With v16.2.5 and v17.1, we extended the DevExpress.Persistent.Base.PasswordCryptographer class (the XAF API used by the security system's user classes) to support FIPS compatibility. Take special note that we have NOT switched to the new FIPS-compliant algorithm by default, to avoid breaking many existing customer applications. Instead, we introduced several static options that let you switch the password hashing algorithm according to your business needs.
The DevExpress.Persistent.Base.PasswordCryptographer.EnableRfc2898 property enables the standard System.Security.Cryptography.Rfc2898DeriveBytes API, which implements the PBKDF2 password-based key derivation function (RFC 2898) using HMAC-SHA1 as its pseudo-random function. PBKDF2 is a salted, iterated construction intended to make offline guessing of stolen hashes expensive, which a single-pass hash does not. EnableRfc2898 is set to False in our code by default to provide backward compatibility and avoid breaking changes.
The DevExpress.Persistent.Base.PasswordCryptographer.SupportLegacySha512 property works together with the EnableRfc2898 property. It keeps the application able to verify existing password hashes created by the former algorithm, which is not FIPS-compliant. SupportLegacySha512 is set to True in our code by default to provide backward compatibility and avoid breaking changes. Keep in mind that the legacy verification path stays active for as long as this property is True, so plan to set it to False once all stored passwords have been re-created with the new algorithm; until then the application is not fully FIPS-compliant.
For maximum flexibility, there are also two static properties, HashPasswordDelegate and VerifyHashedPasswordDelegate, that let you register custom functions for creating and verifying a password hash (learn more...).
With v17.1, the Solution Wizard sets EnableRfc2898 to True and SupportLegacySha512 to False, but only in newly created projects. In existing apps created with older XAF versions and later upgraded to v17.1+, you can set these static properties in one of the following locations:
- in the constructor of your platform-agnostic module located in the Module.cs (Module.vb) file;
- in the Main method of the WinForms application located in the Program.cs (Program.vb) file, before the WinApplication.Start call;
- in the Application_Start method of the ASP.NET application located in the Global.asax.cs (Global.asax.vb) file, before the WebApplication.Start call.
You can find examples for WinForms, Web and Mobile apps in XAF demos, e.g., check out the "C:\Users\Public\Documents\DevExpress Demos 17.1\Components\eXpressApp Framework\SimpleProjectManager\CS\SimpleProjectManager.Win\Program.cs" file.
As a less critical but related note, starting with v16.1.10, v16.2.4 and v17.1, we have also extended the DevExpress.ExpressApp.Utils.ImageLoader class to support FIPS compatibility. By default, image hashes are computed with the System.Security.Cryptography.MD5 algorithm, which is very fast but not FIPS-compliant. In environments where MD5 usage is prohibited, the FIPS-compliant System.Security.Cryptography.SHA1 algorithm is used automatically. (These hashes identify images; they are not used for passwords, so the weakness of MD5 is not the issue here, only the FIPS policy.) For better flexibility, you can also handle the static CustomCreateHashAlgorithm event to supply your own hash algorithm.
Take special note that for correct operation of your apps in such FIPS-enforced environments, you may also need to customize the settings of DevExpress controls (example). We are ready and more than happy to consider further improvements in this regard based on real user requests. Feel free to contact us if you encounter any further difficulties with XAF or other DevExpress products.
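The locations listed above, the static password options, the custom hash delegates and the ImageLoader event, pulled together in one WinForms Program.cs as an added example; this is not DevExpress's own code or the demo's Program.cs. Assumptions: MyAppWindowsFormsApplication is a placeholder for the WinApplication descendant the Solution Wizard generates; HashPasswordDelegate is a Func<string, string> (password to stored hash) and VerifyHashedPasswordDelegate a Func<string, string, bool> (hashedPassword, password); the CustomCreateHashAlgorithm event args expose a settable HashAlgorithm property; the iteration count is a tuning value chosen here, not a DevExpress default; and a registered verify delegate replaces the built-in verification entirely.

```csharp
using System;
using System.Security.Cryptography;
using System.Windows.Forms;
using DevExpress.ExpressApp.Utils;
using DevExpress.Persistent.Base;

namespace MyApp.Win {
    static class Program {
        [STAThread]
        static void Main() {
            // Option A: switch the built-in scheme to PBKDF2 (Rfc2898DeriveBytes).
            // SupportLegacySha512 stays True so users whose passwords were hashed by
            // the old algorithm can still log in; set it to False once every stored
            // password has been re-created with the new scheme.
            PasswordCryptographer.EnableRfc2898 = true;
            PasswordCryptographer.SupportLegacySha512 = true;

            // Option B: replace the built-in scheme with your own delegates instead.
            // Pbkdf2PasswordHasher.Register();

            // Image hashing: choose a FIPS-validated implementation explicitly.
            ImageHashSetup.Register();

            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            // MyAppWindowsFormsApplication: placeholder for the generated application class.
            var winApplication = new MyAppWindowsFormsApplication();
            winApplication.Setup();
            winApplication.Start();   // every static option above must be set before this call
        }
    }

    // PBKDF2 with an explicit iteration count, a random per-password salt and a
    // constant-time comparison. Delegate signatures are assumed (see lead-in).
    static class Pbkdf2PasswordHasher {
        const string Prefix = "PBKDF2$";
        const int Iterations = 100000;   // assumed tuning value; raise as hardware improves
        const int SaltSize = 16;
        const int KeySize = 32;

        public static void Register() {
            PasswordCryptographer.HashPasswordDelegate = HashPassword;
            PasswordCryptographer.VerifyHashedPasswordDelegate = VerifyHashedPassword;
        }

        // Stored form: PBKDF2$<iterations>$<base64 salt>$<base64 derived key>
        public static string HashPassword(string password) {
            if (password == null) throw new ArgumentNullException("password");
            // This constructor draws a fresh random salt of SaltSize bytes.
            using (var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations)) {
                return Prefix + Iterations + "$"
                    + Convert.ToBase64String(kdf.Salt) + "$"
                    + Convert.ToBase64String(kdf.GetBytes(KeySize));
            }
        }

        public static bool VerifyHashedPassword(string hashedPassword, string password) {
            if (hashedPassword == null || password == null) return false;
            // Not produced by this hasher (e.g. a legacy SHA512 hash). With a custom
            // verifier registered the SupportLegacySha512 path is assumed not to run,
            // so legacy hashes must be handled here; this example rejects them.
            if (!hashedPassword.StartsWith(Prefix, StringComparison.Ordinal)) return false;
            string[] parts = hashedPassword.Substring(Prefix.Length).Split('$');
            if (parts.Length != 3) return false;
            int iterations;
            if (!int.TryParse(parts[0], out iterations) || iterations <= 0) return false;
            byte[] salt, expected;
            try {
                salt = Convert.FromBase64String(parts[1]);
                expected = Convert.FromBase64String(parts[2]);
            } catch (FormatException) {
                return false;   // corrupted or tampered stored value
            }
            using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations)) {
                return FixedTimeEquals(expected, kdf.GetBytes(expected.Length));
            }
        }

        // No early exit, so timing does not reveal how many leading bytes matched.
        static bool FixedTimeEquals(byte[] a, byte[] b) {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    static class ImageHashSetup {
        // Assumed: the event args carry a settable HashAlgorithm property.
        public static void Register() {
            ImageLoader.CustomCreateHashAlgorithm += (sender, e) => {
                // The *CryptoServiceProvider classes wrap Windows CAPI, which the FIPS
                // policy permits; the *Managed classes and MD5 throw when it is enforced.
                e.HashAlgorithm = CryptoConfig.AllowOnlyFipsAlgorithms
                    ? (HashAlgorithm)new SHA256CryptoServiceProvider()
                    : new MD5CryptoServiceProvider();
            };
        }
    }
}
```

Use either Option A or Option B, not both: once custom delegates are registered, the EnableRfc2898 and SupportLegacySha512 switches no longer describe how your passwords are hashed, so migration of existing hashes becomes your responsibility. CryptoConfig.AllowOnlyFipsAlgorithms reflects the Windows "Use FIPS compliant algorithms" policy, which is a convenient way to test the FIPS code path on a developer machine before deploying.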