Dalli uses MD5 which is not permitted in FIPS mode #723
Comments
- MD5 is not permitted in FIPS mode, nor is the Digest class. When operating with FIPS mode, only OpenSSL::Digest::SHAxxx is permitted. -Closes petergoldstein#723
So I'd reframe this a bit in a couple of key ways:
Not entirely sure why you'd have this expectation. Rails 5.2 compatibility doesn't imply that a library (or more accurately, a system using that library) is or is not FedRAMP compatible. This is further complicated by the nature of FedRAMP certification, which includes multiple levels (Low, Medium, High), as well as 'tailored' levels like the Li-SaaS Tailored level. Not to mention that you can list exceptions to the standards on your system's POA&M, and depending on your ATO's stance on that exception you may need to remediate it immediately, eventually, or not at all. FedRAMP is complicated.
The line you reference is not used for identity, access control, digital signature, or any other cryptographically secure operation. That said, because of the broad nature of NIST's definition of cryptographic operation, this line would fall under that definition. I'm fine with making it configurable, with a default matching the historical value of MD5. I see you've put up a PR (#724), which addresses this. I really appreciate that. Will give some feedback there.
@petergoldstein Given that you've previously mentioned replacing the DalliStore adapter with the Rails MemCacheStore adapter, and that they're nearly functionally identical, I think the expectation that they behave the same is quite reasonable. Yes, you're very much correct about the implications of FedRAMP. However, if one were to simply turn on FIPS mode in the process, any call to the Digest class will segfault. Consequently, even if Dalli is using MD5 in a way that doesn't implement a FedRAMP control, it's still problematic for those who would attempt FIPS compliance. I'm happy that you're open to the change. Thank you for your time and consideration.
When providing services to United States federal agencies, you must implement FedRAMP controls, one of which requires using FIPS for cryptographic operations. In Rails 5.2 work was done to remove explicit calls to MD5 and replace them with the `ActiveSupport::Digest` class.
As there are comments in the change log indicating Rails 5.2 support https://github.com/petergoldstein/dalli/blob/master/History.md#278, I would expect that Dalli would also implement similar mechanisms as Rails did with their mem_cache_store adapter.
https://github.com/rails/rails/blob/v5.2.0/activesupport/lib/active_support/cache/mem_cache_store.rb#L188
Perhaps instead of fixing the `DalliStore` class, #573 should be finally completed?
However, I do notice that the `Dalli::Client` class also calls MD5 https://github.com/petergoldstein/dalli/blob/master/lib/dalli/client.rb#L382, and given that Dalli is intended to be used independent of Rails, I'm not sure what the correct solution would be for that. Perhaps a configuration option can be set to pass in the desired Digest class? This way a default can be set and in Rails both methods will call `ActiveSupport::Digest`, but in non-Rails envs the client can use whatever Digest class the user prefers. Moreover, this solution would also support older versions of Rails that may not have `ActiveSupport::Digest`.
I am presently working on a PR to address this oversight. I hope that you can provide guidance on how you want to move forward with a solution that makes Dalli FIPS compatible. Thank you for your time.
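The configurable digest class proposed in this thread, sketched as an added example that is not Dalli's code and not the code from PR #724. `CacheKeyNormalizer`, `default_digest_class` and the key layout are hypothetical; it assumes the digest is only used to shorten cache keys that exceed memcached's 250-byte limit, and the FIPS-aware default is this example's own choice.

```ruby
require 'digest'
require 'openssl'

# Hypothetical helper, not Dalli's code. Assumes the digest is only used to
# shorten over-long cache keys, i.e. not for any security decision.
class CacheKeyNormalizer
  MAX_KEY_BYTES = 250 # memcached's key length limit

  # Choose a default: SHA-256 via OpenSSL when FIPS mode is on, MD5 (the
  # historical value mentioned in the thread) otherwise.
  def self.default_digest_class(fips = OpenSSL.fips_mode)
    fips ? OpenSSL::Digest::SHA256 : ::Digest::MD5
  end

  def initialize(digest_class: self.class.default_digest_class)
    unless digest_class.respond_to?(:hexdigest)
      raise ArgumentError, 'digest_class must respond to .hexdigest'
    end
    @digest_class = digest_class
  end

  # Keys within the limit pass through. Longer keys keep a readable prefix
  # and get the hex digest of the full key appended, so two long keys with
  # the same prefix still map to different cache entries.
  def normalize(key)
    key = key.to_s
    raise ArgumentError, 'key cannot be blank' if key.empty?
    return key if key.bytesize <= MAX_KEY_BYTES

    digest = @digest_class.hexdigest(key)
    prefix_bytes = MAX_KEY_BYTES - digest.bytesize - 1
    # scrub drops a multibyte character cut in half by byteslice
    "#{key.byteslice(0, prefix_bytes).scrub('')}:#{digest}"
  end
end

if __FILE__ == $PROGRAM_NAME
  long_key = 'views/reports/' + ('x' * 300) # constructed sample key
  fips_safe = CacheKeyNormalizer.new(digest_class: OpenSSL::Digest::SHA256)
  puts fips_safe.normalize(long_key)
end
```

Switching the digest class changes the stored name of every over-long key, so entries written under the previous digest will miss until they are repopulated.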