to see if we can upgrade. Thank you for your reply.
0 votes
by (240 points)
I downloaded a trial of version 7.2.0.20 and I configured the PreferredMACAlgorithms property to SSHMACAlgorithm.HMACSHA1 and it still flagged a FIPS compliance error. The exact error is this:

9/20/2010 6:56:27 AM , System.Exception: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at 3EECr2SEXroInesKkjM.q3QrWXSY0cUSguL2HRt.Nwrd6nJuA(String , Int32 )
at 3EECr2SEXroInesKkjM.q3QrWXSY0cUSguL2HRt.rCm77DMuWB(Byte[] , String )
at v5tqSguFWNib3vhequs.ELg42eujSF4E8RBabag.Nwrd6nJuA(String , String )
at 5NTMU3ciYr3VV4nfIao.wRnE02cUpsQGgQ0s5mG.o0PdjfWE1(AuthenticationType )
at 5NTMU3ciYr3VV4nfIao.wRnE02cUpsQGgQ0s5mG.Connect(4pjX4LE2Wy4NRjBbCKJ )
at bRTPZmEMlkuKe9PMCtk.sVt7HQEnDuhSNnEFSgM.FA9vkN09t(DCyWsVEKmyAs3e4hBum , 3j9EIEEGGRcY0FWSbcv , bEeuXhEQ6NA6HMC6d9h , 4pjX4LE2Wy4NRjBbCKJ )
at bRTPZmEMlkuKe9PMCtk.sVt7HQEnDuhSNnEFSgM.NmH9Zmbyq(DCyWsVEKmyAs3e4hBum , 3j9EIEEGGRcY0FWSbcv , Socket )
at EnterpriseDT.Net.Ftp.Ssh.SSHFTPClient.Connect()
at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()

My code is still very similar but here are the changes:

// Logging is set up on the class before the connection object is created
SecureFTPConnection.LogLevel = EnterpriseDT.Util.Debug.LogLevel.All;
SecureFTPConnection.LogFile = logfile;

// Assign to the field: the try block below reads this.ftpCon, so a local variable here would leave the field null
this.ftpCon = new SecureFTPConnection();
ftpCon.ServerValidation = SecureFTPServerValidationType.Automatic;
ftpCon.Protocol = FileTransferProtocol.SFTP;
ftpCon.AuthenticationMethod = AuthenticationType.PublicKey;
ftpCon.PreferredHostKeyAlgorithms = SSHPublicKeyAlgorithm.RSA;

// Steer the SSH negotiation away from MD5-based algorithms
ftpCon.PreferredMACAlgorithms = SSHMACAlgorithm.HMACSHA1;
ftpCon.PreferredCipherAlgorithms = SSHCipherAlgorithm.AES256;
ftpCon.PreferredCompressionAlgorithms = SSHCompressionAlgorithm.None;
ftpCon.PreferredKeyExchangeMethods = SSHKeyExchangeMethod.DiffieHellmanGroup14Sha1;

// Pin the server's host key and point at the client's private key file
ftpCon.KnownHosts.AddKnownHost(hostName, serverPublicKeyLocation);
ftpCon.ClientPrivateKeyFile = clientPrivateKeyLocation;

try
{
    this.ftpCon.UserName = this.userName;
    this.ftpCon.Password = this.password;
    this.ftpCon.ServerAddress = this.serverAddress;
    this.ftpCon.Connect();
}
catch (Exception ex)
{
    this.errorText = ex.Message;
    this.errorString = ex.ToString();
}



This code does work on a Windows box that doesn't have a FIPS compliance policy in place. Any clue why it is still calling the MD5CryptoServiceProvider?
0 votes
by (162k points)
Unfortunately this is another place where MD5 is used - decoding the private key using the passphrase.

This is a little harder to get around.

The only way I can see is to convert the private key format to PuTTY format as this format uses SHA1 rather than MD5.

You can use PuTTYGen to do the conversion of the private key format:

http://the.earth.li/~sgtatham/putty/lat ... ttygen.exe
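The following is an added illustration, not code from EnterpriseDT or the edtFTPnet/PRO library, of the two points made in this thread: the first answer's point that MD5 is refused under a FIPS policy, and the answer above's point that a PuTTY-format key avoids MD5. It re-implements the passphrase key derivation of the legacy OpenSSL PEM format (EVP_BytesToKey over MD5) and of PuTTY's PPK version 2 format (SHA-1 key derivation plus an HMAC-SHA-1 file MAC) with the Python standard library only, so the hash each format depends on is visible. The PEM header, passphrase and PPK field values are constructed for the example; the cipher-key-length table and the FIPS digest allowlist are the example's own assumptions.

```python
"""Passphrase key derivation in the two private-key formats discussed in the thread.

Added example (not EnterpriseDT / edtFTPnet/PRO code).  Legacy OpenSSL PEM needs MD5,
the non-FIPS call in the stack trace; PuTTY PPK v2 needs only SHA-1 and HMAC-SHA-1.
"""
import hashlib
import hmac
import re
import struct

# --- Legacy OpenSSL PEM: "-----BEGIN RSA PRIVATE KEY-----" with Proc-Type/DEK-Info ---
# OpenSSL derives the cipher key with EVP_BytesToKey(MD5, salt = first 8 bytes of the IV,
# one iteration).  That MD5 construction is what a FIPS-enforcing .NET runtime refuses.
CIPHER_KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def parse_pem_dek_info(pem_text):
    """Return (cipher_name, iv) from the DEK-Info header of an encrypted legacy PEM key."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if m is None:
        raise ValueError("not an encrypted legacy PEM key (no DEK-Info header)")
    return m.group(1), bytes.fromhex(m.group(2))


def evp_bytes_to_key(passphrase, salt, key_len, digest="md5"):
    """OpenSSL EVP_BytesToKey, count=1: D_i = H(D_{i-1} || passphrase || salt), concatenated."""
    key, block = b"", b""
    while len(key) < key_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        key += block
    return key[:key_len]


def pem_cipher_key(pem_text, passphrase, fips_mode=False):
    """Cipher key for a legacy PEM key; refuses under a FIPS policy, as the .NET runtime does."""
    cipher, iv = parse_pem_dek_info(pem_text)
    if fips_mode:
        raise RuntimeError("MD5 is not FIPS-validated; legacy PEM keys cannot be decrypted")
    return evp_bytes_to_key(passphrase, iv[:8], CIPHER_KEY_LEN[cipher])


# --- PuTTY PPK version 2 ---
# AES-256-CBC key = SHA-1(00000000 || pass) || SHA-1(00000001 || pass), first 32 bytes, zero IV.
# The file is authenticated with HMAC-SHA-1 keyed by SHA-1("putty-private-key-file-mac-key" || pass).
def ppk_v2_cipher_key(passphrase):
    part0 = hashlib.sha1(b"\x00\x00\x00\x00" + passphrase).digest()
    part1 = hashlib.sha1(b"\x00\x00\x00\x01" + passphrase).digest()
    return (part0 + part1)[:32]


def ppk_v2_mac(passphrase, key_type, encryption, comment, public_blob, private_blob):
    """Private-MAC value of a PPK v2 file: HMAC-SHA-1 over the five length-prefixed fields."""
    mac_key = hashlib.sha1(b"putty-private-key-file-mac-key" + passphrase).digest()
    fields = (key_type, encryption, comment, public_blob, private_blob)
    data = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(mac_key, data, hashlib.sha1).hexdigest()


# Digest each format needs, checked against an assumed FIPS-validated allowlist.
REQUIRED_DIGESTS = {"pem-legacy": {"md5"}, "ppk-v2": {"sha1"}}
FIPS_VALIDATED_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}


def usable_under_fips(key_format):
    """True when every digest the key format relies on is on the FIPS allowlist."""
    return REQUIRED_DIGESTS[key_format] <= FIPS_VALIDATED_DIGESTS


# Constructed sample: only the headers matter for the key derivation shown here.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    passphrase = b"correct horse battery staple"  # constructed
    print("PEM cipher key:", pem_cipher_key(SAMPLE_PEM, passphrase).hex())
    print("PPK cipher key:", ppk_v2_cipher_key(passphrase).hex())
    print("PPK MAC:", ppk_v2_mac(passphrase, b"ssh-rsa", b"aes256-cbc", b"demo", b"pub", b"priv"))
    for fmt in REQUIRED_DIGESTS:
        print(fmt, "ok" if usable_under_fips(fmt) else "blocked", "under FIPS policy")
```

Running the script with the constructed values shows that the PEM path cannot produce a key without MD5, while the PPK path completes with SHA-1 alone, which is why converting the key in PuTTYgen is a real fix rather than a workaround. Note that the conversion only changes how the key file is protected on disk; it does not change the RSA key itself or the SSH algorithms negotiated with the server, so the PreferredMACAlgorithms setting from the earlier answer is still needed.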
0 votes
by (240 points)
That worked. I imported my key into PuTTYGen and saved it as a putty key. Thank you for your help.
0 votes
by (140 points)
You can also try reading this blog, http://blogs.msdn.com/b/shawnfa/archive ... 17975.aspx

There is a setting in the registry to only allow cryptographic algorithms which are FIPS compliant that you can turn off. You can toggle this switch off by setting the DWORD FIPSAlgorithmPolicy under "HKey_Local_Machine\System\CurrentControlSet\Control\Lsa" to be equal to 0.
