Federal Information Processing Standards (FIPS) and MD5 Checksums

Email this to someonePrint this pageShare on LinkedIn0Tweet about this on TwitterShare on Google+0

There is an old security requirement that the United States Federal government imposes that will affect the FDA. That security requirement, otherwise known as Federal Information Processing Standards (FIPS), does not allow any program to calculate MD5 checksums, as defined in the eCTD 3.2 specification. This is a potentially huge problem for everyone creating eCTD submissions.

What is the FIPS?
The Federal Information Processing Standards (FIPS) publications are guidelines that set best practices for software and hardware computer security products. FIPS is maintained by the National Institute of Standards and Technology (NIST), and is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.

FIPS is applicable to any software that employs cryptography. In most cases, the United States government can only purchase FIPS certified products.

Why should you care?
According to NIST, 48% of cryptography functions have flaws and 30% of algorithms don’t conform to standards. MD5 checksum is considered a flawed algorithm. Nevertheless, eCTD submission requires you to calculate MD5 checksums. The MD5 checksum is used to detect whether messages have been changed since the checksums were generated. Checksums, or hash algorithms, are governed by the FIPS 180-3, Secure Hash Standard.

In FIPS 180-3, MD5 is not an approved hash algorithm. Accordingly, the U.S. government cannot use it.

Is MD5 Checksum a Thing of the Past?
For now, my crystal ball says no. I predict that for the next few years, the FDA will accept MD5 checksum. I also predict that sometime in the future, the FDA will stop accepting MD5 checksum for a FIPS compliant checksum.



Author: Jason Rock

Jason Rock is a pioneer in the field of electronic submissions. Mr. Rock has an extensive background working with global life sciences companies and regulatory agencies to promote eCTD adoption through the development of advanced applications. The commercial software Mr. Rock originally developed, and continues to improve, in his role as Chief Technical Officer for GlobalSubmit, is used exclusively by the U.S. Food & Drug Administration to review and validate all eCTD submissions the FDA receives.

Share This Post On

Submit a Comment

%d bloggers like this: