The American Bankers Association is attempting to address the privacy and security needs of banks and bank customers by ensuring that each have access to appropriate cryptographic tools. The ABA Cryptographic Policy will be posted on this list later today. ************************************************  CONTACT: Sonia Barbara FOR IMMEDIATE RELEASE (202) 663-5469 (1995) ABA REAFFIRMS SUPPORT FOR PRIVATE-SECTOR CONTROL OF CRYPTOGRAPHY Association Recommends a 10-year Extension for the Data Encryption Standard WASHINGTON, July 21 -- The Data Encryption Standard (DES) should be recertified for at least 10 more years to allow interested financial institutions adequate time to convert to any new cryptography standard, the American Bankers Association said in a policy statement issued today. Encryption is the process whereby sensitive data communications, such as wire transfers, credit card and automated teller machine transactions, are protected by secret codes to protect their confidentiality. DES, released in 1977, is the primary method used by financial institutions to encrypt information. Critics say that the longer DES is used, the more likely its code could be broken. While realizing this could limit its life span as a government certified standard, ABA warned that requiring banks to convert to a new standard by 1998 (the year DES's certification expires) could be prohibitively costly due to the high level of electronic funds transfers secured by DES. ABA therefore encouraged the National Institute for Standards and Technology (NIST) to continue to endorse DES as a Federal Information Processing Standard (FIPS) for use by the financial community. There has been an ongoing debate regarding who should control the development and support of private-sector computer security standards: the government or the private sector. ABA strongly recommends that the U.S. government work with the private sector and Congress in an open forum to develop a comprehensive policy on the commercial use of cryptography. In its newly-revised policy statement on cryptography, ABA proposed alternatives to DES and outlined other criteria that must be met before changes in cryptographic standards can be accepted by the banking industry. These criteria -- which will be (more) ABA CRYPTOGRAPHY POLICY/P2 presented next week to representatives of the White House, U.S. Department of Commerce, National Security Agency (NSA) and federal banking agencies -- were developed following a two-day meeting held in June of bankers, vendors and crypto experts concerned about the federal government's direction regarding private-sector information security. Specifically, ABA recommended: a The financial services industry be allowed to continue to use DES based on risk assessment (e.g. value of the transaction) and the business application involved. a A security framework encompassing a family of commercially available algorithms, including DES, be developed. This framework should include a process for negotiated algorithm selection based on the level of risk and other business requirements. a Opposition to government mandated key management systems for financial applications where keys would have to be stored outside the financial institution (e.g. key registration/surrender or the mandatory escrow of cryptographic keys). Instead, banks should continue to be responsible for key management and continue to cooperate with government for law enforcement purposes, as required by law. a Export of cryptography for financial applications must not be restricted. a Full participation of Congress and the private sector before establishing a U.S. policy for the commercial use of cryptography, instead of being carried out solely by Executive Order. [Note: These recommendations were summarized. For the full statement, please call Sonia Barbara at 202/663-5469.] The American Bankers Association is the only national trade and professional association serving the entire banking community, from small community banks to large bank holding companies. ABA members represent approximately 90 percent of the commercial banking industry's total assets, and about 94 percent of ABA members are community banks with assets less than $500 million. ### -- John A. Limpert johnl@Radix.Net