The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the TOP SECRET level. Two versions of CNSA exist: the pre-quantum 1.0 of 2015 and the quantum-resistant 2.0 of 2022. [1] [2] [3] [4] [5] [6]
A singular parameter length is provided for protection up to TOP SECRET level.
Purpose | Algorithm | Standard | Parameter Length | Bits of Security | Notes |
---|---|---|---|---|---|
Symmetric encryption | AES | FIPS 197 | 256 | 256 | |
Digital Signature | Elliptic Curve Digital Signature Algorithm (ECDSA) | FIPS 186-4 | 384 | 192 | Use curve P-384 only. |
RSA | FIPS 186-4 | 3072 | 128 | Minimum modulus size, can be larger. | |
Key agreement | Elliptic-curve Diffie–Hellman (ECDH) | NIST SP 800-56Ar3 | 384 | 192 | Use curve P-384 only. |
Diffie–Hellman key exchange | RFC 3526 | 3072 | 128 | Minimum modulus size, can be larger. | |
RSA | FIPS SP 800-56Br2 | 3072 | 128 | Minimum modulus size, can be larger. | |
Message digest | SHA-2 | FIPS 180-4 | 384 | 192 | Use exactly SHA-384. |
The CNSA 1.0 transition is notable for moving RSA from a temporary legacy status, as it appeared in Suite B, to supported status. It also did not include the Digital Signature Algorithm. This, and the overall delivery and timing of the announcement, in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons. [7] [8] [9]
Documents describing the integration of CNSA 1.0 with Internet protocols include:
In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. Again, all parameters are provided for TOP SECRET level. [10]
Purpose | Algorithm | Standard | Parameter Length | Bits of Security | Notes |
---|---|---|---|---|---|
Symmetric encryption | AES | FIPS 197-upd1 | 256 | 256 | |
Key agreement | ML-KEM | FIPS 203 | ML-KEM-1024 | 256 | |
Digital signature | ML-DSA | FIPS 204 | ML-DSA-87 | 256 | |
Message digest of data | SHA-2 | FIPS 180-4 | 384 or 512 | 192 or 256 | |
Digital signature of firmware and software | Leighton-Micali | NIST SP 800-208 | 192 or 256 | 192 or 256 | All standard parameter sets are approved, the minimum being SHA256/192. SHA256/192 is the recommended choice. |
Xtended Merkle | NIST SP 800-208 | 192 or 256 | 192 or 256 | All standard parameter sets are approved, the minimum being SHA256/192. | |
Message digest for hardware integrity checks | |||||
SHA-3 | FIPS 202 | 384 or 512 | 192 or 256 | Allowed for internal hardware functionality only (e.g., boot-up integrity checks) |
Note that compared to CNSA 1.0, CNSA 2.0:
Documents describing the integration of CNSA 2.0 with Internet protocols include: