[ISN] Overreliance on the NSA led to weak crypto standard, NIST advisers find

http://www.computerworld.com/s/article/9249738/Overreliance_on_the_NSA_led_to_weak_crypto_standard_NIST_advisers_find By Lucian Constantin IDG News Service July 15, 2014 The National Institute of Standards and Technology needs to hire more cryptographers and improve its collaboration with the industry and academia, reducing its reliance on the U.S. National Security Agency for decisions around cryptographic standards. Lack of internal expertise in certain areas of cryptography and too much trust in the NSA led the NIST to ignore security concerns about a pseudorandom number generator called Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) in 2006, technical experts who reviewed the organization’s standards development process said in a report released Monday. Media reports last year based on secret documents leaked by former NSA contractor Edward Snowden claimed that the NSA used its influence over NIST to insert a backdoor into Dual_EC_DRBG and possibly weaken other cryptographic standards. The revelations called into question the integrity of NIST’s standard-making processes and damaged the organization’s reputation in the cryptographic community. The new report by NIST’s Visiting Committee on Advanced Technology (VCAT) is based on assessments by a panel of outside technical experts including Internet pioneer Vint Cerf, who is vice president and chief evangelist at Google; cryptographer and MIT professor Ron Rivest, who co-authored the widely used RSA encryption algorithm; Edward Felten, professor and director of the Center for Information Technology Policy at Princeton University; Ellen Richey, executive vice president and chief enterprise risk officer at Visa; Steve Lipner, partner director of software security at Microsoft; Belgian cryptographer and cryptanalyst Bart Preneel, who works as a professor at the University of Leuven; and Fran Schrotter, senior vice president and chief operating officer of the American National Standards Institute. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail