|
 Such mathematical formulas, or curves, are an arcane but essential
part of most technology that prevents interception and hacking, and
the National Institute of Standards and Technology (NIST) has been
legally required to consult with the NSA’s defensive experts in
approving them and other cryptography standards.
But NIST’s relationship with the spy agency came under fire in
September after reports based on documents from former NSA
contractor Edward Snowden pointed to one formula in particular as a
Trojan horse for the NSA.
NIST discontinued that formula, called Dual Elliptic Curve, and
asked its external advisory board and a special panel of experts to
make recommendations that were published on Monday alongside more
stinging conclusions by the individual experts.
Noting the partially obscured hand of the NSA in creating Dual
Elliptic Curve - which Reuters reported was most broadly distributed
by security firm RSA - the group delved into the details of how it
and other NIST standards emerged. It found incomplete documentation
and poor explanations in some cases; in others material was withheld
pending legal review.
As a whole, the panels recommended that NIST review its obligation
to confer with the NSA and seek legal changes “where it hinders its
ability to independently develop the best cryptographic standards to
serve not only the United States government but the broader
community.”
They also urged NIST to weigh the advice of individual task force
members who made more dramatic suggestions, such as calling for the
replacement of a larger set of curves approved for authenticating
users, in part because they were selected through unclear means by
the NSA.
“It is possible that the specified curves contain a back door
somehow,” said Massachusetts Institute of Technology professor Ron
Rivest, a co-founder of RSA and the source of the letter R in its
name. Though the curves could be fine, he wrote, “it seems prudent
to assume the worst and transition away.”
More broadly, Rivest wrote, “NIST should ask the NSA for full
disclosure regarding all existing standards... If NSA refuses to
answer such an inquiry, then any standard developed with significant
NSA input should be assumed to be `tainted,’” absent proof of
security acceptable to outsiders.
In an email exchange, Rivest told Reuters that “NIST needs to have a
process whereby evidence is publicly presented” about how the curves
were chosen.
The curves faulted on Monday had been questioned by outsiders after
media reports in September said the NSA could break much widely used
security software, without detailing which ones or how. “These
curves are ubiquitous in commercial cryptography,” Johns Hopkins
University professor Matthew Green said in an interview. “If you
connected to Google or Facebook today, you probably used one.”
[to top of second column] |
Rivest’s long association with RSA, now part of electronic storage
maker EMC Corp, made his remarks more poignant. But prominent task
force colleagues including Internet co-creator Vint Cerf and Ed
Felten, former chief technologist at Federal Trade Commission, also
gave strongly worded verdicts on the Department of Commerce unit.
“It cannot be accepted that NIST’s responsibilities should be
co-opted by the NSA’s intelligence mission,” wrote Cerf, who now
works at Google Inc.
While Rivest called the internal history of Dual Elliptic Curve a
“smoking gun” with an “almost certain” NSA back door, Felten wrote
that NSA might not remain alone in its ability to use it and other
possible NIST-approved holes for spying.
In each of three cases, including Dual Elliptic Curve and the more
common curves faulted by Rivest, Felten said the suspected back door
access “reduces the security of users against attack by other
adversaries, including organized crime groups or foreign
intelligence services.”
The NSA might have been able to generate curves that pass cursory
security tests but are still breakable through the aid of sheer
computing power, because it can try millions of curves and get a few
that fit its goals. But a researcher working for another country
could discover the flaw, Felten said.
In the case of the curves approved under the FIPS 186 standard for
authenticating digital signatures, NIST should start over and pick
its own curves publicly rather than relying on the NSA, Felten and
others said.
Several experts said NIST had to hire more cryptographers and
strengthen its internal processes to avoid relying on NSA.
NIST acting Director Willie May agreed in a statement, saying his
agency “must strengthen its in-house cryptography capabilities to
ensure we can reach independent conclusions about the merits of
specific algorithms or standards."
NIST did not respond to a Reuters email asking about the fate of the
suspect curves.
(Reporting by Joseph Menn; Editing by Ken Wills)
[© 2014 Thomson Reuters. All rights
reserved.] Copyright
2014 Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.
 |
