As part of its efforts to foil Web encryption, the National Security Agency inserted a backdoor into a 2006 security standard adopted by the National Institute of Science and Technology, the federal agency charged with recommending cybersecurity standards.
By NICOLE PERLROTH
SAN FRANCISCO — The federal agency charged with recommending cybersecurity standards said Tuesday that it would reopen the public vetting process for an encryption standard, after reports that the National Security Agency had written the standard and could break it.
“We want to assure the I.T. cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” The National Institute of Standards and Technology said in a public statement. “N.I.S.T. would not deliberately weaken a cryptographic standard.”
The announcement followed reports published by The New York Times, The Guardian and ProPublica last Thursday about the N.S.A.’s success in foiling much of the encryption that protects vast amounts of information on the Web. The Times reported that as part of its efforts, the N.S.A. had inserted a back door into a 2006 standard adopted by N.I.S.T. and later by the International Organization for Standardization, which counts 163 countries as members.
For encryption to be secure, the system must generate secret prime numbers randomly. That random number generation process — which is based on mathematical algorithms — makes it practically impossible for an attacker, or intelligence agency, to predict the scrambling protocols that would allow it to unscramble an encrypted message.
But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.
Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”
At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”
Cryptographers have long had mixed feelings about N.I.S.T.’s close relationship with the N.S.A., but many said last week’s revelations had confirmed their worst fears and eroded their confidence in N.I.S.T. standards entirely.
“We’ll have to re-evaluate that relationship,” Matthew D. Green, a cryptography researcher at Johns Hopkins University, wrote in a blog post Thursday. “Trust has been violated.”
(Mr. Green said on Twitter Monday that Johns Hopkins asked him to remove that blog post. He was allowed to reinstate it hours later after the university realized the content was based on public news reports. The university later apologized.)
On Tuesday, N.I.S.T. attributed the allegations to confusion and noted that it was required, by statute, to consult with the N.S.A.
“There has been some confusion about the standards development process and the role of different organizations in it,” the agency’s statement read. “N.I.S.T. has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (N.S.A.) participates in the N.I.S.T. cryptography process because of its recognized expertise. N.I.S.T. is also required by statute to consult with the N.S.A.”
The agency said that because of cryptographers’ concerns, it would reopen the public comment period for three publications — Special Publication 800-90A and drafts of Special Publications 800-90B and 800-90C — which all use the random number generator in question.
“If vulnerabilities are found in these or any other N.I.S.T. standard, we will work with the cryptographic community to address them as quickly as possible,” the agency’s statement said.
“I know from firsthand communications that a number of people at N.I.S.T. feel betrayed by their colleagues at the N.S.A.,” Mr. Green said in an interview Tuesday. “Reopening the standard is the first step in fixing that betrayal and restoring confidence in N.I.S.T.”