National Security Agency / Central Security Service - Top Banner

The rapid and secure sharing of information is vital to the strategic and national interests of the U.S. and its Allies. Whether communicating with a tactical user at the frontlines of a battlefield or a law enforcement officer in a mobile command during a terrorist attack, the speed and security of sending and receiving information may impact a number of consequences such as casualties and collateral damage. Because of the highly complex nature of modern communications technology, it is extremely important that the federal government, industry, foreign partners, and international organizations cooperate to achieve secure interoperability. NSA has been and continues to be dedicated to providing widespread cryptographic interoperability capabilities to protect classified national security systems.  NSA has developed two major efforts to promote widespread cryptographic interoperability:

• Cryptographic Interoperability Strategy
• NSA Commercial Solutions for Classified Program

[This information is intended to inform cryptographic developers and end users of cryptographic products]

The Cryptographic Interoperability Strategy (CIS) was developed to increase assured rapid sharing of information both within the U.S. and between the U.S. and its partners through the use of a common suite of public standards, protocols, algorithms, and modes. The implementation of CIS will facilitate the development of a broader range of secure cryptographic products which will be available to a wide customer base. Operational examples include enabling the U.S. Government to securely share intelligence information with State and Local First Responders and for war fighters to securely share information on the battlefield with non-traditional coalition partners. To achieve the Strategy, NSA is working to influence International standards groups such as the Internet Engineering Task Force (IETF).

One public standard for algorithms that has become popular is known as Suite B. Suite B is a publicly-available set of algorithms that may be used to protect classified national security systems and information. Suite B includes cryptographic algorithms for confidentiality, key exchange, digital signature, and hashing. The combination of Suite B algorithms and the NSA-approved specification of the standards-based protocols are considered to be the Suite B Cryptography – the core of CIS. 

The NSA Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified National Security System (NSS) data. This will provide the ability to securely communicate using a solution based on commercial Suite B standards.  Specific protocols are in the CSfC Capability Packages. Visit the Commercial Solutions for Classified Program site for more information.

CNSSP-15, National Information Assurance Policy on the Use of Public Standards for Secure Sharing of Information Among Security Systems

The Committee on National Security Systems (CNSS) established a cryptographic interoperability policy for Information Assurance (IA) and IA-enabled IT products acquired by U.S. Government Departments and Agencies to protect national security systems (NSS) and information therein. 

The CNSSP-15 policy states that:

• NSA-approved cryptography is required to protect NSS and information therein.
• Widespread cryptographic interoperability among NSS requires:
• The use of NSA-approved public standards-based security protocols;
• IA and IA-enabled IT products with integrated cryptography acquired to protect NSS and information therein shall adhere to the following:
• After 1 October 2015, the appropriate Suite B cryptographic algorithms (see Suite B Algorithms below) or a commensurate suite of NSA-approved cryptographic algorithms shall be included;
• Prior to 1 October 2015, the appropriate Suite B cryptographic algorithms (see Suite B Algorithms below) and/or the appropriate legacy cryptographic algorithms, or a commensurate suite of NSA-approved cryptographic algorithms shall be included;
• Be compliant with NSA-approved public key and key management infrastructures as appropriate; and
• Successfully complete security protocol interoperability testing by an NSA-approved security protocol interoperability testing service.
• Public key and key management infrastructures that support the use of IA and IA-enabled IT products that protect NSS must be approved by NSA and must comply with CNSSP-15.
• To ensure interoperability, after 1 October 2015, U.S. Government Department and Agencies’ infrastructures that provide products and services to support IA and IA-enabled IT products protecting NSS and the information therein shall be able to support NSA-approved Suite B certificates and the Suite B cryptographic algorithms.
• IA and IA-enabled products acquired to protect NSS and the information that resides therein shall be evaluated and validated in accordance with NSTISSP-11.

In the event that mission requirements preclude meeting these CNSSP-15 requirements, permission to use NSA-approved mission-specific security protocols and cryptographic algorithms may be granted by NSA. For a copy of CNSSP-15, please visit the CNSS website.

