http://www.computerworld.com/s/article/9249738/Overreliance_on_the_NSA_led_to_weak_crypto_standard_NIST_advisers_find
By Lucian Constantin
IDG News Service
July 15, 2014
The National Institute of Standards and Technology needs to hire more
cryptographers and improve its collaboration with industry and academia,
reducing its reliance on the U.S. National Security Agency for decisions
around cryptographic standards, a panel of its advisers has found.
Lack of internal expertise in certain areas of cryptography and too much
trust in the NSA led the NIST to ignore security concerns about a
pseudorandom number generator called Dual_EC_DRBG (Dual Elliptic Curve
Deterministic Random Bit Generator) in 2006, technical experts who
reviewed the organization's standards development process said in a report
released Monday.
Media reports last year based on secret documents leaked by former NSA
contractor Edward Snowden claimed that the NSA used its influence over
NIST to insert a backdoor into Dual_EC_DRBG and possibly weaken other
cryptographic standards. The revelations called into question the
integrity of NIST's standard-making processes and damaged the
organization's reputation in the cryptographic community.
The new report by NIST's Visiting Committee on Advanced Technology (VCAT)
is based on assessments by a panel of outside technical experts including
Internet pioneer Vint Cerf, who is vice president and chief evangelist at
Google; cryptographer and MIT professor Ron Rivest, who co-authored the
widely used RSA encryption algorithm; Edward Felten, professor and
director of the Center for Information Technology Policy at Princeton
University; Ellen Richey, executive vice president and chief enterprise
risk officer at Visa; Steve Lipner, partner director of software security
at Microsoft; Belgian cryptographer and cryptanalyst Bart Preneel, who
works as a professor at the University of Leuven; and Fran Schrotter,
senior vice president and chief operating officer of the American National
Standards Institute.
[...]