
* * * * * * * * * * * * *  NOTE * * * * * * * * * * * * * * * * *

This file is a DRAFT chapter intended to be part of the NIST
Computer Security Handbook.  The chapters were prepared by
different parties and, in some cases, have not been reviewed by
NIST.  The next iteration of a chapter could be SUBSTANTIALLY
different than the current version.  If you wish to provide
comments on the chapters, please email them to roback@ecf.ncsl.gov
or mail them to Ed Roback/Room B154, Bldg 225/NIST/Gaithersburg, MD 
20899.  

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

DRAFT          DRAFT          DRAFT          DRAFT          DRAFT



                          Cryptography

1.  Introduction

Cryptography provides an important tool for the protection of
information and is used in many aspects of computer security.  
For example, it can help provide data confidentiality and
integrity, support sound user authentication and access controls,
and increase the security provided by other technical controls. 
Many people realize that modern cryptography relies upon advanced
mathematics.  Not all understand, however, that users can obtain
the benefits offered by cryptography without an understanding of
its mathematical underpinnings. 

Cryptography's uses are wide
and varied.  They include
traditional uses such as
eavesdropping protection and
newer uses such as ensuring
that computer files are
unchanged or that computer
programs are not infected with
viruses.  

This chapter describes the use
of cryptography as a tool for
satisfying a wide spectrum of
IT security needs and requirements.  It describes fundamental
aspects of the basic cryptographic technologies, and some
specific ways cryptography can be applied to improve security. 
This chapter also explores some of the important issues which
should be considered when incorporating cryptography into IT
systems.  

2.   BASIC CRYPTOGRAPHIC TECHNOLOGIES

Cryptography relies upon two basic components:  an algorithm (or
cryptographic methodology) and
a key.  For instance, in a
system where letters are
substituted for other letters,
the "key" is the chart of
paired letters and the
algorithm is substitution.  In
modern cryptographic systems,
the algorithms are complex mathematical formulae and keys are
strings of bits.  For two parties to communicate they must use
the same algorithm.  In some cases, they must also use the same
key.   Many cryptographic keys must be kept secret.  Sometimes
algorithms are also kept secret.

There are two basic types of cryptographic systems:  secret key
systems (also called symmetric systems) and public key systems
(also called asymmetric systems).  Table 1 summarizes and
compares some of the distinct features of both secret and public
key systems.  Both types of systems offer advantages and
disadvantages.  Often, the two are combined to form a hybrid
system in order exploit the strengths of each type.  In order to
determine which type of cryptography to utilize, an organization
first has to identify its security requirements and operating
environment. Then the organization can determine which type of
cryptography best meets its needs.

2.1  Secret Key Cryptography

Secret key cryptography is
better known than public key
cryptography.  In secret key
cryptography, two (or more)
parties share the same key. 
In secret key cryptography,
the same key is used to
encrypt and decrypt data.  As
the name implies, secret key cryptography relies on keeping the
key secret.  If this key is compromised, the security offered by
cryptography is severely reduced or entirely eliminated.  Secret
key cryptography assumes that the parties who share a key rely
upon each other not to disclose the key and protect it against
modification.  Since both parties share the same key, secret key
cryptography only protects information against third parties.  

Secret key cryptography can be used to protect both
confidentiality and integrity of information.  It can also be
used to support computer security technical controls, such as
user authentication.  

The best known secret key system is the Data Encryption Standard
(DES), published by NIST as Federal Information Processing
Standard (FIPS) 46-1.  Although the adequacy of DES has at times
been questioned, these claims remain unsubstantiated and DES
remains strong.  It is the most widely accepted, publicly
available cryptographic system today.  Besides being the only
published secret key system approved for protection of Federal
unclassified data, DES has been widely adopted by the commercial
sector.  The American National Standards Institute (ANSI) has
adopted DES as the basis for encryption, integrity, access
control, and key management standards.

2.2  Public Key Cryptography

Public key cryptography is a more modern invention than secret
key cryptography.  It is also very different and is not always
easily understood.  Whereas secret key cryptography employs a
single key shared by two (or more) parties, public key
cryptography uses a pair of keys for each party.  One of these is
"public" and one "private."  The public key can be made known to
other parties, perhaps published in an on-line directory.  The
private key must be kept confidential and be known only to its
owner.  (All keys, however, must be protected against
modification.)

