Part 1: General - Computer Security Resource Center - National ...
March, 2007
This recommendation often uses "requirement" terms; these terms have the following meaning in
this document:
1. shall: This term is used to indicate a requirement of a Federal Information Processing
Standard (FIPS) or a requirement that must be fulfilled to claim conformance to this
recommendation. Note that shall may be coupled with not to become shall not.
2. should: This term is used to indicate an important recommendation. Ignoring the
recommendation could have undesirable results. Note that should may be coupled
with not to become should not.
1.4 Purpose of FIPS and NIST Recommendations
FIPS security standards and NIST Recommendations are valuable because:
1. They establish an acceptable minimal level of security for U.S. government systems.
Systems that implement these standards and recommendations offer a consistent level of
security Approved for sensitive, unclassified government data.
2. They often establish some level of interoperability between different systems that
implement the standard or recommendation. For example, two products that both
implement the Advanced Encryption Standard (AES) cryptographic algorithm have the
potential to interoperate, provided that the other functions of the product are compatible.
3. They often provide for scalability because the U.S. government requires products and
techniques that can be effectively applied in large numbers.
4. They are scrutinized by the U.S. government to assure that they provide an adequate level
of security. This review is performed by U.S. government experts in addition to the
reviews performed by the public.
5. NIST Approved cryptographic techniques are periodically re-assessed for their continued
effectiveness. If any technique is found to be inadequate for the continued protection of
government information, the standard is revised or discontinued.
6. Several of the FIPS and NIST Recommendations (e.g., DES, TDEA, SHA-1, DSA, and
Cryptographic Modules) have required conformance tests. These tests are performed by
accredited laboratories on vendor products that claim conformance to the standards.
Vendors are permitted to modify non-conforming products so that they meet all
applicable requirements. Users of validated products can have a high degree of
confidence that validated products conform to the standard.
Since 1977, NIST has built up a cryptographic "toolkit" of FIPS security standards and NIST
Recommendations that form a basis for the implementation of Approved cryptography. This
recommendation references many of those standards and provides guidance on how they may be
properly used to protect sensitive information.
1.5 Content and Organization
Part 1, General Guidance, contains basic key management guidance. It is intended to advise
developers and system administrators on the "best practices" associated with key management.