<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
I find this conversation very interesting and insightful. I really do!… Kinda sick, I know. :-). I pretty much agree with Dr. Paul Dale, “<i class="">I suggest discussing the details with your FIPS lab. Like most things FIPS: it's murky, nuanced and awash
with pitfalls.</i>”…
<div class=""><br class="">
</div>
<div class="">What does the FIPS certificate security policy say in regards to the use of algs such as MD5? If you look at the FIPS Security policy for boring crypto (cert# 4407) Section 9.2 for example, it specifically states that MD5 is allowed for TLS1.0
and 1.1 although non-approved for FIPS140-2. Additionally, I find it extremely interesting that the table directly below that in Section 9.3, states MD5 is non-Approved and if you do use it you are in “non-Approved mode”. There is no FIPS enforcement by
the module. This puts the responsibility on application developer. The crypto module doesn’t claim to have knowledge of the use of the algorithm. </div>
<div class=""><br class="">
</div>
<div class="">Another interesting security policy is AWS. With this problem they take a similar approach. Their policy (cert# 3553) states in Section 4.3.2 that there are algorithms that are non-approved but allowed. MD5 in the table listed here for use
in TLS only. In section 4.3.3 there is a table of all the non-approved/non-allowed algs. The interesting part is the statement above this table… “<i class="">Table 8 lists the cryptographic algorithms that are not allowed to be used in the FIPS mode of operation.
Use of any of these algorithms (and corresponding services in Table 5) will <b class="">
implicitly</b> switch the module to the non-Approved mode.</i><span style="font-family: DejaVuSans; font-size: 10pt;" class=""> </span>“ Again, the crypto module is not doing any FIPS enforcement and punting to the application.</div>
<div class=""><br class="">
</div>
<div class="">This said there are some modules that do (or have done) enforcement. Then you get into the whole FIPS “distro” side…… see fun stuff!</div>
<div class=""><br class="">
</div>
<div class="">So as Dr. Paul Dale and Hebert have both said, it is best to discuss with your FIPS labs and auditors. </div>
<div class=""><br class="">
</div>
<div class="">thx,</div>
<div class="">-jj </div>
<div class=""><br class="">
</div>
<div class="">
<div>
<blockquote type="cite" class="">
<div class="">On Feb 2, 2023, at 11:12 AM, Hubert Kario <<a href="mailto:hkario@redhat.com" class="">hkario@redhat.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">On Thursday, 2 February 2023 16:31:20 CET, Matthew Heimlich wrote:<br class="">
<blockquote type="cite" class="">The question of whether or not non-FIPS-compliant algorithms should be allowed for non-cryptographic use is moot if you're deploying to environments requiring FIPS validation where the FIPS requirement is configured at the system
level. A full audit of every line of code of every application present on the system(s) is completely infeasible. There is no reasonable way to ensure that people are using insecure algorithms "the right way" in cases where security is a primary concern. A
blanket ban is the much more palatable option. And I can't think of a single case where one couldn't just as easily hash files using a compliant algorithm outside of support of legacy systems, in which case you'd have to go through the POAM/waiver process
anyway. You'll have a hard time convincing anyone that an application under active development will undergo enough inconvenience by switching to a compliant hashing algorithm that they'd waiver you these days.<br class="">
</blockquote>
<br class="">
What's compliant and what's not is between you and your auditor.<br class="">
<br class="">
I'm just mentioning the technical means how to use those algorithms<br class="">
with some older FIPS certified modules without getting the whole system out<br class="">
of FIPS mode.<br class="">
<br class="">
<blockquote type="cite" class="">On Thu, Feb 2, 2023 at 7:00 AM Hubert Kario <<a href="mailto:hkario@redhat.com" class="">hkario@redhat.com</a>> wrote:<br class="">
On Thursday, 2 February 2023 01:45:00 CET, Sands, Daniel via openssl-users wrote:<br class="">
<blockquote type="cite" class=""><br class="">
<blockquote type="cite" class="">-----Original Message-----<br class="">
From: openssl-users <<a href="mailto:openssl-users-bounces@openssl.org" class="">openssl-users-bounces@openssl.org</a>> On Behalf Of Dr<br class="">
Paul Dale<br class="">
Sent: Wednesday, February 1, 2023 2:33 PM<br class="">
To: <a href="mailto:openssl-users@openssl.org" class="">openssl-users@openssl.org</a><br class="">
Subject: [EXTERNAL] Re: MD5 and FIPS<br class="">
If you are using OpenSSL 1.0.2 and the old FOM, you're out of luck.<br class="">
If you are using OpenSSL 3.0 with the FIPS provider, you can still access MD5 by<br class="">
loading appropriate providers and specifying a property query. See the<br class="">
migration or FIPS guides.<br class="">
</blockquote>
<br class="">
This sounds like an acceptable workaround. So if I load the legacy provider, then request MD5 (or SHA1) explicitly through that provider, it should provide a working context?<br class="">
</blockquote>
<br class="">
For some old FIPS modules you can also re-enable the md5 hash by using<br class="">
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);<br class="">
<br class="">
Looking how Python handles the usedforsecurity keyword argument in hashlib<br class="">
module is a usually a good idea.<br class="">
</blockquote>
<br class="">
-- <br class="">
Regards,<br class="">
Hubert Kario<br class="">
Principal Quality Engineer, RHEL Crypto team<br class="">
Web: <a href="http://www.cz.redhat.com" class="">www.cz.redhat.com</a><br class="">
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>