Welcome to the National Security Agency - NSA/CSS

The secure sharing of information among Department of Defense, coalition forces, and first responders motivates the need for widespread cryptographic interoperability and for NSA-approved information assurance products that meet appropriate security standards to protect classified information.

A Cryptographic Interoperability Strategy (CIS) was developed to find ways to increase assured rapid sharing of information both within the U.S. and between the U.S. and partners through the use of a common suite of public standards, protocols, algorithms and modes referred to as the "Secure Sharing Suite" or S.3. The implementation of CIS will facilitate the development of a broader range of secure cryptographic products which will be available to a wide customer base. Some operational examples include enabling the U.S. Government to share intelligence information securely with State and local First Responders and providing war fighters on the battlefield the capability to share time-sensitive information securely with non-traditional coalition partners. To achieve the Strategy, NSA is working to influence International standards groups as well as national policies for securing National Security Systems. The use of selected public cryptographic standards and protocols and Suite B is the core of CIS.

Commercial Solutions for Classified (CSFC) will allow COTS information assurance products to be used in layered solutions to protect classified information.  Click on the “Commercial Solutions for Classified Program” tab for more information.

Suite B cryptography has been selected from cryptography that has been approved by NIST for use by the U.S. Government and specified in NIST standards or recommendations.  Suite B Cryptography is formalized in CNSSP-15, National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems, dated March 2010.

Standards
The focus has been to leverage Federal and Internet standards, protocols and algorithms. Several Internet Engineering Task Force (IETF) protocol standards have been identified as having potential widespread use. IETF Request for Comments (RFCs) have been established to allow the use of Suite B Cryptography with these protocols.  Additional IETF protocols are being assessed for their potential widespread use.  The development of Internet Drafts to allow the use of Suite B Cryptography is either underway or being considered for these.

The next three sections identify the current IETF and NIST algorithm, protocol and modes standards that relate to Suite B Cryptography.

Algorithms
In 2005, NSA publicly announced Suite B Cryptography which built on the National Policy on the use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (CNSSP-15). CNSSP-15 has been updated to address CIS and Suite B. In addition to AES, Suite B includes cryptographic algorithms for key exchange, digital signatures, and hashing; specifically:
Encryption:
Advanced Encryption Standard (AES) - FIPS PUB 197 (with keys sizes of 128 and 256 bits)

Key Exchange:
The Ephemeral Unified Model and the One-Pass Diffie Hellman (referred to as ECDH) - NIST Special Publication 800-56A (using the curves with 256 and 384- bit prime moduli)

Digital Signature:
Elliptic Curve Digital Signature Algorithm (ECDSA) – FIPS PUB 186-3 (using the curves with 256 and 384-bit prime moduli)

Hashing:
Secure Hash Algorithm (SHA) - FIPS PUB 180-4 (using SHA-256 and SHA-384)

AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. Until the conclusion of the transition period defined in CNSSP-15, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.

NSA also defined another algorithm suite, Suite A, which contains both classified and unclassified algorithms. Suite A will be used in applications where Suite B may not be appropriate.  Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI).

Certain commercial IA and IA-enabled IT products that contain cryptography and the technical data regarding them are subject to Federal Government export controls.   Export of products that implement the NIST standards that define Suite B or associated technical data must comply with the Federal Government regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce.  Information about export regulations is available at: http://www.bis.doc.gov/index.html

Protocols
The following documents provide guidance for using Suite B cryptography with internet protocols:
IPsec using the Internet Key Exchange (IKE) or IKEv2: "Suite B Cryptographic Suites for IPsec," RFC 6379

"Suite B Profile for Internet Protocol Security (IPsec)," RFC 6380

TLS: "Suite B Profile for TLS," RFC 6460

"TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)"

S/MIME: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)," RFC 6318

SSH: "AES Galois Counter Mode for the Secure Shell Transport Layer Protocol," RFC 5647

Suite B Cryptographic Suites for SSH," RFC 6239

Protocol profiles will be developed to aid in the selection of options to promote interoperability. NIST has developed an IPsec profile, NIST Special Publication 500-267, "A Profile for IPv6 in the U.S. Government – Version 1.0,".

