The EFF and a long list of civil and privacy groups have sent a letter to NIST, emphasizing the need for the agency to create “a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities.”
The letter comes at a time when the agency is in the process of putting together the final version of a document that lays out the way that it will develop cryptographic standards and guidelines. In the wake of the Edward Snowden revelations that showed the National Security Agency had worked to weaken cryptographic standards produced by NIST, the agency, which is responsible for setting technical standards in the United States, has undertaken a review of its crypto standards process. One piece of that process is that in the future, any NSA contributions to NIST standards will be public.
The most damaging revelation from NIST’s perspective was that the NSA had used its influence to ensure that a random number generator contained what amounted to a backdoor, making it easier for NSA to break the security of communications protected by algorithms that use the RNG. The Dual EC_DRBG episode was a serious black eye for NIST, and officials at the agency acknowledged that, saying the crypto standards review was an important step.
“The damage is broad and deep, not just to NIST but to industry and government at large,” Matthew Scholl, Deputy Chief of the NIST computer security division, said last year at the time the review was announced. “We are trying to ensure we maintain the confidence of and keep the active participation of external crypto communities in our work. We want to ensure we maintain confidence and trust in what we do and continue to get that participation–which we get when we have confidence and trust.”
The letter from the EFF and more than a dozen other organizations said that there’s much more work to be done.
“In September 2013, the public learned that the National Security Agency (NSA) abused its consultative authority with NIST to artificially lower encryption standards. In the wake of these revelations, civil society has repeatedly called on NIST to increase transparency and accountability in its encryption standards-setting process. These activities by the NSA have already had a measurable impact on the U.S. economy and have resulted in the global distrust of U.S.-led encryption standards. While we commend you on the progress made so far, we urge that much more must be done to restore the public’s trust in the agency and to ensure that secure communications tools and technologies are built on solid foundations,” the letter says.
Earlier this year, the Visiting Committee on Advanced Technology’s Committee of Visitors, a panel of outside experts appointed to give technical recommendations to NIST, found that the agency had relied too heavily on NSA guidance on cryptographic standards, a problem that led to the Dual EC_DRBG fiasco.
“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi-year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report.
In the letter published today, the organizations make a number of recommendations, including that “NIST must publicly and irrefutably commit itself to independence from the NSA’s signals intelligence mission and any government surveillance programs, activities, or authorities”; review its memorandum of understanding with NSA; expand its technical expertise in order to decrease its reliance on NSA; and establish a permanent advisory board for standards-setting.
“NIST’s encryption standards impact the daily lives of users around the world on a frequent basis — civil society should be a central part of the conversations,” the letter says.
The letter was sent to several top officials at NIST, including the acting director, and was copied to President Barack Obama. It’s signed by the Electronic Privacy Information Center, Silent Circle, the World Privacy Forum and a number of other organizations.