Our Comments On NIST’s Cryptographic Standards Review Process
The US National Institute of Standards and Technology (NIST) has taken a first, important step in making sure no flaws or trapdoors end up in their cryptographic standards: they put out for public comment a document that describes the high-level principles for standardizing cryptography at NIST. In this post, I will discuss recent events that lead NIST to take this step and the comments CDT submitted last Friday in response.
NIST is not a household name by any means. As the official US agency for producing technical standards, research and precision measurement, NIST often works outside of the spotlight, but as an essential component to the infrastructure that runs the world around us, both online and offline. A critical area of NIST’s work is in standardizing cryptography – crypto being the complex math behind the lock icon in your web browser when you make a purchase or engage in private activity online. Cryptography keeps information secret (confidential) and works to ensure that people are who they say they are online (authentication). The recent Heartbleed fiasco showed just how much our online environment relies on crypto; a simple one-line bug in a critical piece of software exposed passwords, social security numbers, and the keys used by services online to keep information secret.
Last Fall, NIST’s cryptographic standards work was thrust into the spotlight when three news outlets each reported that the US National Security Agency (NSA) had ongoing programs to undermine cryptographic standards for surveillance. The NSA appears to even have planted a backdoor in one particular cryptographic standard that NIST standardized. The scrutiny resulting from these revelations prompted many to ask how many of NIST’s cryptographic standards might also be subverted.
While there were cries from some to scratch NIST’s decades of experience and expertise and find a new venue in which to agree on cryptographic standards, NIST read the writing on the wall and decided to clean house, so to speak. NIST began a public, independent review of all the cryptographic standards they have published over the years to look for any other evidence of problems. The first task in this effort was to publish a high-level document that describes the guiding principles that underlie their cryptographic standards work. CDT submitted comments this past Friday.
In our comments we laud NIST for articulating the principled foundation for its cryptographic standardization work, but we point out there is room for improvement. We discussed two particular principles that we felt are missing: due process and avoiding undue influence. Due process essentially means everyone is treated fairly throughout the process and no stakeholder is disadvantaged or given special treatment. We saw evidence of a lack of due process last year when it was clear that NIST had made some changes to the parameters in a cryptographic standard that appeared to reduce the security of that particular standard; that is, exactly the kinds of inappropriate security downgrades we’ve seen the NSA in the past argue are necessary for national security. I used to work in elections and we would say a fair election is one in which the loser is convinced they lost. You can think of this principle in a similar manner: when the process chooses one technical solution (e.g., a cryptographic algorithm) over another, there will undoubtedly be people who had good ideas that were not chosen and those people may have strong interests in the resulting standard.
The other principle we stressed was that of avoiding undue influence. If the allegations that the NSA has worked to subvert NIST’s cryptographic standards process are true – and there is no real smoking gun – that means that the process is not designed to aggressively minimize subversion and improper influences that could result in a weak or compromised standard. Given how widespread NIST cryptographic standards are used in practice, eliminating improper influence is very important. For example, NIST should be able to say that it will under no circumstances weaken a cryptographic standard for national security or law enforcement purposes or entities. Just as we don’t build doors on our homes to be weak enough for the government to break down, we shouldn’t build cryptographic algorithms that are fundamentally weak so that they are easier to break into.
At CDT we want to see strong cryptography continue to flourish. Crypto helps keep people safe online and their information secret, and it’s important that there is an unbiased and sound venue to agree on highly secure, efficient, and interoperable cryptographic standards. We are hopeful that NIST’s current effort to shore up its standards process and examine standards from the past for flaws results in a venue for standardizing cryptography that few will complain about… except for, perhaps, the NSA and its global surveillance partners.