Using this type of cryptography, any party can use any other
party's public key to send an encrypted message; however, only
the party with the corresponding private key can decrypt, and
thus read, the message.  For example, it can be used to send an
encrypted confidential message between Person A and Person B. 
Each person has two keys, one public and one private.  Person A
can encrypt a message to Person B.  To do this, he uses Person
B's Public key.  Only Person B can decrypt the message, which
requires use of his private key.  This ensures that only Person B
can read the message, thus providing data confidentiality.  

Public key cryptography can also be used for other purposes.  For
example, consider again Person A sending a message to Person B. 
In this case, however, Person A not only wants to keep the
message confidential but also for Person B to know that the
message really came from Person A.  In this case, Person A can
encrypt the data with both Person A's private key and Person B's
public key.  When the message is received, Person B decrypts the
message using both Person
A's public key and Person
B's private key.  Like the
other example, Person B is
the only one who can decrypt
the message, thus providing
data confidentiality. 
However, in this case only
Person A could have sent it,
since it was encrypted with
Person A's private key. 
There are many variations of
these basic examples, which
are explained in the
Services section below.  

Public key cryptography is
particularly useful in those
situations when the parties
wishing to communicate can
not rely upon each other or
do not share a common key. 
Public key cryptography is
typically used to protect cryptographic keys used by secret key
cryptography and in digital signatures, but also for other
purposes as discussed later in this chapter.

There are several public key cryptographic systems.  One of the
first public key systems, named RSA after its three MIT creators,
Ronald Rivest, Adi Shamir, and Len Adleman, is in wide use and
can provide many different security services.  The Digital
Signature Standard (DSS), which is described later in the
chapter, is another example of a public key system.

2.3  Hybrid Cryptographic Systems

Public and secret key cryptography have relative advantages and
disadvantages, although it may initially seem that public key
cryptography is preferable because of its versatility.  However,
speed is typically a significant advantage for secret key
systems.  Equivalent implementations of secret key cryptography
can run 1,000 to 10,000 times faster than public key
cryptography.

To exploit the advantages of
both secret and public key
cryptography, an IT system can
use both types in a
complementary manner, with
each performing different
functions.  Typically, the
speed advantage of secret key cryptography means that it is used
for encrypting bulk data. 
Public key cryptography is
used for smaller
transmissions, which are
less demanding to the IT
system's resources.  A
practical use of the public
key side of a hybrid system,
for example, is to automate
the distribution of the keys
used by secret key
cryptography.  This is known
as an example of automated
key distribution.  This type
of hybrid system provides
many of the advantages of
both public and secret key
cryptography while
minimizing the
disadvantages.

3.  USES OF CRYPTOGRAPHY

As discussed in the Introduction,
cryptography can be used to provide
for data confidentiality and
integrity.  It can also be used to
determine the originator of a
message (also known as non-
repudiation, see sidebar) and as a
basis for other security controls,
such as identification and
authentication and logical access controls.  (See chapters *****
and ***** respectively.)  These benefits, called security
services by computer security specialists, are obtained through
specific implementations of cryptography (frequently referred to
as security mechanisms).

Once it is determined what security services are required, the
mechanisms that provide that service can be reviewed.  Then the
most cost-effective ones can be selected.  The following
subsections describe some of the common cryptographic
implementations mechanisms, and the benefits that each can
provide.

3.1  Data Encryption

One of the best ways to obtain
cost-effective data
confidentiality if through the
use of encryption.  Encryption
transforms intelligible data
(understandable to either a
human [e.g., a novel] or
machine [e.g., executable
code]), called "plaintext,"
into an unintelligible form,
called "ciphertext."  This
process is reversed through
the process known as
decryption.  Once data is
encrypted, the ciphertext does
not have to be protected
against disclosure, since it
reveals little (except perhaps
length) about the plaintext. 
It does, however, have to be
protected against
modification.  If it is not,
it will not decrypt correctly.

Both secret key and public key cryptography can be used for data
encryption.  Secret key encryption, as noted above, is typically
much faster, but has attendant key distribution difficulties. 
With secret key cryptography, the same key is used to both
encrypt and decrypt data.  With public key cryptography,
selecting which key or keys to use for encryption can be more
complicated as it is based upon the type of security objectives
desired.  Both encryption methods are designed so that only an
authorized party has the key necessary to decrypt the ciphertext,
thus assuring that only intended parties have access to the data.

