The United States National Institute of Standards and Technology (NIST) is the body that develops and certifies encryption standards, approving them for US government and commercial use.
For the last year or so we here at BestVPN have strongly advocated a move away from NIST standards in light of it approving encryption standards widely known to have been compromised by its close working partner, the NSA.
‘Given what we now know of the NSA’s systematic efforts to weaken or built back doors into international encryption standards, there is every reason to question the integrity of NIST algorithms… the New York Times has accused the NSA of circumventing the NIST approved encryption standards by either introducing undetectable backdoors, or subverting the public development process to weaken the algorithms…’
A big problem is that compliance with NIST standards is a prerequisite to obtaining US government contracts, so many companies have preferred not to rock the boat. As we have noted,
‘When you consider that NIST certified cryptographic standards are pretty much ubiquitous worldwide throughout all areas of industry and business that rely on privacy (including the VPN industry), this is all rather chilling. Perhaps precisely because so much relies on these standards, cryptography experts have been unwilling to face up to the problem.’
We are therefore pleased to report that the Electronic Frontier Foundation (EFF) has joined 20 civil society organizations and companies in sending a letter to NIST to ‘re-emphasize the importance of creating a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities,’ noting that,
‘These broken standards appear to have led to a serious impact on U.S. technology companies, which “may lose as much as $35 billion in the next three years from foreign customers choosing not to buy their products over concern they cooperate with spy programs”.’
The first recommendation is perhaps the most telling,
‘NIST must publicly and irrefutably commit itself to independence from the NSA’s signals intelligence mission and any government surveillance programs, activities, or authorities.’
Whether the letter itself will have any effect we find doubtful, but it does signal a growing unease and dissatisfaction within the industry that may eventually lead to concrete reform.
The full text of the letter complete with its signatories is available below.