NIST's Ridiculous Non-Response Response To Revelation That NSA Controlled Crypto Standards Process
from the that's-not-going-to-calm-anyone-down dept
One of the key revelations from last week, of course, was the fact that the NSA surreptitiously took over the standards making process on certain encryption standards. Here was the key revelation:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
“Eventually, NSA became the sole editor,” the document states.
It took NIST a few days to figure out a response to this, but it’s now been posted, and it says… basically nothing at all. Let’s go through it piece by piece.
Recent news reports have questioned the cryptographic standards development process at NIST. We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place.
Um, except that as the leaks revealed, that’s not actually true. The NSA was the “sole editor” of the standard. So claiming that the standards are rigorously vetted is simply false. Furthermore, as John Gilmore recently revealed, concerning IPSec, the NSA made sure that the standards were so complicated that no one could actually vet the security.
NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.
That’s not a response to the charges at all.
NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA.
In other words, yes, the NSA is involved — which was not a secret. But what was a secret, and what NIST does not even begin to address, is the idea that the NSA took control of the standard and became its “sole editor.”
Recognizing community concern regarding some specific standards, we reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C to give the public a second opportunity to view and comment on the standards.
Again, that does little to address the specific questions raised. If the standards are designed by the NSA in a way that makes their security inscrutable even to the most experienced cryptographers, then reopening the comment period without simplifying the standard does no good.
If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.
Yes, but the “cryptographic community” seems to include the NSA… sometimes in key positions.
Basically this is a total non-response to the revelations from last week. It’s just NIST saying “yes, we work with the NSA, but you have nothing to fear” without giving any basis to support the end of that claim.
Filed Under: encryption, nist, nsa, nsa surveillance, standards
Comments on “NIST's Ridiculous Non-Response Response To Revelation That NSA Controlled Crypto Standards Process”
We’ve always been at war with Eastasia.
I no longer trust the US govt to be in control of these standards bodies. There should be a concerted push to have control passed to the UN.
Re: Re:
You think the UN would be better?
Re: Re:
That sounds like a case of “out of the frying pan, into the fire”. If you don’t trust a single government, I doubt you would want to trust a group of governments. I would much prefer standards bodies to be fully independent of any and all governments.
Re: Re:
Sorry, but are you fucking kidding? The U.N.? That bunch of ninnies would fuck the internet up in two seconds. When those people get together, it’s a worldwide clusterfuck. Every time.
Re: Re: Re:
That’s in the eye of the beholder. Many nations consider the UN necessary to keep other nations (and their own) in check.
The “US” under the Articles of Confederation was rather weak by their own admission, but that weakness at the UN is apparently an asset given how diverse each member is.
Everyone loves government when it comes to protecting their own personal set of “these are the best” laws, but hates it when it compromises in order to serve a larger constituency.
Re: Re:
You do not trust the US govt but you trust the UN?
Statutes like this bug me...
“NIST is also required by statute to consult with the NSA.”
Re: Statutes like this bug me...
For a given value of “consult.”
Re: Statutes like this bug me...
Does it say to follow the NSA’s wishes or show preference?
The question I have is not who is the editor of any given standard (which btw can be ignored by the private sector in many cases) but would the NIST allow the spec to be changed when the community shows weaknesses. Does anyone know of a case where they have not done that?
If people find flaws, point them out and the spec can change. If the spec is complex, don’t use it. There is already the parallel stds from places like Internet RFCs (IETF).
If the government wants their own minimal level of stds they feel comfortable with, e.g., for government contracts, what is the beef? Again, is there actual evidence of NIST or NSA pushing a purposely weak std onto everyone by law and not backing from it? Because if people want to have laws that allow everyone to have super encryption and that would not be available without a law change, then that can be addressed in the US form of government.
I feel like I’m hearing that the sky is falling just because the NSA is involved somehow.
Re: Re: Statutes like this bug me...
We should probably be thanking NIST for this actually. If it wasn’t true they’d be denying it. Their decision not to deny it is all the confirmation I need – not that there was any doubt in the first place.
Re: Re:
The reason the NIST is not denying it is simple. The minute they do deny this, a newspaper article will come out that says they are involved.
So claiming that the standards are rigorously vetted is simply false
They never claimed that the process was properly utilized, merely that it was in place. They also claimed the process was transparent and public, but never once claimed that it was simple enough to be understood even by most experts.
I also note carefully crafted language in the rest of the response about participation, the ability to view and comment, and that issues will be addressed (but addressed doesn’t mean actually rectified) but nowhere do I see a claim that the NSA isn’t the sole arbitrator or that anyone else has actual authority in the final decision making process.
cRYPTOLOGY
Ok,
something to think about..
WHICH is faster?
Straight unencrypted site to site..Plane to plane, place to place?
BASIC encrypt, that compresses data and allows for Faster connections?
HEAVY DUTY, SOLID CORE encrypt? Where the TIME needed to encrypt/SEND/decrypt takes TIME..AND the SIZE will probably be larger than the original material.
Basic encrypt, which is MOSTLY packages/letters/email type stuff…Is fairly easy..and is fairly quick and easy.. but BOTH locations must have the keys.
Heavy duty? does some interesting things, and adds FILLER that isn’t part of the data just to mess things up.
The difference is like a 4 digit number (0-9) compared to a code that is 16-256 digit/characters/symbols (a-z/A-Z/0-9/!@#$#^%&*^(){}”:/?., and about 100 more characters..
16 characters to the ^246 power…
Re: cRYPTOLOGY
“Where the TIME needed to encrypt/SEND/decrypt takes TIME..”
Time takes time? ECA, you’re losing it.
“AND the SIZE will probably be larger than the original material.”
ECA, you’re clueless.
“Basic encrypt, which is MOSTLY packages/letters/email type stuff…Is fairly easy..and is fairly quick and easy.. but BOTH locations must have the keys.
Heavy duty? does some interesting things, and adds FILLER that isn’t part of the data just to mess things up.”
More bullshit.
“The difference is like a 4 digit number (0-9) compared to a code that is 16-256 digit/characters/symbols (a-z/A-Z/0-9/!@#$#^%&*^(){}”:/?., and about 100 more characters..
16 characters to the ^246 power…”
UTTER bullshit. Serious encryption, like AES256, AES1024, etc. adds NOTHING extra. Encrypted message size = plaintext message size.
Why can’t idiots who KNOW NOTHING just shut the hell up? Faaack…
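The size claim in the reply above, tested with real AES modes, as an added example that is not part of the thread (the key and IV are constructed placeholders, not anything from the page): a stream mode like CTR emits exactly one ciphertext byte per plaintext byte, while CBC padding and GCM’s authentication tag add a small, bounded overhead.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample key and IV for the demonstration only; a real system
// derives a fresh random nonce/IV per message and never reuses one.
var demoKey = bytes.Repeat([]byte{0x01}, 32) // AES-256 key (constructed)
var demoIV = bytes.Repeat([]byte{0x02}, 16)  // 16-byte IV for CTR/CBC (constructed)

// CTRLen returns the ciphertext length of AES-256-CTR for an n-byte plaintext:
// a stream mode produces exactly one ciphertext byte per plaintext byte.
func CTRLen(n int) int {
	block, _ := aes.NewCipher(demoKey)
	pt := make([]byte, n)
	ct := make([]byte, n)
	cipher.NewCTR(block, demoIV).XORKeyStream(ct, pt)
	return len(ct)
}

// CBCLen returns the ciphertext length of AES-256-CBC with PKCS#7 padding:
// the message is padded to the next 16-byte boundary, so 1..16 bytes are added.
func CBCLen(n int) int {
	block, _ := aes.NewCipher(demoKey)
	pad := aes.BlockSize - n%aes.BlockSize
	pt := append(make([]byte, n), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, pt)
	return len(ct)
}

// GCMLen returns the ciphertext length of AES-256-GCM: plaintext length plus
// the 16-byte authentication tag (the 12-byte nonce travels alongside, not counted here).
func GCMLen(n int) int {
	block, _ := aes.NewCipher(demoKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	return len(gcm.Seal(nil, nonce, make([]byte, n), nil))
}

func main() {
	for _, n := range []int{0, 5, 16, 100} {
		fmt.Printf("plaintext %3d bytes: CTR %3d  CBC %3d  GCM %3d\n", n, CTRLen(n), CBCLen(n), GCMLen(n))
	}
}
```

The overhead is per message and independent of message length, so for anything beyond a few dozen bytes the ciphertext is effectively the same size as the plaintext.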
Lack of denial speaks volumes, thanks for fucking everything up.
So much of this stuff is like “Just Trust Us” *wink
Seriously this is just beyond insulting now.
Does the NIST actually believe any cryptography experts, or the public, would believe this BS response? I will never trust anything coming out of NIST ever again. It’s obvious they have been corrupted.
This is just a standard corporate BS.
It does not differ the tiniest bit from what corpos say when they don’t want to say anything. Smoke and mirrors wrapped in weasel words.
I wonder what else the government has meddled in?
Keep it up, Techdirt
I’m really grateful that Techdirt has taken it upon itself to be a major conduit about news regarding the overreach and misdeeds of our national security/corporate apparatus.
I’m sure there are a lot of tech stories that the editors of Techdirt would rather be talking about, but this is by far the most important issue facing us.
I’m surprised, and pleased at some of the places I’m finding links to Techdirt stories about this issue. People ARE taking notice, and this is not just a story of the day that’s going to go away tomorrow.
Thank you for spending time on this instead of just passing along another meaningless Apple product roll-out press release, as some tech sources seem to be doing today.
Ok, what's next
Ok, so if the Government’s been involved in it, don’t trust it.
So as a Private Citizen (or is it suspect???) What’s my best choice in NSA free Encryption?
Re: Ok, what's next
Make it up yourself and don’t tell anyone haha…
Who’s going to trust NIST and the US gov now? There needs to be a completely new international body formed, much like W3C, for the purpose of creating new security standards.
I don't read it that way.
Recognizing community concern regarding some specific standards, we reopened the public comment period for…
I see that as an opportunity to raise certain concerns. Such as the ones Mike pointed out:
If the standards are designed by the NSA in a manner that makes the security aspect inscrutable to even the most experienced cryptographers without simplifying the standard, then that’s not doing any good.
Yes, but the “cryptographic community” seems to include the NSA… sometimes in key positions.
They claim to be listening to “concerns”. What remains to be seen is whether they will actually act on these concerns.
More interesting is whether they’ll try to immediately address the “NSA personnel in key positions” of their standards process. They may wish to consider that in order to avoid any *appearance* of impropriety.
Doing that may help in the acceptance of their standard. I do not think they wish to be known as the standards body saddled with the negative aspects of an “Approved by the NSA” reputation.
Think ISO and OOXML.
FEAR NOT OLD MCDONALD! We have foxes and other carnivorous animals to take care of the farm.
the only good america is a dead america
Yellowstone, please blow the fascist state of america off the map. We have no choice, it’s the only way we will ever be free again.