Sunday, December 1, 2013

Can We Trust NIST?



In 1976 the United States government saw the need for a national encryption standard to ensure all future safety of data in transit across networks. This Federal Processing standard was issued to the NBS (National Bureau of Standards) now named NIST (National Institute of Standards and Technology) where they solicited proposals for a cipher that would meet rigorous design criteria for use in government classified information and commercial entities. The only candidate that was deemed acceptable was IBM’s Lucifer cipher that would be applied as the Data Encryption Standard (DES).  In the announcement  of this standard, many criticized and cited a shortened key length and the mysterious number of "S-boxes" used in the algorithm. Many suspected these modifications as evidence of improper interference from the National Security Agency (NSA) and that the algorithm had been covertly weakened by the intelligence agency so that they but no-one else could easily read encrypted messages. The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote “In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness”. By the early 1990s, the DES algorithm was considered broken and insecure due to its key length and number of S-boxes. By 1999 with the use of average home computer, it was estimated that DES could be broken within 22 hours. Ultimately, it was suspected that NSA had this capability in the 1970s. 

Presently, NIST has issued a new cryptographic algorithm called Secure Hash Algorithm-3, or SHA-3. A hash function is similar to an encryption algorithm however, the plaintext data is encrypted but cannot be decrypted back to the original plaintext. Just like in the DES algorithm many cryptographers are questioning NSA involvement with NIST in this new cryptographic algorithm. Based on the Edward Snowden revelations it was indicated that NSA had planted a vulnerability in the SHA3 algorithm. According to Bruce Schneier, one of the fathers of modern cryptography, “the security community has relied on NIST to develop agreed-upon standards because they were a really good, honest broker, and they were perceived to be fair and unbiased. But recent events have dealt a blow to that perception” It appears the only way for NIST to gain back its creditability is through total transparency and review panels. The Federal Government issued a statement “NIST use[s] a transparent, public process to rigorously vet our recommended standards. If vulnerabilities are found, we work with the cryptographic community to address them as quickly as possible.” 

Moving forward NIST is transparent and openness is crucial but on the other hand it must still maintain a relationship with NSA for the protection of National Security.

No comments:

Post a Comment