Hi All,
 
These definitions are very interesting.  It sounds like a cryptographic device will need to be certified for FIPS 140-2 (level 1) before the resulting ciphertext is legally considered 'encrypted'.
 
The implication is that the LRW mode of P1619 will not be sufficient for this requirement.  To my knowledge, LRW is not an approved NIST mode-of-operation, nor does it even appear to be under consideration (see the absence of LRW at http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/index.html).  Maybe we should submit LRW to NIST?
 
For P1619.1, the outlook is a little sunnier.  CCM is already an approved NIST mode, and GCM should be approved shortly.
 
Does anyone have more information on this topic?  The outcome of this legislation will potentially have a big impact on the direction of this working group.
 
-Matt


-----Original Message-----
From: stds-p1619@LISTSERV.IEEE.ORG [mailto:stds-p1619@LISTSERV.IEEE.ORG] On Behalf Of Cole, John (Civ, ARL/CISD)
Sent: Monday, March 27, 2006 5:28 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Data Accountability and Trust Act (link and definitions)


http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.4127:

SEC. 5. DEFINITIONS.

        In this Act the following definitions apply:

                (1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

                (2) COMMISSION- The term `Commission' means the Federal Trade Commission.

                (3) DATA IN ELECTRONIC FORM- The term `data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

                (4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
