Image credit: Another Print Please/Flickr
In response to last week’s widespread reports revealing that the National Security Agency (NSA) spends huge sums in an effort to “covertly influence” companies and crack encryption, the National Institute of Standards and Technology (NIST) has denied its reported role in the scheme.
The Guardian, The New York Times and ProPublica cited documents handed over by PRISM leaker Edward Snowden indicating that the NSA was able to get NIST to change its security standard in 2006.
The new standard, recommended by the NSA, reportedly included vulnerabilities that could later be exploited by NSA hackers in order to more easily spy on private communications.
Unsurprisingly, NIST now denies any such role.
“We want to assure the [information technology] cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” NIST said in a statement issued on Tuesday.
The Hill points out that a great deal is on the line with this allegation.
“NIST is not a regulatory agency — it only helps private groups agree on voluntary standards and guidelines,” The Hill notes. “If outside groups stop trusting the NIST, it could undermine the agency’s usefulness.”
“NIST would not deliberately weaken a cryptographic standard,” NIST said.
“We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large,” the agency said in its statement.
The ProPublica report cited classified NSA memos indicating that the encryption weakness, discovered in 2007 by two cryptographers working for Microsoft, was indeed engineered by the NSA.
“The NSA wrote the standard and aggressively pushed it on the international group, privately calling the effort ‘a challenge in finesse,’” ProPublica reported.
“Eventually, NSA became the sole editor,” the classified memo states.
NIST also acknowledged that the NSA does indeed help its “cryptography development process because of its recognized expertise.”
In response to the public’s concern, NIST reopened the public comment period for the cryptography standards.
“If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible,” the agency said in its statement.
This article first appeared at End the Lie.