Encryption

NIST reopens NSA-altered standards

digital key

The National Institute of Standards and Technology reopened the public comment period for already-adopted encryption standards that, according to leaked top-secret documents, were deliberately weakened by the National Security Agency.

Reopening the standards in question – Special Publication 800-90A and draft Special Publications 800-90B and 800-90C – gives the public a chance to weigh in again on encryption standards that were approved by NIST in 2006 for federal and worldwide use.

The move came Sept. 10, a swift response from NIST after several media outlets, including FCW, published articles that questioned the agency's cryptographic standards development process after the leaks surfaced.

"What's most troubling to me is [the reports] appeared to attack our integrity," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," Gallagher said, addressing what he called the "elephant in the room" at the summit. "We're committed that when there is a new issue or vulnerability identified, we address it."

If vulnerabilities are found in the encryption standards, NIST will work with the cryptographic community to address them as quickly as possible, Gallagher said.

Gallagher's comments echoed a public statement issued by NIST on the matter on the same day. The statement explained why the NSA works with NIST in developing certain cryptographic standards, even though NIST is charged with establishing standards for unclassified federal computer systems.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," the statement said. "NIST is also required by statute to consult with the NSA."

News reports from the New York Times and The Guardian based on top secret documents leaked by former NSA contractor Edward Snowden indicate the NSA essentially "became the sole editor" of the NIST standards. Contained within them is an algorithm called the Deterministic Random Bit Generator that has been long-rumored to contain weaknesses known to the NSA. It is used by approximately 70 government vendors.

NIST's statement absolves the agency from blame while not denying that weaknesses exist in the standards. "NIST would not deliberately weaken a cryptographic standard," the statement said.

To review the standards and comment, go to http://csrc.nist.gov/publications/PubsDrafts.html.

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.