Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Review of NIST Crypto Standards and Development Process Kicks Off

The National Institute of Standards and Technology (NIST) announced May 14 that its primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has started a review of the institute’s cryptographic standards and guidelines program.

The National Institute of Standards and Technology (NIST) announced May 14 that its primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has started a review of the institute’s cryptographic standards and guidelines program.

The review was born out of several months of controversy caused by reports of efforts by the NSA to subvert crypto standards and technology in an operation known as ‘Bullrun.’ The revelations became public as a result of the fallout surrounding the leaks by Edward Snowden.

To support its review of the institute’s guidelines, the committee has formed a panel of experts to assess NIST’s existing cryptographic standards and guidelines and the process through which they have been developed. The panel members are: Vint Cerf of Google; Edward Felten of Princeton University; Steve Lipner of Microsoft Corporation; Bart Preneel of Katholieke Universiteit Leuven; Ellen Richey of Visa; Ron Rivest of the Massachusetts Institute of Technology (MIT); and Fran Schrotter of the American National Standards Institute (ANSI).

“Our mission is to protect the nation’s IT infrastructure and information by promoting strong cryptography,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher in a statement. “We look forward to the VCAT’s review to help ensure we have the most transparent and effective process for doing that.”

In November, NIST began an internal review of its development process and announced it would seek public input and an independent review due to concerns in the security community about the integrity of the institute’s activities. In February, NIST released a draft document called ‘NIST IR 7977: NIST Cryptographic Standards and Guidelines Development Process’ for a two-month public comment period.

The panel will review NIST’s current processes as described in NIST IR 7977 as well as the public comments and NIST cryptographic standards and guidelines. The committee may also seek input from other experts.

Panel members will provide individual assessments to the VCAT Subcommittee on Cybersecurity, which will report its findings and any recommendations to the full VCAT. The subcommittee will provide an update on its progress on June 11, 2014, at the next VCAT meeting. Upon reviewing the expert assessments and the proposed recommendations of the subcommittee, the VCAT will issue its recommendations to NIST.

“Most of the crypto we trust was shepherded into standards by the US government,” said Dan Kaminsky, chief scientist of White Ops. “The feds employ and fund a huge amount of cryptographic talent, and use these standards in agencies all across the country. So the assumption was that the standards themselves would only receive attention that would improve their quality, not degrade. Recent disclosures destroyed that assumption.”

“I’m genuinely impressed with who NIST has brought in as an outside committee,” he added. “I know many of these engineers – this is a distinguished group, to say the least – and they’re the right people to begin this journey. But bureaucracy is complicated and the question is always going to be how much influence will they be given. Still, this is a critical first step.”

The reports from the panel members, subcommittee and VCAT will be available at www.nist.gov/director/vcat/.

*This story was updated with additional commentary.

Written By

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...