balenson@mimsy.UUCP (David M. Balenson) (01/11/88)
On January 5, 1988, C. William Verity, the Secretary of Commerce, following the recommendation of the National Bureau of Standards (NBS), approved the reaffirmation of the Data Encryption Standard (DES) for another five years, thus ending the second review. An appropriate Federal Register notice announcing the decision is forthcoming. Some of the details of the standard and its second review follow:

FIPS 46, (DES), which was issued on January 15, 1977, specifies an algorithm to be implemented in electronic hardware devices and used for the cryptographic protection of computer data. The standard required that a review would be performed by NBS five years after its effective date, taking into account technological trends and other factors in order to determine whether the standard should be affirmed, revised, or withdrawn. The first review was completed in 1983, and the standard was affirmed with the requirement that a second review take place in 1987.

The second review of FIPS 46 was announced in the Federal Register on March 6, 1987. Comments from industry and the public were invited on three possible alternatives for FIPS 46: the reaffirmation of the standard for another five years and continued validation of DES equipment by NBS; withdrawal of the standard and withdrawal of NBS support to the standard; or revision of the applicability of the standard to specify certain uses such as protection of electronic fund transfers. A memorandum announcing the review of FIPS 46 was also sent to all Federal agencies and State governments.

Thirty-three (33) comments were received. Twelve (12) were from Federal agencies and the remainder were from the private sector. Thirty-one (31) comments supported the reaffirmation of the standard for another 5 years. One organization stated that it had no comments but did not oppose reaffirmation. One organization recommended that FIPS 46 be modified to apply only to protection of financial transactions.
Many of the organizations point out that the DES is already used for financial and other commercial applications. Several voluntary industry standards based on the DES have been adopted for both financial and non-financial uses. Any action short of full reaffirmation of the DES would cast serious unwarranted doubts on the suitability of the DES for any application. Withdrawal of the standard would leave many organizations without adequate protection for their information. Limiting the applicability of the DES to financial transactions would leave many government agencies and commercial organizations without readily available cryptographic protection of their unclassified information.

Information available to NBS indicates that the DES is adequate to protect unclassified computer data for the next five years.

--
David M. Balenson
balenson@mimsy.umd.edu -or- balenson@icst-ssi.arpa
gwyn@brl-smoke.ARPA (Doug Gwyn ) (01/11/88)
In article <10123@mimsy.UUCP> balenson@mimsy.UUCP (David M. Balenson) quotes:
>Withdrawal of the standard would leave many organizations
>without adequate protection for their information.

One would presume that they could continue to operate just as they have been. If it's not currently adequately protected, it won't be in the future, and conversely.