NIST To Review Standards After Cryptographers Cry Foul Over NSA Meddling

from the about-time dept

The federal institute that sets national standards for how government, private citizens and business guard the privacy of their files and communications is reviewing all of its previous recommendations.

The move comes after ProPublica, The Guardian and The New York Times disclosed that the National Security Agency had worked to secretly weaken standards to make it easier for the government to eavesdrop.

The review, announced late Friday afternoon by the National Institute for Standards and Technology, will also include an assessment of how the institute creates encryption standards.

The institute sets national standards for everything from laboratory safety to high-precision timekeeping. NIST’s cryptographic standards are used by software developers around the world to protect confidential data. They are crucial ingredients for privacy on the Internet, and are designed to keep Internet users safe from being eavesdropped on when they make purchases online, pay bills or visit secure websites.

But as the investigation by ProPublica, The Guardian and The New York Times in September revealed, the National Security Agency spends $250 million a year on a project called “SIGINT Enabling” to secretly undermine encryption. One of the key goals, documents said, was to use the agency’s influence to weaken the encryption standards that NIST and other standards bodies publish.

“Trust is crucial to the adoption of strong cryptographic algorithms,” the institute said in a statement on their website. “We will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines.”

The NSA is no stranger to NIST’s standards-development process. Under current law, the institute is required to consult with the NSA when drafting standards. NIST also relies on the NSA for help with public standards because the institute doesn’t have as many cryptographers as the agency, which is reported to be the largest employer of mathematicians in the country.

“Unlike NSA, NIST doesn’t have a huge cryptography staff,” said Thomas Ptacek, the founder of Matasano Security, “NIST is not the direct author of many of most of its important standards.”

Matthew Scholl, the deputy chief at the Computer Security Division of the institute, echoed that statement, “As NIST Director Pat Gallagher has said in several public settings, NIST is designed to collaborate and the NSA has some of the world’s best minds in cryptography.” He continued, “We also have parallel missions to protect federal IT systems, so we will continue to work with the NSA.”

Some of these standards are products of public competitions among academic cryptography researchers, while others are the result of NSA recommendations. An important standard, known as SHA2, was designed by the NSA and is still trusted by independent cryptographers and software developers worldwide.

NIST withdrew one cryptographic standard, called Dual EC DRBG, after documents provided to news organizations by the former intelligence contractor Edward Snowden raised the possibility that the standard had been covertly weakened by the NSA.

Soon after, a leading cryptography company, RSA, told software writers to stop using the algorithm in a product it sells. The company promised to remove the algorithm in future releases.

Many cryptographers have expressed doubt about NIST standards since the initial revelations were published. One popular encryption library changed its webpage to boast that it did not include NIST-standard cryptography. Silent Circle, a company that makes encryption apps for smartphones, promised to replace the encryption routines in its products with algorithms not published by NIST.

If the NIST review prompts significant changes to existing encryption standards, consumers will not see the benefit immediately. “If the recommendations change, lots of code will need to change,” said Tanja Lange, a cryptographer at the University of Technology at Eindhoven, in the Netherlands. “I think that implementers will embrace such a new challenge, but I can also imagine that vendors will be reluctant to invest the extra time.”

In Friday’s announcement, NIST pointed to its long history of creating standards, including the role it had in creating the first national encryption standard in the 1970s — the Data Encryption Standard, known as DES. “NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard,” the bulletin said. But even that early standard was influenced by the NSA.

During the development of DES, the agency insisted that the algorithm use weaker keys than originally intended — keys more susceptible to being broken by supercomputers. At the time, Whitfield Diffie, a digital cryptography pioneer, raised serious concerns about the keys. “The standard will have to be replaced in as few as five years,” he wrote.

The weakened keys in the standard were not changed. DES was formally withdrawn by the institute in 2005.

