How deep does NSA incursion at NIST go?
FCW published an article Sept. 6 in which sources questioned the integrity and trustworthiness of the National Institute of Standards and Technology following the release of top-secret documents showing the National Security Agency weakened a set of encryption standards adopted for worldwide use in 2006.
Readers expressed concern at the news, questioning whether the NSA's intervention was a one-time event or a frequent occurrence.
"So if our computer security standards are open to, let's call it 'tweaking', I wonder what other standards that NIST regulates are 'tweaked'?" remarked one reader.
Another said, "So much for NIST's credibility. I noticed they ignored the good stuff brought to them; now we know why."
A reader identifying himself as William Frazier questioned why government agencies even bother to compare each other's security protocols when they're all apparently operating with subverted encryption standards promulgated by NIST and used in IT solutions mass-produced by vendors.
Another reader wondered how far down the rabbit hole NSA-tweaking extends beyond encryption standards.
Frank Konkel responds: NIST responded to the criticism on Sept. 10, reopening the standards for public scrutiny and stating "NIST would not deliberately weaken" standards it approves for adoption.
However, the key word here is "deliberately," and I agree with readers who believe NIST's credibility is now open to question. When a top-secret NSA document – leaked by former NSA contractor Edward Snowden – states directly that the NSA "became the sole editor" of the weakened encryption standards in question, what does that say about NIST?
Nobody has come out and claimed responsibility for the apparent weakness in standards, and it's unlikely anybody will. What is more likely is that the cryptographic community will work hard to expose the vulnerabilities – if any – and work to correct them in a widespread, yet sensitive endeavor. If vulnerabilities exist, patches will be made. But as several cryptographers have noted, the time between when a vulnerability is found and a patch is implemented is key.
Regardless, the revelations uproot the image of NIST as a "just the facts, ma'am" agency grounded in scientific principles, which is sad for the federal agencies and worldwide commercial organizations that align their security standards with NIST recommendations. What role did NIST play in adopting the weakened standards?
The agency says none at all, and that raises questions in itself. How many other standards were adopted in the same fashion? Was NIST handcuffed by the NSA from discussing any kind of potential sabotage? How often does the NSA take the lead on standards for unclassified systems?
NIST regularly exposes its standards to public scrutiny in an effort to be a transparent organization, but if anyone at the agency knew the NSA deliberately or even inadvertently messed with standards, they sure didn't make a public fuss about it.
While the whole issue got lost in the NSA leaks story, the NSA's efforts to defeat encryption by any means necessary are one of the biggest stories to come from Snowden's flash drives. Perhaps there is more to come on that front, and if it involves more collaboration between NIST and the NSA, it may be more bad news for feds.
Posted by Frank Konkel on Sep 11, 2013 at 9:33 AM