Interesting People mailing list archives
Revision to the Secure Hash Standard -- 2 msgs
From: David Farber <farber () central cis upenn edu>
Date: Sat, 21 May 1994 08:22:52 -0400
Date: Mon, 16 May 1994 02:48:15 -0700
From: Paul Carl Kocher <kocherp () leland Stanford EDU>
Subject: Revision to the Secure Hash Standard

The following notice was released by NIST a couple weeks ago, but doesn't seem to have made it to RISKS yet. No additional information is available regarding the nature of the "minor flaw." I called NIST and the NSA when the announcement first came out, but was told that details of the problem were confidential. They also didn't know when a revised version would be available. It will be very interesting to see whether non-NSA cryptographers find the problem...

Paul Kocher, Data security consultant
kocherp () leland stanford edu

(The following bulletin is available via anonymous FTP at csrc.ncsl.nist.gov as pub/nistnews/sec_hash.txt)

--- Begin Included Message ---

April 22, 1994
Contact: Anne Enright Shepherd (301) 975-4858

MEDIA ADVISORY

NIST ANNOUNCES TECHNICAL CORRECTION TO SECURE HASH STANDARD

The National Institute of Standards and Technology today announced it will initiate a technical modification to a computer security standard used to support the authentication of electronic messages. The revision will correct a minor flaw that government mathematicians discovered in a formula that underlies the standard.

The Secure Hash Standard, adopted as a federal information processing standard (FIPS 180) in May 1993, can be used for computing a digital signature and remains a highly secure way to ensure the integrity and authenticity of data used in electronic mail, electronic funds transfer, software distribution and data storage applications. NIST expects that products implementing the current standard can be used until the technical correction becomes effective.

Researchers at the National Security Agency, who developed the formula and discovered the flaw in a continuing evaluation process, now believe that although the formula in FIPS 180 is less secure than originally thought, it is still extremely reliable as a technical computer security mechanism. The discovery of this flaw indicates the value of continued research on existing and new standards.

The Secure Hash Standard specifies a secure hash algorithm for computing a condensed representation of a message or data file. This 160-bit condensed message "digest" represents the original message and can be used in computing a digital signature to authenticate the integrity of the message. It is highly probable that any change to the message after it has been signed will result in a different message digest, and the recipient will not be able to verify the signature. Signing the message digest rather than the whole message usually improves the efficiency of the digital signature process. It is very highly improbable that today's computation equipment can figure out any message that corresponds to a given message digest.

The standard applies to agencies of the federal government for protecting unclassified information when a secure hash algorithm is required. Private and commercial organizations have been encouraged to use this standard on a voluntary basis. The SHS was designed to be used with the proposed Digital Signature Standard, which is based on the digital signature algorithm and has not yet been approved.

As a non-regulatory agency of the Commerce Department's Technology Administration, NIST promotes U.S. economic growth by working with industry to develop and apply technology, measurements and standards. NIST also is responsible, under the Computer Security Act of 1987, for developing standards and guidelines for the cost-effective protection of unclassified federal computer systems.

National Institute of Standards and Technology, Public Affairs Division
Admin. A903, Gaithersburg, MD 20899-0001

--- End Included Message ---

------------------------------

Date: Wed, 18 May 1994 10:39:28 -0400
From: pcw () access digex net (Peter Wayner)
Subject: FIPS to be tied... [hashing, Capstone]

There are two interesting lessons hidden in the fact that the NSA discovered some flaw in the Secure Hash Algorithm (RISKS-16.07) and announced that they were working on a fix:

*) They've become slightly more open -- if only to authentication technology.

*) This proves the RISK of using a hardware-based standard. Apparently there is a whole batch of now obsolete CAPSTONE chips sitting in a warehouse. Capstone was supposed to be Clipper + authentication, but now it will have to wait for a new version. Imagine if Capstone was widely distributed when the error was found? Would you replace your phone/modem/PCMCIA card if you had bought a version that was made obsolete by progress? How long would it take the country to recover from such a problem? What if the standard was blown wide open?
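As an added illustration, not part of either message above and not NIST's own code: the 160-bit message digest computation the bulletin describes, written out in Python. The bulletin does not say what the "minor flaw" was; the revision NIST later published as FIPS 180-1 (1995) changed only the message schedule, adding a one-bit left rotation, and the rotate_schedule flag below selects the 1993 text or the revised one so the two digests of the same input can be compared (the name "SHA-0" for the 1993 version is a later convention, assumed here for the helper name).

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(x, n):
    """32-bit circular left shift."""
    return ((x << n) | (x >> (32 - n))) & MASK

def sha_160(msg: bytes, rotate_schedule: bool) -> str:
    """Secure Hash Standard digest as hex. rotate_schedule=False is the
    FIPS 180 (1993) message schedule; True adds the one-bit rotation of
    FIPS 180-1, i.e. what is now called SHA-1."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    bit_len = len(msg) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit big-endian length.
    msg += b"\x80" + b"\x00" * ((56 - (len(msg) + 1) % 64) % 64)
    msg += struct.pack(">Q", bit_len)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16L", msg[off:off + 64]))
        for t in range(16, 80):          # expand 16 words to 80
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            w.append(rotl(x, 1) if rotate_schedule else x)
        a, b, c, d, e = h
        for t in range(80):              # 80 rounds, four 20-round stages
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)

def sha1(msg: bytes) -> str:
    return sha_160(msg, rotate_schedule=True)

def sha0(msg: bytes) -> str:
    """The 1993 FIPS 180 schedule (no rotation); constructed label 'SHA-0'."""
    return sha_160(msg, rotate_schedule=False)

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

if __name__ == "__main__":
    print("FIPS 180-1:", sha1(b"abc"))
    print("FIPS 180  :", sha0(b"abc"))
    print("bits changed by 'abc'->'abd' (SHA-1):",
          differing_bits(sha1(b"abc"), sha1(b"abd")))
```

The revised schedule agrees with hashlib.sha1 on every input, while the 1993 schedule yields a different digest for the same input, which is the compatibility break the second message's Capstone remark is about.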