Jakob Bohm writes:
[...]
> I did mention that in passing under my item 2 (where I mentioned use
> of 192-bit-truncated-SHA-224 as one allowed 192 bit hash algorithm for
> use with ECDSA-192).

OK, sorry, I missed that.

> I don't remember if the current FIPS-180 actually allows truncating to
> (below) the size of the next smaller standard SHA-2 variant, though
> there may be a special case allowing 160-bit-truncated-SHA-224 for use
> in former SHA-1 applications.

My reading of FIPS 180-4 (section 7) is that it does allow quite general
truncation. (I skipped to section 7, though, so perhaps that's
restricted elsewhere.)

FIPS 186-3 seems to permit larger digest sizes to be used (section 4.2),

    It is recommended that the security strength of the (L, N) pair and
    the security strength of the hash function used for the generation
    of digital signatures be the same unless an agreement has been made
    between participating entities to use a stronger hash function.

(it goes on to describe the truncation to be performed).

For Federal Government entities other than CAs it gives specific
combinations to be used, and similarly for CAs.
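The truncation discussed in this thread, as an added example that is not part of the original message: it keeps the leftmost bits of a digest (FIPS 180-4 section 7 style) and converts a digest to the integer a DSA/ECDSA signature uses, taking the leftmost min(N, outlen) bits. The function names and the sample message are assumptions made for illustration.

```python
import hashlib


def truncate_digest(digest: bytes, bits: int) -> bytes:
    """Keep the leftmost `bits` bits of a digest, zeroing any spare low bits
    in the final byte when `bits` is not a multiple of 8."""
    if bits <= 0 or bits > len(digest) * 8:
        raise ValueError("bits must be in 1..digest length in bits")
    nbytes = (bits + 7) // 8
    out = bytearray(digest[:nbytes])
    spare = nbytes * 8 - bits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def digest_to_int(digest: bytes, order_bits: int) -> int:
    """Integer used in signing: the leftmost min(order_bits, outlen) bits of
    the digest. A digest shorter than the group order is used whole."""
    outlen = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if outlen > order_bits:
        # Shift, do not byte-slice: order_bits need not be byte aligned.
        z >>= outlen - order_bits
    return z


# Constructed sample input, not taken from the thread.
SAMPLE = b"constructed sample message"
SHA224 = hashlib.sha224(SAMPLE).digest()      # 224-bit digest
SHA224_192 = truncate_digest(SHA224, 192)     # 192-bit-truncated-SHA-224

if __name__ == "__main__":
    # With a 192-bit group order, full SHA-224 and its 192-bit truncation
    # produce the same integer, so both yield the same signature input.
    print(hex(digest_to_int(SHA224, 192)))
    print(hex(digest_to_int(SHA224_192, 192)))
```
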