<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:13:17 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-6977] Support for alternative hashing algorithm for authentication</title>
                <link>https://jira.mongodb.org/browse/SERVER-6977</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;MD5 is not an approved algorithm for the Federal Information Processing Standards, however, FIPS-140 compliance is a requirement for many federal government software projects.  A list of approved algorithms may be found here:&lt;br/&gt;
&lt;a href=&quot;http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Because MongoDB authentication uses MD5 hashing for the message digest, there is no way to meet FIPS-140 compliance with authentication enabled.&lt;/p&gt;

&lt;p&gt;In order to meet FIPS compliance, please add support for an alternative hashing algorithm to be optionally enabled in the server. Client drivers should follow suit. For example, a new option --authAlgorithm=HMACSHA256 could instruct the server to use the approved HMAC+SHA256 algorithm for the authentication message digest. I recommend this as an option rather than simply switching entirely from MD5 to HMAC+SHA256 because this would break existing clients until all drivers could upgrade.&lt;/p&gt;

&lt;p&gt;Here is a bit more background in order to recreate the issue:&lt;/p&gt;

&lt;p&gt;This affects servers and client libraries, and is simple to recreate by setting this registry bit on a Windows machine to 1 (enabled): &lt;/p&gt;

&lt;p&gt;HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled&lt;/p&gt;

&lt;p&gt;With this set, components that use non-compliant algorithms should fail. The .NET client will throw an exception when attempting to create the message digest for authentication. Other drivers may or may not adhere to the policy, depending on whether their underlying crypto implementations or runtime libraries check for this.&lt;/p&gt;

&lt;p&gt;It is also worth noting that the MongoDB Server does not appear to check for the FIPS policy setting on Windows, and as such, even though this registry setting is enabled when running mongod.exe server on a Windows host, MongoDB continues to use MD5 hashing during the authentication process. Not adhering to this policy in mongod.exe on Windows Servers with FIPS enabled may also cause MongoDB to fail a FIPS audit. As such, it&apos;s also recommended that you use a cryptography library that has gained the FIPS-140 certification and adheres to this policy on Windows.&lt;/p&gt;</description>
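The reproduction the report describes, as an added Windows PowerShell example that is not part of the original issue or of MongoDB's code: it reads the FIPS policy bit named above and then tries to construct the .NET Framework crypto classes involved, which is the call that makes the .NET driver throw when it builds the authentication digest. The function names Get-FipsPolicy and Test-FipsAlgorithms are assumptions of this example. It targets Windows PowerShell 5.1 (.NET Framework); PowerShell 7 runs on .NET Core, which no longer enforces the policy inside the runtime, so the MD5 constructor succeeds there even with the bit set. The line that switches the policy on is left as a comment because it is machine-wide and needs an elevated prompt.

```powershell
# Added example, not from the original issue or from MongoDB.
# Windows PowerShell 5.1 (.NET Framework). On .NET Core / PowerShell 7 the
# runtime does not enforce the FIPS policy, so MD5 would not throw there.
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'

function Get-FipsPolicy {
    # $true when the registry bit from the report is set to 1.
    $value = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Test-FipsAlgorithms {
    # Tries to construct each algorithm and records the outcome.
    # With the policy enabled on .NET Framework, the MD5 provider and the
    # purely managed SHA256Managed throw InvalidOperationException
    # ("not part of the Windows Platform FIPS validated cryptographic
    # algorithms"), while the CSP-backed SHA256CryptoServiceProvider is
    # constructible. The report's proposed HMAC+SHA256 digest is listed too.
    $results = [ordered]@{ 'FipsPolicyEnabled' = (Get-FipsPolicy) }
    $names = 'MD5CryptoServiceProvider',
             'SHA256Managed',
             'SHA256CryptoServiceProvider',
             'HMACSHA256'
    foreach ($name in $names) {
        $type = "System.Security.Cryptography.$name"
        try {
            $algo = New-Object -TypeName $type
            $algo.Dispose()
            $results[$name] = 'OK'
        } catch {
            # New-Object wraps the constructor's exception; the inner
            # exception carries the FIPS message.
            $inner = $_.Exception.InnerException
            if ($null -eq $inner) { $inner = $_.Exception }
            $results[$name] = "FAILED: $($inner.GetType().Name): $($inner.Message)"
        }
    }
    return $results
}

# Usage (elevated prompt; setting the bit affects every FIPS-aware
# component on the machine, not just the driver under test):
#   Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1
#   Test-FipsAlgorithms
```

Run it once with the bit at 0 and once at 1 and compare the two result tables; the MD5 row flipping from OK to FAILED while SHA256CryptoServiceProvider stays OK is the behaviour the report attributes to the .NET driver, and it is also the check to run against any other driver host to learn whether its runtime honours the policy at all.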
                <environment>Windows Server 2008 with FIPS-140 Policy Enabled</environment>
        <key id="49984">SERVER-6977</key>
            <summary>Support for alternative hashing algorithm for authentication</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="schwerin@mongodb.com">Andy Schwerin</assignee>
                                    <reporter username="davec">Dave Curylo</reporter>
                        <labels>
                            <label>Windows</label>
                            <label>connection</label>
                            <label>driver</label>
                            <label>replicaset</label>
                    </labels>
                <created>Sun, 9 Sep 2012 12:27:50 +0000</created>
                <updated>Fri, 15 Feb 2013 15:06:28 +0000</updated>
                            <resolved>Sun, 16 Dec 2012 02:53:43 +0000</resolved>
                                    <version>2.2.0</version>
                                                    <component>Security</component>
                                        <votes>1</votes>
                                    <watches>11</watches>
                                                                                                                <comments>
                            <comment id="216153" author="eliot" created="Sun, 16 Dec 2012 02:53:43 +0000"  >&lt;p&gt;Kai - yes, agreed.&lt;br/&gt;
Resolving this as a dup though: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-2360&quot; title=&quot;Add a stronger password authentication scheme (replace md5 with sha?)&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-2360&quot;&gt;&lt;del&gt;SERVER-2360&lt;/del&gt;&lt;/a&gt;&lt;/p&gt;</comment>
<comment id="216052" author="kvirkki" created="Sat, 15 Dec 2012 22:23:32 +0000"  >&lt;p&gt;It&apos;s not only the authentication with the client that uses MD5; MongoDB also stores passwords as MD5 hashes, which is no longer considered secure. Something better should be used, like SHA256 or SHA512. Preferably a key derivation function like PBKDF2 or scrypt should be used, as they can be parametrized to make it harder to brute-force the hashes when attackers&apos; machines get faster.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="56238">SERVER-7648</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="50709">CSHARP-573</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 10 Sep 2012 15:56:55 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        11 years, 9 weeks, 4 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ian@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            11 years, 9 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>schwerin@mongodb.com</customfieldvalue>
            <customfieldvalue>davec</customfieldvalue>
            <customfieldvalue>eliot</customfieldvalue>
            <customfieldvalue>kvirkki</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrnpfr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrh51j:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>13616</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hruyen:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>