Cryptography

NIST recommends against NSA-influenced standards

abstract head representing big data

The National Institute of Standards and Technology, the agency that sets guidelines, policy and standards used by computer systems in the federal government and worldwide, now "strongly" recommends against using an encryption standard that leaked top-secret documents show was weakened by the National Security Agency.

NIST's Information Technology Laboratory recently authored a technical bulletin that urges users not to make use of Special Publication (SP) 800-90A, which was reopened for public comment with draft Special Publications 800-90B and 800-90C on Sept. 10, providing the cryptographic community another chance to comment on encryption standards that were approved by NIST in 2006.

"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," the bulletin states.

Dual_EC_DRBG is the acronym for the Dual Elliptic Curve Deterministic Random Bit Generation algorithm found within the SP 800-90A. The issue was identified during the standard's development process and addressed, though the trustworthiness of that correction has been called into question, according to the bulletin.

NIST has been under fire since top-secret documents leaked by former National Security Agency contractor Edward Snowden showed the NSA "became the sole editor" of the encryption standards in question and apparently introduced weaknesses into them.

NIST has been quick to address questions about its integrity, both in reopening to public scrutiny the standards themselves – used by approximately 70 government vendors –and through public statements.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013 on Sept. 10.

NIST has made sure to explain how it "uses a transparent, public process to rigorously vet its standards and guidelines," but it has also tactfully explained why it works with the NSA, the largest employer of cryptographers in the world: The law says it has to.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," according to a NIST statement. "NIST is also required by statute to consult with the NSA."

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    OPM nominee plans focus on telework, IT, retirement

    Kiran Ahuja, a veteran of the Office of Personnel Management, told lawmakers that she thinks that the lack of consistent leadership in the top position at OPM has taken a toll on the ability of the agency to complete longer term IT modernization projects.

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

Stay Connected