Regarding MessageDigest MD5 and SHA-1 Supported with OpenJCEPlusFIPS provider #474

Open
vramasam opened this issue Feb 26, 2025 · 2 comments

Comments

@vramasam

According to FIPS 140-3 standards, MD5 and SHA-1 are not in the approved list, but they are supported by OpenJCEPlusFIPS. Can you please clarify the reason for this?

@vramasam changed the title from "Regarding MessageDigest MD5 and SHA-1" to "Regarding MessageDigest MD5 and SHA-1 Supported with OpenJCEPlusFIPS provider" on Feb 26, 2025
@johnpeck-us-ibm
Member

Please see the Security Policy for IBM Crypto for C: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755. These are part of the FIPS module but are not FIPS approved. These are there because there are cases where non-FIPS approved algorithms can be used, like using MD5 or SHA1 for a hash table. NIST has exceptions on where these and other non-FIPS approved algorithms can be used.

@jasonkatonica
Member

Hi @vramasam, this project makes use of the Open Cryptography Kit C project. The Open Cryptography Kit C project does have code to handle the case (if FIPS certified by a user through the NIST process) could achieve FIPS certification. In general, if a set of code was certified, the FIPS module could run in either approved or non-approved modes. The subtle difference here is that the FIPS module may contain non-approved algorithms for use in non-cryptographic scenarios. When running in unapproved mode, both MD5 and SHA-1 are available to be run, and the OpenJCEPlusFIPS provider as seen in this project does allow those algorithms to be called. You are correct that MD5 and SHA-1 are not approved for general cryptographic use in the FIPS 140-3 standard.
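
One way to check which digests a provider exposes beyond an application's own allowlist, as an added example that is not code from this thread or from the OpenJCEPlus project. The allowlist (SHA-2 and SHA-3 names) and the class name `DigestAudit` are assumptions of this example; if the named provider is not installed, it audits every installed provider instead.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

public class DigestAudit {
    // Assumption of this example: the application's policy allows only SHA-2 and SHA-3.
    // Align this set with the security policy of the module actually deployed.
    static final Set<String> ALLOWED = Set.of(
        "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256",
        "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512");

    // Returns the MessageDigest algorithms a provider registers that are not in ALLOWED.
    static Set<String> digestsOutsidePolicy(Provider p) {
        Set<String> flagged = new TreeSet<>();
        for (Provider.Service s : p.getServices()) {
            if ("MessageDigest".equals(s.getType())
                    && !ALLOWED.contains(s.getAlgorithm().toUpperCase(Locale.ROOT))) {
                flagged.add(s.getAlgorithm());
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "OpenJCEPlusFIPS";
        Provider target = Security.getProvider(name);
        Provider[] providers =
            target != null ? new Provider[] {target} : Security.getProviders();
        if (target == null) {
            System.out.println(name + " is not installed; auditing all installed providers");
        }
        for (Provider p : providers) {
            Set<String> flagged = digestsOutsidePolicy(p);
            if (!flagged.isEmpty()) {
                System.out.println(p.getName()
                    + " exposes MessageDigest algorithms outside policy: " + flagged);
            }
        }
    }
}
```

Only primary algorithm names are compared, so a digest registered under a different primary name (for example `SHA` for SHA-1) is still flagged because it is not in the allowlist.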
