The National Institute of Standards and Technology continues to collaborate with the National Security Agency on its IT security guidance even as NIST investigates whether the spy agency meddled with one of its special publications.
NIST announced late last week that it had launched a formal review of how it develops cryptographic standards because of concerns that the NSA might have corrupted a series of its cryptographic reports, SP 800-90A, B and C (see NIST to Review Crypto Guidance Methods).
Asked whether the trust NIST computer scientists have with the NSA staff has diminished, Matt Scholl, deputy chief of NIST's Computer Security Division, answers: "It's around the same."
"We're being a little more cautious, but we certainly have not stopped any of our engagements," he says in an interview with Information Security Media Group. "We certainly have not stopped asking them some of the hard questions that we looked at them to help us with, as well with everybody else. In the areas where we are working to produce standards guidelines, best practices, we're still collaborating."
Scholl, citing NIST Director Patrick Gallagher, says one reason NIST collaborates with the NSA on cryptography standards is that the NSA employs some of the smartest mathematicians in the world. "Collaborating and working with them in this space is both appropriate and beneficial to us," Scholl says.
Collaboration is Required
NIST, by law and policies, is required to collaborate with the NSA, other federal agencies, industry and academia in developing its array of IT security best practices.
In 2006, NIST issued Special Publication 800-90 (now SP 800-90A), Deterministic Random Bit Generators, guidance that specifies mechanisms for generating random bits using deterministic methods, that is, algorithms that, given a particular input, will always produce the same output.
A year later, cryptographer Bruce Schneier, writing in Wired, suggested the random-number standards might contain a backdoor to allow the NSA to spy on organizations employing the random bit generators.
Scholl says he believes NIST looked into Schneier's allegations at the time. "I'm not sure what the exact deliberations were, which is why I think a process review is important to assure that all these comments are considered and looked at," he says.
NIST decided to conduct the review after The New York Times and ProPublica published an article in September that reported the NSA had cracked or circumvented much of the encryption that shields global commerce and banking systems, trade secrets, medical records and Internet communications (see Report: NSA Circumvented Encryption).
Applying Lessons Learned
Though the review is focused on how NIST develops its cryptographic standards, the lessons learned from the examination could be applied to the way NIST develops other IT security standards, Scholl says. "The information that we gather definitely will be informative and impactful to the NIST 800 series [which addresses IT security and information risk management] and the cybersecurity standards that we produce in general," he says.
NIST doesn't have a timetable for when the review will be completed. Scholl says NIST is more concerned about achieving milestones than adhering to a schedule. The milestones include understanding goals and objectives, principles of operation, processes for identifying algorithms for standardization and methods for reviewing and resolving public comment.
Meanwhile, the deadline for public comments on the reopened random bit generator guidance is Nov. 6. Scholl wouldn't commit to a time when NIST would decide whether it would issue revised guidance on the random bit generator. "That will really be dependent on the comments that we receive and whether they're cogent and consistent," he says. "A lot of it is really going to be driven on the type of feedback we receive as far as what the turnaround time is going to be."
Assuring trust with the cryptographic community is a major reason behind NIST's review. NIST seeks to be transparent, "open for everyone to see," as Scholl puts it, about the processes it employs to create guidance. "More than anything else, this is about ensuring the trust and confidence in people so that they use crypto," he says. "NIST's work in the end is NIST's work. We stand by and believe in the technical merits of what we put out."