Microsoft Plans for FIPS 140-1 Compliance

Federal Information Processing Standard 140-1 stipulates requirements for the cryptographic processing of sensitive but unclassified data. More details at In EI #27, April 1998, we reported that FIPS 140-1 became mandatory on June 30 and that it was meeting resistance in the US DoD in part because Microsoft products are not currently compliant. The following was sent to us as an update by Patrick Arnold of Microsoft .

"Microsoft Corporation is committed to delivering a software-based cryptographic module certified by NIST as FIPS 140-1 compliant. This cryptographic module will be comprised of the Microsoft CryptoAPI and a cryptographic service provider (CSP) supporting DSS/DSA, DES, and SHA-1 at a minimum. As a result of the open CryptoAPI architecture, customers and all independent software vendors (ISVs) alike will realize benefit from Microsoft's FIPS 140-1 evaluation. ISVs who develop to the Microsoft CryptoAPI will have the option to leverage FIPS 140-1 compliant cryptography in their applications.

Microsoft is scheduled to enter the validation process with one of the National Institute of Technology's (NIST) approved testing and evaluation labs within the next four months. This commitment from Microsoft clearly enables a FIPS 140-1 migration path for our customers who wish to implement commercial Microsoft Internet technologies today."

Common Criteria Full-use Version 2.0 Now Completed. contributed by Gene Troy

"The Common Criteria Project sponsoring organizations (governments of Canada, France, Germany, Netherlands, United Kingdom, and United States) have just completed the Common Criteria for IT Security Evaluation (CC) version 2.0, and it is now ready for full use. This version supersedes the trial-use version 1.0, which was published in January 1996 primarily for the purpose of gaining field experience via application and secondarily for in-depth public review. The very large number of technical revisions and additions that were made via that process have resulted in a much improved version 2.0 document that is substantially different from the older version in numerous respects.

"The CC Project has a cooperative working relationship with ISO JTC1 SC27 in developing an International Standard IT security criteria based on the CC. The Final Committee Draft (FCD) International Standard now being balloted within ISO is identical in content to the CC version 2.0. It is anticipated that the CC will be published as International Standard 15408 by the Spring of 1999.

"CC version 2.0 is initially available for downloading in both Acrobat PDF and FrameMaker5 formats at the NIST CC website ( It will subsequently be made widely available from the CC Project Organizations in the various countries, in paper and CD-ROM formats, along with an HTML version. "A revised draft of the companion document, "Guide for Production of Protection Profiles and Security Targets" (3/98), being developed by ISO is also available via the NIST website. "For further information on the Common Criteria, see the website or contact: Gene Troy, NIST, at"

Purdue CERIAS Opens

On May 7, 1998, Purdue University unveiled a new University Center devoted to education and research into protection of critical information resources: CERIAS. The Purdue CERIAS (pronounced "serious") is the: Center for Education and Research in Information Assurance and Security. See for more details.

The mission of the CERIAS is to provide innovation and leadership in technology for the protection of information and information resources, and in the development and enhancement of expertise in information assurance and security. The Center is multidisciplinary in nature and will address the problems of information protection from a variety of different perspectives.

More information on the CERIAS is available at the Center WWW site: . Other inquiries may be e-mailed to the Director, .

US Government Announces Comprehensive Privacy Plan

On May 14, the Vice President announced a comprehensive privacy action plan to give people more control over their personal information. In addition to legislative plans and the intention to hold a privacy summit, there is also a Web site that allows consumers to opt out of sharing of their personal information by companies and states. White House press release at

Controversial Intellectual Property Law Headed Towards Enactment: Independent Security Analysis of Software to be Criminal in US?

Legislation to implement the World Intellectual Property Organization (WIPO) copyright treaty has already passed the US Senate and, as of this writing, is headed for passage by the House of Representatives. President Clinton has indicated that he will sign the legislation. One purpose of the treaty is to prevent people from disabling copyright protection in software and electronic media. Current versions of the legislation are controversial because they appear to make it a criminal offense for anyone not authorized by the copyright owner to, e.g., test the security mechanisms in software to determine if they are adequate for an intended application. Bruce Schneier of Counterpane Systems noted that this legislation "is going to criminalize my profession." While Gene Spafford of Purdue noted that "Products such as the ISS scanner, SATAN, SAINT, and the like may no longer be legal to develop, sell or distribute (or use). Firewalls will need to be "dumbed down" and not allowed to block or proxy traffic. Anti-virus researchers may be arrested for disassembling new viruses. Penetration testing would be illegal. Security testing of products you want to purchase or deploy might be a felony." Alternative legislation more favored by those who oppose the current bills has been proposed before the House with many cosponsors. Text of the current bills (S 2037 and HR 2281) along with their status and references to them in the Congressional Record may be found at Also found their is the alternative (HR 3048). Some side-by-side comparisons of the various bills (which strongly favor the alternative) can be found at

SKIPJACK and KEA declassified, Biham et al. Announce Cryptanalysis

As noted above under LISTWATCH the SKIPJACK algorithm of Clipper fame, along with the associated Key Exchange Algorithm were recently declassified. Within a week a group of researchers at the Technion (Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson) together with Adi Shamir of the Weizmann Institute announced some cryptanalytic results. "The main result is an attack on a variant, which we call SkipJack-3XOR (SkipJack minus 3 XORs). The only difference between SkipJack and SkipJack-3XOR is the removal of 3 out of the 320 XOR operations. The attack uses the ciphertexts derived from about 500 plaintexts which are identical except for the second 16 bit word. Its total running time is equivalent to about one million SkipJack encryptions, which can be carried out in seconds on a personal computer." More details can be found at

AES Submissions All In

Submission period for AES the Advanced Encryption Standard closed on June 19th. AES is more or less the successor of DES. Candidate algorithms that meet the official criteria for submission have not been announced. However, ten candidates are listed on the AES Web page hosted by Lars Knudsen and Vincent Rijmen, along with pointers to public cryptanalytic results. The list of submitters contains most of the most prominent names in block cipher design. The official AES Web page at NIST lists additional information including registration information about the first AES Candidate Conference to be held this August.

DataFellows Reports On Word Macro Virus

6/18/98 - Datafellows reported a Word macro virus (WM/PolyPoster) that may, if it takes hold on a machine, post infected versions of documents it finds there to certain heavily-used newsgroups. PolyPoster is probably not in the wild at present, and would require particular combinations of software to deliver its payload. Nevertheless, it is in line with a recent trend towards malicious software attempting to trawl for information (documents, IP numbers, passwords) rather than just replicating and damaging data. For more information see

Industry coalition pushes for new Encryption policy

The Washington Post reports (7/12/98) that a new industry coalition consisting of such companies as Sun Microsystems Inc., Novell Inc., Hewlett-Packard Co. and Network Associates plans to unveil a plan it hopes will persuade the U.S. government to dramatically loosen export restrictions on sophisticated data-scrambling technology. Government officials say they are cautiously optimistic that the coalition's approach, dubbed the "private doorbell," will win their approval. The full Washington Post story can be found at A plain ascii reproduction of the story can also be found at Cisco Systems Inc., which according to the Post article heads the industry coalition, has a white paper on the approach that can be found at