On 6/26/06, Steve G <linux_4ever@xxxxxxxxx> wrote:
>We have been told that computer systems that are covered by FISMA are supposed to >use a minimum of SHA-256 when doing baselines of systems. I just looked through SP 800-53 and see no mention of SHA anything. Where would this be coming from if not SP 800-53?
I don't think it is directly referenced. http://csrc.nist.gov/CryptoToolkit/tkhash.html March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols. I am guessing the reference to SHA_256 was because SHA-224 seems to have been added after the original document in 2004. Hope that helps.
-Steve
-- Stephen J Smoogen. CSIRT/Linux System Administrator -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
