[EXTERNAL] Re: MD5 and FIPS

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Feb 2 01:31:58 UTC 2023


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Jordan Brown
> Sent: Wednesday, 1 February, 2023 17:47

> It seems to me that at this point MD5 should be in the same category as those non-cryptographic checksums.

> It's a checksum algorithm.  It's not secure.  You must not use it for security-sensitive purposes.  But that
> shouldn't mean that you can't use it.

That's a reasonable argument (and we could add SHA1 and possibly others), which unfortunately means it's orthogonal to the question of FIPS 140 validation.

A system is FIPS 140 validated if the CMVP says it is. As we've seen in the past, the exact same system can pass validation in one environment and fail in another. It's simply not rigorous or consistent, much less reasonable.

Maybe the situation will be better with FIPS 140-3, but I'm not holding my breath.

The real questions here, I think, are: How important is FIPS 140 to Daniel's use? Sandia is a US Federal institution, so I assume the usual Federal requirement to be FIPS 140 validated applies; but in practice, there's a whole bunch of non-FIPS-140 stuff being run by Federal agencies hoping no one audits them. And, second, if the application in question went through CMVP or a FIPS 140 audit, would they catch this non-conforming use of MD5, and would they care, and what would be the adverse effect if they did?

Those are not questions which can be answered on openssl-users, and Daniel already has info on a technical workaround (for OpenSSL 3, but that's where everyone should be heading anyway, if they're not already there).
