Following the NSA scandal, trust in NIST is low

Jul 15, 2014 08:25 GMT  ·  By

It’s been over a year since the first NSA leaks made their way into the media, and quite a few months since it was revealed that the intelligence agency had built a backdoor into a random number generator of its own design, one that was being promoted by the US National Institute of Standards and Technology (NIST).

A new report from the Institute’s Visiting Committee on Advanced Technology (VCAT) makes it clear that NIST has become too reliant on the NSA’s cryptography expertise, and it specifically mentions NIST’s adoption and backing of Dual EC DRBG, the controversial algorithm built by the NSA in which it conveniently left a backdoor.

Random number generators (RNGs) are vital in cryptography because they supply the unpredictable values from which keys and other secrets are derived; that unpredictability is what thwarts an eavesdropper’s effort to decrypt intercepted data. The generator mentioned above was not only built by the NSA, but it also came with a flaw that can only be described as a backdoor. Basically, if the NSA holds the secret numbers, it can crack any encryption that has this RNG at its center.
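To make the “secret numbers” concrete, here is an added toy model of the Dual EC structure (example code written for this article, not NIST’s or the NSA’s parameters or code). It uses a textbook-sized curve over F_17 with a group of prime order 19, a base point Q, and a second point P chosen as P = e·Q with e deliberately known to the “attacker”; the real generator works on a 256-bit curve and also discards some output bits, which the toy omits. The point it demonstrates is the one the paragraph describes: a party who knows e can turn a single output into the generator’s next internal state and therefore every value it will ever produce, which is why the only sound defense is a generator with no such hidden relation between its constants.

```python
# Toy model of the Dual EC DRBG trapdoor. Everything below is constructed for
# illustration: the curve, points, secret e and seed are textbook-sized and
# are NOT the real NIST parameters.

# Curve y^2 = x^3 + 2x + 2 over F_17. The group has prime order 19 and
# G = (5, 1) generates it (a standard textbook curve, not a NIST curve).
P_MOD = 17
A, B = 2, 2
ORDER = 19
G = (5, 1)


def inv(v):
    return pow(v, -1, P_MOD)


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    k %= ORDER
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Find a curve point with the given x-coordinate (brute force over F_17)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    for y in range(P_MOD):
        if y * y % P_MOD == rhs:
            return (x, y)
    return None


def x_of(pt):
    if pt is None:
        raise ValueError("state hit the point at infinity (degenerate toy seed)")
    return pt[0]


Q = G
E_SECRET = 3              # the trapdoor: P = e*Q, with e known only to whoever chose P
P = mul(E_SECRET, Q)      # = 3*G = (10, 6)


def dual_ec_outputs(seed, n):
    """Toy Dual EC: state s <- x(s*P); output r = x(s*Q). (No bit truncation here.)"""
    s = seed
    outs = []
    for _ in range(n):
        s = x_of(mul(s, P))
        outs.append(x_of(mul(s, Q)))
    return outs


def predict_next_outputs(observed_r, e, n):
    """Holder of e: rebuild R = s*Q from one output r (either sign of y works,
    since x(e*R) == x(e*(-R))), then e*R = s*e*Q = s*P gives the NEXT state,
    and from there every later output follows."""
    R = lift_x(observed_r)
    s = x_of(mul(e, R))
    predicted = []
    for _ in range(n):
        predicted.append(x_of(mul(s, Q)))
        s = x_of(mul(s, P))
    return predicted


if __name__ == "__main__":
    outs = dual_ec_outputs(5, 5)                 # seed 5 is a constructed value
    print("generator outputs :", outs)           # [10, 0, 16, 9, 10]
    print("predicted from one:", predict_next_outputs(outs[0], E_SECRET, 4))
```

Run as a script, the generator is seeded with 5 and the attacker is handed only its first output; knowing e, the attacker reproduces the next four outputs exactly. The same logic scales to the real parameters: the point sizes change and an attacker has to try the discarded bits, but the algebra is identical, and nothing the user does with the seed helps.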

The report was prompted specifically by the allegations, based on Edward Snowden’s leaked documents, regarding the Dual EC DRBG number generator and other algorithms the NSA created for the purpose of mass surveillance.

The report tries to clarify the extent of the relationship NIST is allowed to have with the NSA.

“NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted. This may be accomplished by NIST itself or by engaging the cryptographic community during the development and review of any particular standard,” VCAT writes.

“The VCAT recommends that NIST senior management reviews the current requirement for interaction with the NSA and requests changes where it hinders its ability to independently develop the best cryptographic standards to serve not only the United States Government but the broader community,” it continues.

Furthermore, NIST needs to become more transparent, both to fend off future scandals and to interact better with the security community as a whole. VCAT notes in the report that one reason NIST is in this situation today is that it does not have enough experts to examine algorithms for weaknesses.

All in all, NIST should not only hire more people with cryptography knowledge but also cut ties with the NSA.