A group of outside experts found that the process that led to the inclusion of the weakened Dual EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.
The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.
“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi- year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report.
The committee was tasked with looking at various aspects of the standards development process and the events that led up to Dual EC_DRBG finding its way into the SP 800 90 standard. One of the major revelations of the Edward Snowden documents last year was that the algorithm may have a back door that enabled the NSA to decrypt traffic secured by products that use Dual EC. NIST later removed the RNG from the standard, and officials at RSA Security, which had made Dual EC the default RNG in its BSAFE library, recommended that its customers use a different RNG.
Committee members said that in light of the Snowden revelations, any other NIST standards developed with the help of NSA experts should be reviewed, as well.
“While the actual damage caused by such a back-door to users of NIST cryptographic standards may be small (few users may have used Dual-EC-DRBG), the damage to NIST and its credibility for developing trustworthy cryptographic standards is considerable. Not only do other NIST standards developed in coordination with the NSA now need critical review, but the process for developing future standards needs re-assessment and reformulation,” wrote VCAT committee member Ron Rivest, one of the designers of the original RSA algorithm and a professor at MIT.
“The most salient aspect of the necessary review is the past and future reliance of NIST on the NSA for cryptographic expertise.”
The committee members also include Vint Cerf of Google, Ed Felten of Princeton, Steve Lipner of Microsoft, Bart Preneel of Katholieke Universiteit Leuven in Belgium and Fran Schrotter of the American National Standards Institute.
In addition to the recommendations around Dual EC, the committee also made broader recommendations about the way that NIST develops standards in the future. The committee said NIST needs to hire more cryptographers and be more open and transparent about its interactions with NSA.
“It is of paramount importance that NIST’s process for developing cryptographic standards is open and transparent and has the trust and support of the cryptographic community. This includes improving the discipline required in carefully and openly documenting such developments,” the report says.
“NIST should also develop and implement a plan to further increase the involvement of the cryptographic community, including academia and industry, in the standards-development process.”
NIST officials said the organization is already in the process of making some changes that the committee recommends.
“Ensuring we have a process that delivers strong cryptography and protects the integrity of our standards and guidelines is our highest priority,” said Acting NIST Director Willie May. “We appreciate this review by the VCAT and the individual Committee of Visitor experts. NIST has already taken several steps to strengthen the process for developing cryptographic standards and will carefully consider these recommendations.”