1

I am using MD5 for checksums. My software is FIPS 140-2 compliant and it doesn't throw any error / exception when I use MD5 for checksum. Where can I find a documentation which says FIPS 140-2 allows using MD5 for checksum.

Update:

Software as in the product for which I work. We have java running in strict FIPS mode and our application is deployed in tomcat. We calculate the MD5 checksum of all the downloadable artifacts and display it in our Administrative Console for the users to verify the artifacts after downloading.

Shreyas
  • 1
    **What** software would that be? Which version / date? What kind of checksum do you need, i.e. for what purpose? What software do you use to validate the FIPS 140-2? It's an interesting question, but without more information it is likely to be closed. – Maarten Bodewes Sep 19 '22 at 11:02
  • Updated the question – Shreyas Sep 20 '22 at 12:17
  • 1
    Alright, that already cleared that up. Note that MD5 is an *algorithm*. As such, it isn't always detectable. E.g. there could be a difference if you would use the MD5 algorithm through the Java JCA (`MessageDigest` class) or through the lightweight Bouncy Castle library ( `org.bouncycastle.crypto.digests.MD5Digest` class). Not sure what you mean with "Java running in strict FIPS". Are you using the IBM runtime perhaps? – Maarten Bodewes Sep 20 '22 at 12:43
  • No. I am not running IBM runtime. Anyways, the requirement for which I needed the documentation has been deferred. So, I guess I'll just close this question. Thanks for your reply. – Shreyas Sep 21 '22 at 13:47
  • That's not very nice, we took the time to get into and answer the question. If the question is valid then please leave it open and don't close it just because it is not valuable for *you* anymore. – Maarten Bodewes Sep 21 '22 at 15:21
  • I apologize for trying to close it. I'll keep it open. If it helps, I tried to search it in the FIPS document provided by NIST, but didn't get any information which clarifies that it is okay to use MD5 for any purpose. But it does say that if the operation being performed is not cryptographic, then even weaker algorithms might be allowed. – Shreyas Sep 23 '22 at 10:07
  • 1
    Hmm, yeah, but note that a certification body would likely note that you are using it to verify the authenticity of an artifact, which **is** a cryptographic operation. – Maarten Bodewes Sep 23 '22 at 10:19

1 Answer

5

FIPS 140-2 doesn't specify MD5 as an allowed cryptographic algorithm. MD5 is extremely weak and totally insecure, and thus it is not suitable for use in applications which require cryptographic security.

If you are using MD5 as a generic checksum or hash function without cryptographic needs, then that is not within the scope of FIPS 140-2. However, you are better off using a simpler and faster algorithm like CRC64 or another simple hash function. There really is no good reason to use MD5 for any purpose these days.

However, neither of those are suitable for cryptographic purposes. If you need a hash function for cryptographic purposes, you should use one of the SHA-2 or SHA-3 functions for FIPS compliance, or additionally BLAKE2 if you don't need FIPS compliance.

bk2204
  • I know for sure that, we don't use MD5 for hashing or for any cryptographic operation. Because our application is deployed in tomcat and java runs in strict fips mode. So, if we try to use any algorithms that are not allowed by FIPS, it will throw an exception. In this case, I am only trying to find out any documentation (if available) which mentions that in strict FIPS mode, we can use MD5 for checksum. – Shreyas Sep 20 '22 at 12:19
  • 1
    Not sure if that works in your situation. MD5 is trivially broken for collision, so you could download two different artifacts with the same MD5 hash. If you don't expect an attacker but just want to check that the artifact was downloaded completely then MD5 is probably fine, but so is any CRC or even length check. – Maarten Bodewes Sep 20 '22 at 18:07
  • 1
    Yes. That makes sense. Even if FIPS isn't throwing any error / exception, I believe in future migrating from MD5 to some stronger algorithms like SHA-2 or SHA-3 would be better. – Shreyas Sep 21 '22 at 13:47
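As an added example (not code from the question, the answer, or the asker's product), here is how the checksum-publishing step described in the question's update could be done with a FIPS-approved digest through the JCA `MessageDigest` API the comments mention, together with a constant-time verification of a downloaded copy and a check of whether the installed providers will hand out MD5 at all. It assumes Java 17 or later for `java.util.HexFormat`; the class and method names and the sample artifact bytes are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/**
 * Added example (not from the question or the answer): compute and verify
 * artifact checksums with a FIPS-approved digest (SHA-256) via the JCA,
 * as an admin console could publish them instead of MD5.
 */
public final class ArtifactChecksum {

    // SHA-256 is specified in FIPS 180-4; MD5 is not an approved algorithm.
    private static final String ALGORITHM = "SHA-256";

    /** Hex-encoded SHA-256 of a file, streamed so large artifacts are not read into memory whole. */
    public static String digestFile(Path artifact) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(ALGORITHM);
        try (InputStream in = Files.newInputStream(artifact)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return HexFormat.of().formatHex(md.digest());
    }

    /** Hex digest of an in-memory byte array (used for the constructed sample below). */
    public static String digestBytes(byte[] data) throws NoSuchAlgorithmException {
        return HexFormat.of().formatHex(MessageDigest.getInstance(ALGORITHM).digest(data));
    }

    /**
     * Compare a downloaded artifact's digest with the published one.
     * MessageDigest.isEqual runs in constant time, so the comparison itself
     * does not leak how many leading bytes matched.
     */
    public static boolean verify(byte[] downloaded, String publishedHex) throws NoSuchAlgorithmException {
        byte[] expected = HexFormat.of().parseHex(publishedHex);
        byte[] actual = MessageDigest.getInstance(ALGORITHM).digest(downloaded);
        return MessageDigest.isEqual(expected, actual);
    }

    /** True if the runtime's configured providers will supply the named digest at all. */
    public static boolean algorithmAvailable(String name) {
        try {
            MessageDigest.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            // A provider configuration restricted to approved algorithms surfaces here.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample artifact; a real console would hash the files it actually serves.
        byte[] artifact = "release-1.0.0.jar (constructed sample contents)".getBytes(StandardCharsets.UTF_8);
        String published = digestBytes(artifact);
        System.out.println(ALGORITHM + " " + published);

        // An intact download verifies; a tampered or truncated one does not.
        System.out.println("intact:   " + verify(artifact, published));
        byte[] tampered = artifact.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered: " + verify(tampered, published));

        // Whether MD5 is obtainable depends on the provider configuration, not on FIPS 140-2 itself,
        // which is why the absence of an exception says nothing about approval.
        System.out.println("MD5 available from providers: " + algorithmAvailable("MD5"));
    }
}
```

Two design points follow from the thread above. Using SHA-256 rather than MD5 means the collision scenario raised in the comments (two different artifacts with the same hash) no longer applies, and the published digest doubles as a FIPS-approved integrity check rather than a mere completeness check. Separately, a digest displayed on the same console that serves the artifact only detects accidental corruption of the download; if the goal is to let users detect a substituted artifact, the digest has to reach them over a channel they trust independently of the download, or the artifact should be signed.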