| National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11 1993. |
....is a known preimage, x; it is computationally infeasible to find x' such that y = f(x') but x' ≠ x (2nd preimage resistance). None of the functions used in practice was actually proven to be an OWHF. Some functions gained acceptance as secure (i.e. conjectured OWHFs), for example, SHA [12]. In addition, block ciphers can also be used as a building block for constructing hash functions, for example, Rijndael [3]. 2.2 One Time Digital Signatures The idea of using OWHFs for one time digital signatures was introduced by Lamport [9, 10]. The basic idea works as follows. The signer ....
National Institute of Standards and Technology (NIST), FIPS Publication 180: Secure Hash Standard (SHS), May 1993.
.... [23] Electronic Codebook Mode (ECB) [23] and Counter Mode (CTR) [9]. Since each of these modes provides privacy only and not authenticity, most applications require that the mode be combined with an authentication mechanism, typically a MAC algorithm [21] based on a hash function such as SHA-1 [24]. For example, a popular cipher suite in SSL/TLS [8] combines CBC mode based on Triple DES [22] with the MAC algorithm HMAC [26] based on SHA-1. As it turns out, there are secure and insecure ways of combining a secure encryption mode with a secure MAC algorithm; certain constructions are easily ....
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard (SHS). April 1995. Advanced Encryption Standard (AES). November 2001.
....to find an input whose hash is the specified output. In addition to the requirements, the hash function should yield a mask generation function (Appendix B.2) with pseudorandom output. Six hash functions are recommended for the encoding methods in this document: MD2 [28], MD5 [35], SHA-1 [32], and the proposed algorithms SHA-256, SHA-384, and SHA-512 [33]. For the EME OAEP and EMSA PSS encoding methods, only SHA-1 and SHA-256/384/512 are recommended. For the EMSA PKCS1 v1 5 encoding method, SHA-1 or SHA-256/384/512 are recommended for new applications. MD2 and MD5 are recommended only ....
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994.
....function (Section 10.2) with pseudorandom output. Three hash functions are recommended for the encoding methods in this document: MD2 [15], MD5 [17] and SHA-1 [16]. For the EME OAEP encoding method, only SHA-1 is recommended. For the EMSA PKCS1 v1 5 encoding method, SHA-1 is recommended for new applications. MD2 and MD5 are recommended only for compatibility with existing applications based on PKCS #1 v1.5. The hash functions themselves are not defined ....
....EMSA PKCS1 v1 5 encoding method, SHA-1 is recommended for new applications. MD2 and MD5 are recommended only for compatibility with existing applications based on PKCS #1 v1.5. The hash functions themselves are not defined here; readers are referred to the appropriate references ([15], [17] and [16]). Note. Version 1.5 of this document also allowed for the use of MD4 in signature schemes. The cryptanalysis of MD4 has progressed significantly in the intervening years. For example, Dobbertin [10] demonstrated how to find collisions for MD4 and that the first two rounds of MD4 are not one way ....
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994.
....password, the salt, the iteration count and the key length to produce a derived key. 4. Output the derived key. Any number of keys may be derived from a password by varying the salt, as described in Section 3. 5.1 PBKDF1 PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or SHA-1 [18], to derive keys. The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key derivation ....
....OBJECT IDENTIFIER : rsadsi 3 B.1 Pseudorandom functions An example pseudorandom function for PBKDF2 (Section 5.2) is HMAC SHA 1. B.1. 1 HMAC SHA 1 HMAC SHA 1 is the pseudorandom function corresponding to the HMAC message authentication code [7] based on the SHA 1 hash function [18]. The pseudorandom function is the same function by which the message authentication code is computed, with a full length output. The first argument to the pseudorandom function PRF serves as HMAC s key, and the second serves as HMAC s text. In the case of PBKDF2, the key is thus the ....
[Article contains additional citation context not shown here]
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994.
