NSA Suite B Cryptography

• NIST, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, [http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf Special Publication 800-56A]
• [https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm Suite B Cryptography Standards]
• {{IETF RFC|5759|link=no}}, Suite B Certificate and Certificate Revocation List (CRL) Profile
• {{IETF RFC|6239|link=no}}, Suite B Cryptographic Suites for Secure Shell (SSH)
• {{IETF RFC|6379|link=no}}, Suite B Cryptographic Suites for IPsec
• {{IETF RFC|6460|link=no}}, Suite B Profile for Transport Layer Security (TLS)

These RFC have been downgraded to historic references per {{IETF RFC|8423|link=no}}.

In December 2006, NSA submitted an Internet Draft on implementing Suite B as part of IPsec. This draft had been accepted for publication by IETF as RFC 4869, later made obsolete by RFC 6379.

Certicom Corporation of Ontario, Canada, which was purchased by BlackBerry Limited in 2009, holds some elliptic curve patents, which have been licensed by NSA for United States government use. These include patents on ECMQV, but ECMQV has been dropped from Suite B. AES and SHA had been previously released and have no patent restrictions. See also RFC 6090.

As of October 2012, CNSSP-15 stated that the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the Secret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of Top Secret information.

However, as of August 2015, NSA indicated that only the Top Secret algorithm strengths should be used to protect all levels of classified information.

In 2018 NSA withdrew Suite B in favor of the CNSA.

NSA Suite B contains the following algorithms:{{cite web |url=http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml |title=Fact Sheet NSA Suite B Cryptography |url-status=dead |archive-url=https://web.archive.org/web/20100322225318/https://www.nsa.gov/ia/programs/suiteb_cryptography/ |archive-date=Mar 22, 2010 |access-date=Dec 23, 2024}} of the NSA

In August 2015, NSA announced that it is planning to transition "in the not too distant future" to a new cipher suite that is resistant to quantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." NSA advised: "For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition." New standards are estimated to be published around 2024.{{cite web | url = https://www.imperialviolet.org/2018/12/12/cecpq2.html | date = 2018-12-12 | title = CECPQ2 | first = Adam | last = Langley | work = Imperial Violet Blog }}

Using an algorithm suitable to encrypt information is not necessarily sufficient to properly protect information. If the algorithm is not executed within a secure device the encryption keys are vulnerable to disclosure. For this reason, the US federal government requires not only the use of NIST-validated encryption algorithms, but also that they be executed in a validated Hardware Security Module (HSM) that provides physical protection of the keys and, depending on the validation level, countermeasures against electronic attacks such as differential power analysis and other side-channel attacks. For example, using AES-256 within an FIPS 140-2 [https://www.mocana.com/blog/fips-validated-vs-fips-compliant-whats-the-difference validated] module is sufficient to encrypt only US Government sensitive, unclassified data. This same notion applies to the other algorithms.

The Suite B algorithms have been replaced by Commercial National Security Algorithm (CNSA) Suite algorithms:{{cite web | url = https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm | title = Commercial National Security Algorithm Suite | access-date = 2019-05-25 | date = 2015-08-19 | publisher = National Security Agency }}

• Advanced Encryption Standard (AES), per FIPS 197, using 256 bit keys to protect up to TOP SECRET
• Elliptic Curve Diffie-Hellman (ECDH) Key Exchange, per FIPS SP 800-56A, using Curve P-384 to protect up to TOP SECRET.
• Elliptic Curve Digital Signature Algorithm (ECDSA), per FIPS 186-4
• Secure Hash Algorithm (SHA), per FIPS 180-4, using SHA-384 to protect up to TOP SECRET.
• Diffie-Hellman (DH) Key Exchange, per RFC 3526, minimum 3072-bit modulus to protect up to TOP SECRET
• RSA for key establishment (NIST SP 800-56B rev 1) and digital signatures (FIPS 186-4), minimum 3072-bit modulus to protect up to TOP SECRET

• NSA cryptography

{{reflist | 30em | refs=

{{cite web | title = CNSSP-15 National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems | url = https://www.cnss.gov/CNSS/issuances/Policies.cfm | website = Committee on National Security Systems}}

{{cite web | last = Gardner | first = W. David | date = 11 February 2009 | title = BlackBerry Maker Acquires Certicom For $106 Million | url = http://www.informationweek.com/mobile/mobile-devices/blackberry-maker-acquires-certicom-for-$106-million-/d/d-id/1076527 | website = Information Week}}

{{cite web | title = Suite B Cryptography | url = https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml | website = National Security Agency | access-date = 2015-08-16 | archive-url = https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml | archive-date = 2015-08-15 | url-status = dead }}

}}

{{Cryptography public-key}}

Category:Cryptography standards

Category:National Security Agency cryptography

Category:Standards of the United States