[Assurance] RE: Approved Encryption algorithms? (assurance list archive)
- From: "Rowe, Ken" <>
- To: "''" <>
- Subject: [Assurance] RE: Approved Encryption algorithms?
- Date: Mon, 17 Dec 2012 20:47:34 +0000
Since InCommon is focused on federation to meet Federal requirements, I would interpret 1.2 to mean NIST-approved.

http://csrc.nist.gov/publications/nistpubs/800-133/sp800_133.pdf , dated November 2012, defines “approved” as “FIPS-approved and/or NIST-recommended.” It really encompasses both algorithm and key length.

http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf , dated January 2011, is probably the definitive reference for approved cryptography.

Hope that helps.

Ken.

From: [mailto:] On Behalf Of Capehart, Jeffrey D

My understanding of the differences from 1.1 to 1.2 is that we’re going from “industry standard” encryption to an “approved algorithm”. The question arises as to who is doing the approving? For guidance to the auditors, it seems like we are looking to see if NIST has “approved” an algorithm.

My quick Google search research has yielded that the NIST Computer Security Division provides this service using the Cryptographic Algorithm Validation Program (CAVP). Names, links, and types of algorithms are listed here: http://csrc.nist.gov/groups/STM/cavp/standards.html The list includes DES, AES, HMAC, along with several others.

So, given the above, would an encryption algorithm on the NIST CAVP approved list be good enough to qualify the encryption algorithm as “approved” for InCommon Silver if the auditor is the one who checks that off as “meets criteria”? The question of approved is really whether executive management has to approve the use, or is it a standards body like NIST, or ideally both?

Thank you,

Jeff

Jeff Capehart, CISA |
- [Assurance] Approved Encryption algorithms?, Capehart,Jeffrey D, 12/17/2012
- [Assurance] RE: Approved Encryption algorithms?, Rowe, Ken, 12/17/2012