DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Contents 1 INTRODUCTION............................................................................................................. 1 1.1 DataTraveler 6000 Overview........................................................................................... 2 DataTraveler 6000 Environmental Range ................................................................. 2 1.2 1.3 DataTraveler 6000 Implementation ................................................................................. 2 1.4 DataTraveler 6000 Cryptographic Boundary and Tamper Inspection ............................. 3 1.5 Approved Mode of Operations ........................................................................................ 3 2 FIPS 140-2 SECURITY LEVELS .................................................................................... 4 3 SECURITY RULES ......................................................................................................... 4 3.1 FIPS 140-2 Imposed Security Rules ................................................................................ 5 3.2 Kingston Imposed Security Rules.................................................................................... 8 3.3 Identification and Authentication Policy ......................................................................... 9 4 DATATRAVELER 6000 ROLES AND SERVICES ............................................................. 9 4.1 Roles ................................................................................................................................ 9 4.2 Services .......................................................................................................................... 10 5 IDENTIFICATION AND AUTHENTICATION .................................................................. 12 5.1 Initialization Overview .................................................................................................. 12 5.2 Operator Authentication ................................................................................................ 12 5.3 Generation of Random Numbers ................................................................................... 12 5.4 Strength of Authentication ............................................................................................. 12 6 ACCESS CONTROL ...................................................................................................... 14 6.1 Critical Security Parameters (CSPs) and Public Keys ................................................... 14 6.2 CSP Access Modes ........................................................................................................ 15 6.3 Access Matrix ................................................................................................................ 16 7 SELF-TESTS ................................................................................................................ 17 8 MITIGATION OF OTHER ATTACKS ............................................................................ 18 9 ACRONYMS AND REFERENCES ................................................................................... 19 ii DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 1 Introduction This Security Policy specifies the security rules under which the DataTraveler 6000 operates. Included in these rules are those derived from the security requirements of FIPS 140-2 and additionally, those imposed by Kingston. These rules, in total, define the interrelationship between: 1. Operators, 2. Services, and 3. Critical Security Parameters (CSPs). Figure 1 DataTraveler 6000 (Topside) Figure 2 DataTraveler 6000 (Underside) 1 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 1.1 DataTraveler 6000 Overview The DataTraveler 6000 enables security critical capabilities such as operator authentication and secure storage in rugged, tamper-evident hardware. The DataTraveler 6000 communicates with a host computer via the USB interface. DataTraveler 6000 protects data for government, large enterprises, small organizations, and home users. Key features:  Encryption technology uses Suite B algorithms approved by the U.S. government for protecting both Unclassified and Classified data  Encrypted file storage on non-removable flash card  Strong protection against intruder attacks Access protection is as important as encryption strength. Data encrypted with DataTraveler 6000 cannot be decrypted until the authorized user gains access to the device. 