NIST Tardy on Cryptography Standards ReportReview of Expert Advice on New Process Cited for the Delay
Nearly 10 months after the National Institute of Standards and Technology issued a draft report proposing changes in how it develops cryptographic standards, following allegations that the National Security Agency tampered with a NIST cryptographic algorithm, the institute has yet to finalize that guidance.
NIST spokesman Chad Boutin acknowledges that it's unusual for NIST to go more than half a year after publishing a first draft of a report without either issuing a second draft or producing a final report on its guidance.
Elaine Barker, a NIST mathematician who's overseeing the new NIST process to develop cryptographic standards, says in a statement that the delay in issuing a second draft of the new report is based on the institute's careful review of feedback NIST received last spring from stakeholders and a panel of IT security experts who reviewed Interagency Report 7977. "NIST Cryptographic Standards and Guidelines Development Process," which was published on Feb. 18 (see NIST Unveils Crypto Standards Proposal).
Revised Draft Due in Early 2015
Barker says NIST plans to release the next draft of IR 7977 in early 2015, and then solicit further comments from the public. That means NIST likely won't adopt the new, finalized processes until next spring or later. The goal of NIST's effort is to prevent the NSA from helping NIST develop standards that could be used by the intelligence agency as a backdoor to secretly gather information from organizations that employ NIST-developed algorithms.
Cryptographer Bart Preneel of Belgium's Katholieke Universiteit Leuven, who reviewed the draft interagency report as a member of a special panel known as the Committee of Visitors of the Visiting Committee on Advanced Technology (NIST's primary advisory committee known as VCAT), says he isn't bothered by the delay. "The VCAT report has recommended that NIST senior management clarify the relationship between NIST and NSA, and this relationship may well affect the final formulation of the NIST IR 7977 final document," Preneel says. "This clarification process may take time."
Though not formally adopted, Barker says NIST used the processes detailed in the draft interagency report in developing the latest draft of Special Publication 800-90A, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators," which was issued late last month. NIST in November 2013 suspended SP 800-90A after reports that the NSA corrupted NIST cryptography guidance dealing with generation of random bits. The revised SP 800-90A excludes the algorithm the NSA reportedly corrupted.
"NIST did adhere to the principles in the current draft interagency report in developing the revised SP 800-90A," Barker says. "As the interagency report gets finalized, we will work to ensure all our future crypto standards and guidelines continue to adhere to our publicly stated principles and processes."
But some information security experts who filed public comments to the original draft of IR 7977 and Committee of Visitors members raise questions about whether NIST has gone far enough to demonstrate that it's being transparent in its dealings with the NSA regarding the development of cryptographic standards.
Committee of Visitors member Ellen Richey, executive vice president and chief enterprise risk and legal officer for VISA, says NIST, in the draft interagency report, is moving in the right direction to ensure transparency and openness in the way it develops cryptography standards, but it needs to do more.
Richey says her views on the draft report remain the same as last spring, when she said the interagency report draft seems intended simply to confirm the principles under which NIST has been operating.
"There is no indication that anything was problematic or has been changed," Richey says, referring to the draft interagency report. "This would seem an insufficient response to the acknowledged weaknesses that led to the inclusion of the Dual_EC_DRBG (the tampered algorithm) in SP 800-90.
"To demonstrate that it is practicing as well as stating its commitment to transparency and continuous improvement, NIST should acknowledge in its final standards and guidelines development process, or in an introductory document, that it has identified improvements to its processes and call out what those improvements are."
Federal law requires NIST to work with the NSA in developing information security standards, including cryptography. But some IT security experts, including Preneel, the cryptographer, contend there should be limits on that collaboration.
"What NIST can do is to be very careful with advice from NSA, to expand its own expertise, to consult extensively with the academic community and to be extremely careful when the NSA proposes an algorithm," he says.
Inequality in Knowledge
The NSA has far more cryptographic expertise than does NIST, which Preneel says creates challenges. "In some cases, it is very useful for NIST to receive the advice of the NSA, but in some other cases the advice of the NSA may be against the interest of NIST and/or the broader public," he says. "The problem is that NIST may not know in which situation they are.
"This situation is inherent to the inequality in knowledge. That is why the VCAT report recommends to strengthen the cryptographic expertise of NIST and why NIST should rely as much as possible on the broader scientific community to support and evaluate their work. But it seems unrealistic to believe that the knowledge gap between NIST and NSA can be completely resolved."
NIST's Barker says the institute's leaders believe they've been addressing the concerns of the cryptography community as they develop and revise standards. "We will continue to do our best to work with the community to develop strong cryptographic standards and guidelines," she says.
Cryptographer Bruce Schneier explains why he sees IR 7977 as being ineffective.
But the cryptographer who discovered the tainted algorithm, Bruce Schneier, said he believes revising the way NIST employs NSA advice on cryptographic standards will prove ineffective because the secret Foreign Intelligence Surveillance Court could still allow the NSA to meddle under the guise of national security.
"Law can trump technology," Schneier says, explaining that the FISA court could issue a secret ruling to make it illegal for anyone to disclose NSA-tainted algorithms and standards.
"Who cares what the [draft NIST] report says?" he asks. "Is the report law? Will someone go to jail if the report's inaccurate?" The answer, he says, is no.
What's needed is not a new NIST report but for Congress to change the law to prohibit the NSA from secretly meddling in security standards, says Schneier, chief technology officer of incident response provider Co3 Systems.