HostedDB - Dedicated UNIX Servers
fips191_19 FIPS PUB 191 •     granular privilege mechanism, 2.2.3 Data and Message Confidentiality The  data  and  message  confidentiality  service  can  be  used  when  the  secrecy  of  information  is necessary.   As a front line protection, this service may incorporate mechanisms associated with the access control service, but can also rely on encryption to provide further secrecy protection. Encrypting information converts it to an unintelligible form called ciphertext, decrypting converts the information back to its original form.   Sensitive information can be stored in the encrypted, ciphertext,  form.    In  this  way  if  the  access  control  service  is  circumvented,  the  file  may  be accessed but the information is still protected by being in encrypted form.  (The use of encryption may be critical on PCs that do not provide an access control service as a front line protection.) It is very difficult to control unauthorized access to LAN traffic as it is moved through the LAN. For most LAN users, this is a realized and accepted problem.  The use of encryption reduces the risk  of  someone  capturing  and  reading  LAN  messages  in  transit  by  making  the  message unreadable to those who may capture it.   Only the authorized user who has the correct key can decrypt the message once it is received. A  strong  policy  statement  should  dictate  to  users  the  types  of  information  that  are  deemed sensitive enough to warrant encryption.  A program level policy may dictate the broad categories of information that need to be stringently protected, while a system level policy may detail the specific types of information and the specific environments that warrant encryption protection. At whatever level the policy is dictated,   the decision to use encryption should be made by the authority within the organization charged with ensuring protection of sensitive information.   If a  strong  policy  does  not  exist  that  defines  what  information  to  encrypt,  then  the  data  owner should ultimately make this decision. Cryptography can be categorized as either secret key or public key.   Secret key cryptography is based on the use of a single cryptographic key shared between two parties .   The same key is used to encrypt and decrypt data.   This key is kept secret by the two parties.   If encryption of sensitive but unclassified information (except Warner Amendment information) is needed, the use of the Data Encryption Standard (DES), FIPS 46-2, is required unless a waiver is granted by the head of the federal agency.   The DES is a secret key algorithm used in a cryptographic system that  can  provide  confidentiality.     FIPS  46-2  provides  for  the  implementation  of  the  DES algorithm  in  hardware,  software,  firmware  or  some  combination.   This  is  a  change  from  46-1 which  only  provided  for  the  use  of  hardware  implementations.    For  an  overview  of  DES, information addressing the applicability of DES, and waiver procedures see [NCSL90]. Public key cryptography is a form of cryptography which make use of two keys: a public key and a private key.   The two keys are related but have the property that, given the public key, it 21