Government Announces Steps to Restore Confidence on Encryption Standards
The National Institute of Standards and Technology, the federal agency charged with recommending cybersecurity standards, said that it would reopen the public vetting process for an encryption standard, after reports that the National Security Agency had written the standard and could break it.
Internal memos leaked by a former National Security Agency contractor, Edward Snowden, suggest that the NSA generated one of the random number generators used in a 2006 NIST standard — called the Dual EC DRBG standard — which contains a back door for the NSA. In publishing the standard, NIST acknowledged “contributions” from the NSA, but not primary authorship. Internal NSA memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”
Cryptographers have long had mixed feelings about NIST’s close relationship with the NSA, but many said last week’s revelations had confirmed their worst fears and eroded their confidence in NIST standards entirely.