-----Original Message-----
From: stds-p1619@LISTSERV.IEEE.ORG [mailto:stds-p1619@LISTSERV.IEEE.ORG] On Behalf Of Cole, John (Civ, ARL/CISD)
Sent: Monday, March 27, 2006 5:28 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Data Accountability and Trust Act (link and definitions)

http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.4127:

SEC. 5. DEFINITIONS.

In this Act the following definitions apply:

(1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

(2) COMMISSION- The term `Commission' means the Federal Trade Commission.

(3) DATA IN ELECTRONIC FORM- The term `data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

Hi All,

These definitions are very interesting. It sounds like a cryptographic device will need to be certified for FIPS 140-2 (level 1) before the resulting ciphertext is legally considered 'encrypted'.

The implication is that the LRW mode of P1619 will not be sufficient for this requirement. To my knowledge, LRW is not an approved NIST mode-of-operation, nor does it even appear to be under consideration (see the absence of LRW at http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/index.html).

Maybe we should submit LRW to NIST?

For P1619.1, the outlook is a little sunnier. CCM is already an approved NIST mode, and GCM should be approved shortly.

Does anyone have more information on this topic? The outcome of this legislation will potentially have a big impact on the direction of this working group.

-Matt