Cryptography

NIST recommends against NSA-influenced standards

abstract head representing big data

The National Institute of Standards and Technology, the agency that sets guidelines, policy and standards used by computer systems in the federal government and worldwide, now "strongly" recommends against using an encryption standard that leaked top-secret documents show was weakened by the National Security Agency.

NIST's Information Technology Laboratory recently authored a technical bulletin that urges users not to make use of Special Publication (SP) 800-90A, which was reopened for public comment with draft Special Publications 800-90B and 800-90C on Sept. 10, providing the cryptographic community another chance to comment on encryption standards that were approved by NIST in 2006.

"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," the bulletin states.

Dual_EC_DRBG is the acronym for the Dual Elliptic Curve Deterministic Random Bit Generation algorithm found within the SP 800-90A. The issue was identified during the standard's development process and addressed, though the trustworthiness of that correction has been called into question, according to the bulletin.

NIST has been under fire since top-secret documents leaked by former National Security Agency contractor Edward Snowden showed the NSA "became the sole editor" of the encryption standards in question and apparently introduced weaknesses into them.

NIST has been quick to address questions about its integrity, both in reopening to public scrutiny the standards themselves – used by approximately 70 government vendors –and through public statements.

"We are not deliberately, knowingly working to undermine encryption standards, and one way we ensure that integrity is by ensuring our work is done in the full light of the public," said NIST Director Patrick Gallagher, speaking at the Amazon Web Services Public Sector Summit 2013 on Sept. 10.

NIST has made sure to explain how it "uses a transparent, public process to rigorously vet its standards and guidelines," but it has also tactfully explained why it works with the NSA, the largest employer of cryptographers in the world: The law says it has to.

"The NSA participates in the NIST cryptography development process because of its recognized expertise," according to a NIST statement. "NIST is also required by statute to consult with the NSA."

About the Author

Frank Konkel is a former staff writer for FCW.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from Shutterstock.com

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Tue, Sep 17, 2013 lostFaith

Oh what a tangled web we weave when we try to deceive.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group