NSA Suite B Cryptography was a set of cryptographic algorithmspromulgated by theNational Security Agency as part of itsCryptographic Modernization Program. It was to serve as an interoperable cryptographic base for both unclassified information and mostclassified information.
Suite B was announced on 16 February 2005. A corresponding set of unpublished algorithms,Suite A, is "used in applications where Suite B may not be appropriate. Both Suite A and Suite B can be used to protect foreign releasable information, US-Only information, and Sensitive Compartmented Information (SCI)."[1]
| Purpose | Algorithm | Standard | Parameter Length | Notes | |
|---|---|---|---|---|---|
| Secret | Top-Secret | ||||
| Symmetric encryption | AES | FIPS 197 | 128 | 256 | For traffic flow, AES should be used with either the Counter Mode (CTR) for low bandwidth traffic or theGalois/Counter Mode (GCM) mode of operation for high bandwidth traffic (seeBlock cipher modes of operation). |
| Digital Signature | Elliptic Curve Digital Signature Algorithm (ECDSA) | FIPS 186-2 | 256 | 384 | CurvesP-256 andP-384, the latter providing 192-bit security. |
| Key agreement | Elliptic-curve Diffie–Hellman (ECDH) | NIST SP 800-56A | 256 | 384 | Same as above. |
| Message digest | SHA-2 | FIPS 180-3 | 256 | 384 | |
In addition, "[d]uring the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level."[2]
In 2015, NSA replaced Suite B with theCommercial National Security Algorithm Suite (CNSA). The general selection of algorithms types remain unchanged. DSA was removed. DH and RSA were reclassified as "supported" instead of "legacy" with the minimum modulus size raised to 3072 bits. In 2018, the Suite B IETF RFC documents were reclassified as historical.[3]
In December 2006, NSA submitted an Internet Draft on implementing Suite B as part ofIPsec. This draft had been accepted for publication byIETF as RFC 4869, later made obsolete by RFC 6379.
Certicom Corporation ofOntario, Canada, which was purchased byBlackBerry Limited in 2009,[4] holds someelliptic curve patents, which have been licensed by NSA for United States government use. These include patents onECMQV, but ECMQV has been dropped from Suite B. AES and SHA had been previously released and have no patent restrictions. See also RFC 6090.
As of October 2012, CNSSP-15[5] stated that the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys are sufficient for protecting classified information up to theSecret level, while the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys are necessary for the protection ofTop Secret information.
However, as of August 2015, NSA indicated that only the Top Secret algorithm strengths should be used to protect all levels of classified information.[1]
In 2018 NSA withdrew Suite B in favor of the CNSA.
Using an algorithm suitable to encrypt information is not necessarily sufficient to properly protect information. If the algorithm is not executed within a secure device the encryption keys are vulnerable to disclosure. For this reason, the US federal government requires not only the use of NIST-validated encryption algorithms, but also that they be executed in a validated Hardware Security Module (HSM) that provides physical protection of the keys and, depending on the validation level, countermeasures against electronic attacks such as differential power analysis and other side-channel attacks. For example, using AES-256 within anFIPS 140-2validated module is sufficient to encrypt only US Government sensitive, unclassified data. This same notion applies to the other algorithms.
In August 2015, NSA announced that it is planning to transition "in the not too distant future" to a new cipher suite that isresistant toquantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." NSA advised: "For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition."[1] New standards are estimated to be published around 2024.[6]
The Suite B algorithms have been replaced byCommercial National Security Algorithm (CNSA) Suite algorithms in 2015.[7]