NIST's Ridiculous Non-Response Response To Revelation That NSA Controlled Crypto Standards Process

from the that's-not-going-to-calm-anyone-down dept

One of the key revelations from last week, of course, was the fact that the NSA surreptitiously took over the standards-making process on certain encryption standards. Here was the key revelation:

    Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

    "Eventually, NSA became the sole editor," the document states.

It took NIST a few days to figure out a response to this, but it's now been posted, and it says... basically nothing at all. Let's go through it piece by piece.

    Recent news reports have questioned the cryptographic standards development process at NIST. We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place.

Um, except that, as the leaks revealed, that's not actually true. The NSA was the "sole editor" of the standard. So claiming that the standards are rigorously vetted is simply false. Furthermore, as John Gilmore recently revealed, concerning IPSec, the NSA made sure that the standards were so complicated that no one could actually vet the security.

    NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.

That's not a response to the charges at all.

    NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA.

In other words, yes, the NSA is involved -- which was not a secret. But what was a secret, and what NIST does not even begin to address, is the idea that the NSA took control of the standard and became its "sole editor."

    Recognizing community concern regarding some specific standards, we reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C to give the public a second opportunity to view and comment on the standards.

Again, that does little to address the specific questions raised. If the standards are designed by the NSA in a manner that makes the security aspect inscrutable to even the most experienced cryptographers without simplifying the standard, then that's not doing any good.

    If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.

Yes, but the "cryptographic community" seems to include the NSA... sometimes in key positions.

Basically this is a total non-response to the revelations from last week. It's just NIST saying "yes, we work with the NSA, but you have nothing to fear" without giving any basis to support the second half of that claim.

Filed Under: encryption, nist, nsa, nsa surveillance, standards


Reader Comments

  • Rich Fiscus (profile), 10 Sep 2013 @ 1:41pm

    We've always been at war with Eastasia.

  • Anonymous Coward, 10 Sep 2013 @ 1:57pm

    I no longer trust the US govt to be in control of these standards bodies. There should be a concerted push to have control passed to the UN.

    • ChurchHatesTucker (profile), 10 Sep 2013 @ 6:36pm

      Re:

      You think the UN would be better?

    • Anonymous Coward, 10 Sep 2013 @ 11:02pm

      Re:

      That sounds like a case of "out of the frying pan, into the fire". If you don't trust a single government, I doubt you would want to trust a group of governments. I would much prefer standards bodies to be fully independent of any and all governments.

    • Anonymous Coward, 11 Sep 2013 @ 6:36am

      Re:

      Sorry, but are you fucking kidding? The U.N.? That bunch of ninnies would fuck the internet up in two seconds. When those people get together, it's a worldwide clusterfuck. Every time.

      • Jose_X, 11 Sep 2013 @ 9:01am

        Re: Re:

        That's in the eye of the beholder. Many nations consider the UN necessary to keep other nations (and their own) in check.

        The "US" under the Articles of Confederation was rather weak by their own admission, but that weakness at the UN is apparently an asset given how diverse each member is.

        Everyone loves government when it comes to protecting their own personal set of "these are the best" laws, but hates it when it compromises in order to serve a larger constituency.

    • LeifOfLiberty, 13 Sep 2013 @ 12:33pm

      Re:

      You do not trust the US govt but you trust the UN?

  • Alt0, 10 Sep 2013 @ 1:58pm

    Statutes like this bug me...

    "NIST is also required by statute to consult with the NSA."

    • stine (profile), 10 Sep 2013 @ 2:15pm

      Re: Statutes like this bug me...

      For a given value of "consult."

    • Jose_X, 11 Sep 2013 @ 8:52am

      Re: Statutes like this bug me...

      Does it say to follow the NSA's wishes or show preference?

      The question I have is not who is the editor of any given standard (which btw can be ignored by the private sector in many cases) but would the NIST allow the spec to be changed when the community shows weaknesses. Does anyone know of a case where they have not done that?

      If people find flaws, point them out and the spec can change. If the spec is complex, don't use it. There are already parallel stds from places like Internet RFCs (IETF).

      If the government wants their own minimal level of stds they feel comfortable with, e.g., for government contracts, what is the beef? Again, is there actual evidence of NIST or NSA pushing a purposely weak std onto everyone by law and not backing from it? Because if people want to have laws that allow everyone to have super encryption and that would not be available without a law change, then that can be addressed in the US form of government.

      I feel like I'm hearing that the sky is falling just because the NSA is involved somehow.

      • Jose_X, 11 Sep 2013 @ 9:09am

        Re: Re: Statutes like this bug me...

        >> I feel like I'm hearing that the sky is falling just because the NSA is involved somehow.

        To be fair, the article's motivation is anger at the NSA for trying to add back doors and then removing any benefit of the doubt that the NIST is working with a different agenda (than the NSA) more in line with what a traditional standards body might desire.

  • Rich Fiscus (profile), 10 Sep 2013 @ 2:15pm

    We should probably be thanking NIST for this actually. If it wasn't true they'd be denying it. Their decision not to deny it is all the confirmation I need - not that there was any doubt in the first place.

  • Anonymous Coward, 10 Sep 2013 @ 2:24pm

    So claiming that the standards are rigorously vetted is simply false

    They never claimed that the process was properly utilized, merely that it was in place. They also claimed the process was transparent and public, but never once claimed that it was simple enough to be understood even by most experts.

    I also note carefully crafted language in the rest of the response about participation, the ability to view and comment, and that issues will be addressed (but addressed doesn't mean actually rectified) but nowhere do I see a claim that the NSA isn't the sole arbitrator or that anyone else has actual authority in the final decision making process.

  • ECA (profile), 10 Sep 2013 @ 2:37pm

    Cryptology

    Ok,
    something to think about..

    WHICH is faster?
    Straight unencrypted site to site..Plane to plane, place to place?
    BASIC encrypt, that compresses data and allows for Faster connections?
    HEAVY DUTY, SOLID CORE encrypt? Where the TIME needed to encrypt/SEND/decrypt takes TIME..AND the SIZE will probably be larger than the original material.

    Basic encrypt, which is MOSTLY packages/letters/email type stuff...Is fairly easy..and is fairly quick and easy.. but BOTH locations must have the keys.

    Heavy duty? does some interesting things, and adds FILLER that isn't part of the data just to mess things up.

    The difference is like a 4 digit number (0-9) compared to a code that is 16-256 digit/characters/symbols (a-z/A-Z/0-9/!@#$#^%&*^(){}":/?., and about 100 more characters..
    16 characters to the ^246 power...

    • Slicerwizard, 10 Sep 2013 @ 11:47pm

      Re: Cryptology

      "Where the TIME needed to encrypt/SEND/decrypt takes TIME.."

      Time takes time? ECA, you're losing it.


      "AND the SIZE will probably be larger than the original material."

      ECA, you're clueless.


      "Basic encrypt, which is MOSTLY packages/letters/email type stuff...Is fairly easy..and is fairly quick and easy.. but BOTH locations must have the keys.

      Heavy duty? does some interesting things, and adds FILLER that isn't part of the data just to mess things up."

      More bullshit.


      "The difference is like a 4 digit number (0-9) compared to a code that is 16-256 digit/characters/symbols (a-z/A-Z/0-9/!@#$#^%&*^(){}":/?., and about 100 more characters..
      16 characters to the ^246 power..."

      UTTER bullshit. Serious encryption, like AES256, AES1024, etc. adds NOTHING extra. Encrypted message size = plaintext message size.

      Why can't idiots who KNOW NOTHING just shut the hell up? Faaack...
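
The two comments above disagree about whether encrypting a message changes its size. The Go program below is an added example, not part of the thread and not code posted by either commenter: it uses Go's standard-library AES in two common modes and reports the real ciphertext lengths next to closed-form formulas. The encrypted bytes themselves are the same length as the plaintext; the extra bytes are the IV or nonce, the PKCS#7 padding (CBC) and the authentication tag (GCM). The key and the plaintexts are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// SizeReport records plaintext and ciphertext lengths for one AES mode.
// "Ciphertext" means everything the receiver needs: IV/nonce, the encrypted
// bytes and, for GCM, the authentication tag.
type SizeReport struct {
	Mode       string
	Plaintext  int
	Ciphertext int
}

// pkcs7Pad pads p to a multiple of blockSize. It always appends 1..blockSize
// bytes, which is why CBC output is never exactly the plaintext length.
func pkcs7Pad(p []byte, blockSize int) []byte {
	n := blockSize - len(p)%blockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC returns IV || AES-CBC(PKCS#7(plaintext)) with a random IV.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// EncryptGCM returns nonce || AES-GCM(plaintext) || 16-byte tag with a random nonce.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to its first argument, so the nonce
	// ends up prepended to the output.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// ExpectedCBCSize is the closed form: 16-byte IV plus the padded length.
func ExpectedCBCSize(n int) int { return aes.BlockSize + (n/aes.BlockSize+1)*aes.BlockSize }

// ExpectedGCMSize is the closed form: 12-byte nonce + n + 16-byte tag.
func ExpectedGCMSize(n int) int { return 12 + n + 16 }

// MeasureSizes encrypts plaintext under both modes and reports the real lengths.
func MeasureSizes(key, plaintext []byte) ([]SizeReport, error) {
	cbc, err := EncryptCBC(key, plaintext)
	if err != nil {
		return nil, err
	}
	gcm, err := EncryptGCM(key, plaintext)
	if err != nil {
		return nil, err
	}
	return []SizeReport{
		{"AES-256-CBC (IV + PKCS#7 padding)", len(plaintext), len(cbc)},
		{"AES-256-GCM (nonce + auth tag)", len(plaintext), len(gcm)},
	}, nil
}

func main() {
	// Constructed demo key: fixed bytes so the example runs offline. A real
	// key comes from a CSPRNG or a KDF, never from a constant.
	key := bytes.Repeat([]byte{0x42}, 32)
	for _, n := range []int{0, 15, 16, 1000} {
		msg := bytes.Repeat([]byte("A"), n) // constructed plaintext of n bytes
		reports, err := MeasureSizes(key, msg)
		if err != nil {
			panic(err)
		}
		for _, r := range reports {
			fmt.Printf("%-36s plaintext=%4d ciphertext=%4d (+%d bytes)\n",
				r.Mode, r.Plaintext, r.Ciphertext, r.Ciphertext-r.Plaintext)
		}
	}
}
```

For a 1000-byte message this yields 1024 bytes under CBC (16-byte IV plus 8 bytes of padding) and 1028 bytes under GCM (12-byte nonce plus 16-byte tag); the overhead is a constant or near-constant number of bytes, not a multiple of the message, and none of it is "filler" mixed into the data.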

  • letherial (profile), 10 Sep 2013 @ 2:52pm

    Lack of denial speaks volumes, thanks for fucking everything up.

  • Anonymous Coward, 10 Sep 2013 @ 2:54pm

    So much of this stuff is like "Just Trust Us" *wink

    Seriously this is just beyond insulting now.

  • Anonymous Coward, 10 Sep 2013 @ 2:55pm

    Does the NIST actually believe any cryptography experts, or the public, would believe this BS response? I will never trust anything coming out of NIST ever again. It's obvious they have been corrupted.

  • Anonymous Coward, 10 Sep 2013 @ 2:55pm

    This is just standard corporate BS.

    It does not differ the tiniest bit from what corpos say when they want not to say a thing. Smoke and mirrors wrapped in weasel words.

  • Anonymous Coward, 10 Sep 2013 @ 2:56pm

    I wonder what else the government meddled in?

  • PopeRatzo (profile), 10 Sep 2013 @ 3:18pm

    Keep it up, Techdirt

    I'm really grateful that Techdirt has taken it upon itself to be a major conduit about news regarding the overreach and misdeeds of our national security/corporate apparatus.

    I'm sure there are a lot of tech stories that the editors of Techdirt would rather be talking about, but this is by far the most important issue facing us.

    I'm surprised, and pleased, at some of the places I'm finding links to Techdirt stories about this issue. People ARE taking notice, and this is not just a story of the day that's going to go away tomorrow.

    Thank you for spending time on this instead of just passing along another meaningless Apple product roll-out press release, as some tech sources seem to be doing today.

  • Anonymous Coward, 10 Sep 2013 @ 4:02pm

    Ok, what's next

    Ok, so if the Government's been involved in it don't trust it.

    So as a private citizen (or is it suspect???), what's my best choice in NSA-free encryption?

    • Anonymous Coward, 10 Sep 2013 @ 8:10pm

      Re: Ok, what's next

      Make it up yourself and don't tell anyone haha...

  • Anonymous Coward, 10 Sep 2013 @ 5:02pm

    Who's going to trust NIST and the US gov now? There needs to be a completely new international body formed, much like W3C, for the purpose of creating new security standards.

  • Anonymous Coward, 11 Sep 2013 @ 1:26am

    I don't read it that way.

    Recognizing community concern regarding some specific standards, we reopened the public comment period for...

    I see that as an opportunity to raise certain concerns. Such as the ones Mike pointed out:

    If the standards are designed by the NSA in a manner that makes the security aspect inscrutable to even the most experienced cryptographers without simplifying the standard, then that's not doing any good.

    Yes, but the "cryptographic community" seems to include the NSA... sometimes in key positions.

    They claim to be listening to "concerns". What remains to be seen is whether they will actually act on these concerns.

    More interesting is whether they'll try to immediately address the "NSA personnel in key positions" of their standards process. They may wish to consider that in order to avoid any *appearance* of impropriety.

    Doing that may help in the acceptance of their standard. I do not think they wish to be known as the standards body saddled with the negative aspects of an "Approved by the NSA" reputation.

    Think ISO and OOXML.

  • Ninja (profile), 11 Sep 2013 @ 3:27am

    FEAR NOT, OLD MCDONALD! We have foxes and other carnivorous animals to take care of the farm.

  • n0s, 11 Sep 2013 @ 10:05pm

    the only good america is a dead america

    Yellowstone, please blow the fascist state of america off the map. We have no choice, it's the only way we will ever be free ever again.