3.2  Message Authentication Codes

In IT systems, it is not always possible for humans to scan
information to determine if data has been erased, added or
modified.  Even if scanning were possible, the individual may
have no way of knowing what the correct data should be.  For
example, "do" may be changed to "do not"; or $1,000 may be
changed to $10,000.  It is therefore desirable to have an
automated means of detecting both intentional and unintentional
modifications of data.  While error detecting codes have long
been used in communications protocols (e.g., parity bits), these
are easily defeated to allow modifications to go undetected. 
Fortunately, cryptography can be used in a very secure technique
for performing error detection.

A Message Authentication Code (MAC) is a means for performing
error detection using secret key cryptography in order to detect
unauthorized modifications to data.  NIST FIPS 113, Computer Data
Authentication, specifies a standard technique for calculating a
MAC.  Using a secret key, a MAC is calculated from and appended
to the data.  To verify that the data has not been modified at a
later time, any party with access to the correct secret key can
recalculate the MAC.  The new MAC is compared with the original
MAC, and if they are identical, the verifier has confidence that
the data has not been modified by an unauthorized party.  If the
two MACs are different, then an unauthorized modification must be
assumed.  The calculation and verification of a MAC from data
provides for its integrity, since any modification to the data by
an unauthorized party can be detected.

3.3  Electronic Signatures

Today's IT systems are storing and processing more and more
paper-based documents in electronic form.  Having documents in
electronic form permits rapid processing and transmission and
thereby improves overall efficiency.  However, approval of a
written document has traditionally been indicated by a written
signature.  Thus, there is a need for the electronic equivalent
of a written signature which can be recognized as having the same
legal status as a written signature.  

Why not just take a digital picture of a written signature? 
Unfortunately, a digital image of a written signature (also known
as a digitized written signature) does not provide adequate
security.  Such a digitized written signature could easily be
copied from document to document with no way to determine whether
or not it is legitimate.  Use of cryptography, however, provides
a solution.

Cryptography can be used to protect electronic documents from
modification and forgery by enabling the generation of an
electronic signature that is
intrinsically tied to each
component in the electronic
document.  This means that the
change to a single character
in the document results in an
unpredictable change in the
signature.  Therefore, when
the electronic digital signature created via cryptography is
verified, any alteration is highly likely to be detected.

While there are many uses for electronic signatures, they have
particularly important implications for Electronic Data
Interchange (EDI).  For these important business technologies to
succeed, adequate security services are necessary.  The use of
cryptography in general and the use of electronic signatures in
particular is growing and is likely to become even more
widespread as the use of EDI continues to grow.  Discussed below
are the two types of electronic signatures.

3.3.1  Message Authentication Codes

An electronic signature can be implemented using secret key
cryptography.  If a secret key is used to protect data, and the
key used is shared only by the originator and recipient of the
data, then the recipient can authenticate the originator of the
data, provided that the key has not been released to an
unauthorized party or otherwise compromised.  For example, if two
parties share a secret key and one party receives data with a MAC
that is correctly verified using the shared key, that party may
assume that the data was sent by the other party.  This does
assume, however, that the two parties trust each other.  Thus,
through the use of a MAC, in addition to data integrity,
authentication of origin to the receiver of the data is also
obtained.  Such systems have been approved for use by the Federal
government as a replacement for written signatures on certain
electronic documents.

3.3.2  Digital Signatures

Another type of electronic signature called a "digital signature"
can be implemented using public key cryptography.  Data is
electronically signed by applying the originator's private key to
the data.  (The exact mathematical process for doing this is not
important for this discussion.)  Often, the private key is
applied to a shorter form of the data, called a "hash," rather
than to the entire set of data.  The resulting digital signature
can be stored or transmitted along with the data.  The signature
can be verified by any party using the public key of the signer.
This feature is very useful, for example, when distributing
signed copies of virus-free software.  Any recipient can verify
that the program remains virus-free. If the signature verifies
properly, then the verifier has confidence that the data was not
modified after it was signed and that it was signed by the owner
of the public key.  

Now, recall that with secret key cryptography, both the signer
and verifier can calculate the MAC, since they must share the
same key.  With public key cryptography, however, the private key
used to generate the signature is known only to its owner, and
the signature can be verified by a third party by applying the
signer's public key.  A digital signature, therefore, not only
provides for the integrity and the authentication of the source
of data, but also inherently provides for non-repudiation of
origin, whereby the signer cannot falsely deny having signed the
data.  

NIST has proposed a Digital Signature Standard (DSS) which uses
public key cryptography and is appropriate for applications
requiring a public key-based digital signature.  When approved by
the Secretary of Commerce, the DSS will become the Federal
government's public key digital signature technique for all
unclassified data.  In addition, NIST has proposed a Secure Hash
Standard (SHS) to be used in conjunction with DSS for generating
signatures.

