With v16.2.5 and v17.1, we have extended the DevExpress.Persistent.Base.PasswordCryptographer class to support FIPS compatibility (this XAF API is used by security system user classes). Take special note that we have NOT switched to the new FIPS-compliant algorithm by default to avoid breaking a lot of existing customer applications. We have also introduced various static options to allow our users to switch a required password encryption algorithm depending on various business needs.
The DevExpress.Persistent.Base.PasswordCryptographer.EnableRfc2898 property enables the standard System.Security.Cryptography.Rfc2898DeriveBytes API, which implements the more secure password-based key derivation function PBKDF2 with HMACSHA1 as its pseudo-random function. The EnableRfc2898 property is set to False in our code by default to provide backward compatibility and avoid breaking changes.
The DevExpress.Persistent.Base.PasswordCryptographer.SupportLegacySha512 property works together with the EnableRfc2898 property. This setting is intended to support existing passwords created by the former hashing algorithm, which is not FIPS-compliant. The SupportLegacySha512 property is set to True in our code by default to provide backward compatibility and avoid breaking changes.
For maximum flexibility, there are also two static properties (HashPasswordDelegate and VerifyHashedPasswordDelegate) that allow registering custom functions for creating and comparing a password hash (learn more...).
With v17.1, the EnableRfc2898 and SupportLegacySha512 properties are overridden to True and False respectively by the Solution Wizard for only newly created projects.
As a less critical but related note, starting with v16.1.10, v16.2.4 and v17.1, we have extended our DevExpress.ExpressApp.Utils.ImageLoader class to support FIPS compatibility. By default, to create a hash for images, we use the System.Security.Cryptography.MD5 algorithm, which is very fast but not FIPS-compliant. The FIPS-compliant System.Security.Cryptography.SHA1 algorithm is automatically used in environments where MD5 usage is prohibited. For better flexibility, users can also handle the static CustomCreateHashAlgorithm event to provide a custom hash creation algorithm.
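The fallback described above, as an added example that is not ImageLoader's own code: when the Windows FIPS policy is enforced, the managed MD5 provider throws InvalidOperationException on creation, so a hash helper can probe for that and switch to a FIPS-approved algorithm. The event-handler wiring for CustomCreateHashAlgorithm is omitted because its event-args type is not described here; the helper below is plain .NET.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

public static class FipsAwareHasher
{
    // Returns a hash algorithm usable under the current machine policy.
    // MD5 is fastest and fine for a non-security image cache key, but it is blocked when
    // CryptoConfig.AllowOnlyFipsAlgorithms is true; SHA1 is the FIPS-approved fallback used here.
    public static HashAlgorithm CreateHashAlgorithm()
    {
        if (!CryptoConfig.AllowOnlyFipsAlgorithms)
        {
            try
            {
                return MD5.Create();
            }
            catch (InvalidOperationException)
            {
                // Policy changed after the static flag was read, or a non-FIPS provider was resolved.
            }
        }
        return SHA1.Create();
    }

    // Hashes an image's bytes and returns a hex string suitable as a cache key.
    public static string HashImage(byte[] imageBytes)
    {
        using (var algorithm = CreateHashAlgorithm())
        {
            byte[] digest = algorithm.ComputeHash(imageBytes);
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    public static void Main()
    {
        // Constructed sample input standing in for an image file's contents.
        byte[] sample = File.Exists("logo.png") ? File.ReadAllBytes("logo.png") : new byte[] { 0x89, 0x50, 0x4E, 0x47 };
        Console.WriteLine(CryptoConfig.AllowOnlyFipsAlgorithms ? "FIPS policy on: SHA1" : "FIPS policy off: MD5");
        Console.WriteLine(HashImage(sample));
    }
}
```

Because the digest length differs between the two algorithms (16 bytes for MD5, 20 for SHA1), any cache keyed on these values must be rebuilt after the machine policy changes; the same caveat applies to whatever algorithm a CustomCreateHashAlgorithm handler returns.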
Take special note that for correct operation of your apps in such highly secured environments, you may also need to customize the settings of DevExpress controls (example). We are ready and more than happy to consider further improvements in this regard based on real user requests. Feel free to contact us if you encounter any further difficulties with XAF or other DevExpress products.