NIST To Review Standards After Cryptographers Cry Foul Over NSA Meddling
from the about-time dept
The federal institute that sets national standards for how government, private citizens and business guard the privacy of their files and communications is reviewing all of its previous recommendations.
The move comes after ProPublica, The Guardian and The New York Times disclosed that the National Security Agency had worked to secretly weaken standards to make it easier for the government to eavesdrop.
The review, announced late Friday afternoon by the National Institute for Standards and Technology, will also include an assessment of how the institute creates encryption standards.
The institute sets national standards for everything from laboratory safety to high-precision timekeeping. NIST's cryptographic standards are used by software developers around the world to protect confidential data. They are crucial ingredients for privacy on the Internet, and are designed to keep Internet users safe from being eavesdropped on when they make purchases online, pay bills or visit secure websites.
But as the investigation by ProPublica, The Guardian and The New York Times in September revealed, the National Security Agency spends $250 million a year on a project called "SIGINT Enabling" to secretly undermine encryption. One of the key goals, documents said, was to use the agency's influence to weaken the encryption standards that NIST and other standards bodies publish.
"Trust is crucial to the adoption of strong cryptographic algorithms," the institute said in a statement on their website. "We will be reviewing our existing body of cryptographic work, looking at both our documented process and the specific procedures used to develop each of these standards and guidelines."
The NSA is no stranger to NIST's standards-development process. Under current law, the institute is required to consult with the NSA when drafting standards. NIST also relies on the NSA for help with public standards because the institute doesn't have as many cryptographers as the agency, which is reported to be the largest employer of mathematicians in the country.
"Unlike NSA, NIST doesn't have a huge cryptography staff," said Thomas Ptacek, the founder of Matasano Security, "NIST is not the direct author of many of most of its important standards."
Matthew Scholl, the deputy chief at the Computer Security Division of the institute, echoed that statement: "As NIST Director Pat Gallagher has said in several public settings, NIST is designed to collaborate and the NSA has some of the world's best minds in cryptography." He continued, "We also have parallel missions to protect federal IT systems, so we will continue to work with the NSA."
Some of these standards are products of public competitions among academic cryptography researchers, while others are the result of NSA recommendations. An important standard, known as SHA2, was designed by the NSA and is still trusted by independent cryptographers and software developers worldwide.
NIST withdrew one cryptographic standard, called Dual EC DRBG, after documents provided to news organizations by the former intelligence contractor Edward Snowden raised the possibility that the standard had been covertly weakened by the NSA.
Soon after, a leading cryptography company, RSA, told software writers to stop using the algorithm in a product it sells. The company promised to remove the algorithm in future releases.
Many cryptographers have expressed doubt about NIST standards since the initial revelations were published. One popular encryption library changed its webpage to boast that it did not include NIST-standard cryptography. Silent Circle, a company that makes encryption apps for smartphones, promised to replace the encryption routines in its products with algorithms not published by NIST.
If the NIST review prompts significant changes to existing encryption standards, consumers will not see the benefit immediately. "If the recommendations change, lots of code will need to change," said Tanja Lange, a cryptographer at the University of Technology at Eindhoven, in the Netherlands. "I think that implementers will embrace such a new challenge, but I can also imagine that vendors will be reluctant to invest the extra time."
In Friday's announcement, NIST pointed to its long history of creating standards, including the role it had in creating the first national encryption standard in the 1970s — the Data Encryption Standard, known as DES. "NIST has a proud history in open cryptographic standards, beginning in the 1970s with the Data Encryption Standard," the bulletin said. But even that early standard was influenced by the NSA.
During the development of DES, the agency insisted that the algorithm use weaker keys than originally intended — keys more susceptible to being broken by supercomputers. At the time, Whitfield Diffie, a digital cryptography pioneer, raised serious concerns about the keys. "The standard will have to be replaced in as few as five years," he wrote.
The weakened keys in the standard were not changed. DES was formally withdrawn by the institute in 2005.
The announcement is the latest effort by NIST to restore the confidence of cryptographers. A representative from NIST announced in a public mailing list, also on Friday, that the institute would restore the original version of a new encryption standard, known as SHA3, that had won a recent design competition but was altered by the institute after the competition ended. Cryptographers charged that NIST's changes to the algorithm had weakened it.
The SHA3 announcement referred directly to cryptographers' concerns. "We were and are comfortable with that version on technical grounds, but the feedback we've gotten indicates that a lot of the crypto community is not comfortable with it," wrote John Kelsey, NIST's representative. There is no evidence the NSA was involved in the decision to change the algorithm.
The reversal took Matthew Green, a cryptographer at Johns Hopkins University, by surprise. "NIST backed down! I'm not sure they would have done that a year ago," he said.
Originally posted at ProPublica.
Reader Comments
DES
It's a shame they're not still in that line of work anymore.
[ link to this | view in chronology ]
Re: Re: DES
So the idea was: lower the amount of information the block cipher was outputting, and give less information to the attacker every round. Brute-force when they were discussing this was out of the question because they were discussing this during the 70's (when even 48-bit keys, their original recommendation for the key length, was unfeasible for supercomputers). This was mostly a stop-gap measure because, especially IBM, knew that DES would not last into the 90's as an encryption standard.
