LibZ icon indicating copy to clipboard operation
LibZ copied to clipboard

Published 20 hours ago verified publisher icon MiloszKrajewski

Issue with compression

Open gregmcguffey opened this issue 8 years ago • 6 comments

I have a situation where the encryption used by LibZ was not FIPS compliant. I'm not sure what is being encrypted or if this can be changed. Do I have any options or do you know of a solution?

Thanks!

gregmcguffey avatar Oct 05 '16 23:10 gregmcguffey

LibZ does not use encryption at all, so it cannot be FIPS compliant. There is an MD5 calculated for identification only, it is not a signature or anything. By default it uses Deflate (zip) as compression algorithm. If you need dlls to be encrypted you would need to write encryption plugin yourself. Which is possible, yet not trivial.

As a starting point, how to write your own compression/encryption plugin, you can use this: https://libz.codeplex.com/wikipage?title=Plugging%20in%20your%20own%20compression%20algorithm&referringTitle=Documentation

MiloszKrajewski avatar Oct 06 '16 09:10 MiloszKrajewski

I did a bit more digging and FIPS (a US government security standard standard enforced at OS level) does not allow MD5. Here is a SO article on alternatives: http://stackoverflow.com/a/4893180/99559. I'll take a look and see if I can figure out how to use one of these alternatives. Thanks for the info.

gregmcguffey avatar Oct 06 '16 15:10 gregmcguffey

What we have here it seems like 'XY problem'. You raise a problem of LibZ not being FIPS compliant while the actual problem is that some machines do not have MD5 installed (or have it disabled).

That is a real problem. I guess I could change MD5 to something else, but what? Any suggestions for widely available 128-bit non-cryptographic hash? I guess MurMur might be an option.

MiloszKrajewski avatar Oct 06 '16 16:10 MiloszKrajewski

After doing a bunch more research, I've learned that FIPS disables MD5. Or more specifically, you set a security policy that .NET checks. If it is enabled, it won't run MD5. The security policy is:

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing = Enabled

I've done my best to change the hashing to use SHA1 and it appears to work with FIPS enabled (and appears to not break LibZ functionality). However, are there unit tests I can run, to see if I broke anything else? I can submit a pull request if you'd like, so you can take a look.

I'm looking into MurMur too.

gregmcguffey avatar Oct 07 '16 00:10 gregmcguffey

Any progress on this, I have a library that uses Libz that also is impacted by FIPS compliance.

dvbarnes avatar Oct 19 '18 16:10 dvbarnes

I forked the repo (https://github.com/gregmcguffey/LibZ-FIPS) and made some changes that allow it to be FIPS compliant. Our use case was pretty simple and it has been working well for a couple of years.

When I did a pull request, my solution would very likely break cases where there are composed LibZ libraries. I used SHA-1 instead of MD-5. There was a problem with existing libraries not getting resolved/loaded correctly. It’s been a long time since I looked at this. One thought I had was to replicate the MD-5 logic, so we don’t trigger FIPS checks, but also don’t break existing packages. The MD-5 is being used to create an ID, thus not a security risk at all (that I know of).

Greg McGuffey | Developer (o) 480.481.5927 | (m) 928.607.5589 [email protected]

From: dvbarnes [email protected] Sent: Friday, October 19, 2018 9:55 AM To: MiloszKrajewski/LibZ [email protected] Cc: Greg McGuffey [email protected]; Author [email protected] Subject: Re: [MiloszKrajewski/LibZ] Issue with compression (#12)

Any progress on this, I have a library that uses Libz that also is impacted by FIPS compliance.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_MiloszKrajewski_LibZ_issues_12-23issuecomment-2D431428617&d=DwMCaQ&c=3osP8_fFVztkmLX-wblBSzVmg3E7zPSWQr9Be8oq6Ko&r=_DRtniQ8T0h2ziZaSRj4LkVUDFaWyVvowz7lR3dgEPk&m=Bx9q3UJxiwgkwN9Ehp571zIgAlnh2xJhS8am3aRiQng&s=z2fayysDLF0gjsS0vq3-Xuz78frBIx4fGOmaXS_mWzo&e=, or mute the threadhttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AR0aqDjM1asOqEdhSk6dFIGco4RripEMks5umgP5gaJpZM4KPZd6&d=DwMCaQ&c=3osP8_fFVztkmLX-wblBSzVmg3E7zPSWQr9Be8oq6Ko&r=_DRtniQ8T0h2ziZaSRj4LkVUDFaWyVvowz7lR3dgEPk&m=Bx9q3UJxiwgkwN9Ehp571zIgAlnh2xJhS8am3aRiQng&s=0GSGkje5mOG7ekcuWYUAbGAuyzTrw10iFlFJOPbTDm4&e=.

CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain confidential information of Cognosante Holdings, LLC and/or its subsidiaries, including Cognosante, LLC, Cognosante Consulting, LLC, and Cognosante MVH, LLC and is protected by law. If you have received this in error, please reply to the sender and delete it from your system. If you are the intended recipient, you may use the information contained in this message and any files attached only as authorized.

gregmcguffey avatar Oct 19 '18 17:10 gregmcguffey