[Assurance] RE: Approved Encryption algorithms?

  • From: "Rowe, Ken" <>
  • Subject: [Assurance] RE: Approved Encryption algorithms?
  • Date: Mon, 17 Dec 2012 20:47:34 +0000

Since InCommon is focused on federation to meet Federal requirements, I would interpret 1.2 to mean NIST-approved.

 http://csrc.nist.gov/publications/nistpubs/800-133/sp800_133.pdf , dated November 2012, defines “approved” as “FIPS-approved and/or NIST-recommended.”
It really encompasses both algorithm and key length.

http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf , dated January 2011, is probably the definitive reference for approved cryptography.
Hope that helps.
Ken.
From: [mailto:] On Behalf Of Capehart, Jeffrey D
Sent: Monday, December 17, 2012 1:50 PM
To:
Subject: [Assurance] Approved Encryption algorithms?
My understanding of the differences from 1.1 to 1.2 is that we’re going from “industry standard” encryption to an “approved algorithm”. The question arises as to who is doing the approving?
For guidance to the auditors, it seems like we are looking to see if NIST has “approved” an algorithm. My quick Google search has yielded that the NIST Computer Security Division provides this service using the Cryptographic Algorithm Validation Program (CAVP).
Names, links, and types of algorithms are listed here:

http://csrc.nist.gov/groups/STM/cavp/standards.html
The list includes DES, AES, HMAC, along with several others.
So, given the above, would an encryption algorithm on the NIST CAVP approved list be good enough to qualify the encryption algorithm as “approved” for InCommon Silver if the auditor is the one who checks that off as “meets criteria”?
The question of approved is really whether executive management has to approve the use, or is it a standards body like NIST, or ideally both?
Thank you,

Jeff
Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu