On Tue, Jul 3, 2012 at 7:33 PM, Jennings, Jared L CTR USAF AFMC 46 SK/CCI < jared.jennings....@eglin.af.mil> wrote:
> On hosts configured for compliance with U.S. Federal Information > Processing Standard (FIPS) 140-2 > <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>, like > those in some banks and, yes, the U.S. Department of Defense, > cryptographic modules (such as OpenSSL, which underlies hashlib) are not > allowed to calculate MD5 digests, because MD5 is no longer a FIPS > Approved digest algorithm. > So if it's not a cryptographic module, it's okay? ;-) I know no one is trying here to lean on MD5 for security, but the > standard says nothing about the reason why you're using MD5: just that > you can't. > > No one expects a digest algorithm to fail, and Python 2.x may not have > been fixed to check for that before being frozen > <https://bugzilla.redhat.com/show_bug.cgi?id=746118#c3>, so if you run > an MD5 checksum on a FIPS-compliant system with an unpatched Python 2.x, > the Python interpreter will segfault. (Ruby, too, had this problem and > was itself only recently fixed, > <http://bugs.ruby-lang.org/issues/4944>.) > > I have to configure hosts in accordance with FIPS 140-2, so the more > places I can get rid of MD5, the less headaches I have. > If we replace it with something else, then I suggest we replace it with something that's even MORE braindead than md5 so that nobody will mistake it for a secure hash. Otherwise, we will have this exact same problem all over again when the replacement "secure" hash is disabled by a newer version of FIPS. The other option is simply to forego a checksum altogether and assume same size = same file. Honestly, I don't remember why we cared about detecting such modifications in the first place: neither PEP 376 nor 262 explain why, and 376 doesn't explain why it went with md5 instead of sha1 (as in PEP 262).
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig