From: Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx>
Check out the recent vulnerability the NSA discovered in Microsoft CAPI; the attack uses an MD5 collision to introduce corrupted data into a cache. This is the correct behavior and it is specified for good reason. If there is a FIPS requirement, it very likely prohibits MD5. This is one of the many reasons we try to eliminate use of MD5 in specifications.

I know about the MD5 collision vulnerability and why it’s been downgraded from SECURE applications. I am not talking about a secure application of MD5. I am talking about file hashing for reasonable assurance that the file has not been corrupted by natural occurrences or transmission errors. We don’t even provide secret keying information, so it would be trivial for an “attacker” in this situation to simply hash the new contents and replace the checksum if so desired. That is true even if SHA512 were chosen. So as I say, this is not within the scope of FIPS.
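The distinction the thread is drawing (an unkeyed checksum detects accidental corruption but cannot stop an attacker who simply rehashes the replaced contents, regardless of whether MD5 or SHA-512 is used, whereas only a keyed construction such as an HMAC can) can be demonstrated directly. The following is an added example written for this page; it is not code from either participant or from any specification being discussed. The sample "file" bytes, the bit position flipped, and the HMAC key are constructed for the demonstration, and `usedforsecurity=False` is passed so that MD5 still works on a FIPS-mode Python build where the hash is otherwise disabled.

```python
import hashlib
import hmac

# Constructed sample file contents (not taken from the original message).
ORIGINAL = b"example payload for integrity check\n" * 4


def checksum(data: bytes, algo: str = "md5") -> str:
    """Unkeyed file digest, as a plain integrity checksum would be published.

    usedforsecurity=False tells a FIPS-mode OpenSSL that this is a
    non-cryptographic use, so MD5 is not refused there (Python 3.9+).
    """
    return hashlib.new(algo, data, usedforsecurity=False).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: flip one bit of the data."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def unkeyed_verify(data: bytes, published_digest: str, algo: str) -> bool:
    """Recompute the checksum and compare it with the published one."""
    return hmac.compare_digest(checksum(data, algo), published_digest)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: cannot be recomputed without the secret key."""
    return hmac.new(key, data, "sha256").hexdigest()


def keyed_verify(data: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag)


def demo(algo: str = "md5") -> tuple:
    """Returns (corruption_detected, unkeyed_accepts_forgery, keyed_rejects_forgery)."""
    published = checksum(ORIGINAL, algo)

    # 1. Accidental corruption: one flipped bit is caught by any digest.
    corrupted = flip_bit(ORIGINAL, 37)
    corruption_detected = not unkeyed_verify(corrupted, published, algo)

    # 2. Deliberate tampering: the attacker swaps the contents and simply
    #    publishes a fresh checksum of the new contents. No collision needed,
    #    and the digest algorithm does not matter.
    tampered = ORIGINAL.replace(b"example", b"changed")
    forged_digest = checksum(tampered, algo)
    unkeyed_accepts_forgery = unkeyed_verify(tampered, forged_digest, algo)

    # 3. Keyed integrity: without the key the attacker can only reuse the
    #    old tag, which no longer matches the tampered contents.
    key = b"constructed-secret-key-for-demo"  # constructed for this example
    tag = keyed_tag(ORIGINAL, key)
    keyed_rejects_forgery = not keyed_verify(tampered, tag, key)

    return corruption_detected, unkeyed_accepts_forgery, keyed_rejects_forgery


if __name__ == "__main__":
    for algo in ("md5", "sha512"):
        print(algo, demo(algo))
```

Running it gives `(True, True, True)` for both `md5` and `sha512`: the checksum catches the flipped bit either way, both are equally useless against an adversary who controls the published digest, and only the keyed tag rejects the forgery. The collision property of MD5 is relevant to the first scenario only if someone can craft two colliding files, which is a different threat from the accidental corruption the checksum is meant to detect.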