Tuesday, July 15, 2014

NIST: don't trust NSA

Well, well, well:
The US National Institute of Standards and Technology (NIST) has been urged to hire more crypto experts so it can confidently tell the NSA to take a hike.

A report (PDF) from NIST's Visiting Committee on Advanced Technology (VCAT) – which scrutinizes and advises the institute – scolds NIST for being too reliant on the NSA's cryptography expertise. VCAT cited the adoption and backing the use of the dodgy Dual EC DRBG algorithm, an NSA-championed random number generator that was later found to be flawed [PDF].


"NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted," the report suggests. "This may be accomplished by NIST itself or by engaging the cryptographic community during the development and review of any particular standard."

The report goes on to suggest other transparency measures, including the use of open competitions to build new standards and maintaining better documentation on how standards are developed.
NIST is, of course, the National Institute of Standards and Technology, the folks who set standards like the Advanced Encryption Standard (AES).  In the past, NSA has been very influential in the standards committees.

The problem is, there are two sides to the NSA: a data protection side, and a data collection side.  The Snowden revelations showed just how little care is being spent by the data protection side.

And now NITS has figured that out.


Cap'n Jan said...

NITS? To be followed by 'wits'?

Fair Winds and Following Seas,

Cap'n Jan

Borepatch said...

Ha! Fortunate type ...

Graybeard said...

A good news post for once. Good to see the NIST grow a pair on this.