The National Institute of Standards and Technology is “strongly” recommending companies no longer follow one of its encryption guidelines until the agency can redraft the guideline with new public input.
The strength of NIST’s encryption and cryptology standards has been called into question since leaked documents revealed the National Security Agency had built loopholes into NIST encryption standards — perhaps without NIST’s knowledge, and definitely without the private sector’s knowledge.
NIST Director Patrick Gallagher defended the transparency of his agency’s process during a talk at the Amazon Web Services Public Sector Summit on Tuesday.
“NIST’s role is to support technical understanding of the strongest, most secure computer security, including encryption, when you can,” he said. “We are not deliberately, knowingly, working to undermine or weaken encryption technologies.”
But by law, NIST must consult the NSA on all encryption standards, which is why, two days ago, NIST reopened the public comment period on three of its guidelines, “even though the documents have not been changed since their public review last year,” according to a NIST release.
And yesterday, the agency went further by announcing it would redraft the main encryption guideline in question. The algorithm laid out for cryptologists in the standard was first released in 2006 and updated in January 2012.
But security experts have been suspicious of it as far back as 2007. Cryptologist and security expert Bruce Schneier said the standard “makes no sense” and advised people not to use it. “Both NIST and the NSA have some explaining to do,” he wrote for Wired at the time.
The comment period on the new draft will last 60 days.