NIST recommends against NSA-influenced standards

abstract head representing big data

The National Institute of Standards and Technology, the agency that sets guidelines, policy and standards used by computer systems in the federal government and worldwide, now "strongly" recommends against using an encryption standard that leaked top-secret documents show was weakened by the National Security Agency.

NIST's Information Technology Laboratory recently authored a technical bulletin that urges users not to make use of Special Publication (SP) 800-90A, which was reopened for public comment with draft Special Publications 800-90B and 800-90C on Sept. 10, providing the cryptographic community another chance to comment on encryption standards that were approved by NIST in 2006.

"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," the bulletin states.

Dual_EC_DRBG is the acronym for the Dual Elliptic Curve Deterministic Random Bit Generation algorithm found within the SP 800-90A. The issue was identified during the standard's development process and addressed, though the trustworthiness of that correction has been called into question, according to the bulletin.

NIST has been under fire since top-secret documents leaked by former National Security Agency contractor Edward Snowden showed the NSA "became the sole editor" of the encryption standards in question and apparently introduced weaknesses into them.

NIST has been quick to address questions about its integrity, both in reopening to public scrutiny the standards themselves – used by approximately 70 government vendors –and through public statements.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013 on Sept. 10.

NIST has made sure to explain how it "uses a transparent, public process to rigorously vet its standards and guidelines," but it has also tactfully explained why it works with the NSA, the largest employer of cryptographers in the world: The law says it has to.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," according to a NIST statement. "NIST is also required by statute to consult with the NSA."

About the Author

Frank Konkel is a former staff writer for FCW.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Tue, Sep 17, 2013 lostFaith

Oh what a tangled web we weave when we try to deceive.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group