Commercial National Security Algorithm Suite


The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the top secret level, while the NSA plans for a transition to quantum-resistant cryptography. [1] [2] [3] [4] [5] [6]

[Figure: Timeline for the transition to CNSA 2.0]

The suite includes:

The CNSA transition is notable for moving RSA from a temporary legacy status, as it appeared in Suite B, to supported status. It also did not include the Digital Signature Algorithm. This, together with the overall delivery and timing of the announcement in the absence of post-quantum standards, raised considerable speculation about whether the NSA had found weaknesses, e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons. [7] [8] [9]

In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. [10]

CNSA 2.0 includes: [2]

Note that compared to CNSA 1.0, CNSA 2.0:

The CNSA 2.0 and CNSA 1.0 algorithms, with their functions, specifications, and parameters, are listed below: [11]

CNSA 2.0

| Algorithm | Function | Specification | Parameters |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. |
| CRYSTALS-Kyber | Asymmetric algorithm for key establishment | TBD | Use Level V parameters for all classification levels. |
| CRYSTALS-Dilithium | Asymmetric algorithm for digital signatures | TBD | Use Level V parameters for all classification levels. |
| Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 or SHA-512 for all classification levels. |
| Leighton-Micali Signature (LMS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. SHA256/192 recommended. |
| Xtended Merkle Signature Scheme (XMSS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. |

CNSA 1.0

| Algorithm | Function | Specification | Parameters |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. |
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm for key establishment | NIST SP 800-56A | Use Curve P-384 for all classification levels. |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Use Curve P-384 for all classification levels. |
| Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 for all classification levels. |
| Diffie-Hellman (DH) Key Exchange | Asymmetric algorithm for key establishment | IETF RFC 3526 | Minimum 3072-bit modulus for all classification levels |
| [Rivest-Shamir-Adleman] RSA | Asymmetric algorithm for key establishment | FIPS SP 800-56B | Minimum 3072-bit modulus for all classification levels |
| [Rivest-Shamir-Adleman] RSA | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Minimum 3072-bit modulus for all classification levels |
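
The two tables above can be applied as rules when auditing a cryptographic inventory. The following is an added example, not taken from the NSA documents: the use labels, the encoding of "Level V" as the integer 5, and the sample inventory are constructed for illustration.

```python
FW = "firmware/software signing"   # use labels are this example's own naming
SIG, KEX = {"signature", FW}, {"key establishment"}
# algorithm -> (permitted uses, predicate over the configured parameter)
CNSA_1_0 = {
    "AES":   ({"encryption"}, lambda bits: bits == 256),
    "ECDH":  (KEX, lambda curve: curve == "P-384"),
    "ECDSA": (SIG, lambda curve: curve == "P-384"),
    "SHA":   ({"hash"}, lambda bits: bits == 384),
    "DH":    (KEX, lambda bits: bits >= 3072),
    "RSA":   (KEX | SIG, lambda bits: bits >= 3072),
}
CNSA_2_0 = {
    "AES":   ({"encryption"}, lambda bits: bits == 256),
    "SHA":   ({"hash"}, lambda bits: bits in (384, 512)),
    "CRYSTALS-Kyber":     (KEX, lambda level: level == 5),
    "CRYSTALS-Dilithium": (SIG, lambda level: level == 5),
    "LMS":   ({FW}, lambda params: True),   # all parameter sets approved
    "XMSS":  ({FW}, lambda params: True),
}
SUITES = (("CNSA 1.0", CNSA_1_0), ("CNSA 2.0", CNSA_2_0))

def conforms(suite, algorithm, use, param):
    """True if (algorithm, use, param) matches a row of the given suite."""
    if algorithm not in suite:
        return False               # e.g. DSA appears in neither table
    uses, param_ok = suite[algorithm]
    try:
        return use in uses and bool(param_ok(param))
    except TypeError:              # parameter of the wrong kind for this row
        return False

def audit(inventory):
    """Map each item name to the list of suites whose table it satisfies."""
    return {name: [label for label, suite in SUITES
                   if conforms(suite, alg, use, param)]
            for name, alg, use, param in inventory}

# Constructed sample inventory: (name, algorithm, use, parameter)
INVENTORY = [
    ("vpn-kex",     "ECDH", "key establishment", "P-384"),
    ("tls-cert",    "RSA",  "signature", 2048),
    ("disk",        "AES",  "encryption", 256),
    ("log-digest",  "SHA",  "hash", 512),
    ("boot-image",  "LMS",  FW, "SHA256/192"),
    ("doc-signing", "LMS",  "signature", "SHA256/192"),
    ("pq-kex",      "CRYSTALS-Kyber", "key establishment", 3),
]
for item, suites in audit(INVENTORY).items():
    print(f"{item:12} {', '.join(suites) or 'non-conforming'}")
```

Items that satisfy only CNSA 1.0, such as the P-384 key exchange, are the ones a migration plan toward CNSA 2.0 has to account for.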


References

  1. Cook, John (2019-05-23). "NSA recommendations | algorithms to use until PQC". www.johndcook.com. Retrieved 2020-02-28.
  2. "Announcing the Commercial National Security Algorithm Suite 2.0" (PDF). media.defense.gov. 2022-09-07. Retrieved 2024-06-10.
  3. "CNSA Suite and Quantum Computing FAQ" (PDF). cryptome.org. January 2016. Retrieved 24 July 2023.
  4. "Use of public standards for the secure sharing of information among national security systems, Advisory Memorandum 02-15 CNSS Advisory Memorandum Information Assurance 02-15". Committee on National Security Systems. 2015-07-31. Archived from the original on 2020-02-28. Retrieved 2020-02-28.
  5. "Commercial National Security Algorithm Suite". apps.nsa.gov. 19 August 2015. Archived from the original on 2022-02-18. Retrieved 2020-02-28.
  6. Housley, Russ; Zieglar, Lydia (July 2018). "RFC 8423 - Reclassification of Suite B Documents to Historic Status". tools.ietf.org. Retrieved 2020-02-28.
  7. "NSA's FAQs Demystify the Demise of Suite B, but Fail to Explain One Important Detail – Pomcor". 9 February 2016. Retrieved 2020-02-28.
  8. "A riddle wrapped in a curve". A Few Thoughts on Cryptographic Engineering. 2015-10-22. Retrieved 2020-02-28.
  9. Koblitz, Neal; Menezes, Alfred J. (2018-05-19). "A Riddle Wrapped in an Enigma". Cryptology ePrint Archive.
  10. "Post-Quantum Cybersecurity Resources". www.nsa.gov. Retrieved 2023-03-03.
  11. "Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0" (PDF). media.defense.gov. National Security Agency. September 2022. Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10. Retrieved 2024-04-14.