Commercial National Security Algorithm Suite

The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the top secret level, while the NSA plans for a transition to quantum-resistant cryptography. [1] [2] [3] [4] [5] [6]

[Figure: Timeline for the transition to CNSA 2.0]

The suite includes:

The CNSA transition is notable for moving RSA from a temporary legacy status, as it appeared in Suite B, to supported status. It also did not include the Digital Signature Algorithm. This, together with the overall delivery and timing of the announcement in the absence of post-quantum standards, raised considerable speculation about whether the NSA had found weaknesses, e.g. in elliptic-curve or other algorithms, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons. [7] [8] [9]

In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. [10]

CNSA 2.0 includes: [2]

Note that compared to CNSA 1.0, CNSA 2.0:

The CNSA 2.0 and CNSA 1.0 algorithms, with their functions, specifications, and parameters, are listed below: [11]

CNSA 2.0

| Algorithm | Function | Specification | Parameters |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. |
| Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM aka CRYSTALS-Kyber) | Asymmetric algorithm for key establishment | FIPS PUB 203 | Use ML-KEM-1024 parameter set for all classification levels. |
| Module-Lattice-Based Digital Signature Standard (aka CRYSTALS-Dilithium) | Asymmetric algorithm for digital signatures | FIPS PUB 204 | Use ML-DSA-87 parameter set for all classification levels. |
| Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 or SHA-512 for all classification levels. |
| Leighton-Micali Signature (LMS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. SHA256/192 recommended. |
| Xtended Merkle Signature Scheme (XMSS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. |

CNSA 1.0

| Algorithm | Function | Specification | Parameters |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. |
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm for key establishment | NIST SP 800-56A | Use Curve P-384 for all classification levels. |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Use Curve P-384 for all classification levels. |
| Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 for all classification levels. |
| Diffie-Hellman (DH) Key Exchange | Asymmetric algorithm for key establishment | IETF RFC 3526 | Minimum 3072-bit modulus for all classification levels |
| [Rivest-Shamir-Adleman] RSA | Asymmetric algorithm for key establishment | FIPS SP 800-56B | Minimum 3072-bit modulus for all classification levels |
| [Rivest-Shamir-Adleman] RSA | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Minimum 3072-bit modulus for all classification levels |
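
The two tables can be turned into a machine-checkable policy for auditing a cryptographic inventory. The following is an added example, not part of the original article or of any NSA tooling; the function labels, status strings and inventory records are assumptions constructed for illustration.

```python
# Added example: audit crypto usages against the CNSA 1.0 / 2.0 tables above.
def exact(*allowed):
    return lambda p: p in allowed
def min_bits(n):
    return lambda p: isinstance(p, int) and p >= n
ANY = lambda p: True  # table entry: "All parameters approved"

# (algorithm, function) -> parameter rule; function labels are constructed.
CNSA_1_0 = {
    ("AES", "encryption"): exact(256),
    ("ECDH", "key-establishment"): exact("P-384"),
    ("ECDSA", "signature"): exact("P-384"),
    ("SHA", "hash"): exact("SHA-384"),
    ("DH", "key-establishment"): min_bits(3072),
    ("RSA", "key-establishment"): min_bits(3072),
    ("RSA", "signature"): min_bits(3072),
}
CNSA_2_0 = {
    ("AES", "encryption"): exact(256),
    ("ML-KEM", "key-establishment"): exact("ML-KEM-1024"),
    ("ML-DSA", "signature"): exact("ML-DSA-87"),
    ("SHA", "hash"): exact("SHA-384", "SHA-512"),
    # LMS and XMSS are listed only for firmware and software signing.
    ("LMS", "firmware-software-signing"): ANY,
    ("XMSS", "firmware-software-signing"): ANY,
}

def check(suite, algorithm, function, parameter):
    """Return 'ok', 'bad-parameter' or 'not-in-suite' for one usage."""
    rule = suite.get((algorithm, function))
    if rule is None:
        return "not-in-suite"
    return "ok" if rule(parameter) else "bad-parameter"

def audit(inventory):
    """Map each usage name to its (CNSA 1.0, CNSA 2.0) status."""
    return {name: (check(CNSA_1_0, *use), check(CNSA_2_0, *use))
            for name, *use in inventory}

INVENTORY = [  # constructed sample records, not real systems
    ("tls-cert", "RSA", "signature", 2048),
    ("disk", "AES", "encryption", 256),
    ("boot-sign", "LMS", "firmware-software-signing", "SHA256/192"),
    ("doc-sign", "LMS", "signature", "SHA256/192"),
    ("log-digest", "SHA", "hash", "SHA-512"),
    ("pq-kex", "ML-KEM", "key-establishment", "ML-KEM-768"),
]
if __name__ == "__main__":
    print(audit(INVENTORY))
```

Keying the rules on the (algorithm, function) pair is what lets the audit distinguish an LMS firmware signature, which CNSA 2.0 lists, from LMS used as a general-purpose signature, which it does not.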

References

  1. Cook, John (2019-05-23). "NSA recommendations | algorithms to use until PQC". www.johndcook.com. Retrieved 2020-02-28.
  2. "Announcing the Commercial National Security Algorithm Suite 2.0" (PDF). media.defense.gov. 2022-09-07. Retrieved 2024-06-10.
  3. "CNSA Suite and Quantum Computing FAQ" (PDF). cryptome.org. January 2016. Retrieved 24 July 2023.
  4. "Use of public standards for the secure sharing of information among national security systems, Advisory Memorandum 02-15 CNSS Advisory Memorandum Information Assurance 02-15". Committee on National Security Systems. 2015-07-31. Archived from the original on 2020-02-28. Retrieved 2020-02-28.
  5. "Commercial National Security Algorithm Suite". apps.nsa.gov. 19 August 2015. Archived from the original on 2022-02-18. Retrieved 2020-02-28.
  6. Housley, Russ; Zieglar, Lydia (July 2018). "RFC 8423 - Reclassification of Suite B Documents to Historic Status". tools.ietf.org. Retrieved 2020-02-28.
  7. "NSA's FAQs Demystify the Demise of Suite B, but Fail to Explain One Important Detail – Pomcor". 9 February 2016. Retrieved 2020-02-28.
  8. "A riddle wrapped in a curve". A Few Thoughts on Cryptographic Engineering. 2015-10-22. Retrieved 2020-02-28.
  9. Koblitz, Neal; Menezes, Alfred J. (2018-05-19). "A Riddle Wrapped in an Enigma". Cryptology ePrint Archive.
  10. "Post-Quantum Cybersecurity Resources". www.nsa.gov. Retrieved 2023-03-03.
  11. "Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0" (PDF). media.defense.gov. National Security Agency. September 2022. Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10. Retrieved 2024-04-14.