1.2 DataTraveler 6000 Environmental Range The DataTraveler 6000 operates in the following temperature range: -20 degrees C. to 65 degrees C. The epoxy hardness was evaluated at the normal operating temperature range extremes of -20 degrees to 65 degrees Celsius inclusive, as well as at ambient temperature. No penetration to the underlying components of the module was possible utilizing Level 3 physical security testing techniques. 1.3 DataTraveler 6000 Implementation The DataTraveler 6000 is implemented as a multi-chip standalone module as defined by FIPS 140-2. The FIPS 140-2 module identification data for the DataTraveler 6000 is shown in the table below: Part Number FW Version HW Version 880074002F 03.00.0C 02.00.01 880074003F 03.00.0C 02.00.01 880074004F 03.00.0C 02.00.01 The DataTraveler 6000 is available with a USB interface compliant to the Universal Serial Bus Specification, Revision 2.0, dated 23 September 1998. All Interfaces have been tested for compliance with FIPS 140-2. 2 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 1.4 DataTraveler 6000 Cryptographic Boundary and Tamper Inspection The Cryptographic Boundary is defined to be the outer perimeter of the hard, opaque epoxy potting. Please see Figure 1. The operator detects physical attacks against the module by direct physical inspection. If the module is packaged in a plastic case or similar outer coating that is not inside the cryptographic boundary, any sign of entry, cracking, breakage or damage to the case due to prying or forcing using a sharp tool may require further inspection to confirm whether a penetration attack has taken place on the module's epoxy coating. The epoxy coating will either show tamper evidence or not. If it shows tamper evidence, the module has been compromised and the operator must treat the device in accordance with organizational security policy. This would include issuance of a new device. If it does not show tamper evidence, the operator may continue to use the device in accordance with organizational security policy. No hardware, firmware, or software components that comprise the DataTraveler 6000 are excluded from the requirements of FIPS 140-2. 1.5 Approved Mode of Operations The DataTraveler 6000 operates only in a FIPS Approved mode. The indicator that shows the operator that the module is in the Approved mode is the “GetCapabilities” command, which shows the module’s firmware and hardware versions as well as the product indicator. The DataTraveler 6000 supports the FIPS 140-2 Approved algorithms in Table 1- 1 below and the following allowed algorithms:  EC Diffie-Hellman (ECDH) for key agreement as allowed by FIPS 140-2 Implementation Guidance D.2 (key agreement; key establishment methodology provides between 128, 192 or 256 bits of encryption strength).  NDRNG to seed the FIPS 186-2 Approved RNG. Table 1-1 Approved Algorithms supported by the DataTraveler 6000 Encryption & Decryption AES-128/192/256 (Certs. #1259, #1260, #1261, #1262, #1263, and #1264) Digital Signatures ECDSA, key sizes: 256, 384, 521 (Certs. #147, #148, and #149) 3 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Hash SHA-224, SHA-256, SHA-384, SHA-512 (Certs. #1155, #1156, #1157, #1158,#1159, and #1160) SHA-1 (Certs. #1161, #1162, and #1163) DRBG HASH_DRBG (SP 800-90) (Certs. #29, #30, and #31) RNG for Seeding FIPS 186-2 (Certs. #703, #704, and #705) 2 FIPS 140-2 Security Levels The DataTraveler 6000 cryptographic module complies with the requirements for FIPS 140-2 validation to the levels defined in Table 2.1. The FIPS 140-2 overall rating of the DataTraveler 6000 is Level 3. Table 2-1 FIPS 140-2 Validation Levels FIPS 140-2 Category Level 1. Cryptographic Module Specification 3 2. Cryptographic Module Ports and Interfaces 3 3. Roles, Services, and Authentication 3 4. Finite State Model 3 5. Physical Security 3 6. Operational Environment N/A 7. Cryptographic Key Management 3 8. EMI/EMC 3 9. Self-tests 3 10. Design Assurance 3 11. Mitigation of Other Attacks N/A 3 Security Rules The DataTraveler 6000 enforces the following security rules. These rules are separated into two categories: 1) rules imposed by FIPS 140-2; and 2) rules imposed by Kingston. 