NIST trying to win back crypto-cred after NSA sabotage


The National Institute of Standards and Technology is one of the key players in setting standards for cryptography. Following the Snowden-leaked revelation that its standards-setting efforts had been infiltrated and sabotaged by the NSA, it is embarking on a charm offensive to lure cryptographers back into its processes. It's reassessing all of its standards, and then conducting a public consultation on its conclusions. It is also having independent auditors look at its process.

As part of what it characterizes as a "rigorous" review of its cryptographic guidance development, NIST says it will investigate its goals and objectives; principles of operation; processes for identifying cryptographic algorithms for standardization; methods for reviewing and resolving public comments; and other important procedures.

"Once complete, we will invite public comment on this process," the statement says. "We also will bring in an independent organization to conduct a formal review of our standards development approach and to suggest improvements. Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable."

NIST to Review Crypto Guidance Methods (via Engadget)

Notable Replies

  1. And they are doing it while working hand in hand with the NSA.

    No thanks.

  2. What if you just encrypted your data like 50 different times using different protocols and then on top of that encode your message into Welsh. That's a pretty secure language by the looks of it.

    neges hon yn cael ei amgryptio gan Gymraeg.

  3. infiltrated and sabotaged

    collaborated more likely

  4. NIST has two masters. The NSA and the US Public. Currently the NSA is not advancing the interests of the US Public. NIST needs to choose which master it is going to serve.

    If NIST chooses to serve the interests of the US Public again, it can easily demonstrate that decision. Just advance a standard that protects privacy.

    A month ago, when we were discussing NSA's Operation Bullrun, User bardfin had a great suggestion:

    We need open-hardware ASICs that do nothing but dump true physical-noise-derived random numbers, in a SIM card package or SDCARD or USB or something that can be pulled out, swapped out, upgraded, thrown away when or if it is determined to have an implementation weakness — at a price point that is pennies. We need them on a single-layer process, mounted in a clear epoxy, so they can be put under a microscope and audited physically so we can say "this isn't counterfeit".

    Trust-able sources of random numbers would be one way NIST could demonstrate they are not the NSA's puppet.

    With a good source of random numbers, I could pre-share a few gigs of random every place I needed point-to-point privacy. Then it would be fairly straightforward to build a brutally simple variant of SSH that always used symmetric crypto and derived the keys from the pre-shared random file.

  5. Assuming at this point that any US govt entity actually has the general public as a master seems really super optimistic. My George Carlin / George Orwell bitter cynicism doubts that - at the same time a more hopeful me wants to believe in that kind of idealism.
