A LETTER FROM THE NATIONAL COMPUTER SYSTEMS LABORATORY
No. 29 February 1990

DATA ENCRYPTION STANDARD: THE KEY TO INFORMATION SECURITY

In response to the many questions we receive about the Data
Encryption Standard (DES), we have developed a DES Fact Sheet
which covers all aspects of the standard and its applicability.
Highlights of the DES Fact Sheet follow.

Background

Protecting the confidentiality and integrity of sensitive
unclassified information in federal computer systems has been a
key goal of NCSL since the inception of its computer security
program in 1972. Federal Information Processing Standard (FIPS)
46, Data Encryption Standard (DES), was issued in 1977. FIPS 46
is based upon work by the International Business Machines
Corporation and has been approved as American National Standard
X3.92-1981/R1987. DES has been reaffirmed twice, most recently
in 1988. The current FIPS 46-1 reaffirms the standard until
1993.

How does DES work?

DES specifies a cryptographic algorithm that converts plaintext
to ciphertext using a key, a process called encryption. The same
algorithm used with the same key converts ciphertext back to
plaintext in the reverse process called decryption. DES involves
16 rounds of operations that mix the data and key together in a
prescribed manner. The result is a complete scramble of data and
key so that no correlation exists between the ciphertext and
either the original data or key.
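The structural point in the paragraph above, that one routine with one key both encrypts and decrypts, comes from the Feistel construction DES is built on. The example below is an added illustration and is not code from the newsletter or from NCSL: it is a toy 16-round Feistel cipher on 64-bit blocks, with a hash-based round function and key schedule standing in for the DES expansion, S-boxes, permutations and key shifts (those substitutions are assumptions for brevity, so this is not DES and must not be used as a cipher). It also shows why "mode of operation" appears in the list of security factors below: the same block routine in ECB mode reveals repeated plaintext blocks, while CBC mode hides them.

```python
import hashlib

ROUNDS = 16        # DES also runs 16 rounds
BLOCK = 8          # 64-bit block, as in DES
HALF = BLOCK // 2


def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(half, subkey):
    """Toy round function F(R, K): 4 bytes of SHA-256 over subkey||R.
    DES uses an expansion, eight S-boxes and a permutation here instead;
    the Feistel structure never needs F itself to be invertible."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def key_schedule(key):
    """Toy schedule (assumption): 16 subkeys hashed from an 8-byte key.
    DES instead shifts and permutes 56 key bits into 48-bit subkeys."""
    if len(key) != BLOCK:
        raise ValueError("key must be 8 bytes")
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]


def feistel_block(block, subkeys):
    """Push one block through 16 Feistel rounds. Feeding the subkeys in
    reverse order makes this same loop decrypt: that is the 'same
    algorithm, same key' property the text describes."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    return right + left   # final swap, so decryption reuses the loop above


def encrypt_block(block, key):
    return feistel_block(block, key_schedule(key))


def decrypt_block(block, key):
    return feistel_block(block, key_schedule(key)[::-1])


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data length must be a multiple of 8 (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    """Electronic codebook: every block on its own, so equal plaintext
    blocks yield equal ciphertext blocks and structure leaks."""
    subkeys = key_schedule(key)
    return b"".join(feistel_block(b, subkeys) for b in _blocks(data))


def cbc_encrypt(data, key, iv):
    """Cipher block chaining: XOR each block with the previous ciphertext
    block before encrypting, so repeated plaintext is hidden."""
    if len(iv) != BLOCK:
        raise ValueError("iv must be 8 bytes")
    subkeys = key_schedule(key)
    out, prev = [], iv
    for b in _blocks(data):
        prev = feistel_block(xor(b, prev), subkeys)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    if len(iv) != BLOCK:
        raise ValueError("iv must be 8 bytes")
    subkeys = key_schedule(key)[::-1]
    out, prev = [], iv
    for b in _blocks(data):
        out.append(xor(feistel_block(b, subkeys), prev))
        prev = b
    return b"".join(out)


if __name__ == "__main__":
    key = b"8bytekey"                       # constructed sample key
    msg = b"ABCDEFGH" * 2                   # constructed: two identical blocks
    ecb = ecb_encrypt(msg, key)
    print("ECB repeats block:", ecb[:8] == ecb[8:])
    cbc = cbc_encrypt(msg, key, b"\x00" * 8)
    print("CBC repeats block:", cbc[:8] == cbc[8:])
    print("round trip ok:", cbc_decrypt(cbc, key, b"\x00" * 8) == msg)
```

Running the block prints that ECB repeats the ciphertext block while CBC does not, and that decryption with the reversed subkey order restores the plaintext. Replacing `round_function` with any other function, even a non-invertible one, leaves the round trip intact, which is why the Feistel structure lets the DES designers choose the round function purely for mixing strength.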

How does DES provide security?

The security provided by DES depends on the following factors:

o mathematical soundness,

o length of key,

o key management,

o input data formatting,

o mode of operation,

o implementation,

o application, and

o threat.

Several organizations have evaluated DES and found the standard
to be mathematically sound. NCSL has determined that at least
until 1993, DES will continue to provide more than adequate
security for its intended applications. Applications which use
DES include Electronic Funds Transfer, privacy protection of
personal information, personal authentication, password
protection, and access control.

Applicability of DES

Subject to agency waivers, the use of DES is mandatory for all
federal agencies, including defense agencies, for the protection
of sensitive unclassified data communications (except information
covered by 10 U.S.C. Section 2315) when the agency determines
that cryptographic protection is required. Note that the use of
DES is currently applicable only to the protection of data
communications. Private-sector individuals or organizations may
use DES at their discretion.

Heads of federal agencies may waive the mandatory use of DES
when:

o compliance with the standard would adversely affect the
accomplishment of the mission of an operator of a federal
computer system; or

o compliance would cause a major adverse financial impact on
the operator which is not offset by governmentwide savings.

Endorsement of DES Products

The National Security Agency (NSA) no longer endorses DES
products for use in telecommunications equipment and systems for
conformance to FIPS 140 (formerly Federal Standard 1027). NCSL
has notified federal agencies that they may wish to waive FIPS
140 in order to buy equipment which may not meet all requirements
of the standard. This action enables agencies to procure
cost-effective equipment that meets their needs, but has not been
endorsed by NSA. FIPS 140 is being revised; in the interim,
agencies may accept written affirmation of conformance to FIPS
140 from vendors as sufficient indication of conformance.

DES Fact Sheet

The DES Fact Sheet is available at no charge from the following
address:

DES Fact Sheet
National Computer Systems Laboratory
Room B64, Technology Building
National Institute of Standards and Technology
Gaithersburg, MD 20899
(301) 975-2821

Alternatively, you may access our NCSL Computer Security Bulletin
Board and download the DES Fact Sheet. To access the board, you
need a standard ASCII terminal (or PC with communications
capabilities) set up with the following parameters: baud rate -
300, 1200, or 2400; data bits - 8 with no parity or 7 with even
parity; and stop bits - 1. Dial (301) 948-5717 and after the
CONNECT message is displayed, strike the carriage return twice.
The DES file is located in the "File Subsystem" under the
"General Information (1)" Directory. The ten-page file can only
be viewed by downloading it. Instructions for downloading are
available in the "Bulletin Topics Menu" under the "Using the BBS
(1)" Directory.

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES

FIPS For COBOL Revised

The Secretary of Commerce has approved a revision of FIPS 21-2,
COBOL, to be published as FIPS 21-3. To be effective June 29,
1990, the revised standard adopts American National Standard
Programming Language COBOL, ANSI X3.23-1985 and X3.23A-1989 for
federal agency use. FIPS 21-3 adds an Intrinsic Function
facility to the COBOL specifications. FIPS COBOL is one of the
high-level programming language standards provided for use by all
federal agencies. The language is especially suited for
applications that emphasize the manipulation of characters,
records, files, and input/output (in contrast to those primarily
concerned with scientific and numeric computations). FIPS 21-3
will be available through NTIS.

Revision of FIPS Structured Query Language (SQL) Approved

FIPS 127, Database Language SQL, has been revised and will be
published as FIPS 127-1. The revised standard adopts American
National Standard Database Language SQL with Integrity
Enhancement, ANSI X3.135-1989, and American National Standard
Database Language Embedded SQL, ANSI X3.168-1989. FIPS 127-1
offers new conformance alternatives, new programming language
interfaces, a new integrity enhancement option, clarification and
correction of existing specifications, and additional
considerations for use in procurements. It does not contain any
new requirements that would make an existing conforming
implementation nonconforming.
FIPS 127-1 will be available through NTIS.

NCSL HOSTS INTERAGENCY COMPUTER SECURITY MANAGERS MEETING

Lynn McNulty, Associate Director for Computer Security, recently
hosted the first meeting of the Federal Computer Security Program
Managers Forum. The purpose of the meeting was to share
information with federal personnel who manage operational
computer security organizations responsible for the protection of
sensitive unclassified information. Representatives from
approximately thirty agencies and departments attended, including
all four military services.

McNulty discussed two projects that his office is undertaking.
The first is to develop a special publication to provide guidance
to federal agencies on the management and organization of a
computer security program. Additionally, his office is examining
how the federal personnel system is used to hire computer
security professionals and hopes to convince the Office of
Personnel Management to recognize computer security as a separate
professional series.

Participants were provided the latest information on NCSL's
efforts in virus prevention, awareness publications, and
interagency computer assistance activities. The group also
addressed whether NCSL should establish a standing interagency
body to address policy issues. McNulty will chair regular Forum
meetings to share computer security information among the federal
participants.

NCSL SEEKS AUTOMATED PASSWORD GENERATORS

We are seeking contributions of existing automated password and
passphrase generators from the commercial, industrial, and
academic computer security communities. These generators will be
evaluated for use in federal systems that require automated
password and passphrase generation. Responses should be sent to
Lawrence Keys, A216, Technology Building, National Institute of
Standards and Technology, Gaithersburg, MD 20899 or call Larry at
(301) 975-5482.
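The generators NCSL asks for above are judged on whether their output is unpredictable and how much entropy each password or passphrase carries. As an added illustration, not a submission to NCSL and not code from the newsletter, the Python below draws passwords and Diceware-style passphrases from the operating system's cryptographic random source and reports the entropy in bits; the word list is a constructed sixteen-word sample (a real list would hold thousands of words), and the function names are this example's own.

```python
import math
import secrets
import string

# Constructed sample word list. A deployed generator would load a large,
# reviewed list so that each word contributes many bits of entropy.
SAMPLE_WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon",
                "garnet", "harbor", "iris", "juniper", "kestrel", "lumen",
                "marble", "nectar", "orbit", "pepper"]

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, length):
    """Entropy of a string chosen uniformly from alphabet_size symbols:
    length * log2(alphabet_size). Holds only if each pick is uniform and
    independent, which is why secrets (a CSPRNG) is used below."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def generate_password(length=16, alphabet=DEFAULT_ALPHABET):
    """Uniform random password over the alphabet using the OS CSPRNG."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols (skews entropy)")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words=5, words=SAMPLE_WORDS, sep="-"):
    """Diceware-style passphrase: n_words drawn uniformly with replacement."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def password_strength(length, alphabet=DEFAULT_ALPHABET):
    """Entropy in bits of a password of this length over this alphabet."""
    return entropy_bits(len(alphabet), length)


def passphrase_strength(n_words, words=SAMPLE_WORDS):
    """Entropy in bits of a passphrase of n_words from this list."""
    return entropy_bits(len(words), n_words)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "%.1f bits" % password_strength(16))
    pp = generate_passphrase(5)
    print(pp, "%.1f bits" % passphrase_strength(5))
```

Entropy here comes entirely from the number of uniform choices, not from the apparent complexity of the result: five words from a sixteen-word list give only 20 bits, which is why list size matters more than word length. Generators that build passwords from pronounceable syllables or that filter output to satisfy composition rules reduce the effective alphabet and must have their entropy recomputed over the set they can actually emit.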

GRAPHICS VALIDATION TEST SUITES TO BE DEMONSTRATED

Our Information Systems Engineering Division will demonstrate its
graphics validation test suites at the National Computer Graphics
Association (NCGA) '90 Conference and Exposition in Anaheim, CA
on March 19-22. The test suites determine if a specified
implementation conforms to the corresponding ANSI and FIPS
graphics standards. Test suites will be run for the following
standards: Graphical Kernel System (GKS); Programmer's
Hierarchical Interactive Graphics System (PHIGS); Computer
Graphics Metafile (CGM); and Structured Query Language (SQL).

Implementors can use the test suite to improve their products and
help ensure correct implementation of the graphics standard.
Vendors with conforming products benefit by improving their
competitive edge; users benefit from an open marketplace and
increased confidence in these products.

For information about the NCSL exhibit, contact Lynne S.
Rosenthal, A266, Technology Building, National Institute of
Standards and Technology, Gaithersburg, MD 20899, (301) 975-3353.

For information about the conference in general, contact NCGA,
2722 Merrilee Drive, Suite 200, Fairfax, VA 22031, (800) 225-NCGA.

UPDATE ON NEW PUBLICATIONS

NCSL publishes the results of studies, investigations, and
research. The reports listed below may be ordered from the
following sources as indicated for each:

*Superintendent of Documents
U.S. Government Printing Office
(GPO)
Washington, DC 20402
Telephone (202) 783-3238

*National Technical Information
Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703) 487-4650

Report of the Invitational Workshop on Data Integrity
By Zella G. Ruthberg and William T. Polk
NIST Spec. Pub. 500-168
September 1989
SN003-003-02966-1
Order from GPO

This publication contains the proceedings of the second
invitational workshop on computer integrity issues which took
place at NIST on January 25-27, 1989. Attended by 66 invited
participants who are currently working in some aspect of data
integrity, the workshop addressed such topics as data integrity
models, data quality, integrity controls, and certification of
transformation procedures that preserve data integrity. Results
of the first workshop held in October 1987 which addressed
integrity policy in computer information systems are contained in
NIST Special Publication 500-160.

Executive Guide to the Protection of Information Resources
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
NIST Spec. Pub. 500-169
October 1989
SN003-003-02969-6 $1.50
Order from GPO (also available on NCSL Computer Security Bulletin
Board)

This guide assists executives in addressing a host of questions
regarding the protection and safety of computer systems and their
information resources. The publication introduces information
systems security concerns, outlines the management issues that
must be addressed by agency policies and programs, and describes
essential components of an effective implementation process.

Management Guide to the Protection of Information Resources
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
NIST Spec. Pub. 500-170
October 1989
SN003-003-02968-8 $1.75
Order from GPO (also available on NCSL Computer Security Bulletin
Board)

This guide introduces information systems security concerns and
outlines the issues that must be addressed by all agency managers
in meeting their responsibilities to protect information systems
within their organizations. It describes essential components of
an effective information resource protection process that applies
to a stand alone personal computer or to a large data processing
facility.

Computer User's Guide to the Protection of Information Resources
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
NIST Spec. Pub. 500-171
October 1989
SN003-003-02970-0 $1.00
Order from GPO (also available on NCSL Computer Security Bulletin
Board)

Computers have changed the way we handle our information
resources. Large amounts of information are stored in one
central place with the ability to be accessed from remote
locations. Users have a personal responsibility for the security
of the system and the data stored in it. This document outlines
the user's responsibilities and provides security and control
guidelines to be implemented.

Computer Security Training Guidelines
By Mary Anne Todd and Constance Guitian
NIST Spec. Pub. 500-172
November 1989
SN003-003-02975-1 $2.50
Order from GPO

This guideline provides a framework for determining the training
needs of employees involved with computer systems. It describes
the learning objectives of agency computer security training
programs -- what the employee should know and be able to direct
or actually perform -- so that agencies may use the guidance to
develop or acquire training programs that fit the agency
environment.

Guide to Data Administration
By Bruce K. Rosen and Margaret H. Law
NIST Spec. Pub. 500-173
October 1989
SN003-003-02967-0 $4.25
Order from GPO

This guide provides a reference model for the various activities
performed by information resource management, data
administration, data modeling tools administration, and database
administration. Data administration is responsible for defining
an information architecture. The guide describes computing tools
useful for data administration, such as data dictionary systems
and computer-aided software engineering (CASE) tools.

Guide for Selecting Automated Risk Analysis Tools
By Irene E. Gilbert
NIST Spec. Pub. 500-174
October 1989
SN003-003-02971-8 $2.00
Order from GPO

This document recommends a process for selecting automated risk
analysis tools, describing important considerations for
developing selection criteria for acquiring risk analysis
software. The report describes three essential elements that
should be present in an automated risk analysis tool: data
collection, analysis, and output results. It is intended
primarily for managers and those responsible for managing risks
in computer and telecommunications systems.

Management of Networks Based on Open Systems Interconnection
(OSI) Standards: Functional Requirements and Analysis
By Robert Aronoff, Michael Chernick, Karen Hsing, Kevin Mills,
and Daniel Stokesberry
NIST Spec. Pub. 500-175
November 1989
SN003-003-02986-6 $7.00
Order from GPO

This publication examines current and proposed network management
systems to determine both user and functional requirements for
network management. The report compares the derived functional
requirements to emerging standards to determine where and how
requirements are being met. The examination of requirements
focuses on those necessary for interoperability in the following
broad areas: architecture, configuration management, fault
management, security management, performance management, and
accounting management.

A Detailed Description of the Knowledge-Based System for Physical
Database Design
(two volumes)
By Christopher E. Dabrowski
NISTIR 89-4139-1
August 1989
PB 89 228993 $17.00
NISTIR 89-4139-2
PB 89 229033 $23.00

A knowledge-based system for physical database design developed
at NCSL has previously been described in NIST Spec. Pub. 500-151.
This follow-up report to that publication describes the knowledge
base for the system in detail. The description includes a
complete explanation of each component of the knowledge base
together with the actual rules used by the system.

Working Implementation Agreements for Open Systems
Interconnection Protocols
Tim Boland, Editor
NISTIR 89-4140
August 1989
PB 89-235931 $36.95
Order from NTIS

This document records current agreements on implementation
details of Open Systems Interconnection (OSI) protocols among the
organizations participating in the NIST/OSI Workshop for
Implementors of OSI. The document is based on the proceedings of
the workshop plenary assembly held June 16, 1989. Decisions are
documented to facilitate organizations in their understanding of
the status of agreements.

UPCOMING TECHNICAL CONFERENCES

North American ISDN Users' Forum
This conference will address many concerns over a broad range of
Integrated Services Digital Network (ISDN) issues and will seek
to reach consensus on ISDN Implementation Agreements.
Participants will include ISDN users, implementors, and service
providers.
Date: March 6-9, 1990
Place: Dallas, TX
Date: August 6-9, 1990
Place: NIST, Gaithersburg, MD
Date: November 5-8, 1990
Place: NIST, Gaithersburg, MD
Contact: Dawn Hoffman
(301) 975-2937
FTS 879-2937

NIST Workshop for Implementors of OSI
This workshop is part of a continuing series to develop
implementation specifications from international standard design
specifications for computer network protocols.
Sponsors: NIST and the IEEE Computer Society
Dates: March 12-16, 1990
June 18-22, 1990
September 10-14, 1990
December 10-14, 1990
Place: NIST, Gaithersburg, MD
Contact: Brenda Gray
(301) 975-3664
FTS 879-3664

Data Administration Management Association Annual Symposium
Data administration techniques and approaches will be discussed
in a forum for the exchange of ideas and resolution of problems.
Sponsors: NIST, FEDMUG, and Data Administration Management
Association
Date: May 7-8, 1990
Place: NIST, Gaithersburg, MD
Contact: Judith Newton
(301) 975-3256
FTS 879-3256

Applications Portability Profile (APP) Workshop
This workshop is designed as a user's forum to discuss the latest
developments in the APP.
Date: May 9, 1990
Place: NIST, Gaithersburg, MD
Contact: James Hall
(301) 975-3273
FTS 879-3273

COMPASS '90
The purpose of this conference is to identify the meaning of
computer assurance, the techniques needed to achieve it, and
their limitations.
Sponsors: NIST, IEEE Aerospace & Electronics Systems Society,
and IEEE National Capital Area Council
Date: June 25-29, 1990
Place: NIST, Gaithersburg, MD
Contact: Dolores Wallace
(301) 975-3340
FTS 879-3340


If you are interested in receiving our newsletter, send your
name, organization, and mailing address to: NCSL Newsletter,
National Institute of Standards and Technology, Room B151,
Technology Building, Gaithersburg, MD 20899.
 