June 10, 2001
FYI - The FDIC Bank Technology Bulletin introduces three short documents containing practical ideas for banks to consider when they engage in technology outsourcing. They are for informational purposes only and should not be considered examination procedures or official guidance.
FYI - June 6, 2001 - Specially Designated Nationals and Blocked Persons - On May 16, 2001, the Secretary of State published in the Federal Register the notice that the following organization has been designated as a foreign terrorist organization: the "Real IRA" (a.k.a. "32 County Sovereignty Committee"; a.k.a. "32 County Sovereignty Movement"; a.k.a. "Irish Republican Prisoners Welfare Association"; a.k.a. "Real Irish Republican Army"; a.k.a. "Real Oglaigh Na Heireann"; a.k.a. "RIRA"). The name has also been added to the Department of the Treasury's Office of Foreign Assets Control (OFAC) listing of specially designated nationals and blocked persons as a foreign terrorist organization.
INTERNET COMPLIANCE - RECORD RETENTION
Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." We are covering the primary interrelated technologies, standards, and controls that presently exist to manage the risks of data privacy and confidentiality, data integrity, authentication, and non-repudiation.
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and asymmetric. With a symmetric key system (also known as a secret key or private key system), all parties have the same key. The key is used both to encrypt and to decrypt messages, and must be kept secret or the security is compromised. For the parties to get the same key, there has to be a way to securely distribute the key to each party. While this can be done, the security controls necessary make this system impractical for widespread and commercial use on an open network like the Internet. Asymmetric key systems can solve this problem.
In an asymmetric key system (also known as a public key system), two keys are used. One key is kept secret, and therefore is referred to as the "private key." The other key is made widely available to anyone who wants it, and is referred to as the "public key." The private and public keys are mathematically related so that information encrypted with the private key can only be decrypted by the corresponding public key. Similarly, information encrypted with the public key can only be decrypted by the corresponding private key. The private key, regardless of the key system utilized, is typically specific to a party or computer system. Therefore, the sender of a message can be authenticated as the private key holder by anyone decrypting the message with a public key. Importantly, it is mathematically impossible for the holder of any public key to use it to figure out what the private key is. The keys can be stored either on a computer or on a physically separate medium such as a smart card.
Regardless of the key system utilized, physical controls must exist to protect the confidentiality and access to the key(s). In addition, the key itself must be strong enough for the intended application. The appropriate encryption key may vary depending on how sensitive the transmitted or stored data is, with stronger keys utilized for highly confidential or sensitive data. Stronger encryption may also be necessary to protect data that is in an open environment, such as on a Web server, for long time periods. Because the strength of the key is determined by its length, the longer the key, the harder it is for high-speed computers to break the code.
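The three points above (one shared key in a symmetric system, a mathematically related key pair in an asymmetric system, and key length deciding how hard the key is to break) can be shown end to end in a few lines. The following Python is an added teaching example, not part of the FDIC text or any bank's system: the symmetric cipher is a constructed HMAC-SHA256 keystream, not a vetted standard, and the RSA key pair is textbook RSA built from two tiny constructed primes (10007 and 10009) so that the "breaking" step, recovering the private key from the public key by factoring, finishes instantly. Real deployments use key sizes where that step is computationally infeasible, which is exactly the point the passage makes.

```python
"""Symmetric vs. asymmetric key systems, illustrated with standard-library Python only."""
import hashlib
import hmac
from math import gcd, isqrt


# ---- Symmetric key system: every party holds the same secret key -------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream: HMAC-SHA256 run in counter mode. Not a standard cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the message with the keystream. The same key (and nonce) reverses it."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


# Decryption is literally the same operation with the same key: that shared key
# is what must be distributed securely to every party in advance.
symmetric_decrypt = symmetric_encrypt


# ---- Asymmetric key system: textbook RSA with a public/private key pair --------
def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d) from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible for these primes")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(private_key, message: bytes) -> int:
    """'Encrypting' a message digest with the private key: the sender's signature."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature, authenticating the key holder."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


# ---- Key length: why a tiny modulus is not "strong enough for the application" --
def factor_modulus(n: int):
    """Trial division. Trivial for an 8-digit n; infeasible for a 2048-bit one."""
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """Derive the private key from the public key alone, possible only because n is tiny."""
    n, e = public_key
    p, q = factor_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    shared_key, nonce = b"sixteen-byte-key", b"nonce-01"
    ct = symmetric_encrypt(shared_key, nonce, b"wire transfer approved")
    print("symmetric round trip:", symmetric_decrypt(shared_key, nonce, ct))

    pub, priv = rsa_keygen(10007, 10009)  # constructed tiny primes
    print("RSA round trip:", rsa_decrypt(priv, rsa_encrypt(pub, 42)))
    sig = rsa_sign(priv, b"statement 2001-06")
    print("signature verifies:", rsa_verify(pub, b"statement 2001-06", sig))
    print("recovered private key matches:", recover_private_key(pub) == priv)
```

Running the block prints that the symmetric and RSA round trips succeed, that the signature verifies with the public key, and that the private key falls out of the public key in a fraction of a second. The last line is the practical lesson behind "the longer the key, the harder it is to break": the factoring step scales with the size of the modulus, which is why key length is chosen according to the sensitivity of the data and how long it must stay protected.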
PRIVACY - Congress has vowed to make Internet privacy one of its top issues.