[Federal Register Volume 60, Number 73 (Monday, April 17, 1995)]
[Notices]
[Pages 19211-19213]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-9386]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 950215050-5050-01]
RIN 0693-AB33
Approval of Federal Information Processing Standards Publication
180-1, Secure Hash Standard (SHS)
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: The purpose of this notice is to announce that the Secretary of
Commerce has approved a new standard, which will be published as FIPS
Publication 180-1, Secure Hash Standard (SHS).
-----------------------------------------------------------------------
SUMMARY: On July 11, 1994 (59 FR 35317-35319), and August 5, 1994 (59
FR 40084) notices were published in the Federal Register that a
revision of Federal Information Processing Standards Publication FIPS
PUB 180, Secure Hash Standard (SHS), was being proposed for Federal
use.
The written comments submitted by interested parties and other
material available to the Department relevant to this revised standard
were reviewed by NIST. On the basis of this review, NIST recommended
that the Secretary approve the revised standard as Federal Information
Processing Standards Publication (FIPS PUB) 180-1, and prepare a
detailed justification document for the Secretary's review in support
of that recommendation.
The detailed justification document which was presented to the
Secretary is part of the public record and is available for inspection
and copying in the Department's Central Reference and Records
Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street
between Pennsylvania and Constitution Avenues, NW., Washington, DC
20230.
This FIPS contains two sections: (1) An announcement section, which
provides information concerning the applicability, implementation, and
maintenance of the standard; and (2) a specifications section which
deals with the technical requirements of the standard. Only the
announcement section of the standard is provided in this notice.
EFFECTIVE DATES: This revised standard is effective October 2, 1995.
ADDRESSES: Interested parties may purchase copies of this standard,
including the technical specifications section, from the National
Technical Information Service (NTIS). Specific ordering information
from NTIS for this standard is set out in the Where to Obtain Copies
Section of the announcement section of the standard.
FOR FURTHER INFORMATION CONTACT:
Mr. Miles Smid, telephone (301) 975-2938, National Institute of
Standards and Technology, Gaithersburg, MD 20899.
SUPPLEMENTARY INFORMATION: NIST has been notified that Department of
Defense authorities have approved the use of the SHS with the DSS to
sign unclassified data processed by ``Warner Amendment'' systems (10
U.S.C. 2315 and 44 U.S.C. 3502(2)) as well as classified data in
selected applications.
Dated: April 11, 1995.
Samuel Kramer,
Associate Director.
Federal Information Processing Standards Publication 180-1
(Date)
Announcing the Secure Hash Standard
Federal Information Processing Standards Publications (FIPS PUBS)
are issued by the National Institute of Standards and Technology (NIST)
after approval by the Secretary of Commerce pursuant to Section 111(d)
of the Federal Property and Administrative Services Act of 1949 as
amended by the Computer Security Act of 1987, Public Law 100-235.
Name of Standard: Secure Hash Standard.
Category of Standard: Computer Security.
Explanation: This Standard specifies a secure hash algorithm, SHA-
1, for computing a condensed representation of a message or a data
file. When a message of any length < 2\64\="" bits="" is="" input,="" the="" sha-1="" produces="" a="" 160-bit="" output="" called="" a="" message="" digest.="" the="" message="" digest="" can="" then="" be="" input="" to="" the="" digital="" signature="" algorithm="" (dsa)="" which="" generates="" or="" verifies="" the="" signature="" for="" the="" message="" (see="" figure="" 1).="" signing="" the="" message="" digest="" rather="" than="" the="" message="" often="" improves="" the="" efficiency="" of="" the="" process="" because="" the="" message="" digest="" is="" usually="" much="" smaller="" in="" size="" than="" the="" message.="" the="" same="" hash="" algorithm="" must="" be="" used="" by="" the="" verifier="" of="" a="" digital="" signature="" as="" was="" used="" by="" the="" creator="" of="" the="" digital="" signature.="" the="" sha-1="" is="" called="" secure="" because="" it="" is="" computationally="" infeasible="" to="" find="" a="" message="" which="" corresponds="" to="" a="" given="" message="" digest,="" or="" to="" find="" two="" different="" messages="" which="" produce="" the="" same="" message="" digest.="" any="" change="" to="" a="" message="" in="" transit="" will,="" with="" very="" high="" probability,="" result="" in="" a="" different="" message="" digest,="" and="" the="" signature="" will="" fail="" to="" verify.