CRYPTOGRAPHIC STANDARDS AND GUIDELINES: A STATUS REPORT
By Elaine Barker
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Introduction
The Computer Security Division within NIST's Information Technology Laboratory is
responsible for the development of cryptographic standards and guidelines for the protection of
the sensitive, unclassified information of federal government agencies. A comprehensive toolkit
of cryptographic standards and associated guidance that covers a wide range of cryptographic
technology is nearing completion. These standards and guidelines will enable federal
government agencies to select cryptographic security components and functionality for
protecting their data communications and operations.
The toolkit consists of standards for encryption, digital signatures, secure hashing, message
(data) authentication codes, key management, entity authentication, password usage, and random
number generation. The current standards and guidelines are available at
http://csrc.nist.gov/publications/. Links to information on standards and guidelines under
development are provided below.
The Computer Security Division and the Communications Security Establishment of the
Government of Canada coordinate a validation program with independent accredited testing
laboratories that validate conformance to Federal Information Processing Standard (FIPS) 140-2,
Security Requirements for Cryptographic Modules. The Cryptographic Module Validation
Program (CMVP) includes the validation of implementations of many of the cryptographic
standards and guidelines developed by NIST. Information is available about the CMVP at
http://csrc.nist.gov/cryptval/.
Encryption
Encryption provides confidentiality for data. The data to be protected is called plaintext.
Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an
encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key.
Several algorithms have been approved in FIPS for the encryption of general-purpose data. Each
of these algorithms is a symmetric key algorithm, where the encryption key is the same as the
decryption key. In order to maintain the confidentiality of the data encrypted by a key, the key
must be known only by the entities that are authorized to access the data. These symmetric key
algorithms are commonly known as block cipher algorithms, because the encryption and
decryption processes each operate on blocks (chunks) of data of a fixed size.
FIPS 46-3 and FIPS 197 have been approved for the encryption of general-purpose data. The
protection (e.g., encryption) of keys is discussed below under Key Management.
FIPS 46-3, Data Encryption Standard (DES). FIPS 46-3 specifies the DES algorithm. It was
originally adopted in 1977 as FIPS 46, and reaffirmed in 1983 and 1987 as FIPS 46-1 and FIPS
46-2 with changes to the allowed embodiment of the algorithm. In 1999, the standard was
affirmed as FIPS 46-3, adopting the Triple DES algorithm (TDES) as specified in the American
National Standards Institute (ANSI) X9.52 standard, and continuing to allow [single] DES for
legacy systems, as specified in FIPS 46-2. When FIPS 46-3 comes up for review in 2004, single
DES will no longer be approved for Federal Government applications. Therefore, neither new
applications nor current legacy systems, including systems using cryptographic modules
previously validated against FIPS 140-1 and 2, will be approved for using single DES after 2004.
However, TDES and AES (the algorithm specified in FIPS 197; see below) will continue to be
approved for all systems. Agencies should develop and implement a transition plan for using
approved algorithms other than single DES.
TDES is a method for encrypting data in 64-bit blocks using three 56-bit keys by combining
three successive invocations of the DES algorithm. ANSI X9.52 specifies seven modes of
operation for TDES and three keying options: 1) the three keys may be identical (one key
TDES), 2) the first and third key may be the same but different from the second key (two key
TDES), or 3) all three keys may be different (three key TDES). One key TDES is equivalent to
DES under the same key; therefore, one key TDES, like DES, is currently allowed only for
legacy systems, but will not be approved after 2004. Two key TDES provides more security than
one key TDES (or DES), and three key TDES achieves the highest level of security for TDES.
NIST recommends the use of three different 56-bit keys in Triple DES for Federal
Government sensitive/unclassified applications.
FIPS 197, Advanced Encryption Standard (AES). The encryption algorithm specified in FIPS
197 is the result of a multiyear, worldwide competition to develop a replacement algorithm for
DES. The winning algorithm (originally known as Rijndael, but hereafter referred to as the AES
algorithm) was announced in 2000 and adopted in FIPS 197 in 2001. The AES algorithm
encrypts and decrypts data in 128-bit blocks, with three possible key sizes: 128, 192, or 256 bits.
The nomenclature for the AES algorithm for the different key sizes is AES-x, where x is the size
of the AES key. NIST considers all three AES key sizes adequate for Federal Government
sensitive/unclassified applications. Information on the AES development effort is available at
http://csrc.nist.gov/encryption/aes/.
Comparison of the TDES and AES Algorithms. Both algorithms are considered to be secure for
the foreseeable future. The following is a comparison of the algorithms.
1. TDES builds on DES implementations and is readily available in many cryptographic
products and protocols. The AES algorithm is new; although many implementers are
quickly adding the algorithm to their products, and protocols are being modified to
incorporate the algorithm, it may be several years before the AES algorithm is as
pervasive as TDES.
2. The AES algorithm was designed to provide better performance (e.g., faster speed) than
TDES. Some performance metrics are available at http://csrc.nist.gov/encryption/aes/.
