NIST outlines process for creating strong encryption standards

In an age of rampant network breaches and theft of sensitive information, the National Institute of Standards and Technology is promoting strong encryption and recently released a final document outlining exactly how its researchers will develop cryptographic standards.

The NIST Cryptographic Standards and Guidelines Development Process — more than two years in the making — is a framework for engaging people and institutions across the globe about the best practices for securing information and communications.

Download: NIST Cryptographic Standards and Guidelines Development Process

"Our goal is to develop strong and effective cryptographic standards and guidelines that are broadly accepted and trusted by our stakeholders," said Donna Dodson, NIST chief cybersecurity advisor and associate director for cybersecurity at the IT Laboratory, which took the lead on the document's development. "While our primary stakeholder is the federal government, our work has global reach across the public and private sectors. We want a process that results in standards and guidelines that can be used to secure information systems worldwide."

The process hinges on nine principles, including transparency, balance, integrity — that of NIST and the standards themselves — technical merit, usability and global acceptability.

NIST spokesperson Jennifer Huergo noted the "'global acceptability' principle was added to this final draft in response to public comments and reflects the global nature of today's commerce."

The guidelines also urge researchers to focus on non-proprietary solutions that "are unencumbered by royalty-bearing patented technologies." However, the document notes that NIST "may select algorithms with associated patents if the technical benefits outweigh the potential costs."

With the guidelines in place, NIST will begin working with stakeholders — including federal agencies, academics and private sector researchers and companies — to develop the standards by which government agencies will have to abide. As is generally the case, private industry is also expected to rely on these standards, though on a voluntary basis.

"Cryptographic standards and guidelines for the protection of federal information systems have always been a key component" of NIST's Computer Security Division, according to the document. "They must be robust and have the confidence of the cryptographic community in order to be widely adopted and effective at securing information systems worldwide."

As the debate over strong encryption and backdoors continues — despite the FBI dropping its high-profile case against Apple — NIST researchers acknowledged the "possibility for tension" between the standards and law enforcement interests.

The document cites this as a potential conflict, though it maintains that NIST is an independent body and "remains committed to strong cryptography due to its vital role in protecting information and information systems."
