[Federal Register Volume 59, Number 143 (Wednesday, July 27, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-18270]




-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 940795-4195]
RIN 0693-AB34

 

Proposed Federal Information Processing Standard (FIPS) for 
Cryptographic Service Calls

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; Request for comments.

-----------------------------------------------------------------------

SUMMARY: The purpose of this notice is to announce the proposed Federal 
Information Processing Standard (FIPS) for Cryptographic Service Calls 
for Federal agency use. This proposed FIPS specifies a standard 
interface for application programs to request cryptographic functions 
from a cryptographic module. The cryptographic functions include 
message encryption and decryption, message authentication, digital 
signature generation and verification, key management, and user 
authentication. The proposed standard supports both secret key and 
public key algorithms.
    Prior to the submission of this proposed FIPS to the Secretary of 
Commerce for review and approval, it is essential to assure that 
consideration is given to the needs and views of manufacturers, the 
public, and State and local governments. The purpose of this notice is 
to solicit such views.
    This proposed FIPS contains two sections: (1) An announcement 
section, which provides information concerning the applicability, 
implementation, and maintenance of the standard; and (2) a 
specifications section. Only the announcement section of the standard 
is provided in this notice. Interested parties may obtain copies of the 
specifications from the Standards Processing Coordinator (ADP), 
National Institute of Standards and Technology, Technology Building, 
room B-64, Gaithersburg, MD 20899, telephone (301) 975-2816.
    The specifications are also available in electronic form as:

cryptcal.txt (ASCII version)
cryptcal.ps (PostScript version)
cryptcal.ps.Z (Compressed PostScript version)

    For access by modem, dial (301) 948-5717 and set modem 
communications parameters at no parity, 8 data bits and one stop. Modem 
speeds of up to 2400 baud are supported. Files are in /NISTPUBS 
directory.
    For access by Internet, ftp to csrc.ncsl.nist.gov (129.6.54.11). 
Files are in the /pub/nist/pubs directory.

DATES: Comments on this proposed FIPS must be received on or before 
October 25, 1994.

ADDRESSES: Written comments concerning this FIPS should be sent to: 
Director, Computer Systems Laboratory, ATTN: Proposed FIPS for 
Cryptographic Service Calls, Technology Building, room B154, National 
Institute of Standards and Technology, Gaithersburg, MD 20899.
    Written comments received in response to this notice will be made 
part of the public record and will be made available for inspection and 
copying in the Central Reference and Records Inspection Facility, room 
6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and 
Constitution Avenues, NW, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT:
Ms. Shu-Jen H. Chang, National Institute of Standards and Technology, 
Gaithersburg, MD 20899, telephone (301) 975-2940.

    Dated: July 21, 1994.
Raymond G. Kammer,
Deputy Director.

Proposed Federal Information Processing Standards Publication XXX

1994 May 23

Announcing the Standard for Cryptographic Service Calls
    Federal Information Processing Standards Publications (FIPS PUBS) 
are issued by the National Institute of Standards and Technology (NIST) 
after approval by the Secretary of Commerce pursuant to Section 111(d) 
of the Federal Property and Administrative Services Act of 1949 as 
amended by the Computer Security Act of 1987, Public Law 100-235.

1. Name of Standard. Cryptographic Service Calls (FIPS PUB XXX).
2. Category of Standard. Computer Security, Cryptography.
3. Explanation. This standard specifies a set of generic cryptographic 
service calls, or applications program interface (API), for application 
programs to interface with a cryptographic module for requesting 
cryptographic functions. The service calls specify the interface for 
common cryptographic functions such as message encryption and 
decryption, message authentication, digital signature generation and 
verification, key management, and user authentication. Cryptographic 
algorithms that are supported include both secret-key based and public-
key based algorithms. In this standard, the terms cryptographic service 
calls and cryptographic APIs can be used interchangeably.
4. Approving Authority. Secretary of Commerce.
5. Maintenance Agency. Department of Commerce, National Institute of 
Standards and Technology, (Computer Systems Laboratory).
6. Cross Index.

    a. FIPS PUB 46-2, Data Encryption Standard.
    b. FIPS PUB 74, Guidelines for Implementing and Using the NBS Data 
Encryption Standard.
    c. FIPS PUB 81, DES Modes of Operation.
    d. FIPS PUB 113, Computer Data Authentication.
    e. FIPS PUB 171, Key Management Using ANSI X9.17.
    f. FIPS PUB 180, Secure Hash Standard.
    g. FIPS PUB XXX, Digital Signature Standard.
    h. FIPS PUB 185, Escrowed Encryption Standard.
    i. Special Publication 800-2, Public Key Cryptography.
    j. Federal Information Resources Management Regulations (FIRMR) 
subpart 201.20.303, Standards, and subpart 201.39.1002, Federal 
Standards.

    Other NIST publications may be applicable to the implementation and 
use of this standard. A list (NIST Publications List 91) of currently 
available computer security publications, including ordering 
information, can be obtained from NIST.

7. Objectives. A standard cryptographic interface will facilitate 
interoperability among different cryptographic implementations. 
Specifically, a standard set of cryptographic service calls provides 
the following advantages:

    a. Application programmers will need to learn only one set of 
cryptographic service calls for multiple cryptographic applications.
    b. Cryptographic modules from different vendors, which conform to 
this interface standard, may be interfaced to a given application 
without requiring modification to the application program.
    c. Contracts for additional cryptographic modules would not have to 
be sole sourced because multiple vendors would offer the standard 
service calls.
    d. Vendors could build cryptographic modules which would interface 
to a wide variety of applications.

