[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] Proposal: CKM_SHA512_224, CKM_SHA512_256, CKM_SHA512_T
On 8/6/2013 1:25 PM, Andrey Jivsov wrote:
On 08/05/2013 06:20 PM, Michael StJohns wrote:There's some disconnect going on here. SHA1 has been deprecated/prohibited only for signatures, it's still permitted for general hashes, KDFs, PRFs and HMACs. So for the current document, its perfectly acceptable to talk about 160 bit lengths.For non-digital signature uses (i.e. for applications that don't depend on collision resistance) there is no known weakness in SHA-1. These applications can continue using SHA-1. There won't be a compliance issue regarding this (again, in non-digital signature applications).The question remains: where would SHA-512/160 be needed today and in the future? I don't see such a use.
For the specific case of SHA512/160 - I don't see such a case either. On the other hand, if all you have is SHA512 hardware, I could see the use.
Mostly what I would use is a truncated SHA256 HMAC with an unchanged IV for something like an integrity tag on a network message. Those could go down as low as 32bits and still be effective for certain applications. 64 and 80 are more common though. The gating factor is how long it takes to calculate a collision vs how long the key is live.
Other truncated hashes can be used other places (e.g. the SHA256 of a subject public key info truncated to 8 bytes as a key ID).
I guess - "if you build it they will come".... Mike
---------------------------------------------------------------------To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]