Suite B Algorithms

The Suite B Algorithms were approved by the National Institute of Standards and Technology (NIST) and have been adopted by NSA. The Suite B Algorithms consists of cryptographic algorithms for confidentiality, key exchange, digital signature, and hashing. Specifically:

ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 currently provide adequate protection for classified information up to the SECRET level. AES with 128-bit keys and SHA-256 currently provide adequate protection for classified information up to the SECRET level. 

Because the adoption of elliptic curve cryptography has been slow, NSA has allowed a transition period for ECDH and ECDSA. During this transition, Diffie-Hellman (DH) Key Exchange, Digital Signature Algorithm (DSA), and Rivest-Shamir-Adelman Algorithm (RSA) may be used with a 2048-bit modulus to protect classified information up to the SECRET level. 

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.

NSA discourages the use of AES-128 or SHA-256 for equipment/products designed to protect NSS and information therein. Sponsors/vendors that are planning to develop products with AES-128, SHA-256, DH, DSA, and/or RSA 2048-bit modulus are encouraged to contact NSA prior to such development.  In situations where Suite B is not feasible or appropriate, other NSA-approved algorithms and protocols may be used. Because these exceptions must be approved by NSA, product sponsors and developers should contact NSA early in the development process.

Certain commercial IA and IA-enabled IT products that contain cryptography and the technical data regarding them are subject to Federal Government export controls. Export of products that implement NIST standards that define Suite B or associated technical data must comply with Federal Government regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Information about export regulations is available at: http://www.bis.doc.gov/index.html.

Standards and Protocols

NSA is developing cryptographic interoperability specifications for some standards-based security protocols.  NSA has also established interoperability testing processes for both the government off-the-shelf (GOTS) products undergoing certification or approval for use and commercial off-the-shelf (COTS) products undergoing the CSfC Components Listing process.

NSA leverages Federal and internet standards and protocols as it develops the cryptographic interoperability specifications/profiles. Several Internet Engineering Task Force (IETF) protocol standards have been identified by NSA as having potential widespread interoperability use. Several IETF RFCs have been established to allow the use of Suite B Cryptography with these protocols.  (See NSA-approved Protocols section below.)

In addition to the IETF standards, an implementer must consult the relevant NIST standards and the Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program in order to understand NIST’s validation requirements.

Modes of Operation

The Galois/Counter Mode (GCM) is the preferred AES mode. NIST Special Publication 800-38D, Recommendations for Block Cipher Modes of Operation: Galois/Counter Mode, contains an application independent description of GCM. RFC 4106 and RFC 4869 describe the use of GCM in IPsec Encapsulating Security Payload (ESP). RFC 5288 describes the use of GCM in Transport Layer Security (TLS).

The Cipher Block Chaining (CBC) mode has been approved for use in IKEv2 as well as IEEE 802.11. NIST Special Publication 800-38A, Recommendations for Block Cipher Modes of Operation – Methods and Techniques, contains an application independent description of CBC. RFC 3602 and RFC 6379 describe the use of CBC with IPsec.

Certificate Infrastructure

NSA is developing key management guidance to support products that contain Suite B Cryptography. A base set of certificate and CRL formats to support interoperability among Suite B solutions may be found in Suite B Base Certificate and Certificate Revocation List (CRL) Profile, RFC 5759 and companion document Suite B Certificate and CRL Examples.  The Suite B Profile of Certificate Management over CMS is RFC 6403.

