Cryptography

NIST recommends against NSA-influenced standards

abstract head representing big data

The National Institute of Standards and Technology, the agency that sets guidelines, policy and standards used by computer systems in the federal government and worldwide, now "strongly" recommends against using an encryption standard that leaked top-secret documents show was weakened by the National Security Agency.

NIST's Information Technology Laboratory recently authored a technical bulletin that urges users not to make use of Special Publication (SP) 800-90A, which was reopened for public comment with draft Special Publications 800-90B and 800-90C on Sept. 10, providing the cryptographic community another chance to comment on encryption standards that were approved by NIST in 2006.

"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," the bulletin states.

Dual_EC_DRBG is the acronym for the Dual Elliptic Curve Deterministic Random Bit Generation algorithm found within the SP 800-90A. The issue was identified during the standard's development process and addressed, though the trustworthiness of that correction has been called into question, according to the bulletin.

NIST has been under fire since top-secret documents leaked by former National Security Agency contractor Edward Snowden showed the NSA "became the sole editor" of the encryption standards in question and apparently introduced weaknesses into them.

NIST has been quick to address questions about its integrity, both in reopening to public scrutiny the standards themselves – used by approximately 70 government vendors –and through public statements.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013 on Sept. 10.

NIST has made sure to explain how it "uses a transparent, public process to rigorously vet its standards and guidelines," but it has also tactfully explained why it works with the NSA, the largest employer of cryptographers in the world: The law says it has to.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," according to a NIST statement. "NIST is also required by statute to consult with the NSA."

About the Author

Frank Konkel is a former staff writer for FCW.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.