17 October 2008
[Federal Register: October 17, 2008 (Volume 73, Number 202)]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No.: 070413090-8543-02]
Announcing Approval of Federal Information Processing Standard
(FIPS) Publication 180-3, Secure Hash Standard, a Revision of FIPS
180-2, Secure Hash Standard
AGENCY: National Institute of Standards and Technology (NIST), Commerce
SUMMARY: This notice announces the Secretary of Commerce's approval of
Federal Information Processing Standard (FIPS) Publication 180-3,
Secure Hash Standard, a revision of FIPS 180-2, Secure Hash Standard.
The FIPS specifies five secure hash algorithms for use in computing a
condensed representation of electronic data, or a message digest.
Secure hash algorithms are used with other cryptographic algorithms,
such as digital signature algorithms and keyed hash message
The revised FIPS incorporates the four hash algorithms that had
been specified in FIPS 180-2, and includes an additional algorithm that
had been specified in Change Notice 1 to FIPS 180-2. In addition, a
basic description of a truncation method that was provided in the
Change Notice has been incorporated into the standard. Some technical
information in FIPS 180-2 about the security of the hash algorithms may
no longer be accurate, as shown by recent research results, and it is
possible that further research may indicate additional changes.
Therefore, the technical information has been removed from the revised
standard, and will be provided in Special Publications
(SPs) 800-107 and 800-57, which can be updated in a timely fashion as
the technical conditions change.
DATES: The approved changes are effective as of October 17, 2008.
FOR FURTHER INFORMATION CONTACT: Elaine Barker, (301) 975-2911,
National Institute of Standards and Technology, 100 Bureau Drive, STOP
8930, Gaithersburg, MD 20899-8930, e-mail: firstname.lastname@example.org, or
Quynh Dang, (301) 975-3610, e-mail: email@example.com. FIPS 180-3 is
available electronically from the NIST Web site at:
http://csrc.nist.gov/publications/PubsFIPS.html. NIST Special Publications
(SPs) are available electronically from the NIST Web site at: http://
SUPPLEMENTARY INFORMATION: On June 12, 2007, NIST published a notice in
the Federal Register (72 FR 32282) announcing draft FIPS 180-3, and
soliciting comments on the draft standard from the public, research
communities, manufacturers, voluntary standards organizations and
Federal, State and local government organizations. In addition to being
published in the Federal Register, the notice was posted on the NIST
web pages. Information was provided about the submission of electronic
comments, and an email address was provided for the submission of
Comments, responses, and questions were received from two federal
government organizations, three private sector organizations and one
individual. The comments that were received asked for clarification of
the text of the standard, recommended editorial and formatting changes,
or raised issues unrelated to the revision of the FIPS. All of the
suggestions and recommendations were carefully reviewed, and changes
were made to the standard, where appropriate. None of the comments
opposed the approval of the revised standard. The following is a
summary of the specific comments and NIST's responses to them:
Comment: A number of editorial changes were suggested.
Response: NIST made the appropriate editorial changes such as page
numbering style changes for the preface and the main body of the FIPS
and adding a page break before the appendix section.
Comment: Was the specification for SHA-1 changed in FIPS 180-3?
Response: The SHA-1 algorithm remains the same in FIPS 180-3.
Comment: What are the changes between FIPS 180-2 and 180-3?
Response: There are two main technical changes in FIPS 180-3 from
FIPS 180-2. The first change is that security strengths of the five
secure hash algorithms are not described in the FIPS because they could
change. Instead, the security strengths are discussed in NIST Special
Publication 800-107. A reference to the NIST Publication 800-107 was
added in Appendix A. The second change is that examples of the hash
values generated by the five hash algorithms were removed from the FIPS
and posted on a Web site so that they can be conveniently updated. The
link to the Web site was added in the FIPS under Implementation Notes.
Comment: One commenter preferred having the examples of the five
hash algorithms included in the FIPS.
Response: The FIPS contains only the technical specifications for
the hash algorithms. NIST will provide examples on its Web site for
illustrative purposes only. Since NIST is providing a link to the Web
site within the standard, finding the examples should be no more
onerous than if they were included in the standard.
Comment: Add a footnote to describe the compromised security status
Response: This type of information will be provided in NIST Special
Publication 800-107; a reference to SP 800-107 is provided in the FIPS.
Authority: In accordance with the Information Technology
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal
Information Security Management Act (FISMA) of 2002 (Pub. L.
107-347), the Secretary of Commerce is authorized to approve Federal
Information Processing Standards (FIPS). NIST activities to develop
computer security standards to protect Federal sensitive
(unclassified) information systems are undertaken pursuant to
specific responsibilities assigned to NIST by section 20 of the
National Institute of Standards and Technology Act (5 U.S.C.
278g-3), as amended by section 303 of the Federal Information Security
Management Act of 2002.
E.O. 12866: This notice has been determined not to be significant
for the purposes of E.O. 12866.
Dated: October 9, 2008.
[FR Doc. E8-24743 Filed 10-16-08; 8:45 am]
BILLING CODE 3510-13-P