3.4  User Authentication

Cryptography can be used to increase security in user
authentication techniques.  Most password techniques store
passwords on a host system in encrypted form to protect them from
disclosure to unauthorized parties.  When authenticating to a
remote computer system via a network, passwords typically travel
over the network in plaintext form where they are vulnerable to
eavesdropping;  again, cryptography could be used to protect the
passwords from disclosure as they travel over the network. 
Cryptography can also allow the use of passwords to be reduced by
replacement with a "cryptographic handshake," particularly for
multiple logins across a network.  For example, the host can
challenge the user with an encrypted random number.  The user can
authenticate himself by responding with the correct decrypted
number, thereby demonstrating that he shares a common key with
the host.  Thus, cryptography can play various useful roles
either as a tool or as the actual basis for user authentication
techniques.


4.  CONSIDERATIONS WHEN IMPLEMENTING CRYPTOGRAPHY

This section explores several of the important issues which
should be considered when integrating cryptography into an IT
system.

4.1  Security of Cryptographic Modules

Cryptography is typically implemented in a "module" comprised of
software, firmware, hardware, or some combination thereof.  This
module contains the cryptographic algorithm and the key(s).  In
order for the module to properly function, it must be protected
from tampering.  Protection may also have to be provided to
protect the key(s) and possibly the algorithm against disclosure. 
Additionally, users and computer systems must be able to rely
upon the proper functioning of the cryptography.  For these
reasons, the module requires some protection.  This is usually
obtained through the secure design, implementation and use of a
cryptographic module.

NIST Proposed FIPS 140-1, Security Requirements for Cryptographic
Modules, specifies the physical and logical security requirements
for a cryptographic module. 
The proposed standard defines
four security levels for
cryptographic modules, with
each level providing a
significant increase in
security over the preceding
level.  The four increasing levels of security allow for cost-
effective solutions that are appropriate for different degrees of
data sensitivity and different applications environments.  The
user is afforded the flexibility to select the best module for
any given type of IT system, thus avoiding the cost of
unnecessarily elaborate security features where they are not
needed.

4.2  Key Management

The proper management of cryptographic keys is essential to the
effective use of cryptography for security.  Ultimately, the
security of information protected by cryptography is directly
dependent upon the protection afforded to the keys.  Key
management involves the procedures, both manual and automated, to
be used throughout the entire life cycle of the keys, which
includes the generation, distribution, storage, entry and use,
and destruction and archiving of the cryptographic keys. 
Protection must be provided to protect all keys from
modification.  Some keys must also be kept secret.  Unique key
management issues must also be addressed by users of both public
key and secret key cryptography.

With secret key cryptography, the secret key(s) must be securely
distributed to the parties wishing to communicate.  Depending
upon the number and location of users, this may not be a trivial
task.  Automated techniques for distributing and generating
cryptographic keys can ease the overhead of key management, but
some resources will still have to be devoted to this task.  FIPS
171, Key Management Using ANSI X9.17, provides key management
solutions for a variety of operational environments.  

Public key cryptography users also must confront key management
issues.  For example, since private keys are ties to specific
users (or positions or organizations), it is necessary to "bind"
a key pair to a specific user.  This is done by a "certificate
issuing authority," which determines the identity of an
individual before "certifying" the public key.  

4.3  Standards 

NIST and other standards organizations have developed numerous
standards for the design, implementation, and use of cryptography
and for its integration into IT systems.  The use of
cryptographic modules that conform to cryptographic standards can
provide significant benefits
to an organization.  Standards
provide solutions that have
been accepted by a wide
community and that have
withstood the scrutiny of
experts.  Standards help
ensure interoperability among different vendors' equipment, thus
allowing an organization to select from among multiple
alternatives in order to find cost-effective equipment.  By using
voluntary standards, Federal government organizations can reduce
costs and protect their investments in technology by buying
off-the-shelf products.  

4.4  Configurations of Cryptographic Modules

Another area that needs to be considered is how the cryptographic
module will interact with the IT system.  Cryptographic modules
can either be configured: off-line or in-line.  In an off-line
configuration, a cryptographic module accepts information from
the IT system, performs the required the cryptographic
operations, and then passes the processed information back to the
IT system.  In an in-line configuration, a cryptographic module
accepts information to be processed from one part of the IT
system, performs the required cryptographic operations, and then
passes the processed information directly to other parts of the
IT system.  

