News Bits



NIST requests comments re key derivation

The second draft of NIST SP 800-56C: Recommendation for Key Derivation through Extraction-then-Expansion is available for public comments. The initial draft was released in September 2010. This second version incorporates resolutions to the comments received during the first comment period.

This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure. NIST is in the process of modifying SP 800-56A and SP 800-56B to include the extraction-then-expansion key derivation procedure specified in this draft Recommendation (800-56C). You can find the second draft of NIST SP 800-56C at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-56-C.

Please submit comments to 800-56Ccomments@nist.gov with "Comments on SP 800-56C" in the subject line. The comment period closes on August 11, 2011.

 



US Dept of Defense Announces Cyber Operating Strategy, Signals More Offensive Action?

The US Department of Defense has issued a summary of its new cyber operating strategy: http://www.defense.gov/news/d20110714cyber.pdf. In an Associated Press article by Lisa Baldor from July 14, quoted in the Navy Times (http://www.navytimes.com/news/2011/07/ap-pentagon-publish-strategy-cyberspace-war-071411/), a Department spokesman indicated a desire to increase offensive operations:

"In an interview with a group of reporters Thursday before release of the document, Marine Gen. James Cartwright said the new strategy is focused on defending against attack, but he believes the U.S. government broadly and the Pentagon in particular need to develop offensive approaches that reduce incentives to attack U.S. computer systems. Cartwright is vice chairman of the Joint Chiefs of Staff.

"'If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's difficult' to stop that cycle, Cartwright said.

"He said the Pentagon currently focuses 90 percent of its cybersecurity effort on defense and 10 percent on offense. A better balance for the U.S. government as a whole would be 50-50, he said."