AGENCY:

National Institute of Standards and Technology (NIST), Commerce Department.

ACTION:

Notice.

SUMMARY:

This notice announces the Secretary of Commerce's approval of Federal Information Processing Standard (FIPS) Publication 180-3, Secure Hash Standard, a revision of FIPS 180-2, Secure Hash Standard. The FIPS specifies five secure hash algorithms for use in computing a condensed representation of electronic data, or a message digest. Secure hash algorithms are used with other cryptographic algorithms, such as digital signature algorithms and keyed hash message authentication codes.

The revised FIPS incorporates the four hash algorithms that had been specified in FIPS 180-2, and includes an additional algorithm that had been specified in Change Notice 1 to FIPS 180-2. In addition, a basic description of a truncation method that was provided in the Change Notice has been incorporated into the standard. Some technical information in FIPS 180-2 about the security of the hash algorithms may no longer be accurate, as shown by recent research results, and it is possible that further research may indicate additional changes. Therefore, the technical information has been removed from the revised standard, and will be provided in Special Publications Start Printed Page 61784(SPs) 800-107 and 800-57, which can be updated in a timely fashion as the technical conditions change.

DATES:

The approved changes are effective as of October 17, 2008.

FOR FURTHER INFORMATION CONTACT:

Elaine Barker, (301) 975-2911, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930, e-mail: elaine.barker@nist.gov, or Quynh Dang, (301) 975-3610, e-mail: quynh.dang@nist.gov. FIPS 180-3 is available electronically from the NIST Web site at: http://csrc.nist.gov/​publications/​PubsFIPS.html. NIST Special Publications (SPs) are available electronically from the NIST Web site at: http://csrc.nist.gov/​publications/​PubsSPs.html.

SUPPLEMENTARY INFORMATION:

On June 12, 2007, NIST published a notice in the Federal Register (72 FR 32282) announcing draft FIPS 180-3, and soliciting comments on the draft standard from the public, research communities, manufacturers, voluntary standards organizations and Federal, State and local government organizations. In addition to being published in the Federal Register, the notice was posted on the NIST web pages. Information was provided about the submission of electronic comments, and an email address was provided for the submission of comments.

Comments, responses, and questions were received from two federal government organizations, three private sector organizations and one individual. The comments that were received asked for clarification of the text of the standard, recommended editorial and formatting changes, or raised issues unrelated to the revision of the FIPS. All of the suggestions and recommendations were carefully reviewed, and changes were made to the standard, where appropriate. None of the comments opposed the approval of the revised standard. The following is a summary of the specific comments and NIST's responses to them:

Comment: A number of editorial changes were suggested.

Response: NIST made the appropriate editorial changes such as page numbering style changes for the preface and the main body of the FIPS and adding a page break before the appendix section.

Comment: Was the specification for SHA-1 changed in FIPS 180-3?

Response: The SHA-1 algorithm remains the same in the FIPS 180-3.

Comment: What are the changes between FIPS 180-2 and 180-3?

Response: There are two main technical changes in FIPS 180-3 from FIPS 180-2. The first change is that security strengths of the five secure hash algorithms are not described in the FIPS because they could change. Instead, the security strengths are discussed in NIST Special Publication 800-107. A reference to the NIST Publication 800-107 was added in Appendix A. The second change is that examples of the hash values generated by the five hash algorithms were removed from the FIPS and posted on a Web site so that they can be conveniently updated. The link to the Web site was added in the FIPS under Implementation Notes in the FIPS.

Comment: One commenter preferred having the examples of the five hash algorithms included in the FIPS.

Response: The FIPS contains only the technical specifications for the hash algorithms. NIST will provide examples on its Web site for illustrative purposes only. Since NIST is providing a link to the Web site within the standard, finding the examples should be no more onerous than if they were included in the standard.

Comment: Add a footnote to describe the compromised security status of SHA-1.

Response: This type of information will be provided in NIST Special Publication 800-107; a reference to SP 800-107 is provided in the FIPS.

Authority: In accordance with the Information Technology Management Reform Act of 1996 (Pub. L. 104-106) and the Federal Information Security Management Act (FISMA) of 2002 (Pub. L. 107-347), the Secretary of Commerce is authorized to approve Federal Information Processing Standards (FIPS). NIST activities to develop computer security standards to protect Federal sensitive (unclassified) information systems are undertaken pursuant to specific responsibilities assigned to NIST by section 20 of the National Institute of Standards and Technology Act (5 U.S.C. 278g-3), as amended by section 303 of the Federal Information Security Management Act of 2002.

E.O. 12866: This notice has been determined not to be significant for the purposes of E.O. 12866.