Modes of Operation
The Galois/Counter Mode (GCM) is the preferred AES mode.  NIST Special Publication 800-38D, Recommendations for Block Cipher Modes of Operation: Galois/Counter Mode, contains an application independent description of GCM.  RFC 4106 and RFC 4869 describe the use of GCM in IPsec Encapsulating Security Payload (ESP).  RFC 5288 describes the use of GCM in Transport Layer Security (TLS).

The Cipher Block Chaining (CBC) mode has been approved for use in IKE and IKEv2 as well as IEEE 802.11.  NIST Special Publication 800-38A, Recommendations for Block Cipher Modes of Operation – Methods and Techniques, contains an application independent description of CBC.   RFC 3602 and RFC 6379 describe the use of CBC with IPsec.

Infrastructure
NSA is developing an infrastructure to support products that contain Suite B Cryptography. A base set of certificate and CRL formats to support interoperability among Suite B solutions may be found in "Suite B Certificate and Certificate Revocation List (CRL) Profile," RFC 5759 and companion document Suite B Certificate and CRL Examples.  The “Suite B Profile of Certificate Management over CMS” is RFC 6403.

Evaluation and Validation
Creating secure cryptographic components, products and solutions involves much more than simply implementing a specific cryptographic protocol or suite of cryptographic algorithms. Information Assurance (IA) and IA-enabled products to be used on systems entering, processing, storing, displaying, or transmitting national security information must be validated or certified in accordance with NSTISSP No. 11, Revised Fact Sheet National Information Assurance Acquisition Policy.

Interoperability and Conformance Testing
Enabling the secure sharing of information through widespread cryptographic interoperability is the goal of CIS. 

Internet Protocol Security (IPsec) Minimum Essential Interoperability Requirements (IPMEIR) is being implemented in government equipment to foster interoperability with commercial industry. IPMEIR Version 1.0.1, dated 16 December 2011 supports the commercial interoperability specification Suite B strategy by providing commercial IPsec network product producers and traditional government network encryptor vendors with minimum interoperability requirements.

Intellectual Property
A key aspect of Suite B Cryptography is its use of elliptic curve technology instead of classic public key technology. In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom, Inc. covering a variety of elliptic curve technology. Under the license, NSA has the right to grant a sublicense to vendors building certain types of products or components that can be used for protecting national security information. Click here to view a sample license.

Click for more information www.nsa.gov/ia/contacts/index.shtml

RFC 6090, Fundamental Elliptic Curve Cryptography Algorithms, addresses the existence of prior art with some of the elliptic curve technology.

Implementation Guides

Suite B Implementers' Guide to FIPS 186-3 (ECDSA)
The Suite B Implementers' Guide to FIPS 186-3 (ECDSA) specifies the Elliptic Curve Digital Signature Algorithm (ECDSA) from the Digital Signature Standard, FIPS 186-3, that will be used in future and existing cryptographic protocols for Suite B products. It also includes the Suite B elliptic curve domain parameters, along with example data for the ECDSA signature algorithm and auxiliary functions that are necessary for ECDSA implementations to be in compliance with FIPS 186-3 and Suite B.

Suite B Implementers' Guide to FIPS 186-3 (ECDSA) - February 2010

Suite B Implementers' Guide to NIST SP 800-56A
The Suite B Implementers' Guide to NIST SP 800-56A further details the specific Elliptic Curve Diffie-Hellman (ECDH) key-agreement schemes from NIST SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptographythat will be used in future and existing cryptographic protocols for Suite B products. Also included are the elliptic curves and domain parameters, key generation methods, the ECDH primitives, key derivation functions, and other auxiliary functions that are necessary for ECDH scheme implementations to be in compliance with NIST SP 800-56A and Suite B.

Suite B Implementers' Guide to NIST SP 800-56A

Companion document Mathematical Routines for NIST Prime Elliptic Curves