May 21st, 2014

The National Institute of Standards and Technology, a non-regulatory agency within the U.S. Department of Commerce that oversees encryption protocol such as FIPS validation, announced that it is beginning an independent review process to evaluate its standards and guidelines. This comes in the wake of concerns that one of its encryption algorithms may have been turned into a "backdoor" tool by the National Security Agency, Tripwire reported.

Panel to review encryption materials and development process 
After commencing an internal review process in November, the institute is now upholding its promise to seek public comment and submit to an independent evaluation. The organization's primary advisory committee, the Visiting Committee on Advanced Technology, will conduct the review, assessing the group's encryption standards and reliability.

The catalyst for these measures was the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), which is believed to have been weakened by the NSA for the purpose of surveillance activities, the news source noted. Although the NIST has since decided to "abandon" this particular encryption algorithm, the number generator was previously included in its "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (NIST Special Publication 800-90A, Rev. 1).

"NIST has played a very valuable role in the international cryptographic community, but NIST has also made a serious error of judgment, in particular when standardizing the Dual_EC_DRBG," said panel member and cryptographer Bart Preneel of Belgium's Katholieke Universiteit Leuven, according to GovInfoSecurity.

Keeping data secure
Beyond potential NSA utilization, the weakness of the algorithm in question could have enabled hackers to "resolve the secret cryptographic keys and defeat its protections," GCN reported. Currently, the institute recommends that organizations immediately switch to one of the three alternative algorithms instead of using Dual_EC_DRBG, if they haven't made changes already.

"Our mission is to protect the nation's IT infrastructure and information by promoting strong cryptography. We look forward to the VCAT's review to help ensure we have the most transparent and effective process for doing that," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher.

The panel plans to offer updates on the review process on June 11, at the next VCAT meeting. Encryption is a valuable component of secure file sharing solutions, helping to keep data safe from unauthorized viewers. This process aims to ensure encryption recommendation and resources are held to the highest standards.