NIST Says It Never Worked With The NSA To Weaken Encryption Standards

    September 10, 2013

Last week, it was revealed that the NSA works tirelessly to break through all forms of encryption. One of the more worrisome revelations from the leak was that the agency worked with the National Institute of Standards and Technology to introduce intentionally weak encryption standards. Now NIST is saying that never happened.

In a statement today, NIST denies ever helping the NSA to weaken encryption standards. The organization adds that it would never “deliberately weaken a cryptographic standard.” Here’s the relevant part of the statement:

NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.

There has been some confusion about the standards development process and the role of different organizations in it. NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards.

While NIST denies ever helping the NSA to weaken standards, it does admit that it works with the agency on encryption standards. In fact, the group is “required by statute to consult” with the agency during its “cryptography development process because of [the NSA’s] recognized expertise.”

In other words, NIST has to work with the NSA on encryption standards, but it doesn’t actively weaken said standards at the agency’s bequest. Conspiracy theorists might say that the NSA inserted the vulnerabilities in NIST’s standards without the group noticing. It’s not exactly that far out of a theory considering everything else we’ve learned about the agency thus far.

To help remove some of the skepticism it’s facing, NIST has also announced that it’s reopened the public comment period for its latest standards publication. This will give the public another chance to look through the latest encryption standards to see if they find anything out of the ordinary.

[Image: Wikimedia Commons] [h/t: The Hill]