Revised standards for hashing algorithms get final approval

Technical specifics for hashing algorithms are moved from FIPS to NIST special publications

A revised and streamlined federal standard for secure hash
algorithms has been approved by the secretary of Commerce, adding a
new algorithm to the list of those approved for use in federal IT
systems and removing many of the technical specifics to make the
standard more flexible.

Federal Information Processing StandardPublication 180-3, which replaces FIPS 180-2, goes into
effect today.

FIPS standards are developed by the National Institute of
Standards and Technology, which also produces the 800-series of
special publications that define technical specifications for the

Cryptographic hash functions compute a message digest, or hash,
of a fixed length when run against the contents of a message.
Because contents of the original message cannot be derived from the
digest, and because of the rare possibility that two messages could
produce the same digest, hashing provides a secure way to
authenticate that a message has not been changed since it was
digitally signed. Government systems, except national security
systems, must use approved cryptographic hash functions specified
in FIPS 180-3.

FIPS 180-3 specifies five approved hash algorithms. Those
include the four originally specified in FIPS 180-2 and one that
was added later. Approved algorithms are SHA-1, SHA-224, SHA-256,
SHA-384, and SHA-512.

Changes in the standard reflect weaknesses that have been
discovered in hashing functions and the fact that technical changes
take place at a rate that are not easily accommodated under the
FIPS program.

“Some technical information in FIPS 180-2 about the
security of the hash algorithms may no longer be accurate, as shown
by recent research results, and it is possible that further
research may indicate additional changes,” the Commerce
Department wrote in announcing the approval of the new standard.
“Therefore, the technical information has been removed from
the revised standard, and will be provided in Special Publications
800-107 and 800-57, which can be updated in a timely fashion as the
technical conditions change.”

The final draft version of the standard was released for comment
in June 2007, and comments were received from two government
organizations, three private-sector organizations and one
individual. The comments asked for clarification and suggested
editorial rather than technical changes.

A primary difference between FIPS 180-2 and 180-3 is that the
security strengths of the five secure hash algorithms are not
described in the standards because of the possibility that they
could change before the standard is updated. Instead, that issue is
discussed in NIST SP 800-107, which is referenced in Appendix A of
the standard. Examples of the hash values generated by the approved
algorithms also were removed and are posted on a Website so that they can be conveniently updated. A link to
the Web site was added in the implementation notes in the

NIST released a second draft version for SP 800-107 titled “Recommendations
for Applications Using Approved Hash Algorithms,” in July. It
provides guidelines for achieving the appropriate level of security
when using approved hash functions and will included updated
technical data on algorithms. The comment period on the publication
closed Oct. 9.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected