Movatterモバイル変換

[0]ホーム

Jump to content

Commercial National Security Algorithm Suite

Edit links

From Wikipedia, the free encyclopedia

Set of cryptographic algorithms by the NSA

TheCommercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithmspromulgated by theNational Security Agency as a replacement forNSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to theTOP SECRET level. Two versions of CNSA exist: the pre-quantum 1.0 of 2015 and thequantum-resistant 2.0 of 2022.^[1]^[2]^[3]^[4]^[5]^[6]

[edit]

CNSA 1.0

[edit]

A singular parameter length is provided for protection up to TOP SECRET level.

Components of CNSA 1.0
Purpose	Algorithm	Standard	Parameter Length	Bits of Security	Notes
Symmetric encryption	AES	FIPS 197	256	256
Digital Signature	Elliptic Curve Digital Signature Algorithm (ECDSA)	FIPS 186-4	384	192	Use curveP-384 only.
Digital Signature	RSA	FIPS 186-4	3072	128	Minimum modulus size, can be larger.
Key agreement	Elliptic-curve Diffie–Hellman (ECDH)	NIST SP 800-56Ar3	384	192	Use curveP-384 only.
	Diffie–Hellman key exchange	RFC 3526	3072	128	Minimum modulus size, can be larger.
	RSA	FIPS SP 800-56Br2	3072	128	Minimum modulus size, can be larger.
Message digest	SHA-2	FIPS 180-4	384	192	Use exactly SHA-384.

The CNSA 1.0 transition is notable for movingRSA from a temporarylegacy status, as it appeared in Suite B, tosupported status. It also did not include theDigital Signature Algorithm. This, and the overall delivery and timing of the announcement, in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons.^[7]^[8]^[9]

Documents describing the integration of CNSA 1.0 with Internet protocols include:

RFC 9151 Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3
RFC 9206 Commercial National Security Algorithm (CNSA) Suite Cryptography for Internet Protocol
RFC 9212 Commercial National Security Algorithm (CNSA) Suite Cryptography for Secure Shell (SSH)
RFC 8755 Using Commercial National Security Algorithm Suite Algorithms in Secure/Multipurpose
RFC 8756 Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMS
RFC 8603 Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile

CNSA 2.0

[edit]

In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. Again, all parameters are provided for classified information up to TOP SECRET level.^[10]

Components of CNSA 2.0^[11]
Purpose	Algorithm	Standard	Parameter Length	Bits of Security	Notes
Symmetric encryption	AES	FIPS 197-upd1	256	256
Key agreement	ML-KEM	FIPS 203	ML-KEM-1024	256
Digital signature	ML-DSA	FIPS 204	ML-DSA-87	256
Message digest of data	SHA-2	FIPS 180-4	384 or 512	192 or 256
Digital signature of firmware and software	Leighton-Micali	NIST SP 800-208	192 or 256	192 or 256	All standard parameter sets are approved, the minimum being SHA256/192. SHA256/192 is the recommended choice.
Digital signature of firmware and software	Xtended Merkle	NIST SP 800-208	192 or 256	192 or 256	All standard parameter sets are approved, the minimum being SHA256/192.

Note that compared to CNSA 1.0, CNSA 2.0:

Suggests separate post-quantum algorithms (XMSS/LMS) for software/firmware signing for use immediately
Allows SHA-512
Announced the selection of CRYSTALS-Kyber and CRYSTALS-Dilithium early, with the expectation that they will be mandated only when the final standards and FIPS-validated implementations are released. RSA, Diffie-Hellman, and elliptic curve cryptography will be deprecated at that time.

Documents describing the integration of CNSA 2.0 with Internet protocols include:

draft-becker-cnsa2-smime-profile-01 Commercial National Security Algorithm (CNSA) Suite Profile for Secure/Multipurpose Internet Mail Extensions (S/MIME)
draft-becker-cnsa2-ssh-profile-02 Commercial National Security Algorithm (CNSA) Suite Profile for SSH
draft-becker-cnsa2-tls-profile-02 Commercial National Security Algorithm (CNSA) Suite Profile for TLS 1.3
draft-guthrie-cnsa2-ipsec-profile-01 Commercial National Security Algorithm (CNSA) Suite 2.0 Profile for IPsec
draft-jenkins-cnsa2-cmc-profile-01 Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMS
draft-jenkins-cnsa2-pkix-profile-03 Commercial National Security Algorithm Suite Certificate and Certificate Revocation List Profile

