DOCSLIB.ORG

The Compression Functions of SHA, MD2, MD4 and MD5 Are Not a Ne

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The Compression Functions of SHA, MD2, MD4 and MD5 are not Ane Mahesh V. Tripunitara and Samuel S. Wagsta , Jr. COAST Lab oratory Purdue University West Lafayette, IN 47907-1398 ftripunit,[email protected] COAST TR-98/01 Abstract In this pap er, we show that the compressions functions of SHA, MD2, MD4 and MD5 are not ane transformations of their inputs. 1 Intro duction The Secure Hash Algorithm SHA [1, 5, 2] and the Message Digest algorithms MD2 [4], MD4 [6] and MD5 [7], are used to pro duce a message digest, a condensed form of a message for use in digital signature and other applications. Figure 1 shows how these algorithms are used. Each step in each of the algorithms is a compression function denoted by CF in the gure which takes as inputs a p ortion of a message and the currentvalue for a chaining variable. Each compression function alters the value for the chaining variable based on the input message, and the output from each compression function is this altered value for the chaining variable. The value for the chaining variable from the last application of the compression function is the output message digest. The initial value for the chaining variable for the rst application of the compression function is xed for each algorithm and each subsequent application uses the output from the previous application as input value for the chaining variable. An imp ortant prop erty for each such compression function to p ossess is for the output to not b e an ane transformation of the inputs, which are a xed size p ortion of a message and the initial value for the chaining variable. If the output from a compression function is an ane transformation of its inputs, it would b e trivial to construct messages that pro duce a given message digest when sub jected to the message digest algorithm as we show in section 1.2. Such an algorithm would b e useless in a security context. In this pap er we show that the compressions functions of the message digest algorithms SHA, MD2, MD4 and MD5 as describ ed in [1], [4], [6] and [7] resp ectively are indeed not ane. 1.1 Some Characteristics of the Algorithms Each algorithm takes an arbitrary length we use \length", \size" and \numb er of bits" to mean the same unless sp eci cally noted otherwise message as input and pro duces a xed length message digest as output. The message digest is 160 bits for SHA and 128 bits for each of MD2, MD4 and MD5. Each algorithm pads the input message such astomake the numb er of bits in the message plus the padamultiple of 512 in the case of SHA, MD4 and MD5, and a multiple of 128 in the case of MD2. Portions of this work were supp orted by sp onsors of the COAST Lab oratory. 1 Message Pad MMMMM LLLLLL CF CF CF CF CF Initial Final Default Digest Value for Chaining Variable M = 512 bits for SHA, MD{4,5} L = 160 bits for SHA M = 128 bits for MD2 L = 128 bits for MD{2,4,5} Figure 1: Use of Message Digest Algorithms For SHA, MD4 and MD5, the padding consists of a 1 bit followed by enough 0's to make the number of bits of the message plus the pad so far 448 mo d 512. At least 1 bit and at most 512 bits are thus added as pad. The length of the original message represented as a 64 bit numb er is then app ended to make the entire length a multiple of 512. In the case of MD2, padding of sucient length to make the numb er of bits of the padded message a multiple of 128 is added. Thus, if i bytes are added as pad, each of those bytes has the value i.At least 1 byte and at most 16 bytes are app ended as pad. A 16 byte 128 bit checksum of the message plus pad is also then app ended. After padding, SHA, MD4 and MD5 break the padded message into 512 bit chunks and use those as inputs to the compression function, in turn, as indicated in gure 1. MD2 also do es the same, except that its compression function takes 128 bit chunks of the message as input. Each compression function also takes as input the value of the chaining variable which is the output from the previous application of the compression function. For the rst application of the compression function, each algorithm uses a default initial value for the chaining variable. 