by Dietrich Schmitz
The story, unfortunately, continues to unfold with suspicion now turning to confirmation in a NY Times report that the NSA inserted altered random number generator code into the Dual Eliptic Curve Deterministic Random Bit Generator so as to predict private key encoding and provide a 'backdoor' entry point mechanism. (Image credit: fearlessmen.com)
Despite strong denials coming from the National Institute of Standards and Technology (NIST) who oversaw the development of the Eliptic Curve Cryptography (ECC) standard, many now are left having a strong distrust of the agency. From a The Register story NIST publicly responded:
The US National Institute of Standards and Technology (NIST) has vehemently denied accusations that it deliberately weakened encryption standards to help the NSA's monitoring activities.
"We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place," said NIST in a statement.
"NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large."
NIST took a big credibility hit unfortunately. There are good people there doing good work but we don't know which of their standards are tainted, we don't know how much collaboration there is with the NSA.
And unfortunately because trust is lost when they get up and say the NSA doesn't affect our standards we don't believe them. We need a way to get back trust.