International Standards Body Rejects Weakened IOT Encryption Methods Pushed By The NSA

from the bleak-days-for-Big-Surveillance dept

The NSA has again been outed for pushing compromised encryption standards. An early Snowden leak showed the agency paid RSA $10 million to promote a weakened encryption standard. RSA offered up a denial that didn't exactly contradict the evidence provided by the leaked documents. A few years later, NIST (National Institute of Standards and Technology) removed the Dual Elliptic Curve algorithm from its recommendations, citing its distrust of the agency pushing for its adoption: the NSA. Dual EC appeared to be deliberately weakened, reducing encryption-breaking efforts to a matter of seconds, rather than hours or days.

The NSA is once again at the center of an encryption controversy. This time the intended target of weakened encryption standards is the Internet of Things. As Kieran McCarthy of The Register reports, the NSA's hard-sell approach backfired, leaving its preferred attack vectors, er, encryption algorithms locked out by an international standards body.

The "Simon" and "Speck" cryptographic tools were designed to secure data to and from the next generation of internet-of-things gizmos and sensors, and were intended to become a global standard. But the pair of techniques were formally rejected earlier this week by the International Organization of Standards (ISO) amid concerns that they contained a backdoor that would allow US spies to break the encryption. The process was also marred by complaints from encryption experts of threatening behavior from American snoops.

Researchers report being attacked by NSA reps when its preferred algorithms were questioned. Some of the terms used to describe the NSA's reactions to criticism include "outrageously adversarial" and "bullying."

There appears to be no evidence that researchers found a backdoor in the encryption methods as originally delivered. The ISO's rejection was based mostly on the NSA's past untrustworthiness and its attempt to add backdoor-esque code to the IoT encryption software. The NSA's failure to get its favored methods instituted as industry standards has apparently led to personal attacks on researchers opposing its efforts. That's not exactly going to swing crucial votes its way in upcoming standards decisions.

The NSA has remained silent as other US government agencies complain about criminals "going dark." It may join them if it continues to be shut out by standards bodies and software developers.


Filed Under: encryption, iot, nsa, trust

Companies: iso