This document gives a good overview of how NIST develops cryptographic standards and guidelines. It’s still in draft, and comments are appreciated.
Given that NIST has been tainted by the NSA’s actions to subvert cryptographic standards and protocols, more transparency in this process is appreciated. I think NIST is doing a fine job and that it’s not shilling for the NSA, but it needs to do more to convince the world of that.
wumpus • March 4, 2014 8:47 AM
@Bob S.
Just how else is NIST supposed to work? You imply have two choices, listen to the NSA or “roll your own encryption”. While they may still have limited abilities to test on their own, they still listen to outside parties. One can only hope that they will weigh these (real, not shill) parties a big better should the NSA try something as obvious as the recent RNG debacle.
“Public comment period: February 18, 2014 through April 18, 2014”
Anybody plan on commenting?
Clive Robinson • March 4, 2014 9:12 AM
The problem, is not just NIST, but any standards body can be manipulated by members of a working group, with “other or split loyalties”.
So resolving the issue of who gets on a working group and how you “keep them honest” and free of vested interest is not easy.
Any one remember Micro$haft manipulating standards or any one of a hundred organisations fighting for their own bit of turf?
Bob S. • March 4, 2014 9:52 AM
@wumpus
Re: How is NIST supposed to work?
In my view, trust is broken and NIST is Humpty Dumpty. It sure doesn’t help that the LAW requires NSA consultation (interference) and NIST must beg for NSA coders.
There is movement afoot to take away US domination of internet standards and regulation.
Sadly, I must conclude our government botched it and it’s someone else’s turn.
Lisa • March 4, 2014 1:28 PM
I will believe that NIST is not a front for the NSA, when they withdraw the flawed “Dual_EC_DRBG” random number generator, and publish the full methods used to derived the NIST Elliptic Curve constants.
Until then, it is safe to assume that NIST primary motive is to undermine security for repressive governments and criminal organizations.
David • March 4, 2014 1:45 PM
@Lisa
I think NIST has already done what you suggest. The standard for Dual_EC_DRNG was withdrawn and public comments reopened. Two other related standards also had their public comment reopened. The NIST explicitly recommended that people NOT use Dual_EC_DRNG until the questions surrounding it were answered. NIST cannot publish “the full methods used to derive” the curve constants because NIST doesn’t know how it was done. That’s the reason why they’re withdrawing the standard. I suspect the Director of NIST is rather seriously pissed with NSA over this affair.
I don’t know what else we could ask NIST to do that they have not already done. I’m willing to believe that NIST was taken in by NSA rather than that they were willing accomplices. And I believe NIST will be much more suspicious of NSA’s “consultations” on cryptographic matters in the future.
Lisa • March 4, 2014 2:34 PM
@David
With regard to Dual_EC_DRBG, what you state sounds like really good news and show that there is still hope for NIST. However I can’t find any reference that NIST has officially withdrew it from the list of approved DRNG’s. Could you please provide a link?
And with regard to the NIST ECC curve constants, if NIST does not know where they come from, or cannot release it, then all the better to for NIST to completely withdraw all support for it.
As an alternative, NIST should instead adopt the BrainPool elliptic curves. At least BSI, which is the German NIST equivalent, has fully reviewed, documented, and published the entire procedure on how the BrainPool curve constants were selected/generated.
I really do hope that NIST takes every step possible to show that security really is their primary goal. If ever there was a need for NIST to clean house of any weak, compromised, or improperly vetted standards, it is now.
Jason • March 4, 2014 2:59 PM
Sabotaging encryption by getting NIST to choose insecure values of encryption constants is pretty sneaky. But NIST is also in charge of general units of measurement. I’m waiting for the next step: sabotaging encryption by getting NIST to choose insecure values of universal constants.
Hack the coulomb! Bury a payload in the fine structure constant!
Mike B • March 4, 2014 3:23 PM
It’s a good thing that the rest of the world doesn’t trust NIST. They can keep using their second class broken standards while US firms can use the good stuff.
Nick P • March 4, 2014 4:47 PM
From the document:
“NIST works closely with the NSA in the development of cryptographic standards. This is done because of the NSA’s vast expertise in cryptography and because NIST, under the Federal Information Security Management Act of 2002, is statutorily required to consult with the NSA on standards.”
So, NSA is a good resource for them, is a major customer, and is a legally mandated collaborator. That NIST works closely with them is expected. That this gives NSA an opportunity to poison NIST’s work also comes naturally. I agree with Bruce that most of NIST probably isn’t in on the scheme. Although, one or more might be NSA collaborators in their schemes. Just need more peer review basically.
Seems like IETF is having more trouble with infiltrators:
I think it’s also only fair to point out that NIST has done far more good for our security than bad overall. Their various security guides, AES/SHA3 competitions, etc. can help plenty. If anything, we should squarely put the blame on NSA for pretending to improve NIST’s security efforts while subverting them.
Clive Robinson • March 4, 2014 6:25 PM
@ Nick P,
Hmm NSA, blame, AES, brings back memories…
I remember a lot of people not being to happy with what became the AES winner, they did not like some of the underlying structures and made rumblings about “new and un-proven”.
As it turns out that AES is quite weak, not –as far as we know– as an algorithm but as an implemntation, which might account as to why the NSA only rate it for “data at rest”.
I’ve often said I belive that the NSA manipulated the AES competition and I’ve not yet seen an reason to change my mind.
Which brings us onto the SHA3 competition again the winner has some of the underlying structures that caused huffing and puffing in AES. However this time the huffing and puffing was about poor performance.