The announcement is the latest effort by NIST to restore the confidence of cryptographers. A representative from NIST announced in a public mailing list, also on Friday, that the institute would restore the original version of a new encryption standard, known as SHA3, that had won a recent design competition but was altered by the institute after the competition ended. Cryptographers charged that NIST’s changes to the algorithm had weakened it.

The SHA3 announcement referred directly to cryptographers’ concerns. “We were and are comfortable with that version on technical grounds, but the feedback we’ve gotten indicates that a lot of the crypto community is not comfortable with it,” wrote John Kelsey, NIST’s representative. There is no evidence the NSA was involved in the decision to change the algorithm.

The reversal took Matthew Green, a cryptographer at Johns Hopkins University, by surprise. “NIST backed down! I’m not sure they would have done that a year ago,” he said.

Originally posted at ProPublica.


Comments on “NIST To Review Standards After Cryptographers Cry Foul Over NSA Meddling”

Mason Wheeler (profile) says:


The interesting thing about the DES changes is that, while a bunch of people at first thought the NSA was weakening the standard, it later came out that their changes actually strengthened DES by making it more resistant to a cutting-edge cryptanalytic technique that no one outside of DES and IBM knew existed at the time. But they figured it would get discovered by someone else eventually, and acted proactively to help secure the standard.

It’s a shame they’re not still in that line of work anymore.

Anonymous Coward says:

Re: Re: DES

It actually did in that particular instance. There were instances where a block cipher could be compromised because of weaknesses in the substitution table. This was because there were attacks (known only to the NSA and IBM, which is where the NSA is at fault) which could, theoretically, compromise the encrypted message.

So the idea was: lower the amount of information the block cipher was outputting, and give less information to the attacker every round. Brute-force when they were discussing this was out of the question because they were discussing this during the 70’s (when even 48-bit keys, their original recommendation for the key length, was unfeasible for supercomputers). This was mostly a stop-gap measure because, especially IBM, knew that DES would not last into the 90’s as an encryption standard.

This is both a good thing the NSA did and a bad thing, because we all know now that there was no security in obscurity. It was found out eventually and by then there was untold amounts of information encrypted with DES. But it did act as one of the few times they worked to strengthen encryption instead of weaken it. I think the NSA is actually staffed by many talented people who would like nothing more than to make extremely strong ciphers (like what happened during the elliptic curve encryption fad) but are constantly chained down by superiors (like what happened during the elliptic curve’s random number generator) ordering to place backdoors into their own work.

Anonymous Coward says:

Re: Re: DES

if you think the length of the key is the only factor in determining the quality of the cypher then yes.. but there are many other facts apart from the key..

if it was just the key the standard would simply be the length of the Key, it is not.

So YES, shortening the key could very well make the cypher stronger.

Again, if you have no idea how encryption works, you might be led to believe key size is everything, but in cryptography, “size is not everything”, but the method of encryption IS..

perhaps you need to learn a little bit about the subject before shooting your mouth off !!

Anonymous Coward says:

Re: Re: Re: DES

“if you think the length of the key is the only factor in determining the quality of the cypher”

I think no such thing. Perhaps you should read what I actually wrote.

“So YES, shortening the key could very well make the cypher stronger.”

It did not, and I know of no case in which it ever has. Perhaps in your zeal to defend the NSA you can also provide the math to support your assertion?

blah blah blah “..the method of encryption IS.. “

The method of encryption is everything? Use what ever method you like, put a two bit key on it and I’ll break it pretty quickly.

“perhaps you need to learn a little bit about the subject before shooting your mouth off !!”

Perhaps you should follow your own advice.

Anonymous Coward says:

you clearly don’t understand the function of NIST and how it operates, it does not ‘define standards’ they enshrine standards based on “state of the art”, it would not be appropriate for NIST to take on the role of employing cryptographers, no they look at what the state of the art is, and what industry is doing and set the standards according to that principle.

But hey, any excuse to attack the NSA is worth a try.

Anonymous Coward says:

Re: Re: Re:

no set standards do not equal define standards, but thanks for asking.

