Following revelations that the National Security Agency (NSA) deliberately weakened cryptographic standards put out by the U.S. National Institute of Standards and Technology (NIST), NIST recently proposed a series of principles to guide cryptography standards-setting going forward. Access, together with a coalition of eleven other digital rights, technology, privacy, and open government groups, submitted a letter today calling on NIST to strengthen cryptography principles, noting in particular that the principles must be “modified and amended to provide greater transparency and access.”
NIST is responsible for setting many of the standards that form the basis for encryption on the internet. NIST is required by U.S. law to consult with the NSA in the development of these standards. This is in part due to the NSA’s second – albeit lesser known – mission, to help defend information systems (“Information Assurance” in NSA parlance). Unfortunately, the NSA’s efforts to keep the internet secure often takes a back seat to the NSA’s now-infamous role in mass surveillance and foreign intelligence gathering.
In September 2013, the Guardian, the New York Times, and ProPublica reported that the NSA used its position to weaken encryption standards, thereby putting internet users around the world at risk. NIST responded to these revelations by re-opening some of its standards for public comment, but has refused to say to what extent or in which ways the NSA has exerted its authority to alter other standards. NIST serves an important and unique role in the technology community, which depends on their cryptography standards. In our letter, Access points out that if NIST is to continue to play this role guiding cryptography standards, “… it needs to take drastic and affirmative actions to re-commit itself to its core mission and to remove any traces of impropriety.”
NIST recently published a new document which sets out principles to guide its cryptography standards-setting processes. The document relies on six core principles: transparency, openness, technical merit, balance, integrity, and continuous improvement. In the letter, we commented on the draft document, stressing that future implementation of each of these principles must be stronger than what NIST has currently set. For example, we make clear that under the Transparency principle, NIST must publicly explain the extent and nature of the NSA’s consultation on future standards and any modifications made at the NSA’s request. Furthermore, we say that the Technical Merit principle should include a requirement that NIST publish a security proof for all standards at the time they are released for public comment.
Finally, Access and our partners called on NIST to add a seventh principle: usability. The Usability principle would ensure that standards that are mathematically sound do not become unsafe due to user difficulties. Proper implementation of cryptography standards is vital to ensuring total protection.
It is unclear when NIST will publish the final draft of the document, or to what extent the agency will integrate the comments that it receives. Access and our partners will continue to push for open and accountable standards-setting processes.