NIST's Ridiculous Non-Response Response To Revelation That NSA Controlled Crypto Standards Process

from the that's-not-going-to-calm-anyone-down dept

One of the key revelations from last week, of course, was that the NSA surreptitiously took over the standards-making process for certain encryption standards. Here was the key passage:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.
It took NIST a few days to figure out a response to this, but it's now been posted, and it says... basically nothing at all. Let's go through it piece by piece.
Recent news reports have questioned the cryptographic standards development process at NIST. We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place.
Um, except that, as the leaks revealed, that's not actually true. The NSA was the "sole editor" of the standard, so claiming that the standards were rigorously vetted by a transparent, public process is simply false. Furthermore, as John Gilmore recently revealed concerning IPsec, the NSA made sure the standard was so complicated that no one could actually vet its security.
NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.
That's not a response to the charges at all.
NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA.
In other words, yes, the NSA is involved -- which was not a secret. But what was a secret, and what NIST does not even begin to address, is the idea that the NSA took control of the standard and became its "sole editor."
Recognizing community concern regarding some specific standards, we reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C to give the public a second opportunity to view and comment on the standards.
Again, that does little to address the specific questions raised. (Special Publication 800-90A is NIST's recommendation for deterministic random bit generators, the document that specifies Dual_EC_DRBG.) If a standard is designed by the NSA in a manner that makes its security properties inscrutable to even the most experienced cryptographers, then a second comment period, without simplifying the standard, does no good.
If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.
Yes, but the "cryptographic community" seems to include the NSA... sometimes in key positions.

Basically this is a total non-response to the revelations from last week. It's just NIST saying "yes, we work with the NSA, but you have nothing to fear" without giving any basis for the second half of that claim.


Reader Comments

  1. Rich Fiscus (profile), Sep 10th, 2013 @ 1:41pm

    We've always been at war with Eastasia.

  2. Anonymous Coward, Sep 10th, 2013 @ 1:57pm

    I no longer trust the US govt to be in control of these standards bodies. There should be a concerted push to have control passed to the UN.

  3. Alt0, Sep 10th, 2013 @ 1:58pm

    Statutes like this bug me...

    "NIST is also required by statute to consult with the NSA."

  4. stine (profile), Sep 10th, 2013 @ 2:15pm

    Re: Statutes like this bug me...

    For a given value of "consult."

  5. Rich Fiscus (profile), Sep 10th, 2013 @ 2:15pm

    We should probably be thanking NIST for this actually. If it wasn't true they'd be denying it. Their decision not to deny it is all the confirmation I need - not that there was any doubt in the first place.

  6. Anonymous Coward, Sep 10th, 2013 @ 2:24pm

    "So claiming that the standards are rigorously vetted is simply false"

    They never claimed that the process was properly utilized, merely that it was in place. They also claimed the process was transparent and public, but never once claimed that it was simple enough to be understood even by most experts.

    I also note carefully crafted language in the rest of the response about participation, the ability to view and comment, and that issues will be addressed (but addressed doesn't mean actually rectified), but nowhere do I see a claim that the NSA isn't the sole arbitrator or that anyone else has actual authority in the final decision making process.

  7. ECA (profile), Sep 10th, 2013 @ 2:37pm

    Cryptology

    Ok,
    something to think about..

    WHICH is faster?
    Straight unencrypted site to site..Plane to plane, place to place?
    BASIC encrypt, that compresses data and allows for Faster connections?
    HEAVY DUTY, SOLID CORE encrypt? Where the TIME needed to encrypt/SEND/decrypt takes TIME..AND the SIZE will probably be larger than the original material.

    Basic encrypt, which is MOSTLY packages/letters/email type stuff...Is fairly easy..and is fairly quick and easy.. but BOTH locations must have the keys.

    Heavy duty? does some interesting things, and adds FILLER that isn't part of the data just to mess things up.

    The difference is like a 4 digit number (0-9) compared to a code that is 16-256 digit/characters/symbols (a-z/A-Z/0-9/!@#$#^%&*^(){}":/?., and about 100 more characters..
    16 characters to the ^246 power...

  8. letherial (profile), Sep 10th, 2013 @ 2:52pm

    Lack of denial speaks volumes, thanks for fucking everything up.

  9. Anonymous Coward, Sep 10th, 2013 @ 2:54pm

    So much of this stuff is like "Just Trust Us" *wink

    Seriously this is just beyond insulting now.

  10. Anonymous Coward, Sep 10th, 2013 @ 2:55pm

    Does NIST actually believe any cryptography experts, or the public, would believe this BS response? I will never trust anything coming out of NIST ever again. It's obvious they have been corrupted.

  11. Anonymous Coward, Sep 10th, 2013 @ 2:55pm

    This is just standard corporate BS.

    It does not differ the tiniest bit from what corpos say when they don't want to say a thing. Smoke and mirrors wrapped in weasel words.

  12. Anonymous Coward, Sep 10th, 2013 @ 2:56pm

    I wonder what else the government meddled in?

  13. PopeRatzo (profile), Sep 10th, 2013 @ 3:18pm

    Keep it up, Techdirt

    I'm really grateful that Techdirt has taken it upon itself to be a major conduit for news regarding the overreach and misdeeds of our national security/corporate apparatus.

    I'm sure there are a lot of tech stories that the editors of Techdirt would rather be talking about, but this is by far the most important issue facing us.

    I'm surprised, and pleased, at some of the places I'm finding links to Techdirt stories about this issue. People ARE taking notice, and this is not just a story of the day that's going to go away tomorrow.

    Thank you for spending time on this instead of just passing along another meaningless Apple product roll-out press release, as some tech sources seem to be doing today.

  14. Hephaestus (profile), Sep 10th, 2013 @ 3:36pm

    Re:

    The reason NIST is not denying it is simple. The minute they do deny this, a newspaper article will come out that says they are involved.

  15. Anonymous Coward, Sep 10th, 2013 @ 4:02pm

    Ok, what's next

    Ok, so if the Government's been involved in it, don't trust it.

    So as a Private Citizen (or is it suspect???) what's my best choice in NSA-free encryption?

  16. Anonymous Coward, Sep 10th, 2013 @ 5:02pm

    Who's going to trust NIST and the US gov now? There needs to be a completely new international body formed, much like W3C, for the purpose of creating new security standards.

  17. ChurchHatesTucker (profile), Sep 10th, 2013 @ 6:36pm

    Re:

    You think the UN would be better?

  18. Anonymous Coward, Sep 10th, 2013 @ 8:10pm

    Re: Ok, what's next

    Make it up yourself and don't tell anyone haha...

  19. Anonymous Coward, Sep 10th, 2013 @ 11:02pm

    Re:

    That sounds like a case of "out of the frying pan, into the fire". If you don't trust a single government, I doubt you would want to trust a group of governments. I would much prefer standards bodies to be fully independent of any and all governments.

  20. Slicerwizard, Sep 10th, 2013 @ 11:47pm

    Re: Cryptology

    "Where the TIME needed to encrypt/SEND/decrypt takes TIME.."

    Time takes time? ECA, you're losing it.

    "AND the SIZE will probably be larger than the original material."

    ECA, you're clueless.

    "Basic encrypt, which is MOSTLY packages/letters/email type stuff...Is fairly easy..and is fairly quick and easy.. but BOTH locations must have the keys.

    Heavy duty? does some interesting things, and adds FILLER that isn't part of the data just to mess things up."

    More bullshit.

    "The difference is like a 4 digit number (0-9) compared to a code that is 16-256 digit/characters/symbols (a-z/A-Z/0-9/!@#$#^%&*^(){}":/?., and about 100 more characters..
    16 characters to the ^246 power..."

    UTTER bullshit. Serious encryption, like AES256, AES1024, etc. adds NOTHING extra. Encrypted message size = plaintext message size.

    Why can't idiots who KNOW NOTHING just shut the hell up? Faaack...
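Comments 7 and 20 argue about whether encryption changes the size of a message. As an added example (not from the page and not from either commenter), the Go program below, using only the standard library, encrypts constructed all-'A' plaintexts of several lengths under a constructed all-zero AES-256 key and reports how many bytes each mode adds on the wire: CBC pads to a 16-byte block boundary and carries a 16-byte IV, CTR is length-preserving apart from its 16-byte IV, and GCM adds a 12-byte nonce plus a 16-byte authentication tag. (AES is defined for 128-, 192- and 256-bit keys only; there is no AES-1024.) The key and plaintexts are for illustration; a fixed key must never be used in real code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Overhead is the number of bytes on the wire beyond the plaintext length.
// The IV/nonce is counted because the receiver needs it and it is sent
// alongside the ciphertext.
type Overhead struct {
	CBC int // 16-byte IV + PKCS#7 padding (1..16 bytes)
	CTR int // 16-byte IV; the keystream XOR is length-preserving
	GCM int // 12-byte nonce + 16-byte authentication tag
}

// pkcs7Pad appends 1..blockSize bytes so the length is a multiple of blockSize.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// randomBytes draws n bytes from the OS CSPRNG for an IV or nonce.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// encryptCBC returns iv || CBC(pad(plaintext)).
func encryptCBC(block cipher.Block, plaintext []byte) ([]byte, error) {
	iv, err := randomBytes(block.BlockSize())
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// encryptCTR returns iv || CTR(plaintext); no padding is needed.
func encryptCTR(block cipher.Block, plaintext []byte) ([]byte, error) {
	iv, err := randomBytes(block.BlockSize())
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return append(iv, out...), nil
}

// encryptGCM returns nonce || GCM(plaintext) || tag.
func encryptGCM(block cipher.Block, plaintext []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// MeasureOverhead encrypts a constructed plaintext of plaintextLen bytes under
// key in each mode and returns the per-mode size overhead.
func MeasureOverhead(key []byte, plaintextLen int) (Overhead, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Overhead{}, err
	}
	pt := bytes.Repeat([]byte{'A'}, plaintextLen)
	cbc, err := encryptCBC(block, pt)
	if err != nil {
		return Overhead{}, err
	}
	ctr, err := encryptCTR(block, pt)
	if err != nil {
		return Overhead{}, err
	}
	gcm, err := encryptGCM(block, pt)
	if err != nil {
		return Overhead{}, err
	}
	return Overhead{
		CBC: len(cbc) - plaintextLen,
		CTR: len(ctr) - plaintextLen,
		GCM: len(gcm) - plaintextLen,
	}, nil
}

func main() {
	// Constructed all-zero AES-256 key for illustration only.
	key := make([]byte, 32)
	for _, n := range []int{0, 1, 15, 16, 17, 1000} {
		o, err := MeasureOverhead(key, n)
		if err != nil {
			panic(err)
		}
		fmt.Printf("plaintext %4d bytes: CBC +%2d, CTR +%2d, GCM +%2d\n", n, o.CBC, o.CTR, o.GCM)
	}
}
```

Running it shows the CBC overhead swinging between 17 and 32 bytes depending on the plaintext length, while CTR stays at a constant 16 and GCM at a constant 28; only the raw keystream XOR inside CTR is truly size-preserving, and once the IV or nonce and (for authenticated modes) the tag are counted, every practical construction sends more bytes than the plaintext.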

  21. Anonymous Coward, Sep 11th, 2013 @ 1:26am

    I don't read it that way.

    "Recognizing community concern regarding some specific standards, we reopened the public comment period for..."

    I see that as an opportunity to raise certain concerns. Such as the ones Mike pointed out:

    "If the standards are designed by the NSA in a manner that makes the security aspect inscrutable to even the most experienced cryptographers without simplifying the standard, then that's not doing any good."

    "Yes, but the 'cryptographic community' seems to include the NSA... sometimes in key positions."

    They claim to be listening to "concerns". What remains to be seen is whether they will actually act on these concerns.

    More interesting is whether they'll try to immediately address the "NSA personnel in key positions" of their standards process. They may wish to consider that in order to avoid any *appearance* of impropriety.

    Doing that may help in the acceptance of their standard. I do not think they wish to be known as the standards body saddled with the negative aspects of an "Approved by the NSA" reputation.

    Think ISO and OOXML.

  22. Ninja (profile), Sep 11th, 2013 @ 3:27am

    FEAR NOT OLD MCDONALD! We have foxes and other carnivorous animals to take care of the farm.

  23. Anonymous Coward, Sep 11th, 2013 @ 6:36am

    Re:

    Sorry, but are you fucking kidding? The U.N.? That bunch of ninnies would fuck the internet up in two seconds. When those people get together, it's a worldwide clusterfuck. Every time.

  24. Jose_X, Sep 11th, 2013 @ 8:52am

    Re: Statutes like this bug me...

    Does it say to follow the NSA's wishes or show preference?

    The question I have is not who is the editor of any given standard (which btw can be ignored by the private sector in many cases) but whether NIST would allow the spec to be changed when the community shows weaknesses. Does anyone know of a case where they have not done that?

    If people find flaws, point them out and the spec can change. If the spec is complex, don't use it. There are already parallel stds from places like Internet RFCs (IETF).

    If the government wants their own minimal level of stds they feel comfortable with, e.g., for government contracts, what is the beef? Again, is there actual evidence of NIST or NSA pushing a purposely weak std onto everyone by law and not backing away from it? Because if people want to have laws that allow everyone to have super encryption and that would not be available without a law change, then that can be addressed in the US form of government.

    I feel like I'm hearing that the sky is falling just because the NSA is involved somehow.

  25. Jose_X, Sep 11th, 2013 @ 9:01am

    Re: Re:

    That's in the eye of the beholder. Many nations consider the UN necessary to keep other nations (and their own) in check.

    The "US" under the Articles of Confederation was rather weak by their own admission, but that weakness at the UN is apparently an asset given how diverse each member is.

    Everyone loves government when it comes to protecting their own personal set of "these are the best" laws, but hates it when it compromises in order to serve a larger constituency.

  26. Jose_X, Sep 11th, 2013 @ 9:09am

    Re: Re: Statutes like this bug me...

    >> I feel like I'm hearing that the sky is falling just because the NSA is involved somehow.

    To be fair, the article's motivation is anger at the NSA for trying to add back doors and then removing any benefit of the doubt that NIST is working with a different agenda (than the NSA) more in line with what a traditional standards body might desire.

  27. n0s, Sep 11th, 2013 @ 10:05pm

    the only good america is a dead america

    Yellowstone, please blow the fascist state of america off the map. We have no choice, it's the only way we will ever be free ever again.

  28. LeifOfLiberty, Sep 13th, 2013 @ 12:33pm

    Re:

    You do not trust the US govt but you trust the UN?

