Billing Code 3510-CN

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 930659-4017]

RIN 0693-AB19

APPROVAL OF FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION 185, ESCROWED ENCRYPTION STANDARD (EES)

AGENCY: National Institute of Standards and Technology (NIST), Commerce.

ACTION: The purpose of this notice is to announce that the Secretary of Commerce has approved a new standard, which will be published as FIPS Publication 185, Escrowed Encryption Standard.

SUMMARY: On July 30, 1993, notice was published in the Federal Register (58 FR 40791) that a Federal Information Processing Standard for EES was being proposed for Federal use.

The written comments submitted by interested parties and other material available to the Department relevant to this standard were reviewed by NIST. On the basis of this review, NIST recommended that the Secretary approve the standard as a Federal Information Processing Standards Publication, and prepared a detailed justification document for the Secretary's review in support of that recommendation.

The detailed justification document which was presented to the Secretary is part of the public record and is available for inspection and copying in the Department's Central Reference and Records Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and Constitution Avenues, NW, Washington, DC 20230.

This FIPS contains two sections: (1) An announcement section, which provides information concerning the applicability, implementation, and maintenance of the standard; and (2) a specifications section which deals with the technical requirements of the standard. Both sections of the standard are provided in this notice.

EFFECTIVE DATES: This standard is effective ___________ (please insert date which is thirty (30) days from the date of publication of this notice in the Federal Register).

ADDRESSES: Interested parties may purchase copies of this standard, including the technical specifications section, from the National Technical Information Service (NTIS). Specific ordering information from NTIS for this standard is set out in the "Where to Obtain Copies" Section of the announcement section of the standard.

FOR FURTHER INFORMATION CONTACT: Michael R. Rubin, Deputy Chief Counsel for the National Institute of Standards and Technology, (301) 975-2803, Room A1111, Administration Building, National Institute of Standards and Technology, Gaithersburg, MD 20899.

SUPPLEMENTARY INFORMATION: This standard specifies a technology developed by the Federal government to provide strong encryption protection for unclassified information and to provide that the keys used in the encryption and decryption processes are escrowed. This latter feature will assist law enforcement and other government agencies, under the proper legal authority, in the collection and decryption of electronically transmitted information. The encryption technology will be implemented in electronic devices.

The purpose of this standard is to facilitate the acquisition of devices that implement escrowed encryption techniques by Federal government agencies. This standard does not mandate the use of escrowed encryption devices by Federal government agencies, the private sector or other levels of government. The use of such devices is totally voluntary. The standard provides a mechanism for Federal government agencies to use when they wish to specify key escrowed encryption as a requirement in their acquisition documents. Otherwise agencies would have to formally waive the requirements of the recently reaffirmed encryption standard, FIPS 46-2, Data Encryption Standard, if they wanted to use escrowed encryption techniques.

Key escrow technology was developed to address the concern that widespread use of encryption makes lawfully authorized electronic surveillance difficult.
In the past, law enforcement authorities have encountered very little encryption because of the expense and difficulty in using this technology. More recently, however, lower cost, commercial encryption technology has become available for use by U.S. industry and private citizens. The key escrow technology provided by this standard addresses the needs of the private sector for top notch communications security, and of U.S. law enforcement to conduct lawfully authorized electronic surveillance.

Analysis of Comments

This FIPS was announced in the Federal Register (58 FR 40791 dated July 30, 1993) and was also sent to Federal agencies for review. Comments were received from 22 government organizations in the United States, 22 industry organizations and 276 individuals. Of the 298 comments received from industry organizations and from individuals, 225 were forwarded to NIST by the Electronic Frontier Foundation which had collected them as electronic mail messages.

The Federal government organizations submitting comments included 11 Cabinet departments and 11 other Federal organizations. The 22 industry organizations included several large computer industry organizations, 4 trade associations, 2 professional societies, and several smaller computer industry organizations. The individuals submitting comments included computer systems, networks and software professionals; consultants; professionals affiliated with universities and colleges; students; and many individuals who did not identify their professions.

Comments were grouped for the purpose of this analysis in the following major categories:

A. General comments concerning key escrow encryption;
B. Other general comments;
C. Patent infringement allegations;
D. Economic comments on the standard, including its potential cost to Federal agencies and private organizations that adopt it, and the effect that the standard may have upon the competitiveness of U.S. firms in domestic and world markets; and,
E. Comments on the technical operation of the standard.

Each of these matters is discussed in turn below.

A. General Comments Concerning Key Escrow

Nearly all of the comments received from industry and individuals opposed the adoption of the standard, raising concerns about a variety of issues including privacy; the use of a secret algorithm; the security of the technology; restrictions on software implementation; impact on competitiveness; and lack of procedures for escrowing keys. Over 80 percent of the industry and individual responses repeated the following points which were also made by the Electronic Frontier Foundation:

(1) Five industry organizations and 200 individuals said that guarantees are needed to assure that this standard is not a first step toward prohibition against other forms of encryption.

In response, NIST notes that the standard is a specification for voluntary use by the Federal government in the acquisition of devices for escrowed encryption. There is no requirement that the public use this standard. Further, the Administration has announced that it will not propose new legislation to limit the use of encryption technology.

(2) Three industry organizations and 164 individuals said that there had been insufficient technical and operational information available to allow full public comment. Also, seven Federal government organizations, 19 industry organizations, and 213 individuals expressed concern that the details of the escrowed encryption system had not been announced when the FIPS was proposed. Other related concerns included: the escrow agents have not been identified; the operating procedures are unclear; the system will not be secure if the keys are not protected; the system must allow for enforcement of expiration of wiretap authority. One member of the NIST Computer Privacy and Security Advisory Board stated that the notice was "content-free".

In response, NIST notes that the standard is a technical one, for implementation in electronic devices and use in protection of certain unclassified government communications when such protection is required. It adopts encryption technology developed by the Federal government to provide strong protection for unclassified information and to enable the keys used in the encryption and decryption processes to be escrowed. The technical aspects of the Escrowed Encryption Standard have been set forth in detail, and the classified algorithm has been examined by independent experts.

The responsibility for designation of the key component escrow agents lies with the Attorney General, rather than the Secretary of Commerce. In addition, the Attorney General is charged with reviewing for legal sufficiency the procedures by which an agency establishes its authority to acquire the content of communications encrypted with electronic devices using the Escrowed Encryption Standard. Designation of the key component escrow agents, and approval of procedures for acquisition of key components to facilitate decryption of communications, are separate from the establishment of the technical parameters of this standard.

Necessarily, protection of the information encrypted by use of the Escrowed Encryption Standard requires that the key components and other aspects of the system be accorded strict security. Procedures to provide strict security in the programming, storage, and transmission of key components have been developed; however, the security procedures for the key components are beyond the scope of this rule.

Even were the identity of the key component escrow agents, or the procedures under which escrowed key components will be maintained and released for use in conjunction with lawfully authorized interceptions relevant to the technical standards established in the instant rule, the Department of Commerce has found, consistent with 5 U.S.C. 553(b)(B), that notice and public procedure thereon is unnecessary. The technical aspects of the Escrowed Encryption Standard themselves, coupled with the strength of the algorithm and the privacy protections afforded by the Constitution and relevant statutes, afford adequate assurance of the efficacy of the standard for the protection of sensitive unclassified Federal government information, without the need for specifying the identities of key component escrow agents or detailing the procedures respecting maintenance or release of key components.

(3) One Federal government organization, 10 industry organizations, and 199 individuals were concerned that the escrowed encryption system may infringe on individual rights. Some said that the government cannot act as an independent escrow agent. One industry organization and 6 individuals said that the government cannot be trusted to run the escrow system.

The technical capabilities afforded by the Escrowed Encryption Standard permit protection of certain sensitive, but unclassified Federal government information at a level far stronger than that of the Data Encryption Standard, while at the same time permitting decryption of communications in conjunction with electronic surveillance when authorized by law. These comments address policy issues separate from the technical aspects of the Escrowed Encryption Standard established herein. The technical benefits accruing to a Federal government system using the Escrowed Encryption Standard are independent of the identity of the entities serving as key component escrow agents.

With respect to the suggestions that the system may infringe individual rights, the purpose of the escrowing of key components is to permit decryption only in those circumstances in which interception of communications is lawfully authorized, consistent with the Constitution and relevant statutes.
To this end, the Attorney General is to review for legal sufficiency the procedures by which an agency establishes its authority to acquire the contents of such communications. The Department of Justice has assured NIST, therefore, that the Escrowed Encryption Standard is fully consistent with protection of individual privacy rights.

(4) Fifteen industry organizations and 193 individuals were concerned that the standard uses a secret algorithm. Some said that since the algorithm is secret, it is not possible to evaluate it. Some said that the algorithm is flawed and is subject to compromise. Two individuals said that the algorithm has severe technical problems, and that the algorithm for generating the unit keys is too predictable. One individual said that in addition to possible decryption via escrowed keys, the algorithm has a back door. Others said that people will not use encryption that they cannot trust, and that the risks of using the EES have not been assessed. One government organization, two industry organizations and 7 individuals said that the technology will not be accepted internationally if the algorithm is not known.

The algorithm was developed originally as a classified algorithm for the U.S. Government to provide highly effective communications security. It is still used for that purpose. There are no trap doors or any known weaknesses in it. A classified algorithm is essential to the effectiveness of the key escrow solution. The use of a classified algorithm assures that no one can produce devices that use the algorithm without the key escrow feature and thereby frustrate the ability of government agencies to acquire the content of communications encrypted with the algorithm, in conjunction with lawfully authorized interception. NIST finds that, because the algorithm needs to remain secret in order to preserve the utility of the key escrow feature, it would be neither practicable nor in the public interest to publish the algorithm.

(5) Eight industry organizations and 181 individuals said that it was premature to adopt the EES as a standard until policy decisions on encryption are made.

The Federal government is committed to protection of sensitive information of all kinds, particularly sensitive, but unclassified information outside the scope of the Warner Amendment. The Escrowed Encryption Standard gives Federal managers the ability to afford their agencies' sensitive, but unclassified information protection substantially stronger than possible with the Data Encryption Standard. This standard permits, but does not mandate, the use of the Escrowed Encryption Standard by Federal managers; it in no way mandates use of the standard outside the Federal government. Issuance of the standard at this time is fully consistent with the President's Directive on encryption management.

B. Other General Comments

Twelve individuals questioned the role of the National Security Agency in the development of the standard. In response, NIST notes that NSA, because of its expertise in the field of cryptography and its statutory role as a technical advisor to U.S. government agencies concerning the use of secure communications, developed the technical basis for the standard which allows for the widespread use of encryption technology while affording law enforcement the capability to access encrypted communications under lawfully authorized conditions. NSA worked in cooperation with the Department of Justice, the FBI and NIST to develop the escrowed encryption standard.

Seven individuals said that there is other technology available for protecting information that is more cost effective and that the EES is not the best solution for the problems identified. NIST notes that use of the standard is voluntary.
The standard states that a risk analysis should be performed to determine potential threats and risks and that the costs of providing encryption using this standard as well as alternative methods and their respective costs should be projected. A decision to use this standard should be based on the risk and cost analyses.

One individual said that the government should not broaden its access to private communications. NIST notes that the standard does not broaden access to private communications. Access must be legally authorized.

One government organization, 4 industry organizations and 28 individuals said that the standard hinders security of information and will not help law enforcement activities. NIST responds that, as noted in the President's directive on "Public Encryption Management," new communications technology can frustrate lawful government electronic surveillance and, when exported abroad, thwart foreign intelligence activities critical to our national interests. The Escrowed Encryption Standard provides substantially stronger encryption protection than is currently available under the Data Encryption Standard, and its implementation in hardware is expected to permit ease and transparency of use. It is anticipated that security will be enhanced by the combination of robust encryption with technology easily usable even in circumstances that have not, in the past, readily lent themselves to encryption. The Escrowed Encryption Standard permits the protection of sensitive information with strong encryption, while at the same time permitting protection of the public safety by decryption in conjunction with lawfully authorized electronic surveillance. The key escrowing technique in this standard will allow the government to gain access to encrypted information only with appropriate legal authorization.

Four industry organizations and 17 individuals said that the standard does not respond to any user requirement.
NIST responds that the standard provides substantially stronger protection for sensitive, but unclassified Federal government information than is currently available under the Data Encryption Standard. Moreover, the standard permits law enforcement entities to protect the public safety by gaining access to encrypted information in conjunction with lawfully authorized electronic surveillance.

One industry organization and 20 individuals said that it is unlikely that people engaged in illegal activities will use the standard. NIST notes that the Administration has chosen to encourage the widespread use of key escrow devices to make strong encryption broadly available and affordable.

One individual said that the key escrow program will be funded by asset forfeiture and therefore will not be subject to Congressional review. The Federal government will acquire a number of key escrow-equipped devices, for some of which funds from the Department of Justice Asset Forfeiture Super Surplus Fund will be utilized. NIST notes that the asset forfeiture program is subject to Congressional review and oversight, and to General Accounting Office reviews and audits, if requested by the Congress. There are, however, no plans to use asset forfeiture funds for other aspects of the key-escrow encryption system.

One industry organization stated that the applicability of the standard should be limited to telephony. NIST notes that the standard is applicable to voice, facsimile, and computer information communicated in a telephone system.

One industry organization said that the recommended FIPS deviates from the FIPS process. In response, NIST notes that it uses a variety of methods to develop needed standards, including working closely with other Federal agencies as mandated by the Computer Security Act of 1987.
NIST followed its usual procedures in announcing the proposed standard and soliciting comments from government and private sector organizations, as well as from interested members of the public.

All comments received to the Federal Register notice announcing the proposed standard have been made part of the public record and are available for inspection and copying at the Central Reference and Records Inspection Facility in the Department of Commerce. The justification document which was presented to the Secretary of Commerce is part of the public record as well.

C. Patent Infringement Allegations

In addition to the above comments, NIST has received two allegations of patent infringement for the key escrow technology adopted by the EES. The first allegation was from the holder of an issued patent, the second was from an inventor who had recently filed a patent application with the Patent and Trademark Office. Also, one government organization observed that the patent status of the EES is not clear and may result in cost impacts due to payment of royalties, should EES be found to infringe upon any privately held patent.

Based upon information received to date, NIST has not been persuaded that any patent of which it is aware will lead to a successful claim against any user of the EES, including U.S. Government users, for payment of royalties. An infringement study was conducted upon the first infringement allegation, with the result that no infringement was found. When the patent relevant to the second allegation was issued in January of this year, an infringement study was begun on that patent.

D. Economic Effects of the Standard

Public comments were received on three economic aspects of the proposed standard, including concerns about the cost to the government and the private sector of implementing the standard; the effect of the standard upon the competitiveness of U.S. software firms in world markets; and suggestions that the government has bestowed an unfair economic benefit upon the contractor that has been selected to manufacture the escrow encryption semiconductor chips that are called for in the standard. Each of these matters is addressed in turn below.

1. Costs

A number of comments were received concerning the possible cost of implementing the Escrowed Encryption Standard. Thus, one government agency, two industry organizations and nine individuals expressed concern about the cost of administration of the escrow database, or about the cost, availability, implementation and maintenance of the equipment needed to support the standard. Indeed, one Federal organization said that it did not support the standard because there would be an adverse impact if the organization had to replace or modify its current equipment. An industry organization suggested that the standard would impose costs on the private sector if private parties need to use the standard to communicate with the government.

NIST estimates the cost of establishing the escrow system to be approximately $14 million. The cost of operating the key escrow facility is estimated to be $16 million annually. These cost figures are based upon a number of factors.

NIST notes that use of the standard is voluntary for Federal agencies, and that agencies are not required to implement it. Agencies will determine whether to use this standard based on their analyses of the risk of unauthorized disclosure of their sensitive data and the cost of using this standard to protect the data. NIST does not expect the wholesale replacement of the current base of equipment that conforms to FIPS 46-2, Data Encryption Standard. Rather, the implementation of this standard appears most likely to occur as the Federal government replaces old and obsolete equipment.
NIST believes that as the Federal government replaces old and obsolete equipment, the additional costs of implementing this standard in electronic devices will prove to be negligible compared to the costs of equivalent encryption protection which would be implemented in encryption devices which do not comply with this standard.

NIST also notes that the standard has no direct applicability to entities that do not operate Federal computer systems. Thus, businesses, universities and other nonprofit organizations and individual citizens are free to use products that conform to the standard, or to ignore the standard if they see fit.

2. Competitiveness

Eight industry organizations and 28 individuals said that the standard will reduce the competitiveness of U.S. computer hardware and software companies in foreign markets.

NIST notes that approval of the Escrowed Encryption Standard will not prevent U.S. manufacturers from making other encryption products for the private sector. While export controls may affect the sales of U.S. encryption products abroad, key escrow products are already exportable to U.S. industry and individuals operating abroad in accordance with proper export licensing through the Department of State. Further, a comprehensive policy review on commercial encryption is now underway by the Administration. This review will consider, among other topics, broader export options for key escrow products. Again, approval of the Escrowed Encryption Standard for broader export will not restrict exports of other encryption products. The overseas market for these products will depend on a variety of factors including any restrictions other countries place on imports of encryption technology.

3. Unfair Competitive Advantage

One industry organization and two individuals said that the standard gives an economic advantage to the one company that has been selected by the Government to date to manufacture semiconductor chips which conform to this standard.
NIST notes that the company that designed the microcircuit was selected because of its expertise in design of custom cryptographic chips, its secure facilities, and employment of cleared personnel. The company that developed the microcircuit was selected for its technological capabilities to fabricate microcircuits resistant to reverse engineering. Other manufacturers that wish to enter the market and can satisfy the technology and security requirements will be approved to manufacture the microcircuits.

E. Technical Recommendations and Editorial Changes

A wide range of technical issues was raised in the public comment process. Each issue and a NIST response follow below.

Four industry organizations and 7 individuals said that the required hardware implementation of the escrowed encryption standard was not optimum. Software implementation would be more useful and cost effective. NIST notes that because software is easy to change, secure software implementations of the key escrow technique have been difficult to devise. On August 24, 1993 (58 F.R. 44662) NIST invited the participation of the software industry in cooperative efforts to meet this challenge. Several organizations have indicated that they wish to collaborate with NIST in this area. NIST will try to establish cooperative partnerships to investigate the implementation of the EES in software.

Three Federal government organizations and one individual said that applicability of the standard should not be restrictive, and that it should allow for other applications and data rates. NIST notes that the scope of applicability was established to address the immediate need for improved telephone security while preserving the law enforcement capability of decrypting intercepted telecommunications that have been lawfully authorized. Use of the standard is voluntary. Use of the standard for other purposes is not prohibited in the standard.

One individual stated that the standard should require two or more escrow agents and that the standard should state that all the components of the device unique key are independent and all are needed to form the key. A change was made to state that the Device Unique Key shall be composed of two components (each 80 bits long) and each component shall be independently generated and stored by an escrow agent. This change provides for the two escrow agents envisioned by the Department of Justice, and two key components, each 80 bits long.

One individual said that the name of Device Identifier (DID) should be device Unique Identifier (UID). Since DID is used elsewhere for another purpose, NIST changed the name of Device Identifier (DID) to device Unique Identifier (UID).

One individual said that the standard should provide for access to both sides of a real-time conversation. NIST notes that if the two keys are different, either a law enforcement official must obtain a court order for both parties of a two-way communication or it can only decrypt one part of a conversation. Therefore, the standard was changed to state that the session key used to encrypt transmitted information shall be the same as the session key used to decrypt received information in a two-way simultaneous communication.

One industry organization said that the standard should specify a register for Leaf Creation Methods. NIST changed the standard to state that the Leaf Creation Method (LCM) shall be registered in the NIST Computer Security Object Register (e.g., LCM-1). Additional LCM's may be created in the future.

One industry organization said that the Cryptographic Protocol Field (CPF) has not been defined and should be removed from the standard since it is an incomplete specification. NIST changed the standard to state that the Cryptographic Protocol Field (CPF) shall be registered in the NIST Computer Security Object Register. This will enable the details on the CPF to be formalized later.

Four Federal government organizations and two individuals said that the standard is not an interoperability standard, that it does not specify parameter lengths and formats and placement in communications, and that the standard provides insufficient technical information for implementation. NIST added information to the standard to explain that it is not an interoperability standard. It does not provide sufficient information to design and implement a security device or equipment. Other specifications and standards will be required to assure interoperability of EES devices in various applications. Specifications of a particular EES device must be obtained from the manufacturer in order to use it in an application.

One industry commenter said that the standard should specify a register of family keys, such as "FBI Family Key 1," to provide some assurance of interoperability. NIST changed the standard to state that the family key shall have an identifier (KF-ID). The identifier of a family key shall be registered in the NIST Computer Security Object Register. As a result, if more than one family key exists (reasonable assumption), it should be identified so that law enforcement agencies can decrypt the LEAF.

One industry organization and one individual stated that the standard should reference technical specifications explicitly (even if they are classified). NIST changed the standard to provide specific information on how to obtain the technical specifications for the SKIPJACK algorithm and the LEAF Creation Method 1.

One industry organization said that parameters (input, output, status, errors) are not specified in the standard, and that diversity of sources of implementations cannot be established. NIST notes that various devices meeting this standard are anticipated. Therefore, the implementations will depend on a number of factors, including physical, electrical and application requirements.

One industry organization said that the standard should state that DID is transmitted in the LEAF. NIST notes that the standard does state this.

One individual said that the reverse engineering protection for the algorithm is not perfect. NIST notes that the standard specifies that the encryption algorithm and the LEAF creation method shall be implemented in electronic devices highly resistant to reverse engineering. It does not specify how the reverse engineering is to be prevented (or deterred). It also does not specify a metric for measuring the prevention (or deterrence). These are difficult to quantify and to specify and depend greatly on the implementation. A study is being performed to evaluate the protection provided by one of the current implementations of the standard (MYK-78). Estimates of the protection provided are 1-4 years of protection against attacks by specialized laboratories investing $1M to $4M.

One industry organization stated that 2**80 keys is sufficient for session key, but it is not sufficient for lifetime keys (family and unique keys). NIST notes that the length of the family key and the device unique key are presently 80 bits for the SKIPJACK algorithm. The session key is also 80 bits. While the security lifetime of a session key is normally much shorter than the security lifetime of a master key (also called Key Encrypting Key), it is convenient to use keys of the same length for all purposes. Present implementations of the EES use one length key for all three types of keys (i.e., 80 bits). This is expected to be sufficiently long for unclassified data encryption for many years. However, the length of the family key and device unique key can be increased in future implementations and future LEAF creation methods. Some provisions for these have been made in the standard.


One industry organization was concerned that disclosure of the Device Unique Key could allow decryption of ALL information ever encrypted with that device (all past and all future), and that this condition could technically be prevented. NIST believes that key escrow procedures intended to administratively control the use of the Device Unique Key are outside the scope of the standard. Technical controls were not included in the initial design of the MYK-78 but could be added in future designs.

One individual was concerned that two party control is not truly implemented in the "chip." NIST acknowledges that two party control was not in the original design criteria of the chip. Administrative controls are to be used to assure two party control for the present design. This two party control feature could be added to future designs.

One individual said that one "tamperproofing session" is supported by the Mykotronx implementation of the EES. However, the second escrow agent entering a key could read the first escrow agent's key and hence have both keys. NIST notes that the present method of reverse engineering protection provides for one "programming session" in which device unique parameters are put into the device. The parameters are "locked" after being entered and verified. The present technology allows this to be done only once. Other technologies may be developed which allow two or more independent "programming sessions" which prevent reading of previously entered parameters while other parameters are being entered. Future implementations may have this feature but such requirements at the present time are outside the scope of this standard.

One industry organization recommended that the following should be put into the standard: "The Session Key (80 bits) shall be encrypted with the device Unique Key. The encrypted Session Key is concatenated with the Device Identifier (DID) (xx bits) and the Escrow Authenticator (EA) (yy bits).
This result is then encrypted with the Family Key to generate a 128 bit LEAF. The 128 bit LEAF along with a 64 bit Initialization Vector shall be transmitted with the cipher text." NIST acknowledges that this is a general description of the LEAF creation method specified in this standard. The complete specifications are classified. Classified specifications must be obtained in order to implement the standard. Users of devices meeting this standard do not need to know the specifics of the LEAF creation method in order to use security devices meeting this standard. There is, therefore, no purpose in providing this general specification in the standard.

One industry organization recommended that Modes of Operation be developed for the EES, including Counter Addressing or Long Cycle Mode, and that the LFSR should be included. NIST notes that four modes of operation are specified in FIPS-81. Subsets of these four modes are specified in the EES. Other subsets are implemented in various devices implementing this standard. For example, the Output Feedback (OFB) mode is implemented in the MYK-78T while all subsets specified in the standard are implemented in the MYK-80. The Linear Feedback Shift Register (LFSR) mode has been used in some devices but was not included in the Modes of Operation for DES. OFB can be used in the same applications. National security interests were considered when selecting the modes of operation.

One industry organization said that the standard should state the length of the Family Key. NIST notes that the length of the family key (80 bits) may increase in future implementations, and therefore flexibility is needed in the standard.

Samuel Kramer, Associate Director
____________________________ Date
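
The general LEAF layout quoted in the comments above, and the concern that one Device Unique Key opens every session from a device, can be traced in a short sketch; this is an added illustration, not part of the notice or of the classified specification. Assumptions: SKIPJACK and the real authenticator are replaced by SHA-256 stand-ins, the 32/16-bit DID/EA split stands in for the widths the page leaves as xx and yy, and all keys and identifiers are constructed sample values.

```python
import hashlib

KEY_BITS, LEAF_BITS = 80, 128  # key and LEAF sizes quoted on the page

def _xor_cipher(key, label, data):
    """Stand-in for the classified cipher (NOT SKIPJACK): SHA-256 keystream XOR."""
    stream = hashlib.sha256(label + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _authenticator(session_key, iv, ea_bits):
    """Stand-in escrow authenticator (assumption): truncated SHA-256."""
    digest = hashlib.sha256(b"EA" + session_key + iv).digest()
    return int.from_bytes(digest, "big") >> (256 - ea_bits)

def make_leaf(session_key, unique_key, family_key, did, iv, did_bits=32, ea_bits=16):
    """E_family( E_unique(session key) || DID || EA ) as a 16-byte LEAF."""
    if KEY_BITS + did_bits + ea_bits != LEAF_BITS:
        raise ValueError("fields must fill the 128-bit LEAF exactly")
    if len(session_key) * 8 != KEY_BITS or not 0 <= did < (1 << did_bits):
        raise ValueError("bad session key length or DID out of range")
    wrapped = int.from_bytes(_xor_cipher(unique_key, b"KU", session_key), "big")
    ea = _authenticator(session_key, iv, ea_bits)
    inner = (wrapped << (did_bits + ea_bits)) | (did << ea_bits) | ea
    return _xor_cipher(family_key, b"KF", inner.to_bytes(LEAF_BITS // 8, "big"))

def open_leaf(leaf, family_key, escrowed_keys, iv, did_bits=32, ea_bits=16):
    """Authorized recovery: family key exposes the DID, escrowed key unwraps KS."""
    inner = int.from_bytes(_xor_cipher(family_key, b"KF", leaf), "big")
    ea = inner & ((1 << ea_bits) - 1)
    did = (inner >> ea_bits) & ((1 << did_bits) - 1)
    wrapped = (inner >> (did_bits + ea_bits)).to_bytes(KEY_BITS // 8, "big")
    session_key = _xor_cipher(escrowed_keys[did], b"KU", wrapped)
    if ea != _authenticator(session_key, iv, ea_bits):
        raise ValueError("escrow authenticator mismatch")
    return did, session_key

def demo():
    """Two sessions from one device: the same escrowed key opens both."""
    family_key, unique_key = bytes(range(10)), bytes(range(10, 20))  # constructed
    did = 0x00C0FFEE                                                 # constructed
    escrow = {did: unique_key}
    results = []
    for n in (1, 2):
        ks = hashlib.sha256(b"session %d" % n).digest()[:10]
        iv = bytes([n]) * 8  # 64-bit IV sent alongside the LEAF
        leaf = make_leaf(ks, unique_key, family_key, did, iv)
        results.append(open_leaf(leaf, family_key, escrow, iv) == (did, ks))
    return results
```

Because the session key is wrapped only under the Device Unique Key, nothing in the LEAF itself limits recovery to a single session, which is why the responses above rely on administrative controls.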