[Federal Register Volume 73, Number 202 (Friday, October 17, 2008)]
[Notices]
[Pages 61783-61784]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-24743]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No.: 070413090-8543-02]


Announcing Approval of Federal Information Processing Standard 
(FIPS) Publication 180-3, Secure Hash Standard, a Revision of FIPS 
180-2, Secure Hash Standard

AGENCY: National Institute of Standards and Technology (NIST), Commerce 
Department.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice announces the Secretary of Commerce's approval of 
Federal Information Processing Standard (FIPS) Publication 180-3, 
Secure Hash Standard, a revision of FIPS 180-2, Secure Hash Standard. 
The FIPS specifies five secure hash algorithms for use in computing a 
condensed representation of electronic data, or a message digest. 
Secure hash algorithms are used with other cryptographic algorithms, 
such as digital signature algorithms and keyed hash message 
authentication codes.
    The revised FIPS incorporates the four hash algorithms that had 
been specified in FIPS 180-2, and includes an additional algorithm that 
had been specified in Change Notice 1 to FIPS 180-2. In addition, a 
basic description of a truncation method that was provided in the 
Change Notice has been incorporated into the standard. Some technical 
information in FIPS 180-2 about the security of the hash algorithms may 
no longer be accurate, as shown by recent research results, and it is 
possible that further research may indicate additional changes. 
Therefore, the technical information has been removed from the revised 
standard, and will be provided in Special Publications (SPs) 800-107 
and 800-57, which can be updated in a timely fashion as 
the technical conditions change.

DATES: The approved changes are effective as of October 17, 2008.

FOR FURTHER INFORMATION CONTACT: Elaine Barker, (301) 975-2911, 
National Institute of Standards and Technology, 100 Bureau Drive, STOP 
8930, Gaithersburg, MD 20899-8930, e-mail: [email protected], or 
Quynh Dang, (301) 975-3610, e-mail: [email protected]. FIPS 180-3 is 
available electronically from the NIST Web site at: http://csrc.nist.gov/publications/PubsFIPS.html. NIST Special Publications 
(SPs) are available electronically from the NIST Web site at: http://csrc.nist.gov/publications/PubsSPs.html.

SUPPLEMENTARY INFORMATION: On June 12, 2007, NIST published a notice in 
the Federal Register (72 FR 32282) announcing draft FIPS 180-3, and 
soliciting comments on the draft standard from the public, research 
communities, manufacturers, voluntary standards organizations and 
Federal, State and local government organizations. In addition to being 
published in the Federal Register, the notice was posted on the NIST 
web pages. Information was provided about the submission of electronic 
comments, and an email address was provided for the submission of 
comments.
    Comments, responses, and questions were received from two federal 
government organizations, three private sector organizations and one 
individual. The comments that were received asked for clarification of 
the text of the standard, recommended editorial and formatting changes, 
or raised issues unrelated to the revision of the FIPS. All of the 
suggestions and recommendations were carefully reviewed, and changes 
were made to the standard, where appropriate. None of the comments 
opposed the approval of the revised standard. The following is a 
summary of the specific comments and NIST's responses to them:
    Comment: A number of editorial changes were suggested.
    Response: NIST made the appropriate editorial changes such as page 
numbering style changes for the preface and the main body of the FIPS 
and adding a page break before the appendix section.
    Comment: Was the specification for SHA-1 changed in FIPS 180-3?
    Response: The SHA-1 algorithm remains the same in FIPS 180-3.
    Comment: What are the changes between FIPS 180-2 and 180-3?
    Response: There are two main technical changes in FIPS 180-3 from 
FIPS 180-2. The first change is that security strengths of the five 
secure hash algorithms are not described in the FIPS because they could 
change. Instead, the security strengths are discussed in NIST Special 
Publication 800-107. A reference to the NIST Publication 800-107 was 
added in Appendix A. The second change is that examples of the hash 
values generated by the five hash algorithms were removed from the FIPS 
and posted on a Web site so that they can be conveniently updated. The 
link to the Web site was added in the FIPS under Implementation Notes.
    Comment: One commenter preferred having the examples of the five 
hash algorithms included in the FIPS.
    Response: The FIPS contains only the technical specifications for 
the hash algorithms. NIST will provide examples on its Web site for 
illustrative purposes only. Since NIST is providing a link to the Web 
site within the standard, finding the examples should be no more 
onerous than if they were included in the standard.
    Comment: Add a footnote to describe the compromised security status 
of SHA-1.
    Response: This type of information will be provided in NIST Special 
Publication 800-107; a reference to SP 800-107 is provided in the FIPS.

    Authority: In accordance with the Information Technology 
Management Reform Act of 1996 (Pub. L. 104-106) and the Federal 
Information Security Management Act (FISMA) of 2002 (Pub. L. 
107-347), the Secretary of Commerce is authorized to approve Federal 
Information Processing Standards (FIPS). NIST activities to develop 
computer security standards to protect Federal sensitive 
(unclassified) information systems are undertaken pursuant to 
specific responsibilities assigned to NIST by section 20 of the 
National Institute of Standards and Technology Act (5 U.S.C. 
278g-3), as amended by section 303 of the Federal Information Security 
Management Act of 2002.

    E.O. 12866: This notice has been determined not to be significant 
for the purposes of E.O. 12866.

    Dated: October 9, 2008.
Patrick Gallagher,
Deputy Director.
 [FR Doc. E8-24743 Filed 10-16-08; 8:45 am]
BILLING CODE 3510-13-P