4.5  Networking Issues

The use of a cryptographic module within an IT system that is
used in networking applications may require special
considerations.  In these applications, the suitability of a
cryptographic module may depend on its capability to handle any
special requirements imposed by locally attached communications
equipment or by the network protocols and software.

Another concern arises if encrypted information, MACs, or digital
signatures, which may appear as random data, inadvertently
contain data that may be misinterpreted by the communications
equipment or software as being control information.  In this
case, it may be necessary to filter the encrypted information,
MAC, or digital signature to ensure that it does not contain any
control information that might confuse the communications
equipment or software.  It essential to ensure that the
cryptography satisfies any requirements imposed by the
communications equipment and does not interfere with the proper
and efficient operation of the network.

4.6  Cost Considerations

The cost of employing cryptography to protect IT systems can be
characterized in terms of both direct and indirect costs, as will
be discussed below.  Cost is in part determined by product
availability;  a wide variety of products exists for implementing
cryptography in integrated circuit (IC) chips, add-on boards or
adaptors, and stand-alone units, and many of these products
implement accepted cryptographic systems (e.g., DES) and conform
to other security standards.

4.6.1  Direct Costs

The direct costs of employing cryptography include:

    acquiring or implementing the cryptographic module and
     integrating it into the IT system;  the medium (i.e.,
     hardware, software, firmware or combination thereof) and
     various other issues such as level of security, logical and
     physical configuration, and special processing requirements
     will have an impact on cost;

    managing the cryptography, and, in particular, managing the
     cryptographic keys, which includes key generation,
     distribution, archiving and disposition as well as the
     security measures to protect the keys, as appropriate.

4.6.2  Indirect Costs

The indirect costs of employing cryptography can include:

    a limited decrease in system or network performance,
     resulting from the additional overhead of applying
     cryptographic protection to stored or communicated data;

    changes in the way users interact with the system, resulting
     from more stringent security enforcement.  It should,
     however, be noted that cryptography can be made relatively
     transparent to the users such that the impact is minimal.

5.  INTERDEPENDENCIES

There are many interdependencies between cryptography and other
security controls highlighted in this Handbook.  Cryptography
both depends on other aspects of IT security and also assists in
providing many other security safeguards.

5.1  Physical and Environmental Security

The physical protection of a cryptographic module is important
for protecting the cryptographic system and keys within from
scrutiny and tampering.  In many environments, the cryptographic
module itself must provide high levels of physical security.  In
other environments, a cryptographic module may be employed within
IT systems residing in a secured facility with adequate physical
security for the cryptographic module.

5.2  Identification and Authentication

Cryptography can be used both to protect passwords that are
stored on computer systems, and to protect passwords that are
communicated between computers.  Furthermore, cryptographic-based
authentication techniques may be used in conjunction with
password-based techniques to provide stronger authentication of
users.

5.3  Logical Access Control

In many cases, cryptographic software may be embedded within a
host system, and it may not be feasible to provide extensive
physical protection to the host system.  In these cases, logical
access control may provide a means to isolate the cryptographic
software from other parts of the host system, and hence, protect
the cryptographic software and keys from scrutiny and tampering. 
The use of such controls essentially provides the logical
equivalent of physical protection.

5.4 Audit

Cryptography may play a useful role in performing auditing.  For
example, audit records may need to be communicated from computers
being audited to another computer that collects the audit
information.  In this case, cryptography may be needed to protect
the communicated audit records from disclosure or modification,
or to authenticate the source of the audit record.  Cryptography
may also be needed to protect audit records stored on IT systems
from disclosure or modification.

5.5 Assurances

Assurance that a cryptographic module is properly and securely
implemented is essential to the effective use of cryptography to
protect IT systems.  NIST maintains validation programs for
several of its standards for cryptography.  Vendors can have
their products validated for
conformance to the standard
through a rigorous series of
tests.  Such testing provides
increased assurance that a
module meets stated standards,
and system designers,
integrators, and users
generally have greater confidence that validated products conform
to accepted standards.

6.  CONCLUSION

Cryptography provides an important means for improving the
security of IT systems.  It can be used to provide both data
confidentiality and integrity.  User authentication procedures
can also be strengthened through cryptographic techniques.  Use
of digital signatures, an important cryptographic application,
will speed the use of EDI.  Cryptography, however, can not be
implemented without costs.  Careful study is required to
determine the types of systems and applications best suited to an
organizations's environment.  

