OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pkcs11] Proposal: CKM_SHA512_224, CKM_SHA512_256, CKM_SHA512_T

On 08/06/2013 10:37 AM, Michael StJohns wrote:

On 8/6/2013 1:25 PM, Andrey Jivsov wrote:

On 08/05/2013 06:20 PM, Michael StJohns wrote:

There's some disconnect going on here. SHA1 has been
deprecated/prohibited only for signatures, it's still permitted for
general hashes, KDFs, PRFs and HMACs.  So for the current document,
its perfectly acceptable to talk about 160 bit lengths.

For non-digital signature uses (i.e. for applications that don't
depend on collision resistance) there is no known weakness in SHA-1.
These applications can continue using SHA-1. There won't be a
compliance issue regarding this (again, in non-digital signature
applications).

The question remains: where would SHA-512/160 be needed today and in
the future? I don't see such a use.

For the specific case of SHA512/160 - I don't see such a case either.
On the other hand, if all you have is SHA512 hardware, I could see the use.

Mostly what I would use is a truncated SHA256 HMAC with an unchanged IV
for something like an integrity tag on a network message.  Those could
go down as low as 32bits and still be effective for certain
applications. 64 and 80 are more common though.  The gating factor is
how long it takes to calculate a collision vs how long the key is live.

Other truncated hashes can be used other places (e.g. the SHA256 of a
subject public key info truncated to 8 bytes as a key ID).

I guess - "if you build it they will come"....

Mike
I agree that truncation is the way to go. It is secure in all real-world protocols. The design goal of SHA-X/Y is overprotecting from a theoretical weakness that doesn't exist in practice. Besides, truncation of hashes legitimately happens all the time. In addition to the MAC example you gave consider that truncation is blessed by NIST/FIPS with DSA signatures (stronger hash, weaker Q).
SHA-X/Y algorithms are not without controversy. The downside of the SHA-X/Y is the protocol complexity (for example, SHA-512/256 is yet another hash algorithm, unrelated to SHA-256, at least as far as IDs are concerned).

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]