NIST To Review Standards After Cryptographers Cry Foul Over NSA Meddling

from the about-time dept

The federal institute that sets national standards for how government, private citizens and business guard the privacy of their files and communications is reviewing all of its previous recommendations.

The move comes after ProPublica, The Guardian and The New York Times disclosed that the National Security Agency had worked to secretly weaken standards to make it easier for the government to eavesdrop.

The review, announced late Friday afternoon by the National Institute for Standards and Technology, will also include an assessment of how the institute creates encryption standards.

The institute sets national standards for everything from laboratory safety to high-precision timekeeping. NIST's cryptographic standards are used by software developers around the world to protect confidential data. They are crucial ingredients for privacy on the Internet, and are designed to keep Internet users safe from being eavesdropped on when they make purchases online, pay bills or visit secure websites.

But as the investigation by ProPublica, The Guardian and The New York Times in September revealed, the National Security Agency spends $250 million a year on a project called "SIGINT Enabling" to secretly undermine encryption. One of the key goals, documents said, was to use the agency's influence to weaken the encryption standards that NIST and other standards bodies publish.

"Trust is crucial to the adoption of strong cryptographic algorithms," the institute said in a statement on their website. "We will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines."

The NSA is no stranger to NIST's standards-development process. Under current law, the institute is required to consult with the NSA when drafting standards. NIST also relies on the NSA for help with public standards because the institute doesn't have as many cryptographers as the agency, which is reported to be the largest employer of mathematicians in the country.

"Unlike NSA, NIST doesn't have a huge cryptography staff," said Thomas Ptacek, the founder of Matasano Security, "NIST is not the direct author of many of most of its important standards."

Matthew Scholl, the deputy chief at the Computer Security Division of the institute, echoed that statement, "As NIST Director Pat Gallagher has said in several public settings, NIST is designed to collaborate and the NSA has some of the world's best minds in cryptography." He continued, "We also have parallel missions to protect federal IT systems, so we will continue to work with the NSA."

Some of these standards are products of public competitions among academic cryptography researchers, while others are the result of NSA recommendations. An important standard, known as SHA2, was designed by the NSA and is still trusted by independent cryptographers and software developers worldwide.

NIST withdrew one cryptographic standard, called Dual EC DRGB, after documents provided to news organizations by the former intelligence contractor Edward Snowden raised the possibility that the standard had been covertly weakened by the NSA.

Soon after, a leading cryptography company, RSA, told software writers to stop using the algorithm in a product it sells. The company promised to remove the algorithm in future releases.

Many cryptographers have expressed doubt about NIST standards since the initial revelations were published. One popular encryption library changed its webpage to boast that it did not include NIST-standard cryptography. Silent Circle, a company that makes encryption apps for smartphones, promised to replace the encryption routines in its products with algorithms not published by NIST.

If the NIST review prompts significant changes to existing encryption standards, consumers will not see the benefit immediately. "If the recommendations change, lots of code will need to change," said Tanja Lange, a cryptographer at the University of Technology at Eindhoven, in the Netherlands. "I think that implementers will embrace such a new challenge, but I can also imagine that vendors will be reluctant to invest the extra time."

In Friday's announcement, NIST pointed to its long history of creating standards, including the role it had in creating the first national encryption standard in the 1970s — the Data Encryption Standard, known as DES. "NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard," the bulletin said. But even that early standard was influenced by the NSA.

During the development of DES, the agency insisted that the algorithm use weaker keys than originally intended — keys more susceptible to being broken by super computers. At the time, Whitfield Diffie, a digital cryptography pioneer, raised serious concerns about the keys. "The standard will have to be replaced in as few as five years," he wrote.

The weakened keys in the standard were not changed. DES was formally withdrawn by the institute in 2005.

The announcement is the latest effort by NIST to restore the confidence of cryptographers. A representative from NIST announced in a public mailing list, also on Friday, that the institute would restore the original version of a new encryption standard, known as SHA3, that had won a recent design competition but altered by the institute after the competition ended. Cryptographers charged that NIST's changes to the algorithm had weakened it.

The SHA3 announcement referred directly to cryptographers' concerns. "We were and are comfortable with that version on technical grounds, but the feedback we've gotten indicates that a lot of the crypto community is not comfortable with it," wrote John Kelsey, NIST's representative. There is no evidence the NSA was involved in the decision to change the algorithm.

The reversal took Matthew Green, a cryptographer at Johns Hopkins University, by surprise. "NIST backed down! I'm not sure they would have done that a year ago," he said.

Originally posted at ProPublica.



Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    Mason Wheeler (profile), Nov 5th, 2013 @ 4:15pm

    DES

    The interesting thing about the DES changes is that, while a bunch of people at first thought the NSA was weakening the standard, it later came out that their changes actually strengthened DES by making it more resistant to a cutting-edge cryptoanalytic technique that no one outside of DES and IBM knew existed at the time. But they figured it would get discovered by someone else eventually, and acted proactively to help secure the standard.

