
Sunday, September 15, 2013

Is NIST History?

by Dietrich Schmitz


In my last story, Is OpenSSL's Cryptography Broken?, I reported on the ongoing developments surrounding a suspected security problem with OpenSSL's implementation.

The story, unfortunately, continues to unfold, with suspicion now turning to confirmation in a New York Times report that the NSA inserted altered random number generator code into the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) so as to make the private keys derived from it predictable and thereby provide a 'backdoor' entry point. (Image credit: fearlessmen.com)

Despite strong denials from the National Institute of Standards and Technology (NIST), which oversaw the development of the Elliptic Curve Cryptography (ECC) standard, many are now left with a strong distrust of the agency. In a statement reported by The Register, NIST publicly responded:
The US National Institute of Standards and Technology (NIST) has vehemently denied accusations that it deliberately weakened encryption standards to help the NSA's monitoring activities.
"We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place," said NIST in a statement.
"NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large."
The statement from NIST said that working with the NSA was 'standard operating procedure' and required by law.  In an attempt to throw a 'wet blanket' on the bonfire, NIST has reopened the standard for public comment.

Regardless, one outspoken critic, cryptographer Bruce Schneier, said in a podcast:
NIST took a big credibility hit, unfortunately. There are good people there doing good work, but we don't know which of their standards are tainted; we don't know how much collaboration there is with the NSA.
And unfortunately, because trust is lost, when they get up and say the NSA doesn't affect our standards, we don't believe them. We need a way to get back trust.
In other news, the IETF offered up a 'fool-proof' plan to PRISM-proof the Internet.

What is the take-away?

Beyond the public relations disaster confronting NIST, all of its cryptography standards have now been called into question.

Whether or not NIST will recover remains to be seen, as it is quite likely that all of its cryptography standards will require rigorous audits.

In the meantime, the prevailing perception is that many cryptographic standards have been compromised and that privacy is not assured by their use on the Internet. As such, it will take a significant amount of time to review each standard pragmatically and thoroughly vet the code before confidence in these needed privacy measures is restored.

And the question of whether trust should be placed in agencies such as NIST is now the main focus and primary concern. Is NIST history? Only time will tell.

-- Dietrich
