
Government Standards Agency “Strongly” Suggests Dropping its Own Encryption Standard

The decision follows revelations about the NSA’s covert influence on computer security standards.


NIST chief Patrick Gallagher (right) testifies before the Senate in June. NSA director Keith Alexander is on the left. (AP/J. Scott Applewhite)

Following revelations about the NSA’s covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced earlier this week it is revisiting some of its encryption standards.

But in a little-noticed footnote, NIST went a step further, saying it is “strongly” recommending against even using one of the standards. The institute sets standards for everything from the time to weights to computer security that are used by the government and widely adopted by industry.

As ProPublica, the New York Times, and the Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world.  

In its statement Tuesday, NIST acknowledged that the NSA participates in creating cryptography standards “because of its recognized expertise” and because NIST is required by law to consult with the spy agency.

“We are not deliberately, knowingly, working to undermine or weaken encryption,” NIST chief Patrick Gallagher said at a public conference Tuesday.

Various versions of Microsoft Windows, including those used in tablets and smartphones, contain implementations of the standard, though the NSA-influenced portion isn’t enabled by default. Developers creating applications for the platform must choose to enable it.

The New York Times noted earlier this week that documents provided by Snowden show the spy agency played a crucial role in writing the standard that NIST is now cautioning against using, which was first published in 2006.

The NIST standard describes what is known as an “elliptic curve-based deterministic random bit generator.” This bit of computer code is one way to produce random numbers that are the cornerstone of encryption technology used on the Internet. If the numbers generated are not random but in fact predictable, the encryption can be more easily cracked.

The Times reported that the Snowden documents suggest the NSA was involved in creating the number generator.

Researchers say the evidence of NSA influence raises questions about whether any of the standards developed by NIST can be trusted.

“NIST's decisions used to be opaque and frustrating,” said Matthew Green, a professor at Johns Hopkins University. “Now they're opaque and potentially malicious. Which is too bad because NIST performs such a useful service.”

Cryptographers have long suspected the standard in question was faulty. Seven years ago, a pair of researchers in the Netherlands authored a paper that said the random number generator was insecure and that attacks against it could “be run on an ordinary PC.” A year after that, in 2007, two Microsoft engineers flagged the standard as potentially containing a backdoor.

Following the criticism, the standard was revised in 2007 to include an optional workaround.

The NSA has long been involved in encryption matters at the standards institute.

"NIST follows NSA's lead in developing certain cryptographic standards," a 1993 Government Accountability Office report noted.

A 2002 law mandates that NIST set information security standards and lists the NSA merely as one of several other agencies that must be consulted.

Asked how often standards are reopened, NIST spokesperson Gail Porter said, “It’s not frequent, but it does happen.” She added that it would be “difficult to give you an exact number of times.”

Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company "is evaluating NIST’s recent recommendations and as always, will take the appropriate action to protect our customers."

The NSA declined to comment.

So what does this mean in practical terms for the average private internet user?

Security of accounts, moneys, private information security…???

Are we gaining or losing, and if so, what are we gaining or losing?

We will gain security if a few conditions are met:
1) Software developers stop using this standard which has been broken, or engineered to be easily breakable
2) The NSA doesn’t undermine the new cryptographic standards.

If either of those conditions is not met, we’re basically in the same boat as we are now.

Essentially, the NSA or any other entity able to use the backdoor that seems to be built in can decrypt any information sent using the flawed encryption technique.  Right now, it appears that only the NSA knows how to predict the supposedly “random” numbers used to encrypt the data using this particular scheme.

What is much more alarming than the fact that this particular algorithm is not completely secure is that while this is just one of many encryption algorithms, it is entirely possible (and in my opinion, likely) that the NSA has undermined other cryptographic standards in a similar way.

The significance of the revelations about NSA is that now most people know that little is secret if anyone wants to know. The significance of Snowden is that he was a contractor, not a public servant. If Snowden blabbed in public, how many other contractors may be blabbing outside NSA to another agency, to private industry, or just to friends?

When anyone of interest to an organization having access to their communications cannot be sure how they are being monitored or even manipulated, what happens to trust in any of these institutions?

If one is a legislator or public official, how do you know that you have not been spied on, lied to, manipulated, or otherwise de-fanged in case you want to go hunting (like investigative reporters do)?

Seems to me as if NSA is undermining their own intent, which is to protect the country. We’ve never had a shortage of skullduggery. However, with this development, are we on the way to no one, foreign or domestic, losing all confidence in the portrayed position of any major institutions: like government agencies, Google, etc. Does anyone mean what they say, or are most of us just willy-nilly puppets on a string?

Darryl Phillips

Sep. 13, 2013, 11:24 p.m.

Carrier pigeons would seem a good idea, but they also have a back door.

Wow. All we need to do is shelve the old standard and the NSA will never, ever decrypt our future communications. Sure. What do you think is the NSA’s specialty?

Darryl Phillips

Sep. 13, 2013, 11:54 p.m.

Perhaps the best defense is the old denial of service approach. Everyone should include a few words in each email. Plutonium. Terror. Al Qaeda. Osama. And so on. Let them spend their time decrypting everything, or trying to.

In practical terms the current situation has very mixed implications for the average person. There have been many articles and public statements by people in a position to know that there is no privacy. There are already Snowden revelations that the standards for banking and money transfer encryption are compromised. The knowledge that the encryption used can be broken will lead to increased efforts by many parties to crack the security. Over time new standards will be created as well as new implementations of encryption. Short term we are just learning of the full extent of the problem. We will face an uncertain period of probably falling data security followed by efforts to correct the problem. There are people that could make a much better guess than I can but my guess is several years of uncertainty followed by improvement of the situation.

nelson ferrer

Sep. 14, 2013, 1:49 p.m.

The government and the businesses that have interests in the use of the internet WILL NEVER allow privacy within the internet. NEVER. It is within their personal interests to “stay informed”. After all - information is power!!!!!!

@nelson- I couldn’t agree more. Anyone who believes changing encrypting standards will defeat the NSA efforts to crack codes and leave all of us alone, needs to wake up. That is not in the best interests of the NSA, nor commercial enterprises.

Think about it for a minute. Why would we want to provide terrorists or any other enemy in general, a free zone where they can plan attacks with impunity? No, my money is on the NSA continuing to do what it does best, decrypting any attempt at privacy for our national security interests. Even OBL knew that.

We’d best focus on making their work legal and limited so as to not damage personal freedom and intellectual property.

We can kiss our privacy good bye forever!

So long as we have the likes of Lindsey Graham and Dianne Feinstein in Washington DC weakening our constitution every step of the way. Unfortunately when they leave we will get their clones to replace them, unless of course voters demand and obtain a pledge from their representatives to uphold the protections afforded by our constitution before casting their votes for them.

The FACT is that at the present time there is no privacy. If you wish to keep your conversations private, then talk face to face or use the snail mail and hope it is not intercepted and covertly read.

Do everything on the supposition that ALL electronic communication is being monitored and/or read, listened to and stored.

Doug Pederson

Sep. 14, 2013, 6:17 p.m.

I’d like to see way less secrecy. Especially with Government and Big Business. If we knew all their secrets the World would be a safer place. I have few secrets that are of much importance. It’s our government we should know everything they do. Same goes for business. They are trying to get us all wound up about secrecy so they don’t have to divulge their crimes. And it’s working.

No More Secrets Period.

If you are not a criminal or terrorist, you have nothing to hide and have no need for encryption.
So let us know your financial, medical and any other information we desire to see.

Here is how they figured: average people won’t encrypt. Only people who want privacy encrypt. Only a small percentage of people in this world encrypt. NSA deems those who use encryption have something worth hiding. NSA then only needs to focus their attention on those who use encryption. Hence their statement of spying on a small number of Internet traffic is true.

Re: James Miller

You forgot one:

3) Software developers don’t make any other mistakes when including encryption in their programs.

Way too often developers make mistakes in their implementations that have the effect of putting an awesomely strong lock on a screen door. Errors like that are how credit card and password info gets stolen from ecommerce sites. Security is only as strong as the weakest link in the chain.

Doug, tell whistle-blowers who get harassed that you don’t think they should be allowed to have secrets.  Or the kid trying to leave his abusive parents.  The reason we have secrecy is to protect them, not us.  It’s to protect the people who do the most to destroy the bad kinds of secrets.

Anyway, how I see the secrecy end of things is two-fold.

First, the point of security is to delay, not stop, an attacker. In military terms, you want a war of attrition, making them pay the maximum price for their eventual victory.  That means encrypting everything you can as well as you can, especially stuff that’s not a secret.  Demoralize them by making them read reports on what you had for lunch.  Needles in haystacks are easy to find, with the right technology.  Needles in stacks of needles, not so much.  To that end, start using the TOR network, too—yes, it’s possible to track you, but it’s more work spent to do so.

Second, the more open and distributed the process, the harder it would be to compromise the organization to sneak in a back door.  That probably means (annoying as it might be to change) running a Linux distribution as your operating system and probably using PGP for encryption.

Third, if your concern is less the NSA than opportunistic attacks or if you’re dealing with the Open Source software developed in the public eye, keep your software up to date.  Sony was hacked (two out of three times) because they couldn’t be bothered to update their web servers.

Fourth, avoid centralized communication.  If I want to get information out of Facebook or GMail, I only need to find a couple of guys to take to lunch or jobs to fill.  If your system of choice is a peer-to-peer network (Diaspora or RetroShare, as examples), that means compromising your contacts to get to you.

Longer term, contact your elected representatives and explain that you believe they’ve been misled in their constituents’ opinions on surveillance and the reach of government.  Sympathize with how they were lied to, in light of the leaks.  Accusing them of corruption (presumably true) isn’t going to get their attention, but offering a port in the storm gives them a chance to save face.

Keith Alexanderia

Sep. 16, 2013, 11:01 a.m.

“the algorithm contains a weakness that can only be described as a backdoor.”

By Bruce Schneier
Wired News
November 15, 2007

John. The secrets that the whistleblowers want out are kept out of the media by the not so free media.

Recently a whistleblower told me that the town council tried and failed to get a restraining order prohibiting him from attending the open budget meeting.

Whistleblowers want info out.

At the budget meeting. The guy got his 10 minutes and would get to come up again at the end of the line. They thwarted him by having town staff stand in line and take up time. This is for the citizens not the town staff.

Total transparency in Corporations and Government is the only solution.

I think this whole issue only serves those that are corrupt and stealing the economy from us. I may be wrong but I don’t think so.

abinico warez

Sep. 17, 2013, 3:36 p.m.

From having developed products that include encryption, I know for a fact that if the govt can’t crack it, you will not be allowed to use it. And yes, there are techniques that are virtually impossible to crack, and actually they are quite simple to implement.

Doug Pederson

Sep. 17, 2013, 6:30 p.m.

I have my own search engine / MultiMedia Player. Bing, Google, Copernic and the rest all have file size limits that they can search.
I just create a really huge file and append what I want kept from them at the end of said file. My program has no such limits.

You’d be surprised at how small the file sizes are starting at 2MB up to 100Mb.

Then hide this app that you use to look at your secrets at the end of a 200MB file.

This article is part of an ongoing investigation:

Dragnets: Tracking Censorship and Surveillance

ProPublica investigates the threats to privacy in an era of cellphones, data mining and cyberwar.
