NIST Unveils Crypto Standards Proposal
Feedback Sought on Development Process
Because of concerns about possible National Security Agency meddling with its cryptographic standards, the National Institute of Standards and Technology has issued a draft report proposing revisions in how it develops cryptographic standards.
In November, NIST suspended one of its special publications regarding cryptographic standards after reports surfaced that the NSA may have corrupted NIST cryptography guidance dealing with generation of random bits (see NIST to Review Crypto Guidance Methods).
Now, NIST is seeking public comment on a draft document that describes a new method for how the agency develops those cryptographic standards. The draft of Interagency Report 7977, "NIST Cryptographic Standards and Guidelines Development Process," outlines the proposed principles, processes and procedures of NIST's cryptographic standards efforts.
Donna Dodson, chief of NIST's Computer Security Division, says the agency is reviewing its existing standards and guidelines to create a new approach to ensure they adhere to the principles laid out in IR 7977. "If any issues are found, they will be addressed as quickly as possible," Dodson says.
NIST is seeking feedback on the draft document, which describes its revised approach for developing cryptographic documents; engaging experts in industry, academia and government; and communicating with stakeholders. Public comments will be posted on the NIST website and used to create a revised document.
Comments on the draft are due to NIST by April 18.
In 2006, NIST issued Special Publication 800-90 (now SP 800-90A), Recommendation for Random Number Generation Using Deterministic Random Bit Generators, which specifies mechanisms for generating random bits by deterministic methods: algorithms that, given the same seed, always produce the same output bit stream. Because the generator itself adds no randomness, the security of every bit it emits rests on the seed being secret and drawn from enough entropy, and on the mechanism having no hidden structure that would let someone who knows a secret parameter predict its output. The mechanism at the center of the concern was the Dual_EC_DRBG option in that publication.
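As an added illustration of what a deterministic random bit generator is (this is not code from the article or from NIST, and it has no FIPS validation), the following Python implements the HMAC_DRBG mechanism of SP 800-90A over SHA-256. It shows the property the paragraph above describes: two instances seeded with identical material emit identical streams, and only fresh entropy supplied through a reseed makes them diverge. The class and function names are my own, and the 32-byte entropy inputs are constructed constants so the run is reproducible; a real deployment draws them from an approved entropy source.

```python
import hmac
import hashlib


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A section 10.1.2) over SHA-256.

    Illustrative implementation: no FIPS validation, no health tests,
    and the caller is responsible for supplying real entropy input.
    """

    MAX_REQUEST = 1 << 16  # max bytes per generate() call allowed by the spec

    def __init__(self, entropy: bytes, nonce: bytes = b"",
                 personalization: bytes = b"", reseed_interval: int = 2 ** 48):
        self._hash = hashlib.sha256
        outlen = self._hash().digest_size
        self._K = b"\x00" * outlen          # initial key per spec
        self._V = b"\x01" * outlen          # initial value per spec
        self._reseed_interval = reseed_interval
        # Instantiate: seed_material = entropy_input || nonce || personalization
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self._hash).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: fold provided_data into the (K, V) state."""
        self._K = self._hmac(self._K, self._V + b"\x00" + provided_data)
        self._V = self._hmac(self._K, self._V)
        if not provided_data:
            return
        self._K = self._hmac(self._K, self._V + b"\x01" + provided_data)
        self._V = self._hmac(self._K, self._V)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        """Mix fresh entropy into the state and reset the reseed counter."""
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        """Produce n output bytes; refuses to run past the reseed interval."""
        if n > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self._reseed_interval:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self._V = self._hmac(self._K, self._V)
            out += self._V
        self._update(additional_input)   # state is advanced after every request
        self._reseed_counter += 1
        return out[:n]


def determinism_demo() -> tuple:
    """Same seed -> same stream; reseeding one instance makes it diverge."""
    entropy = bytes.fromhex("00" * 32)   # constructed constant, NOT real entropy
    a = HmacDrbg(entropy, nonce=b"nonce", personalization=b"demo")
    b = HmacDrbg(entropy, nonce=b"nonce", personalization=b"demo")
    same_before = a.generate(32) == b.generate(32)
    b.reseed(bytes.fromhex("ff" * 32))   # constructed "fresh" entropy
    same_after = a.generate(32) == b.generate(32)
    return same_before, same_after


def reseed_interval_enforced() -> bool:
    """With reseed_interval=2, the third generate() call must be refused."""
    d = HmacDrbg(bytes.fromhex("02" * 32), reseed_interval=2)
    d.generate(8)
    d.generate(8)
    try:
        d.generate(8)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("identical before reseed, identical after:", determinism_demo())
    print("reseed interval enforced:", reseed_interval_enforced())
```

The point of the demo is the one that made the Dual_EC_DRBG concern serious: an observer who learns the seed (or who holds a secret relationship to a fixed parameter of the mechanism) can reproduce the entire stream, and reseeding with entropy the observer does not have is the only thing that breaks that.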
NIST decided to conduct the review of how it develops cryptographic standards after the New York Times and ProPublica published an article in September that reported the NSA had cracked or circumvented much of the encryption that shields global commerce and banking systems, trade secrets and medical records and Internet communications (see Report: NSA Circumvented Encryption). NIST suspended SP 800-90A as it conducts its review.
NIST works closely with the NSA in the development of cryptographic standards because of the NSA's vast expertise in cryptography and because the Federal Information Security Management Act requires NIST to consult with the NSA on standards.
"We're being a little more cautious, but we certainly have not stopped any of our engagements," Matt Scholl, deputy chief of NIST's Computer Security Division, said in an interview with Information Security Media Group in November (see NIST Review Won't Disrupt Work with NSA). "We certainly have not stopped asking them some of the hard questions that we looked at them to help us with, as well with everybody else. In the areas where we are working to produce standards guidelines, best practices, we're still collaborating."