1.2 An Attack on a Message Digest Algorithm That Uses an Ane Com- pression Function In this section, we assume the existence of a message digest algorithm, A that works like SHA, MD2, MD4 and MD5 in that it takes as input a message of some length, pads the message and breaks the padded message into equal sized chunks to use as input to a compression function, CF . CF also takes as input a chaining variable that is the output from the previous application of CF a default value for the rst application. Also, we assume that CF is ane in its inputs, that is, CF can b e represented as a pre-multiplication by a matrix of appropriate dimensions bitwise XOR-ed with a vector of appropriate size. Then, given a message and its corresp onding message digest, we construct a second message with the same message digest. We assume that the reader is familiar with basic concepts of numerical linear algebra suchasrank of a matrix and Gaussian Elimination.We refer the reader to [3] for a review of these and other related topics. Also, we adopt the following notation: n;m F : The set of n m matrices each of whose elements are in F , the Galois Field with the 2 2 two elements 0 and 1. m is omitted if it is 1, and n and m are omitted if they are b oth 1. : The bitwise exclusive-or op erator. jj: A function that takes as argument a bit string or bit vector and returns its length. : Used to concatenate bit strings. 2 A: The message digest algorithm with an ane compression function. 0 00 M; M ;M : Inputs to A messages of some length. D : Output from A message digest. CF : The compression function used in A. 0 00 m; m : Input message to CF ,typically a p ortion of M , M or M , written as a bit vector. i v; v : Input chaining variable to CF written as a bit vector. i w; w : Output from CF written as a bit vector. The output from the nal application of CF i is the message digest. L : The length of the input message to CF .Thus, typically, L = jm j and L = 512 for m m i m SHA, MD4 and MD5 and L = 128 for MD2. m L : The length of the input chaining variable to and thus, the output from, CF .Thus, v L = jv j = jw j for any i; j . L = 160 for SHA and L = 128 for MD2, MD4 and MD5. v i j v v p: The padding added to the message. For SHA, MD4 and MD5, 65 jpj 576 and for MD2, 136 jpj 256. L ;L +L v v m C : The matrix corresp onding to CF .Thus, C 2 F . 2 L th v and C = C : The i column of C , where 1 i L + L . Thus, C 2 F i v m i 2 C C ::: C . 1 2 L +L v m b: The constantvector corresp onding to the ane transformation, CF .Thus, b is the output L v . on input 0 the vector of all 0's, and b 2 F 2 Thus, CF , on inputs v , m and output w can now b e expressed as: v w = C C ::: C b 1 1 2 L +L v m m Assume that some message M on input to A pro duces D as message digest. Wewould liketo 0 substitute our favorite message, M for the original message, but have the new message also pro duce the same output D on input to A. Of course, this is not p ossible in general. Therefore, starting from our 0 00 0 00 favorite message M ,we construct M , a slightly transformed version of M , such that M on input to 0 A, pro duces D as message digest. Starting with M ,we carry out the attack as follows. 0 1. We split M into chunks of size L .Thus, we pro duce m ;m ;:::;m such that jm j = L for m 1 2 k i m 0 i =1; 2;:::;k 1, jm j L and m m ::: m = M . k m 1 2 k 2. We sub ject eachofm ;m ;:::;m to CF , in turn. At the rst application, we use the default 1 2 k 1 value for the input chaining variable and at each subsequent application, we use the output from the previous application of CF . Application of CF is carried out as indicated in 1. The output from the last such application of CF is w = v , which is the same as the input chaining variable k 1 k to the next application of CF .Thus, wehavenow p erformed k 1 applications of CF . 3. If A works like SHA, MD4 or MD5, the message is rst padded with at least one bit so that it is of length 448 mo d L , and then with the length of the message represented as a 64 bit number m of course, L = 512 for SHA, MD4 and MD5.
Recommended publications
  • MD5 Collisions the Effect on Computer Forensics April 2006

    MD5 Collisions the Effect on Computer Forensics April 2006

    Paper MD5 Collisions The Effect on Computer Forensics April 2006 ACCESS DATA , ON YOUR RADAR MD5 Collisions: The Impact on Computer Forensics Hash functions are one of the basic building blocks of modern cryptography. They are used for everything from password verification to digital signatures. A hash function has three fundamental properties: • It must be able to easily convert digital information (i.e. a message) into a fixed length hash value. • It must be computationally impossible to derive any information about the input message from just the hash. • It must be computationally impossible to find two files to have the same hash. A collision is when you find two files to have the same hash. The research published by Wang, Feng, Lai and Yu demonstrated that MD5 fails this third requirement since they were able to generate two different messages that have the same hash. In computer forensics hash functions are important because they provide a means of identifying and classifying electronic evidence. Because hash functions play a critical role in evidence authentication, a judge and jury must be able trust the hash values to uniquely identify electronic evidence. A hash function is unreliable when you can find any two messages that have the same hash. Birthday Paradox The easiest method explaining a hash collision is through what is frequently referred to as the Birthday Paradox. How many people one the street would you have to ask before there is greater than 50% probability that one of those people will share your birthday (same day not the same year)? The answer is 183 (i.e.
  • FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS

    FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS

    FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS Cryptographic Module FIPS 140-2 Level 1 Validation Software Version: R7-4.0.0 Date: January 22nd, 2020 Document Version 2.3 © Oracle Corporation This document may be reproduced whole and intact including the Copyright notice. Title: Oracle Linux 7 NSS Cryptographic Module Security Policy Date: January 22nd, 2020 Author: Oracle Security Evaluations – Global Product Security Contributing Authors: Oracle Linux Engineering Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may reproduced or distributed whole and intact including this copyright notice. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 7 NSS Cryptographic Module Security Policy i TABLE OF CONTENTS Section Title
  • BLAKE2: Simpler, Smaller, Fast As MD5

    BLAKE2: Simpler, Smaller, Fast As MD5

    BLAKE2: simpler, smaller, fast as MD5 Jean-Philippe Aumasson1, Samuel Neves2, Zooko Wilcox-O'Hearn3, and Christian Winnerlein4 1 Kudelski Security, Switzerland [email protected] 2 University of Coimbra, Portugal [email protected] 3 Least Authority Enterprises, USA [email protected] 4 Ludwig Maximilian University of Munich, Germany [email protected] Abstract. We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64- bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides a comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode). 1 Introduction The SHA-3 Competition succeeded in selecting a hash function that comple- ments SHA-2 and is much faster than SHA-2 in hardware [1]. There is nev- ertheless a demand for fast software hashing for applications such as integrity checking and deduplication in filesystems and cloud storage, host-based intrusion detection, version control systems, or secure boot schemes.
  • Extending NIST's CAVP Testing of Cryptographic Hash Function

    Extending NIST's CAVP Testing of Cryptographic Hash Function

    Extending NIST’s CAVP Testing of Cryptographic Hash Function Implementations Nicky Mouha and Christopher Celi National Institute of Standards and Technology, Gaithersburg, MD, USA [email protected],[email protected] Abstract. This paper describes a vulnerability in Apple’s CoreCrypto library, which affects 11 out of the 12 implemented hash functions: every implemented hash function except MD2 (Message Digest 2), as well as several higher-level operations such as the Hash-based Message Authen- tication Code (HMAC) and the Ed25519 signature scheme. The vulnera- bility is present in each of Apple’s CoreCrypto libraries that are currently validated under FIPS 140-2 (Federal Information Processing Standard). For inputs of about 232 bytes (4 GiB) or more, the implementations do not produce the correct output, but instead enter into an infinite loop. The vulnerability shows a limitation in the Cryptographic Algorithm Validation Program (CAVP) of the National Institute of Standards and Technology (NIST), which currently does not perform tests on hash func- tions for inputs larger than 65 535 bits. To overcome this limitation of NIST’s CAVP, we introduce a new test type called the Large Data Test (LDT). The LDT detects vulnerabilities similar to that in CoreCrypto in implementations submitted for validation under FIPS 140-2. Keywords: CVE-2019-8741, FIPS, CAVP, ACVP, Apple, CoreCrypto, hash function, vulnerability. 1 Introduction The security of cryptography in practice relies not only on the resistance of the algorithms against cryptanalytical attacks, but also on the correctness and robustness of their implementations. Software implementations are vulnerable to software faults, also known as bugs.
  • A (Second) Preimage Attack on the GOST Hash Function

    A (Second) Preimage Attack on the GOST Hash Function

    A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria [email protected] Abstract. In this article, we analyze the security of the GOST hash function with respect to (second) preimage resistance. The GOST hash function, defined in the Russian standard GOST-R 34.11-94, is an iter- ated hash function producing a 256-bit hash value. As opposed to most commonly used hash functions such as MD5 and SHA-1, the GOST hash function defines, in addition to the common iterated structure, a check- sum computed over all input message blocks. This checksum is then part of the final hash value computation. For this hash function, we show how to construct second preimages and preimages with a complexity of about 2225 compression function evaluations and a memory requirement of about 238 bytes. First, we show how to construct a pseudo-preimage for the compression function of GOST based on its structural properties. Second, this pseudo- preimage attack on the compression function is extended to a (second) preimage attack on the GOST hash function. The extension is possible by combining a multicollision attack and a meet-in-the-middle attack on the checksum. Keywords: cryptanalysis, hash functions, preimage attack 1 Introduction A cryptographic hash function H maps a message M of arbitrary length to a fixed-length hash value h. A cryptographic hash function has to fulfill the following security requirements: – Collision resistance: it is practically infeasible to find two messages M and M ∗, with M ∗ 6= M, such that H(M) = H(M ∗).
  • Advanced Meet-In-The-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2

    Advanced Meet-In-The-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2

    Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2 Jian Guo1, San Ling1, Christian Rechberger2, and Huaxiong Wang1 1 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore 2 Dept. of Electrical Engineering ESAT/COSIC, K.U.Leuven, and Interdisciplinary Institute for BroadBand Technology (IBBT), Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium. [email protected] Abstract. We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks runs in time 2188.8 for finding preimages, and 2188.2 for second-preimages. Both have memory requirement of order 28, which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as 278.4 and 269.4 MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. To obtain these results, we extend the meet-in-the-middle framework recently developed by Aoki and Sasaki in a series of papers. In addition to various algorithm-specific techniques, we use a number of conceptually new ideas that are applicable to a larger class of constructions. Among them are (1) incorporating multi-target scenarios into the MITM framework, leading to faster preimages from pseudo-preimages, (2) a simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage, and (3) probabilistic initial structures, to reduce the attack time complexity.
  • Fast Collision Attack on MD5

    Fast Collision Attack on MD5

    Fast Collision Attack on MD5 Marc Stevens Department of Mathematics and Computer Science, Eindhoven University of Technology P.O. Box 513, 5600 MB Eindhoven, The Netherlands. [email protected] Abstract. In this paper, we present an improved attack algorithm to find two-block colli- sions of the hash function MD5. The attack uses the same differential path of MD5 and the set of sufficient conditions that was presented by Wang et al. We present a new technique which allows us to deterministically fulfill restrictions to properly rotate the differentials in the first round. We will present a new algorithm to find the first block and we will use an al- gorithm of Klima to find the second block. To optimize the inner loop of these algorithms we will optimize the set of sufficient conditions. We also show that the initial value used for the attack has a large influence on the attack complexity. Therefore a recommendation is made for 2 conditions on the initial value of the attack to avoid very hard situations if one has some freedom in choosing this initial value. Our attack can be done in an average of about 1 minute (avg. complexity 232.3) on a 3Ghz Pentium4 for these random recommended initial values. For arbitrary random initial values the average is about 5 minutes (avg. complexity 234.1). With a reasonable probability a collision is found within mere seconds, allowing for instance an attack during the execution of a protocol. Keywords: MD5, collision, differential cryptanalysis 1 Introduction Hash functions are among the primitive functions used in cryptography, because of their one- way and collision free properties.
  • Certicom Security Builder GSE Datasheet

