
Government Standards Agency: Don’t Follow Our Encryption Guidelines Because NSA

By Jeff Larson and Justin Elliott/ProPublica

Following revelations about the NSA’s covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced last week it is revisiting some of its encryption standards.
But in a little-noticed footnote, NIST went a step further, saying it is “strongly” recommending against even using one of the standards.
The institute sets standards for everything from timekeeping to weights and measures to computer security; they are used by the government and widely adopted by industry.
As ProPublica, the New York Times, and the Guardian reported two weeks ago, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world.


In its statement Tuesday, NIST acknowledged that the NSA participates in creating cryptography standards “because of its recognized expertise” and because NIST is required by law to consult with the spy agency.
“We are not deliberately, knowingly, working to undermine or weaken encryption,” NIST chief Patrick Gallagher said at a public conference Tuesday.
Various versions of Microsoft Windows, including those used in tablets and smartphones, contain implementations of the standard, though the NSA-influenced portion isn’t enabled by default. Developers creating applications for the platform must choose to enable it.
The New York Times noted earlier this week that documents provided by Snowden show the spy agency played a crucial role in writing the standard that NIST is now cautioning against using, which was first published in 2006.
The NIST standard describes what is known as an “elliptic curve-based deterministic random bit generator,” named Dual_EC_DRBG in the standard. Such a generator is one way to produce the random numbers that are the cornerstone of encryption on the Internet: they are what keys are made from. If the numbers are not random but in fact predictable, an attacker who can predict them can recover the keys, and the encryption built on them can be cracked far more easily.
The Times reported that the Snowden documents suggest the NSA was involved in creating the number generator.
Researchers say the evidence of NSA influence raises questions about whether any of the standards developed by NIST can be trusted.
“NIST’s decisions used to be opaque and frustrating,” said Matthew Green, a professor at Johns Hopkins University. “Now they’re opaque and potentially malicious. Which is too bad because NIST performs such a useful service.”
Cryptographers have long suspected the standard in question was faulty. Seven years ago, a pair of researchers in the Netherlands authored a paper that said the random number generator was insecure and that attacks against it could “be run on an ordinary PC.”
A year after that, in 2007, two Microsoft engineers flagged the standard as potentially containing a backdoor: whoever chose the generator’s two fixed curve points could have kept a secret relation between them that lets them predict its output. Following the criticism, the standard was revised in 2007 to include an optional workaround, a procedure for generating one’s own points instead of using the defaults.
The NSA has long been involved in encryption matters at the standards institute.
“NIST follows NSA’s lead in developing certain cryptographic standards,” a 1993 Government Accountability Office report noted.
A 2002 law mandates that NIST set information security standards and lists the NSA merely as one of several other agencies that must be consulted.
Asked how often standards are reopened, NIST spokesperson Gail Porter said, “It’s not frequent, but it does happen.” She added that it would be “difficult to give you an exact number of times.”
Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company “is evaluating NIST’s recent recommendations and as always, will take the appropriate action to protect our customers.”
The NSA declined to comment.

Posted on September 15, 2013