1994-02-23 - NIST Crypto Update (fwd) - a Feb 4 doc we somehow missed…

Header Data

From: Stanton McCandlish <mech@eff.org>
To: eff-staff@eff.org
Message Hash: 22692994e19db66d70a2cec9b8431bbe4052489bb7b058b465c00cb075b6956a
Message ID: <199402232157.QAA26990@eff.org>
Reply To: N/A
UTC Datetime: 1994-02-23 21:58:05 UTC
Raw Date: Wed, 23 Feb 94 13:58:05 PST

Raw message

From: Stanton McCandlish <mech@eff.org>
Date: Wed, 23 Feb 94 13:58:05 PST
To: eff-staff@eff.org
Subject: NIST Crypto Update (fwd)  - a Feb 4 doc we somehow missed...
Message-ID: <199402232157.QAA26990@eff.org>
MIME-Version: 1.0
Content-Type: text/plain


Forwarded message:
From jet@nas.nasa.gov  Tue Feb 22 19:22:07 1994
Date: Tue, 22 Feb 94 16:22:33 -0800
From: jet@nas.nasa.gov (J. Eric Townsend)
Message-Id: <9402230022.AA27791@boxer.nas.nasa.gov>
To: mech@eff.org
In-Reply-To: 's message of Tue, 15 Feb 1994 11:55:00 GMT
Subject: NIST Crypto Update


[From the NIST Computer Security Bulletin Board]

(EMBARGOED FOR RELEASE: 3:00 P.M., Friday, Feb. 4, 1994)

                           Fact Sheet
                  NIST Cryptography Activities 

Escrowed Encryption Standard

On April 16, 1993, the White House announced that the President
approved a directive on "Public Encryption Management."  Among
other items, the President directed the Secretary of Commerce, in
consultation with other appropriate U.S. agencies, to initiate a
process to write standards to facilitate the procurement and use of
encryption devices fitted with key-escrow microcircuits in federal
communications systems that process sensitive but unclassified
information.  

In response to the President's directive, on July 30, 1993, the
Department of Commerce's National Institute of Standards and
Technology (NIST) announced the voluntary Escrowed Encryption
Standard (EES) as a draft Federal Information Processing Standard
(FIPS) for public comment.  The FIPS would enable federal agencies
to procure escrowed encryption technology when it meets their
requirements; the standard is not to be mandatory for either
federal agency or private sector use. 

During the public review of the draft standard, a group of
independent cryptographers were provided the opportunity to examine
the strength of the classified cryptographic algorithm upon which
the EES is based.  They found that the algorithm provides
significant protection and that it will be 36 years until the cost
of breaking the EES algorithm will be equal to the cost of breaking
the current Data Encryption Standard.  They also found that there
is no significant risk that the algorithm can be broken through a
shortcut method of attack.

Public comments were received by NIST on a wide range of issues
relevant to the EES.  The written comments submitted by interested
parties and other information available to the Department relevant
to this standard were reviewed by NIST.  Nearly all of the comments
received from industry and individuals opposed the adoption of the
standard.   However, many of those comments reflected
misunderstanding or skepticism about the Administration's
statements that the EES would be a voluntary standard.  The
Administration has restated that the EES will be a strictly
voluntary standard available for use as needed to provide more
secure telecommunications.  The standard was found to be
technically sound and to meet federal agency requirements.   NIST
made technical and editorial changes and recommended the standard
for approval by the Secretary of Commerce.  The Secretary now has
approved the EES as a FIPS voluntary standard.
   
In a separate action, the Attorney General has now announced that
NIST has been selected as one of the two trusted agents who will
safeguard components of the escrowed keys.

Digital Signature Standard

In 1991, NIST proposed a draft digital signature standard as a
federal standard for public comment.  Comments were received by NIST
on both technical and patent issues.  NIST has reviewed the
technical comments and made appropriate changes to the draft. 

In order to resolve the patent issues, on June 3, 1993, NIST
proposed a cross-licensing arrangement for a "Digital Signature 
Algorithm" for which NIST has received a patent application.  The
algorithm forms the basis of the proposed digital signature
standard.  Extensive public comments were received on the
proposed arrangement, many of them negative and indicating the need
for royalty-free availability of the algorithm.   The
Administration has now concluded that a royalty-free
digital signature technique is necessary in order to promote
widespread use of this important information security technique. 
NIST is continuing negotiations with the aim of obtaining a
digital signature standard with royalty-free use worldwide.  NIST
also will pursue other technical and legal options to attain that
goal.  

Cooperation with Industry

During the government's review of cryptographic policies and
regulations, NIST requested assistance from the Computer System
Security and Privacy Advisory Board to obtain public
input on a wide range of cryptographic-related issues, including
the key escrow encryption proposal, legal and Constitutional
issues, social and public policy issues, privacy, vendor and
business perspectives, and users' perspectives.  The Board held
five days of public meetings.  Comments obtained by the Board were
useful during the government's review of these
issues.  In addition, NIST met directly with many industry and
public interest organizations, including those on the Digital
Privacy and Security Working Group and the Electronic
Frontier Foundation.  

As directed by the President when the key escrow encryption
initiative was announced, the government continues to be open to
other approaches to key escrowing.  On August 24,
1993, NIST also announced the opportunity to join a Cooperative
Research and Development Agreement (CRADA) to develop secure
software encryption with integrated cryptographic key escrowing
techniques.  Three industry participants have expressed their
interest to NIST in this effort; however, the government still
seeks fuller participation from the commercial software industry. 
NIST now is announcing an opportunity for industry to join in a
CRADA to develop improved and alternative hardware technologies
that contain key escrow encryption capabilities.

Additionally, the Administration has decided to strengthen NIST's
cryptographic capabilities in order to better meet the needs of
U.S. industry and federal agencies.  

2/4/94




-- 
Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist
F O R   M O R E   I N F O,    E - M A I L    T O:     I N F O @ E F F . O R G 
O  P  E  N    P  L  A  T  F  O  R  M     O  N  L  I  N  E    R  I  G  H  T  S
V  I   R   T   U   A   L   C  U   L   T   U   R   E      C  R   Y   P   T   O