    It's a shame they're not still in that line of work anymore.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    Mason Wheeler (profile), Nov 5th, 2013 @ 4:16pm

    Re: DES

    Erm, that no one outside of NSA or IBM knew about, even. (Why is there no Edit button in here?)

     

    reply to this | link to this | view in thread ]

  3. This comment has been flagged by the community. Click here to show it
     
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 4:28pm

    you clearly don't understand the function of NIST and how it operates, it does not 'define standards' they enshrine standards based on "state of the art", it would not be appropriate for NIST to take on the role of employing cryptographers, no they look at what the state of the art is, and what industry is doing and set the standards according to that principle.

    But hey, any excuse to attach the NSA is worth a try.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 4:38pm

    I'll never trust NIST cryptography standards, because they're tied at the hip too the NSA. By law.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    Rikuo (profile), Nov 5th, 2013 @ 4:53pm

    Re:

    Reading through your comment...doesn't set the standard = define standards?

    Also...why is it wrong to attack (not attach) the NSA? Are they for some reason supposed to be immune from criticism?

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 5:05pm

    Re: DES

    Shortening the keys made them stronger? Really? You forgot to tell us how war is peace, freedom is slavery and ignorance is strength too.

     

    reply to this | link to this | view in thread ]

  7. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Nov 5th, 2013 @ 5:16pm

    Mike, this is NOT "from the about-time dept"!!!

    Since you just went legalistic weenie on the RIAA for someone somewhere omitting attribution of open-source code -- which was quickly corrected -- I'm going to point out that YOUR editorial addition is far worse because tends to DIS-attribute ProPublica.

    Here's the ProPublica condition that you've violated:
    You can’t edit our material, except to reflect relative changes in time, location and editorial style. (For example, “yesterday” can be changed to “last week,” and “Portland, Ore.” to “Portland” or “here.”)

    But readers will interpret the insertion of Techdirt's characteristically schmaltzy phrase (here, "from the about-time dept") for sub-head as meaning the source is Techdirt itself, and so I'd rule that an editorial change which isn't allowed under the above terms.

    Besides that, every time I see you run one of these ProPublica fillers, even I, long-term reader and sharp-eyed, tend to at first think it's a Techdirt "staff" writer.

    I'm sure you'll ignore this. Hilarity ensues.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 5:18pm

    Re:

    Perhaps NIST needs to create a mission statement?

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 5:46pm

    Re: Mike, this is NOT "from the about-time dept"!!!

    Good god, you are a fucking idiot.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Rikuo (profile), Nov 5th, 2013 @ 5:57pm

    Re: Mike, this is NOT "from the about-time dept"!!!

    Good fucking god, you've done it AGAIN. You've gone and proven AGAIN that it's possible to have negative numbers in your IQ. This time you must have hit negative triple digits.

    You are calling foul over a tiny sub-heading? How could anyone (other than you?) be fooled into thinking the source of the article is TD or that TD intended as such, when the AUTHOR on the right is listed as ProPublica AND it says so at the very end of the article!

    Now that I've proven you wrong (not a hard thing to do by the way, I now find it as easy to do as breathing), why don't you strap your big boy pants on, waddle back here to TD and apologize? No? Too proud? Don't want the Lone Ranger OOTB to be seen in public apologizing to Megaphone Mike, Satan's Spawn, Google's play-boy?

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymouse Coward, Nov 5th, 2013 @ 6:07pm

    Re: Mike, this is NOT "from the about-time dept"!!!

    And they get paid "staff" wages too.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 6:28pm

    Re:

    Enshrine?

    NIST had a process that chose the best standards, then it changes the winner after the contest, so it LITERALLY defines standards. Changing the winner is the opposite of 'enshrine'.

    Secondly, we know from the Snowden leaks that NSA has hijacked that standards process and boasted about it cracking cryptography in 2010 to GCHQ.

    http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

    So Mike is right, you are wrong.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 6:59pm

    Re: Re: DES

    It actually did in that particular instance. There were instances where a block cipher could be compromised because of weaknesses in the substitution table. This was because there were attacks (known only to the NSA and IBM, which is where the NSA is at fault) which could, theoretically, compromise the encrypted message.

    So the idea was: lower the amount of information the block cipher was outputting, and give less information to the attacker every round. Brute-force when they were discussing this was out of the question because they were discussing this during the 70's (when even 48-bit keys, their original recommendation for the key length, was unfeasible for supercomputers). This was mostly a stop-gap measure because, especially IBM, knew that DES would not last into the 90's as an encryption standard.

    This is both a good thing the NSA did and a bad thing, because we all know now that there was no security in obscurity. It was found out eventually and by then there was untold amounts of information encrypted with DES. But it did act as one of the few times they worked to strengthen encryption instead of weaken it. I think the NSA is actually staffed by many talented people who would like nothing more than to make extremely strong ciphers (like what happened during the elliptic curve encryption fad) but are constantly chained down by superiors (like what happened during the elliptic curve's random number generator) ordering to place backdoors into their own work.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 7:33pm

    Re: Re: Re: DES

    "It actually did in that particular instance."
    Umm, no it didn't.

