Computer Security Basics

7.6. Government Cryptographic Programs

The government has a keen interest in cryptographic products. NSA, NIST, and the Department of the Treasury have all developed programs for evaluating cryptographic algorithms and products.

7.6.1. NSA

NSA's Communications Security Cryptographic Endorsement Program, introduced earlier in this chapter, evaluates so-called "high-grade" cryptographic products. All algorithms used in high-grade products are designed by NSA and are classified. Chip implementations of the algorithms are provided to vendors with protective coating so they can't be reverse-engineered.

NSA classifies high-grade cryptographic products developed under CCEP as either Type 1 or Type 2:

Type 1

Type 1 products are designed to encrypt classified data; they can also be used to encrypt sensitive unclassified data. An example of a Type 1 product is the Secure Telephone Unit (STU), a telephone that encrypts voice and data communications and provides secure key distribution. STU-II and STU-III are NSA-sponsored projects aimed at developing secure telephones for government agencies and government contractors. The telephones operate over ordinary telephone circuits and use encryption to provide secure voice and data communication. The first versions are being developed by AT&T, General Electric, and Motorola. DoD has recently bought thousands of STU-III units for use by both government employees and contractors. Other Type 1 products include trunk encryption devices and network communications products.

Type 2

Type 2 products are designed to encrypt sensitive unclassified data; the government doesn't allow these products to be used to encrypt classified data. Examples of Type 2 products include authentication devices, transmission security devices, and secure LANs. Type 2 equipment is effectively intended as a replacement for DES-based equipment.

Until recently, NSA's Government Endorsed Data Encryption Standard Equipment Program evaluated products based on the DES algorithm. Although NSA no longer endorses new DES-based products through this program, it does continue to list and provide keys, as necessary, for already endorsed products.

7.6.2. NIST

NIST's cryptographic responsibilities include the development of both standards and validation systems. NIST assists the Department of the Treasury by offering a system that tests the conformance of vendors' systems to the ANSI X9.9 message authentication standard. The system also checks for conformance to FIPS 113 (Computer Data Authentication). The validation is automated and can be initiated remotely via telephone lines. NIST is currently developing a system that tests the conformance of systems to the ANSI X9.17 key management standard. NIST is also working on systems that use digital message authentication codes in place of written signatures in government transactions.

7.6.3. Treasury

Since 1988, the Department of the Treasury has required that all of the department's electronic funds transfer messages be authenticated. The Treasury certifies authentication devices developed by vendors to ensure that they conform to Federal Standard 1027 (DES implementation) as well as to ANSI standard X9.17 (key management). The Electronic Funds Transfer Certification Program for Authentication Devices is aided by technical input and testing services provided by NSA and NIST.