This is both a good thing the NSA did and a bad thing, because we all know now that there was no security in obscurity. It was found out eventually and by then there were untold amounts of information encrypted with DES. But it did act as one of the few times they worked to strengthen encryption instead of weaken it. I think the NSA is actually staffed by many talented people who would like nothing more than to make extremely strong ciphers (like what happened during the elliptic curve encryption fad) but are constantly chained down by superiors (like what happened during the elliptic curve's random number generator) ordering them to place backdoors into their own work.
[ link to this | view in chronology ]
Re: Re: Re: DES
Umm, no it didn't.
"There were instances where a block cipher could be compromised because of weaknesses in the substitution table."
You're conflating shorter keys with substitution table weaknesses. They're not the same.
[ link to this | view in chronology ]
Re: Re: DES
if it was just the key the standard would simply be the length of the Key, it is not.
So YES, shortening the key could very well make the cypher stronger.
Again, if you have no idea how encryption works, you might be led to believe key size is everything, but in cryptography, "size is not everything", but the method of encryption IS..
perhaps you need to learn a little bit about the subject before shooting your mouth off !!
[ link to this | view in chronology ]
Re: Re: Re: DES
I think no such thing. Perhaps you should read what I actually wrote.
"So YES, shortening the key could very well make the cypher stronger."
It did not, and I know of no case in which it ever has. Perhaps in your zeal to defend the NSA you can also provide the math to support your assertion?
blah blah blah "..the method of encryption IS.. "
The method of encryption is everything? Use whatever method you like, put a two bit key on it and I'll break it pretty quickly.
"perhaps you need to learn a little bit about the subject before shooting your mouth off !!"
Perhaps you should follow your own advice.
[ link to this | view in chronology ]
But hey, any excuse to attach the NSA is worth a try.
[ link to this | view in chronology ]
Re:
Also...why is it wrong to attack (not attach) the NSA? Are they for some reason supposed to be immune from criticism?
[ link to this | view in chronology ]
Re: Re:
Standards are defined by empirical methods, such as the standard for 1 meter would be defined as a certain number of wavelengths of a laser at a specific frequency. If NIST feels that this measurement is suitable as a measurement for distance, it "sets that as the primary standard".
Science and industry (the state of the art) define the standards and NIST sets those standards (in stone).
All standards are and what NIST does is make sure everyone is working on the same basic physical values, they define the standard for 1 gram for example, so that industry can calibrate their scales to that primary standard, not that that ever happens.
What happens is those are set as "primary standards", and they are used to calibrate 'secondary standards' that are certified to certify "working standards".
So a company that builds scales for measuring your gold collection, would have their scales calibrated against a NIST secondary standard, so if they measure your gold to be 1 gram it is within the allowable limits of that secondary standard and is calibrated against the NIST primary standard.
So no setting and defining standards are not the same things at all.
Nothing wrong with attacking the NSA if it is done for real reasons, and you don't use everyone else to do it for you, or don't base it on opinion or assumptions.
And if those attacks are based on facts, and not what 'someone said', and if it is done for the right reasons, and not for the reason that it gives you the opportunity to attack the Government, and does not rely on 'the Snowdens' who have questionable honesty and integrity.
[ link to this | view in chronology ]
Re:
NIST had a process that chose the best standards, then it changes the winner after the contest, so it LITERALLY defines standards. Changing the winner is the opposite of 'enshrine'.
Secondly, we know from the Snowden leaks that NSA has hijacked that standards process and boasted about it cracking cryptography in 2010 to GCHQ.
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
So Mike is right, you are wrong.
[ link to this | view in chronology ]
Mike, this is NOT "from the about-time dept"!!!
Here's the ProPublica condition that you've violated:
But readers will interpret the insertion of Techdirt's characteristically schmaltzy phrase (here, "from the about-time dept") for sub-head as meaning the source is Techdirt itself, and so I'd rule that an editorial change which isn't allowed under the above terms.
Besides that, every time I see you run one of these ProPublica fillers, even I, long-term reader and sharp-eyed, tend to at first think it's a Techdirt "staff" writer.
I'm sure you'll ignore this. Hilarity ensues.
[ link to this | view in chronology ]
Re: Mike, this is NOT "from the about-time dept"!!!
You are calling foul over a tiny sub-heading? How could anyone (other than you?) be fooled into thinking the source of the article is TD or that TD intended as such, when the AUTHOR on the right is listed as ProPublica AND it says so at the very end of the article!
Now that I've proven you wrong (not a hard thing to do by the way, I now find it as easy to do as breathing), why don't you strap your big boy pants on, waddle back here to TD and apologize? No? Too proud? Don't want the Lone Ranger OOTB to be seen in public apologizing to Megaphone Mike, Satan's Spawn, Google's play-boy?
[ link to this | view in chronology ]
If you need to use something right away, go with Dan Bernstein's curves and protocols instead.
[ link to this | view in chronology ]
History is being written. Your turn, pseudo-democratic Governments.
[ link to this | view in chronology ]
Re:
They blatantly claim privilege and declare everyone's best interests are being met by disenfranchising their opponents.
[ link to this | view in chronology ]
The economics of software development
It's not extra time, it's the extra expense. Where I work, we use cryptography heavily. The day after it became clear that certain algorithms were in question, everything stopped while we evaluated our (very large) software base to find and replace any usage of these algorithms. I estimate the wages spent to do this in my department alone exceeded a half million dollars.
[ link to this | view in chronology ]