This article summarizes the Federal Register notice, Vol. 65, No. 31, of February 15, 2000.
On January 27, 2000, the Secretary of Commerce approved Federal Information Processing Standard (FIPS) 186-2, Digital Signature Standard (DSS). FIPS 186-2 supersedes and expands FIPS 186-1, DSS, by specifying an additional voluntary industry standard for generating and verifying digital signatures. This action enables federal agencies to use the Digital Signature Algorithm (DSA), originally the single approved technique for digital signatures, as well as two new American National Standards Institute (ANSI) standards that were developed for the financial community. These new standards are ANSI X9.31, Digital Signature Using Reversible Public Key Cryptography, and ANSI X9.62, Elliptic Curve Digital Signature Algorithm (ECDSA). FIPS 186-2 is effective June 27, 2000.
In May 1994, the Secretary of Commerce approved FIPS 186, Digital Signature Standard (DSS). This standard specified the DSA as the single technique for the generation and verification of digital signatures. In 1997, NIST solicited comments on augmenting FIPS 186 with other digital signature techniques including the Rivest-Shamir-Adleman (RSA) and the elliptic curve technique. Comments received by NIST supported adding these techniques to FIPS 186. Both techniques were being considered by the financial services industry as voluntary industry standards.
On December 15, 1998, NIST announced in a Federal Register notice that the Secretary of Commerce approved FIPS 186-1, DSS, as an interim final standard. FIPS 186-1 added the RSA digital signature technique; this technique had been approved as an industry standard (X9.31-1998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry). The elliptic curve technique was not included in the interim final standard since it had not yet been approved by ANSI as a voluntary industry standard. NIST invited comments from public, academic and research communities, manufacturers, voluntary standards organizations, and federal, state, and local government organizations concerning the specification of two techniques (DSA and ANSI X9.31-1998) for the generation and verification of digital signatures. The Federal Register notice also referred to the elliptic curve technique, which NIST had expected to be approved by ANSI as a voluntary industry standard. NIST received comments from 15 private sector organizations and individuals, and from two federal organizations.
Comments supported the addition of the ANSI X9.31 standard, as well as the addition of the elliptic curve technique to the DSS. NIST recommended that the Secretary of Commerce approve FIPS 186-2, including the DSA, ANSI X9.31, and the elliptic curve technique, which has now been approved as ECDSA, under ANSI X9.62, Elliptic Curve Digital Signature Algorithm. Other comments supported the continued use of another RSA signature algorithm that is specified by PKCS#1. The algorithm specified in PKCS#1 does not interoperate with the algorithm specified in ANSI X9.31. FIPS 186-2 allows for the continued acquisition of implementations of PKCS#1 for a transition period of eighteen months from the date of approval of this standard. This enables federal agencies to plan for the acquisition of implementations of the algorithms in FIPS 186-2.
Specifications for FIPS 186-2 are available at http://csrc.nist.gov/encryption. Copies of ANSI X9.31, Digital Signatures Using Reversible Public Key Cryptography, and ANSI X9.62, Elliptic Curve Digital Signature Algorithm (ECDSA) are available from the American Bankers Assoc./DC, X9 Customer Service Dept. P.O. Box 79064, Baltimore, MD 21279-0064; telephone 1-800-338-0626. For further information, contact Elaine Barker, (301) 975-2911, elaine.barker@nist.gov.
On February 25, 2000, a Federal Register notice announced that the Secretary of Commerce had approved the withdrawal of 33 FIPS. Many of these FIPS adopted voluntary industry standards for federal government use, but the FIPS documents have not been updated to reference current or revised voluntary industry standards. The withdrawn FIPS are:
ITL publishes the results of studies, investigations, and research. The reports listed below may be ordered from the following sources as indicated for each:
Superintendent of Documents
U.S. Government Printing Office (GPO)
P.O. Box 371954
Pittsburgh, PA 15250-7954
Telephone (202) 512-1800
Fax (202) 512-2250
Home Page: http://www.access.gpo.gov
National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703) 605-6000
Rush Service (800) 553-6847
Fax (703) 321-8547 or (703) 321-9038
Home Page: http://www.ntis.gov/ordernow
Benchmark Development for the Evaluation of Visualization for Data Mining
By S.J. Laskowski, G.G. Grinstein, P. Hoffman, and R. Pickett
NISTIR 6287
February 1999
PB99-118192, $25.50
Order from NTIS
This paper discusses some of the issues that need to be addressed in order to provide benchmark testing and evaluation to the visualization and data mining communities.
Introduction to Evaluating Biometric Systems
By P.J. Phillips, A. Martin, C.L. Wilson, M. Przybocki
NISTIR 6363
July 1999
PB99-156275, $25.50 paper
Order from NTIS, $12.00 microfiche
This paper provides a starting point for users of biometric identification and verification systems. It describes the evaluation methods that are applicable to all biometric systems and discusses general properties of biometric system and the different levels of evaluation that are needed to move these systems from the development laboratory to the desktop.
1999 ITL Technical Accomplishments
Elizabeth B. Lennon, Editor; Kathleen Simon, Photographs
NISTIR 6365
October 1999
PB2000-100119 $25.50
Order from NTIS
This report presents the achievements and highlights of NIST's Information Technology Laboratory during FY 1999. Technical projects in eight divisions are described, followed by industry interactions, international activities, staff recognition, and service to the NIST staff and the public.