NSA-Approved Specification of Protocols

In order to meet the CNSSP-15 requirement, cryptographic products must use the appropriate Suite B protocols. Information about these protocols and/or specifications may be obtained by contacting the National Cryptographic Solutions Management Office (NCSMO). At this time, NSA has completed the following requirement/specification:

• Internet Protocol Security (IPsec)

NSA expects the following protocol to be completed by the 3QFY13:

• Transport Layer Security (TLS) Protocol

NSA is currently looking at the potential standardization and specification of the following:

• Transport Layer Security (TLS) Protocol for Virtual Private Networks (VPN) (Note: This is often confused as Secure Sockets Layer (SSL) Protocol.)
• Datagram Transport Layer Security (DTLS) – Secure Real-Time Protocol (SRTP)
• Session Description Protocol (SDP) - SRTP
• Secure/Multipurpose Internet Mail Extensions (S/MIME) Protocol
• Secure Shell Transport Layer (SSH) Protocol

The following documents provide guidance for using Suite B cryptography with internet protocols:

Internet Protocol Security (IPsec) Minimum Essential Interoperability Requirements (IPMEIR) is being implemented in government equipment to foster interoperability with commercial industry. IPMEIR Version 1.0.2 dated 29 March 2013 support the CIS by providing commercial IPsec network product producers and traditional government network encryptor vendors with minimum interoperability requirements.

IPsec using the Internet Key Exchange Version 2 (IKEv2): "Suite B Profile for Internet Protocol Security (IPsec)," RFC 6380

TLS: "Suite B Profile for Transport Layer Security (TLS)," RFC 6460

S/MIME: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)," RFC 6318

SSH: "Suite B Cryptographic Suites for Secure Shell (SSH),” RFC 6239

NIST has developed an IPsec profile, NIST Special Publication 500-267, "A Profile for IPv6 in the U.S. Government – Version 1.0"

NSA Cryptographic Interoperability Testing

Per CNSSP-15, NSA has established an interoperability testing process that is comprised of two testing requirements: Protocol Conformance Testing and Interoperability Technical Testing.

Protocol Conformance Testing is performed as a bench test and is limited to the basic protocol elements. It is based on the interoperability requirements for each NSA-approved specification of standards-based security protocol and constitutes a set of tests that ensure that a product implements the protocol according to the NSA interoperability requirements. This test will be conducted at the National Information Assurance Program (NIAP) labs during commercial testing for the CSfC Components Listing process or in parallel with the Security Validation Testing phase for the GOTS certification or approval for use process.

Interoperability Technical Testing is performed after a product has passed conformance testing and is designed to validate whether a product can interoperate/communicate with other previously-tested and interoperable equipment. The testing is restricted to a single protocol (layer) at a time. It is meant to test products in a realistic operational environment, including communication over the Defense Information System Network (DISN). The technical testing will be conducted at the Joint Interoperability Test Command (JITC) or other NSA-approved interoperability testing facility. Products in both the CSFC Components Listing process and the GOTS certification or approval for use process will follow the same technical testing procedures.

NSA will identify those cryptographic products that have passed cryptographic interoperability testing and will make the NSA Cryptographic Interoperability List (NCIL) available on the NSA.gov website.

Interoperability testing does not test for IA security. Products will still be required to undergo security testing per NSTISSIP-11.  Passing interoperability testing does not guarantee passing the security requirements in either the CSfC Components Listing process or GOTS certification or approval for use process.

An NSA Cryptographic Interoperability Testing Handbook will be available on this website in 2013. It will contain more details about the testing requirements and processes.

Availability of Conformance Test Tools

In addition to developing the interoperability requirements and test plans, NSA will make available a conformance test tool for each approved protocol. The test tools will provide to the sponsors and/or vendors a way to test their products prior to the actual conformance testing, thereby decreasing the likelihood of interoperability failure. The following conformance test tool is currently available:

• IPsec Conformance Evaluator (ICE) Test Tool

The Internet Protocol Security (IPsec) Conformance Evaluator (ICE) test tool is available for public distribution. The focus of the ICE test tool is to validate the conformance of the IPsec protocols in products against the interoperability requirements (specifications) established and approved by NSA.

To obtain a copy of ICE test tool and to provide feedback, an IPsec implementer or partner must submit an official request to the NSA Network Solutions Division. Address your request to the contact information below:

E-mail:  ice_po@nsa.gov

Mail:
NSA Network Solutions Division
9800 Savage Road, Suite #6711
Fort Meade, Maryland 20755

Disclaimer: The item is provided "as is." Any expressed or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this item, even if advised of the possibility of such damage.

