About IA at NSA Partners Rowlett Awards Award Recipients Background Nomination Procedures Links IA Client and Partner Support IA News IA Events IA Mitigation Guidance Media Destruction Guidance Security Configuration Guides Applications Archived Guides Cisco Router Guides Database Servers Fact Sheets Industrial Control Systems (ICS) IPv6 Operating Systems Supporting Documents Switches VoIP and IP Telephony Vulnerability Technical Reports Wireless System Level IA Guidance TEMPEST Overview TEMPEST Products: Level I Certified Confirmed Deficiencies Suspended Terminated No Longer Produced TEMPEST Products: Level II Certified Confirmed Deficiencies Suspended Terminated No Longer Produced TEMPEST Company POCs Certified Suspended Terminated Trusted Computing IA Academic Outreach National Centers of Academic Excellence in IA Education Colloquium Institutions SEAL Program IA Courseware Evaluation Program Institutions Student Opportunities IA Business and Research IA Business Affairs Office Certified Product Sales and Support Commercial COMSEC Evaluation Program Commercial Satellite Protection Program Independent Research and Development Program User Partnership Program Partnerships with Industry NIAP and COTS Product Evaluations IA Programs Commercial Solutions for Classified Program Global Information Grid High Assurance Platform HAP Technology Overview HAP Technology Partner Program HAP Resource Library Inline Media Encryptor Suite B Cryptography NSA Mobility Program IA Careers Contact Information
Suite B Cryptography / Cryptographic Interoperability
The rapid and secure sharing of information is vital to the strategic and national interests of the U.S. and its Allies. Whether communicating with a tactical user at the frontlines of a battlefield or a law enforcement officer in a mobile command during a terrorist attack, the speed and security of sending and receiving information may impact a number of consequences such as casualties and collateral damage. Because of the highly complex nature of modern communications technology, it is extremely important that the federal government, industry, foreign partners, and international organizations cooperate to achieve secure interoperability. NSA has been and continues to be dedicated to providing widespread cryptographic interoperability capabilities to protect classified national security systems. NSA has developed two major efforts to promote widespread cryptographic interoperability:
[This information is intended to inform cryptographic developers and end users of cryptographic products]
The Cryptographic Interoperability Strategy (CIS) was developed to increase assured rapid sharing of information both within the U.S. and between the U.S. and its partners through the use of a common suite of public standards, protocols, algorithms, and modes. The implementation of CIS will facilitate the development of a broader range of secure cryptographic products which will be available to a wide customer base. Operational examples include enabling the U.S. Government to securely share intelligence information with State and Local First Responders and for war fighters to securely share information on the battlefield with non-traditional coalition partners. To achieve the Strategy, NSA is working to influence International standards groups such as the Internet Engineering Task Force (IETF).
One public standard for algorithms that has become popular is known as Suite B. Suite B is a publicly-available set of algorithms that may be used to protect classified national security systems and information. Suite B includes cryptographic algorithms for confidentiality, key exchange, digital signature, and hashing. The combination of Suite B algorithms and the NSA-approved specification of the standards-based protocols are considered to be the Suite B Cryptography – the core of CIS.
The NSA Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified National Security System (NSS) data. This will provide the ability to securely communicate using a solution based on commercial Suite B standards. Specific protocols are in the CSfC Capability Packages. Visit the Commercial Solutions for Classified Program site for more information.
CNSSP-15, National Information Assurance Policy on the Use of Public Standards for Secure Sharing of Information Among Security Systems
The Committee on National Security Systems (CNSS) established a cryptographic interoperability policy for Information Assurance (IA) and IA-enabled IT products acquired by U.S. Government Departments and Agencies to protect national security systems (NSS) and information therein.
The CNSSP-15 policy states that:
In the event that mission requirements preclude meeting these CNSSP-15 requirements, permission to use NSA-approved mission-specific security protocols and cryptographic algorithms may be granted by NSA. For a copy of CNSSP-15, please visit the CNSS website.
Suite B Algorithms
The Suite B Algorithms were approved by the National Institute of Standards and Technology (NIST) and have been adopted by NSA. The Suite B Algorithms consists of cryptographic algorithms for confidentiality, key exchange, digital signature, and hashing. Specifically:
ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 currently provide adequate protection for classified information up to the SECRET level. AES with 128-bit keys and SHA-256 currently provide adequate protection for classified information up to the SECRET level.
Because the adoption of elliptic curve cryptography has been slow, NSA has allowed a transition period for ECDH and ECDSA. During this transition, Diffie-Hellman (DH) Key Exchange, Digital Signature Algorithm (DSA), and Rivest-Shamir-Adelman Algorithm (RSA) may be used with a 2048-bit modulus to protect classified information up to the SECRET level.
AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.
NSA discourages the use of AES-128 or SHA-256 for equipment/products designed to protect NSS and information therein. Sponsors/vendors that are planning to develop products with AES-128, SHA-256, DH, DSA, and/or RSA 2048-bit modulus are encouraged to contact NSA prior to such development. In situations where Suite B is not feasible or appropriate, other NSA-approved algorithms and protocols may be used. Because these exceptions must be approved by NSA, product sponsors and developers should contact NSA early in the development process.
Certain commercial IA and IA-enabled IT products that contain cryptography and the technical data regarding them are subject to Federal Government export controls. Export of products that implement NIST standards that define Suite B or associated technical data must comply with Federal Government regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Information about export regulations is available at: http://www.bis.doc.gov/index.html.
Standards and Protocols
NSA is developing cryptographic interoperability specifications for some standards-based security protocols. NSA has also established interoperability testing processes for both the government off-the-shelf (GOTS) products undergoing certification or approval for use and commercial off-the-shelf (COTS) products undergoing the CSfC Components Listing process.
NSA leverages Federal and internet standards and protocols as it develops the cryptographic interoperability specifications/profiles. Several Internet Engineering Task Force (IETF) protocol standards have been identified by NSA as having potential widespread interoperability use. Several IETF RFCs have been established to allow the use of Suite B Cryptography with these protocols. (See NSA-approved Protocols section below.)
In addition to the IETF standards, an implementer must consult the relevant NIST standards and the Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program in order to understand NIST’s validation requirements.
Modes of Operation
The Galois/Counter Mode (GCM) is the preferred AES mode. NIST Special Publication 800-38D, Recommendations for Block Cipher Modes of Operation: Galois/Counter Mode, contains an application independent description of GCM. RFC 4106 and RFC 4869 describe the use of GCM in IPsec Encapsulating Security Payload (ESP). RFC 5288 describes the use of GCM in Transport Layer Security (TLS).
NSA is developing key management guidance to support products that contain Suite B Cryptography. A base set of certificate and CRL formats to support interoperability among Suite B solutions may be found in Suite B Base Certificate and Certificate Revocation List (CRL) Profile, RFC 5759 and companion document Suite B Certificate and CRL Examples. The Suite B Profile of Certificate Management over CMS is RFC 6403.
NSA-Approved Specification of Protocols
In order to meet the CNSSP-15 requirement, cryptographic products must use the appropriate Suite B protocols. Information about these protocols and/or specifications may be obtained by contacting the National Cryptographic Solutions Management Office (NCSMO). At this time, NSA has completed the following requirement/specification:
NSA expects the following protocol to be completed by the 3QFY13:
NSA is currently looking at the potential standardization and specification of the following:
The following documents provide guidance for using Suite B cryptography with internet protocols:
Internet Protocol Security (IPsec) Minimum Essential Interoperability Requirements (IPMEIR) is being implemented in government equipment to foster interoperability with commercial industry. IPMEIR Version 1.0.2 dated 29 March 2013 support the CIS by providing commercial IPsec network product producers and traditional government network encryptor vendors with minimum interoperability requirements.
NSA Cryptographic Interoperability Testing
Per CNSSP-15, NSA has established an interoperability testing process that is comprised of two testing requirements: Protocol Conformance Testing and Interoperability Technical Testing.
Protocol Conformance Testing is performed as a bench test and is limited to the basic protocol elements. It is based on the interoperability requirements for each NSA-approved specification of standards-based security protocol and constitutes a set of tests that ensure that a product implements the protocol according to the NSA interoperability requirements. This test will be conducted at the National Information Assurance Program (NIAP) labs during commercial testing for the CSfC Components Listing process or in parallel with the Security Validation Testing phase for the GOTS certification or approval for use process.
Interoperability Technical Testing is performed after a product has passed conformance testing and is designed to validate whether a product can interoperate/communicate with other previously-tested and interoperable equipment. The testing is restricted to a single protocol (layer) at a time. It is meant to test products in a realistic operational environment, including communication over the Defense Information System Network (DISN). The technical testing will be conducted at the Joint Interoperability Test Command (JITC) or other NSA-approved interoperability testing facility. Products in both the CSFC Components Listing process and the GOTS certification or approval for use process will follow the same technical testing procedures.
NSA will identify those cryptographic products that have passed cryptographic interoperability testing and will make the NSA Cryptographic Interoperability List (NCIL) available on the NSA.gov website.
