[openssl-users] HMAC-MD5 OpenSSL 1.0.1e and FIPS 2.0.7
Gibbons, Lee D (Doug)
ldgibbons at avaya.com
Thu Jan 22 12:42:29 UTC 2015
NIST addresses TLS 1.0-1.2 KDFs in SP 800-135rev1. For 140-2 validation the KDF would be tested via NIST's ASKDFVS. For those riding on the shirttails of #1747, note that the TLS KDF component is implemented in the FIPS-capable OpenSSL library code *outside* of the FIPS Object Module. Though the TLS KDF algorithm may in general be Approved, the OpenSSL FIPS Object Module does not appear to provide a validated TLS KDF. I don't see a CVL cert for TLS KDF listed in #1747.
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, January 21, 2015 11:21 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] HMAC-MD5 OpenSSL 1.0.1e and FIPS 2.0.7
> From: openssl-users On Behalf Of Dr. Stephen Henson
> Sent: Wednesday, January 21, 2015 09:28
> On Wed, Jan 21, 2015, John Laundree wrote:
> > Ok, so I will naively ask the question "How does one do TLS 1.0/1.1
> > in
> mode? Or is this no longer allowed, i.e. TLS 1.2 only?"
> The use of MD5 for TLS 1.0/1.1 is treated as an exception which is
> FIPS mode but general MD5 use is not.
To be exact, as I read it, the TLS1.0/1.1 *PRF* *combines* MD5+SHA1 for handshake/keyexchange, and is Approved on the basis that the combination is secure even if MD5 is not. The SSL3 PRF combines them more weakly and isn't Approved so SSL3 protocol is prohibited. Suites using (pure) HMAC-MD5 for data are not Approved, in any protocol version.
And as you say MD5 as such is not allowed anywhere.
openssl-users mailing list
To unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dusers&d=AwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=LlsENUS4HI1fg4eMsTxoSOs4zCv38ATLKf-JAHPNl7Q&m=QTOtp0d9KSfYrkzv8qkvuAeqCnPPdxocPR9NO4Au94o&s=08xVu7r1MvSU4yef2ePC4MW_OpSkYmSBF0NjkrWTOew&e=
More information about the openssl-users