recommended reading

NIST Removes NSA-Tainted Algorithm From Cryptographic Standards

Charles Dharapak/AP File Photo

The National Institute of Standards and Technology has finally removed a cryptographic algorithm from its draft guidance on random number generators, more than six months after leaked top-secret documents suggested the algorithm had been deliberately sabotaged by the National Security Agency.

The announcement came as NIST opened to a final round of public comments its revised Special Publication 800-90a, which contains three algorithms now that the Dual Elliptic Curve Deterministic Random Bit Generator has been removed following negative feedback from the public.

According to documents leaked by former contractor Edward Snowden in September, NSA “became the sole editor” of Special Publication 800-90 and allegedly introduced weaknesses to the now-removed algorithm. NIST responded swiftly to that news, recommending against using the standards and suggesting reopening them to public scrutiny in an effort to rebuild trust with the public.

Evidently, NIST received a mouthful. And based on statements from the agency, Dual_EC_DRBG must have performed poorly in evaluations, too.

“In September 2013, news reports prompted public concern about the trustworthiness of Dual_EC_DRBG. As a result, NIST immediately recommended against the use of the algorithm and reissued SP 800-90A for public comment,” NIST said in a statement. “Some commenters expressed concerns that the algorithm contains a weakness that would allow attackers to figure out the secret cryptographic keys and defeat the protections provided by those keys. Based on its own evaluation, and in response to the lack of public confidence in the algorithm, NIST removed Dual_EC_DRBG from the Rev. 1 document.”

NIST’s statement further highlighted the potential weaknesses of Dual_EC_DRBG.

Back in September, approximately 70 government vendors were still using it, even though questions about the algorithm’s integrity dated as far back as 2007. NIST published the standards in 2006.

“NIST recommends that vendors currently using Dual_EC_DRBG who want to remain in compliance with federal guidance, and who have not yet made the previously recommended changes to their cryptographic modules, should select an alternative algorithm and not wait for further revision of the Rev. 1 document,” the agency stated. “NIST advises federal agencies and other buyers of cryptographic products to ask vendors if their cryptographic modules rely on Dual_EC_DRBG, and if so, to ask their vendors to reconfigure those products to use alternative algorithms.”

NIST is required by statute to consult with the NSA on cryptographic matters. With public acknowledgement that at least one of its cryptographic standards wasn’t up to snuff because of the NSA, it’s likely that future collaboration between both agencies will come under more intense public scrutiny.

Threatwatch Alert

Accidentally leaked credentials / Misplaced data

Hospital Breach Affects Thousands of Patients

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.