[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sha256sum



On 6/26/06, Steve G <linux_4ever yahoo com> wrote:

>We have been told that computer systems that are covered by FISMA are supposed
to
>use a minimum of SHA-256 when doing baselines of systems.

I just looked through SP 800-53 and see no mention of SHA anything. Where would
this be coming from if not SP 800-53?


I don't think it is directly referenced.

http://csrc.nist.gov/CryptoToolkit/tkhash.html

March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should
stop using SHA-1 for digital signatures, digital time stamping and
other applications that require collision resistance as soon as
practical, and must use the SHA-2 family of hash functions for these
applications after 2010. After 2010, Federal agencies may use SHA-1
only for the following applications: hash-based message authentication
codes (HMACs); key derivation functions (KDFs); and random number
generators (RNGs). Regardless of use, NIST encourages application and
protocol designers to use the SHA-2 family of hash functions for all
new applications and protocols.

I am guessing the reference to SHA_256 was because SHA-224 seems to
have been added after the original document in 2004.

Hope that helps.

-Steve



--
Stephen J Smoogen.
CSIRT/Linux System Administrator


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]