  1. Core Server
  2. SERVER-60601

Tech debt: MD5 should be limited to non-cryptographic usage

Details

    • Server Security
    • Security 2022-05-16, Security 2022-05-30, Security 2022-07-11

    Description

      The MD5 algorithm is not FIPS compliant, has known weaknesses, and should not be used for cryptographic functions, especially in FIPS mode. At the same time, MD5 is routinely used as a plain (non-cryptographic) hash function, which is permissible.

      We need to make two copies of the MD5 implementation: one as a hash function, another as a cryptographic function. Copy/paste is acceptable, but the preferred approach for the MD5-as-crypto function is to use OpenSSL or a system-provided function, so that it can be disabled by system policy.

      Disabling MD5 for crypto purposes should not affect using MD5 as a hash. Therefore we should rename the MD5-as-hash implementation to make it clear that it is not a cryptographic function.
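
The split described above, sketched in Python (3.9+) as an added example; it is not code from this ticket or from the server code base. The names `md5_crypto`, `md5_fingerprint`, `bucket_for`, `CryptoMD5Disabled` and the `set_crypto_md5_blocked` policy switch are hypothetical, and the switch only stands in for a real system policy such as FIPS mode.

```python
import hashlib


class CryptoMD5Disabled(RuntimeError):
    """MD5 was requested as a cryptographic primitive but policy forbids it."""


# Hypothetical stand-in for a system policy such as FIPS mode (demo only).
_crypto_md5_blocked = False


def set_crypto_md5_blocked(blocked: bool) -> None:
    global _crypto_md5_blocked
    _crypto_md5_blocked = blocked


def md5_crypto(data: bytes) -> bytes:
    """MD5 where a protocol still requires it cryptographically.

    usedforsecurity=True lets a FIPS-enforcing crypto provider refuse the call.
    """
    if _crypto_md5_blocked:
        raise CryptoMD5Disabled("MD5 is disabled for cryptographic use")
    try:
        return hashlib.md5(data, usedforsecurity=True).digest()
    except ValueError as exc:  # raised when the provider blocks MD5
        raise CryptoMD5Disabled(str(exc)) from exc


def md5_fingerprint(data: bytes) -> bytes:
    """Non-cryptographic fingerprint (bucketing, change detection).

    Named so callers cannot mistake it for a security primitive, and flagged
    usedforsecurity=False so disabling crypto MD5 does not affect it.
    """
    return hashlib.md5(data, usedforsecurity=False).digest()


def bucket_for(key: bytes, buckets: int) -> int:
    """Example non-security use: spread keys over a fixed number of buckets."""
    return int.from_bytes(md5_fingerprint(key)[:8], "big") % buckets


if __name__ == "__main__":
    set_crypto_md5_blocked(True)
    print(md5_fingerprint(b"abc").hex())  # still works
    try:
        md5_crypto(b"abc")
    except CryptoMD5Disabled as err:
        print("crypto path refused:", err)
```

Because the two uses have separate entry points, a grep for `md5_crypto` lists every call site that a policy change can break, while `md5_fingerprint` callers are unaffected.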

          People

            backlog-server-security Backlog - Security Team
            sergey.galtsev@mongodb.com Sergey Galtsev (Inactive)