Commercial National Security Algorithm Suite

[Figure: Timeline for the transition to CNSA 2.0]

The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the TOP SECRET level. Two versions of CNSA exist: the pre-quantum 1.0 of 2015 and the quantum-resistant 2.0 of 2022. [1] [2] [3] [4] [5] [6]


CNSA 1.0

A singular parameter length is provided for protection up to TOP SECRET level.

Components of CNSA 1.0

| Purpose | Algorithm | Standard | Parameter Length | Bits of Security | Notes |
|---|---|---|---|---|---|
| Symmetric encryption | AES | FIPS 197 | 256 | 256 | |
| Digital signature | Elliptic Curve Digital Signature Algorithm (ECDSA) | FIPS 186-4 | 384 | 192 | Use curve P-384 only. |
| Digital signature | RSA | FIPS 186-4 | 3072 | 128 | Minimum modulus size, can be larger. |
| Key agreement | Elliptic-curve Diffie–Hellman (ECDH) | NIST SP 800-56Ar3 | 384 | 192 | Use curve P-384 only. |
| Key agreement | Diffie–Hellman key exchange | RFC 3526 | 3072 | 128 | Minimum modulus size, can be larger. |
| Key agreement | RSA | NIST SP 800-56Br2 | 3072 | 128 | Minimum modulus size, can be larger. |
| Message digest | SHA-2 | FIPS 180-4 | 384 | 192 | Use exactly SHA-384. |

The CNSA 1.0 transition is notable for moving RSA from the temporary legacy status it had in Suite B to supported status. It also did not include the Digital Signature Algorithm. This, together with the overall delivery and timing of the announcement in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses (for example in elliptic-curve algorithms) or was trying to distance itself from an exclusive focus on ECC for non-technical reasons. [7] [8] [9]

Documents describing the integration of CNSA 1.0 with Internet protocols include:

CNSA 2.0

In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. Again, all parameters are provided for TOP SECRET level. [10]

Components of CNSA 2.0 [11]

| Purpose | Algorithm | Standard | Parameter Length | Bits of Security | Notes |
|---|---|---|---|---|---|
| Symmetric encryption | AES | FIPS 197-upd1 | 256 | 256 | |
| Key agreement | ML-KEM | FIPS 203 | ML-KEM-1024 | 256 | |
| Digital signature | ML-DSA | FIPS 204 | ML-DSA-87 | 256 | |
| Message digest of data | SHA-2 | FIPS 180-4 | 384 or 512 | 192 or 256 | |
| Digital signature of firmware and software | Leighton-Micali Signature (LMS) | NIST SP 800-208 | 192 or 256 | 192 or 256 | All standard parameter sets are approved, the minimum being SHA256/192. SHA256/192 is the recommended choice. |
| Digital signature of firmware and software | eXtended Merkle Signature Scheme (XMSS) | NIST SP 800-208 | 192 or 256 | 192 or 256 | All standard parameter sets are approved, the minimum being SHA256/192. |
| Message digest for hardware integrity checks | SHA-3 | FIPS 202 | 384 or 512 | 192 or 256 | Allowed for internal hardware functionality only (e.g., boot-up integrity checks). |
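As an added illustration that is not part of the original article, the following Python audits a constructed inventory of cryptographic primitives against the parameter requirements in the CNSA 1.0 and CNSA 2.0 tables above (P-384 only, RSA/DH modulus of at least 3072 bits, exactly SHA-384 for 1.0; ML-KEM-1024, ML-DSA-87, LMS/XMSS and SHA-3 restricted to hardware integrity checks for 2.0). The `Primitive` descriptor, its purpose labels and the sample inventory are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Primitive:
    purpose: str    # symmetric | signature | key_agreement | digest | hw_digest | sw_signature
    algorithm: str  # e.g. AES, RSA, ECDSA, ECDH, DH, SHA-384, ML-KEM, ML-DSA, LMS, XMSS
    param: str      # curve name, modulus bits, digest width, or parameter-set name

def cnsa1_issue(p: Primitive) -> Optional[str]:
    """Reason the primitive fails CNSA 1.0, or None if it complies."""
    a, v = p.algorithm.upper(), p.param
    if p.purpose == "symmetric":
        return None if a == "AES" and v == "256" else "CNSA 1.0: AES-256 only"
    if p.purpose in ("signature", "key_agreement"):
        if a in ("ECDSA", "ECDH"):
            return None if v == "P-384" else "CNSA 1.0: curve P-384 only"
        if a in ("RSA", "DH"):  # 3072 is the minimum modulus size; larger is allowed
            return None if v.isdigit() and int(v) >= 3072 else "CNSA 1.0: modulus below 3072 bits"
        return f"CNSA 1.0: {a} is not an approved algorithm"
    if p.purpose == "digest":
        return None if a == "SHA-384" else "CNSA 1.0: use exactly SHA-384"
    return f"CNSA 1.0: no approved algorithm for purpose {p.purpose!r}"

def cnsa2_issue(p: Primitive) -> Optional[str]:
    """Reason the primitive fails CNSA 2.0, or None if it complies."""
    a, v = p.algorithm.upper(), p.param
    if p.purpose == "symmetric":
        return None if a == "AES" and v == "256" else "CNSA 2.0: AES-256 only"
    if p.purpose == "key_agreement":
        return None if (a, v) == ("ML-KEM", "1024") else "CNSA 2.0: ML-KEM-1024 only"
    if p.purpose == "signature":
        return None if (a, v) == ("ML-DSA", "87") else "CNSA 2.0: ML-DSA-87 only"
    if p.purpose == "digest":
        return None if a in ("SHA-384", "SHA-512") else "CNSA 2.0: SHA-384 or SHA-512 only"
    if p.purpose == "hw_digest":  # SHA-3 is allowed only for internal hardware integrity checks
        return None if a in ("SHA-384", "SHA-512", "SHA3-384", "SHA3-512") else "CNSA 2.0: 384- or 512-bit SHA-2/SHA-3 only"
    if p.purpose == "sw_signature":  # every SP 800-208 LMS/XMSS parameter set is approved
        return None if a in ("LMS", "XMSS") else "CNSA 2.0: firmware/software signatures need LMS or XMSS"
    return f"CNSA 2.0: no approved algorithm for purpose {p.purpose!r}"

def audit(inventory) -> dict:
    """Map each primitive to (CNSA 1.0 issue, CNSA 2.0 issue); None means compliant."""
    return {p: (cnsa1_issue(p), cnsa2_issue(p)) for p in inventory}

INVENTORY = [  # constructed sample inventory, not taken from the page
    Primitive("signature", "ECDSA", "P-256"),
    Primitive("signature", "RSA", "4096"),
    Primitive("key_agreement", "ML-KEM", "1024"),
]
```

Running `audit(INVENTORY)` shows the migration gap directly: a 4096-bit RSA key passes 1.0 but not 2.0, while ML-KEM-1024 passes 2.0 but is not a 1.0 algorithm at all.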

Note that compared to CNSA 1.0, CNSA 2.0:

Documents describing the integration of CNSA 2.0 with Internet protocols include:

References

  1. Cook, John (2019-05-23). "NSA recommendations | algorithms to use until PQC". www.johndcook.com. Retrieved 2020-02-28.
  2. "Announcing the Commercial National Security Algorithm Suite 2.0" (PDF). media.defense.gov. 2022-09-07. Archived from the original (PDF) on September 8, 2022. Retrieved 2024-06-10.
  3. "CNSA Suite and Quantum Computing FAQ" (PDF). cryptome.org. January 2016. Retrieved 24 July 2023.
  4. "Use of public standards for the secure sharing of information among national security systems, Advisory Memorandum 02-15 CNSS Advisory Memorandum Information Assurance 02-15". Committee on National Security Systems. 2015-07-31. Archived from the original on 2020-02-28. Retrieved 2020-02-28.
  5. "Commercial National Security Algorithm Suite". apps.nsa.gov. 19 August 2015. Archived from the original on 2022-02-18. Retrieved 2020-02-28.
  6. Housley, Russ; Zieglar, Lydia (July 2018). "RFC 8423 - Reclassification of Suite B Documents to Historic Status". tools.ietf.org. Retrieved 2020-02-28.
  7. "NSA's FAQs Demystify the Demise of Suite B, but Fail to Explain One Important Detail – Pomcor". 9 February 2016. Retrieved 2020-02-28.
  8. "A riddle wrapped in a curve". A Few Thoughts on Cryptographic Engineering. 2015-10-22. Retrieved 2020-02-28.
  9. Koblitz, Neal; Menezes, Alfred J. (2018-05-19). "A Riddle Wrapped in an Enigma". Cryptology ePrint Archive.
  10. "Post-Quantum Cybersecurity Resources". www.nsa.gov. Retrieved 2023-03-03.
  11. "Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0" (PDF). media.defense.gov. National Security Agency. September 2022. Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10. Archived from the original (PDF) on September 8, 2022. Retrieved 2024-04-14.