NIST recommends against NSA-influenced standards by Frank Konkel.
From the post:
The National Institute of Standards and Technology, the agency that sets guidelines, policy and standards used by computer systems in the federal government and worldwide, now “strongly” recommends against using an encryption standard that leaked top-secret documents show was weakened by the National Security Agency.
NIST’s Information Technology Laboratory recently authored a technical bulletin that urges users not to make use of Special Publication (SP) 800-90A, which was reopened for public comment with draft Special Publications 800-90B and 800-90C on Sept. 10, providing the cryptographic community another chance to comment on encryption standards that were approved by NIST in 2006.
“NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used,” the bulletin states.
The NIST bullentin, SUPPLEMENTAL ITL BULLETIN FOR SEPTEMBER 2013, is important for several reasons.
First, it is fair warning to security designers to not use the encryption described in SP 800-90A. Use of SP 800-90A after this report is a slam dunk on security malpractice.
Second, it reminds us that while rare, there are government agencies who take their missions to serve the public quite seriously. Who are prone to honest actions and statements.
Quite unlike the departments of State and Defense, where the real question isn’t whether they are lying, but of the motivation for lying.