I doubt the NIST will ever be trusted again as any standards or specs they are in favor of will be immediately suspected of having some favorable vulnerability for the NSA.
Let's say they hold a contest for people to submit next generation cryptosystems, and that Algorithms A,B, and C make it to the final. If the NIST publishes critical remarks on A and C and seems to favor B, immediate skepticism and red flags will be raised. Does B have a hidden weakness the NSA knows about?
A standards organization can only run on its transparency and integrity.
First, a lot of NIST crypto standards are relatively anodyne; for instance, the NIST GCM standard basically just explains how to do multiplication in GF(2^128), and the NIST CTR mode standard just lays out a bunch of ways you can arrange your counter block. Those standards remain valuable and aren't likely to harbor backdoors.
Second, it has always been the case that favorable responses from the USG in general and NSA in particular have cast a pall over proposed standards. Isn't that why there's a RIPEMD160, for instance?
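As an added illustration of the point above (this is not code from anyone in this thread), here is the GF(2^128) block multiplication exactly as NIST SP 800-38D, Algorithm 1, lays it out, plus the GHASH fold that uses it. The sample blocks A, B and C are constructed values, not official test vectors; the checks are algebraic field laws (identity, commutativity, distributivity, Lagrange's a^(2^128-1) = 1) that any correct implementation of this field must satisfy.

```python
# Added example: GCM's GF(2^128) multiplication as NIST SP 800-38D Algorithm 1
# describes it. 128-bit blocks are handled as Python ints with the block's
# leftmost bit (x_0 in the standard) as the int's most significant bit.

# R = 11100001 || 0^120 encodes the reduction polynomial 1 + x + x^2 + x^7 + x^128
R = 0xE1 << 120
ONE = 1 << 127          # the multiplicative identity in GCM's bit-reflected convention
MASK = (1 << 128) - 1

# Constructed sample blocks (arbitrary nonzero values, not test vectors).
A = 0x0123456789ABCDEF0123456789ABCDEF
B = 0xFEDCBA9876543210FEDCBA9876543210
C = 0x00000000000000FF00000000000000FF


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) as GCM defines it."""
    z, v = 0, y & MASK
    for i in range(128):
        # x_i is the i-th bit of X counted from the left, i.e. int bit 127 - i
        if (x >> (127 - i)) & 1:
            z ^= v
        # V := V * x: shift right by one and reduce by R when a bit falls off
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def gf128_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in the same field."""
    result, base = ONE, a & MASK
    while e:
        if e & 1:
            result = gf128_mul(result, base)
        base = gf128_mul(base, base)
        e >>= 1
    return result


def gf128_inv(a: int) -> int:
    """a^(2^128 - 2) is the inverse of a nonzero a, since a^(2^128 - 1) = 1."""
    if a & MASK == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^128)")
    return gf128_pow(a, (1 << 128) - 2)


def ghash(h: int, blocks: list) -> int:
    """The GHASH fold of SP 800-38D: Y_i = (Y_{i-1} xor X_i) * H, with Y_0 = 0."""
    y = 0
    for block in blocks:
        y = gf128_mul(y ^ (block & MASK), h)
    return y


def check_field_laws(a: int = A, b: int = B, c: int = C) -> bool:
    """True when the multiplication behaves like a field with identity ONE."""
    return (
        gf128_mul(ONE, a) == a
        and gf128_mul(a, ONE) == a
        and gf128_mul(a, 0) == 0
        and gf128_mul(a, b) == gf128_mul(b, a)
        and gf128_mul(a, b ^ c) == gf128_mul(a, b) ^ gf128_mul(a, c)
        and gf128_pow(a, (1 << 128) - 1) == ONE
        and gf128_mul(a, gf128_inv(a)) == ONE
    )


if __name__ == "__main__":
    print("field laws hold:", check_field_laws())
    # With H = ONE, GHASH degenerates to a plain XOR of the blocks.
    print("ghash(ONE, [A, B, C]) == A ^ B ^ C:", ghash(ONE, [A, B, C]) == A ^ B ^ C)
```

The only real cryptographic content here is the choice of reduction polynomial and the bit ordering; everything else is textbook arithmetic, which is why a standard of this kind leaves little room for a hidden weakness.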
There has always been suspicion, but nothing close to proof. Now that there is close to proof that the NSA has been inserting weaknesses for themselves (unlike the DES S-box modifications they made, which actually strengthened it), the Clipper proposal seemed to suggest the NIST/NSA was interested in strong cryptosystems with explicit, transparent backdoors, and they also had the export limitations, so many non-conspiracy-theory people assumed the NSA was more interested in cryptanalyzing foreign communications and keeping our domestic cryptosystems out of foreign hands.
What used to be long-held cryptoanarchist conspiracy theories are no longer so far-fetched, as now the NIST/NSA is more concerned with targeting the existing communication networks of friendly western democracies/domestic intercept, on which terrorists may piggyback, instead of foreign non-aligned powers.
That is, the greatest threat is no longer foreign comm networks and cryptosystems, but domestic. We have become the adversary.
Anyway, what do you call AES? It was selected as the winner by the NIST and it has widespread industry adoption.
No. You didn't read my comment. The notion that NSA might know of weaknesses in any standard it endorsed has never been far-fetched. It's closer to an article of faith among cryptographers. Again: there are whole standards that exist solely because of that concern.
Yes, but whenever the NSA "suggests" changes, such as certain constants or the classic S-boxes from DES, those don't usually come with a clear explanation; it's more of a "here, make these changes, it will be better, trust us" kind of idea.
Another point is that most people (especially non-US citizens) don't necessarily view NSA and NIST as separate. They are seen as part of the same government. More like 2 offices in the same government department.
Now this also brings about an interesting thing I have been thinking about. NSA is also in charge of protecting its own data. So recommendations, practices and policies they tweak go into keeping its (and other agencies') classified data secure.
Given that they have managed to "tweak" and insert backdoors in some algorithms or systems, how likely are they to recommend those systems for their own and other government agencies' use? Do they want the communication or keys to the nuclear launch sites to use the "tweaked" version? They would need to have a pretty good feel that no other agency out there has also figured out the backdoor.
And in the DES s-box case, you'd have been right to trust them, because they fixed a vulnerability in DES 20 years before the theory behind it would become public. They couldn't disclose the reasoning behind the new s-boxes without disclosing differential cryptanalysis, because they generated the new s-boxes by first generating random candidates and then testing them for resilience against differential cryptanalysis.
True, and that is the problem they are facing. Before, when they came in and said "trust us, it is better", NIST and everyone would say "yup, we trust you". Now it has switched to "no way, you are just building in a backdoor". That is the sad part.
That's why they generally design the backdoor so that it's based on a key that only they have.
For example, with Dual EC DRBG, researchers discovered that it would be possible to create the constants based on another constant, with which you could predict the output easily. But without prior knowledge of that constant, it would be an infeasible brute-force search to find it.
Likewise, previous publicly known backdoors like the one in the export version of Lotus Notes depended on a key that the NSA had. There it was even simpler, and not obfuscated; it would just encrypt a portion of the session key with the NSA's public key, which they could decrypt and then easily brute-force the rest of the session key.[1]
The NSA doesn't want to make security weak against arbitrary attackers, they just want to give themselves the keys.
I believe we will see a rise in credibility of foreign (for Americans) standards bodies. It could be Germany (would it be BSI?) or another country. I know, for example, that Red Hat had been getting their Common Criteria cert (needed to sell their systems more easily to some government agencies) from Germany's BSI, but it was because of red tape, not credibility.
I believe similar things will happen with other standards, products and services related to security. It will be beneficial to advertise that it was some other agency besides NIST that certified the product/standard, or that somehow this service or product is better because we know the NSA didn't stick its fingers in the pie. Kind of a negative advertisement. A real shame. This will hurt American companies (including jobs, taxes) quite a bit.
As a rule of thumb I would recommend that no government agency be trusted about any projects they develop. Everyone would be better off {blank stare} Beyond that, there really needs to be more focus on open-source and public code review with an industry funded focus group that takes on reviewing core elements of technology and the internet down to the atomic level.
The chances are that if there are flaws and deliberate corruption to be discovered, it is to be discovered now. Not every line of code needs reviewing at all times, whole projects need periodic, thorough review.
Can I just say, I wish someone at some kind of reputable journal would calculate the damage and cost of what our government has done. It goes far beyond the obvious costs, by affecting things like, e.g., Apple's new, excellently timed iPhone 5S Touch ID feature, which will surely not go over well with consumers, especially globally. The US Government has now taken a pipe to the shins of the most valuable company on the globe, all because our psychopaths in charge aspire to being despotic authoritarians that have to control everything in order to prevent discovery of their incompetence.