Post-NSA Revelations, NIST Opens Review of All Crypto Standards

06 November 2013

The US National Institute of Standards and Technology (NIST) is reviewing all of its cryptographic standards and its peer-review development process in the wake of revelations that the National Security Agency has been able to weaken its encryption algorithms to carry out surveillance.

“Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines,” wrote Donna Dodson, chief of the Computer Security Division at NIST, in an announcement. “NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process.” 

Documents leaked by Edward Snowden in September showed that the NSA spends $250 million a year on a project called “SIGINT Enabling” to secretly undermine encryption. A main goal of that effort is to “use the agency’s influence” within the peer-review process to weaken the encryption standards that NIST and other standards bodies around the world publish.

Shortly thereafter, NIST recommended that its elliptic curve specification no longer be used, in light of how involved the NSA had been in developing it. “Eventually, NSA became the sole editor,” as Infosecurity previously reported. Vendors followed suit: RSA “strongly recommended” that its developers discontinue use of the NIST-developed cryptography, and Silent Circle shut down its secure mail service, which relied on NIST encryption standards.

In response to the brouhaha, NIST has now initiated a formal review of its existing body of cryptographic work, looking at both its documented process and the specific procedures used to develop each of its standards and guidelines. It will also examine its process for standards development, “to ensure that our guidance has been developed according to the highest standard of inclusiveness, transparency and security.”

When it comes to encryption, NIST’s history lies in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard. It relies on open comment and peer participation to harden its approaches. “We strive for a consistently open and transparent process that enlists the worldwide cryptography community to help us develop and vet algorithms included in our cryptographic guidance,” Dodson said. “NIST endeavors to promote confidence in our cryptographic guidance through these inclusive and transparent development processes, which we believe are the best in use.”

In light of NSA’s activities, it now wants to make sure that approach is the best one, NIST said. The institute is in the process of compiling goals and objectives, principles of operation, processes for identifying cryptographic algorithms for standardization, methods for reviewing and resolving public comments, and other procedures in order to get ready for what it said will be a rigorous process.

NIST said that it will also invite public comment on the process and bring in an independent organization to conduct a formal review of the standards development approach and suggest improvements. “Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable,” Dodson concluded.
