The National Institute of Standards and Technology (NIST) released the second draft of a process document describing how NIST develops cryptographic standards in an announcement on Friday.
The second draft of NIST IR7797: NIST Cryptographic Standards and Guidelines contains updates to the first draft written in February 2014, as well as changes to the process in response to feedback from a July 2014 report by the Visiting Committee on Advanced Technology (VCAT).
The VCAT was convened in fall 2013 in response to cryptographic community concerns about an algorithm in NIST and ISO standards, Dual EC DRBG. The algorithm may have been weakened to create vulnerabilities in Transport Layer Security/Secure Sockets Layer (TLS/SSL), HTTPS, Secure Shell (SSH), encrypted chat, Virtual Private Network (VPN), and Voice over IP (VoIP) connections.
The VCAT created a Committee of Visitors (CoV) to serve as technical experts to review the current cryptographic standards and guidelines development process and make recommendations on improvements to the process. The members of the CoV are as follows:
- Vint Cerf, Vice President and Chief Evangelist, Google
- Edward Felten, Director, Center for Information Technology Policy, Robert E. Kahn Professor of Computer Science and Public Affairs, Princeton University
- Steve Lipner, Partner Director of Software Security Microsoft Corporation
- Bart Preneel, Professor Katholieke Universiteit Leuven, Belgium
- Ellen Richey, Executive Vice President, Chief Enterprise Risk Officer and Chief Legal Officer, Visa
- Ron Rivest, Vannevar Bush Professor, Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology
- Fran Schrotter, Senior Vice President and Chief Operating Officer, American National Standards Institute
The new draft contains language focusing on transparency and describes how NIST and the National Security Agency (NSA) interact in the development of cryptographic standards. The process ensures that NIST attributes to the NSA all algorithms, standards, guidelines, and comments made by NSA staff.
NIST is a non-regulatory federal agency within the US Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.