References

[edit]

^Cook, John (2019-05-23)."NSA recommendations | algorithms to use until PQC".www.johndcook.com. Retrieved2020-02-28.
^"Announcing the Commercial National Security Algorithm Suite 2.0"(PDF).United States Department of Defense. 2022-09-07. Archived fromthe original(PDF) on September 8, 2022. Retrieved2024-06-10.
^"CNSA Suite and Quantum Computing FAQ"(PDF).cryptome.org. January 2016. Retrieved24 July 2023.
^"Use of public standards for the secure sharing of information among national security systems, Advisory Memorandum 02-15 CNSS Advisory Memorandum Information Assurance 02-15".Committee on National Security Systems. 2015-07-31. Archived fromthe original on 2020-02-28. Retrieved2020-02-28.
^"Commercial National Security Algorithm Suite".apps.nsa.gov. 19 August 2015. Archived fromthe original on 2022-02-18. Retrieved2020-02-28.
^Housley, Russ; Zieglar, Lydia (July 2018)."RFC 8423 - Reclassification of Suite B Documents to Historic Status".tools.ietf.org. Retrieved2020-02-28.
^"NSA's FAQs Demystify the Demise of Suite B, but Fail to Explain One Important Detail – Pomcor". 9 February 2016. Retrieved2020-02-28.
^"A riddle wrapped in a curve".A Few Thoughts on Cryptographic Engineering. 2015-10-22. Retrieved2020-02-28.
^Koblitz, Neal; Menezes, Alfred J. (2018-05-19)."A Riddle Wrapped in an Enigma".Cryptology ePrint Archive.
^"Post-Quantum Cybersecurity Resources".www.nsa.gov. Retrieved2023-03-03.
^"Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0"(PDF).United States Department of Defense.National Security Agency. May 2025. Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10. Retrieved2026-01-26.{{cite web}}: CS1 maint: url-status (link)

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics,Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97,89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q QARMA RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Modn Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

Public-key cryptography

Algorithms

Integer factorization	Benaloh Blum–Goldwasser Cayley–Purser Damgård–Jurik GMR Goldwasser–Micali Naccache–Stern Paillier Rabin RSA Okamoto–Uchiyama Schmidt–Samoa
Discrete logarithm	BLS Cramer–Shoup DH DSA ECDH X25519 X448 ECDSA EdDSA Ed25519 Ed448 ECMQV EKE ElGamal signature scheme MQV Schnorr SPEKE SRP STS
Lattice/SVP/CVP/LWE/SIS	BLISS Kyber NewHope NTRUEncrypt NTRUSign RLWE-KEX RLWE-SIG
Others	AE CEILIDH EPOC HFE IES Lamport McEliece Merkle–Hellman Naccache–Stern knapsack cryptosystem Three-pass protocol XTR SQIsign SPHINCS⁺

Theory

Standardization

Topics

v t e Cryptographic hash functions andmessage authentication codes
List Comparison Known attacks
Common functions	MD5 (compromised) SHA-1 (compromised) SHA-2 SHA-3 BLAKE2
SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)
Other functions	BLAKE3 CubeHash ECOH FSB Fugue GOST HAS-160 HAVAL Kupyna LSH Lane MASH-1 MASH-2 MD2 MD4 MD6 MDC-2 N-hash RIPEMD RadioGatún SIMD SM3 SWIFFT Shabal Snefru Streebog Tiger VSH Whirlpool
Password hashing/ key stretching functions	Argon2 Balloon bcrypt Catena crypt LM hash Lyra2 Makwa PBKDF2 scrypt yescrypt
General purpose key derivation functions	HKDF KDF1/KDF2
MAC functions	CBC-MAC DAA GMAC HMAC NMAC OMAC/CMAC PMAC Poly1305 SipHash UMAC VMAC
Authenticated encryption modes	CCM ChaCha20-Poly1305 CWC EAX GCM IAPM OCB
Attacks	Collision attack Preimage attack Birthday attack Brute-force attack Rainbow table Side-channel attack Length extension attack
Design	Avalanche effect Hash collision Merkle–Damgård construction Sponge function HAIFA construction
Standardization	CAESAR Competition CRYPTREC NESSIE NIST hash function competition Password Hashing Competition NSA Suite B CNSA
Utilization	Hash-based cryptography Merkle tree Message authentication Proof of work Salt Pepper

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category