7.  REFERENCES

[1]  Data Encryption Standard (DES), National Institute of
     Standards and Technology (U.S.), Federal Information
     Processing Standards Publication (FIPS PUB) 46-1, National
     Technical  Information Service, Springfield, VA, April,
     1977.

[2]  New Directions in Cryptography, IEEE Transactions on
     Information Theory, W. Diffie and M. Hellman, Vol. IT-22,
     No.  6, November 1976, pp.  644-654.

[3]  Public-Key Cryptography, National Institute of Standards and
     Technology Special Publication 800-2, James Nechvatal, April
     1991.

[4]  A Method For Obtaining Digital Signatures and Public-Key
     Cryptosystems, R. Rivest, A. Shamir, and L. Adleman,
     Communications of the ACM, Vol. 21, No. 2, 1978, pp.
     120-126.

[5]  Computer Data Authentication, National Institute of
     Standards and Technology (U.S.), Federal Information
     Processing Standards Publication (FIPS PUB) 113, National
     Technical Information Service, Springfield, VA, May 30,
     1985.

[6]  CSL Bulletin on Advanced Authentication Technology, Computer
     Systems Laboratory, National Institute of Standards and
     Technology, Gaithersburg, MD, November 1991.

[7]  A Proposed Federal Information Processing Standard for
     Digital Signature Standard (DSS), Federal Register Vol. 56,
     No. 169, August 30, 1991.

[8]  Proposed Federal Information Processing Standard for Secure
     Hash Standard (SHS), Federal Register Vol. ??, No. ??,
     January 31, 1992.

[9]  Security Requirements for Cryptographic Modules, National
     Institute of Standards and Technology (U.S.), Draft Federal
     Information Processing Standards Publication (FIPS PUB)
     140-1.

[10] American National Standard for Financial Institution Key
     Management (Wholesale), ANSI X9.17-1985, American Bankers
     Association, Washington, DC.

[11] Key Management Using ANSI X9.17, National Institute of
     Standards and Technology (U.S.), Federal Information
     Processing Standards Publication (FIPS PUB) 171, National
     Technical Information Service, Springfield, VA, April 1992. 

[12] Information Processing Systems - Open Systems
     Interconnection Reference Model - Part 2: Security
     Architecture, International Organization for
     Standardization, ISO 7498/2:1988.

[13] Security Mechanisms in High-Level Network Protocols, V.L.
     Voydock and S.T. Kent, ACM Computing Surveys Vol. 15, No. 2,
     June 1983.
8.  SIDEBAR NOTES

 Cryptography can be used to protect data communicated among
  computers and to
  to protect data and programs stored within computers. (1.)

 Cryptography can be used to control access to computers and
  networks. (1.)

 There are two basic types of cryptography systems:  "secret
  key" and "public key." (2.) 

 The best known secret key system is the Data Encryption
  Standard (DES). (2.1)

 Secret key systems are often used for bulk data encryption and
  public key systems for automated key distribution. (2.3)

 Cryptography can provide security services such as data
  confidentiality, data integrity, data origin authentication,
  non-repudiation, and access control. (3.)

 A Message Authentication Code (MAC) can be used to verify the
  integrity and origin of data. (3.2.2)

 Cryptography can provide the electronic equivalent of a
  written signature. (3.2.3)

 NIST has proposed the Digital Signature Standard.  (3.2.3.2)

 The contents of a cryptographic module should be protected
  from scrutiny and tampering. (4.1)

 NIST Draft FIPS 140-1 defines basic security requirements for
  cryptographic modules. (4.1)

 Key management involves the secure generation, distribution,
  storage, entry and use, and destruction and archiving of
  cryptographic keys. (4.2)

 Applicable security standards provide a common level of
  security and interoperability among users. (4.3)

 NIST maintains validation programs for several of its
  cryptographic standards. (5.5)
junk:


The effective use of cryptography within IT systems requires that
an organization first identify which security services are
needed, based on its security or protection objectives. 
Appropriate mechanisms to attain the objectives can then be
selected.   

3.1  Services

The most common security services that can be achieved through
the use of cryptography include the following:

 Data confidentiality: ensures that data is not disclosed to
  unauthorized parties.

 Data integrity: ensures that data is not modified in an
  unauthorized manner.

 Non-repudiation of origin: provides evidence that the source
  of received data is as claimed, whereby that evidence can be
  verified by a third party.  Or, in other words, that the
  originator of the data cannot falsely deny having originated
  the data.

 Access control: provides protection against unauthorized use
  of IT resources.


3.2  Mechanisms - The Means to Obtaining the Security Service
