Gov’t standards agency “strongly” discourages use of NSA-influenced algorithm
Source: Ars Technica
Following revelations about the National Security Agency's (NSA) covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced earlier this week it is revisiting some of its encryption standards. But in a little-noticed footnote, NIST went a step further, saying it is "strongly" recommending against even using one of the standards.
The institute sets standards for everything from the time to weights to computer security that are used by the government and widely adopted by industry.
As ProPublica, The New York Times, and The Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world. In its statement Tuesday, the NIST acknowledged that the NSA participates in creating cryptography standards "because of its recognized expertise" and because the NIST is required by law to consult with the spy agency. "We are not deliberately, knowingly, working to undermine or weaken encryption," NIST chief Patrick Gallagher said at a public conference Tuesday.
Various versions of Microsoft Windows, including those used in tablets and smartphones, contain implementations of the standard, though the NSA-influenced portion isn't enabled by default. Developers creating applications for the platform must choose to enable it.
Read more: http://arstechnica.com/security/2013/09/government-standards-agency-strongly-suggests-dropping-its-own-encryption-standard/
The algorithm in question uses Elliptic Curve cryptography to generate pseudo-random numbers that are supposed to be suitable for cryptographic purposes.
As it turns out, the NSA may have insisted on using an elliptic curve constant that may be of a class of constants that are cryptographically weak, meaning the NSA knows how to crack them easily.
When another federal agency is saying "Don't use this algorithm," it's time to listen!
Ghost Dog
(16,881 posts)
eg: http://gigaom.com/2013/09/09/pgp-inventor-phil-zimmermann-open-source-legislative-judicial-actions-needed-to-pushback-surveillance-state/
(Should not normally be necessary, until now I'd thought...).
backscatter712
(26,355 posts)
...when he released the first versions of PGP.
I'd consider that an endorsement.
devils chaplain
(602 posts)
I have nothing illegal to hide, but it is appalling to me that digital privacy is somehow not considered a right. That is not a good precedent.
My public PGP key is in post 6 below and also in my profile; feel free to test your own PGP to say hi!
devils chaplain
(602 posts)
Uncle Joe
(58,342 posts)
Thanks for the thread, backscatter.