
CA:MD5and1024

1,619 bytes added, 22:36, 14 September 2010
NIST Recommendations
The NIST document also has this footnote about the SHA-1 Hash Function:
* SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures; at the publication of this Recommendation, the security strength against collisions is assessed at 69 bits. The use of SHA-1 is not recommended for the generation of digital signatures in new systems; new systems should use one of the larger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512).
 
NIST has provided: [http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes]. As of September 14, 2010, NIST representatives are addressing the comments and hope to have a final version posted in the next few weeks. The document (dated June 2010) includes the following guidance.
* Digital signature generation:
** The use of key lengths providing 80 bits of security strength is acceptable for digital signature generation through December 31, 2010.
** From January 1, 2011 through December 31, 2013, the use of key lengths providing 80 bits of security strength is deprecated. The user must accept risk when using these keys, particularly when approaching the December 31, 2013 upper-limit date. This is especially critical for digital signatures on data whose signature is required to be valid beyond this date. Appendix A.2 provides rationale for this modified guidance. See Section 5.6.2 of [SP 800-57] for further guidance.
** After December 31, 2013, key lengths providing less than 112 bits of security strength shall not be used to generate signatures.
** Key lengths providing at least 112 bits of security are acceptable.
* Digital signature verification:
** Key lengths providing 80 bits of security using approved digital signature algorithms are acceptable through 2010.
** Key lengths providing 80 bits of security using approved digital signature algorithms are allowed for legacy use after 2010.
** Key lengths providing at least 112 bits of security using approved digital signature algorithms are acceptable.
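As an added illustration (not part of the wiki page or of NIST's documents), the following script applies the generation and verification rules quoted above to a signing key and hash pair. It assumes the security-strength figures from NIST SP 800-57 Part 1 (RSA-1024 at 80 bits, RSA-2048 at 112 bits, SHA-1 nominally at 80 bits for the transition) and uses a constructed sample inventory rather than real certificates.

```python
from datetime import date

# Security strength in bits of an RSA modulus, per NIST SP 800-57 Part 1 (Table 2).
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
# Nominal collision strength of signature hashes, per SP 800-57 Part 1 (Table 3).
# NIST treats SHA-1 as an 80-bit algorithm for the transition even though the
# footnote quoted above assesses its real collision strength at 69 bits.
HASH_STRENGTH = {"SHA-1": 80, "SHA-224": 112, "SHA-256": 128, "SHA-384": 192, "SHA-512": 256}

def signature_strength(rsa_bits, hash_name):
    """A signature is only as strong as the weaker of its key and its hash."""
    return min(RSA_STRENGTH[rsa_bits], HASH_STRENGTH[hash_name])

def generation_status(strength, when):
    """Status of generating a NEW signature of `strength` bits on ISO date `when`."""
    d = date.fromisoformat(when)
    if strength >= 112:
        return "acceptable"
    if strength >= 80:
        if d <= date(2010, 12, 31):
            return "acceptable"
        if d <= date(2013, 12, 31):
            return "deprecated"      # allowed, but the user accepts the risk
        return "disallowed"          # shall not be used after 2013-12-31
    raise ValueError("strength below 80 bits is not covered by the quoted guidance")

def verification_status(strength, when):
    """Status of VERIFYING an existing signature of `strength` bits on ISO date `when`."""
    d = date.fromisoformat(when)
    if strength >= 112:
        return "acceptable"
    if strength >= 80:
        return "acceptable" if d.year <= 2010 else "legacy use"
    raise ValueError("strength below 80 bits is not covered by the quoted guidance")

def audit(certs, when):
    """Map each (name, rsa_bits, hash) record to its signature-generation status on `when`."""
    return {name: generation_status(signature_strength(bits, h), when)
            for name, bits, h in certs}

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical names, not real CA certificates).
    SAMPLE = [("legacy-root", 1024, "SHA-1"), ("sha1-2048", 2048, "SHA-1"),
              ("modern", 2048, "SHA-256")]
    for when in ("2010-09-14", "2012-06-01", "2014-01-01"):
        print(when, audit(SAMPLE, when))
```

Note that the 2048-bit key signed with SHA-1 is capped at 80 bits by the hash, so it follows the same deprecation schedule as a 1024-bit key.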