Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Farewell to NIST?
SECURITY SHELF

Farewell to NIST? 

Instead of establishing their own standards bodies, many governments just follow NIST like sheep. In the corporate world, cryptographic products that do not comply with NIST standards have traditionally been shunned, partially due to being perceived as non-standard implementations, and partially due to the absence of other credible standards.

The problem with NIST cryptographic standards is twofold. First, their mission is not to protect the world’s data, in fact their mission isn’t to protect corporate data either. Their mandate is to protect US federal government information that is deemed to not involve national security issues. At first glance it seems logical that if a cryptographic standard is good enough for the US Government, it must be good enough for other countries and their businesses. If the standard can be fully understood and the risks contemplated, it may indeed make good business sense to adopt it. But blindly following a standard issued by a foreign government is fraught with danger.

The second issue with NIST is that its standards have clearly been influenced by the NSA, and not always for the better. In 2007, cryptographer Bruce Schneier explained that one of the approved random number generators contained in NIST Special Publication 800-90 called Dual_EC_DRBG was “in the standard only because it’s been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.”His article explained that the source of constants used to define the algorithm’s elliptic curve were not disclosed and that other researchers, Dan Shumow and Niels Ferguson, showed that

“these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.”

Schneier concluded, “both NIST and the NSA have some explaining to do.”

In September 2013, The Guardian published documents confirming that one of the NSA’s goals was to “influence policies, standards and specifications for commercial public key technologies.” It became clear that the NSA was deliberately weakening the encryption standards adopted by developers.

In July 2014 NIST released a report from their Visiting Committee on Advanced Technology (VCAT). The report to the NIST Director included recommendations on how NIST could improve the cryptographic standards development process. One of the four categories of recommendations in the report is a clarification of the relationship between NIST and the NSA:

“NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted. This may be accomplished by NIST itself or by engaging the cryptographic community during the development and review of any particular standard.

The VCAT recommends that NIST senior management reviews the current requirement for interaction with the NSA and requests changes where it hinders its ability to independently develop the best cryptographic standards to serve not only the United States Government but the broader community.”

While this recommendation is noble, it fails to take into account that NIST remains an Agency of the US Government.

As a sovereign nation, the United States is free to make laws that govern the conduct of its citizens and to direct its agencies in accordance with governmental priorities. While American citizens may be constitutionally protected against governmental intrusion, those outside US borders do not enjoy this protection. American laws are not unique in this respect; Canadian criminal laws concerning wiretapping have long excluded parties communicating outside Canada.

The US government, along with Canada and others, have turned the Internet into a massive surveillance apparatus. Their priority is not the security of individuals and corporations nor privacy. It is unrealistic to expect any government agency to act in opposition to the goals of its own government. It’s time to create an independent international cryptographic standards body and say farewell to crypto standards from NIST.

Related posts