Notice: Information Processing Standards, Federal: Withdrawal of FIPS 46-3, FIPS 74, and FIPS 81
28908 Federal Register / Vol. 70, No. 96 / Thursday, May 19, 2005 / Notices
Guidelines for Implementing and Using the NBS Data Encryption Standard; and FIPS 81, DES Modes of Operation. The Federal Register notice solicited comments from the public, academic and research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations. In addition to being published in the Federal Register, the notice was posted on the NIST Web site.

Comments and questions were received from thirteen private sector organizations or individuals, and two federal government organizations. Seven of the submitted comments supported the withdrawal of the DES. Five comments recognized the inadequacy of the DES and did not oppose the withdrawal, but raised transition issues or suggested that NIST keep the specifications available for private sector organizations that wish to use them or make provisions for continued use of the DES. One industry organization and two individuals opposed the withdrawal of the DES, citing the large investments made in DES technology by their organizations and others.

Following is an analysis of the comments dealing with technical and transition issues.

Comment: NIST should consider allowing the continued use of DES implementations that only decrypt data, enabling agencies to recover the data that they have already encrypted using the DES.

Response: NIST guidance contained in draft Special Publication 800–57, Recommendation for Key Management, Part 1 General Guideline, covers this situation. SP 800–57 expands on guidance issued in Special Publication 800–21, Guideline for Implementing Cryptography in the Federal Government, and recommends that agencies re-encrypt information that had been encrypted using an algorithm and key size that no longer provide adequate protection. Thus, Federal government information that has been encrypted with the DES should be re-encrypted using a FIPS-approved algorithm and an appropriate key size that agencies determine will provide adequate security for the information for the remainder of its life.

Comment: NIST should note certain limits that might be reached when using two-key Triple DES. The recommended safe default when using two-key Triple-DES is to re-key before encrypting 2^40 blocks.

Response: These specific applications and requirements are outside the scope of the recommended action to withdraw FIPS 46–3 and two associated standards.

Comment: NIST should retain the availability of the technique in FIPS 74 that specifies the encryption of numeric data into numeric data. This technique is used to protect customer data that a bank might share with a telemarketing firm.

Response: NIST will place FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard, on NIST's Web page at http://www.itl.nist.gov/fipspubs/ under Withdrawn FIPS. The standard will be marked as inadequate for the protection of Federal government information.

Comment: NIST should provide a timetable and a transition strategy for the discontinuation of the use of DES implementations. NIST should clarify the transition from the use of applied and embedded DES products.

Response: A proposed transition strategy for validating algorithms and cryptographic modules has been posted for public comment on NIST's Web page at http://csrc.nist.gov/cryptval/ under "Notices." The transition plan addresses the use by Federal agencies of DES implementations, which are incorporated in cryptographic modules, and which have been validated under the Cryptographic Module Validation Program. The transition plan allows Federal agencies and vendors to make a smooth transition to stronger cryptographic algorithms such as AES or Triple-DES.

Comment: The DES should be retained because it is widely used in the market.

Response: NIST believes that the DES no longer provides adequate protection for Federal government information, and therefore recommends withdrawal of FIPS 46–3 and associated standards. When FIPS 46–3 was reaffirmed in 1999, the standard stated that NIST could no longer support the use of single DES for many applications, and that agencies with legacy single DES systems should start the transition to Triple DES. The specifications for the standards that have been withdrawn will be placed on NIST's Web page at http://www.itl.nist.gov/fipspubs/ under Withdrawn FIPS. All of the withdrawn standards will be marked as inadequate for the protection of Federal government information, but will be available to private sector organizations that wish to use them.

Comment: FIPS 46–3 and associated standards are used in the commercial world and serve important functions, including use by the entertainment industry for real-time broadcast security, to prevent unrestricted copying of files, and for the security of digital television signals. The standards should be reaffirmed for use by non-government organizations or made available in electronic form to non-government organizations that wish to use them.

Response: The specifications for FIPS 46–3 (DES) and the associated standards will be placed on NIST's Web page at http://www.itl.nist.gov/fipspubs/ under Withdrawn FIPS. All of the withdrawn standards will be marked as inadequate for the protection of Federal government information, but will be available to private sector organizations that wish to use them.

Comment: NIST should issue the Triple-DES as a FIPS and encourage implementers to use both the TDES and the Advanced Encryption Standard in their products.

Response: Although both AES and three-key TDES are considered adequate for the protection of Federal government information for many years, TDES is less efficient and is slightly less secure than AES. In order to encourage the use of AES over TDES, AES has been published as a Standard (FIPS 197), whereas TDES was published as a NIST Recommendation (Special Publication 800–67).

Therefore, as of the date of this Federal Register notice, FIPS 46–3, Data Encryption Standard is withdrawn as it no longer provides the security that is needed to protect Federal government information. FIPS 74, Guidelines for Implementing and Using the NBS Encryption Standard and FIPS 81, DES Modes of Operation, are also withdrawn, as they are associated standards that provide for the implementation and operation of the DES.

Authority: Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002, Public Law 107–347.

E.O. 12866: This notice has been determined to be significant for the purposes of E.O. 12866.

Dated: May 12, 2005.
Hratch G. Semerjian,
Acting Director, NIST.
[FR Doc. 05–9945 Filed 5–18–05; 8:45 am]
BILLING CODE 3510–CN–P