Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
March, 2007<br />
making such decisions. Systems should offer algorithm suite options that provide for<br />
future growth.<br />
3. System design: The new system should be designed to meet the minimum<br />
performance and security requirements. This is often a difficult task, since<br />
performance and security goals may conflict. All aspects of security (e.g., physical<br />
security, computer security, operational security, and personnel security) are<br />
involved. If a current system is to be modified to incorporate the new algorithms, the<br />
consequences need to be analyzed. For example, the existing system may require<br />
significant modifications to accommodate the footprints (e.g., key sizes, block sizes,<br />
etc.) of the new algorithms. In addition, the security measures (other than the<br />
cryptographic algorithms) retained from the current system should be reviewed to<br />
assure that they will continue to be effective in the new system.<br />
4. Pre-implementation evaluation: Strong cryptography may be poorly implemented.<br />
Therefore no change over to new cryptographic techniques should be made without<br />
an evaluation as to how effective and secure they are in the system.<br />
5. Testing: Any complex system should be tested before it is employed.<br />
6. Training: If the new system requires that new or different tasks (e.g., key<br />
management procedures) be performed, then the individuals who will perform those<br />
tasks should be properly trained. Features that are thought to be improvements may<br />
be viewed as annoyances by an untrained user.<br />
7. System implementation and transition: Care should be taken to implement the<br />
system as close as possible to the design. Exceptions should be noted.<br />
8. Transition: A transition plan should be developed and followed so that the change<br />
over from the old to the new system runs as smoothly as possible.<br />
9. Post-implementation evaluation: The system should be evaluated to verify that the<br />
system as implemented meets the minimum security requirement.<br />
71