Forwarded from: Elizabeth Lennon <[EMAIL PROTECTED]>



Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

For the past thirty years, cryptography has been an important
technical tool for protecting the federal government's information and
information systems.  Cryptographic methods have been used to maintain
the confidentiality and integrity of information, to verify that
information was not changed after it was sent, and to authenticate the
originator of the information. During these years, NIST's Information
Technology Laboratory has worked actively with other government and
industry organizations to develop standards and guidelines for the
cost-effective uses of cryptography. As information technology has
changed and as new federal requirements have been established to
strengthen information technology security, NIST has updated older
methods and developed new methods for the application of cryptography.
This bulletin discusses current federal requirements and the
techniques that are available to help federal agencies use
cryptography to protect their information and information systems.

Revised NIST Special Publication (SP) 800-21, Guideline for
Implementing Cryptography in the Federal Government

A revised version of NIST SP 800-21, Guideline for Implementing
Cryptography in the Federal Government, was issued in December 2005 to
replace an earlier version of the guide that had been released in
1999. The revised guide, written by Elaine B. Barker, William C.
Barker, and Annabelle Lee, explains new requirements for federal
agencies to protect their information systems, and points to current
cryptographic standards and techniques that can provide the needed

NIST SP 800-21-1 focuses on cryptographic standards and guidelines
that had been adopted or amended since 1999. It discusses the
development of standards for cryptography, current cryptographic
methods, and issues that agencies deal with in implementing
cryptography in information systems. The guide covers the process for
selecting and implementing cryptographic controls as part of federal
agency responsibilities under the Federal Information Security
Management Act of 2002. NIST's Cryptographic Module Validation Program
is also discussed. The appendices contain a list of acronyms,
cryptographic terms and definitions, references to standards and
guidelines, and information about laws and regulations related to
information security. NIST SP 800-21-1, as well as the other
guidelines and standards that are referenced in this bulletin, is
available at

Federal Information Security Management Act Requirements

The Federal Information Security Management Act (FISMA)  established
requirements for all federal agencies to develop, document, and
implement agency-wide information security programs and to provide
appropriate levels of security for the information and information
systems that support the operations and assets of the agency. FISMA
tasked NIST to develop federal standards for the security
categorization of federal information and information systems
according to risk levels, and to develop minimum security requirements
for information and information systems in each security category.

Federal Information Processing Standard (FIPS) 199, Standards for
Security Categorization of Federal Information and Information
Systems, issued in February 2004, addresses the first task specified
by FISMA. FIPS 199 requires agencies to categorize their information
systems as low-impact, moderate-impact, or high-impact for the
security objectives of confidentiality, integrity, and availability. A
loss of confidentiality is the unauthorized disclosure of information.
A loss of integrity is the unauthorized modification or destruction of
information. A loss of availability is the disruption of access to or
use of information or an information system. Agencies must assign a
security category for both information and information systems.

FIPS 200, Minimum Security Requirements for Federal Information and
Information Systems, issued in March 2006, addresses the second task
identified by FISMA. FIPS 200 specifies minimum security requirements
for information and information systems in seventeen security-related
areas.  Federal agencies must meet the minimum security requirements
through the use of the security controls in accordance with NIST SP
800-53, Recommended Security Controls for Federal Information Systems.

In applying the provisions of FIPS 200, agencies categorize their
systems as required by FIPS 199 and then select an appropriate set of
security controls from NIST SP 800-53.  Security controls are the
management, operational, and technical safeguards or countermeasures
that are prescribed for an information system to protect the
confidentiality, integrity, and availability of the system and its
information. Controls based on the application of cryptographic
functions are fundamental to the overall security of systems and their
information. All security controls, including cryptography, should be
selected as part of an organization's overall information security

Cryptographic Functions

Cryptography is used to protect data that is sensitive, has a high
value, or is vulnerable to unauthorized disclosure or undetected
modification during transmission or while in storage. NIST has
developed standards, guidelines, and techniques for the application of
cryptographic methods to protect the confidentiality and integrity of
data, to authenticate data and users, to authorize users, and to
verify the source of messages and data. For information about
encryption, digital signatures, secure hashing, message (data)
authentication codes, key management, entity authentication, and
random number generation, see

Encryption transforms data into ciphertext before transmission or
storage, and decryption transforms the data back into plaintext.
Symmetric encryption algorithms operate on blocks of data of fixed
size, and the same cryptographic key that is used to encrypt the
information to be protected is also used to decrypt the information.  
The following symmetric encryption algorithms are available for
federal agency use:

* The Advanced Encryption Algorithm (AEA) is a symmetric block cipher
  that is specified in FIPS 197, Advanced Encryption Standard (AES). 
  The AEA encrypts and decrypts data in 128-bit blocks, with three
  possible key sizes: 128, 192, or 256 bits.

