NIST's Ridiculous Non-Response Response To Revelation That NSA Controlled Crypto Standards Process
from the that's-not-going-to-calm-anyone-down dept
One of the key revelations from last week, of course, was the fact that the NSA surreptitiously took over the standards-making process for certain encryption standards. Here was the key passage:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
“Eventually, NSA became the sole editor,” the document states.
It took NIST a few days to figure out a response to this, but it’s now been posted, and it says… basically nothing at all. Let’s go through it piece by piece.
Recent news reports have questioned the cryptographic standards development process at NIST. We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place.
Um, except that as the leaks revealed, that’s not actually true. The NSA was the “sole editor” of the standard. So claiming that the standards are rigorously vetted is simply false. Furthermore, as John Gilmore recently revealed, concerning IPSec, the NSA made sure that the standards were so complicated that no one could actually vet the security.
NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.
That’s not a response to the charges at all.
NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA.
In other words, yes, the NSA is involved — which was not a secret. But what was a secret, and what NIST does not even begin to address, is the idea that the NSA took control of the standard and became its “sole editor.”
Recognizing community concern regarding some specific standards, we reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C to give the public a second opportunity to view and comment on the standards.
Again, that does little to address the specific questions raised. If the standards were designed by the NSA in a manner that makes their security inscrutable even to the most experienced cryptographers, then reopening the comment period without simplifying the standard does no good.
If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.
Yes, but the “cryptographic community” seems to include the NSA… sometimes in key positions.
Basically, this is a total non-response to the revelations from last week. It’s just NIST saying “yes, we work with the NSA, but you have nothing to fear” without giving any basis to support the second half of that claim.