....Such certificates are used to assure users that a specific public key is legitimate and indeed belongs to the correct user. Hash function Another primitive widely used in SET is a hash function. Hash functions have a wide variety of properties. The specific hash function used in SET, SHA 1 [NIS94b], is used at different places for different reasons. Two of the main properties of SHA 1 are: collision resistance meaning that it is difficult to find two inputs that produce the same output one wayness meaning that it is difficult to find any input that produces a given output. SHA 1 ....
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994. Available from http://csrc.ncsl.nist.gov/fips/.
....as being secure for any application. While all three hash functions bear similarities to MD4 and MD5 in their design, the techniques of Dobbertin do not readily extend to these hash functions. Indeed, one of the design criteria for RIPEMD 128 and 160 was that this be the case. SHA 1 is a revision [17] of the Secure Hash Algorithm (SHA) which first appeared as part of the Secure Hash Standard, FIPS 180 [16] While the fault in the original SHA and the reasons for the particular change made in SHA 1 are not known, it can be anticipated that SHA 1 is a good hash algorithm to use. The forerunner ....
....collision resistance of a hash function should be upgraded away from MD2 and MD5 when practical and convenient. They can probably be safely swapped out in coordination with the vendor s normal product release cycle. RSA Laboratories currently recommends that in general, the hash function SHA 1 [17] be used instead but RIPEMD 160 would also be a good alternative. It is interesting that both hash functions borrow heavily from the initial structural design of MD4. Occasionally performance requirements or the existence of fielded applications might make a move to SHA 1 undesirable when ....
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994. Available from http://csrc.ncsl.nist.gov/fips/.
....design, the techniques of Dobbertin do not readily extend to these hash functions. Indeed, one of the design criteria for RIPEMD 128 and 160 was that this be the case. SHA 1 is a revision [17] of the Secure Hash Algorithm (SHA) which first appeared as part of the Secure Hash Standard, FIPS 180 [16]. While the fault in the original SHA and the reasons for the particular change made in SHA 1 are not known, it can be anticipated that SHA 1 is a good hash algorithm to use. The forerunner to both RIPEMD 128 and RIPEMD160 was RIPEMD [19] a 128 bit hash function developed within the framework of ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS). May 1993.
....in Internet RFCs (Requests For Comments) 1319, 1320, and 1321, respectively. No feasible attacks on any of the MD algorithms have been discovered, although some recent theoretical work has found some interesting structural properties [24, 25] 8. 4 What is SHS The Secure Hash Standard (SHS) [58] is a hash function proposed by NIST (see Question 7.1) and adopted as a U.S. government standard. It is designed for use with the proposed Digital Signature Standard (see Question 6.8) and is part of the government s Capstone project (see Question 6.1) SHS produces a 160 bit hash value from a ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS). May 11, 1993.
....see that though there are perhaps no major weaknesses yet identified, initial work on the cryptanalysis of IDEA has made some progress despite the impressive theoretical foundations on which the cipher is based. 6.2 Design The designers used an increasingly common approach [129, 109] to attain security: mixing different arithmetic operations so that no single framework can be used to fully analyze the round function used in IDEA. Operations acting on 16 bit words and those acting in a bitwise fashion have different properties. Combining these operations tends to make ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11, 1993.
....their secret keys are denoted SK_B, SK_U, and SK_V. A message M with its digital signature produced by secret key SK is denoted {M}_SK. This signature can be verified using the corresponding public key PK. We let h denote a cryptographically strong hash function, such as MD5 [15] or SHA [13]. The output (nominally 128 or 160 bits) may be truncated to shorter lengths as described later. The important property of h is its one wayness and collision resistance; a very large search should be required to find a single input producing a given output, or to find two inputs producing the same ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11, 1993.
....machine instructions per byte. SEAL requires a large amount of pre computation to initialize several large look up tables which total approximately 3 Kbytes in size. This initialization procedure makes repeated use of the compression function which lies at the heart of the Secure Hash Algorithm [93]. The algorithm was optimized with a particular range of popular processors in mind and since these processors were among those that are more difficult to optimize for, it is expected that an implementation will perform well on any modern 32 bit processor. Since SEAL is so new ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS). May 11, 1993.
