NIST reopens NSA-altered standards

The National Institute of Standards and Technology reopened the public comment period for already-adopted encryption standards that, according to leaked top-secret documents, were deliberately weakened by the National Security Agency.

Reopening the standards in question – Special Publication 800-90A and draft Special Publications 800-90B and 800-90C – gives the public a chance to weigh in again on encryption standards that were approved by NIST in 2006 for federal and worldwide use.

The move came Sept. 10, a swift response from NIST after several media outlets, including FCW, published articles that questioned the agency's cryptographic standards development process after the leaks surfaced.

"What's most troubling to me is [the reports] appeared to attack our integrity," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," Gallagher said, addressing what he called the "elephant in the room" at the summit. "We're committed that when there is a new issue or vulnerability identified, we address it."

If vulnerabilities are found in the encryption standards, NIST will work with the cryptographic community to address them as quickly as possible, Gallagher said.

Gallagher's comments echoed a public statement issued by NIST on the matter on the same day. The statement explained why the NSA works with NIST in developing certain cryptographic standards, even though NIST is charged with establishing standards for unclassified federal computer systems.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," the statement said. "NIST is also required by statute to consult with the NSA."

News reports from the New York Times and The Guardian, based on top-secret documents leaked by former NSA contractor Edward Snowden, indicate the NSA essentially "became the sole editor" of the NIST standards. Contained within them is an algorithm called the Deterministic Random Bit Generator that has long been rumored to contain weaknesses known to the NSA. It is used by approximately 70 government vendors.

NIST's statement absolves the agency from blame while not denying that weaknesses exist in the standards. "NIST would not deliberately weaken a cryptographic standard," the statement said.

To review the standards and comment, go to http://csrc.nist.gov/publications/PubsDrafts.html.

About the Author

Frank Konkel is a former staff writer for FCW.
