Tech

NIST ups transparency in new crypto standards

The National Institute of Standards and Technology has released its final version of a controversial document that lays out the process by which its creates its cryptography standards.

By Greg Otto

April 1, 2016

The National Institute of Standards and Technology has released the final version of a controversial document that lays out the process by which it agrees cryptography standards.

The agency’s standards were questioned after documents leaked by Edward Snowden showed that a NIST-approved encryption algorithm — the Dual Elliptic Curve random number generator (Dual_EC_DRBG) — contained a backdoor for the National Security Agency. The algorithm came under further scrutiny when it was revealed that Juniper Network’s firewall was manipulated by exploiting the backdoor.

Shortly afterwards, the Dual_EC_DRBG algorithm was removed from NIST special publications and other standards handbooks.

But the agency’s Chief Cyber Security Advisor Donna Dodson went further, announcing NIST would be reviewing and overhauling the processes it uses to decide on the cryptographic standards it approves.

The document published earlier this week is the final fruit of that process, containing nine principles that NIST is supposed to adhere to when creating strong crypto standards, including transparency, openness and global acceptability.

The “global acceptability” was included, according to NIST, to reflect “the global nature of today’s commerce.” Leveraging the U.S.’ leading position in the development of internationally recognized security benchmarks in also a component of the Obama administration’s International Strategy for Cyberspace.

“Our goal is to develop strong and effective cryptographic standards and guidelines that are broadly accepted and trusted by our stakeholders,” said Dodson in a release. “While our primary stakeholder is the federal government, our work has global reach across the public and private sectors. We want a process that results in standards and guidelines that can be used to secure information systems worldwide.”

NIST also acknowledged in the release that there is the “possibility for tension” between its own goals and the missions of law enforcement and national security agencies. Encryption has been a white-hot topic, particularly since the Justice Department tried to force Apple to bypass the security features of an iPhone before a third-party found a way into the device.

The final document can be found on NIST’s website.

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.