NIST Re-evaluating Cryptography Guidance
By Eric Chabrow
NIST, in a supplemental bulletin issued last week, strongly recommends that a key part of the guidance being re-evaluated “no longer be used.”
The guidance under review specifies mechanisms for generating random bits using deterministic methods (algorithms that, given a particular input, will always produce the same output). These mechanisms are based on hash functions, block cipher algorithms or number theoretic problems, the last of which are in turn based on elliptic curves. The NIST bulletin says the method based on number theoretic problems should no longer be used.
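To illustrate the deterministic generation described above, here is an added example (not from the NIST bulletin or this article): a condensed HMAC_DRBG, one of the hash-function-based mechanisms in SP 800-90A, using SHA-256. It omits reseeding, additional input and the standard's length checks; the class name, function names and seed values are constructed for illustration.

```python
import hashlib
import hmac


class HmacDrbg:
    """Condensed HMAC_DRBG (SHA-256): instantiate and generate only."""

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # Initial state defined by the mechanism: K = 0x00..00, V = 0x01..01.
        self._k = b"\x00" * 32
        self._v = b"\x01" * 32
        self._update(entropy + nonce + personalization)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        # Mix provided data into the internal state (K, V).
        self._k = self._hmac(self._k, self._v + b"\x00" + data)
        self._v = self._hmac(self._k, self._v)
        if data:
            self._k = self._hmac(self._k, self._v + b"\x01" + data)
            self._v = self._hmac(self._k, self._v)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._v = self._hmac(self._k, self._v)
            out += self._v
        self._update()  # advance the state so earlier output cannot be recomputed from it
        return out[:n]


def demo():
    # Constructed seeds; a real deployment draws the seed from an entropy source.
    seed_a, seed_b = b"constructed-seed-A", b"constructed-seed-B"
    g1, g2, g3 = HmacDrbg(seed_a), HmacDrbg(seed_a), HmacDrbg(seed_b)
    a1, a2, b1 = g1.generate(48), g2.generate(48), g3.generate(48)
    a_next = g1.generate(48)  # second request from the same instance
    return a1, a2, b1, a_next


if __name__ == "__main__":
    a1, a2, b1, a_next = demo()
    # Output is a pure function of the seed, so the seed's secrecy and
    # entropy carry all of the generator's unpredictability.
    print("same seed, same bits:", a1 == a2)
    print("different seed, different bits:", a1 != b1)
```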
Cryptographers raised renewed concerns over the published guidance, Special Publication 800-90A, which specifies techniques for the generation of random bits by applications using cryptography, after revelations that the NSA circumvented much of the encryption that shields Internet communications (see Report: NSA Circumvented Encryption).
“Recognizing community concern regarding some specific standards, we reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C to give the public a second opportunity to view and comment on the standards,” says a NIST statement, which did not mention the suspension of the guidance based on number theoretic problems. “If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.”
NIST often revises its guidance as technologies and processes change, but it’s highly unusual – though not unheard of – for the Commerce Department unit to re-evaluate a special publication a year after it’s issued for other reasons, such as experts questioning the reliability of the guide. SP 800-90A was finalized in January 2012. By re-opening the guidance for further comments, NIST effectively makes the document a draft, and not a finalized guide.
A NIST spokeswoman stopped short of saying NIST had withdrawn the publication. The other two guides, SP 800-90B and 800-90C, have only appeared as drafts and were never finalized. Stakeholders have until Nov. 6 to comment on all three drafts.
Asked if other NIST cryptography and encryption guidance would be reviewed for possible inappropriate NSA influence, Donna Dodson, NIST’s Computer Security Division chief, says the institute plans to continue its current approach with a “re-invigorated sense of purpose.” Dodson, who also serves as NIST’s deputy chief cybersecurity adviser, says NIST and NSA officials will meet to discuss the agency’s motivation behind its recommendations on the guidance. But she didn’t provide additional details about those sessions, including who would participate in them and when they would occur.
“We’ll systematically work on continuously reviewing standards, especially those where new technologies have changed the risk landscape,” Dodson says. “We’ll continue to work with the worldwide cryptography community to produce strong standards in an open and transparent way that have strong mathematical underpinnings.”
The NSA declined to comment on the developments.
Reputation at Stake
Seth David Schoen, a senior staff technologist and encryption specialist at the Electronic Frontier Foundation, a technology civil rights organization, expects NIST will re-open other guidance, calling it “a perfectly natural step.” NIST’s reputation is at stake, Schoen says. “It’s very damaging, both for NIST’s reputation – creating a risk that implementers will actively avoid NIST standards – and for the actual safety of end-users and organizations who rely on cryptography to protect themselves every day,” he says. “It also undermines the sense of collegiality and trust that prevail within standards-development organizations and the research community, communities that historically have been able to proceed as if contributors’ technical contributions were made in good faith.”
Federal law requires NIST to collaborate with the NSA in developing its IT security guidance, a practice NIST champions because some of the brightest cryptographic minds work for the Defense Department agency.
Dodson says NIST works with NSA and other federal agencies, such as the Department of Homeland Security, in a number of ways in developing its IT security standards. “These interactions include face-to-face meetings and/or discussions at NIST workshops or other events,” she says. “We give talks or attend conferences and workshops hosted by other organizations where NSA staff may also be in attendance. NIST cryptography experts also participate with NSA and other agencies on U.S. and international committees sponsored by non-profit standards development organizations.”
But some in the cryptography community say the NSA may have used these types of interactions to exploit NIST’s guidance for its own advantage.
Phil Zimmermann, the cryptographer who in 1991 created the data encryption program known as Pretty Good Privacy, or PGP, is among those experts who suspect the NSA used its sway to get NIST to create the SP 800-90 set of guidance. Zimmermann characterizes number theoretic problems as inferior to other approaches, and suggests those weaknesses could allow NSA to exploit them.
“The natural instincts of a good crypto-engineer is to use block ciphers and hash functions as a basis to generate random bit streams,” he says. “Nobody who has any common sense in crypto-design would use a number theoretic algorithm to do it. It’s just too damn slow, for one thing. And, to do it using a public-key algorithm where somebody who knows the private key for it, which isn’t part of the algorithm to predict its output, is just reckless and stupid and should never have been put into the NIST document. [For] everybody who looked at it, it didn’t pass the sniff test.”
Concerns over NSA’s influence over NIST’s cryptography standard aren’t new. An article written by Bruce Schneier, the highly regarded cryptographer and author, raised questions about it in 2007.
“It’s in the standard only because it’s been championed by the NSA,” Schneier wrote. “The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn’t large enough to make the algorithm unusable … but it’s cause for concern. Cryptographers are a conservative bunch: We don’t like to use algorithms that have even a whiff of a problem.”