Notice2025-11497
Proposed Withdrawal of Federal Information Processing Standards (FIPS) 198-1, The Keyed-Hash Message Authentication Code (HMAC)
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
June 23, 2025
Issuing agencies
Commerce DepartmentNational Institute of Standards and Technology
Abstract
The National Institute of Standards and Technology (NIST) proposes to withdraw FIPS 198-1, the Keyed-Hash Message Authentication Code (HMAC), from the FIPS series. Prior to the submission of this proposed withdrawal of FIPS 198-1 to the Secretary of Commerce for review and approval, NIST invites comments from the public, users, the information technology industry, and Federal, State, and local governments, and government organizations concerning the withdrawal of this FIPS.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 118 (Monday, June 23, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 118 (Monday, June 23, 2025)]
[Notices]
[Pages 26540-26541]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-11497]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Proposed Withdrawal of Federal Information Processing Standards
(FIPS) 198-1, The Keyed-Hash Message Authentication Code (HMAC)
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice; request for comments.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
proposes to withdraw FIPS 198-1, the Keyed-Hash Message Authentication
Code (HMAC), from the FIPS series.
Prior to the submission of this proposed withdrawal of FIPS 198-1
to the Secretary of Commerce for review and approval, NIST invites
comments from the public, users, the information technology industry,
and Federal, State, and local governments, and government organizations
concerning the withdrawal of this FIPS.
DATES: Comments on the proposed withdrawal of this FIPS must be
received no later than 11:59 p.m. EDT on July 23, 2025.
ADDRESSES: Written comments concerning the withdrawal of FIPS 198-1
should be sent to: Crypto Publication Review Board, Computer Security
Division, Information Technology Laboratory, National Institute of
Standards and Technology, 100 Bureau Drive, Mail Stop 8930,
Gaithersburg, MD 20899-8930, ATTN: FIPS 198-1 Comments.
Electronic comments should be sent to:
<a href="/cdn-cgi/l/email-protection#7b1809020b0f140b0e19091e0d121e0c19141a091f3b1512080f551c140d"><span class="__cf_email__" data-cfemail="1e7d6c676e6a716e6b7c6c7b68777b697c717f6c7a5e70776d6a30797168">[email protected]</span></a>.
Information about the FIPS is available on the NIST web page
<a href="https://csrc.nist.gov/pubs/fips/198-1/final">https://csrc.nist.gov/pubs/fips/198-1/final</a>. Comments received in
response to this notice will be published electronically on that page
without change or redaction, so commenters should not include
information they do not wish to be posted (e.g. personal or
confidential business information).
FOR FURTHER INFORMATION CONTACT: Morris Dworkin, NIST, 100 Bureau
Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930,
<a href="/cdn-cgi/l/email-protection#2043525950544f505542524556494557424f415244604e4953540e474f56"><span class="__cf_email__" data-cfemail="8ceffef5fcf8e3fcf9eefee9fae5e9fbeee3edfee8cce2e5fff8a2ebe3fa">[email protected]</span></a>, (301) 975-2354.
SUPPLEMENTARY INFORMATION: FIPS 198-1 is being proposed for withdrawal
from the FIPS series because the content is more suitable in a NIST
Special Publication (SP) and outdated. Specifically, a) it describes a
cryptographic scheme, instead of a fundamental cryptographic primitive,
and b) the HMAC specification needs to be updated to include block
sizes to support the SHA-3 family of hash functions defined in FIPS
202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output
Functions.
Subsequent to the issuance of FIPS 198-1 in 2008, NIST developed
NIST Internal Report (IR) 7977, NIST Cryptographic Standards and
Guidelines Development Process (March 2016), available at <a href="https://csrc.nist.gov/pubs/ir/7977/final">https://csrc.nist.gov/pubs/ir/7977/final</a>. Under NIST IR 7977, NIST typically
specifies fundamental cryptographic primitives--block ciphers, digital
signature algorithms, and hash functions--as FIPS publications, whereas
other cryptographic schemes--modes of operation, key management,
message authentication codes, etc.--are published as a part of the NIST
SP 800 ``Computer Security'' series. For more information, see Section
3 of NIST IR 7977. As FIPS 198-1 describes HMAC, a message
authentication code, NIST proposes to move this specification to an SP
800 publication and withdraw FIPS 198-1 to be consistent with the
approach in NIST IR 7977.
Additionally, the HMAC specification needs updating to include
larger block sizes to support the SHA-3 family of hash functions
specified in FIPS 202. A discussion of truncation, an editorial
refresh, and updated references are also needed and have been
implemented in NIST SP 800-224, as further described below.
In August 2021, NIST's Crypto Publication Review Board (CPRB)
initiated a review process for FIPS 198-1 (published in 2008) and
received public comments. In September 2022, CPRB proposed converting
FIPS 198-1 to a NIST SP and received additional comments on that
proposed decision. The public comments received during these comment
periods are available at <a href="https://csrc.nist.gov/projects/crypto-publication-review-project/completed-reviews#fips198-1">https://csrc.nist.gov/projects/crypto-publication-review-project/completed-reviews#fips198-1</a>. In November
2022, NIST announced its intention to develop NIST SP 800-224, with a
proposed plan to withdraw FIPS 198-1 after the new SP is published.
A draft of NIST SP 800-224, Keyed-Hash Message Authentication Code
(HMAC): Specification of HMAC and Recommendation for Message
Authentication, was released for public comment from June 28, 2024, to
September 6, 2024. A copy of the draft and a compilation of comments
received are posted at <a href="https://csrc.nist.gov/pubs/sp/800/224/ipd">https://csrc.nist.gov/pubs/sp/800/224/ipd</a>. NIST
prepared a final version of SP 800-224, which was cleared for
publication in March 2025, and this notice follows. Should the
[[Page 26541]]
Secretary of Commerce approve the withdrawal of this FIPS, NIST will
keep references to the withdrawn FIPS on its FIPS web pages and will
link to current versions of these standards and specifications where
appropriate.
Withdrawal means that federal agencies will no longer be required
to comply with this FIPS. NIST will continue to provide relevant
information on standards and guidelines by means of electronic
dissemination methods.
(Authority: 40 U.S.C. 11331(f), 15 U.S.C. 278g-3.)
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2025-11497 Filed 6-20-25; 8:45 am]
BILLING CODE 3510-13-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on June 23, 2025.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.