3. Although the security of block cipher algorithms is difficult to quantify, the AES
algorithm, at any of the key sizes, appears to provide greater security than TDES. In
particular, the best attack known against AES-128 is to try every possible 128-bit key
(i.e., perform an exhaustive key search). By contrast, although three key TDES has a 168-
bit key, there is a "shortcut" attack on TDES that is comparable, in the number of
required operations, to performing an exhaustive key search on 112-bit keys. However,
unlike exhaustive key search, this shortcut attack requires a lot of memory. Assuming
that such shortcut attacks are not discovered for the AES algorithm, the uses of the AES
algorithm may be more appropriate for the protection of high-risk or long-term data.
4. The smallest AES key size is 128 bits; the recommended key size for TDES is 168 bits.
The smaller key size means that fewer resources are needed for the generation, exchange,
and storage of key bits.
5. The AES block size is 128 bits; the TDES block size is 64 bits. For some constrained
environments, the smaller block size may be preferred; however, the larger AES block
size is more suitable for cryptographic applications, especially those requiring data
authentication on large amounts of data.
Modes of Operation. With a block cipher algorithm, the same plaintext block will always encrypt
to the same ciphertext block whenever the same key is used. If the multiple blocks in a typical
message were to be encrypted separately, an adversary could easily substitute individual blocks,
possibly without detection. Furthermore, data patterns in the plaintext would be apparent in the
ciphertext. Cryptographic modes of operation have been defined to alleviate these problems by
combining the basic cryptographic algorithm with a feedback of the information derived from
the cryptographic operation.
FIPS 81, DES Modes of Operation, defines four confidentiality (encryption) modes for the DES
algorithm specified in FIPS 46-3: the Electronic Codebook (ECB) mode, the Cipher Block
Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB)
mode.
NIST Special Publication 800-38A (NIST SP 800-38A), Recommendation for Block Cipher
Modes of Operation-Methods and Techniques, defines modes of operation for the encryption and
decryption of data using approved block cipher algorithms such as the AES and TDES
algorithms. Analogues of the four confidentiality modes defined in FIPS 81 are included: ECB,
CBC, CFB, and OFB. A fifth mode is also defined: the Counter (CTR) mode.
Three additional modes for TDES have been defined in ANSI X9.52 (adopted by FIPS 46-3) to
pipeline and interleave the data during the encryption and decryption to attain better performance
with TDES: a pipeline mode for CFB, and interleave modes for CBC and OFB.
Message Authentication Codes
Message authentication codes (MACs) (also known as data authentication codes) are
cryptographic checksums on data that are used to provide assurance to a message receiver of the
authenticity and integrity of the data. The computation of a MAC requires the use of a MAC
algorithm and a secret key.
Two types of MAC algorithms have been approved: MAC algorithms that are based on block
cipher algorithms and MAC algorithms that are based on hash functions.
FIPS 113, Computer Data Authentication, specifies an algorithm, which is based on DES, for
generating and verifying a MAC. FIPS 113 specifies the generation of a MAC of 24, 32, 40, 48,
or 56 bits.
FIPS 198, Keyed-Hash Message Authentication Code (HMAC), specifies the computation of a
MAC using an approved hash function (see below) and a key. The lengths of the MAC in bits
depend on the length of the output of the hash function. If the hash function produces an output
of L bits (e.g., L = 160 for SHA-1), then FIPS 198 specifies that the MAC should be between L/2
and L bits in length; however, FIPS 198 allows a smaller MAC (e.g., 32 bits) under certain
conditions.
NIST SP 800-38B, which is under development, will specify algorithms for the computation of
MACs using approved block cipher algorithms, such as the AES and TDES algorithms.
Information on this project is available at http://www.nist.gov/modes.
Digital Signatures
Digital signatures are used to provide data authentication, data integrity detection, and non-
repudiation. Data authentication and data integrity were discussed under Message Authentication
Codes. Non-repudiation is the property whereby data authentication and data integrity can be
verified not only by a receiving entity, but by a third party as well.
Digital signatures are generated and verified using asymmetric key algorithms, commonly
known as public key algorithms. Asymmetric key algorithms use a pair of keys: a public key that
may be known by anyone, and a private key that must be known only by the owner of the key
pair. The key pair owner generates a digital signature on the information to be signed using the
private key. The signed information and the digital signature are then provided to the intended
receiver. The receiver uses the public key to verify the digital signature. If the digital signature is
verified as correct, the receiver 1) is assured of the identity of the signing entity (because only
that entity knows the private key), 2) is assured that the signed information was received
correctly, and 3) can prove the identity of the message signer to an independent third party, if
necessary.
FIPS 186-2, Digital Signature Standard, specifies the Digital Signature Algorithm (DSA) and
adopts the algorithms specified in two ANSI standards: ANSI X9.31 (RSA and Rabin-Williams
signature algorithms) and ANSI X9.62 (The Elliptic Curve Digital Signature Algorithm
[ECDSA]). FIPS 186-2 also includes recommended elliptic curves for ECDSA; note that these
are the only curves validated by the CMVP during an ANSI X9.62 validation. Each of the Digital
Signature algorithms specifies a number of allowable key sizes in order to provide varying levels
of strength.
