Score:0

fips-updates UA service does not seem to disable MD5


I have fips-updates enabled on an Ubuntu 20.04.2 EC2 instance through Ubuntu Advantage, but MD5 still seems to be allowed and working.

$ sudo ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
...
fips          yes       n/a       NIST-certified core packages
fips-updates  yes       enabled   NIST-certified core packages with priority security updates
...

$ cat /proc/sys/crypto/fips_enabled
1

However, I'm still able to obtain the md5 digest of a byte string (the following command does not error).

$ python3 -c 'import hashlib; hashlib.md5(b"foo").digest()'

On RHEL systems with FIPS enabled, running this same command was an easy smoke-test to see that FIPS was actually being enforced, as the call to hashlib.md5() would break entirely with a ValueError.

What accounts for this difference? Is the assumption with Ubuntu that it is up to the user to decide whether MD5 is being used to cryptographically protect data, rather than disabling it outright?

Score:1

The Ubuntu docs imply that only a subset of packages are FIPS 140 validated components available with Ubuntu Advantage and Ubuntu Pro, including:

  • Linux Kernel Crypto API
  • OpenSSH client
  • OpenSSH server
  • OpenSSL
  • libcrypt
  • StrongSwan

with python3 not being one of them. And with Python's _md5 module implemented from scratch in C, it seems to be able to exist outside of FIPS 140-2 enforcement currently.
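
A finer-grained version of the question's smoke test, as an added example that is not part of the original question or answer: it probes the OpenSSL-backed route (`_hashlib`) and CPython's built-in `_md5` module separately, so the result shows which implementation actually served `hashlib.md5`. The function names and verdict strings are assumptions made for illustration.

```python
import hashlib
import importlib

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # kernel flag read in the question

def kernel_fips_enabled(path=FIPS_FLAG):
    """True only if the flag file exists and contains 1."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def _try(module_name, call):
    """Run one MD5 route; return 'ok', 'blocked' or 'absent'."""
    try:
        call(importlib.import_module(module_name))
        return "ok"
    except ImportError:
        return "absent"   # module not compiled into this interpreter
    except (ValueError, AttributeError):
        return "blocked"  # the provider refused or does not expose MD5

def probe_md5():
    """Exercise each way Python can reach MD5 and record the outcome."""
    ctor = getattr(hashlib, "md5", None)
    return {
        # OpenSSL-backed route, subject to OpenSSL's own FIPS restrictions
        "openssl": _try("_hashlib", lambda m: m.new("md5", b"foo")),
        # CPython's own C implementation, independent of OpenSSL
        "builtin": _try("_md5", lambda m: m.md5(b"foo")),
        # The route the question's one-liner exercises
        "hashlib": _try("hashlib", lambda m: m.md5(b"foo")),
        # Module that supplied hashlib.md5: "_hashlib" or "_md5"
        "source": getattr(ctor, "__module__", None),
    }

def assess(kernel_fips, probes):
    """Turn the probe results into a one-line verdict (wording is ours)."""
    if not kernel_fips:
        return "kernel not in FIPS mode"
    if probes["hashlib"] == "blocked":
        return "MD5 blocked for Python callers"
    if probes["openssl"] == "blocked":
        return "OpenSSL refuses MD5, but hashlib serves it from builtin _md5"
    return "MD5 available via " + str(probes["source"])

if __name__ == "__main__":
    results = probe_md5()
    print(results, assess(kernel_fips_enabled(), results), sep="\n")
```

A result of `"openssl": "blocked"` together with `"source": "_md5"` means the digest never passed through the validated OpenSSL module.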
