NIST reopens NSA-altered standards


The National Institute of Standards and Technology reopened the public comment period for already adopted cryptographic standards that, according to leaked top-secret documents, were deliberately weakened by the National Security Agency.

Reopening the standards in question – Special Publication 800-90A and draft Special Publications 800-90B and 800-90C, which cover random bit generation, the source of cryptographic keys – gives the public a chance to weigh in again on work that NIST first approved in 2006 for federal use and that is relied on worldwide.

The move came Sept. 10, a swift response from NIST after several media outlets, including FCW, published articles that questioned the agency's cryptographic standards development process after the leaks surfaced.

"What's most troubling to me is [the reports] appeared to attack our integrity," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," Gallagher said, addressing what he called the "elephant in the room" at the summit. "We're committed that when there is a new issue or vulnerability identified, we address it."

If vulnerabilities are found in the encryption standards, NIST will work with the cryptographic community to address them as quickly as possible, Gallagher said.

Gallagher's comments echoed a public statement issued by NIST on the matter on the same day. The statement explained why the NSA works with NIST in developing certain cryptographic standards, even though NIST is charged with establishing standards for unclassified federal computer systems.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," the statement said. "NIST is also required by statute to consult with the NSA."

News reports from the New York Times and The Guardian, based on top-secret documents leaked by former NSA contractor Edward Snowden, indicate that the NSA essentially "became the sole editor" of one NIST standard. SP 800-90A includes an algorithm called Dual_EC_DRBG (the Dual Elliptic Curve Deterministic Random Bit Generator) that has long been rumored to contain weaknesses known to the NSA. It is used by approximately 70 government vendors.
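The weakness in Dual_EC_DRBG that has been publicly analyzed (Shumow and Ferguson, CRYPTO 2007 rump session) is structural: each output block is most of the x-coordinate of r*Q, and anyone who knows a d with Q = d*P can turn that block into r*P, which is the generator's next internal state. The following is an added example, not code from the page, FCW or NIST: a toy Dual_EC_DRBG on a constructed 14-bit curve, with the party that chose Q recovering the generator state from two output blocks and then predicting every later block. The curve, the base point (1, 2), the escrow seed 12345 and the victim seed 77 are all constructed for the example, and it assumes the weakness at issue is the one Shumow and Ferguson described; the page itself does not say which weakness the leaked documents refer to.

```python
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over F_p (NOT NIST P-256): p is a
# 14-bit prime with p = 3 mod 4, so square roots are one pow() and brute force is instant.
P_MOD, A, B = 10007, 2, 1
G = (1, 2)            # base point "P" of SP 800-90A; on the curve since 1 + 2 + 1 = 2^2
INF = None            # point at infinity
TRUNC_BITS = 10       # output block = low 10 bits of x(r*Q); the real DRBG keeps 240 of 256 bits

def sqrt_mod(a):      # square root mod p for p = 3 mod 4; None if a is a non-residue
    a %= P_MOD
    y = pow(a, (P_MOD + 1) // 4, P_MOD)
    return y if y * y % P_MOD == a else None

def add(p1, p2):      # affine point addition and doubling
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):       # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def order(pt):        # order of pt by brute force; fine on a 14-bit curve
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

N = order(G)          # the attacker needs this to invert d modulo the group order

def escrow_setup(d_seed=12345):
    """Whoever chooses Q = d*G and keeps d owns the escrow key (d_seed is a constructed value)."""
    d = max(d_seed % N, 2)
    while gcd(d, N) != 1:
        d += 1
    return d, mul(d, G)

def drbg_step(state, Q):
    """One Dual_EC_DRBG iteration: r = x(s*G); next state = x(r*G); block = x(r*Q) truncated."""
    r_pt = mul(state, G)
    s_pt, o_pt = (mul(r_pt[0], G), mul(r_pt[0], Q)) if r_pt else (INF, INF)
    if s_pt is INF or o_pt is INF:
        raise ValueError("toy parameters hit the point at infinity")
    return s_pt[0], o_pt[0] & ((1 << TRUNC_BITS) - 1)

def drbg_outputs(state, Q, count):
    outs = []
    for _ in range(count):
        state, block = drbg_step(state, Q)
        outs.append(block)
    return outs

def recover_state(d, out1, out2, Q):
    """Escrow-key holder: from two consecutive blocks, recover the state that produced out2.
    With e = d^-1 mod N we have e*Q = G, so e*(r*Q) = r*G, whose x-coordinate is that state."""
    e = pow(d, -1, N)
    found = []
    for x in range(out1, P_MOD, 1 << TRUNC_BITS):   # every x whose low bits equal out1
        y = sqrt_mod(x ** 3 + A * x + B)
        if y is None:
            continue                                  # no curve point has this x
        s_pt = mul(e, (x, y))
        try:
            if s_pt and drbg_step(s_pt[0], Q)[1] == out2:   # confirm against the next block
                found.append(s_pt[0])
        except ValueError:
            pass
    return found

if __name__ == "__main__":
    d, Q = escrow_setup()
    blocks = drbg_outputs(77, Q, 5)                   # 77: constructed victim seed
    states = recover_state(d, blocks[0], blocks[1], Q)
    print("blocks:", blocks, "recovered:", states, "predicted:", [drbg_outputs(s, Q, 3) for s in states])
```

On the real curve the truncation discards 16 bits, so the attacker tries about 2^16 candidate x-values instead of ten, and each candidate costs one scalar multiplication; that is still minutes of work with one 30-byte output in hand. Nothing about this requires breaking elliptic-curve discrete logarithms: the design leaks r*Q, and the only defenses are a Q whose generation the public can verify, or not using the algorithm at all.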

NIST's statement absolves the agency from blame while not denying that weaknesses exist in the standards. "NIST would not deliberately weaken a cryptographic standard," the statement said.

To review the standards and comment, go to http://csrc.nist.gov/publications/PubsDrafts.html.

About the Author

Frank Konkel is a former staff writer for FCW.


Reader comments

Thu, Sep 12, 2013

There seems to be either universal blind faith that the govt is doing the right thing for its citizens or absolute distrust that even though intentions might be good, it is not possible to predict the negative outcome of govt actions, and therefore universal distrust. And of course it's all along party lines. Sad. Personally, I am swiftly moving from the former to the latter. There have been too many negative consequences for me to trust the govt as a whole really comprehends the damage it is doing (in the name of doing the right thing of course).

Thu, Sep 12, 2013

@John Denver, oh yeah right. Obama and the democrat party had a supermajority from 2008 through 2010 and could have unilaterally repealed the Patriot Act and did not. This indicates agreement. So it must have been a great idea for a supermajority of democrats to agree to extend it, right?

Wed, Sep 11, 2013 Flonkbob

We don't trust the NSA. You worked with the NSA to weaken our privacy. We don't trust you. What's not to understand?

Wed, Sep 11, 2013 John Denver

The heart of that issue is about random number generators. They are not perfect. John von Neumann: "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." I say, if you want truly random, talk to my kids! And lostFaith, the Bush administration gave us the Patriot act - if you want to talk about trashing our constitution, talk about that - over and over, loudly and clearly, until it's fixed.

Wed, Sep 11, 2013

What is more important is to get the names of the cryptographic chipset vendor/s who were blacked out in the NSA leaked document. It is likely they are the ones who put the NSA cryptographic routines into practice.
