7.6. Government Cryptographic Programs
The government has a keen interest in cryptographic products. NSA, NIST, and the Department of the Treasury have all developed programs for evaluating cryptographic algorithms and products.
NSA's Communications Security Cryptographic Endorsement Program, introduced earlier in this chapter, evaluates so-called "high-grade" cryptographic products. All algorithms used in high-grade products are designed by NSA and are classified. Chip implementations of the algorithms are provided to vendors with protective coating so they can't be reverse-engineered.
NSA classifies high-grade cryptographic products developed under CCEP as either Type 1 or Type 2:
Until recently, NSA's Government Endorsed Data Encryption Standard Equipment Program evaluated products based on the DES algorithm. Although NSA no longer endorses new DES-based products through this program, it does continue to list and provide keys, as necessary, for already endorsed products.
NIST's cryptographic responsibilities include the development of both standards and validation systems. NIST assists the Department of the Treasury by offering a system that tests the conformance of vendors' systems to the ANSI X9.9 message authentication standard. The system also checks for conformance to FIPS 113 (Computer Data Authentication). The validation is automated and can be initiated remotely via telephone lines. NIST is currently developing a system that tests the conformance of systems to the ANSI X9.17 key management standard. NIST is also working on systems that use digital message authentication codes in place of written signatures in government transactions.
Since 1988, the Department of the Treasury has required that all of the department's electronic funds transfer messages be authenticated. The Treasury certifies authentication devices developed by vendors to ensure that they conform to Federal Standard 1027 (DES implementation) as well as to ANSI standard X9.17 (key management). The Electronic Funds Transfer Certification Program for Authentication Devices is aided by technical input and testing services provided by NSA and NIST.