Interoperability testing does not test for IA security. Products will still be required to undergo security testing per NSTISSIP-11. Passing interoperability testing does not guarantee passing the security requirements in either the CSfC Components Listing process or GOTS certification or approval for use process.
An NSA Cryptographic Interoperability Testing Handbook will be available on this website in 2013. It will contain more details about the testing requirements and processes.
In addition to developing the interoperability requirements and test plans, NSA will make available a conformance test tool for each approved protocol. The test tools will provide to the sponsors and/or vendors a way to test their products prior to the actual conformance testing, thereby decreasing the likelihood of interoperability failure. The following conformance test tool is currently available:
The Internet Protocol Security (IPsec) Conformance Evaluator (ICE) test tool is available for public distribution. The focus of the ICE test tool is to validate the conformance of the IPsec protocols in products against the interoperability requirements (specifications) established and approved by NSA.
To obtain a copy of ICE test tool and to provide feedback, an IPsec implementer or partner must submit an official request to the NSA Network Solutions Division. Address your request to the contact information below:
Disclaimer: The item is provided "as is." Any expressed or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this item, even if advised of the possibility of such damage.
Recipient agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of Recipient or third parties, damage to or destruction of property of Recipient or third parties, and infringement or other violations of intellectual property or technical data rights.
Starting in 3QFY13, the TLS Conformance Evaluator (TCE) test tool will be available for public distribution.
To obtain a copy of the TCE test tool and to provide feedback, an official request must be submitted to the NCSMO. Address your request to the contact information below:
A key aspect of Suite B Cryptography is its use of elliptic curve technology instead of classic public key technology. In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom, Inc. covering a variety of elliptic curve technology. Under the license, NSA has the right to grant a sublicense to vendors building certain types of products or components that can be used for protecting national security information. Click here to view a sample license.
Click for more information www.nsa.gov/ia/contacts/index.shtml
RFC 6090, Fundamental Elliptic Curve Cryptography Algorithms, addresses the existence of prior art with some of the elliptic curve technology.
The following guides are provided to assist sponsor and/or vendors in developing and integrating Suite B into their products:
Suite B Implementers' Guide to FIPS 186-3 (ECDSA)
The Suite B Implementers' Guide to FIPS 186-3 (ECDSA) specifies the Elliptic Curve Digital Signature Algorithm (ECDSA) from the Digital Signature Standard, FIPS 186-3, that will be used in future and existing cryptographic protocols for Suite B products. It also includes the Suite B elliptic curve domain parameters, along with example data for the ECDSA signature algorithm and auxiliary functions that are necessary for ECDSA implementations to be in compliance with FIPS 186-3 and Suite B.
Suite B Implementers' Guide to NIST SP 800-56A
The Suite B Implementers' Guide to NIST SP 800-56A further details the specific Elliptic Curve Diffie-Hellman (ECDH) key-agreement schemes from NIST SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography that will be used in future and existing cryptographic protocols for Suite B products. Also included are the elliptic curves and domain parameters, key generation methods, the ECDH primitives, key derivation functions, and other auxiliary functions that are necessary for ECDH scheme implementations to be in compliance with NIST SP 800-56A and Suite B.
Handling Requirements of Suite B Cryptography
Because it does not contain any classified algorithms or technology, users may be able to handle these cryptographic products as non-Controlled COMSEC Items (non-CCI). Users will have to account for these cryptographic products as cryptographic high valued products (CHVPs) once it is keyed. As a result, customers using Suite B cryptographic products may be able to save time, costs, and manpower.
Secure & Interoperable Cryptographic Products: The Ultimate Goal
The use of Suite B algorithms and NSA-approved specifications of standards-based protocols can only ensure interoperability among the cryptographic products used to protect NSS and information therein. Creating secure cryptographic components, products and solutions involves much more than simply implementing a specific cryptographic protocol or suite of cryptographic algorithms. Information Assurance (IA) and IA-enabled products to be used on systems entering, processing, storing, displaying, or transmitting national security information must be validated or certified in accordance with National Security Telecommunications and Information System Security Policy (NSTISSP) No. 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products.” As we move toward the use of more commercial solutions and using publicly-available algorithms and protocols, achieving interoperability and security validation/certification should be considered the ultimate goal of sponsors and vendors alike.
Point of Contact
Questions about Suite B Cryptography, Cryptographic Interoperability Strategy (CIS), or the NSA Cryptographic Interoperability Testing (NCIT) requirements and process should contact the National Cryptographic Solutions Management Office (NCSMO) at (410) 854-8577.
Date Posted: Jan 15, 2009 | Last Modified: Apr 29, 2013 | Last Reviewed: Apr 29, 2013