FIPS 180-2 and comments

despot at crosswinds.net despot at crosswinds.net
Wed Sep 4 21:34:56 EDT 2002


> DEPARTMENT OF COMMERCE
>
> National Institute of Standards and Technology
>
> [Docket No. 001214352-2097-02]
>
>
> Announcing Approval of Federal Information Processing Standard
> (FIPS) 180-2, Secure Hash Standard; a Revision of FIPS 180-1
>
> AGENCY: National Institute of Standards and Technology (NIST),
> Commerce.

FIPS 180-2 has been approved. This revision to the standard adds the 256-, 
384-, and 512-bit output hash algorithms. Included in the announcement was a 
section of comments on the standard and responses by NIST to the comments.

Of note...

>     Comment: One comment suggested that there may be weaknesses in the
> algorithms, and proposed a method to change the standard to address the
> perceived weaknesses.
>     Response: It would be more appropriate for the perceived weaknesses
> to be addressed in application standards such as the Federal
> Information Processing Standard for the Keyed-Hash Message
> Authentication Code (HMAC), which has been approved as FIPS 198, as
> opposed to addressing this in FIPS 180-2 itself. Furthermore, NIST
> expects to issue guidance on the implementation of secure hash
> functions.

The comments received on the standard are available on the NIST Computer 
Security Research Center (CSRC) web site (http://csrc.nist.gov) in a PDF 
(http://csrc.nist.gov/encryption/shs/dfips-180-2-comments1.pdf). That 
document contains the message by John Kelsey that discusses the "perceived" 
weakness being referred to in this comment.

The hash algorithms will not be tweaked to prevent this property. Besides 
being addressed in FIPS (and potentially other) standards that build upon 
these hash algorithms, guidance may be issued and it will then be left in 
the hands of implementers and standards developers. (I guess I am still 
struck by how RC4 was used in WEP.)

Is there any new (within 6 months) research on SHA-1, SHA-256, SHA-384, 
and/or SHA-512? Strengths, weaknesses, etc.? Pointers would be appreciated.

-Andrew


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
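Since NIST's response above points to the keyed-hash standard (HMAC, FIPS 198) as the place where hash-function weaknesses are to be handled rather than in FIPS 180-2 itself, here is the FIPS 198 construction written out over the SHA-256/384/512 functions that FIPS 180-2 adds. This is an added example, not part of Andrew's post and not code from NIST or either standard; it uses only Python's hashlib (for the SHA-2 primitives) and hmac (purely to cross-check the hand-rolled version), and the key/message pair in the demo is the first HMAC-SHA-256 test vector published in RFC 4231. The function and parameter names are this example's own.

```python
import hashlib
import hmac  # used only to cross-check the construction below against the stdlib


def fips198_hmac(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), as FIPS 198 defines it.

    K' is the key brought to the hash function's input block size B:
    a key longer than B is first hashed, then the result (or a short key)
    is zero-padded to B bytes. B is 64 for SHA-256 and 128 for SHA-384/SHA-512,
    so it is read from the hash object rather than hard-coded.
    """
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")

    ipad_key = bytes(b ^ 0x36 for b in key)  # inner pad, FIPS 198 step 4
    opad_key = bytes(b ^ 0x5C for b in key)  # outer pad, FIPS 198 step 7

    inner = hashlib.new(hash_name, ipad_key + msg).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-rolled HMAC against Python's hmac module (constant-time compare)."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(fips198_hmac(key, msg, hash_name), expected)


# RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
RFC4231_KEY = b"\x0b" * 20
RFC4231_MSG = b"Hi There"

if __name__ == "__main__":
    for name in ("sha256", "sha384", "sha512"):
        tag = fips198_hmac(RFC4231_KEY, RFC4231_MSG, name)
        print(f"HMAC-{name.upper()}: {tag.hex()}  stdlib agrees: {matches_stdlib(RFC4231_KEY, RFC4231_MSG, name)}")
    # A key longer than the block size exercises the pre-hash branch (FIPS 198 step 2).
    long_key = b"k" * 200
    print("long-key sha512 agrees:", matches_stdlib(long_key, b"constructed message", "sha512"))
```

The point of reading the block size off the hash object is that the SHA-384 and SHA-512 functions added in FIPS 180-2 process 1024-bit blocks, not the 512-bit blocks of SHA-1 and SHA-256; an HMAC implementation that hard-codes 64-byte padding will silently produce non-interoperable tags for the larger hashes.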
