THE DATA ENCRYPTION STANDARD: AN UPDATE

 

 

This CSL Bulletin provides updated information on the Data Encryption Standard (DES) which was revised in 1993 and issued as Federal Information Processing Standard (FIPS) 46-2.

 

 

Background

 

NIST (formerly the National Bureau of Standards) issued the Data Encryption Standard (DES) in 1977 to provide an encryption algorithm for use in protecting federal unclassified information from unauthorized disclosure or undetected modification during transmission or while in storage. The standard required NIST to conduct a review every five years to determine whether the cryptographic algorithm specified by the standard should be affirmed, revised or withdrawn. The first review resulted in the reaffirmation of the standard in 1983; the standard was again reaffirmed in 1988 following a second review; the third review was completed in 1993.

 

FIPS 46-2, which was issued following the third review, reaffirms the DES until 1998. The DES is based on work of the International Business Machines Corporation and has been adopted as American National Standard X3.92-1981/R1987.

 

 

Technical Overview

 

The DES is a publicly known cryptographic algorithm that converts plaintext to ciphertext using a 56-bit key. The same algorithm is used with the same key to convert ciphertext back to plaintext, a process called decryption. The DES consists of 16 "rounds" of operations that mix the data and key together in a prescribed manner using the fundamental operations of permutation and substitution. The goal is to completely scramble the data and key so that every bit of the ciphertext depends on every bit of the data plus every bit of the key (a 56-bit quantity for DES).

 

Authorized users of encrypted computer data must have the key that was used to encrypt the data in order to decrypt it. The unique key chosen for use in a particular application makes the results of encrypting data using the algorithm unique. Using a different key causes different results. The cryptographic security of the data depends on the security provided for the key used to encrypt and decrypt the data. FIPS 171, Key Management Using ANSI X9.17, provides approved methods for managing the keys used by the DES.

 

 

Security Provided by the DES

 

The security provided by a cryptographic system depends on the mathematical soundness of the algorithm, length of the keys, key management, mode of operation, and implementation.

The DES was developed to protect unclassified computer data in federal computer systems against a number of passive and active attacks in communications and computer systems. It was assumed that a knowledgeable person might seek to compromise the security system by employing resources commensurate with the value of the protected information. Agencies determining that cryptographic protection is needed based on an analysis of risks and threats can use the DES for applications such as electronic funds transfer, privacy protection of personal information, personal authentication, password protection, and access control.

The DES has been evaluated by several organizations and has been found to be mathematically sound. Some individuals have analyzed the DES algorithm and have concluded that the algorithm would not be secure if a particular change were made (e.g., if fewer "rounds" were used). Modifications of this sort are not in accordance with the standard and, therefore, may provide significantly less security.

NIST believes that DES provides adequate security for its intended unclassified applications. The algorithm is also widely used by the private sector. NIST will continue to evaluate the security provided by the DES. At the next review in 1998, the algorithm specified in the standard will be over 20 years old. At that time, NIST will consider alternatives that offer a higher level of security for possible replacement of the DES.

 

Other Cryptographic Standards

 

For many years, the DES was the only FIPS available for federal encryption requirements. Changing technology has created new requirements for different kinds of protection for special applications. FIPS 46-2 allows for the use of other FIPS-approved cryptographic algorithms in addition to, or in lieu of, the DES, when such algorithms are implemented in accordance with FIPS 140-1.

 

FIPS 140-1, Security Requirements for Cryptographic Modules, was issued in January 1994. This standard defines levels of security for the cryptographic modules which perform cryptographic processes. Cryptographic modules include the hardware, software, firmware, or some combination thereof, that implements cryptographic logic or processes. The standard provides for four increasing, qualitative levels of security and covers module design and documentation, interfaces, authorized roles and services, physical security, software security, operating system security, key management, and other issues. FIPS 140-1 replaces FIPS 140, General Security Requirements for Equipment Using the Data Encryption Standard (formerly Federal Standard 1027). See the Validation section below for a discussion of the acquisition of FIPS 140 devices.

In 1994, NIST issued FIPS 185, Escrowed Encryption Standard (EES), which is suitable for use in telephone communications that are circuit-switched and use a commercial modem to transmit digital data. This standard specifies a technology developed by the federal government to provide strong encryption protection for unclassified information and also to provide for the escrowing of device keys. The standard provides for lawfully authorized access to the keys required to decipher enciphered information. The escrowed encryption technology is to be implemented in electronic devices. The specifications for the algorithm (SKIPJACK) and for the Law Enforcement Access Field (LEAF) are classified. FIPS 185 does not mandate the use of escrowed encryption devices by federal government agencies, the private sector or other levels of government. Such use is totally voluntary when organizations require the key escrow features.

 

FIPS 186, Digital Signature Standard (DSS), provides cryptographic techniques for generating and verifying electronic signatures for applications requiring authentication of data integrity and the identity of the signer. FIPS 180, Secure Hash Standard, provides the hash function used in generating and verifying digital signatures.

 

 

Implementation of the DES

 

Early versions of the DES required that the encryption algorithm be implemented in electronic hardware and firmware. FIPS 46-2 allows for implementation of the cryptographic algorithm in software, firmware, hardware, or any combination thereof to enable more flexible, cost-effective implementations.

 

Applicability

The DES is for use by federal departments and agencies when agency officials determine that cryptographic protection of information is required and the data is not classified according to the National Security Act of 1947, as amended, or the Atomic Energy Act of 1954, as amended. Federal organizations that use cryptographic devices for protecting classified data can also use those devices for protecting unclassified data instead of the DES.

 

The National Security Agency (NSA) of the U.S. Department of Defense develops and promulgates requirements for telecommunications and automated information systems operated by the U.S. government, its contractors, or agents, that contain classified information or, as delineated in 10 U.S.C. Section 2315, the function, operation, or use of which:

 

 involves intelligence activities;

 involves cryptologic activities related to national security;

 involves the direct command and control of military forces;

 involves equipment which is an integral part of a weapon or weapon systems; or

 is critical to the direct fulfillment of a military or intelligence mission.

 

The term unclassified information as used in this bulletin excludes information covered by 10 U.S.C. 2315.

 

 

Waivers for the Mandatory Use of the DES

 

The head of a federal department or agency may waive the use of the DES for the protection of unclassified information in accordance with the provisions of FIPS 46-2. A waiver is necessary if cryptographic modules performing an algorithm other than the DES or another FIPS-approved algorithm are to be used by a federal agency. No waiver is necessary if communications security equipment approved for the protection of classified information is to be used.

 

 

DES Cryptographic Keys

 

U.S. government users of DES products which NSA had previously endorsed for compliance with Federal Standard 1027 may obtain DES cryptographic keys for these products from NSA upon request at no cost. NSA is no longer endorsing products under Federal Standard 1027. Contact your responsible Communications Security (COMSEC) officer for further information.

 

Alternatively, users of DES, including federal organizations, may generate their own cryptographic keys. DES keys must be properly generated and managed in order to assure a high level of protection to computer data. Key Management includes generation, distribution, storage, and destruction of the cryptographic keys used in the encryption and decryption processes. Information on this subject is included in FIPS 74, FIPS 140-1, and FIPS 171. See the reference list.
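An added example, not part of the original bulletin: generating a DES key from a cryptographically secure random source. The 8-byte odd-parity key layout and the four weak-key values come from the DES specification and the published literature rather than from this bulletin; all function names are illustrative.

```python
import secrets

# The four DES weak keys in odd-parity form. With any of these, encrypting
# twice returns the plaintext. Semi-weak keys are not checked in this example.
WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def expand_with_parity(key56: int) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits each) and set each byte's
    least significant bit so that the byte has odd parity."""
    if not 0 <= key56 < (1 << 56):
        raise ValueError("key material must fit in exactly 56 bits")
    out = bytearray()
    for i in range(8):
        seven = (key56 >> (49 - 7 * i)) & 0x7F
        parity = 1 - (bin(seven).count("1") & 1)  # make the count of ones odd
        out.append((seven << 1) | parity)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """Check an 8-byte DES key as received, e.g. before loading it."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def effective_bits(key: bytes) -> int:
    """Return the 56 bits the algorithm actually uses (parity bits dropped)."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def generate_des_key() -> bytes:
    """Draw 56 bits from the OS CSPRNG and reject the weak keys."""
    while True:
        key = expand_with_parity(secrets.randbits(56))
        if key not in WEAK_KEYS:
            return key
```

Generation is only the first of the key-management steps the bulletin lists; distribution, storage, and destruction are covered by the FIPS documents it cites.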

 

 

Exportability of DES Devices and Software Products

 

Hardware- and software-based implementations of DES are subject to federal export controls as specified in Title 22, Code of Federal Regulations (CFR), Parts 120-130, the International Traffic in Arms Regulations (ITAR). Specific information regarding export applications, application procedures, types of licenses, and necessary forms may be found in the CFR. Responsibility for granting export licenses (except for those DES implementations noted below) rests with:

 

Office of Defense Trade Controls

Bureau of Political-Military Affairs

U.S. Department of State

Washington, DC 20522-0602

Telephone (703) 875-6650

 

The Office of Defense Trade Controls, U.S. Department of State, issues either individual or distribution licenses. Under a distribution license, annual reports must be submitted by the distributor describing to whom the licensed products have been sold. License requests for products to be shipped to certain prohibited countries (see Section 126.1 of the ITAR) are denied for foreign policy reasons by the Department of State. Licenses are normally granted if the end users are either financial institutions or American subsidiaries abroad.

 

 

Specific Cryptographic Implementations under Jurisdiction of the Department of Commerce

 

The Bureau of Export Administration, U.S. Department of Commerce, is responsible for the granting of export licenses for the following categories of cryptographic products (including DES):

 

 Authentication. Software or hardware which calculates a Message Authentication Code (MAC) or similar result to assure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text, or other media other than that needed for the authentication.

 Access Control. Software or hardware which protects passwords or Personal Identification Numbers (PINs) or similar data to prevent unauthorized access to computing facilities, but does not allow for encryption of files or text, except as directly related to password or PIN protection.

 Proprietary Software Protection. Decryption-only routines for encrypted proprietary software, fonts, or other computer-related proprietary information for the purpose of maintaining vendor control over said information when such decryption routines are not accessible to users of said software, font, or other information, and cannot be used for any other purpose.

 Automatic Teller Devices. Devices limited to the issuance of cash or traveler's checks, acceptance of deposits, or account balance reporting.

 

Vendors of products in the above four categories should contact the following for a product classification determination:

 

Bureau of Export Administration

U.S. Department of Commerce

P.O. Box 273

Washington, DC 20044

Telephone (202) 482-4811

 

Following this determination, the vendor will be informed whether an export license from the U.S. Department of Commerce is necessary. The Bureau of Export Administration will provide vendors with license procedures and further information as appropriate.

 

Please note that vendors whose products do not fall clearly into the above categories should follow procedures set forth in the ITAR, 22 CFR 120-130.

 

FIPS 140-1 places additional requirements on cryptographic modules that implement the DES. NIST is establishing a validation system for FIPS 140-1 products. Until the validation system is in operation, agencies may purchase equipment with FIPS 140-1 modules that have been affirmed in writing by the manufacturer as complying with the standard. A copy of the written affirmation should be sent to the Director, Computer Systems Laboratory, NIST, B154 Technology, Gaithersburg, MD 20899-0001.

 

Additionally, until June 1997, federal agencies may purchase FIPS 140 (former Federal Standard 1027) products that had been validated under the endorsement program that NSA previously operated. Agencies may also buy FIPS 140 products that have not been validated by NSA if the vendor submits a written affirmation that the products are in conformance with the provisions of FIPS 140. A copy of the written affirmation should be sent to the Director of the Computer Systems Laboratory, address as above.

 

NIST also performs validations of products for compliance with FIPS 113 and 171. For further information about submitting products for validation, please contact:

Manager, Security Technology Group

Computer Security Division

National Institute of Standards and Technology

Building 225, Room A216

Gaithersburg, MD 20899-0001

Telephone (301) 975-2920

 

 

Information About Validated Products

 

NIST validates DES implementations for conformance to FIPS 46-2. When the DES is implemented in software, the processor and operating system on which the algorithm runs must be specified as part of the validation process. Validated implementations are listed in the Validated Products List (VPL) which is updated and issued quarterly by NIST. Copies of the VPL may be obtained from:

 

National Technical Information Service

U.S. Department of Commerce

5285 Port Royal Road

Springfield, VA 22151

Subscriptions (703) 487-4630

Individual Copies (703) 487-4650

Ordering Number PB95-937301

 

The entries in the printed VPL are contained in WordPerfect Version 5.1 files and may be accessed on the Internet using the instructions listed below.

 

Type: ftp speckle.ncsl.nist.gov (Internet address is 129.6.59.2)

Login as user ftp

Type your e-mail address preceded by a dash (-) as the password

Type: cd vpl

Type: binary

Type: get and the name of the file you want, e.g., language

 

For a list of FIPS 140 and FIPS 140-1 products that have been affirmed by the manufacturer, contact the Manager, Security Technology Group, Computer Security Division, Building 225, Room A216, National Institute of Standards and Technology, Gaithersburg, MD 20899-0001, telephone (301) 975-2920.

 

 

Reference Documents

 

NIST Publication List 91, Computer Security Publications, describes CSL's publications, bulletins, and electronic resources for computer security information. Call (301) 975-2821 or e-mail dward@enh.nist.gov for a complimentary copy.

The following FIPS and other publications are available for sale by the:

 

National Technical Information Service

U.S. Department of Commerce

5285 Port Royal Road

Springfield, VA 22161

Telephone (703) 487-4650; rush service (800) 553-6847

Fax (703) 321-8547 or (703) 321-9038

 

FIPS 46-2, Data Encryption Standard

This standard provides the technical specifications for the Data Encryption Algorithm.

FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard

This guideline on DES discusses how and when data encryption should be used, various encryption methods, the reduction of security threats, implementation of DES, and key management.

FIPS 81, DES Modes of Operation

FIPS 81 defines four modes of operation for DES which may be used in a wide variety of applications. The modes specify how data will be encrypted and decrypted. The four modes are: (1) Electronic Codebook (ECB), (2) Cipher Block Chaining (CBC), (3) Cipher Feedback (CFB), and (4) Output Feedback (OFB).

FIPS 113, Computer Data Authentication

This standard specifies a Data Authentication Algorithm, based upon DES, which may be used to detect unauthorized modifications, both intentional and accidental, to data. The Message Authentication Code as specified in ANSI X9.9 is computed in the same manner as the Data Authentication Code as specified in this standard.

FIPS 139, Interoperability and Security Requirements for Use of the Data Encryption Standard in the Physical Layer of Data Communications

This standard specifies interoperability and security-related requirements for using encryption at the Physical Layer of the ISO Open Systems Interconnection (OSI) Reference Model in telecommunications systems conveying digital information. FIPS 139 was previously issued by the General Services Administration as Federal Standard 1026.

FIPS 140-1, Security Requirements for Cryptographic Modules

This standard specifies the security requirements that are to be satisfied by a cryptographic module utilized within a security system protecting unclassified information within computer and telecommunication systems.

FIPS 141, Interoperability and Security Requirements for Use of the Data Encryption Standard With CCITT Group 3 Facsimile Equipment

This document specifies interoperability and security-related requirements for use of encryption with the International Telegraph and Telephone