NIST to allow agencies use of COTS products
- By Heather Harreld
- May 25, 1997
The National Institute of Standards and Technology last week announced plans to allow agencies to use commercial information technology to secure electronic commerce.
Security experts believe NIST's policy revision could solve the problem of ensuring that personal information in government databases and information offered on-line to the public is released only to the individuals authorized to access it.
In a May 20 Federal Register notice, NIST announced plans to develop a proposed revision to its Digital Signature Standard, which requires agencies to use security technology developed by the National Security Agency (NSA) for digital signature applications, a technology that is used to confirm the identity of the sender of electronic information and to verify that the data has not been altered.
The revision would allow agencies to use digital signature technology from RSA Data Security Inc., Redwood City, Calif., which dominates the private-sector security market, or a fledgling technology called elliptic curve.
The announcement marks the end of a fierce and longstanding battle between the government and RSA, which opposed NSA requiring federal agencies to use its digital signature technology in hopes that it would become the worldwide standard for securing electronic commerce. But the technology did not achieve widespread private-sector acceptance and is found only in a handful of products.
RSA's technology, however, is now embedded in numerous popular IT products and has become the worldwide staple for digital signature technology.
John Pescatore, senior consultant with Trusted Information Systems Inc., Glenwood, Md., said the announcement will affect federal agencies significantly because they have had difficulty finding a way to authenticate the identity of users who request confidential information from federal agencies.
The recent controversy about the weak security in the Social Security Administration's on-line request service for personal benefits and earnings statements, and the failed attempts of the Internal Revenue Service to allow people to file tax returns over the Internet, were caused in part by the lack of a federal IT security infrastructure that incorporated digital signature at its core, he said.
In addition, digital signature is key to the widespread use of EC, the success of which hinges on users having confidence in the security of electronic financial transactions, Pescatore said. Allowing federal agencies to use commercial products could provide a boost to the federal government's effort to promote the use of EC.
"Anything that moves us more toward what the commercial market is doing couldn't do anything but help our efforts," said Tony Trenkle, director of EC at the General Services Administration. "We think it's very important to really bringing electronic commerce into the mainstream of government procurement to have that authentication feature."
Jim Bidzos, chief executive officer of RSA, said he is encouraged by NIST's announcement. "I am pleased to see the government has realized that there are benefits to letting agencies use off-the-shelf technology," he said. "There were parts of the government that didn't want to see RSA used. Clearly it's the choice of industry. Why should the government be denied?"
On the Verge of Waivers
The NIST announcement came only weeks after two agencies announced plans to obtain waivers to bypass the government standard in order to use RSA's digital signature technology instead.
In April, the chief information officer of the Environmental Protection Agency issued a waiver that allowed the agency to use RSA's cryptography features embedded in Lotus Development Corp.'s groupware product, Lotus Notes. That same month, the Agriculture Department's marketing service issued a similar waiver that will allow the service to use RSA's digital signature technology. Both agencies cited the unnecessary costs associated with purchasing hardware and software products that support the government standard as a primary reason for obtaining the waivers.
Elliptic-curve technology is the other digital signature method that soon could be incorporated into an emerging federal standard, according to the NIST announcement. This type of technology, which was introduced in 1985, has a more concentrated strength per bit in its keys than other public-key systems, so it offers comparable security with shorter keys.
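The article describes what the standard's digital signature does (confirms who signed and detects any alteration) without showing the mechanism. The following is an added example written for this page, not code from NIST, RSA or any product named above: a working copy of the DSS signing and verification algorithm with constructed toy-sized parameters (a 24-bit q instead of the standard's 160-bit q), so that a tampered message fails verification while the unmodified one passes. The parameter search, key sizes and sample message are all assumptions for illustration.

```python
import hashlib
import math
import secrets
def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
def generate_params(qbits: int = 24):
    """Toy DSS domain parameters: primes q and p with q | p-1, and g of order q."""
    q = (1 << qbits) + 1
    while not is_prime(q):
        q += 2
    k = 2                      # p = k*q + 1; the DSS itself uses a 160-bit q
    while not is_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, k, p) == 1:   # g = h^((p-1)/q) mod p must not be 1
        h += 1
    return p, q, pow(h, k, p)
P, Q, G = generate_params()
def hash_to_int(message: bytes) -> int:
    """z = SHA-1(M) as an integer, reduced mod q only because the toy q is short."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q
def generate_keypair():
    """Private x in [1, q-1]; public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)
def sign(x: int, message: bytes):
    """(r, s) with a fresh random per-signature k; retry if r or s is zero."""
    z = hash_to_int(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (z + x * r) % Q
        if r and s:
            return r, s
def verify(y: int, message: bytes, signature) -> bool:
    """Recompute r from the public key alone; any change to M or (r, s) fails."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = hash_to_int(message) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r

def demo():
    x, y = generate_keypair()
    msg = b"benefits statement request for account 0000-TEST"  # constructed
    sig = sign(x, msg)
    return verify(y, msg, sig), verify(y, msg + b"!", sig)
```

The verifier needs only the public key y, which is why an agency can check a citizen's request without holding any secret of theirs; the per-signature k must be fresh and random, since reusing it exposes the private key.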