The federal institute that sets national standards for how government, private citizens and business guard the privacy of their files and communications is reviewing all of its previous recommendations.

The move comes after ProPublica, The Guardian and The New York Times disclosed that the National Security Agency had worked to secretly weaken standards to make it easier for the government to eavesdrop.

The review, announced late Friday afternoon by the National Institute for Standards and Technology, will also include an assessment of how the institute creates encryption standards.

The institute sets national standards for
everything from laboratory safety to high-precision timekeeping. NIST’s cryptographic standards are used by software developers
around the world to protect confidential data. They are crucial
ingredients for privacy on the Internet, and are designed to keep Internet
users safe from being eavesdropped on when they make purchases online, pay
bills or visit secure websites.

But as the investigation by ProPublica, The Guardian and The New York Times in September revealed, the National Security Agency spends $250 million a year on a project called “SIGINT Enabling” to secretly undermine encryption. One of the key goals, documents said, was to use the agency’s influence to weaken the encryption standards that NIST and other standards bodies publish.

“Trust is crucial to the adoption of strong
cryptographic algorithms,” the institute said in a statement
on their website. “We will be reviewing our existing body of cryptographic
work, looking at both our documented process and the specific procedures used
to develop each of these standards and guidelines.”

The NSA is no stranger to NIST’s standards-development process. Under current law, the institute is required to consult with the NSA when drafting standards. NIST also relies on the NSA for help with public standards because the institute doesn’t have as many cryptographers as the agency, which is reported to be the largest employer of mathematicians in the country.

“Unlike NSA, NIST doesn’t have a huge cryptography staff,” said Thomas Ptacek, the founder of Matasano Security. “NIST is not the direct author of many of its most important standards.”

Matthew Scholl, the deputy chief at the Computer Security Division of the institute, echoed that statement: “As NIST Director Pat Gallagher has said in several public settings, NIST is designed to collaborate and the NSA has some of the world’s best minds in cryptography.” He continued, “We also have parallel missions to protect federal IT systems, so we will continue to work with the NSA.”

Some of these standards are products of public
competitions among academic cryptography researchers, while others are the
result of NSA recommendations. An important standard, known as SHA2, was
designed by the NSA and is still trusted by independent cryptographers and software
developers worldwide.

NIST withdrew one cryptographic standard, called Dual EC DRBG, after documents provided to news organizations by the former intelligence contractor Edward Snowden raised the possibility that the standard had been covertly weakened by the NSA.

Soon after, a leading cryptography company, RSA,
told software writers to stop using the algorithm in a product it sells. The
company promised to remove the algorithm in future releases.

Many cryptographers have expressed doubt about NIST standards since the initial revelations were published. One popular encryption library changed its webpage to boast that it did not include NIST-standard cryptography. Silent Circle, a company that makes encryption apps for smartphones, promised to replace the encryption routines in its products with algorithms not published by NIST.

If the NIST review prompts significant changes to
existing encryption standards, consumers will not see the benefit immediately.
“If the recommendations change, lots of code will need to change,” said Tanja Lange, a cryptographer at the University of Technology
at Eindhoven, in the Netherlands. “I think that implementers will embrace such
a new challenge, but I can also imagine that vendors will be reluctant to
invest the extra time.”

In Friday’s announcement, NIST pointed to its
long history of creating standards, including the role it had in creating the
first national encryption standard in the 1970s — the Data Encryption
Standard, known as DES. “NIST has a proud history in open cryptographic
standards, beginning in the 1970s with the Data Encryption Standard,” the
bulletin said. But even that early standard was influenced by
the NSA.

During the development of DES, the agency insisted that the algorithm use weaker keys than originally intended — keys more susceptible to being broken by supercomputers. At the time, Whitfield Diffie, a digital cryptography pioneer, raised serious concerns about the keys. “The standard will have to be replaced in as few as five years,” he wrote.

The weakened keys in the standard were not
changed. DES was formally withdrawn by the
institute in 2005.

The announcement is the latest effort by NIST to restore the confidence of cryptographers. A representative from NIST announced in a public mailing list, also on Friday, that the institute would restore the original version of a new encryption standard, known as SHA3, that had won a recent design competition but was altered by the institute after the competition ended. Cryptographers charged that NIST’s changes to the algorithm had weakened it.

The SHA3 announcement referred directly to
cryptographers’ concerns. “We were and are comfortable with that version on
technical grounds, but the feedback we’ve gotten indicates that a lot of the
crypto community is not comfortable with it,” wrote John Kelsey, NIST’s
representative. There is no evidence the NSA was involved in the decision to
change the algorithm.

The reversal took Matthew Green, a cryptographer
at Johns Hopkins University, by surprise. “NIST backed down! I’m not sure they
would have done that a year ago,” he said.

Update: A NIST spokesperson responded on Monday afternoon (this story initially stated that NIST declined to comment).