The National Institute of Standards and Technology’s job is to produce standards and advance technologies to protect the integrity of the federal government’s information systems.
The NIST produces standards that have been subjected to rigorous review prior to being implemented, and so many in the private sector adopt the NIST standards for their own use.
The National Security Agency (NSA), currently the government’s poster child for invasive surveillance techniques and operations, also happens to be a leading authority on cryptography, and they work directly with NIST on the development of the complex random bit generator algorithms used in advanced cryptography mechanisms.
Now there is strong suspicion that the NSA “backdoored” the NIST’s random bit generator by weakening the encryption process, and the NIST is in the awkward position of having to announce that they cannot endorse their own encryption standard anymore because “recent community commentary has called into question the trustworthiness of these default elliptic curve points.”
For an organization like the NIST, this has to sting more than a little.
In a statement on the matter, NIST officials said “we want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place. NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.”
They went on to clarify their relationship with the NSA, saying “NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA.”
The result of the controversy is that NIST has opened a public comment period so that researchers can further examine the standards and assess their reliability.
“If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible,” NIST stated.