Federal Information Processing Standards (FIPS) and MD5 Checksums
An old security requirement imposed by the United States Federal government will affect the FDA. That requirement, known as the Federal Information Processing Standards (FIPS), does not allow any program to calculate MD5 checksums, which the eCTD 3.2 specification calls for. This is a potentially huge problem for everyone creating eCTD submissions.
What is the FIPS?
The Federal Information Processing Standards (FIPS) publications are guidelines that set best practices for software and hardware computer security products. FIPS is maintained by the National Institute of Standards and Technology (NIST), and is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.
FIPS applies to any software that employs cryptography. In most cases, the United States government can only purchase FIPS-certified products.
Why should you care?
According to NIST, 48% of cryptography functions have flaws and 30% of algorithms don't conform to standards. MD5 is considered a flawed algorithm. Nevertheless, eCTD submissions require you to calculate MD5 checksums. The MD5 checksum is used to detect whether messages have been changed since the checksums were generated. The hash algorithms behind such checksums are governed by FIPS 180-3, the Secure Hash Standard.
In FIPS 180-3, MD5 is not an approved hash algorithm. Accordingly, the U.S. government cannot use it.
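The following is an added example, not code from the original post or from any eCTD tool. It shows the practical consequence of the two points above: a verifier that checks an eCTD-style MD5 against a recorded value, tolerates a FIPS-enabled host that refuses MD5, and reports a FIPS 180-3 approved SHA-256 alongside. It assumes Python 3.9 or later (for the usedforsecurity keyword) and uses a constructed sample in place of a real leaf file.

```python
import hashlib
from typing import Optional

# Constructed sample standing in for one eCTD leaf file (not a real submission).
SAMPLE_LEAF = b"abc"

def checksum(data: bytes, algorithm: str) -> Optional[str]:
    """Hex digest of `data`, or None when the host refuses the algorithm.

    On a FIPS-enabled host hashlib may raise ValueError for MD5, which is not
    an approved algorithm under FIPS 180-3. Python 3.9+ accepts
    usedforsecurity=False to declare a non-security use; that is the honest
    framing for eCTD 3.2, where the MD5 value is an integrity fingerprint the
    submission format requires, not a security control.
    """
    try:
        h = hashlib.new(algorithm, data, usedforsecurity=(algorithm != "md5"))
    except ValueError:
        return None
    return h.hexdigest()

def verify_leaf(data: bytes, expected_md5: str) -> dict:
    """Compare the leaf's MD5 with the value recorded in the submission index
    and report a FIPS-approved SHA-256 alongside, so a submitter can carry
    both while MD5 is still required."""
    actual_md5 = checksum(data, "md5")
    return {
        "md5_available": actual_md5 is not None,
        "md5_matches": actual_md5 is not None
                       and actual_md5 == expected_md5.strip().lower(),
        "sha256": checksum(data, "sha256"),
    }

if __name__ == "__main__":
    # Published test-vector MD5 of b"abc"; the index may record it in upper case.
    print(verify_leaf(SAMPLE_LEAF, "900150983CD24FB0D6963F7D28E17F72"))
```

On a non-FIPS host the result reports md5_available and md5_matches as True; on a strict FIPS build md5_available is False and only the SHA-256 is returned.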
Is MD5 Checksum a Thing of the Past?
For now, my crystal ball says no. I predict that for the next few years, the FDA will accept MD5 checksums. I also predict that sometime in the future, the FDA will stop accepting MD5 checksums and require a FIPS-compliant checksum instead.