Standards are defined by empirical methods, such as the standard for 1 meter would be defined as a certain number of wavelengths of a laser at a specific frequency, if NIST feel that this measurement is suitable as a measurement for distance, it “sets that as the primary standard”.

Science and industry (the state of the art) defines the standards and NIST set them standards (in stone).

All standards are and what NIST does is make sure everyone is working on the same basic physical values, they define the standard for 1 gram for example, so that industry can calibrate their scales to that primary standard, not that that ever happens.

what happens is those as set as “primary standards”, and they are used to calibrate ‘secondary standards’ that are certified to certify “working standards”.

So a company that builds scales for measuring your gold collection, would have their scales calibrated against a NIST secondary standard, so if they measure your gold to be 1 gram it is within the allowable limits of that secondary standard and is calibrated against the NIST primary standard.

So no setting and defining standards are not the same things at all.

Nothing wrong with attacking the NSA if it is done for real reasons, and you don’t use everyone else to do it for you, or don’t base it on opinion or assumptions.

And if those attacks are based on facts, and not what ‘someone said’, and if it is done for the right reasons, and not for the reason that it gives you the opportunity to attack the Government, and does not rely on ‘the Snowdens’ who has questionable honesty and integrity.

Anonymous Coward says:

Re: Re:


NIST had a process that chose the best standards, then it changes the winner after the contest, so it LITERALLY defines standards. Changing the winner is the opposite of ‘enshrine’.

Secondly, we know from the Snowden leaks that NSA has hijacked that standards process and boasted about it cracking cryptography in 2010 to GCHQ.

So Mike is right, you are wrong.

out_of_the_blue says:

Mike, this is NOT "from the about-time dept"!!!

Since you just went legalistic weenie on the RIAA for someone somewhere omitting attribution of open-source code — which was quickly corrected — I’m going to point out that YOUR editorial addition is far worse because it tends to DIS-attribute ProPublica.

Here’s the ProPublica condition that you’ve violated:

You can’t edit our material, except to reflect relative changes in time, location and editorial style. (For example, “yesterday” can be changed to “last week,” and “Portland, Ore.” to “Portland” or “here.”)

But readers will interpret the insertion of Techdirt’s characteristically schmaltzy phrase (here, “from the about-time dept”) for sub-head as meaning the source is Techdirt itself, and so I’d rule that an editorial change which isn’t allowed under the above terms.

Besides that, every time I see you run one of these ProPublica fillers, even I, long-term reader and sharp-eyed, tend to at first think it’s a Techdirt “staff” writer.

I’m sure you’ll ignore this. Hilarity ensues.

Rikuo (profile) says:

Re: Mike, this is NOT "from the about-time dept"!!!

Good fucking god, you’ve done it AGAIN. You’ve gone and proven AGAIN that it’s possible to have negative numbers in your IQ. This time you must have hit negative triple digits.

You are calling foul over a tiny sub-heading? How could anyone (other than you?) be fooled into thinking the source of the article is TD or that TD intended as such, when the AUTHOR on the right is listed as ProPublica AND it says so at the very end of the article!

Now that I’ve proven you wrong (not a hard thing to do by the way, I now find it as easy to do as breathing), why don’t you strap your big boy pants on, waddle back here to TD and apologize? No? Too proud? Don’t want the Lone Ranger OOTB to be seen in public apologizing to Megaphone Mike, Satan’s Spawn, Google’s play-boy?

John Fenderson (profile) says:

The economics of software development

“I think that implementers will embrace such a new challenge, but I can also imagine that vendors will be reluctant to invest the extra time.”

It’s not extra time, it’s the extra expense. Where I work, we use cryptography heavily. The day after it became clear that certain algorithms were in question, everything stopped while we evaluated our (very large) software base to find and replace any usage of these algorithms. I estimate the wages spent to do this in my department alone exceeded a half million dollars.