8. Applicability. This standard is applicable to all Federal 
departments and agencies that use cryptographic-based security systems 
for the protection of unclassified information that is not subject to 
Section 2315 of Title 10, U.S. Code, or Section 3502(2) of Title 44, 
U.S. Code. The standard shall be used by all Federal departments and 
agencies in designing, acquiring and implementing cryptographic 
services where a cryptographic interface is to be provided. Not all of 
the service calls specified in this standard need to be used in its 
entirety by an application. The specific service calls that shall be 
used depend on the security requirements for the particular application 
and environment in which the system is to be utilized. Private and 
commercial organizations are encouraged to adopt and use this standard 
in order to facilitate interoperability among different cryptographic 
products.
9. Applications. The standard may be used in any application which uses 
cryptography to provide any of the following cryptographic functions: 
message encryption/decryption, message authentication, digital 
signature generation and verification, and key management. Not all the 
service calls specified in this standard need to be used by an 
application. An application can make use of additional service calls 
not available in this standard.
10. Specifications. Federal Information Processing Standard (FIPS) XXX, 
Cryptographic Service Calls.
11. Implementations. Though this document specifies a standard 
interface for requesting cryptographic functions, the standard does 
not mandate a specific implementation of these cryptographic functions 
other than what is explicitly specified in the document. The 
cryptographic functions may in fact be implemented in 
software, firmware, hardware, or any combination thereof. However, 
there may be other standards that are applicable to the implementation 
of specific cryptographic functions. For specific requirements, the 
individual standard shall be referred to. Conformance to this standard 
requires that the cryptographic service calls used by an application 
provide exactly the same name and letter case for the service calls and 
their parameters as specified in the standard. In the rare case where 
the standard naming and specification of the service calls and 
parameters may violate certain rules of a particular programming 
language in use, the exception should be noted and the selected naming 
and case specification should match the standard as much as possible.
12. Export Control. Certain cryptographic devices and technical data 
regarding them are deemed to be defense articles (i.e., inherently 
military in character) and are subject to Federal government export 
controls as specified in Title 22, Code of Federal Regulations, Parts 
120-128. Some exports of cryptographic modules conforming to this 
standard and technical data regarding them must comply with these 
Federal regulations and be licensed by the U.S. Department of State. 
Other exports of cryptographic modules conforming to this standard and 
technical data regarding them fall under the licensing authority of the 
Bureau of Export Administration of the U.S. Department of Commerce. The 
Department of Commerce is responsible for licensing cryptographic 
devices used for authentication, access control, proprietary software, 
automatic teller machines (ATMs), and certain devices used in other 
equipment and software. For advice concerning which agency has 
licensing authority for a particular cryptographic device, please 
contact the respective agencies.
13. Implementation Schedule. This standard becomes effective six months 
after publication of a notice in the Federal Register of its approval 
by the Secretary of Commerce.
14. Qualifications. While this standard specifies a standard interface 
for application programs to request cryptographic functions from a 
cryptographic module, conformance to this standard does not assure that 
a particular cryptographic module or implementation is secure. Security 
requirements for a cryptographic module are addressed in FIPS 140-1. 
The responsible authority in each agency or department shall assure 
that the overall system provides an acceptable level of security.
15. Waiver Procedure. Under certain exceptional circumstances, the 
heads of Federal departments and agencies may approve waivers to 
Federal Information Processing Standards (FIPS). The head of such 
agency may redelegate such authority only to a senior official 
designated pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers 
shall be granted only when:

    a. Compliance with a standard would adversely affect the 
accomplishment of the mission of an operator of a Federal computer 
system, or
    b. cause a major adverse financial impact on the operator which is 
not offset by Government-wide savings.

    Agency heads may act upon a written waiver request containing the 
information detailed above. Agency heads may also act without a written 
waiver request when they determine that conditions for meeting the 
standard cannot be met. Agency heads may approve waivers only by a 
written decision which explains the basis on which the agency head made 
the required finding(s). A copy of each such decision, with procurement 
sensitive or classified portions clearly identified, shall be sent to: 
National Institute of Standards and Technology; ATTN: FIPS Waiver 
Decisions, Technology Building, Room B-154; Gaithersburg, MD 20899.
    In addition, notice of each waiver granted and each delegation of 
authority to approve waivers shall be sent promptly to the Committee on 
Government Operations of the House of Representatives and the Committee 
on Government Affairs of the Senate and shall be published promptly in 
the Federal Register.
    When the determination on a waiver applies to the procurement of 
equipment and/or services, a notice of the waiver determination must be 
published in the Commerce Business Daily as a part of the notice of 
solicitation for offers of an acquisition or, if the waiver 
determination is made after that notice is published, by amendment to 
such notice.
    A copy of the waiver, any supporting documents, the document 
approving the waiver and any supporting and accompanying documents, 
with such deletions as the agency is authorized and decides to make 
under Section 552(b) of Title 5, U.S. Code, shall be part of the 
procurement documentation and retained by the agency.

16. Where to obtain copies. Copies of this publication are available 
for sale by the National Technical Information Service, U.S. Department 
of Commerce, Springfield, VA 22161. When ordering, refer to Federal 
Information Processing Standards Publication XXX (FIPS PUB XXX), and 
title. When microfiche is desired, this should be specified. Payment 
may be made by check, money order, credit card, or deposit account.

[FR Doc. 94-18270 Filed 7-26-94; 8:45 am]
BILLING CODE 3510-CN-M