    Certicom Security Builder GSE Datasheet

    Security Builder® GSE™ FIPS 140-2 VALIDATED CRYPTOGRAPHIC MODULE Build trusted, government-approved security into your products. Security Builder® GSE™ enables developers to quickly build client and server-side applications that require a FIPS 140-2 level 1 validation for the cryptographic module. Security Builder GSE acts as a software cryptographic provider within the Certicom® Security Architecture™ – a comprehensive, portable and modular solution designed to allow developers to quickly and cost-effectively embed security across multiple families and generations of devices and applications. MEETS GOVERNMENT SECURITY REQUIREMENTS REDUCES TIME TO MARKET A number of government regulations mandate the use of FIPS By building on Security Builder GSE, you can avoid the lengthy validated modules for the protection of data, especially in a and expensive FIPS validation process and get your product to wireless setting. FIPS also helps demonstrate adherence to market more quickly. Re-validation and re-branding options security best practices. In the US, for instance, compliance are also available if you wish for your product to be listed on with FIPS 140-2 can help manufacturers of network- the NIST Cryptographic Module Validation Program active connected devices and application software demonstrate best validation list. By using a pre-validated module you can meet practice encryption capabilities for protecting patient and user security requirements without diverting valuable resources and data. keep your developers focused on your core application. Security Builder GSE has been validated on a wide variety COMPREHENSIVE SECURITY SOLUTION of high-level and embedded operating systems, including QNX With support for leading client and server-side operating real-time OS, Android and iOS.
  • Implementation of Hash Function for Cryptography (Rsa Security)

    Implementation of Hash Function for Cryptography (Rsa Security)

    International Journal For Technological Research In Engineering Volume 4, Issue 6, February-2017 ISSN (Online): 2347 - 4718 IMPLEMENTATION OF HASH FUNCTION FOR CRYPTOGRAPHY (RSA SECURITY) Syed Fateh Reza1, Mr. Prasun Das2 1M.Tech. (ECE), 2Assistant Professor (ECE), Bitm,Bolpur ABSTRACT: In this thesis, a new method for expected to have a unique hash code and it should be implementing cryptographic hash functions is proposed. generally difficult for an attacker to find two messages with This method seeks to improve the speed of the hash the same hash code. function particularly when a large set of messages with Mathematically, a hash function (H) is defined as follows: similar blocks such as documents with common Headers H: {0, 1}* → {0, 1}n are to be hashed. The method utilizes the peculiar run-time In this notation, {0, 1}* refers to the set of binary elements configurability Feature of FPGA. Essentially, when a block of any length including the empty string while {0, 1}n refers of message that is commonly hashed is identified, the hash to the set of binary elements of length n. Thus, the hash value is stored in memory so that in subsequent occurrences function maps a set of binary elements of arbitrary length to of The message block, the hash value does not need to be a set of binary elements of fixed length. Similarly, the recomputed; rather it is Simply retrieved from memory, thus properties of a hash function are defined as follows: giving a significant increase in speed. The System is self- x {0, 1}*; y {0,1}n learning and able to dynamically build on its knowledge of Pre-image resistance: given y= H(x), it should be difficult to frequently Occurring message blocks without intervention find x.
  • SHA-3 Conference, March 2012, Efficient Hardware Implementations

