I have fips-updates
enabled on an Ubuntu 20.04.2 EC2 instance through Ubuntu Advantage, but MD5 still seems to be allowed and working.
$ sudo ua status
SERVICE ENTITLED STATUS DESCRIPTION
...
fips yes n/a NIST-certified core packages
fips-updates yes enabled NIST-certified core packages with priority security updates
...
$ cat /proc/sys/crypto/fips_enabled
1
However, I'm still able to obtain the md5 digest of a byte string (the following command does not error).
$ python3 -c 'import hashlib; hashlib.md5(b"foo").digest()'
On RHEL systems with FIPS enabled, running this same command was an easy smoke-test to see that FIPS was actually being enforced, as the call to hashlib.md5()
would break entirely with a ValueError.
What accounts for this difference? Is the assumption with Ubuntu that it is up to the user to decide whether Md5 is being used to cryptographically protect data, rather than disabling it outright?
Best Answer
The Ubuntu docs imply that only a subset of packages are FIPS 140 validated components available with Ubuntu Advantage and Ubuntu Pro, including:
with
python3
not being one of them. And with Python's_md5
module implemented from scratch in C, it seems to be able to exist outside of FIPS 140-2 enforcement currently.