The U.S. National Institute of Standards and Technology (NIST) has released the second draft of its “Cryptographic Standards and Development Process,” a document intended to provide principles and guidance on the creation of cryptographic standards. Crypto standards developed by NIST serve as the basis for secure communications and interactions across the internet.
Access applauds NIST for the new draft — which expands upon and strengthens the language behind important principles first set out in the previous draft — and for actively and transparently engaging with the public on these important issues. We also encourage NIST to include specific language directed at the National Security Agency (NSA) before the text is finalized.
The new draft is the response to news reports that raised serious questions about the relationship between the NSA and NIST. Leaked documents demonstrated that NSA officials had taken advantage of NIST’s statutory requirement to consult with the NSA to undermine security standards and maintain surveillance capabilities. The NSA’s most well known function is to engage in Signals Intelligence (SIGINT), essentially electronic surveillance. However, the NSA is also tasked with Information Assurance, securing communication systems against these types of attacks. By weakening encryption standards in order to further its SIGINT mission, the NSA has abdicated its Information Assurance duties to provide technical expertise to NIST. We have previously described this history in greater detail, which can read on the Access blog.
In February of 2014, NIST published its initial draft of these guidelines, which was followed by a period of public comment. The initial draft outlined six principles that it would use to guide its standard-setting mission: Transparency, Openness, Technical Merit, Balance, Integrity, and Continuous Improvement. Access and a coalition of private sector companies and civil society organizations submitted detailed comments on the draft, asking for greater clarification on each principle as well as for the addition of a seventh principle, usability. In November a separate coalition sent a letter that reiterated the initial comments and set out four additional recommendations, including clear commitments by NIST to maintain independence from surveillance activities and to seek additional independent, full-time technical expertise.
This new draft incorporates several of these recommendations. NIST not only added to the document a Usability principle (as well as a principle related to intellectual property), but it also committed to provide mathematical proofs for encryption standards as often as possible and said it would guard against undue or improper influence. Additionally, among other things, the updated draft clarifies the text in other principles, provides greater detail on NIST policies and procedures, and commits the agency to strengthening cryptographic capabilities.
However, not all changes were positive. Under the Balance principle, NIST expressly reserves the right to weigh “implications related to law enforcement and national security.” NIST also includes security concerns when evaluating the Technical Merits of a proposed standard. We strongly urge NIST to remove these considerations from the standards development process. Weakening encryption algorithms for the benefit of law enforcement and national security is contrary to NIST’s role in establishing and endorsing strong, robust, and secure standards.
Comments on the new draft are due before March 27, 2015 and may be submitted by email to [email protected]. Separately, NIST has also announced an intent to withdraw six Federal Information Processing Standards, and is accepting comments on those proposals until March 2, 2015.