="" sha-1="" is="" a="" technical="" revision="" of="" sha="" (fips="" 180).="" a="" circular="" left="" shift="" operation="" has="" been="" added="" to="" the="" specifications="" in="" section="" 7,="" line="" b,="" page="" 9="" of="" fips="" 180="" and="" its="" equivalent="" in="" section="" 8,="" line="" c,="" page="" 10="" of="" fips="" 180.="" this="" revision="" improves="" the="" security="" provided="" by="" this="" standard.="" the="" sha-1="" is="" based="" on="" principles="" similar="" to="" those="" used="" by="" professor="" ronald="" l.="" rivest="" of="" mit="" when="" designing="" the="" md4="" message="" digest="" algorithm,\1\="" and="" is="" closely="" modelled="" after="" that="" algorithm.="" \1\``the="" md4="" message="" digest="" algorithm,''="" advances="" in="" cryptology-="" crypto="" '90="" proceedings,="" springer-verlag,="" 1991,="" pp.="" 303-311.="" billing="" code="" 3510-cn-m="" [[page="" 19212]]="" [graphic][tiff="" omitted]tn17ap95.022="" billing="" code="" 3510-cn-c="" figure="" 1:="" using="" the="" sha-1="" with="" the="" dsa="" approving="" authority:="" secretary="" of="" commerce.="" maintenance="" agency:="" u.s.="" department="" of="" commerce,="" national="" institute="" of="" standards="" and="" technology,="" computer="" systems="" laboratory.="" applicability:="" this="" standard="" is="" applicable="" to="" all="" federal="" departments="" and="" agencies="" for="" the="" protection="" of="" unclassified="" information="" that="" is="" not="" subject="" to="" section="" 2315="" of="" title="" 10,="" united="" states="" code,="" or="" section="" 3502(2)="" of="" title="" 44,="" united="" states="" code.="" this="" standard="" is="" required="" for="" use="" with="" the="" digital="" signature="" algorithm="" (dsa)="" as="" specified="" in="" the="" digital="" signature="" standard="" (dss)="" and="" whenever="" a="" secure="" hash="" algorithm="" is="" required="" for="" federal="" applications.="" private="" and="" commercial="" organizations="" are="" encouraged="" to="" adopt="" and="" use="" this="" standard.="" applications:="" the="" sha-1="" may="" be="" used="" with="" the="" dsa="" in="" electronic="" mail,="" electronic="" funds="" transfer,="" software="" distribution,="" data="" storage,="" and="" other="" applications="" which="" require="" data="" integrity="" assurance="" and="" data="" origin="" authentication.="" the="" sha-1="" may="" also="" be="" used="" whenever="" it="" is="" necessary="" to="" generate="" a="" condensed="" version="" of="" a="" message.="" implementations:="" the="" sha-1="" may="" be="" implemented="" in="" software,="" firmware,="" hardware,="" or="" any="" combination="" thereof.="" only="" implementations="" of="" the="" sha-1="" that="" are="" validated="" by="" nist="" will="" be="" considered="" as="" complying="" with="" this="" standard.="" information="" about="" the="" requirements="" for="" validating="" implementations="" of="" this="" standard="" can="" be="" obtained="" from="" the="" national="" institute="" of="" standards="" and="" technology,="" computer="" systems="" laboratory,="" attn:="" shs="" validation,="" gaithersburg,="" md="" 20899.="" export="" control:="" implementations="" of="" this="" standard="" are="" subject="" to="" federal="" government="" export="" controls="" as="" specified="" in="" title="" 15,="" code="" of="" federal="" regulations,="" parts="" 768="" through="" 799.="" exporters="" are="" advised="" to="" contact="" the="" department="" of="" commerce,="" bureau="" of="" export="" administration="" for="" more="" information.="" patents:="" implementations="" of="" the="" sha-1="" in="" this="" standard="" may="" be="" covered="" by="" u.s.="" and="" foreign="" patents.="" implementation="" schedule:="" this="" standard="" becomes="" effective="" october="" 2,="" 1995.="" specifications:="" federal="" information="" processing="" standard="" (fips)="" 180-="" 1,="" secure="" hash="" standard="" (affixed).="" cross="" index="" a.="" fips="" pub="" 46-2,="" data="" encryption="" standard.="" b.="" fips="" pub="" 73,="" guidelines="" for="" security="" of="" computer="" applications.="" c.="" fips="" pub="" 140-1,="" security="" requirements="" for="" cryptographic="" modules.="" d.="" fips="" pub="" 186,="" digital="" signature="" standard.="" e.="" federal="" information="" resources="" management="" regulations="" (firmr)="" subpart="" 201.20.303,="" standards,="" and="" subpart="" 201.39.1002,="" federal="" standards.="" objectives:="" the="" objectives="" of="" this="" standard="" are="" to:="" a.="" specify="" the="" secure="" hash="" algorithm="" required="" for="" use="" with="" the="" digital="" signature="" standard="" (fips="" 186)="" in="" the="" generation="" and="" verification="" of="" digital="" signatures:="" b.="" specify="" the="" secure="" hash="" algorithm="" to="" be="" used="" whenever="" a="" secure="" hash="" algorithm="" is="" required="" for="" federal="" applications;="" and="" c.