* The Triple Data Encryption Algorithm (TDEA) is specified
  in NIST SP 800-67, Recommendation for the Triple Data
  Encryption Algorithm (TDEA) Block Cipher. The TDEA is based
  on the Data Encryption Algorithm (DEA), which was specified
  in FIPS 46-3, Data Encryption Standard. FIPS 46-3 has been
  withdrawn since it was no longer considered strong enough
  to protect sensitive, unclassified information. The DEA is
  still used as the primary cryptographic component of the
  TDEA. This latter application uses three DEA keys for
  encryption and decryption and is more robust than the DEA 

Modes of operation describe how encryption algorithms can be used to
provide services such as confidentiality protection or authentication
of users and information.  Currently, there are seven modes of
operation that may be used with the approved encryption algorithms.
The five modes for confidentiality, one for authentication, and one
combined mode for confidentiality and authentication are described in
the following publications:

*  NIST SP 800-38 A, Recommendation for Block Cipher Modes 
   of Operation - Methods and Techniques;

*  NIST SP 800-38 B, Recommendation for Block Cipher Modes 
   of Operation: The CMAC Mode for Authentication;

*  NIST SP 800-38C, Recommendation for Block Cipher Modes 
   of Operation: The CCM Mode for Authentication and 
   Confidentiality; and

* A fourth publication (to be designated NIST SP 800-38D) 
  dealing with the Galois/Counter Mode (GCM) for 
  Confidentiality and Authentication has been released for 
  public review and comments.

Information on current modes of operation is available at

Message authentication codes (MACs) (also known as data authentication
codes) and digital signatures are cryptographic functions that provide
assurance to the receiver of data that the sender of the data is truly
the sender and that the data has not been modified since it was
authenticated. A MAC is a cryptographic checksum that is computed on
data using a MAC algorithm and a secret key.  After the MAC is
computed, it is sent with the data. The authenticity of the received
data can be verified by the receiver who computes a MAC on the data
using the same key as the sender. FIPS 198, The Keyed-Hash Message
Authentication Code (HMAC), specifies the computation of a MAC using
an approved hash function and a key. NIST SP 800-38B provides for the
computation of a MAC, using AES or TDEA. NIST SP 800-38C provides for
the use of a mode that both authenticates and encrypts data using AES.

A hash function is a one-way function that produces a short
representation of a longer message. It is easy to compute the hash
value from the input, but it is difficult to reverse the process from
the hash value back to the input.  Hash functions are used to
determine whether or not data has been changed after it was
transmitted. Applications of hash functions are used by MACs, digital
signature algorithms, key derivation functions, and random number
generators. Five hash functions are specified in FIPS 180-2, Secure
Hash Standard: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. Since
new attacks have indicated that SHA-1 may provide less security than
originally thought, SHA-1 is not recommended for the generation of
digital signatures in new systems.

Digital signatures are used to prove to the recipient of data or to a
third party that a message or data was signed by the originator and
that the data was not changed.  Digital signatures are generated and
verified using asymmetric key algorithms, commonly known as public key
algorithms. These algorithms use a pair of keys: a public key that may
be known by anyone and a private key that must be known only by the
owner of the key pair. The private key is used to generate a digital
signature on the information.  The signed information and the digital
signature are transmitted to the receiver, who uses the public key,
which corresponds to but is not the same as the private key, to verify
the digital signature. If the digital signature is verified as
correct, the receiver can be assured of the identity of the signer and
that the signed information was received correctly. The identity of
the message signer and the integrity of the data can also be proved to
an independent third party, if necessary.

FIPS 186-2, Digital Signature Standard (DSS), specifies three
algorithms: Digital Signature Algorithm (DSA); RSA signature algorithm
(American National Standard ANSI X9-31); and Elliptic Curve Digital
Signature Algorithm (ECDSA) (ANSI X9-62). The security of digital
signature systems is dependent upon maintaining the secrecy of users'
private keys. The data to which signatures are applied are hash
functions that have been implemented as specified in FIPS 180-2.

