Interesting People mailing list archives

Revision to the Secure Hash Standard -- 2 msgs


From: David Farber <farber () central cis upenn edu>
Date: Sat, 21 May 1994 08:22:52 -0400

Date: Mon, 16 May 1994 02:48:15 -0700
From: Paul Carl Kocher <kocherp () leland Stanford EDU>
Subject: Revision to the Secure Hash Standard


The following notice was released by NIST a couple weeks ago, but
doesn't seem to have made it to RISKS yet.


No additional information is available regarding the nature of the "minor
flaw."  I called NIST and the NSA when the announcement first came out, but
was told that details of the problem were confidential.  They also didn't know
when a revised version would be available.


It will be very interesting to see whether non-NSA cryptographers find the
problem...


Paul Kocher, Data security consultant   kocherp () leland stanford edu


(The following bulletin is available via anonymous FTP at csrc.ncsl.nist.gov
as pub/nistnews/sec_hash.txt)


--- Begin Included Message ---


April 22, 1994                     Contact: Anne Enright Shepherd
                                            (301) 975-4858


                              MEDIA ADVISORY


        NIST ANNOUNCES TECHNICAL CORRECTION TO SECURE HASH STANDARD




     The National Institute of Standards and Technology today announced it
will initiate a technical modification to a computer security standard used to
support the authentication of electronic messages.  The revision will correct
a minor flaw that government mathematicians discovered in a formula that
underlies the standard.


     The Secure Hash Standard, adopted as a federal information processing
standard (FIPS 180) in May 1993, can be used for computing a digital signature
and remains a highly secure way to ensure the integrity and authenticity of
data used in electronic mail, electronic funds transfer, software distribution
and data storage applications.  NIST expects that products implementing the
current standard can be used until the technical correction becomes effective.


     Researchers at the National Security Agency, who developed the formula
and discovered the flaw in a continuing evaluation process, now believe that
although the formula in FIPS 180 is less secure than originally thought, it is
still extremely reliable as a technical computer security mechanism.  The
discovery of this flaw indicates the value of continued research on existing
and new standards.


     The Secure Hash Standard specifies a secure hash algorithm for computing
a condensed representation of a message or data file.  This 160-bit condensed
message "digest" represents the original message and can be used in computing
a digital signature to authenticate the integrity of the message.  It is
highly probable that any change to the message after it has been signed will
result in a different message digest, and the recipient will not be able to
verify the signature.  Signing the message digest rather than the whole
message usually improves the efficiency of the digital signature process.


     It is very highly improbable that today's computation equipment can
figure out any message that corresponds to a given message digest.


     The standard applies to agencies of the federal government for protecting
unclassified information when a secure hash algorithm is required.  Private
and commercial organizations have been encouraged to use this standard on a
voluntary basis.  The SHS was designed to be used with the proposed Digital
Signature Standard, which is based on the digital signature algorithm and has
not yet been approved.


     As a non-regulatory agency of the Commerce Department's Technology
Administration, NIST promotes U.S. economic growth by working with industry to
develop and apply technology, measurements and standards.  NIST also is
responsible, under the Computer Security Act of 1987, for developing standards
and guidelines for the cost-effective protection of unclassified federal
computer systems.


National Institute of Standards and Technology, Public Affairs Division
Admin. A903, Gaithersburg, MD 20899-0001


--- End Included Message ---

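The bulletin above describes the algorithm only in outline (a 160-bit digest, any change to the signed message producing a different digest, the digest rather than the whole message being signed). The following is an added example, not part of either post or of NIST's own material: a compact Python implementation of the Secure Hash Algorithm's structure (padding, 512-bit blocks, 80 rounds, 160-bit result), checked against the standard library's SHA-1. The message-expansion step takes a rotation parameter so the original FIPS 180 function (no rotation, later called SHA-0) and the revised function published as FIPS 180-1 (rotate left by 1, SHA-1) can be compared. That the revision consisted of that one-bit rotation is a later, public fact; the 1994 announcement quoted above did not say what the flaw was. The helper names and the sample messages are this example's own.

```python
"""Added example: the Secure Hash Algorithm structure in pure Python, with the
message-schedule rotation as a parameter (0 = original FIPS 180 / SHA-0,
1 = revised FIPS 180-1 / SHA-1).  Not code from the original posts."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits (n = 0 returns x unchanged)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _pad(message):
    """FIPS 180 padding: 0x80, zeros to 56 mod 64, then the 64-bit bit length."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def shs_digest(message, schedule_rotation):
    """Hash `message` with the FIPS 180 compression function.

    schedule_rotation is the left rotation applied when expanding the 16
    message words to 80; 0 gives the original standard, 1 the revision."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = _pad(message)
    for off in range(0, len(padded), 64):
        # Message schedule: 16 words from the block, expanded to 80.
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16],
                           schedule_rotation))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        # Davies-Meyer style feed-forward into the chaining value.
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return b"".join(struct.pack(">I", x) for x in h)


def sha0(message):
    """Original FIPS 180 function (no rotation in the schedule)."""
    return shs_digest(message, 0)


def sha1(message):
    """Revised function as later specified in FIPS 180-1 (rotate left by 1)."""
    return shs_digest(message, 1)


def differing_bits(digest_a, digest_b):
    """Count the bit positions in which two digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(digest_a, digest_b))


def signature_still_verifies(signed_digest, received_message):
    """The recipient recomputes the digest of what arrived and compares it
    with the digest that was signed; a constant-time compare avoids
    leaking which byte mismatched."""
    return hmac.compare_digest(signed_digest, sha1(received_message))


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    original = b"Transfer 100 dollars to account 12345"
    tampered = bytearray(original)
    tampered[9] ^= 0x01          # flip one bit of the amount
    d_orig, d_tamp = sha1(original), sha1(bytes(tampered))
    print("SHA-1 matches hashlib:", d_orig == hashlib.sha1(original).digest())
    print("bits changed by a one-bit edit:", differing_bits(d_orig, d_tamp))
    print("tampered message verifies:", signature_still_verifies(d_orig, bytes(tampered)))
    print("SHA-0 and SHA-1 agree on 'abc':", sha0(b"abc") == sha1(b"abc"))
```

Running the script shows the two properties the bulletin relies on: a one-bit edit to the signed message changes roughly half of the 160 digest bits, so the recipient's recomputed digest no longer matches the signed one, and the original and revised schedules give unrelated outputs even though they differ by a single rotation.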

Date: Wed, 18 May 1994 10:39:28 -0400
From: pcw () access digex net (Peter Wayner)
Subject: FIPS to be tied... [hashing, Capstone]


There are two interesting lessons hidden in the fact that the NSA discovered
some flaw in the Secure Hash Algorithm (RISKS-16.07) and announced that
they were working on a fix:


*) They've become slightly more open -- if only to authentication technology.


*) This proves the RISK of using a hardware based standard. Apparently
there is a whole batch of now obsolete CAPSTONE chips sitting in a warehouse.
Capstone was supposed to be Clipper + authentication, but now it will have
to wait for a new version.


Imagine if Capstone was widely distributed when the error was found? Would
you replace your phone/modem/PCMCIA card if you had bought a version that
was made obsolete by progress? How long would it take the country to
recover from such a problem? What if the standard was blown wide-open?

