Security Experts:

Review of NIST Crypto Standards and Development Process Kicks Off

The National Institute of Standards and Technology (NIST) announced May 14 that its primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has started a review of the institute's cryptographic standards and guidelines program.

The review was born out of several months of controversy caused by reports of efforts by the NSA to subvert crypto standards and technology in an operation known as 'Bullrun.' The revelations became public as a result of the fallout surrounding the leaks by Edward Snowden.

To support its review of the institute's guidelines, the committee has formed a panel of experts to assess NIST's existing cryptographic standards and guidelines and the process through which they have been developed. The panel members are: Vint Cerf of Google; Edward Felten of Princeton University; Steve Lipner of Microsoft Corporation; Bart Preneel of Katholieke Universiteit Leuven; Ellen Richey of Visa; Ron Rivest of the Massachusetts Institute of Technology (MIT); and Fran Schrotter of the American National Standards Institute (ANSI).

"Our mission is to protect the nation’s IT infrastructure and information by promoting strong cryptography," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher in a statement. "We look forward to the VCAT’s review to help ensure we have the most transparent and effective process for doing that."

In November, NIST began an internal review of its development process and announced it would seek public input and an independent review due to concerns in the security community about the integrity of the institute's activities. In February, NIST released a draft document called 'NIST IR 7977: NIST Cryptographic Standards and Guidelines Development Process' for a two-month public comment period.

The panel will review NIST’s current processes as described in NIST IR 7977 as well as the public comments and NIST cryptographic standards and guidelines. The committee may also seek input from other experts.

Panel members will provide individual assessments to the VCAT Subcommittee on Cybersecurity, which will report its findings and any recommendations to the full VCAT. The subcommittee will provide an update on its progress on June 11, 2014, at the next VCAT meeting. Upon reviewing the expert assessments and the proposed recommendations of the subcommittee, the VCAT will issue its recommendations to NIST.

"Most of the crypto we trust was shepherded into standards by the US government," said Dan Kaminsky, chief scientist of White Ops. "The feds employ and fund a huge amount of cryptographic talent, and use these standards in agencies all across the country. So the assumption was that the standards themselves would only receive attention that would improve their quality, not degrade. Recent disclosures destroyed that assumption."

"I'm genuinely impressed with who NIST has brought in as an outside committee," he added. "I know many of these engineers - this is a distinguished group, to say the least - and they're the right people to begin this journey. But bureaucracy is complicated and the question is always going to be how much influence will they be given. Still, this is a critical first step."

The reports from the panel members, subcommittee and VCAT will be available at www.nist.gov/director/vcat/.

*This story was updated with additional commentary.

view counter