[From the NIST Computer Security Bulletin Board]

(EMBARGOED FOR RELEASE: 3:00 P.M., Friday, Feb. 4, 1994)

Fact Sheet

NIST Cryptography Activities

Escrowed Encryption Standard

On April 16, 1993, the White House announced that the President approved a directive on "Public Encryption Management." Among other items, the President directed the Secretary of Commerce, in consultation with other appropriate U.S. agencies, to initiate a process to write standards to facilitate the procurement and use of encryption devices fitted with key-escrow microcircuits in federal communications systems that process sensitive but unclassified information.

In response to the President's directive, on July 30, 1993, the Department of Commerce's National Institute of Standards and Technology (NIST) announced the voluntary Escrowed Encryption Standard (EES) as a draft Federal Information Processing Standard (FIPS) for public comment. The FIPS would enable federal agencies to procure escrowed encryption technology when it meets their requirements; the standard is not to be mandatory for either federal agency or private sector use.

During the public review of the draft standard, a group of independent cryptographers were provided the opportunity to examine the strength of the classified cryptographic algorithm upon which the EES is based. They found that the algorithm provides significant protection and that it will be 36 years until the cost of breaking the EES algorithm will be equal to the cost of breaking the current Data Encryption Standard. They also found that there is no significant risk that the algorithm can be broken through a shortcut method of attack.

Public comments were received by NIST on a wide range of issues relevant to the EES. The written comments submitted by interested parties and other information available to the Department relevant to this standard were reviewed by NIST.
Nearly all of the comments received from industry and individuals opposed the adoption of the standard. However, many of those comments reflected misunderstanding or skepticism about the Administration's statements that the EES would be a voluntary standard. The Administration has restated that the EES will be a strictly voluntary standard available for use as needed to provide more secure telecommunications.

The standard was found to be technically sound and to meet federal agency requirements. NIST made technical and editorial changes and recommended the standard for approval by the Secretary of Commerce. The Secretary now has approved the EES as a FIPS voluntary standard.

In a separate action, the Attorney General has now announced that NIST has been selected as one of the two trusted agents who will safeguard components of the escrowed keys.

Digital Signature Standard

In 1991, NIST proposed a draft digital signature standard as a federal standard for public comment. Comments were received by NIST on both technical and patent issues. NIST has reviewed the technical comments and made appropriate changes to the draft.

In order to resolve the patent issues, on June 3, 1993, NIST proposed a cross-licensing arrangement for a "Digital Signature Algorithm" for which NIST has received a patent application. The algorithm forms the basis of the proposed digital signature standard. Extensive public comments were received on the proposed arrangement, many of them negative and indicating the need for royalty-free availability of the algorithm.

The Administration has now concluded that a royalty-free digital signature technique is necessary in order to promote widespread use of this important information security technique. NIST is continuing negotiations with the aim of obtaining a digital signature standard with royalty-free use worldwide. NIST also will pursue other technical and legal options to attain that goal.

Cooperation with Industry

During the government's review of cryptographic policies and regulations, NIST requested assistance from the Computer System Security and Privacy Advisory Board to obtain public input on a wide range of cryptographic-related issues, including the key escrow encryption proposal, legal and Constitutional issues, social and public policy issues, privacy, vendor and business perspectives, and users' perspectives. The Board held five days of public meetings. Comments obtained by the Board were useful during the government's review of these issues. In addition, NIST met directly with many industry and public interest organizations, including those on the Digital Privacy and Security Working Group and the Electronic Frontier Foundation.

As directed by the President when the key escrow encryption initiative was announced, the government continues to be open to other approaches to key escrowing. On August 24, 1993, NIST also announced the opportunity to join a Cooperative Research and Development Agreement (CRADA) to develop secure software encryption with integrated cryptographic key escrowing techniques. Three industry participants have expressed their interest to NIST in this effort; however, the government still seeks fuller participation from the commercial software industry. NIST now is announcing an opportunity for industry to join in a CRADA to develop improved and alternative hardware technologies that contain key escrow encryption capabilities.

Additionally, the Administration has decided to strengthen NIST's cryptographic capabilities in order to better meet the needs of U.S. industry and federal agencies.

2/4/94

--
Stanton McCandlish * mech@eff.org * Electronic Frontier Found. OnlineActivist
FOR MORE INFO, E-MAIL TO: INFO@EFF.ORG
OPEN PLATFORM  ONLINE RIGHTS  VIRTUAL CULTURE  CRYPTO