Core Server / SERVER-60601

Tech debt: MD5 should be limited to non-cryptographic usage

    • Server Security
    • Security 2022-05-16, Security 2022-05-30, Security 2022-07-11

The MD5 algorithm is not FIPS compliant, has known weaknesses and should not be used for cryptographic functions, especially in FIPS mode. At the same time, MD5 is routinely used simply as a non-cryptographic hash function, which is permissible.

We need to make two copies of the MD5 implementation: one as a plain hash function, the other as a cryptographic primitive. Copy/paste is acceptable, but the preferred approach for the MD5-as-crypto function is to use OpenSSL or a system-provided implementation, so that it can be disabled by system policy.

Disabling MD5 for cryptographic purposes should not affect its use as a hash. Therefore we should rename the hash-use MD5 to make it clear that it is not a cryptographic function.
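The split described above, as an added example that is not part of this ticket or of the MongoDB code base: it uses Python's hashlib, whose `usedforsecurity=False` flag is the standard-library equivalent of routing cryptographic MD5 through a policy-controlled provider. The `set_fips_policy` switch is an assumption standing in for the OS-level FIPS mode that would make OpenSSL refuse MD5.

```python
"""Added example (not MongoDB code): one MD5 entry point for non-cryptographic
fingerprinting and a separate one for cryptographic use, so that a FIPS-style
policy can block the latter without breaking the former."""
import hashlib

# Assumption: a process-level flag stands in for the system FIPS policy.
_policy = {"fips": False}


class Md5DisabledByPolicy(RuntimeError):
    """Raised when cryptographic MD5 is requested while policy forbids it."""


def set_fips_policy(enabled: bool) -> None:
    """Simulated system policy switch (assumption, see lead-in)."""
    _policy["fips"] = enabled


def fingerprint_md5(data: bytes) -> str:
    """MD5 as a plain hash (content fingerprint, cache key). Never policy-gated.
    usedforsecurity=False is how CPython tells an OpenSSL FIPS provider that
    this digest is not a security function."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def crypto_md5(data: bytes) -> str:
    """MD5 as a cryptographic primitive. Subject to policy; a real FIPS-enabled
    OpenSSL build refuses this call outright even without our check."""
    if _policy["fips"]:
        raise Md5DisabledByPolicy("MD5 not permitted for cryptographic use under FIPS policy")
    return hashlib.md5(data).hexdigest()


def check_policy_split(data: bytes) -> dict:
    """Exercise both entry points with policy off and on; returns the facts a
    regression test for this separation should assert."""
    set_fips_policy(False)
    open_fp, open_crypto = fingerprint_md5(data), crypto_md5(data)
    set_fips_policy(True)
    fips_fp = fingerprint_md5(data)  # must keep working
    try:
        crypto_md5(data)
        blocked = False
    except Md5DisabledByPolicy:
        blocked = True
    finally:
        set_fips_policy(False)
    return {
        "digest_matches": open_fp == open_crypto == fips_fp,
        "fingerprint_ok_under_fips": fips_fp == open_fp,
        "crypto_blocked_under_fips": blocked,
    }
```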

Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
Reporter: sergey.galtsev@mongodb.com Sergey Galtsev (Inactive)
Votes: 0
Watchers: 3