4 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 3.1 FIPS 140-2 Imposed Security Rules Table 3-1 FIPS 140-2 Policies and Rule Statements Policy Rule Statement The DataTraveler 6000 shall obscure feedback Authentication Feedback of authentication data to an operator during authentication (e.g., no visible display of characters result when entering a password). The DataTraveler 6000 shall enforce Identity- Authentication Mechanism Based authentication. The DataTraveler 6000 shall ensure that Authentication Strength (1) feedback provided to an operator during an attempted authentication shall not weaken the strength of the authentication mechanism. The DataTraveler 6000 shall satisfy the Authentication Strength (2) requirement for a single–attempt false acceptance rate of no more than one in 1,000,000 authentications. The DataTraveler 6000 shall satisfy the Authentication Strength (3) requirement for a false acceptance rate of no more than one in 100,000 for multiple authentication attempts during a one minute interval. The DataTraveler 6000 shall be under a Configuration Management configuration management system and each configuration item shall be assigned a unique identification number. The DataTraveler 6000 shall protect all CSPs CSP Protection from unauthorized disclosure, modification, and substitution. The DataTraveler 6000 shall conform to the Emissions Security EMI/EMC requirements specified in FCC Part 15, Subpart B, Class B. The DataTraveler 6000 shall inhibit all data Error State (1) output via the data output interface whenever an error state exists and during self-tests. 5 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Policy Rule Statement The DataTraveler 6000 shall not perform any Error State (2) cryptographic functions while in an Error State. The DataTraveler 6000 documentation shall Guidance Documentation provide Administrator and User Guidance per FIPS 140-2, Section 4.10.4. The DataTraveler 6000 shall contain production Hardware Quality quality ICs with standard passivation. The DataTraveler 6000 interfaces shall be Interfaces (1) logically distinct from each other. The DataTraveler 6000 shall support the Interfaces (2) following five (5) interfaces:  data input  data output  control input  status output  power interface The DataTraveler 6000 shall provide that: a key Key Association entered into, stored within, or output from the DataTraveler 6000 is associated with the correct entity to which the key is assigned. The DataTraveler 6000 shall logically disconnect Logical Separation the output data path from the circuitry and processes performing the following key functions:  key generation,  key zeroization The DataTraveler 6000 services shall indicate Mode of Operation that the module is in an approved mode of operation with a standard success return code and the output of the “GetCapabilities” command. The DataTraveler 6000 shall protect public keys Public Key Protection against unauthorized modification and substitution. The DataTraveler 6000 shall re-authenticate an Re-authentication identity when it is powered-up after being 6 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Policy Rule Statement powered-off. The DataTraveler 6000 shall use a ‘seed input’ RNG Strength into the deterministic random bit generator of sufficient length that ensures at least the same amount of operations are required to determine the value of the generated key. The DataTraveler 6000 source code shall be Secure Development (1) annotated. The DataTraveler 6000 software shall be Secure Development (2) implemented using a high-level language except that limited use of a low-level language is used to enhance the performance of the module. The DataTraveler 6000 documentation shall Secure Distribution include procedures for maintaining security while distributing and delivering the module. The power-up tests shall not require operator Self-tests (1) intervention in order to run. The DataTraveler 6000 shall perform the self- Self-tests (2) tests identified in Section 7. The DataTraveler 6000 shall enter an Error Self-tests (3) State and output an error indicator via the status interface whenever self-test is failed. The DataTraveler 6000 shall provide the Services following services: (see Reference Table 4.2). The DataTraveler 6000 shall apply a SHA-384 Software Integrity hash to check the integrity of all firmware components The DataTraveler 6000 shall provide an Status Output indication via the “GetUserState” command if all of the power-up tests are passed successfully. The module also provides status via the LED. The DataTraveler 6000 shall use a key Strength of Key establishment methodology that ensures at least Establishment 7 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Policy Rule Statement the same amount of operations are required to determine the value of the transported/agreed upon key. The DataTraveler 6000 shall protect the Unauthorized Disclosure following keys from unauthorized disclosure, modification and substitution:  secret keys  private keys The DataTraveler 6000 shall provide a Zeroization (1) zeroization mechanism that can be performed either procedurally by the operator or automatically by the DataTraveler 6000 interface software on the connected host platform. The DataTraveler 6000 shall provide the Zeroization (2) capability to zeroize all plaintext cryptographic keys and other unprotected critical security parameters within the DataTraveler 6000 (HPC140-F). 