Key management includes the rules and protocols for generating,
establishing, and protecting keys. The security and reliability of
cryptographic processes depend upon the strength of the keys, the
effectiveness of the protocols associated with the keys, and the
protection of the keys.  NIST SP 800-57, Recommendation on Key
Management, provides guidance on the generation, use, and disposal of
cryptographic keys. Other topics covered include the selection of
cryptographic algorithms and key sizes, and the development of
policies for the uses of cryptography.

A Public Key Infrastructure (PKI) is the combination of software,
encryption technologies, and services that creates and manages the use
of public keys used in public key cryptography. Public key (or
asymmetric) cryptography allows parties that do not know each other to
exchange data securely. The PKI binds public keys to entities, enables
other entities to verify public key bindings, and provides the
services needed for ongoing management of keys in networks. A PKI
enables confidentiality, integrity, authentication, and digital
signature services to be available on a broad scale to many
organizations. FIPS 196, Entity Authentication Using Public Key
Cryptography, specifies two protocols for entity authentication that
use a public key cryptographic algorithm for generating and verifying
digital signatures. One entity can prove its identity to another
entity by using a private key to generate a digital signature on a
random challenge. The use of public key cryptography provides strong
authentication, without the requirement for authenticating entities to
share secret information. Information about the federal PKI is
available at

Random numbers are used within many cryptographic applications to
generate keys, other cryptographic values, digital signatures, and
challenge-response protocols.  Deterministic Random Bit Generators
(DRBGs), which use cryptographic algorithms to generate random
numbers, have been specified in draft NIST SP 800-90, Recommendation
for Random Number Generation Using Deterministic Random Bit
Generators. The DRBGs provide random numbers for cryptographic

Use of Cryptography in Personal Identity Verification (PIV)

FIPS 201, Personal Identification Verification (PIV) of Federal
Employees and Contractors, approved in February 2005 and recently
updated as FIPS 201-1, applies to the identification cards that are
issued by federal agencies to their employees and contractors who
require access to federal facilities and information systems. PIV
cards incorporate an individual's identity credentials on smart cards.
PIV components and subsystems use the electronically stored data on
the cards to carry out automated identity verification of the
individual. FIPS 201 was developed in response to Homeland Security
Presidential Directive (HSPD)  12, which called for a federal standard
for secure and reliable forms of identification for employees and

Cryptographic methods support the PIV applications and the information
that is stored on the smart cards. NIST SP 800-78, Cryptographic
Algorithms and Key Sizes for Personal Identity Verification, specifies
the acceptable cryptographic algorithms and key sizes to be
implemented in the PIV system to achieve secure and reliable means of
identification. The publication discusses the infrastructure
components for issuance and management of the PIV card, and the
applications for security services that rely on the credentials
supported by the PIV card. The cryptographic methods discussed include
symmetric and asymmetric encryption algorithms, digital signature
algorithms, message digest algorithms, and mechanisms to identify the
algorithms associated with PIV keys or digital signatures. Algorithms
and key sizes were selected to be consistent with federal standards
and to ensure adequate cryptographic strength for PIV applications.

Validation and Testing Requirements

NIST and the Communications Security Establishment of the Government
of Canada coordinate a validation program with independent accredited
testing laboratories that validate modules for conformance to Federal
Information Processing Standard (FIPS) 140-2, Security Requirements
for Cryptographic Modules. The Cryptographic Module Validation Program
(CMVP) provides for the validation of implementations of many
cryptographic standards and guidelines developed by NIST, including
encryption algorithms, digital signature algorithms, hashing
algorithms, random number generators, and message authentication
methods. Information about the CMVP is available at

NIST has established a program for testing and validating PIV
components and subsystems for conformance to FIPS 201-1. This effort
is managed by the NIST PIV Program (NPIVP). Testing organizations will
be accredited by NIST's National Voluntary Laboratory Accreditation
Program (NVLAP), which provides third-party accreditation to testing
and calibration laboratories. NVLAP accredits public and private
sector laboratories, including commercial, manufacturers' in-house,
university, and federal, state, and local government laboratories,
based on evaluation of their technical qualifications and their
competence to carry out specific calibrations or tests.  Information
about this new validation program is available at

Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply
recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

Reply via email to