NIST Suggests Dropping Encryption Standard
Following revelations about the NSA's covert influence on computer security standards, the National Institute of Standards and Technology (NIST) has decided to revisit some of its encryption standards. In the meantime, it is "strongly" recommending against using one of them.
Recognizing community concern regarding some specific cryptographic standards, NIST reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C to give the public a second opportunity to view and comment on the standards. NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible. The public comments will close on November 6, 2013.
However, NIST's Computer Security Division has released a supplemental security bulletin, in which NIST is recommending against even using one of the standards.
"Concern has been expressed about one of the DRBG algorithms in SP 800-90/90A and ANS X9.82: the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm," NIST said. "NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used."
As the New York Times and the Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the encryption standard, which has been used around the world.
NIST has acknowledged that the NSA participates in creating cryptography standards.
"NIST has a long history of extensive collaboration with the world's cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA."
"NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large," NIST said in a statement, responding to news reports that have questioned the cryptographic standards development process.
The NIST standard describes an "elliptic curve-based deterministic random bit generator," code used to produce random numbers essential for encryption technology.
The Times reported that the Snowden documents suggest the NSA was involved in creating the number generator.