3.2 Kingston Imposed Security Rules Table 3-2 Kingston Imposed Policies and Rule Statements Policy Rule Statement The DataTraveler 6000 shall not support multiple Single User Session concurrent operators. The DataTraveler 6000 shall not provide a No Maintenance Interface maintenance role/interface. The DataTraveler 6000 shall not support a No Bypass Mode bypass mode. 8 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 3.3 Identification and Authentication Policy The table below describes the type of authentication and the authentication data to be used by operators, by role. For a description of the roles, see section 4.2. Table 3-3 Identification and Authentication Roles and Data Role Type of Authentication Data Authentication Identity-based Service and ECDSA Administrator (CO) Signature (384-bits) Identity-based Service and PIN User (minimum 7 to 262 characters) 4 DataTraveler 6000 Roles and Services 4.1 Roles The DataTraveler 6000 supports two roles, Administrator (Crypto Officer) and User, and enforces the separation of these roles by restricting the services available to each one. Each role is associated with a single user identity, namely the service that has been requested and is associated with the role. Table 4-1 Roles and Responsibilities Role Responsibilities The Administrator is responsible for performing Firmware Administrator Updates and setting configuration of the DataTraveler 6000 (HPC140-F). The DataTraveler 6000 validates the Administrator identity by way of a signature before accepting any FirmwareUpdate or SetConfiguration commands. The User role is available after the DataTraveler 6000 has User been initialized. The user can load, generate and use secret keys for encryption services. The DataTraveler 6000 validates the User identity by password before access is granted. 9 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 4.2 Services The following table describes the services provided by the DataTraveler 6000. Table 4-2 DataTraveler 6000 Services Service CO User Unauthen- Description ticated X Changes User ChangePassword Password X Formats the mounted Format CDROM X X X Returns the current GetCapabilities capabilities of the system including: global Information, Sector storage size and the product name. This service provides a response that indicates the approved mode of operation (see Section 3.1). X X X Returns the card GetConfig configuration structure X X X Returns the state and GetUserState the Logon attempts remaining. X Generates a new Initialize encryption key and changes the PIN. Secure channel is required. Formats the media. X Log Off; Return to LogOff unauthenticated state. X Log on with the user LogOn PIN if system is initialized. 10 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Service CO User Unauthen- Description ticated X Allows the CDROM MountCDROM drive to be mounted as the read/write drive. This permits the CDROM software to be updated by a user application. X Read user media from ReadMedia SCSI drive. X X X Get a block of data ReadUserArea from a specified user area. X X X Pass/Fail Test of SelfTest DataTraveler 6000. Will run the Power On Self Tests again. X Writes the card SetConfig configuration structure if the signature on the structure is valid X X X Initializes secure SetupBasicSecureCha channel. nnel X Writes signed blocks UpdateFirmware to the firmware area of the module X Writes user media to WriteMedia SCSI drive. X Write a block of data WriteUserArea to a specified user area. All areas will require the token to be logged on for writes and updates X X Clears the encryption Zeroize keys. Requires the Initialize command to be run again. 11 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 5 Identification and Authentication 5.1 Initialization Overview The DataTraveler 6000 modules are initialized at the factory to be in the zeroized state. Before an operator can access or operate a DataTraveler 6000, the User must first initialize the module with a User ID and PIN. 5.2 Operator Authentication Operator Authentication is accomplished by PIN entry by the User or valid ECDSA signature by the CO. Once valid authentication information has been accepted, the DataTraveler 6000 is ready for operation. The DataTraveler 6000 stores the number of User logon attempts in non-volatile memory. The count is reset after every successful entry of a User PIN. If an incorrect PIN is entered during the authentication process, the count of unsuccessful logon attempts is incremented by one. If the User fails to log on to the DataTraveler 6000 in 10 consecutive attempts, the DataTraveler 6000 will block the user’s access to the module, by transitioning to the blocked state. To restore operation to the DataTraveler 6000 (HPC140-F), the User will have to zeroize the token and reload the User PIN and optional details. When the DataTraveler 6000 is inserted after zeroization, it will power up and transition to the Zeroized State, where it can be initialized. 