    "There were instances where a block cipher could be compromised because of weaknesses in the substitution table."

    You're conflating shorter keys with substitution table weaknesses. They're not the same.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Nov 5th, 2013 @ 10:07pm

    Re: Re:

    no set standards do not equal define standards, but thanks for asking.

    Standards are defined by empirical methods, such as the standard for 1 meter would be defined as a certain number of wavelengths of a laser at a specific frequency, if NIST feel that this measurement is suitable as a measurement for distance, it "sets that as the primary standard".

    Science and industry (the state of the art) defines the standards and NIST set them standards (in stone).

    All standards are and what NIST does is make sure everyone is working on the same basic physical values, they define the standard for 1 gram for example, so that industry can calibrate their scales to that primary standard, not that that ever happens.

    what happens is those as set as "primary standards", and they are used to calibrate 'secondary standards' that are certified to certify "working standards".

    So a company that builds scales for measuring your gold collection, would have their scales calibrated against a NIST secondary standard, so if they measure your gold to be 1 gram it is within the allowable limits of that secondary standard and is calibrated against the NIST primary standard.

    So no setting and defining standards are not the same things at all.

    Nothing wrong with attacking the NSA if it is done for real reasons, and you don't use everyone else to do it for you, or don't base it on opinion or assumptions.

    And if those attacks are based on facts, and not what 'someone said', and if it is done for the right reasons, and not for the reason that it give you the opportunity to attack the Government, and does not rely on 'the Snowdens' who has questionable honesty and integrity.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 12:16am

    Re: Re: DES

    if you think the length of the key is the only factor in determining the quality of the cypher then yes.. but there are many other facts apart from the key..

    if it was just the key the standard would simply be the length of the Key, it is not.

    So YES, shortening the key could very well make the cypher stronger.

    Again, if you have no idea how encryption works, you might be led to believe key size is everything, but in cryptography, "size is not everything", but the method of encryption IS..

    perhaps you need to learn a little bit about the subject before shooting your mouth off !!

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 12:21am

    Re: Re:

    you don't think they have a mission statement ?

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 12:23am

    Re: Re: Mike, this is NOT "from the about-time dept"!!!

    as you have not referred to anyone, can we assume you are talking about yourself !!!

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 12:28am

    Whatever, NIST. Time for international and non-government influenced standard bodies. NIST is over.

    If you need to use something right away, go with Dan Bernstein's curves and protocols instead.

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    Ninja (profile), Nov 6th, 2013 @ 1:47am

    This is some major win for transparency and security. People smearing and condemning Snowden are looking like fools by now. His actions are having much more implications than anyone dared foresee when it began.

    History is being written. Your turn, pseudo-democratic Governments.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 2:46am

    Re: Re: Re: Mike, this is NOT "from the about-time dept"!!!

    Since he's replying to ootb, the reference would be assumed to be ootb to be the fucking idiot. But since such comprehension appears to be beyond your limited skills, perhaps you, too, are a fucking idiot.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 4:01am

    Re: Re: Re: DES

    "if you think the length of the key is the only factor in determining the quality of the cypher"

    I think no such thing. Perhaps you should read what I actually wrote.

    "So YES, shortening the key could very well make the cypher stronger."

    It did not, and I know of no case in which it ever has. Perhaps in your zeal to defend the NSA you can also provide the math to support your assertion?

    blah blah blah "..the method of encryption IS.. "

    The method of encryption is everything? Use what ever method you like, put a two bit key on it and I'll break it pretty quickly.

    "perhaps you need to learn a little bit about the subject before shooting your mouth off !!"

    Perhaps you should follow your own advice.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 4:48am

    Re:

    Clearly ... arrogance is your best attribute.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 4:50am

    Re: Re: Re:

    I'm sure it waxes poetic about how they enshrine standards.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Nov 6th, 2013 @ 4:55am

    Re:

    It's not even pseudo-democratic anymore.
    They blatantly claim privilege and declare everyones best interests are being met by disenfranchising their opponents.

     

    reply to this | link to this | view in thread ]

  26.  
    icon
    John Fenderson (profile), Nov 6th, 2013 @ 8:53am

    The economics of software development

    "I think that implementers will embrace such a new challenge, but I can also imagine that vendors will be reluctant to invest the extra time."


    It's not extra time, it's the extra expense. Where I work, we use cryptography heavily. The day after it became clear that certain algorithms were in question, everything stopped while we evaluated our (very large) software base to find and replace any usage of these algorithms. I estimate the wages spent to do this in my department alone exceeded a half million dollars.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Dave, Nov 6th, 2013 @ 1:13pm

    Re: Mike, this is NOT "from the about-time dept"!!!

    Oh dear....Mr. Paranoia is off again. Have you graduated to proper joined-up writing and a real pen instead of crayons?

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This