Talk:National Institute of Standards and Technology/Archives/2013



NIST and ANSI

What is the division of labor between the American National Standards Institute and the NIST -- how do they avoid generating 2 conflicting standards for the same thing?

The answer to this question is not trivial. But here's a quick answer - somewhat superficial but probably good enough. First, NIST creates standards for federal use. ANSI creates standards for industry. So they have two different audiences. Nonetheless there is overlap since both frequently want, for example, to buy off-the-shelf items that interoperate. In any case, NIST avoids conflicting standards in part because NIST experts will already be cognizant of efforts at the time that ANSI embarks on the creation of a standard (and vice versa). Indeed, NIST representatives often serve as committee members of ANSI and other standards-setting organizations. This is not to say that conflicts don't happen but there is almost always an effort at 'harmonization' so that if NIST does create its own standard (for statutory reasons for example), it is not in conflict with another organization's version of the same thing. -- Donlibes 02:54, 8 August 2007 (UTC)

WRONG WRONG WRONG - NIST sets the standards for NOBODY, not even the federal government. The organizations like AISI, ASTM and ISO set them. NIST works on the measurement science to make the numbers that come out of the standards the best they can be. For example, physicists at NIST have won 4 Nobel Prizes for working on the precise measurement of the second, but don't define it. They work to the external definition and the consensus votes within these other organizations. Don, you work at NIST and should know better than what you wrote. 173.73.20.72 (talk) 00:40, 8 September 2013 (UTC)

NSA and NIST

The Times article says:

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

This article is wrong in a subtlety. Standards are not adopted by NIST, but by ASTM, AISI, ISO and other bodies. If the NSA put this in, it was via ISO ("pushed it on the international group. . ."), NOT NIST.

173.73.20.72 (talk) 00:36, 8 September 2013 (UTC)

The article is not wrong. SP 800-90 is a NIST standard listed on the NIST website. See http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf The SP actually stands for NIST Special Publication. The pseudorandom number generator was inserted into this publication (and the document still exists, see web site above) before it was submitted to ISO. Note: NIST is accredited as a standards setting agency by ANSI -- see the ANSI web site for a list of all US accredited standards setting organisations. The Guardian article has slightly more info. Please re-insert the text you deleted.

Ross Fraser (talk) 05:55, 8 September 2013 (UTC)

NIST is designated by ANSI as the US DELEGATE TO ISO, NOT any standards "setting" agency. NIST is a non-regulatory agency that DOES NOT SET standards. Standards are set by consensus by organizations like ISO. NIST can't tell anyone to do anything, with very limited subpoena exceptions like the National Construction Safety Team.
The article says people suspected in 2006 that NIST had helped the NSA get that into the standard, and a Microsoft engineer found it in 2007. Post hoc ergo propter hoc. Just because it was there does not mean NIST put it in. These standards have many authors, and BTW just because NIST put out an SP does not make NIST the author of the contents. There are thousands of SPs that are simply printings of externally generated and approved standards. Although there is no proof that NIST put it in (BTW also, ISO has records of all the changes - maybe someone should commit a little journalism and check into it), for the sake of argument let's presume they did. ISO standards are approved by committees of representatives from all countries that have an interest in that standard. The NSA, as stated in the article where they worked "that international organization", had to convince dozens of countries to leave it in. Grenada has as much input as the US. So this would be a MUCH wider problem than just NIST, and there is no proof that NIST did anything. Also, just as it is far from the case that if a reporter writes it it is true, just because AISI has something on their web site does not make it accurate. The list on the AISI web site is NOT of standards SETTING organizations; they are National Metrological Institutes. AISI, ASTM, ISO, SAE etc. SET the standards via voting in committees by members that have stakes in the standards.
The two reporters were very careful to parse their words and make statements back to back to imply connections and cause-effect. They likely saw a bullet on a powerpoint slide, put it together with speculations and tried to pass it off as proven. Especially the Times article, there are simply a string of (mostly) unproven assertions and rumors that the reporters are trying to get the reader to string together.
I read the SP you cite. In the title, it says "recommendation". In the intro, it cites legislative authority of which I was underinformed, and NIST does indeed set the crypto standards - for federal government non-spook use. NOT the Internet. It explicitly states it is uncopyrighted and available for use by anyone else ON A VOLUNTARY BASIS. Is this what you mean by NIST "set" this standard for the NSA to open up the Internet for them?? By tossing it out there and saying "use it if you want, whatever"?? This publication isn't even part of the standard - it's something for the committee to consider in discussions to see if they want it in. You and these articles WAY overstate NIST's role. They are not proven sources and this section, as I said, if it goes back has to be re-written to remove assertions and implications of NIST's complicity with the NSA. The evidence is not there. 71.246.223.207 (talk) 15:20, 8 September 2013 (UTC)

No one has claimed NIST sets standards for the Internet: that is done by the IETF. SP800-90 was, is and always will be a NIST publication issued by NIST and available on their web site as a special publication. However, the pseudorandom number generator described in SP800-90 has gone on to be used in some implementations of the TLS protocol, which *is* an important part of the Internet. See the WP article Dual_EC_DRBG (which has not been written or edited by me). The reporters (and now others) have made the allegation that the NSA interfered with a NIST technical publication (which NIST itself refers to as a "cryptographic standard" -- see below). Whatever might be said about the reporting by the NYT, it is reporting by the NYT (and the Guardian and Pro Publica, and others) and hence is certainly a reputable source; especially in a section titled "Controversy". And NIST itself has responded to this controversy:
"NIST WEIGHS IN: One of the biggest revelations from yesterday’s Guardian/NYT/Pro Publica stories, at least for D.C. bureaucrats, was that the NSA worked under-the-radar to inject a security weakness into a standard released by the National Institute of Standards and Technology in 2006. For its part, NIST — which has a key role in President Barack Obama’s cybersecurity plans — didn’t explicitly address the reports in a statement Thursday night. But it did say it works to fix any security holes that it knows about.
“NIST works to publish the strongest cryptographic standards possible,” the agency said in a statement. “We use a transparent, public process to rigorously vet our recommended standards. If vulnerabilities are found, we work with the cryptographic community to address them as quickly as possible.”
http://www.politico.com/morningtech/0913/morningtech11574.html
See also the FCW article "What NSA's influence on NIST standards means for feds" at http://fcw.com/articles/2013/09/06/nsa-nist-standards.aspx - it provides further background and a broader perspective on the issue's significance.
Please re-insert the text you deleted. You are very welcome to add whatever sourced material you would like to provide balance to the encyclopedic coverage of this issue. Ross Fraser (talk) 07:28, 9 September 2013 (UTC)

I put it back in. If someone thinks it's flawed, okay, but I didn't think that blanking was the answer. Also, I try to assume good faith at all times, but anonymous pro-NIST edits coming from IPs that are within 20 miles of NIST headquarters... ummm... I hope there's no COI here. Poindexter Propellerhead (talk) 22:52, 9 September 2013 (UTC)