5.3 Generation of Random Numbers The Random Number Generators are not invoked directly by the user. The Random Number output is generated by the HASH-DRBG algorithm specified in SP 800-90 in the case of static private keys and associated key wrapping keys, ephemeral keys and symmetric keys. 5.4 Strength of Authentication The strength of the authentication mechanism is stated in Table 5-1 below. 12 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Table 5-1 Strength of Authentication Authentication Mechanism Strength of Mechanism User Single PIN-entry attempt / False The probability that a random PIN-entry Acceptance Rate attempt will succeed or a false acceptance will occur is 1.66 x10-14. The requirement for a single–attempt / false acceptance rate of no more than 1 in 1,000,000 (i.e., less than a probability of 10-6) is therefore met. User Multiple PIN-entry attempt in one DataTraveler 6000 authentication minute mechanism has a feature that doubles the time of authentication with each successive failed attempt. There is also a maximum bound of 10 successive failed authentication attempts before zeroization occurs. The probability of a successful attack of multiple attempts in a one minute period is 1.66 x10-13 due to the time doubling mechanism. This is less than one in 100,000 (i.e., 1 105 ), as required. Crypto-Officer Single attempt / False The probability that a random ECDSA Acceptance Rate signature verification authentication attempt will succeed or a false acceptance will occur is 1/2^192. The requirement for a single–attempt / false acceptance rate of no more than 1 in 1,000,000 (i.e., less than a probability of 10-6) is therefore met. Crypto-Officer Multiple Signature The probability of a successful attack of verification attempt in one minute multiple ECDSA signature authentication attempts in a one minute period is 1/2^192. The computational power needed to process this is outside of the ability of the module. This is less than one in 100,000 (i.e., 1 105 ), as required. 13 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 6 Access Control 6.1 Critical Security Parameters (CSPs) and Public Keys Table 6-1 DataTraveler 6000 CSPs CSP Designation Algorithm(s) / Symbolic Description Standards Form de,U SP 800-56A ECDH ephemeral private key used to Disk Ephemeral Private generate shared secret. DKEK AES 256 AES key used to unwrap the Disk Disk Key Encryption Encryption Key (DEK). Key (DKEK) DEK AES 512 A pair of AES 256 keys. The Drive Encryption Key concatenated value is used to encrypt (DEK) and decrypt the User’s encrypted drive. S SP 800-90 FIPS 186-2-generated seed used to Hash-DRBG Seed seed the Hash-DRBG RNG. sHDRBG SP 800-90 Hash_DRBG state value Hash-DRBG State MEK AES 256 AES 256 wraps / unwraps user’s static Master Encryption Key private keys in storage. (MEK) de,SCHP SP 800-56A ECDH Ephemeral Transport Private Secure Channel HYDRA Private kSCSK SP 800-56A ECDH / AES key used to encrypt and Secure Channel decrypt commands and responses to Session Key and from the card. PIN The user’s 7 character PIN for User PIN authentication to the module dECDSA,s,U X9.62 ECDSA Static Signature private key User’s Static Signature Private ds,U SP 800-56A ECDH Static Transport private key User’s Static Transport Private Hardware RNG Seed Seed value generated for use with the FIPS 186-2 RNG Seed RNGs. 14 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Table 6-2 DataTraveler 6000 Public Keys Key Description/Usage Algorithm(s) Standards ANSI X9.62 The ECDSA P-384 public Key is used to Configuration Update Key verify the signature of the CO before the settings are changed ANSI X9.62 The ECDSA P-384 public Key is used to Card Firmware Update Key verify the signature of the CO before loading firmware. SP 800-56A ECDH Ephemeral Transport Public P384. Disk Ephemeral Public The key is used to generate a shared secret using ECDH with the User’s Static Transport Private key. SP 800-56A ECDH Ephemeral Transport Public P256 Secure Channel Host Public SP 800-56A ECDH Ephemeral Transport Public P256. Secure Channel HYDRA Public The key is used to generate a shared secret between the host and the card. SP 800-56A ECDH Static Signature Public P384. The User’s Static Signature Public key for ECDSA. SP 800-56A ECDH Static Transport Public P384. The User’s Static Transport Public key for ECDH. 6.2 CSP Access Modes Table 6-3 DataTraveler 6000 Access Modes Access Type Description Generate (G) “Generate” is defined as the creation of a CSP Delete (D) “Delete” is defined as the zeroization of a CSP Use (U) “Use” is defined as the process in which a CSP is employed. This can be in the form of loading, encryption, decryption, signature verification, or key wrapping. 