="" encourage="" the="" adoption="" and="" use="" of="" the="" specified="" secure="" hash="" algorithm="" to="" private="" and="" commercial="" organizations.="" qualifications:="" while="" it="" is="" the="" intent="" of="" this="" standard="" to="" specify="" a="" secure="" hash="" algorithm,="" conformance="" to="" this="" standard="" does="" not="" assure="" that="" a="" particular="" [[page="" 19213]]="" implementation="" is="" secure.="" the="" responsible="" authority="" in="" each="" agency="" or="" department="" shall="" assure="" that="" an="" overall="" implementation="" provides="" an="" acceptable="" level="" of="" security.="" this="" standard="" will="" be="" reviewed="" every="" five="" years="" in="" order="" to="" assess="" its="" adequacy.="" waiver="" procedure:="" under="" certain="" exceptional="" circumstances,="" the="" heads="" of="" federal="" departments="" and="" agencies="" may="" approve="" waivers="" to="" federal="" information="" processing="" standards="" (fips).="" the="" head="" of="" such="" agency="" may="" redelegate="" such="" authority="" only="" to="" a="" senior="" official="" designated="" pursuant="" to="" section="" 3506(b)="" of="" title="" 44,="" united="" states="" code.="" waiver="" will="" be="" granted="" only="" when:="" a.="" compliance="" with="" a="" standard="" would="" adversely="" affect="" the="" accomplishment="" of="" the="" mission="" of="" an="" operator="" of="" a="" federal="" computer="" system;="" or="" b.="" compliance="" with="" a="" standard="" would="" cause="" a="" major="" adverse="" financial="" impact="" on="" the="" operator="" which="" is="" not="" offset="" by="" governmentwide="" savings.="" agency="" heads="" may="" act="" upon="" a="" written="" waiver="" request="" containing="" the="" information="" detailed="" above.="" agency="" heads="" may="" also="" act="" without="" a="" written="" waiver="" request="" when="" they="" determine="" that="" conditions="" for="" meeting="" the="" standard="" cannot="" be="" met.="" agency="" heads="" may="" approve="" waivers="" only="" by="" a="" written="" decision="" which="" explains="" the="" basis="" on="" which="" the="" agency="" head="" made="" the="" required="" finding(s).="" a="" copy="" of="" each="" decision,="" with="" procurement="" sensitive="" or="" classified="" portions="" clearly="" identified,="" shall="" be="" sent="" to:="" national="" institute="" of="" standards="" and="" technology;="" attn:="" fips="" waiver="" decisions,="" technology="" building,="" room="" b-154,="" gaithersburg,="" md="" 20899.="" in="" addition,="" notice="" of="" each="" waiver="" granted="" and="" each="" delegation="" of="" authority="" to="" approve="" waivers="" shall="" be="" sent="" promptly="" to="" the="" committee="" on="" government="" operations="" of="" the="" house="" of="" representatives="" and="" the="" committee="" on="" governmental="" affairs="" of="" the="" senate="" and="" shall="" be="" published="" promptly="" in="" the="" federal="" register.="" when="" the="" determination="" on="" a="" waiver="" applies="" to="" the="" procurement="" of="" equipment="" and/or="" services,="" a="" notice="" of="" the="" waiver="" determination="" must="" be="" published="" in="" the="" commerce="" business="" daily="" as="" a="" part="" of="" the="" notice="" of="" solicitation="" for="" offers="" of="" an="" acquisition="" or,="" if="" the="" waiver="" determination="" is="" made="" after="" that="" notice="" is="" published,="" by="" amendment="" to="" such="" notice.="" a="" copy="" of="" the="" waiver,="" any="" supporting="" documents,="" the="" document="" approving="" the="" waiver="" and="" any="" accompanying="" documents,="" with="" such="" deletion="" as="" the="" agency="" is="" authorized="" and="" decides="" to="" make="" under="" 5="" united="" states="" code="" section="" 552(b),="" shall="" be="" part="" of="" the="" procurement="" documentation="" and="" retained="" by="" the="" agency.="" where="" to="" obtain="" copies="" of="" the="" standard:="" copies="" of="" this="" publication="" are="" for="" sale="" by="" the="" national="" technical="" information="" service,="" u.s.="" department="" of="" commerce,="" springfield,="" va="" 22161.="" when="" ordering,="" refer="" to="" federal="" information="" processing="" standards="" publication="" 180-1="" (fipspub180-="" 1),="" and="" identify="" the="" title.="" when="" microfiche="" is="" desired,="" this="" should="" be="" specified.="" prices="" are="" published="" by="" ntis="" in="" current="" catalogs="" and="" other="" issuances.="" payment="" may="" be="" made="" by="" check,="" money="" order,="" deposit="" account="" or="" charged="" to="" a="" credit="" card="" accepted="" by="" ntis.="" [fr="" doc.="" 95-9386="" filed="" 4-14-95;="" 8:45="" am]="" billing="" code="" 3510-cn-m="">