SAN FRANCISCO, July 14 - U.S. government standards
for software may enable spying by the National Security Agency
through widely used coding formulas that should be jettisoned,
some of the country's top independent experts concluded in
papers released on Monday.
Such mathematical formulas, or curves, are an arcane but
essential part of most technology that prevents interception and
hacking, and the National Institute of Standards and Technology
(NIST) has been legally required to consult with the NSA's
defensive experts in approving them and other cryptography
But NIST's relationship with the spy agency came under fire
in September after reports based on documents from former NSA
contractor Edward Snowden pointed to one formula in particular
as a Trojan horse for the NSA.
NIST discontinued that formula, called Dual Elliptic Curve,
and asked its external advisory board and a special panel of
experts to make recommendations that were published on Monday
alongside more stinging conclusions by the individual experts.
Noting the partially obscured hand of the NSA in creating
Dual Elliptic Curve - which Reuters reported was most broadly
distributed by security firm RSA - the group
delved into the details of how it and other NIST standards
emerged. It found incomplete documentation and poor explanations
in some cases; in others material was withheld pending legal
As a whole, the panels recommended that NIST review its
obligation to confer with the NSA and seek legal changes "where
it hinders its ability to independently develop the best
cryptographic standards to serve not only the United States
government but the broader community."
They also urged NIST to weigh the advice of individual task
force members who made more dramatic suggestions, such as
calling for the replacement of a larger set of curves approved
for authenticating users, in part because they were selected
through unclear means by the NSA.
"It is possible that the specified curves contain a back
door somehow," said Massachusetts Institute of Technology
professor Ron Rivest, a co-founder of RSA and the source of the
letter R in its name. Though the curves could be fine, he wrote,
"it seems prudent to assume the worst and transition away."
More broadly, Rivest wrote, "NIST should ask the NSA for
full disclosure regarding all existing standards... If NSA
refuses to answer such an inquiry, then any standard developed
with significant NSA input should be assumed to be 'tainted,'"
absent proof of security acceptable to outsiders.
In an email exchange, Rivest told Reuters that "NIST needs
to have a process whereby evidence is publicly presented" about
how the curves were chosen.
The curves faulted on Monday had been questioned by
outsiders after media reports in September said the NSA could
break much widely used security software, without detailing
which ones or how. "These curves are ubiquitous in commercial
cryptography," Johns Hopkins University professor Matthew Green
said in an interview. "If you connected to Google or Facebook
today, you probably used one."
Rivest's long association with RSA, now part of electronic
storage maker EMC Corp, made his remarks more poignant.
But prominent task force colleagues including Internet
co-creator Vint Cerf and Ed Felten, former chief technologist at
the Federal Trade Commission, also gave strongly worded verdicts on
the Department of Commerce unit.
"It cannot be accepted that NIST's responsibilities should
be co-opted by the NSA's intelligence mission," wrote Cerf, who
now works at Google Inc.
While Rivest called the internal history of Dual Elliptic
Curve a "smoking gun" with an "almost certain" NSA back door,
Felten wrote that NSA might not remain alone in its ability to
use it and other possible NIST-approved holes for spying.
In each of three cases, including Dual Elliptic Curve and
the more common curves faulted by Rivest, Felten said the
suspected back door access "reduces the security of users
against attack by other adversaries, including organized crime
groups or foreign intelligence services."
The NSA might have been able to generate curves that pass
cursory security tests but are still breakable through the aid
of sheer computing power, because it can try millions of curves
and get a few that fit its goals. But a researcher working for
another country could discover the flaw, Felten said.
In the case of the curves approved under the FIPS 186
standard for authenticating digital signatures, NIST should
start over and pick its own curves publicly rather than relying
on the NSA, Felten and others said.
Several experts said NIST had to hire more cryptographers
and strengthen its internal processes to avoid relying on NSA.
NIST acting Director Willie May agreed in a statement,
saying his agency "must strengthen its in-house cryptography
capabilities to ensure we can reach independent conclusions
about the merits of specific algorithms or standards."
NIST did not respond to a Reuters email asking about the
fate of the suspect curves.
(Reporting by Joseph Menn; Editing by Ken Wills)