NIST moves to stronger hashing

R.A. Hettinga rah at shipwright.com
Mon Feb 7 12:39:36 EST 2005


<http://www.fcw.com/print.asp>

Federal Computer Week

Monday, February 7, 2005

NIST moves to stronger hashing

By Florence Olsen
Published on Feb. 7, 2005


Federal agencies have been put on notice that National Institute of
Standards and Technology officials plan to phase out a widely used
cryptographic hash function known as SHA-1 in favor of larger and stronger
hash functions such as SHA-256 and SHA-512.

The change will affect many federal cryptographic functions that
incorporate hashes, particularly digital signatures, said William Burr,
manager of NIST's security technology group, which advises federal agencies
on electronic security standards.

"There's really no emergency here," Burr said. "But you should be planning
how you're going to transition - whether you're a vendor or a user - so
that you can do better cryptography by the next decade."

Hashing is used to prevent tampering with electronic messages. A hash is a
numerical code generated from a string of text when a message is sent. The
receiving system checks it against a hash it creates from the same text,
and if they match, the message was sent intact.

Speaking at a recent meeting of the federal Public Key Infrastructure
Technical Working Group at NIST, Burr said some critics have questioned the
security of the government-developed SHA-1 after some researchers managed
to break a variant of the SHA-1 hash function last year.

But Burr said no complete implementation of the SHA-1 function has been
successfully attacked. "SHA-1 is not broken," he said, "and there is not
much reason to suspect that it will be soon." But advances in computer
processing capability make it prudent to phase out SHA-1 by 2010, he said.

Burr said other widely used hash functions such as MD5 are vulnerable to
attack and their use should be discontinued. "If by some chance you are
still using MD5 in certificates or for digital signatures, you should
stop," he said.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
