National Institute of Standards and Technology: Difference between revisions

President [[Theodore Roosevelt]] appointed [[Samuel Wesley Stratton|Samuel W. Stratton]] as the first director. The budget for the first year of operation was $40,000. The Bureau took custody of the copies of the [[kilogram]] and [[Metre|meter]] bars that were the standards for US measures, and set up a program to provide [[metrology]] services for United States scientific and commercial users. A laboratory site was constructed in [[Washington, D.C.|Washington, DC]], and instruments were acquired from the national physical laboratories of Europe. In addition to weights and measures, the Bureau developed instruments for electrical units and for measurement of light. In 1905 a meeting was called that would be the first "National Conference on Weights and Measures".

Initially conceived as purely a [[metrology]] agency, the Bureau of Standards was directed by [[Herbert Hoover]] to set up divisions to develop commercial standards for materials and products.<ref name=Perry55/> Some of these standards were for products intended for government use, but product standards also affected private-sector consumption. Quality standards were developed for products including some types of clothing, automobile brake systems and headlamps, [[antifreeze]], and electrical safety. During [[World War I]], the Bureau worked on multiple problems related to war production, even operating its own facility to produce [[Crown glass (optics)|optical glass]] when European supplies were cut off. Between the wars, [[Harry Diamond (engineer)|Harry Diamond]] of the Bureau developed a [[Instrument approach|blind approach]] radio aircraft landing system. During [[Governmental impact on science during World War II|World War II, military research and development]] was carried out, including development of [[radio propagation]] forecast methods, the [[proximity fuze]] and the standardized airframe used originally for [[Project Pigeon]], and shortly afterwards the autonomously radar-guided [[ASM-N-2 Bat|Bat]] anti-ship guided bomb and the [[Project Kingfisher|Kingfisher family]] of torpedo-carrying missiles.

NIST had an operating [[budget]] for [[fiscal year]] 2007 (October 1, 2006{{snd}}September 30, 2007) of about $843.3 million. NIST's 2009 budget was $992 million, and it also received $610 million as part of the [[American Recovery and Reinvestment Act of 2009|American Recovery and Reinvestment Act]].<ref>{{cite journal | title=NIST Budget, Planning and Economic Studies | journal=NIST | publisher=National Institute of Standards and Technology | date=October 5, 2010 | url=https://www.nist.gov/public_affairs/budget/index.cfm | access-date=October 6, 2010 | url-status=live | archive-url=https://web.archive.org/web/20100922195101/http://www.nist.gov/public_affairs/budget/index.cfm | archive-date=September 22, 2010 | df=mdy-all }}</ref> NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. About 1,800 NIST associates (guest researchers and engineers from American companies and foreign countries) complement the staff. In addition, NIST partners with 1,400 manufacturing specialists and staff at nearly 350 affiliated centers around the country. NIST publishes the '''''[[#Handbook 44|Handbook 44]]''''' that provides the "Specifications, tolerances, and other technical requirements for weighing and measuring devices".

