Archive for November, 2008

Updated draft of FIPS 186-3 released for public comment

Friday, November 14th, 2008

So, the FIPS 186-3 is getting closer to finalization, and a new draft has been published for public comment.

As stated in today’s (Nov. 12, 2008) Federal Register Notice, NIST requests final comments on FIPS 186-3, the proposed revision of FIPS 186-2, the Digital Signature Standard. The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures using DSA, RSA and ECDSA. [...] The comment period closes on Friday, December 12, 2008.

A draft of SP 800-102 has also been announced for public comment.

NIST requests comments on SP 800-102, Recommendation for Digital Signature Timeliness. This Recommendation provides methods for obtaining assurance about the time that a message was signed. The concepts in this Recommendation were presented in the original public comment draft of FIPS 186-3, The Digital Signature Standard. Please provide comments [...] by December 19, 2008 [...]

A summary of the changes between this draft and the earlier ones, as well as a brief summary of the changes between FIPS 186-2 and 186-3, can be found in the Federal Register notice. In the notice, the changes between drafts are covered in a "comments received / NIST response" format. For those that will be specifically dealing with this future standard, I found the most interesting NIST responses to be…

A.1.1.3 is intentionally different from A.1.1.1. The change in the use of the hash function (no XORing) was in response to a cryptanalytic attack that showed how to select a set of domain parameters generated in the A.1.1.1 fashion in such a way that two "messages" with the same DSA signature could be found. Note that A.1.1.1 still allows domain parameters generated using the older method to be verified.

The length of the larger keys has a huge impact on communications and storage requirements. The strategy of the U.S. government is to transition to elliptic curve algorithms in order to reduce the key sizes.

NIST has chosen to base the number of tests on the key sizes and provided separate requirements for each. An implementer can choose to combine the requirements into fewer categories, as long as the number of rounds for each key size are equal to or greater than the numbers provided in the FIPS.

The only other NIST document containing approved methods for random number generation is FIPS 186-2. With the approval of FIPS 186-3, those methods will no longer be approved, subject to a transition period posted by the Cryptographic Module Validation Program (CMVP).
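To make the "no XORing" response concrete, here is an added example (mine, not NIST's or the blog's) that derives a DSA q candidate from a seed both the FIPS 186-2 way (XOR of two SHA-1 outputs over SEED and SEED+1) and the FIPS 186-3 way (a single hash of the seed), then walks seeds until the candidate passes Miller-Rabin. The seed values are constructed, the hash choice for the 186-3 path is assumed to be SHA-256 with N = 160, and generation of p (the counter loop in the standard) is not shown.

```python
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def miller_rabin(n: int) -> bool:
    """Probabilistic primality test with fixed bases so runs are reproducible."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def q_candidate_186_2(seed: bytes) -> int:
    """FIPS 186-2 style candidate: U = SHA-1(SEED) XOR SHA-1((SEED+1) mod 2^g),
    then force the top bit (160-bit) and the low bit (odd)."""
    g = len(seed) * 8
    nxt = ((int.from_bytes(seed, "big") + 1) % (1 << g)).to_bytes(len(seed), "big")
    u = (int.from_bytes(hashlib.sha1(seed).digest(), "big")
         ^ int.from_bytes(hashlib.sha1(nxt).digest(), "big"))
    return u | (1 << 159) | 1

def q_candidate_186_3(seed: bytes, n_bits: int = 160, hash_name: str = "sha256") -> int:
    """FIPS 186-3 style candidate: one hash of the seed, no XOR.
    U = Hash(seed) mod 2^(N-1); q = 2^(N-1) + U + 1 - (U mod 2)."""
    u = int.from_bytes(hashlib.new(hash_name, seed).digest(), "big") % (1 << (n_bits - 1))
    return (1 << (n_bits - 1)) + u + 1 - (u % 2)

def find_q(candidate, seed_int: int, seed_len: int = 20, max_tries: int = 4096):
    """Walk consecutive seeds (constructed start value) until the candidate q is
    probably prime. Returns (seed_bytes, q, tries) or None if none found."""
    for i in range(max_tries):
        seed = ((seed_int + i) % (1 << (8 * seed_len))).to_bytes(seed_len, "big")
        q = candidate(seed)
        if miller_rabin(q):
            return seed, q, i + 1
    return None
```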

My comments on the draft proposed back in 2006 plus feedback from readers can be found here. I was happy to see the focus refined to be solely on the digital signature algorithms, and other information migrated elsewhere. Even so, I do have a little concern about the complexity of the document – it almost feels like there is too much information and too many options to make a clear standard, but maybe not.

Update: As with RSA digital signatures, the world has been using RSA for key exchange for years, even in FIPS-validated modules. So, a draft of SP800-56B has been released for public comment.

NIST requests comments on Draft SP 800-56B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. This Recommendation provides the specifications of asymmetric-based key agreement and key transport schemes that are based on the Rivest Shamir Adleman (RSA) algorithm.

Too quick – hash competition, petname tool, etc.

Thursday, November 6th, 2008

Still here. Work. Read. Work. Read.

-

Cool, cool, cool. The deadline for the NIST hash competition submissions was Halloween 2008 (2008-10-31), and a tally of the received submissions (64!) has now been provided via the hash mailing list.

Date: Wed, 5 Nov 2008 17:02:07 -0500
From: Shu-jen Chang
To: Multiple recipients of list
Subject: Submission tally

>Do we know how many submissions were made??

We have received 64 submissions, but not all of these are “complete and proper”. As soon as we are ready to make the determination for all the submissions, we will post the first round candidates on our web site.

Thanks,
Shu-jen

Update: The list of first round candidates has now been published by NIST. Of the 64 submissions, 51 qualified for the first round!

And, a conference has been announced.

The First SHA-3 Candidate Conference will be held at K.U. Leuven, Belgium, following the 16th International Workshop on Fast Software Encryption (FSE 2009) which is scheduled for February 22-25, 2009. The purpose of the SHA-3 Conference is to allow the submitters of the first round candidates to present their algorithms, and for NIST to discuss the way forward with the competition.

Update: The conference program has been posted.

While we wait for NIST to release a list of first round candidates, there is an attempt to aggregate the known submissions here.

The SHA-3 Zoo is a collection of cryptographic hash functions (in alphabetical order) submitted to the SHA-3 contest. Its aim is to provide an overview of design and cryptanalysis of all submissions. For a performance-related overview, see eBASH.

Somewhat related…

FIPS 180-3 has been released.

The National Institute of Standards and Technology (NIST) is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 180-3, Secure Hash Standard (SHS), a revision of FIPS 180-2. The Federal Register Notice (FRN) of the approval is available here. [...]

The changes are listed here.

[...] Some technical information in FIPS 180-2 about the security of the hash algorithms may no longer be accurate, as shown by recent research results, and it is possible that further research may indicate additional changes. Therefore, the technical information has been removed from the revised standard, and will be provided in Special Publications (SPs) 800-107 and 800-57, which can be updated in a timely fashion as the technical conditions change.

And a draft of SP800-57 Part3 is now out for public comment.

NIST announces the release of a draft of Part 3 of Special Publication 800-57, Recommendation for Key Management: Application-Specific Key Management Guidance. This Recommendation provides guidance when using the cryptographic features of current systems. It is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. [...]

Update: EnRUPT has fallen.

Collisions have been found in ïrRUPT, taking it out of the SHA-3 competition, since tweaks or corrections will be allowed only for the 5 finalists.

Update: Or not. Just the EnRUPT/4 variant has been slain.

After studying Sebastiaan’s linearization attack in detail, we have come to the conclusion that EnRUPT does not require any structural changes, corrections or tweaks and that its dismissal is more than premature. It is only a matter of setting the ‘s’ parameter to a slightly higher value increasing the amount of diffusion in the state between inputs.

And, SP800-108 has been released.

November 6, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. [...]

-

More cool, cool, cool. Since my last post way back when, the Petname Tool (mentioned here) has been updated to be compatible with Firefox 3.

Secure web sites identify themselves using cryptography. In a phishing attack, a thief tries to impersonate such a site by omitting the cryptographic identification, or using one that’s confusingly similar.

The Petname Tool can help you keep track of these cryptographic identifiers by letting you attach reminder notes to them. Before exchanging sensitive information with a site, you type in a name that will help you remember the site. From then on, whenever your browser is securely connected to that site, your name for it will be displayed. After following a hyperlink, just check that the Petname Tool is displaying the expected name. If so, the Petname Tool has checked that the cryptographic identifiers are also the expected ones.
Works with:

* Firefox: 3.0 – 3.0.*

And NoScript really has been plowing along. Good stuff.