MD5 Algorithms available in FIPS approved mode

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

MD5 Algorithms available in FIPS approved mode

Romulus Corvo

Hi all,

 

In the following documentation (https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3152.pdf)

we can read that MD5 is part of the Table #8 (page 13/26 - Non-Approved Cryptographic Functions for use in non-FIPS mode only).

 

When running some tests in FIPS approved mode, MD5 are available in algorithms list (provided by BCFIPS and SUN) and this should not be the case giving the documentation.

 

We can read the following lines in the program output:

....

               Ligne # 206: Available Algorithm:MD5 / BCFIPS version 1.0002

....

Ligne #386: Available Algorithm:MD5 / SUN version 11

....

 

In the "java.security" file, I set the providers:

security.provider.1=BCFIPS
security.provider.2=BCJSSE fips:BCFIPS
security.provider.3=SUN

 

The following permissions in the "java.policy" file seems to have no effect (I disabled or enabled those lines by two different tests):

....

    permission java.lang.RuntimePermission "getProtectionDomain";

    permission java.lang.RuntimePermission "accessDeclaredMembers";

    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";

    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

    permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";

    permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";

    permission java.security.SecurityPermission "putProviderProperty.BCFIPS";

    permission java.security.SecurityPermission "putProviderProperty.BCJSSE";

....

 

Your help will be much appreciated

Regards,

Romain

 

 

--- Java Program (Open JDK v11):


System.out.println("System property: " + System.getProperty("org.bouncycastle.fips.approved_only"));

System.out.println("Fips ready: " + FipsStatus.isReady());

System.out.println("Is approved only mode: " + CryptoServicesRegistrar.isInApprovedOnlyMode);

 

System.out.println("Display Providers:");

Provider[] list = Security.getProviders();

for (Provider p : list){

   System.out.println(p.getName());

}

 

for (Provider provider : list) {

   for (Provider.Service service : provider.getServices()) {

      String algorithm = service.getAlgorithm() + " / " + service.getProvider();

      System.out.println("Available Algorithm:" + algorithm);

}


Reply | Threaded
Open this post in threaded view
|

Re: MD5 Algorithms available in FIPS approved mode

David Hook-3


No, the document does not say that.

MD5 is also listed in Table 7 on page 14, as allowed under IG D.2 for use with TLS in accordance with SP 800-52.

Note this is the only use of MD5 for a cryptographic purpose that is allowed, which is why it is also in Table 8. While the module does it's best to disable things which are not approved while it is in approved mode in many cases this is a courtesy and not mandated. There are, and probably always will be, circumstances like this where an algorithm is available but only for a specific circumstance. It's one of the reasons why there is a security policy. For FIPS compliance you need to use a certified module and you need to use it in accordance with the security policy for it - it's not an either/or thing the two things always go together.

Regards,

David

On 5/10/20 8:11 pm, Romulus Corvo wrote:

Hi all,

 

In the following documentation (https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3152.pdf)

we can read that MD5 is part of the Table #8 (page 13/26 - Non-Approved Cryptographic Functions for use in non-FIPS mode only).

 

When running some tests in FIPS approved mode, MD5 are available in algorithms list (provided by BCFIPS and SUN) and this should not be the case giving the documentation.

 

We can read the following lines in the program output:

....

               Ligne # 206: Available Algorithm:MD5 / BCFIPS version 1.0002

....

Ligne #386: Available Algorithm:MD5 / SUN version 11

....

 

In the "java.security" file, I set the providers:

security.provider.1=BCFIPS
security.provider.2=BCJSSE fips:BCFIPS
security.provider.3=SUN

 

The following permissions in the "java.policy" file seems to have no effect (I disabled or enabled those lines by two different tests):

....

    permission java.lang.RuntimePermission "getProtectionDomain";

    permission java.lang.RuntimePermission "accessDeclaredMembers";

    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";

    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

    permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";

    permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";

    permission java.security.SecurityPermission "putProviderProperty.BCFIPS";

    permission java.security.SecurityPermission "putProviderProperty.BCJSSE";

....

 

Your help will be much appreciated

Regards,

Romain

 

 

--- Java Program (Open JDK v11):


System.out.println("System property: " + System.getProperty("org.bouncycastle.fips.approved_only"));

System.out.println("Fips ready: " + FipsStatus.isReady());

System.out.println("Is approved only mode: " + CryptoServicesRegistrar.isInApprovedOnlyMode);

 

System.out.println("Display Providers:");

Provider[] list = Security.getProviders();

for (Provider p : list){

   System.out.println(p.getName());

}

 

for (Provider provider : list) {

   for (Provider.Service service : provider.getServices()) {

      String algorithm = service.getAlgorithm() + " / " + service.getProvider();

      System.out.println("Available Algorithm:" + algorithm);

}