In September 2013, both ''[[The Guardian]]'' and ''[[The New York Times]]'' reported that NIST allowed the [[National Security Agency]] (NSA) to insert a [[cryptographically secure pseudorandom number generator]] called [[Dual EC DRBG]] into NIST standard [[NIST SP 800-90A|SP 800-90]] that had a [[kleptographic]] [[Backdoor (computing)|backdoor]] that the NSA can use to covertly predict the future outputs of this [[pseudorandom number generator]] thereby allowing the surreptitious decryption of data.<ref name=FCW>{{cite web|last=Konkel|first=Frank|title=What NSA's influence on NIST standards means for feds|url=http://fcw.com/articles/2013/09/06/nsa-nist-standards.aspx|work=FCW|publisher=1105 Government Information Group|access-date=September 10, 2013|date=September 6, 2013|url-status=dead|archive-url=https://web.archive.org/web/20130910030443/http://fcw.com/Articles/2013/09/06/NSA-NIST-standards.aspx|archive-date=September 10, 2013|df=mdy-all}}</ref> Both papers report<ref name=Guardian>{{cite web|title=Revealed: how US and UK spy agencies defeat internet privacy and security|url=https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security|work=The Guardian|access-date=September 7, 2013|author=James Borger|author2=Glenn Greenwald|date=September 6, 2013|url-status=live|archive-url=https://web.archive.org/web/20130918135152/http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security|archive-date=September 18, 2013|df=mdy-all}}</ref><ref>{{cite news|title=N.S.A. Able to Foil Basic Safeguards of Privacy on Web|url=https://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=0|newspaper=The New York Times|access-date=September 7, 2013|author=Nicole Perlroth|date=September 5, 2013|archive-url=https://web.archive.org/web/20130908112919/http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=0|archive-date=September 8, 2013|url-status=live}}</ref> that the NSA worked covertly to get its own version of SP 800-90 approved for worldwide use in 2006. The whistle-blowing document states that "eventually, NSA became the sole editor". The reports confirm suspicions and technical grounds publicly raised by cryptographers in 2007 that the EC-DRBG could contain a [[kleptographic]] backdoor (perhaps placed in the standard by NSA).<ref>{{cite magazine|last=Schneier|first=Bruce|title=Did NSA Put a Secret Backdoor in New Encryption Standard?|url=https://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115|magazine=Wired|publisher=Condé Nast|date=November 15, 2007|access-date=September 10, 2013|url-status=live|archive-url=https://archive.today/20120919094854/http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115|archive-date=September 19, 2012|df=mdy-all}}</ref>

NIST responded to the allegations, stating that "NIST works to publish the strongest cryptographic standards possible" and that it uses "a transparent, public process to rigorously vet our recommended standards".<ref>{{cite web|last=Byers|first=Alex|title=NSA encryption info could pose new security risk – NIST weighs in<!-- - Rosenworcel: Refunds for long retrans blackouts -->|url=http://www.politico.com/morningtech/0913/morningtech11574.html|work=Politico|date=September 6, 2013 |access-date=September 10, 2013|url-status=live|archive-url=https://web.archive.org/web/20130927151824/http://www.politico.com/morningtech/0913/morningtech11574.html|archive-date=September 27, 2013|df=mdy-all}}</ref> The agency stated that "there has been some confusion about the standards development process and the role of different organizations in it...The National Security Agency (NSA) participates in the NIST cryptography process because of its recognized expertise. NIST is also required by statute to consult with the NSA."<ref>{{cite web|last=Perlroth|first=Nicole|title=Government Announces Steps to Restore Confidence on Encryption Standards|url=http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/?ref=technology|work=[[The New York Times]]|date=September 10, 2013|access-date=September 11, 2013|url-status=live|archive-url=https://web.archive.org/web/20131029225705/http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/?ref=technology|archive-date=October 29, 2013|df=mdy-all}}</ref> Recognizing the concerns expressed, the agency reopened the public comment period for the SP800-90 publications, promising that "if vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible".<ref>{{cite journal|title=Cryptographic Standards Statement|url=https://www.nist.gov/director/cybersecuritystatement-091013.cfm|publisher=National Institute of Standsards in Technology|access-date=September 11, 2013|author=Office of the Director, NIST|journal=NIST |date=September 10, 2013|url-status=live|archive-url=https://web.archive.org/web/20130912234248/http://www.nist.gov/director/cybersecuritystatement-091013.cfm|archive-date=September 12, 2013|df=mdy-all}}</ref> Due to public concern of this [[cryptovirology]] attack, NIST rescinded the EC-DRBG algorithm from the NIST SP 800-90 standard.<ref name="nist_abandonment">{{cite news|url=https://www.nist.gov/itl/csd/sp800-90-042114.cfm|work=National Institute of Standards and Technology|title=NIST Removes Cryptography Algorithm from Random Number Generator Recommendations|date=April 21, 2014|url-status=live|archive-url=https://web.archive.org/web/20160829031025/http://www.nist.gov/itl/csd/sp800-90-042114.cfm|archive-date=August 29, 2016|df=mdy-all}}</ref>