In November 2013, NIST announced that it would be conducting an internal review of all of its cryptographic standards and peer-review development process in the wake of revelations that the NSA has been able to weaken its encryption algorithms to carry out surveillance.
Documents leaked by Edward Snowden in September showed that the NSA spends $250 million a year on a project called “SIGINT Enabling” to secretly undermine encryption. A main goal of that effort is to “use the agency’s influence” within the peer-review process to weaken the encryption standards that NIST and other standards bodies around the world publish.
“Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines,” wrote Donna Dodson, chief of the Computer Security Division at NIST, at the time. “NIST is also deeply concerned by these reports, some of which have questioned the integrity of the NIST standards development process.”
Shortly thereafter, NIST recommended that its elliptic curve specification no longer be used in light of how involved the NSA was in developing it. "Eventually, NSA became the sole editor,” as Infosecurity previously reported. Vendors followed suit, with RSA “strongly recommending” that its developers discontinue use of the NIST-developed cryptography. In addition, Silent Circle shut down its secure mail service, which used NIST encryption standards.
After a two-month public comment period, NIST’s primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has now begun its review. Also, the committee has formed a panel of experts to support that review.
“Our mission is to protect the nation’s IT infrastructure and information by promoting strong cryptography. We look forward to the VCAT’s review to help ensure we have the most transparent and effective process for doing that,” said under-secretary of commerce for standards and technology and NIST director, Patrick D. Gallagher.
Called the Committee of Visitors, the external panel members are heavy hitters: Vint Cerf of Google; Edward Felten of Princeton University; Steve Lipner of Microsoft; Bart Preneel of Katholieke Universiteit Leuven; Ellen Richey of Visa Inc.; Ron Rivest of the Massachusetts Institute of Technology (MIT); and Fran Schrotter of the American National Standards Institute (ANSI).
Panel members will provide individual assessments to the VCAT Subcommittee on Cybersecurity, which will report its findings and any recommendations to the full VCAT. The subcommittee will provide an update on its progress on June 11, 2014, at the next VCAT meeting.