t byfield on Sun, 28 Jun 1998 19:53:35 +0200 (MET DST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> US FIPS project falters


<http://jya.com/gak-fails.htm>

26 June 1998

----------------------------------------------------------------------------

Date: Fri, 26 Jun 1998 16:03:34 -0500
To: John Young <jya@pipeline.com>
From: Alan Davidson <abd@CDT.ORG>
Subject: Fips Flop

John,

Thought you might be interested in this for Cryptome. The
final letter from NIST's Technical Advisory Committee to Develop a
Federal Information Processing Standard for the Federal Key
Management Infrastructure is attached below.

Regards,

Alan

Alan Davidson, Staff Counsel                 202.637.9800 (v)
Center for Democracy and Technology          202.637.0968 (f)
1634 Eye St. NW, Suite 1100                  <abd@cdt.org>
Washington, DC 20006                         PGP key via finger

-----------------

U.S. effort on encryption "backdoors" ends in failure
 By Aaron Pressman

WASHINGTON, June 25 (Reuters) - A U.S. government panel has failed in a
two-year effort to design a federal computer security system that includes
"back doors," a feature that would enable snooping by law enforcement
agencies, people familiar with the effort said this week.

The failure casts further doubt on the Clinton administration policy --
required for government agencies and strongly encouraged for the private
sector -- of including such back doors in computer encryption technology
used to protect computer data and communications, according to outside
experts.

But administration officials said the panel, which is set to expire in
July, simply needed more time.

 <...>

The 22-member panel appointed by the secretary of commerce in 1996
concluded at a meeting last week that it could not overcome the technical
hurdles involved in creating a large-scale infrastructure that would meet
the needs of law enforcers, panel members said.

The group was tapped to write a formal government plan known as a
"Federal Information Processing Standard," or FIPS, detailing how
government agencies should build systems including back doors.

In a letter to Commerce Secretary William Daley obtained by Reuters, the
panel said it "encountered some significant technical problems that,
without resolution, prevent the development of a useful FIPS."

"Because the focus of this work is security, we feel that it is
critically important that we produce a document that is complete, coherent,
and comprehensive in addressing the many facets of this complex security
technology," the group added. "The attached document does not satisfy these
criteria."

The group is formally known as the Technical Advisory Committee to
Develop a Federal Information Processing Standard for the Federal Key
Management Infrastructure, but with the unwieldy acronym of TACDFIPSFKMI,
members of the panel jokingly referred to themselves as "Bob."

The failure after two years to write a FIPS vindicates the view of
critics of the administration's encryption policy, said Alan Davidson,
staff counsel at the Center for Democracy and Technology, a nonprofit
advocacy group.

"The administration keeps spending taxpayer money to pursue a ...
strategy that's wrong-headed and won't protect security," Davidson said.
"Its own advisory committee can't answer basic questions about how to make
it work for the government, yet they continue to push for its adoption by
everyone, worldwide."

 <...>

Bruce Schneier, a leading cryptography researcher and critic of the
government policy, said the FIPS panel failed because of the impossibility
of meeting the needs of both law enforcers and industry.

 <...>

But Edward Roback, an official with the U.S. National Institution of
Standards and Technology who worked closely with the panel, said the
technical problems the group encountered were surmountable with more time.

 <...>

Friday, 26 June 1998 14:17:59
RTRS [nN25122338]

------------------------------------------------------------------------
Any views expressed in this message are those of the individual  sender,
except  where  the  sender  specifically  states them to be the views of
Reuters Ltd.

------------------------------------------------------------------------
Final Letter From the National Instititue of Standards and Technology (NIST)
Technical Advisory Committee to Develop a Federal Information Processing
Standard for the Federal Key Management Infrastructure

                     June 19, 1998
------------------------------------------------------------------------

Dear Mr. Secretary:

We respectfully submit the attached technical input from the "Technical
Advisory Committee to Develop a Federal Information Processing Standard for
the Federal Key Management Infrastructure" (TAC) for Requirements for Key
Recovery Products.  The TAC is cognizant of the steps you are obligated to
take under various statutes and policies to seek public comment in making
your determination about implementing a Federal Information Processing
Standard.  However, the TAC believes significant, substantive additional
work is necessary before this document will be ready for the next step in
the process. Specifically, we believe that this document is not ready to be
released for public comment, to be used as a basis for generation of answers
to policy questions relevant to a FIPS, or to begin planning for development
of implementation guidance.

With regard to this latter topic, we suggest initiating work on detailed
implementation guidance, once this document is completed. Such guidance will
be essential to the successful deployment of any key recovery system (KRS),
since many aspects of  KRS security are outside the scope of the work we
have undertaken.  We also urge pursuit of conformance testing based on the
NVLAP model, e.g., as employed for FIPS 140-1.  Because of the complexity
and security sensitivity of KRS technology, we do not support vendor
self-declaration of conformance.

The TAC has made substantial progress and a completed version of the work
begun here could provide a basis for the development of a FIPS.  However,
the TAC encountered some significant technical problems that, without
resolution, prevent the development of a useful FIPS. There are unresolved
conflicts among some requirements. In addition, the model that underlies the
product evaluation process is not yet complete.

In retrospect, the time and effort devoted to this task were not sufficient
to develop an adequate set of technical requirements for a FIPS.  Because
the focus of this work is security, we feel that it is critically important
that we produce a document that is complete, coherent, and comprehensive in
addressing the many facets of this complex security technology.  The
attached document does not satisfy these criteria.

The TAC understands that its charter expires in July of 1998.  However, the
TAC has gained much experience during this process, and is willing to
continue to work towards the completion of its initial charge.

As you know, TAC members were appointed for their individual expertise.  The
actions of the TAC do not have the explicit or implicit endorsement of the
corporations or organizations with which its members are affiliated.

On behalf of the TAC, we hope that you find our efforts have been useful,
and we thank you for the opportunity to work on your behalf.

----------------------------------------------------------------------------

More on the committee's final work and documents:

Source: http://csrc.nist.gov/tacdfipsfkmi/

Technical Advisory Committee to Develop a
Federal Information Processing Standard for the
Federal Key Management Infrastructure

The Technical Advisory Committee to Develop a Federal Information Processing
Standard for the Federal Key Management Infrastructure was established by
the Department of Commerce in July, 1996. The Committee, which was formally
chartered on July 24, 1996, held its first meeting on December 5-6, 1996.
The Committee's last meeting was held June 17-19, 1998.

[Excerpts]

                           Meeting Agendas

     1998-05-21 June 17-19, 1998          Meeting  agenda9806.txt
                Agenda                             [908 bytes]

                   Materials from June 1998 Meeting


 June 19,
 1998         Revised Cover Letter (6/19/98)        revisedcover.txt
 June 19,     Revised Assembled Document (6/19/98)
 1998         (MS Word '97)                         revisedFIPS9806.doc
 June 1998    Discussion Draft Cover Letter         cover.txt

 June 1998    Draft Assembled Document (MS Word     FIPS698_Word97.doc
           '97) Original

 June 1998    Draft Assembled Document (MS Word 6 / FIPS698_Word95.doc
           '95)
 June 1998    Draft Assembled Document text format  FIPS698.txt
---
#  distributed via nettime-l : no commercial use without permission
#  <nettime> is a closed moderated mailinglist for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@desk.nl and "info nettime-l" in the msg body
#  URL: http://www.desk.nl/~nettime/  contact: nettime-owner@desk.nl