[Federal Register Volume 60, Number 108 (Tuesday, June 6, 1995)]
[Notices]
[Pages 29830-29832]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-13765]



-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE
[Docket No. 950420110-5110-01]
RIN 0693-XX06


Proposed Federal Information Processing Standard (FIPS) for 
Public Key Cryptographic Entity Authentication Mechanisms

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: NIST is proposing a FIPS for Public Key Cryptographic Entity 
Authentication Mechanisms, which will specify two challenge-response 
mechanisms by which entities in a computer system may authenticate 
their identities to one another. This standard defines protocols which 
are derived from an international standard for entity authentication 
based on public key cryptography using digital signatures and random 
number challenges.
    Public key based authentication is advantageous because no secret 
information has to be shared by the entities involved in the exchange. 
In the authentication process, a user employs a private key to 
digitally sign a random number challenge issued by the verifying 
entity. This random number is a time variant parameter which is unique 
to the authentication exchange. If the verifier can successfully verify 
the signed response using the claimant's public key, then the claimant 
has been successfully authenticated.
    Prior to the submission of this proposed FIPS to the Secretary of 
Commerce for review and approval, it is essential to assure that 
consideration is given to the needs and views of manufacturers, the 
public, and State and local governments. The purpose of this notice is 
to solicit such views.
    The proposed FIPS contains two sections: (1) An announcement 
section, which provides information concerning the applicability, 
implementation, and maintenance of the standard; and (2) a 
specifications section, which deals with the technical aspects of the 
standard. Only the announcement section of the standard is provided in 
this notice. Interested parties may obtain copies of the specifications 
section from the Standards Processing Coordinator, National Institute 
of Standards and Technology, Technology Building, Room B-64, 
Gaithersburg, MD 20899, telephone (301) 975-2816.

DATES: Comments on this proposed FIPS must be received on or before 
September 5, 1995.

ADDRESSES: Written comments concerning the proposed FIPS should be sent 
to: Director, Computer Systems Laboratory, ATTN: Proposed FIPS for 
Public Key Authentication, Technology Building, Room B-154, National 
Institute of Standards and Technology, Gaithersburg, MD 20899.
    Written comments received in response to this notice will be made 
part of the public record and will be made available for inspection and 
copying in the Central Reference and Records Inspection Facility, Room 
6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and 
Constitution Avenues, NW., Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: Mr. James Foti, National Institute of 
Standards and Technology, Gaithersburg, MD 20899, telephone (301) 975-
5237.

    Dated: May 31, 1995.
Samuel Kramer,
Associate Director.
Federal Information Processing Standards Publication JJJ

Draft 1995--March 13 Draft

Announcing the Draft Standard for Public Key Cryptographic Entity 
Authentication Mechanisms
    Federal Information Processing Standards (FIPS PUBS) are issued by 
the National Institute of Standards and Technology (NIST) after 
approval by the Secretary of Commerce pursuant to Section 111(d) of the 
Federal Property and Administrative Services Act of 1949 as amended by 
the Computer Security Act of 1987, Public Law 100-235.
    1. Name of Standard. Standard for Public Key Cryptographic Entity 
Authentication Mechanisms (FIPS PUB JJJ).
    2. Category of Standard. Computer Security, Subcategory Access 
Control.
    3. Explanation. This standard specifies two challenge-response 
mechanisms by which entities in a computer system may authenticate 
their identities to one another. These mechanisms are used during 
session initiation, and at any other time that entity authentication is 
necessary. Depending on which protocol is implemented, either one or 
both entities involved may be authenticated. The defined protocols are 
derived from an international standard for entity authentication based 
on public key cryptography using digital signatures and random number 
challenges.
    Public key based authentication has an advantage over many other 
authentication schemes because no secret information has to be shared 
by the entities involved in the exchange. A user (claimant) attempting 
to authenticate oneself must use a private key to digitally sign a 
random number challenge issued by the verifying entity. This random 
number is a time variant parameter which is unique to the 
authentication exchange. If the verifier can successfully verify the 
signed response using the claimant's public key, then the claimant has 
been successfully authenticated.
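The challenge-response exchange described in the summary and in paragraph 3, shown as an added example that is not part of this notice or of the draft standard's specifications section: the verifier draws a random challenge (the time variant parameter), the claimant signs it with its private key, and the verifier checks the response with the claimant's public key. It also runs the exchange in both directions for the mutual case the paragraph mentions. The signature algorithm (ECDSA over P-256 from Go's standard library), the SHA-256 digest, the 128-bit challenge length, and the `Party`, `Unilateral` and `Mutual` names are all assumptions of this example; the announcement cross-references FIPS 186 and FIPS 180, and a conforming implementation would follow the affixed specifications rather than this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is an entity that can act as claimant (signing challenges with its
// private key) and as verifier (issuing one-time random challenges).
// Example type; not from the draft standard.
type Party struct {
	Name    string
	priv    *ecdsa.PrivateKey
	pending map[[16]byte]bool // challenges this party issued and has not yet consumed
}

// NewParty generates a fresh key pair (ECDSA P-256 is an assumption here).
func NewParty(name string) (*Party, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, pending: map[[16]byte]bool{}}, nil
}

// Public returns the key a verifier would obtain out of band (e.g. from a certificate).
func (p *Party) Public() *ecdsa.PublicKey { return &p.priv.PublicKey }

// Challenge draws a fresh 128-bit random value: the time variant parameter
// that is unique to one authentication exchange.
func (p *Party) Challenge() ([16]byte, error) {
	var c [16]byte
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	p.pending[c] = true
	return c, nil
}

// digest hashes the challenge before signing (SHA-256 is an assumption).
func digest(challenge [16]byte) []byte {
	d := sha256.Sum256(challenge[:])
	return d[:]
}

// Respond is the claimant's step: sign the verifier's challenge with the private key.
func (p *Party) Respond(challenge [16]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.priv, digest(challenge))
}

// Verify is the verifier's step. The challenge is consumed before the signature
// check, so a captured response cannot be presented a second time, and a
// response to a challenge this verifier never issued is refused outright.
func (p *Party) Verify(claimant *ecdsa.PublicKey, challenge [16]byte, sig []byte) error {
	if !p.pending[challenge] {
		return errors.New("challenge unknown or already used")
	}
	delete(p.pending, challenge)
	if !ecdsa.VerifyASN1(claimant, digest(challenge), sig) {
		return errors.New("signature does not verify under the claimant's public key")
	}
	return nil
}

// Unilateral authenticates claimant to verifier only; nil means success.
func Unilateral(verifier, claimant *Party) error {
	ch, err := verifier.Challenge()
	if err != nil {
		return err
	}
	sig, err := claimant.Respond(ch)
	if err != nil {
		return err
	}
	return verifier.Verify(claimant.Public(), ch, sig)
}

// Mutual runs the exchange in both directions so both entities are authenticated.
func Mutual(a, b *Party) error {
	if err := Unilateral(a, b); err != nil {
		return fmt.Errorf("%s to %s: %w", b.Name, a.Name, err)
	}
	if err := Unilateral(b, a); err != nil {
		return fmt.Errorf("%s to %s: %w", a.Name, b.Name, err)
	}
	return nil
}

func main() {
	a, _ := NewParty("A")
	b, _ := NewParty("B")
	fmt.Println("unilateral (A to B):", Unilateral(b, a))
	fmt.Println("mutual:", Mutual(a, b))
}
```

Two points the code makes explicit that the prose leaves implicit: the verifier must already hold an authentic copy of the claimant's public key (the notice's paragraph 8 points to public key certificates for this), and each challenge is accepted exactly once, which is what makes the random number a defence against replay. ISO/IEC 9798-3, cited in the cross index, additionally binds the verifier's identity into the signed token; this example signs only the challenge, as the announcement text describes.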
    4. Approving Authority. Secretary of Commerce.
    5. Maintenance Agency. Department of Commerce, National Institute 
of Standards and Technology, Computer Systems Laboratory.
    6. Cross Index.
    a. FIPS PUB 140-1, Security Requirements for Cryptographic Modules.
    b. FIPS PUB 171, Key Management Using ANSI X9.17.
    c. FIPS PUB 180, Secure Hash Standard.
    d. FIPS PUB 186, Digital Signature Standard.
    e. FIPS PUB 190, Guideline for the Use of Advanced Authentication 
Technology Alternatives.
    f. ISO/IEC 9798-1:1991, Information technology--Security 
techniques--Entity authentication mechanisms--Part 1: General model.
    g. ISO/IEC 9798-3:1993, Information technology--Security 
techniques--Entity authentication mechanisms--Part 3: Entity 
authentication using a public key algorithm.
    Other NIST publications may be applicable to the implementation and 
use of this standard. A list (NIST Publications List 91) of currently 
available computer security publications, including ordering 
information, can be obtained from NIST.
    7. Applicability. This standard is applicable to all Federal 
departments and agencies that use public key based authentication 
systems to protect unclassified information within computer and digital 
telecommunications systems that are not subject to Section 2315 of 
Title 10, U.S. Code, or Section 3502(2) of Title 44, U.S. Code. This 
standard shall be used by all Federal departments and agencies in 
designing, acquiring and implementing public key based, challenge-
response authentication systems at the application layer within 
computer and digital telecommunications systems. This includes all 
systems that Federal departments and agencies operate or that are 
operated for them under contract. In addition, this standard may be 
used at other layers within computer and digital telecommunications 
systems.
    This standard may be adopted and used by non-Federal Government 
organizations. Such use is encouraged when it is either cost effective 
or provides interoperability for commercial and private organizations.
    8. Applications. Numerous applications can benefit from the 
incorporation of public key authentication. Networking applications 
that require remote login will be able to authenticate clients who have 
not previously registered with the host, since secret material (e.g., a 
password) does not have to be exchanged beforehand. Also, point-to-
point authentication can take place between users who are unknown to 
one another. The authentication mechanisms in this standard may be used 
in conjunction with other public key based systems (e.g., a public key 
infrastructure that uses public key certificates) to enhance the 
security of a computer system.
    9. Specifications. Federal Information Processing Standard (FIPS) 
JJJ, Standard for Public Key Cryptographic Entity Authentication 
Mechanisms (affixed).
    10. Implementations. The authentication mechanisms described in 
this standard may be implemented in software, firmware, hardware, or 
any combination thereof.
    11. Export Control. Implementations of this standard are subject to 
Federal Government export controls as specified in Title 15, Code of 
Federal Regulations, Parts 768 through 799. Exporters are advised to 
contact the Department of Commerce, Bureau of Export Administration, 
for more information.
    12. Implementation Schedule. This standard becomes effective 
(insert six months after approval by the Secretary of Commerce).
    13. Qualifications. The authentication technology described in this 
standard is based upon information provided by sources within the 
Federal Government and private industry. Authentication systems are 
designed to protect against adversaries mounting cost-effective attacks 
on unclassified government or commercial data (e.g., hackers, organized 
crime, economic competitors). The primary goal in designing an 
effective security system is to make the cost of any attack greater 
than the possible payoff.
    14. Waivers. Under certain exceptional circumstances, the heads of 
Federal departments and agencies may approve waivers to Federal 
Information Processing Standards (FIPS). The head of 
such agency may re-delegate such authority only to a senior official 
designated pursuant to section 3506(b) of Title 44, U.S. Code. Waivers 
shall be granted only when:

    a. Compliance with a standard would adversely affect the 
accomplishment of the mission of an operator of a Federal computer 
system, or

    b. Cause a major adverse financial impact on the operator which is 
not offset by Governmentwide savings.

    Agency heads may act upon a written waiver request containing the 
information detailed above. Agency heads may also act without a written 
waiver request when they determine that conditions for meeting the 
standard cannot be met. Agency heads may approve waivers only by a 
written decision which explains the basis on which the agency head made 
the required finding(s). A copy of each such decision, with procurement 
sensitive classified portions clearly identified, shall be sent to: 
National Institute of Standards and Technology, ATTN: FIPS Waiver 
Decisions, Technology Building, Room B-154, Gaithersburg, MD 20899.

    In addition, notice of each waiver granted and each delegation of 
authority to approve waivers shall be sent promptly to the Committee on 
Government Operations of the House of Representatives and the Committee 
on Governmental Affairs of the Senate and shall be published promptly 
in the Federal Register.

    When the determination on a waiver applies to the procurement of 
equipment and/or services, a notice of the waiver determination must be 
published in the Commerce Business Daily as a part of the notice of 
solicitation for offers of an acquisition or, if the waiver 
determination is made after that notice is published, by amendment to 
such notice.

    A copy of the waiver, any supporting documents, the document 
approving the waiver and any supporting and accompanying documents, 
with such deletions as the agency is authorized and decides to make 
under 5 U.S.C. Section 552(b), shall be part of the procurement 
documentation and retained by the agency.


[FR Doc. 95-13765 Filed 6-5-95; 8:45 am]

BILLING CODE 3510-CN-M