Revised standards for hashing algorithms get final approval
Technical specifics for hashing algorithms are moved from FIPS to NIST special publications
- By William Jackson
- Oct 17, 2008
A revised and streamlined federal standard for secure hash
algorithms has been approved by the secretary of Commerce, adding a
new algorithm to the list of those approved for use in federal IT
systems and removing many of the technical specifics to make the
standard more flexible.
Federal Information Processing StandardPublication 180-3, which replaces FIPS 180-2, goes into
FIPS standards are developed by the National Institute of
Standards and Technology, which also produces the 800-series of
special publications that define technical specifications for the
Cryptographic hash functions compute a message digest, or hash,
of a fixed length when run against the contents of a message.
Because contents of the original message cannot be derived from the
digest, and because of the rare possibility that two messages could
produce the same digest, hashing provides a secure way to
authenticate that a message has not been changed since it was
digitally signed. Government systems, except national security
systems, must use approved cryptographic hash functions specified
in FIPS 180-3.
FIPS 180-3 specifies five approved hash algorithms. Those
include the four originally specified in FIPS 180-2 and one that
was added later. Approved algorithms are SHA-1, SHA-224, SHA-256,
SHA-384, and SHA-512.
Changes in the standard reflect weaknesses that have been
discovered in hashing functions and the fact that technical changes
take place at a rate that are not easily accommodated under the
“Some technical information in FIPS 180-2 about the
security of the hash algorithms may no longer be accurate, as shown
by recent research results, and it is possible that further
research may indicate additional changes,” the Commerce
Department wrote in announcing the approval of the new standard.
“Therefore, the technical information has been removed from
the revised standard, and will be provided in Special Publications
800-107 and 800-57, which can be updated in a timely fashion as the
technical conditions change.”
The final draft version of the standard was released for comment
in June 2007, and comments were received from two government
organizations, three private-sector organizations and one
individual. The comments asked for clarification and suggested
editorial rather than technical changes.
A primary difference between FIPS 180-2 and 180-3 is that the
security strengths of the five secure hash algorithms are not
described in the standards because of the possibility that they
could change before the standard is updated. Instead, that issue is
discussed in NIST SP 800-107, which is referenced in Appendix A of
the standard. Examples of the hash values generated by the approved
algorithms also were removed and are posted on a Website so that they can be conveniently updated. A link to
the Web site was added in the implementation notes in the
NIST released a second draft version for SP 800-107 titled “Recommendations
for Applications Using Approved Hash Algorithms,” in July. It
provides guidelines for achieving the appropriate level of security
when using approved hash functions and will included updated
technical data on algorithms. The comment period on the publication
closed Oct. 9.
William Jackson is a Maryland-based freelance writer.