couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Winshell (Bear River)" <>
Subject Re: PBDK2 implementation specs
Date Mon, 08 Dec 2014 03:08:33 GMT
Thanks. That's exactly what I needed. The relevant government specification is sp800-131A (section
8, 9 10). It looks like CouchDB's PBDK2 is FIPs compliant because it meets the requirements
of all these 3 sections -- together.

Section 8: HMAC key derivation functions are acceptable

Section 9: Though these days SHA-256/384/512 are preferrer, the spec says that SHA-1 is acceptable
for "Non-digital signature generation applications"

Section 10: HMAC to with key length >= 112 bits OK past the year 2013.

Since CouchDB is SHA-1, 160 bit key length, 128 salt and for non-digital signatures, it's
FIPs compliant. I'd like to suggest that CouchDB switch to SHA-256, 256 bit key length.

View raw message