Whilst I’ve not taken the time to test an implementation of SHA3 for side channel leakage, I can’t help but think “what if?”.
The thing about hashes is they have rather more uses than symetrical encryption and their normal usage is rather less amenable to “offline” usage than encryption…
As they say “It’s an itch that won’t go away” but it is a heck of a sight more difficult to scratch.
Which is why I still maintain for the minimal work involved using two orthagonal algorithms in series is a reasonable thing to do if you want to aim for the security “high watermark”.
Nick P • March 4, 2014 7:00 PM
@ Clive Robinson
They might have manipulated them. Yet, the algorithms ended up being good over time and security community fixed implementation issues. Without AES, imagine what crap applications would be using. So, I still think businesses needing crypto were better off with NIST’s effort than without it.
I’m all for the security community giving their recommendations plenty of scrutiny. We’re supposed to be doing that anyway, though, right? 😉
Patrick Y • March 4, 2014 7:38 PM
Why are documents like this in PDF form, rather than simply web pages?
Somehow I am reluctant to download and view a PDF from NIST. It’s either got an IP address homing bug in it, or will be swapped out with a version with a homing bug a few days after you post the link.
name.withheld.for.obvious.reasons • March 4, 2014 10:31 PM
I left IEEE as their mission and the actual actions did not match up. My statement was that instead of “delivering technology to humanity” that it was really delivering humanity to technology. I backed my world view with my action(s), I find myself quite alone in this respect. I stand by both my statements and actions. Wonder when others will find the guts to do the same. Even though I remain semi-anonymous, my actions are not–they happen with my full name attached. I challenge anyone else to do the same.
Nick P • March 4, 2014 10:51 PM
@ name.withheld
Well put. The thing that saddens me about IEEE is same as ACM: so much brilliance hidden behind a paywall and other restrictions. Much of the best stuff I’ve posted here to secure computers was published via one of those organizations. Yet, people need to shell out around three digits for access. One would think their search engines would be better for those rates. (sigh)
Side note: I’m very grateful for CiteseerX. That should be default publishing mechanism, funded by donations and indexed by Google.
Figureitout • March 5, 2014 8:39 AM
Jason
–Yeah, that’s my prediction. Teaching children false physics and science to hide exploits behind an illusion of “knowledge”. The end will be near.
NobodySpecial • March 5, 2014 10:14 AM
@jason – and a bigger problem if NIST becomes equivalent to NSA in peoples minds.
We build a lot of equipment that has to be tested and inspected, those calibrations are tied to NIST standards. We use NIST because it is a lot cheaper and easier to get NIST traceable calibration than German, Swiss or Japanese.
If foreign customers start refusing NIST it’s going to get very expensive to do business when every machine tool has to be separately certified by a dozen different nationals standards labs.
Godel • March 5, 2014 6:03 PM
@ Clive Robinson
http://slashdot.org/story/13/09/28/0219235/did-nist-cripple-sha-3
“In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA.
‘NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,’ writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes.”
Nick P • March 5, 2014 10:19 PM
@ Godel
So, now that it’s only 128 or 256 bit security they can crack it. Those darned strength reductions! 😉
The more likely explanation is that four modes is pretty confusing and an unnecessary amount of work to support on the many platforms that will use the standard. They’ve narrowed it down to two modes: basic with good strength and extra-strong. Avoiding 384 and 512-bit might also benefit with resource constrained devices, allowing them to use the standard. I’ve never known anyone to use the 224 or 384 for normal operations. The 512 bit is considered overkill by most who know that the attacks will be on endpoints and logic rather than primitives.
So, nothing about that quote makes me worry. The article you linked also has a response from the Keccak team saying essentially the article claimed BS and the modifications didn’t change the main primitives of Keccak. They said they were a subset of the original Keccak that narrowed the options to a few secure ones. If anything, I’m seeing practical changes rather than subversive ones.
AlanS • March 6, 2014 3:21 PM
December presentation on possible NSA backdoor by one of the authors of NIST SP 800-90A: 800-90 and Dual EC DRBG
Also see 2007 Bruce article (he appears to have worked with the author of the above): Did NSA Put a Secret Backdoor in New Encryption Standard?
Truther • March 6, 2014 6:22 PM
NIST was the group that revised their WTC7 collapse report several times over at least seven years since 9/11. They are the government agency that claims small fires brought down an entire 47-story building into its own footprint despite never being hit by a plane, dozens of witnesses on video saying the building was going to come down, video evidence showing that small sub-building on the roof collapsing before the rest of the building, and BBC announcing on live TV the building’s demise more than 30 minutes before it collapsed.
Until NIST comes clean on this, they will forever be yet another corrupt and ultimately unnecessary government organization. We have now have several instances of well-publicized evil against the citizens of the US. Their 2014 taxpayer-funded $850M budget is not justified. We would be better served by eliminating this entity altogether and have the private sector pick up anything that’s really necessary. IEEE is a good example of setting standards without government.
Give me strength • March 10, 2014 11:24 AM
@Truther
No it’s the lizard men of the Illuminati… wait… Just who’s funding you? your a dam partizan for the space aliens and their probes..
[Runs away waving his hands]
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Bob S. • March 4, 2014 7:35 AM
Looks like incest is inevitable:
“The NSA is no stranger to NIST’s standards-development process.
Under current law, the institute is required to consult with the NSA when drafting standards.
NIST also relies on the NSA for help with public standards because the institute doesn’t have as many cryptographers as the agency, which is reported to be the largest employer of mathematicians in the country.”
Propublica
Seems to me NIST works for the NSA and there is no independence whatsoever.