    SHA-3 Conference, March 2012, Efficient Hardware Implementations

    Efficient Hardware Implementations and Hardware Performance Evaluation of SHA-3 Finalists Kashif Latif, M Muzaffar Rao, Arshad Aziz and Athar Mahboob National University of Sciences and Technology (NUST), H-12 Islamabad, Pakistan [email protected], [email protected], [email protected], [email protected] Abstract. Cryptographic hash functions are at the heart of many information security applications like digital signatures, message authentication codes (MACs), and other forms of authentication. In consequence of recent innovations in cryptanalysis of commonly used hash algorithms, NIST USA announced a publicly open competition for selection of new standard Secure Hash Algorithm called SHA-3. An essential part of this contest is hardware performance evaluation of the candidates. In this work we present efficient hardware implementations and hardware performance evaluations of SHA-3 finalists. We implemented and investigated the performance of SHA-3 finalists on latest Xilinx FPGAs. We show our results in the form of chip area consumption, throughput and throughput per area on most recently released devices from Xilinx on which implementations have not been reported yet. We have achieved substantial improvements in implementation results from all of the previously reported work. This work serves as performance investigation of SHA-3 finalists on most up-to-date FPGAs. Keywords: SHA-3, Performance Evaluation, Cryptographic Hash Functions, High Speed Encryption Hardware, FPGA. 1 Introduction A cryptographic hash function is a deterministic procedure whose input is an arbitrary block of data and output is a fixed-size bit string, which is known as the (Cryptographic) hash value. Cryptographic hash functions are widely used in many information security applications like digital signatures, message authentication codes (MACs), and other forms of authentication.
  • Modified SHA1: a Hashing Solution to Secure Web Applications Through Login Authentication

    Modified SHA1: a Hashing Solution to Secure Web Applications Through Login Authentication

    36 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 11, No. 1, April 2019 Modified SHA1: A Hashing Solution to Secure Web Applications through Login Authentication Esmael V. Maliberan Graduate Studies, Surigao del Sur State University, Philippines Abstract: The modified SHA1 algorithm has been developed by attack against the SHA-1 hash function, generating two expanding its hash value up to 1280 bits from the original size of different PDF files. The research study conducted by [9] 160 bit. This was done by allocating 32 buffer registers for presented a specific freestart identical pair for SHA-1, i.e. a variables A, B, C and D at 5 bytes each. The expansion was done by collision within its compression function. This was the first generating 4 buffer registers in every round inside the compression appropriate break of the SHA-1, extending all 80 out of 80 function for 8 times. Findings revealed that the hash value of the steps. This attack was performed for only 10 days of modified algorithm was not cracked or hacked during the experiment and testing using powerful online cracking tool, brute computation on a 64-GPU. Thus, SHA1 algorithm is not force and rainbow table such as Cracking Station and Rainbow anymore safe in login authentication and data transfer. For Crack and bruteforcer which are available online thus improved its this reason, there were enhancements and modifications security level compared to the original SHA1. being developed in the algorithm in order to solve these issues [10, 11]. [12] proposed a new approach to enhance Keywords: SHA1, hashing, client-server communication, MD5 algorithm combined with SHA compression function modified SHA1, hacking, brute force, rainbow table that produced a 256-bit hash code.
  • IBM® Crypto for C (ICC) Version 8.0.0 FIPS 140-2 Non-Proprietary

    IBM® Crypto for C (ICC) Version 8.0.0 FIPS 140-2 Non-Proprietary

    IBM® Crypto for C (ICC) Version 8.0.0 FIPS 140-2 Non-Proprietary Security Policy, version 1.2 December 6, 2010 IBM® Crypto for C (ICC), Version 8.0.0 FIPS 140-2 Non-Proprietary Security Policy, version 1.2 December 6, 2010 This document is the property of International Business Machines Corporation (IBM® Corp.). This document may only be reproduced in its entirety without modifications. © Copyright 2010 IBM Corp. All Rights Reserved Table Of Contents 2. References and Abbreviations ................................................................................ 3 2.1 References ......................................................................................................................... 3 2.2 Abbreviations .................................................................................................................... 3 3 Introduction ............................................................................................................... 5 3.1 Purpose of the Security Policy ......................................................................................... 5 3.2 Target Audience ................................................................................................................ 5 4. Cryptographic Module Definition ................................................................................ 6 4.1 Cryptographic Module Boundary ...................................................................................... 8 5. FIPS 140-2 Specifications .....................................................................................