MD5 and FIPS
Phillip Hallam-Baker
phill at hallambaker.com
Wed Feb 1 20:40:48 UTC 2023
Check out the recent vulnerability the NSA discovered in Microsoft CAPI,
the attack uses an MD5 collision to introduce corrupted data into a cache.
This is the correct behavior and it is specified for good reason. If there
is a FIPS requirement, it very likely prohibits MD5.
This is one of the many reasons we try to eliminate use of MD5 in
specifications.
On Wed, Feb 1, 2023 at 2:51 PM Sands, Daniel via openssl-users <
openssl-users at openssl.org> wrote:
> We use MD5 as a choice of file hashing. The problem is, that with FIPS
> enabled, the low-level routine doesn’t just refuse, but it even calls
> OpenSSL’s abort function, terminating the program with prejudice. The EVP
> routine is more reasonable, simply refusing to provide MD5. But as
> mentioned, I am not asking for MD5 as a cryptographic algorithm, but as a
> file hash. OpenSSL does not provide a way to differentiate that, though.
>
> It seems to me that it would be better if OpenSSL refused at a higher
> level such as when asking for an HMAC or TLS suite. If I want MD5 for
> digesting a file, it would be nice if OpenSSL didn’t refuse it.
>
> Are there any workarounds to this, other than disabling FIPS or rolling my
> own?
>
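The distinction Daniel asks for, a digest used as a file checksum rather than as a cryptographic primitive, is exposed directly by Python's OpenSSL-backed hashlib through its `usedforsecurity` flag. The following is an added example, not code from either poster or from the OpenSSL project; it assumes Python 3.9 or later (where the flag exists) and, instead of aborting the way the low-level routine described above does, degrades to SHA-256 when the build refuses MD5. The temporary file contents are constructed for the demonstration.

```python
"""Non-cryptographic file fingerprinting that tolerates a FIPS-restricted MD5.

Added example (not from the thread). Assumes Python 3.9+ so that
hashlib.new() accepts usedforsecurity=. On a FIPS-restricted build,
hashlib.new("md5") without the flag raises ValueError; passing
usedforsecurity=False tells the OpenSSL backend the digest is a plain
checksum, which such builds may then permit.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read files in 64 KiB blocks so large files are not loaded whole


def open_file_digest(name):
    """Return a hashlib object for `name`, declared as not used for security.

    Returns None (rather than raising or aborting) when the build refuses the
    algorithm, so callers can pick an alternative.
    """
    try:
        return hashlib.new(name, usedforsecurity=False)
    except ValueError:
        return None


def file_fingerprint(path, preferred=("md5", "sha256")):
    """Hash `path` in chunks with the first available algorithm in `preferred`.

    Returns (algorithm_name, hexdigest). MD5 is tried first because the thread's
    use case is a legacy checksum format; SHA-256 is the fallback that any FIPS
    build will serve. Raises RuntimeError only if nothing is available.
    """
    for name in preferred:
        h = open_file_digest(name)
        if h is None:
            continue  # algorithm refused on this build; try the next one
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
        return name, h.hexdigest()
    raise RuntimeError("no digest algorithm available for file fingerprinting")


def fingerprint_bytes(data):
    """Write `data` to a temporary file, fingerprint it, and clean up."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return file_fingerprint(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample content; on a non-FIPS build this prints the MD5 of "abc".
    algo, digest = fingerprint_bytes(b"abc")
    print(f"{algo}: {digest}")
```

Which algorithm actually ran is returned alongside the digest, so a checksum file can record it and a reader on a different build can verify against the right algorithm instead of silently comparing an MD5 to a SHA-256.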