Just three days ago, following suggestions emanating from Edward Snowden leaks that the NSA engaged in subverting cryptographic security standards, the US National Institute of Standards and Technology (NIST) issued a statement. "We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place.
"NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large."
But it added, "The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA."
This was widely interpreted as a blank denial that the NSA had interfered with NIST standards. But NIST has possibly changed its stance by announcing that "NIST strongly recommends that [SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation] no longer be used."
This is a crypto algorithm believed to be described, but not specified, in the Snowden-based Guardian report published last week: "NSA makes modifications to commercial encryption software and devices 'to make them exploitable', and that NSA 'obtains cryptographic details of commercial cryptographic information security systems through industry relationships.'"
Quite separately, John Gilmore has stated that from his own experience NSA agents have been involved in the IPv6 standards process, and have effectively prevented end-to-end encryption on mobile devices.
The existence of a backdoor in the elliptic curve algorithm has long been known. Microsoft cryptologists Dan Shumow and Niels Ferguson described a possible backdoor in 2007. At the time, Bruce Schneier wrote in Wired, "the algorithm contains a weakness that can only be described a backdoor;" adding, "both NIST and the NSA have some explaining to do."
But it seems that it has taken six years and the Snowden leaks for these concerns to be taken seriously. In reality, NIST has not admitted to a backdoor in the algorithm, and its warning against use of the algorithm makes no mention of the NSA. It has merely said that "recent community commentary has called into question the trustworthiness of these default elliptic curve points," and that because of this "NIST Special Publication 800-90A is being re-issued as a draft for public comment," and "NIST is reopening the drafts of SP 800-90B."
It will be interesting to see whether this process discovers absolute proof of an existing backdoor, manages to remove it, or indicates who was responsible for its inclusion. NIST's credibility is on the line. At the very least, it will need to demonstrate that if it did happen, new procedures will ensure that it can never happen again.