According to reports by the Guardian, the New York Times (NYT) and ProPublica, the US National Security Agency (NSA) can bypass encryption that protects much of the data on the web.
The reports said the NSA inserted a back door into a 2006 release of the encryption standard adopted by the US National Institute of Standards and Technology (Nist).
The standard was later adopted by the International Organisation for Standardisation (ISO), which has 163 member countries.
Following the revelation, Nist has announced it will re-open the public vetting process for the encryption standard, according to the New York Times.
“We want to assure the IT cyber security community that the transparent, public process used to rigorously vet our standards is still in place,” Nist said in a statement.
The US federal agency said it would not deliberately weaken a cryptographic standard.
Adding further detail to initial reports, the NYT has revealed exactly how the NSA was able to compromise the encryption standard.
Internal memos leaked by Snowden suggest the NSA was responsible for one of the random number generators used in the 2006 Dual EC DRBG Nist standard.
As author of the random number generator, the NSA was able to predict the scrambling protocols, enabling it to access encrypted data.
The leaked memos also indicate that the NSA worked behind the scenes to push the same standard into the ISO and to become the sole editor of the standard.
The NYT said cryptographers have long had mixed feelings about Nist’s close relationship with the NSA, but many said last week’s revelations had confirmed their worst fears and eroded their confidence in Nist standards.
Nist said that because of cryptographers’ concerns, it would reopen the public comment period for three standards that use the random number generator in question.
“If vulnerabilities are found in these or any other Nist standard, we will work with the cryptographic community to address them as quickly as possible,” the agency said.