SUMMARY: The Data Encryption Standard, issued as Federal Information Processing Standard (FIPS) 46 on January 15, 1977, specified that a review would be performed by NIST within five years to assess its adequacy. The first review was completed in 1983 and the standard was reaffirmed for Federal Government use (48 FR 41062 dated September 13, 1983). In 1987, NIST announced the second review of the standard (52 FR 7006 dated March 6, 1987), and solicited comments from Government, industry, and the public on the adequacy of the standard to protect computer data. The standard was reaffirmed for Federal government use (52 FR 7006). Following the second reaffirmation, the text of the standard was revised to reflect minor editorial changes, updates to references, addresses, and other non-substantive changes. The revision was issued as FIPS 46-1 in January 1988. On September 11, 1992, NIST announced the third review of the standard (57 FR 41727).
At the next review (1998), the algorithm specified in this standard will be over twenty years old. NIST will consider alternatives which offer a higher level of security. One of these alternatives may be proposed as a replacement standard at the 1998 review.
The written comments submitted by interested parties and other material available to the Department relevant to this standard were reviewed by NIST. On the basis of this review, NIST recommended that the Secretary approve the revision of this standard as FIPS 46-2 and the reaffirmation of algorithm specified by the standard, and prepared a detailed justification document for the Secretary's review in support of that recommendation.
The detailed justification document which was presented to the Secretary, and which includes an analysis of the written comments received, is part of the public record and is available for inspection and copying in the Central Reference and Records Inspection Facility, room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and Constitution Avenues, NW., Washington, DC 20230.
This FIPS contains two sections: (1) An announcement section, which provides information concerning the applicability, implementation, and maintenance of the standard; and (2) a specifications section, which deals with the technical requirements of the standard. Only the announcement section of the standard is provided in this notice. Note that one significant change in this revision is to clause 8, "Implementations," of the Announcement section, which reads:
8. Implementations. Cryptographic modules which implement this standard shall conform to the requirements of FIPS 140-1
. The algorithm specified in this standard may be implemented in software, firmware, hardware, or any combination thereof. The specific implementation may depend on several factors such as the application, the environment, the technology used, etc. Implementations which may comply with this standard include electronic devices (e.g., VLSI chip packages), micro-processors using Read Only Memory (ROM), Programmable Read Only Memory (PROM), or Electronically Erasable Read Only Memory (EEROM), and mainframe computers using Random Access Memory (RAM). When the algorithm is implemented in software or firmware, the processor on which the algorithm runs must be specified as part of the validation process. Implementations of the algorithm which are tested and validated by NIST will be considered as complying with the standard. Note that FIPS 140-1 places additional requirements on cryptographic modules for Government use. Information about devices that have been validated and procedures for testing and validating equipment for conformance with this standard and FIPS 140-1 are available from the National Institute of Standards and Technology, Computer Systems Laboratory, Gaithersburg, MD 20899.
EFFECTIVE DATE: This standard became effective July 1977 and was reaffirmed in 1983, 1988, and 1993. The algorithm specified by the standard has been reaffirmed without change. FIPS 46-2, which revises the implementation of the Data Encryption Algorithm to include software, firmware, hardware, or any combination thereof, becomes effective June 30, 1994. This revised standard may be used in the period before the effective date.
[Citation: 58 FR 69347]