NSA Suite B Cryptography was a set of cryptographic algorithms
promulgated
Promulgation is the formal proclamation or the declaration that a new statutory or administrative law is enacted after its final approval. In some jurisdictions, this additional step is necessary before the law can take effect.
After a new law ...
by the
National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
as part of its
Cryptographic Modernization Program
The Cryptographic Modernization Program is a Department of Defense directed, NSA Information Assurance Directorate led effort to transform and modernize Information Assurance capabilities for the 21st century. It has three phases:
*Replacement- Al ...
. It was to serve as an interoperable cryptographic base for both unclassified information and most
classified information
Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, ...
.
Suite B was announced on 16 February 2005. A corresponding set of unpublished algorithms,
Suite A, is "used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI)."
In 2018, NSA replaced Suite B with the
Commercial National Security Algorithm Suite The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US Nat ...
(CNSA).
Suite B's components were:
*
Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
(AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or the
Galois/Counter Mode
In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achiev ...
(GCM) mode of operation for high bandwidth traffic (see
Block cipher modes of operation
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity.
A block cipher by itself is only suitable for the secure cryptographic transforma ...
)
symmetric encryption
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...
*
Elliptic Curve Digital Signature Algorithm
In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.
Key and signature-size
As with elliptic-curve cryptography in general, the b ...
(ECDSA)
digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
s
*
Elliptic Curve Diffie–Hellman
In mathematics, an ellipse is a plane curve surrounding two focus (geometry), focal points, such that for all points on the curve, the sum of the two distances to the focal points is a constant. It generalizes a circle, which is the special ty ...
(ECDH)
key agreement In cryptography, a key-agreement protocol is a protocol whereby two or more parties can agree on a key in such a way that both influence the outcome. If properly done, this precludes undesired third parties from forcing a key choice on the agreeing ...
*
Secure Hash Algorithm 2 (SHA-256 and SHA-384)
message digest
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
General information
* NIST, ''Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography,'
Special Publication 800-56ASuite B Cryptography Standards* , Suite B Certificate and Certificate Revocation List (CRL) Profile
* , Suite B Cryptographic Suites for Secure Shell (SSH)
* , Suite B Cryptographic Suites for IPsec
* , Suite B Profile for Transport Layer Security (TLS)
These RFC have been downgraded to historic references per .
History
In December 2006, NSA submitted an Internet Draft on implementing Suite B as part of
IPsec
In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...
. This draft had been accepted for publication by
IETF
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
as RFC 4869, later made obsolete by RFC 6379.
Certicom
BlackBerry Limited is a Canadian software company specializing in cybersecurity. Founded in 1984, it was originally known as Research In Motion (RIM). As RIM, it developed the BlackBerry brand of interactive pagers, smartphones, and tablets ...
Corporation of
Ontario
Ontario ( ; ) is one of the thirteen provinces and territories of Canada.Ontario is located in the geographic eastern half of Canada, but it has historically and politically been considered to be part of Central Canada. Located in Central Ca ...
, Canada, which was purchased by
BlackBerry Limited
BlackBerry Limited is a Canadian software company specializing in cybersecurity. Founded in 1984, it was originally known as Research In Motion (RIM). As RIM, it developed the BlackBerry brand of interactive pagers, smartphones, and tablets ...
in 2009,
holds some
elliptic curve patents, which have been licensed by NSA for United States government use. These include patents on
ECMQV
MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie–Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified ...
, but ECMQV has been dropped from Suite B. AES and SHA had been previously released and have no patent restrictions. See also RFC 6090.
As of October 2012, CNSSP-15
stated that the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to the
Secret
Secrecy is the practice of hiding information from certain individuals or groups who do not have the "need to know", perhaps while sharing it with other individuals. That which is kept hidden is known as the secret.
Secrecy is often controvers ...
level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection of
Top Secret
Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, ...
information.
However, as of August 2015, NSA indicated that only the Top Secret algorithm strengths should be used to protect all levels of classified information.
In 2018 NSA withdrew Suite B in favor of the CNSA.
Quantum resistant suite
In August 2015, NSA announced that it is planning to transition "in the not too distant future" to a new cipher suite that is
resistant to
quantum
In physics, a quantum (plural quanta) is the minimum amount of any physical entity (physical property) involved in an interaction. The fundamental notion that a physical property can be "quantized" is referred to as "the hypothesis of quantizati ...
attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." NSA advised: "For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition."
New standards are estimated to be published around 2024.
Algorithm implementation
Using an algorithm suitable to encrypt information is not necessarily sufficient to properly protect information. If the algorithm is not executed within a secure device the encryption keys are vulnerable to disclosure. For this reason, the US federal government requires not only the use of NIST-validated encryption algorithms, but also that they be executed in a validated Hardware Security Module (HSM) that provides physical protection of the keys and, depending on the validation level, countermeasures against electronic attacks such as differential power analysis and other side-channel attacks. For example, using AES-256 within an
FIPS 140-2
The Federal Information Processing Standard Publication 140-2, (FIPS PUB 140-2), is a U.S. government computer security standard used to approve cryptographic modules. The title is ''Security Requirements for Cryptographic Modules''. Initial publ ...
br>
validatedmodule is sufficient to encrypt only US Government sensitive, unclassified data. This same notion applies to the other algorithms.
Commercial National Security Algorithm Suite
The Suite B algorithms have been replaced by
Commercial National Security Algorithm (CNSA) Suite algorithms:
* Advanced Encryption Standard (AES), per FIPS 197, using 256 bit keys to protect up to TOP SECRET
* Elliptic Curve Diffie-Hellman (ECDH) Key Exchange, per FIPS SP 800-56A, using Curve P-384 to protect up to TOP SECRET.
* Elliptic Curve Digital Signature Algorithm (ECDSA), per FIPS 186-4
* Secure Hash Algorithm (SHA), per FIPS 180-4, using SHA-384 to protect up to TOP SECRET.
* Diffie-Hellman (DH) Key Exchange, per RFC 3526, minimum 3072-bit modulus to protect up to TOP SECRET
* RSA for key establishment (NIST SP 800-56B rev 1) and digital signatures (FIPS 186-4), minimum 3072-bit modulus to protect up to TOP SECRET
See also
*
NSA cryptography
The vast majority of the National Security Agency's work on cryptography, encryption is classified information, classified, but from time to time NSA participates in standardization, standards processes or otherwise publishes information about it ...
References
{{Cryptography public-key
Cryptography standards
National Security Agency cryptography
Standards of the United States