Cryptographic algorithms provide different levels of security against currently known attacks,
depending on the algorithm and the size of the key or other parameters. NIST recommends that
all algorithms used for Digital Signatures be used with key sizes that are comparable to key
sizes of at least 80 bits that are used for symmetric encryption algorithms. Guidance on
acceptable key sizes is being developed as part of the key management effort described below. In
the case of the RSA signature algorithm, a minimum key size of 1024 bits is required; for DSA, a
modulus of 1024 bits and a key size of 160 bits are required; for ECDSA, a 160-bit key is
required.
FIPS 186-2 also includes specifications for random number generators to be used for the
generation of DSA keys and digital signatures.
A change notice for FIPS 186-2 was recently published. This change notice updated the specified
random number generators to protect against an attack that was recently proposed. The change
notice for FIPS 186-2 is available at http://csrc.nist.gov/publications/fips/.
NIST is in the process of revising FIPS 186-2, to be proposed as FIPS 186-3. This revision will
include a specification of larger key sizes for DSA that will provide more security, and a
specification for a random number generator that will be based on the complete set of hash
functions specified in FIPS 180-2 and discussed below. NIST is also considering the inclusion of
the RSA signature algorithm as specified in Public Key Cryptographic Standard (PKCS) #1, the
RSA Encryption Standard.
Hash Functions
Hash functions generate a hash value (message digest) from a message or file. The input to the
hash function is of arbitrary length (e.g., a large message or file); the output is a fixed size value
(the hash value), which is often smaller than the input. A hash function is usually used as a
component in other cryptographic processes, such as the computation of a digital signature, the
generation of a Message Authentication Code, the establishment of cryptographic keying
material, or the generation of a random number.
FIPS 180-2, Secure Hash Standard, specifies four approved hash functions: SHA-1, SHA-256,
SHA-384, and SHA-512. Each function provides a different length hash value and a different
cryptographic strength. FIPS 180-2 is available at http://csrc.nist.gov/publications/fips/.
Key Management
Key management includes the rules and protocols for generating and establishing keys, and the
subsequent handling of those keys. The security and reliability of any process using a
cryptographic key depends on the protection afforded to that key. Two documents for key
management are in development for sensitive, unclassified applications: a key establishment
schemes document and a key management guideline.
The key establishment schemes document will include schemes to establish keys between
communicating entities, based on standards developed by the American National Standards
Institute (ANSI). A specification for a key wrapping technique will also be included, whereby a
symmetric key is encrypted using another symmetric key (e.g., an AES key is encrypted by an
AES key).
The key management guideline will provide guidance to federal agencies for the life cycle
management of cryptographic keys, including the generation, establishment, storage,
cryptoperiod, recovery, and destruction of those keys. In addition, the guideline will provide
guidance on the selection of cryptographic algorithms and key sizes, will aid managers in setting
up their key management infrastructure, and will assist users and system administrators of
currently available infrastructures, protocols, and applications to configure and use their products
more securely.
Information about this project and drafts of the key management documents are available at
http://www.nist.gov/kms.
Entity Authentication
FIPS 196, Entity Authentication Using Public Key Cryptography, specifies two protocols for
entity authentication that use a public key cryptographic algorithm for generating and verifying
digital signatures. One entity can prove its identity to another entity by using a private key to
generate a digital signature on a random challenge. The use of public key cryptography provides
strong authentication, without the requirement for authenticating entities to share secret
information.
Passwords and PINS
FIPS 112, Password Usage, provides guidance on the generation and management of passwords
that are used to authenticate the identity of a system user and, in some instances, to grant or deny
access to private or shared data. This standard recognizes that passwords are widely used in
computer systems and networks for these purposes, although passwords are not the only method
of personal authentication, and the standard does not endorse the use of passwords as the best
method.
FIPS 112 was adopted in 1985. An effort is currently in progress to update this guidance.
Random Number Generation
Random numbers are used within many cryptographic applications, such as the generation of
keys and other cryptographic values, the generation of digital signatures, and challenge-response
protocols. Some approved algorithms to produce random numbers have been specified in FIPS
186-2, Digital Signature Standard. An effort is in progress by the Financial Services Committee
of ANSI to develop a random number generation standard, and representatives from NIST
participate in the development of this standard. It is anticipated that the eventual ANSI standard
will be adopted as a FIPS.
Guest Research Internship Opportunities
Opportunities are available at NIST for 6-to24-month-long internships in the security program.
Qualified individuals should contact the Computer Security Division, providing a statement of
qualifications and indicating the area of work that is of interest. Contact: Elaine Barker, (301)
975-2911, ebarker@nist.gov.
Summary and Future Plans
The toolkit of cryptographic standards and guidance is nearing completion. NIST is planning to
develop additional guidance for using its approved algorithms and combining them with other
functions in a secure manner. NIST will continue to monitor the security of its approved
algorithms and revise the standards, as appropriate. As cryptographic technologies emerge, NIST
will investigate their security and applicability for the federal government and develop new
standards and guidance when necessary.
Disclaimer
Any mention of commercial products or reference to commercial organizations is for information
only; it does not imply recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.