....32 bit words. As Kaliski and Robshaw have expressed in [46] the attack is not considered as an active attack, because it does not imply a real collision, and the resulting messages are the same. Moreover, the attack does not allow the intruder to arbitrary fix one of the initial vectors. SHA [59] is another strengthened version of MD4, where, for instance, the digest length is increased from 128 bits to 160 bits and the number of steps per rounds is increased from 16 steps to 20 steps. These changes make SHA slower than both MD4 and MD5. There is not any successful attack on SHA (for the ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11, 1993.
....on the DSS. Hashing. The 160 bit message m above is not the actual text one wants to sign, but rather the hash of it, under a strong, collision resistant cryptographic hash function H . Specifically, if m is the actual text to be signed, the standard sets H = SHA 1, the Secure Hash Algorithm of [15]. The hashing serves two purposes. The first is to enable one to sign messages of length longer than 160 bits. Second, it randomizes the message to prevent any possible attacks based on the algebraic structure of the scheme. Accordingly, following [2] we treat the hash function as a random ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11, 1993.
....y = H(x) then it is infeasible for us to gain any information about x other than that y = H(x) 12 Sometimes we write H l (x) to denote the first l bits of H(x) When it is clear from context, we omit writing the l. In practice, one could replace H by an appropriately modified version of SHA 1 [28] or MD5 [32] which are believed to possess the types of properties mentioned above [35] We require these assumptions to prove security of our scheme in the random oracle model [30, 5] 1.6 Organization of this Thesis Chapter 2: We give a more detailed exposition on blind digital signatures. We ....
....Oracle Model Based Proofs: In many cases when it is difficult to attain a complexity theoretic based proof of security, one opts for a random oracle model based proof. This approach was used in several papers [5, 18, 30] The idea here is to assume that some cryptographic primitive such as SHA [27, 28] behaves like a random function. Then, you should prove that your system is secure under this assumption. This form of proof is acceptable, but much less preferable to the complexity based approach. The Group Blind Digital Signature Scheme we will later present is also proven secure under this ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11, 1993.
....using blind RSA signatures [Cha83] This change makes it infeasible for the vendor to determine the customer s identity. 8 The second modification involves using an additional random oracle H 2 . In practice, one could implement these random oracles via an appropriately modified version of SHA1 [Nat93] or MD5 [Riv92] This oracle is applied to the message M to generate the random bits needed for signing that message. This oracle derandomizes the [CS97] scheme; thus if a customer signs the same message twice, then the resulting signatures will be identical. This prevents the user from using the ....
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11, 1993.
....project. The DSS specifies a Digital Signature Algorithm (DSA). This standard has been issued as a working draft by the American National Standards Institute (ANSI) [15] via NIST. The hash function specified in Capstone is a United States Government standard known as the Secure Hash Standard (SHS) [16]. There has been no announcement on the key management protocol yet. Chapter 3 Security for Internet Protocol Networks 3.1 Overview of Current Internet Protocol Security During the development of the Internet Protocol (IP) the area of security for the protocol suite was not addressed. As a ....
National Institute of Standards and Technology (NIST), FIPS Publication 180: Secure Hash Standard (SHS), May 1993.
No context found.
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS), May 11 1993.
No context found.
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994.
No context found.
National Institute of Standards and Technology. FIPS Publication 180: Secure Hash Standard, 1993.
No context found.
National Institute of Standards and Technology. FIPS Publication 180-1: Secure Hash Standard, 1995.
No context found.
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS). May 11, 1993.
No context found.
National Institute of Standards and Technology (NIST). FIPS Publication 180: Secure Hash Standard (SHS). May 11, 1993.
No context found.
National Bureau of Standards, FIPS publication 180-1: Secure Hash Standard, 1995. Federal Information Processing Standards Publications 180-1.
No context found.
National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994.