Recipient agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of Recipient or third parties, damage to or destruction of property of Recipient or third parties, and infringement or other violations of intellectual property or technical data rights.

• Transport Layer Security (TLS) Conformance Evaluator (TCE) Test Tool

Starting in 3QFY13, the TLS Conformance Evaluator (TCE) test tool will be available for public distribution. 

To obtain a copy of the TCE test tool and to provide feedback, an official request must be submitted to the NCSMO.  Address your request to the contact information below:

E-mail:  tce_po@nsa.gov

Mail:
National Cryptographic Solutions Management Office
Attn: NCIT Management Team
9800 Savage Road, Suite #6724
Fort Meade, Maryland 20755

Intellectual Property

A key aspect of Suite B Cryptography is its use of elliptic curve technology instead of classic public key technology. In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom, Inc. covering a variety of elliptic curve technology. Under the license, NSA has the right to grant a sublicense to vendors building certain types of products or components that can be used for protecting national security information. Click here to view a sample license.

Click for more information www.nsa.gov/ia/contacts/index.shtml

RFC 6090, Fundamental Elliptic Curve Cryptography Algorithms, addresses the existence of prior art with some of the elliptic curve technology.

Implementation Guides

The following guides are provided to assist sponsor and/or vendors in developing and integrating Suite B into their products:

Suite B Implementers' Guide to FIPS 186-3 (ECDSA)

The Suite B Implementers' Guide to FIPS 186-3 (ECDSA) specifies the Elliptic Curve Digital Signature Algorithm (ECDSA) from the Digital Signature Standard, FIPS 186-3, that will be used in future and existing cryptographic protocols for Suite B products. It also includes the Suite B elliptic curve domain parameters, along with example data for the ECDSA signature algorithm and auxiliary functions that are necessary for ECDSA implementations to be in compliance with FIPS 186-3 and Suite B.
Suite B Implementers' Guide to FIPS 186-3 (ECDSA) - February 2010

Suite B Implementers' Guide to NIST SP 800-56A

The Suite B Implementers' Guide to NIST SP 800-56A further details the specific Elliptic Curve Diffie-Hellman (ECDH) key-agreement schemes from NIST SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography that will be used in future and existing cryptographic protocols for Suite B products. Also included are the elliptic curves and domain parameters, key generation methods, the ECDH primitives, key derivation functions, and other auxiliary functions that are necessary for ECDH scheme implementations to be in compliance with NIST SP 800-56A and Suite B.

Suite B Implementers' Guide to NIST SP 800-56A

Companion document Mathematical Routines for NIST Prime Elliptic Curves

Handling Requirements of Suite B Cryptography

Because it does not contain any classified algorithms or technology, users may be able to handle these cryptographic products as non-Controlled COMSEC Items (non-CCI).  Users will have to account for these cryptographic products as cryptographic high valued products (CHVPs) once it is keyed.  As a result, customers using Suite B cryptographic products may be able to save time, costs, and manpower. 

Secure & Interoperable Cryptographic Products:  The Ultimate Goal

The use of Suite B algorithms and NSA-approved specifications of standards-based protocols can only ensure interoperability among the cryptographic products used to protect NSS and information therein. Creating secure cryptographic components, products and solutions involves much more than simply implementing a specific cryptographic protocol or suite of cryptographic algorithms.  Information Assurance (IA) and IA-enabled products to be used on systems entering, processing, storing, displaying, or transmitting national security information must be validated or certified in accordance with National Security Telecommunications and Information System Security Policy (NSTISSP) No. 11, “National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products.”  As we move toward the use of more commercial solutions and using publicly-available algorithms and protocols, achieving interoperability and security validation/certification should be considered the ultimate goal of sponsors and vendors alike.

Point of Contact

Questions about Suite B Cryptography, Cryptographic Interoperability Strategy (CIS), or the NSA Cryptographic Interoperability Testing (NCIT) requirements and process should contact the National Cryptographic Solutions Management Office (NCSMO) at (410) 854-8577.