
A LETTER FROM THE NATIONAL COMPUTER SYSTEMS LABORATORY
No. 29 February 1990


DATA ENCRYPTION STANDARD: THE KEY TO INFORMATION SECURITY

In response to the many questions we receive about the Data
Encryption Standard (DES), we have developed a DES Fact Sheet
which covers all aspects of the standard and its applicability.
Highlights of the DES Fact Sheet follow.

Background

Protecting the confidentiality and integrity of sensitive
unclassified information in federal computer systems has been a
key goal of NCSL since the inception of its computer security
program in 1972. Federal Information Processing Standard (FIPS)
46, Data Encryption Standard (DES), was issued in 1977. FIPS 46
is based upon work by the International Business Machines
Corporation and has been approved as American National Standard
X3.92-1981/R1987. DES has been reaffirmed twice, most recently
in 1988. The current FIPS 46-1 reaffirms the standard until
1993.

How does DES work?

DES specifies a cryptographic algorithm that converts plaintext
to ciphertext using a key, a process called encryption. The same
algorithm used with the same key converts ciphertext back to
plaintext in the reverse process called decryption. DES involves
16 rounds of operations that mix the data and key together in a
prescribed manner. The result is a complete scramble of data and
key so that no correlation exists between the ciphertext and
either the original data or key.

How does DES provide security?

The security provided by DES depends on the following factors:

o mathematical soundness,

o length of key,

o key management,

o input data formatting,

o mode of operation,

o implementation,

o application, and

o threat.

Several organizations have evaluated DES and found the standard
to be mathematically sound. NCSL has determined that at least
until 1993, DES will continue to provide more than adequate
security for its intended applications. Applications which use
DES include Electronic Funds Transfer, privacy protection of
personal information, personal authentication, password
protection, and access control.
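
The following Python program is an added illustration; it is not from the
newsletter or the DES Fact Sheet and it is not DES. It is a toy 16-round
Feistel cipher with a hypothetical SHA-256-based round function and key
schedule (real DES uses an expansion, S-boxes and permutations in that place).
It shows the two structural points made in "How does DES work?": the rounds mix
data and key, and decryption is the same routine run with the same key but the
round subkeys in reverse order. It also shows why "mode of operation" and
"input data formatting" appear in the list of security factors: the ECB and CBC
functions encrypt the same repeated input differently. KEY, IV and MESSAGE are
constructed sample values.

```python
"""Toy 16-round Feistel cipher (added illustration, not DES and not NIST code).

The round function and key schedule are hypothetical stand-ins built on
SHA-256; they only need to be keyed, not invertible, for the Feistel
structure to decrypt correctly."""
import hashlib

BLOCK_BYTES = 8    # 64-bit block, the DES block size
HALF = BLOCK_BYTES // 2
ROUNDS = 16        # the 16 rounds mentioned in the newsletter


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list:
    """Hypothetical key schedule: one 32-bit subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]


def round_function(half: bytes, subkey: bytes) -> bytes:
    """Hypothetical round function F mixing one half of the block with a subkey."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def feistel(block: bytes, subkeys: list) -> bytes:
    """Run the rounds; the final swap makes the routine its own inverse
    when the subkeys are supplied in reverse order."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    return right + left


def encrypt_block(key: bytes, plaintext: bytes) -> bytes:
    return feistel(plaintext, round_keys(key))


def decrypt_block(key: bytes, ciphertext: bytes) -> bytes:
    # Same algorithm, same key; only the subkey order is reversed.
    return feistel(ciphertext, round_keys(key)[::-1])


def _check_len(data: bytes) -> None:
    if len(data) % BLOCK_BYTES:
        raise ValueError("data must be a multiple of the block size (pad it first)")


def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """Electronic codebook: every block is encrypted independently."""
    _check_len(data)
    return b"".join(encrypt_block(key, data[i:i + BLOCK_BYTES])
                    for i in range(0, len(data), BLOCK_BYTES))


def encrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cipher block chaining: each block is XORed with the previous ciphertext."""
    _check_len(data)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK_BYTES):
        prev = encrypt_block(key, xor(data[i:i + BLOCK_BYTES], prev))
        out.append(prev)
    return b"".join(out)


def decrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    _check_len(data)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK_BYTES):
        block = data[i:i + BLOCK_BYTES]
        out.append(xor(decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


# Constructed sample values; not a real key or message.
KEY = b"constructed-key"
IV = bytes(range(BLOCK_BYTES))
MESSAGE = b"SAME BLKSAME BLK"   # two identical 8-byte blocks


def demo() -> dict:
    ecb = encrypt_ecb(KEY, MESSAGE)
    cbc = encrypt_cbc(KEY, IV, MESSAGE)
    return {
        "round_trip": decrypt_cbc(KEY, IV, cbc) == MESSAGE,
        "ecb_repeats": ecb[:BLOCK_BYTES] == ecb[BLOCK_BYTES:],  # ECB leaks repeated blocks
        "cbc_repeats": cbc[:BLOCK_BYTES] == cbc[BLOCK_BYTES:],  # CBC hides them
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The ECB result is the practical reason the newsletter lists mode of operation
and input data formatting alongside the algorithm itself: the same sound block
cipher still reveals that two plaintext blocks were equal unless a chaining
mode (and, for data that is not a multiple of the block size, a padding rule)
is chosen.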

Applicability of DES

Subject to agency waivers, the use of DES is mandatory for all
federal agencies, including defense agencies, for the protection
of sensitive unclassified data communications (except information
covered by 10 U.S.C. Section 2315) when the agency determines
that cryptographic protection is required. Note that the use of
DES is currently applicable only to the protection of data
communications. Private-sector individuals or organizations may
use DES at their discretion.

Heads of federal agencies may waive the mandatory use of DES
when:

o compliance with the standard would adversely affect the
accomplishment of the mission of an operator of a federal
computer system; or

o compliance would cause a major adverse financial impact on
the operator which is not offset by governmentwide savings.

Endorsement of DES Products

The National Security Agency (NSA) no longer endorses DES
products for use in telecommunications equipment and systems for
conformance to FIPS 140 (formerly Federal Standard 1027). NCSL
has notified federal agencies that they may wish to waive FIPS
140 in order to buy equipment which may not meet all requirements
of the standard. This action enables agencies to procure
cost-effective equipment that meets their needs, but has not been
endorsed by NSA. FIPS 140 is being revised; in the interim,
agencies may accept written affirmation of conformance to FIPS
140 from vendors as sufficient indication of conformance.

DES Fact Sheet

The DES Fact Sheet is available at no charge from the following
address:

DES Fact Sheet
National Computer Systems Laboratory
Room B64, Technology Building
National Institute of Standards and Technology
Gaithersburg, MD 20899
(301) 975-2821

Alternatively, you may access our NCSL Computer Security Bulletin
Board and download the DES Fact Sheet. To access the board, you
need a standard ASCII terminal (or PC with communications
capabilities) set up with the following parameters: baud rate -
300, 1200, or 2400; data bits - 8 with no parity or 7 with even
parity; and stop bits - 1. Dial (301) 948-5717 and after the
CONNECT message is displayed, strike the carriage return twice.
The DES file is located in the "File Subsystem" under the
"General Information (1)" Directory. The ten-page file can only
be viewed by downloading it. Instructions for downloading are
available in the "Bulletin Topics Menu" under the "Using the BBS
(1)" Directory.

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES

FIPS For COBOL Revised

The Secretary of Commerce has approved a revision of FIPS 21-2,
COBOL, to be published as FIPS 21-3. To be effective June 29,
1990, the revised standard adopts American National Standard
Programming Language COBOL, ANSI X3.23-1985 and X3.23A-1989 for
federal agency use. FIPS 21-3 adds an Intrinsic Function
facility to the COBOL specifications. FIPS COBOL is one of the
high-level programming language standards provided for use by all
federal agencies. The language is especially suited for
applications that emphasize the manipulation of characters,
records, files, and input/output (in contrast to those primarily
concerned with scientific and numeric computations). FIPS 21-3
will be available through NTIS.

Revision of FIPS Structured Query Language (SQL) Approved

FIPS 127, Database Language SQL, has been revised and will be
published as FIPS 127-1. The revised standard adopts American
National Standard Database Language SQL with Integrity
Enhancement, ANSI X3.135-1989, and American National Standard
Database Language Embedded SQL, ANSI X3.168-1989. FIPS 127-1
offers new conformance alternatives, new programming language
interfaces, a new integrity enhancement option, clarification and
correction of existing specifications, and additional
considerations for use in procurements. It does not contain any
new requirements that would make an existing conforming
implementation nonconforming. FIPS 127-1 will be available
through NTIS.

NCSL HOSTS INTERAGENCY COMPUTER SECURITY MANAGERS MEETING

Lynn McNulty, Associate Director for Computer Security, recently
hosted the first meeting of the Federal Computer Security Program
Managers Forum. The purpose of the meeting was to share
information with federal personnel who manage operational
computer security organizations responsible for the protection of
sensitive unclassified information. Representatives from
approximately thirty agencies and departments attended, including
all four military services.

McNulty discussed two projects that his office is undertaking.
The first is to develop a special publication to provide guidance
to federal agencies on the management and organization of a
computer security program. Additionally, his office is examining
how the federal personnel system is used to hire computer
security professionals and hopes to convince the Office of
Personnel Management to recognize computer security as a separate
professional series.

Participants were provided the latest information on NCSL's
efforts in virus prevention, awareness publications, and
interagency computer assistance activities. The group also
addressed whether NCSL should establish a standing interagency
body to address policy issues. McNulty will chair regular Forum
meetings to share computer security information among the federal
participants.

NCSL SEEKS AUTOMATED PASSWORD GENERATORS

We are seeking contributions of existing automated password and
passphrase generators from the commercial, industrial, and
academic computer security communities. These generators will be
evaluated for use in federal systems that require automated
password and passphrase generation. Responses should be sent to
Lawrence Keys, A216, Technology Building, National Institute of
Standards and Technology, Gaithersburg, MD 20899 or call Larry at
(301) 975-5482.

GRAPHICS VALIDATION TEST SUITES TO BE DEMONSTRATED

Our Information Systems Engineering Division will demonstrate its
graphics validation test suites at the National Computer Graphics
Association (NCGA) '90 Conference and Exposition in Anaheim, CA
on March 19-22. The test suites determine if a specified
implementation conforms to the corresponding ANSI and FIPS
graphics standards. Test suites will be run for the following
standards: Graphical Kernel System (GKS); Programmer's
Hierarchical Interactive Graphics System (PHIGS); Computer
Graphics Metafile (CGM); and Structured Query Language (SQL).

Implementors can use the test suite to improve their products and
help ensure correct implementation of the graphics standard.
Vendors with conforming products benefit by improving their
competitive edge; users benefit from an open marketplace and
increased confidence in these products.

For information about the NCSL exhibit, contact Lynne S.
Rosenthal, A266, Technology Building, National Institute of
Standards and Technology, Gaithersburg, MD 20899, (301) 975-3353.

For information about the conference in general, contact NCGA,
2722 Merrilee Drive, Suite 200, Fairfax, VA 22031,
(800) 225-NCGA.

UPDATE ON NEW PUBLICATIONS

NCSL publishes the results of studies, investigations, and
research. The reports listed below may be ordered from the
following sources as indicated for each:

*Superintendent of Documents
U.S. Government Printing Office (GPO)
Washington, DC 20402
Telephone (202) 783-3238

*National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703) 487-4650

Report of the Invitational Workshop on Data Integrity
By Zella G. Ruthberg and William T. Polk
NIST Spec. Pub. 500-168
September 1989
SN003-003-02966-1
Order from GPO

This publication contains the proceedings of the second
invitational workshop on computer integrity issues which took
place at NIST on January 25-27, 1989. Attended by 66 invited
participants who are currently working in some aspect of data
integrity, the workshop addressed such topics as data integrity
models, data quality, integrity controls, and certification of
transformation procedures that preserve data integrity. Results
of the first workshop held in October 1987 which addressed
integrity policy in computer information systems are contained in
NIST Special Publication 500-160.

Executive Guide to the Protection of Information Resources
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
NIST Spec. Pub. 500-169
October 1989
SN003-003-02969-6 $1.50
Order from GPO (also available on NCSL Computer Security Bulletin
Board)

This guide assists executives in addressing a host of questions
regarding the protection and safety of computer systems and their
information resources. The publication introduces information
systems security concerns, outlines the management issues that
must be addressed by agency policies and programs, and describes
essential components of an effective implementation process.

Management Guide to the Protection of Information Resources
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
NIST Spec. Pub. 500-170
October 1989
SN003-003-02968-8 $1.75
Order from GPO (also available on NCSL Computer Security Bulletin
Board)

This guide introduces information systems security concerns and
outlines the issues that must be addressed by all agency managers
in meeting their responsibilities to protect information systems
within their organizations. It describes essential components of
an effective information resource protection process that applies
to a stand-alone personal computer or to a large data processing
facility.

Computer User's Guide to the Protection of Information Resources
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
NIST Spec. Pub. 500-171
October 1989
SN003-003-02970-0 $1.00
Order from GPO (also available on NCSL Computer Security Bulletin
Board)

Computers have changed the way we handle our information
resources. Large amounts of information are stored in one
central place with the ability to be accessed from remote
locations. Users have a personal responsibility for the security
of the system and the data stored in it. This document outlines
the user's responsibilities and provides security and control
guidelines to be implemented.

Computer Security Training Guidelines
By Mary Anne Todd and Constance Guitian
NIST Spec. Pub. 500-172
November 1989
SN003-003-02975-1 $2.50
Order from GPO

This guideline provides a framework for determining the training
needs of employees involved with computer systems. It describes
the learning objectives of agency computer security training
programs -- what the employee should know and be able to direct
or actually perform -- so that agencies may use the guidance to
develop or acquire training programs that fit the agency
environment.

Guide to Data Administration
By Bruce K. Rosen and Margaret H. Law
NIST Spec. Pub. 500-173
October 1989
SN003-003-02967-0 $4.25
Order from GPO

This guide provides a reference model for the various activities
performed by information resource management, data
administration, data modeling tools administration, and database
administration. Data administration is responsible for defining
an information architecture. The guide describes computing tools
useful for data administration, such as data dictionary systems
and computer-aided software engineering (CASE) tools.

Guide for Selecting Automated Risk Analysis Tools
By Irene E. Gilbert
NIST Spec. Pub. 500-174
October 1989
SN003-003-02971-8 $2.00
Order from GPO

This document recommends a process for selecting automated risk
analysis tools, describing important considerations for
developing selection criteria for acquiring risk analysis
software. The report describes three essential elements that
should be present in an automated risk analysis tool: data
collection, analysis, and output results. It is intended
primarily for managers and those responsible for managing risks
in computer and telecommunications systems.

Management of Networks Based on Open Systems Interconnection
(OSI) Standards: Functional Requirements and Analysis
By Robert Aronoff, Michael Chernick, Karen Hsing, Kevin Mills,
and Daniel Stokesberry
NIST Spec. Pub. 500-175
November 1989
SN003-003-02986-6 $7.00
Order from GPO

This publication examines current and proposed network management
systems to determine both user and functional requirements for
network management. The report compares the derived functional
requirements to emerging standards to determine where and how
requirements are being met. The examination of requirements
focuses on those necessary for interoperability in the following
broad areas: architecture, configuration management, fault
management, security management, performance management, and
accounting management.

A Detailed Description of the Knowledge-Based System for Physical
Database Design
(two volumes)
By Christopher E. Dabrowski
NISTIR 89-4139-1
August 1989
PB 89 228993 $17.00
NISTIR 89-4139-2
PB 89 229033 $23.00

A knowledge-based system for physical database design developed
at NCSL has previously been described in NIST Spec. Pub. 500-151.
This follow-up report to that publication describes the knowledge
base for the system in detail. The description includes a
complete explanation of each component of the knowledge base
together with the actual rules used by the system.

Working Implementation Agreements for Open Systems
Interconnection Protocols
Tim Boland, Editor
NISTIR 89-4140
August 1989
PB 89-235931 $36.95
Order from NTIS

This document records current agreements on implementation
details of Open Systems Interconnection (OSI) protocols among the
organizations participating in the NIST/OSI Workshop for
Implementors of OSI. The document is based on the proceedings of
the workshop plenary assembly held June 16, 1989. Decisions are
documented to facilitate organizations in their understanding of
the status of agreements.

UPCOMING TECHNICAL CONFERENCES

North American ISDN Users' Forum
This conference will address many concerns over a broad range of
Integrated Services Digital Network (ISDN) issues and will seek
to reach consensus on ISDN Implementation Agreements.
Participants will include ISDN users, implementors, and service
providers.
Date: March 6-9, 1990
Place: Dallas, TX
Date: August 6-9, 1990
Place: NIST, Gaithersburg, MD
Date: November 5-8, 1990
Place: NIST, Gaithersburg, MD
Contact: Dawn Hoffman
(301) 975-2937
FTS 879-2937

NIST Workshop for Implementors of OSI
This workshop is part of a continuing series to develop
implementation specifications from international standard design
specifications for computer network protocols.
Sponsors: NIST and the IEEE Computer Society
Dates: March 12-16, 1990
June 18-22, 1990
September 10-14, 1990
December 10-14, 1990
Place: NIST, Gaithersburg, MD
Contact: Brenda Gray
(301) 975-3664
FTS 879-3664

Data Administration Management Association Annual Symposium
Data administration techniques and approaches will be discussed
in a forum for the exchange of ideas and resolution of problems.
Sponsors: NIST, FEDMUG, and Data Administration Management
Association
Date: May 7-8, 1990
Place: NIST, Gaithersburg, MD
Contact: Judith Newton
(301) 975-3256
FTS 879-3256

Applications Portability Profile (APP) Workshop
This workshop is designed as a user's forum to discuss the latest
developments in the APP.
Date: May 9, 1990
Place: NIST, Gaithersburg, MD
Contact: James Hall
(301) 975-3273
FTS 879-3273

COMPASS '90
The purpose of this conference is to identify the meaning of
computer assurance, the techniques needed to achieve it, and
their limitation.
Sponsors: NIST, IEEE Aerospace & Electronics Systems Society,
and IEEE National Capital Area Council
Date: June 25-29, 1990
Place: NIST, Gaithersburg, MD
Contact: Dolores Wallace
(301) 975-3340
FTS 879-3340

If you are interested in receiving our newsletter, send your
name, organization, and mailing address to: NCSL Newsletter,
National Institute of Standards and Technology, Room B151,
Technology Building, Gaithersburg, MD 20899.