A Specification-Based Coverage Metric to Evaluate Test Sets
By Paul E. Ammann and Paul E. Black
NISTIR 6403
October 1999
PB99-175366, $25.50 paper
Order from NTIS, $12.00 microfiche
This paper describes a connection between formal methods and testing that defines a specification-based coverage metric to evaluate test sets. The metric gives the software developer assurance that a given test set is sufficiently sensitive to the structure of an application's specification.
Abstracting Formal Specifications to Generate Software Tests via Model Checking
By Paul E. Ammann and Paul E. Black
NISTIR 6405
October 1999
PB99-175374, $25.50 paper
Order from NTIS, $12.00 microfiche
This report describes an innovative approach to generate tests from formal software specifications. This approach combines mutation analysis, symbolic model checking, and test generation, which solves some problems using other approaches and automatically produces good sets of tests from formal specifications.
Software Quality Lessons from Medical Device Failure Data
By Dolores R. Wallace and D. Richard Kuhn
NISTIR 6407
November 1999
PB99-175390, $25.50 paper
Order from NTIS, $12.00 microfiche
This report presents an analysis of 342 software-related failures of medical devices that caused no death or injury but led to recalls by the manufacturers. System failures activated by software faults can provide lessons for software development practices and software quality assurance.
Applying Mobile Agents to Intrusion Detection and Response
By Wayne A. Jansen, Peter Mell, Tom Karygiannis and Donald Marks
NISTIR 6416
October 1999
PB2000-100142, $27.00 paper
Order from NTIS, $12.00 microfiche
This report explores the use of mobile agents for intrusion detection systems (IDSs). It suggests a number of innovative ways to apply agent mobility to address shortcomings of current IDS designs and implementations, and explores several new paradigms involving mobile agents.
UPCOMING TECHNICAL CONFERENCES
13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Founded in 1987, FISSEA is an organization run by and for federal information systems security professionals. The annual FISSEA conference addresses the major challenges confronting information security trainers and educators; this year’s theme is “Effective IT Security Training Strategies.”
Dates: March 14-16, 2000
Place: Hilton Hotel, Gaithersburg, Maryland
Contact: Mark Wilson, (301) 975-3870, mark.wilson@nist.gov
http://csrc.nist.gov/organizations/fissea.html
Electronic Documents Conference
The purpose of this conference is to present and compare e-document visions and models, identify the needs of major user enterprises, and prioritize the development of needed standards. The audience will be government and private document users, and document creation product companies; participation is limited to two representatives from each organization. Topics include multimedia documents, revisable documents-in-progress, business transaction documents of record, engineering and scientific/laboratory documents, negotiable bearer instruments and general "knowledge" documents.
Dates: March 16-17, 2000
Place: NIST, Gaithersburg, MD
Sponsors: NIST and the Federal Government Chief Information Officer Council.
Technical Contact: Bruce Rosen, (301) 975-3299, bruce.rosen@nist.gov
http://xw2k.sdct.itl.nist.gov/e-docs/
BioAPI Users and Developers Workshop
The purpose of this workshop is to announce the release of BioAPI specification Version 1.0, to discuss the architecture of specification for users and the BioAPI architecture for developers, and to address the development of a biometric module and a BioAPI-compliant application.
Date: April 6, 2000
Place: Marriott Residence Inn, Pentagon City, VA
Sponsors: NIST, National Security Agency, and the Biometric Consortium.
Contact: Fernando Podio, (301) 975-2947, fernando.podio@nist.gov
Third Advanced Encryption Standard (AES3) Candidate Conference
The purpose of this conference is to help answer the question: "Which algorithm(s) should NIST include in the AES FIPS, and why?" The conference will have an international audience consisting of cryptographers and other interested parties, who wish to participate in the evaluation and analysis of the five finalist candidate algorithms being considered for the AES.
Dates: April 13-14, 2000
Place: New York Hilton and Towers, New York, NY
Sponsor: NIST
Contact: Jim Foti, (301) 975- 5237, james.foti@nist.gov
http://csrc.nist.gov/encryption/aes/round2/conf3/aes3conf.htm
DASE Symposium 2000
The purpose of this symposium is to educate the attendees about Digital TV Software Application Environment (DASE) and promote DASE. The audience will be technical and mid-level managers who have an interest in Digital TV.
Dates: May 23-24, 2000
Place: NIST, Gaithersburg, MD
Sponsor: NIST
Technical Contact: Alan Mink, (301) 975-5681, alan.mink@nist.gov
http://www.dase2000.nist.gov/
First International Common Criteria Conference
This conference will bring together consumers and producers of IT products and systems from around the world to learn how to effectively use the new international security standard and how to take advantage of the many testing opportunities available worldwide. The audience will be information assurance professionals, consumers of IT security products, IT product developers, systems integrators, IT security testing laboratories, IT product and system evaluators, validators and certifiers.
Dates: May 23-25, 2000
Place: Baltimore Convention Center, Baltimore, MD
Sponsors: NIST and the National Information Assurance Partnership (NIAP)
Technical Contact: Ron Ross, (301) 975-5390, ron.ross@nist.gov
http://niap.nist.gov/cc-scheme/iccc/
National Information Assurance Partnership (NIAP) Training Courses – Check out the NIAP Web site at http://niap.nist.gov, click on Events, click on Training Classes.