15 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 6.3 Access Matrix The following table shows the services (see section 4.2) of the DataTraveler 6000 (HPC140-F), the roles (see section 4.1) capable of performing the service, the CSPs (see section 6.1) that are accessed by the service and the mode of access (see section 6.3) required for each CSP. The following convention is used: if the role column has an ‘X’, then that role may execute the command. Table 6-4 DataTraveler 6000 Access Matrix Service Name Roles Access to Critical Security Parameters CSPs Access Mode Admin User kSCSK ChangePassword X U ds,U U dECDSA,s,U U de,U, U DKEK G, U, D DEK U PIN D,G de,U Format X G, U, D DKEK, G,U,D DEK G,U GetCapabilities X X GetConfiguration X X GetUserState X X kSCSK Initialize X U ds,U G dECDSA,s,U G de,U, G, U, D DKEK G, U, D DEK G MEK U LogOff X kSCSK LogOn X U ds,U U DKEK G,U,D DEK U PIN U DEK MountCDROM X U DEK ReadMedia X U ReadUserArea X X s, sHDRBG, SelfTest X X G 16 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 Service Name Roles Access to Critical Security Parameters CSPs Access Mode Admin User ds,U SetConfiguration X D dECDSA,s,U D D DEK de,SCHP SetupBasicSecureChannel X G,D kSCSK G,D ds,U UpdateFirmware X D dECDSA,s,U D DEK D DEK WriteMedia X U WriteUserArea X ds,U Zeroize X X D dECDSA,s,U D DEK D 7 Self-Tests The module performs both power-on and conditional self-tests. The module performs the following power-on self-tests:  Cryptographic Algorithm Tests: - AES-128, 192, 256 KATs - ECDSA-256, 384, 521 KATs - EC-Diffie-Hellman-256, 384, 521 KATs - SHA-224 KAT - SHA-256 KAT - SHA-384 KAT - SHA-512 KAT - HASH-DRBG KAT - FIPS 186-2 RNG KAT (includes SHA-1 KAT)  Firmware Test - SHA-384 Hash The module performs the following Conditional Tests:  Firmware Load Test - ECDSA P-384 signed SHA-384 hash verification  Pairwise Consistency Test - ECDSA key pair generation - EC-Diffie-Hellman key pair generation  Continuous Random Number Generator Test - HASH-DRBG SP800-90 - FIPS 186-2 RNG - NDRNG 17 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 8 Mitigation of Other Attacks No claims of mitigation of other attacks listed in Section 4.11 of FIPS 140-2 by the DataTraveler 6000 are made or implied in this document. 18 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 9 Acronyms and References Acronyms Advanced Encryption Standard AES Cipher Block Chaining CBC Critical Security Parameter CSP Differential Power Analysis DPA Deterministic Random Bit Generator DRBG Digital Signature Algorithm DSA Electronic Code Book ECB Elliptic Curve Diffie Hellman ECDH Elliptic Curve Digital Signature Algorithm ECDSA Elliptic Curve Menezes-Qu-Vanstone ECMQV Electromagnetic Compatibility EMC Electromagnetic Interface EMI File Encryption Key FEK Federal Information Processing Standard FIPS Host Authentication Code HAC Master Key Encryption Key MKEK Non-deterministic Random Number Generator NDRNG Personal Computer PC Printed Circuit Board PCB Personal Identification Number PIN Random Number Generator RNG Rivest, Shamir and Adleman Algorithm RSA Secure Digital (flash memory card) SD Secure Digital High-capacity SDHC Secure Hash Algorithm SHA Simple Power Analysis SPA Solid-state Drive SSD Universal Serial Bus USB 19 DataTraveler 6000 Security Policy Version 0.2 August 30, 2010 References FIPS PUB 140-2, Change Notice, FIPS 140-2 Federal Information Processing Standards Publication (Supersedes FIPS PUB 140-1, 1994 January 11) Security Requirements For Cryptographic Modules, Information Technology Laboratory, National Institute of Standards and Technology (NIST), Gaithersburg, MD, Issued May 25, 2001. FIPS PUB 186-2, (+ Change Notice), FIPS 186-2 Federal Information Processing Standards Publication DIGITAL SIGNATURE STANDARD (DSS), National Institute of Standards and Technology (NIST), Gaithersburg, MD, Issued 2000 January 27 NIST Special Publication 800-56A SP 800-56A Recommendation for Pairwise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), Barker, E., Johnson, D., Smid, M., Computer Security Division, NIST, March 2007. NIST Special Publication 800-90 SP 800-90 Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Barker, E., Kelsey, J., Computer Security Division, Information Technology Laboratory, NIST, June 2006. American National Standards Institute (ANSI) X9.62 Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), 2005. 20