International Standards Body Rejects Weakened IOT Encryption Methods Pushed By The NSA
from the bleak-days-for-Big-Surveillance dept
The NSA has again been outed for pushing compromised encryption standards. An early Snowden leak showed the agency paid RSA $10 million to promote a weakened encryption standard. RSA offered up a denial that didn't exactly contradict the evidence provided by the leaked documents. A few years later, NIST (National Institute of Standards and Technology) removed the Dual Elliptic Curve algorithm from its recommendations, citing its distrust of the agency pushing for its adoption: the NSA. Dual EC appeared to be deliberately weakened, reducing encryption-breaking efforts to a matter of seconds, rather than hours or days.
The NSA is once again at the center of an encryption controversy. This time the intended target of weakened encryption standards is the Internet of Things. As Kieran McCarthy of The Register reports, the NSA's hard-sell approach backfired, leaving its preferred encryption algorithms locked out by an international standards body.
The "Simon" and "Speck" cryptographic tools were designed to secure data to and from the next generation of internet-of-things gizmos and sensors, and were intended to become a global standard.
But the pair of techniques were formally rejected earlier this week by the International Organization of Standards (ISO) amid concerns that they contained a backdoor that would allow US spies to break the encryption. The process was also marred by complaints from encryption experts of threatening behavior from American snoops.
Researchers report being attacked by NSA reps when its preferred algorithms were questioned. Some of the terms used to describe the NSA's reactions to criticism include "outrageously adversarial" and "bullying."
There appears to be no evidence researchers found a backdoor present in the encryption methods as originally delivered. The ISO's rejection was mostly based on the NSA's past untrustworthiness and its attempt to add backdoor-esque code to the IOT encryption software. The NSA's failure to get its favored methods instituted as industry standards has apparently led to personal attacks on researchers opposing its efforts. That's not exactly going to swing crucial votes its way in upcoming standards decisions.
The NSA has remained silent as other US government agencies complain about criminals "going dark." It may join them if it continues to be shut out by standards bodies and software developers.