NSA to declassify two security algorithms

The National Security Agency plans to declassify two computer security algorithms used in Fortezza PC Cards to clear the way for commercial firms to work with the Defense Department on software encryption for DOD's large e-mail message system now under development.

NSA last week declassified the Skipjack algorithm and the Key Exchange Algorithm, both of which are used in the Fortezza PC Card, which is a credit card-size security device that authenticates users and encrypts e-mail. Skipjack is used for general-purpose encryption, and the Key Exchange Algorithm is used for key exchange.

This is the first time NSA, which has carefully guarded its data-scrambling algorithms from the public, has declassified such information and made it commercially available. The Skipjack algorithm was the core technology of the highly controversial Clipper chip initiative, which was introduced in 1993 to give law enforcement agents access to the keys needed to unscramble encrypted data.

Fortezza-based encryption, which is one of the core components of NSA's Multilevel Information Systems Security Initiative (MISSI), eventually will be used to secure e-mail communications for 2 million DOD PCs as part of the agency's $1 billion Defense Message System (DMS). NSA officials, who previously had insisted that Fortezza encryption be used only in hardware, began last year to brief the commercial sector on design requirements for software and smart card Fortezza applications.

The algorithms have been declassified for use in software implementations because there is less protection in software than in hardware implementations, according to an NSA statement issued to FCW. "In software, the algorithms are exposed while running; therefore, there is no point in keeping them classified," according to the statement. "In hardware implementations, appropriately cleared vendors implemented the classified algorithms in chips using built-in safeguards to prevent exposure of the algorithms."

Santosh Chokhani, chief executive officer of Cygnacom Solutions, a McLean, Va., information technology security company, said the move was driven by NSA's desire to encourage Fortezza software that can be used with DMS. In addition, the move will enable interoperability among Fortezza cards, smart cards and software applications, he said.

"Not all DMS users have to have Fortezza cards," Chokhani said. "It can reduce the cost in that sense. You can have the same MISSI...without having the cost of the hardware tokens."

DOD has found the cost of providing each DMS user with a machine equipped with a PC Card reader/writer to be prohibitive, Chokhani said. With Fortezza in software and smart cards, users can send and receive secure e-mail via DMS while using existing PCs.

In a statement, DOD noted that the declassification "is an essential part of the Defense Department's efforts to work with commercial industry in developing reasonably priced computer-protection products. The availability of such products will enhance the protection of DOD's sensitive but unclassified and critical nonmission communications."

One of the main Fortezza card suppliers, Spyrus, already has announced a new Software Cryptographic Library addition to its developers toolkit to allow vendors that support the Fortezza card to build software applications. Ken Mohr, director of marketing for Spyrus, said NSA's move will offer businesses that need to communicate and transact with DMS users a cost-effective option to the hardware Fortezza solution. Mohr estimated that the software implementation of Fortezza will drive down costs "fivefold" compared with the hardware option.

Civilian agencies also have expressed interest in a software solution, which would offer them secure communications options at lower costs, Mohr said.

However, Bruce Schneier, president of Minneapolis-based Counterpane Systems, said vendors other than those directly involved with DMS would not rush to embrace the security algorithms. After analyzing Skipjack, he said the algorithm would be very slow in software.
