GCN : December 2013
[Briefing]

NSA's tampering could put crypto standards in doubt

By William Jackson

In the wake of reports that the National Security Agency successfully inserted a backdoor into government specifications for generating cryptographic keys, the National Institute of Standards and Technology has begun a formal review of its processes for developing crypto standards.

NIST did not mention the NSA's backdoor programs in announcing its review, referring only to concerns in the cryptographic community raised by "recent news reports about leaked classified documents." But reports from documents released by former NSA contractor Edward Snowden indicate that a random number generator included in NIST recommendations for creating crypto keys is vulnerable to attacks that can reveal keys being generated.

Matthew Scholl, deputy director of NIST's Computer Security Division, said the reports were the catalyst for the review.

NIST, which develops standards for the federal government that often are adopted by other governments and by industry, in September reopened public review of a suite of publications that contain the suspect specification. The newly announced review focuses on the development process rather than the soundness of any standards.

"Our mission is to protect the nation's IT infrastructure and information through strong cryptography," NIST said in a statement announcing the review. "We cannot carry out that mission without the trust and assistance of the world's cryptographic experts."

Unfortunately, that trust has been eroded by revelations that the NSA --- NIST's partner in crypto development --- has attempted to subvert the process by inserting vulnerabilities into systems and by reports that it might have succeeded.

Random number and bit generation are important in cryptography because they are used to provide seeds for crypto keys, which must be unpredictable to effectively protect data being encrypted.

NIST, in the 800 series of special publications, specifies methods for random number generation that can be used with government encryption systems. These documents are:

• SP 800-90A, Recommendations for Random Number Generation Using Deterministic Random Bit Generators.
• SP 800-90B, Recommendation for the Entropy Sources Used in Random Bit Generation.
• SP 800-90C, Recommendations for Random Bit Generator Constructions.

The random number generator in question is Dual EC_DRBG, the Dual Elliptic Curve Deterministic Random Bit Generator.

Distrust in the NSA's participation in crypto standards-making has deep roots, dating back to at least 1976 when many believed that it had inserted a backdoor into the Data Encryption Standard, the approved algorithm for government encryption. More recently, information about a wide-ranging set of programs to weaken technical standards and subvert commercial operations to facilitate data collection has raised serious concerns about not only random number generation but other possible backdoors as well.

"NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process," the agency said in its statement. "Trust is critical to the adoption of strong cryptographic algorithms. To ensure that our guidance has been developed according to the highest standard of inclusiveness, transparency and security, NIST has initiated a formal review of our standards development efforts."

Although NIST not infrequently reopens public review of specific standards or other products when problems are found or suspected, Scholl could not say if there was a precedent for this type of broad review of processes. But he said, "It is not out of line for NIST to do this."

The agency is cataloging the processes' goals and objectives, principles of operation, processes for identifying algorithms for standardization, methods of review and resolving public comment and other procedures. It will bring in an outside organization to evaluate the process and invite public comment. It also will review the existing body of cryptographic work to ensure that its development meets these standards.

"If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible," NIST said.