NIST reopens NSA-altered standards

The National Institute of Standards and Technology reopened the public comment period for already-adopted encryption standards that, according to leaked top-secret documents, were deliberately weakened by the National Security Agency.

Reopening the standards in question – Special Publication 800-90A, first approved by NIST in 2006 for federal and worldwide use, and the draft Special Publications 800-90B and 800-90C – gives the public a chance to weigh in again on random bit generation standards that NIST has already adopted or is preparing to adopt.

The move came Sept. 10, a swift response from NIST after several media outlets, including FCW, published articles that questioned the agency's cryptographic standards development process after the leaks surfaced.

"What's most troubling to me is [the reports] appeared to attack our integrity," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," Gallagher said, addressing what he called the "elephant in the room" at the summit. "We're committed that when there is a new issue or vulnerability identified, we address it."

If vulnerabilities are found in the encryption standards, NIST will work with the cryptographic community to address them as quickly as possible, Gallagher said.

Gallagher's comments echoed a public statement issued by NIST on the matter on the same day. The statement explained why the NSA works with NIST in developing certain cryptographic standards, even though NIST is charged with establishing standards for unclassified federal computer systems.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," the statement said. "NIST is also required by statute to consult with the NSA."

News reports from the New York Times and The Guardian, based on top-secret documents leaked by former NSA contractor Edward Snowden, indicate the NSA essentially "became the sole editor" of the NIST standard. Among the generators SP 800-90A specifies is Dual_EC_DRBG, an elliptic-curve deterministic random bit generator that has long been rumored to contain weaknesses known to the NSA. It is used by approximately 70 government vendors.

NIST's statement denies any intent on the agency's part while not denying that weaknesses may exist in the standards. "NIST would not deliberately weaken a cryptographic standard," the statement said.

To review the standards and comment, go to http://csrc.nist.gov/publications/PubsDrafts.html.

About the Author

Frank Konkel is a former staff writer for FCW.

Reader comments

Thu, Sep 12, 2013

There seems to be either universal blind faith that the govt is doing the right thing for its citizens or absolute distrust that even though intentions might be good, it is not possible to predict the negative outcome of govt actions, and therefore universal distrust. And of course it's all along party lines. Sad. Personally, I am swiftly moving from the former to the latter. There have been too many negative consequences for me to trust the govt as a whole really comprehends the damage it is doing (in the name of doing the right thing of course).

Thu, Sep 12, 2013

@John Denver, oh yeah right. Obama and the democrat party had a supermajority from 2008 through 2010 and could have unilaterally repealed the Patriot Act and did not. This indicates agreement. So it must have been a great idea for a supermajority of democrats to agree to extend it, right?

Wed, Sep 11, 2013 Flonkbob

We don't trust the NSA. You worked with the NSA to weaken our privacy. We don't trust you. What's not to understand?

Wed, Sep 11, 2013 John Denver

The heart of that issue is about random number generators. They are not perfect. John von Neumann: "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." I say, if you want truly random, talk to my kids! And lostFaith, the Bush administration gave us the Patriot act - if you want to talk about trashing our constitution, talk about that - over and over, loudly and clearly, until it's fixed.

Wed, Sep 11, 2013

What is more important is to get the names of the cryptographic chipset vendor/s who were blacked out in the NSA leaked document. It is likely they are the ones who put the NSA cryptographic routines into practice.
