[EXTERNAL] Re: MD5 and FIPS

Sands, Daniel dnsands at sandia.gov
Thu Feb 2 00:16:25 UTC 2023



From: Phillip Hallam-Baker <phill at hallambaker.com>
Sent: Wednesday, February 1, 2023 1:41 PM
To: Sands, Daniel <dnsands at sandia.gov>
Cc: openssl-users at openssl.org
Subject: [EXTERNAL] Re: MD5 and FIPS

Check out the recent vulnerability the NSA discovered in Microsoft CAPI, the attack uses an MD5 collision to introduce corrupted data into a cache.

This is the correct behavior and it is specified for good reason. If there is a FIPS requirement, it very likely prohibits MD5.

This is one of the many reasons we try to eliminate use of MD5 in specifications.


I know about the MD5 collision vulnerability and why it's been downgraded from SECURE applications. I am not talking about a secure application of MD5. I am talking about file hashing for reasonable assurance that the file has not been corrupted by natural occurrences or transmission errors. We don't even provide secret keying information, so it would be trivial for an "attacker" in this situation to simply hash the new contents and replace the checksum if so desired. That is true even if SHA512 were chosen. So as I say, this is not within the scope of FIPS.
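The distinction drawn in this thread, between a digest used as an error-detection code and a digest used as a security function, can be shown concretely. The following is an added example and is not code from either poster or from the OpenSSL project. It assumes Python's `hashlib`, whose `usedforsecurity=False` keyword (Python 3.9 and later) exists precisely so that a non-security MD5 call can be distinguished from a security one when the underlying OpenSSL runs in FIPS mode; the sample file contents and the key are constructed placeholders. It demonstrates three things: an unkeyed digest (MD5 or SHA-512 alike) catches a flipped bit, an unkeyed digest cannot catch deliberate replacement because the replaced checksum verifies just as well, and a keyed HMAC does catch it, which is the property that puts a use inside FIPS scope.

```python
import hashlib
import hmac
import zlib

# Constructed sample "file" contents for this demonstration.
ORIGINAL = b"config: version=3\nmode=integrity-only\n"
TAMPERED = b"config: version=3\nmode=insecure\n"
# Constructed placeholder key; a real deployment would load it from a secret store.
DEMO_KEY = b"constructed-demo-key"


def unkeyed_digest(data: bytes, algo: str = "md5") -> str:
    """Unkeyed digest used purely as an error-detection code.

    usedforsecurity=False (Python 3.9+) is hashlib's way of telling a
    FIPS-enabled OpenSSL that this call is not a security function; without
    it, MD5 is unavailable when only the FIPS provider is loaded.
    """
    try:
        h = hashlib.new(algo, data, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity parameter
        h = hashlib.new(algo, data)
    return h.hexdigest()


def crc32_digest(data: bytes) -> str:
    """Non-cryptographic checksum: enough for transmission-error detection
    and never in FIPS scope, because it makes no security claim."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data: verifies integrity and origin, given a
    shared secret. This is the variant that is a security function."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate a transmission error by flipping one bit of the payload."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def unkeyed_check_detects_corruption(algo: str = "md5") -> bool:
    """Publisher ships ORIGINAL plus its digest; one bit flips in transit."""
    published = unkeyed_digest(ORIGINAL, algo)
    received = flip_bit(ORIGINAL, 10)
    return unkeyed_digest(received, algo) != published  # True: caught


def unkeyed_check_detects_tampering(algo: str = "md5") -> bool:
    """Whoever can rewrite the file can also rewrite the checksum shipped
    beside it, so the verifier sees a self-consistent pair. This is the
    point made in the thread, and it holds for SHA-512 as much as MD5."""
    file_on_wire = TAMPERED
    checksum_on_wire = unkeyed_digest(TAMPERED, algo)
    return unkeyed_digest(file_on_wire, algo) != checksum_on_wire  # False: missed


def keyed_check_detects_tampering() -> bool:
    """Without DEMO_KEY, the best a third party can do is tag the altered
    file under a guessed key; verification with the real key then fails."""
    forged_tag = keyed_tag(TAMPERED, b"wrong-guess")
    expected = keyed_tag(TAMPERED, DEMO_KEY)
    return not hmac.compare_digest(expected, forged_tag)  # True: caught


if __name__ == "__main__":
    for algo in ("md5", "sha512"):
        print(f"{algo}: bit flip detected   = {unkeyed_check_detects_corruption(algo)}")
        print(f"{algo}: replacement detected = {unkeyed_check_detects_tampering(algo)}")
    print(f"crc32 of original    = {crc32_digest(ORIGINAL)}")
    print(f"hmac: replacement detected = {keyed_check_detects_tampering()}")
```

The practical reading for the FIPS question is in the three boolean results: corruption detection is algorithm-agnostic and needs no approved primitive (CRC32 serves), tamper detection is impossible for any unkeyed checksum regardless of digest strength, and only the keyed variant makes a claim that FIPS validation is about.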