Feds broaden crypto standards

The government is adding an RSA algorithm to its list of acceptable forms of data encryption, drawing industry plaudits.

The government is updating its technical standard for digital signatures, and it's adding an RSA Data Security algorithm to acceptable forms of encryption. But most commercial digital signature products used in private industry still won't meet the government standard.

Still, RSA welcomes this narrowing of the standards split for digital signatures, which are a key element in electronic commerce.

"It's good to see after all these years the closer cooperation between industry and the Commerce Department," said Bert Kaliski, chief scientist at RSA Labs. The National Institute of Standards and Technology (NIST), the agency that controls what kinds of digital signature software federal agencies can buy, is part of the Commerce Department.

"We are broadening that standard to say that government agencies can buy products that have either the DSA algorithm or RSA algorithms," said Miles Smid, acting chief of NIST's computer security division. DSA stands for Digital Signature Algorithm, a government-created encryption cipher that has been the only one acceptable in government until now. RSA-based products have required special permission in the past.

As the name implies, digital signatures are a way of electronically signing a message or document so it carries legal weight, just as a signature does in the physical world.

But there's a catch: NIST has approved products that use RSA algorithms as long as they conform to a new standard called ANSI X9.31, which is only months old. Most RSA-based digital signature products available today don't comply with that standard and hence can't be sold to federal agencies without special permission, according to Kaliski.

"Personally, I wish the current products and the standards would be the same, but they aren't," said NIST's Smid. "We're getting there, but there is an existing set of legacy products that don't meet this standard."

The new NIST rule is in effect now, but comments are being accepted through March 15, so it could be altered. "We received a lot of comments favorable to incorporating RSA," Smid said.

He may get more from parties that want to be able to sell existing digital signature software to the government.

"We generally do submit comments, and I suspect we will in this case," said RSA's Kaliski. RSA is a unit of Security Dynamics