Subject: Re: [office] Passwords


Dave,

Dave Pawson wrote:

> On 28/11/06, Patrick Durusau <patrick@durusau.net> wrote:
>
>
>> Does anyone know if the list of hash functions posted by Florian
>> (thanks!) would be considered sufficient by government agencies? Or 
>> common?
>
>
> <grin/> Good thinking Patrick!
>  Think of the customer first. Very important.
>
Seems to me easier to sell a customer something they want than to try to 
sell them something we are interested in selling. ;-) (The latter too 
often being the starting point in both software and markup circles.)

> Sorry, I can't help you there.
>
> Is this the right list to ask?
> Could we use the ODF alliance website to ask? Or other lists?
>
> I.e. look for a list where users listen?
>
Asking on lists would be one place but realize that users at particular 
agencies probably can't say what they actually use. ;-)

I did search around and http://csrc.nist.gov/, the Computer Security 
Division of NIST, looked like a good starting point.

That led to the Cryptographic ToolKit, 
http://csrc.nist.gov/CryptoToolkit/, and thence to Secure Hashing, 
http://csrc.nist.gov/CryptoToolkit/tkhash.html.

***
March 15, 2006: *The SHA-2 family of hash functions (i.e., SHA-224, 
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all 
applications using secure hash algorithms.* Federal agencies *should* 
stop using SHA-1 for digital signatures, digital time stamping and other 
applications that require collision resistance as soon as practical, and 
must use the SHA-2 family of hash functions for these applications after 
2010. After 2010, Federal agencies may use SHA-1 only for the following 
applications: hash-based message authentication codes (HMACs); key 
derivation functions (KDFs); and random number generators (RNGs). 
Regardless of use, NIST encourages application and protocol designers to 
use the SHA-2 family of hash functions for all new applications and 
protocols.
***

In case anyone is interested, approved encryption algorithms are covered 
at: http://csrc.nist.gov/CryptoToolkit/tkencryption.html

There is a ton of material at this site and anyone who wants to create 
an ODF conformant application where security is a concern will need to 
master a lot of requirements, some of which may be project specific.

I just saw Daniel's post on Whirlpool. Are there any other "known" 
systems likely to be in widespread use?

It occurs to me that we may want to make this extensible to accommodate 
anyone inside a secure environment that may have a method we are not 
going to list. To be sure it would not be generally interoperable but 
that is not really a consideration inside a secure environment.

Hope you are having a great day!

Patrick


>
> regards
>
>

-- 
Patrick Durusau
Patrick@Durusau.net
Chair, V1 - Text Processing: Office and Publishing Systems Interface
Co-Editor, ISO 13250, Topic Maps -- Reference Model
Member, Text Encoding Initiative Board of Directors, 2003-2005

Topic Maps: Human, not artificial, intelligence at work! 



