In the current global environment, rapid and secure information sharing is important to protect our Nation, its citizens and its interests. Strong cryptographic algorithms and secure protocol standards are vital tools that contribute to our national security and help address the ubiquitous need for secure, interoperable communications.
Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA's Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS). Below, we announce preliminary plans for transitioning to quantum resistant algorithms.
Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms. For those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.
For those vendors and partners that have already transitioned to Suite B, we recognize that this took a great deal of effort on your part, and we thank you for your efforts. We look forward to your continued support as we work together to improve information security for National Security customers against the threat of a quantum computer being developed. Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, which has made it clear that elliptic curve cryptography is not the long term solution many once hoped it would be. Thus, we have been obligated to update our strategy.
It is important to note that we aren't asking vendors to stop implementing the Suite B algorithms and we aren't asking our national security customers to stop using these algorithms. Rather, we want to give more flexibility to vendors and our customers in the present as we prepare for a quantum safe future. Where elliptic curve protocols are to be used, we prefer Suite B standards be used to the fullest extent possible as they have a long history of security evaluation and time tested implementation that newer proposals do not yet have.
For example, CSfC deployments involving an IKE/IPsec layer may use RFC 2409-conformant implementations of the IKE standard (IKEv1) together with large, high-entropy, pre-shared keys and the AES-256 encryption algorithm. RFC 2409 is the only version of the IKE standard that leverages symmetric pre-shared keys in a manner that may achieve quantum resistant confidentiality. Additionally, MACsec key agreement as specified in IEEE 802.1X-2010, and the RFC 4279 TLS specification provide further options for implementing quantum resistant security measures today. These options also involve key agreement schemes that leverage large symmetric pre-shared keys.
With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability.
During the current transition phase, the following public algorithms should be used to protect IA and IA-enabled IT products with integrated cryptography acquired by U.S. Government Departments and Agencies to protect NSS and the information that resides therein:
A CNSS Advisory Memo is or will soon be available on the CNSS website. This CNSS Advisory Memo will serve as the official interim guidance to NSS customers until a revision to CNSSP-15, National Information Assurance Policy on the Use of Public Standards for Secure Sharing of Information Among National Security Systems, is published codifying the increased near-term algorithm flexibility described above.
The NSA Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate using a layered commercial solution based on public cryptography and secure protocol standards. Visit the Commercial Solutions for Classified Program site for more information including the current CSfC Components List.
Point of Contact
Date Posted: Jan 15, 2009 | Last Modified: Aug 19, 2015 | Last Reviewed: Aug 19, 2015