Enterprise Applications Security, Embedded SSH, Embedded SSL, Embedded SSH, Embedded IPSEC and OpenSSH/OpenSSL Alternatives, FIPS certified, FIPS certification, FIPS 140-2 - Device Security Framework
Mocana Corporation - Securing Devices, Applications & the Enterprise.
NEWSLETTER   
Newsletter Sign Up contactus
Free Trial
Home > Downloads > Suite B Cryptography >
DSF
(Device Security
Framework)
DSF for Android
DSF for Freescale
NanoCert
NanoCrypto
NanoDefender
NanoSec
NanoSSH
NanoSSL
NanoVOIP
NanoWireless
 
Suite B Cryptography
Most Mocana products share a common cryptographic "engine" that includes a set of algorithms called "Suite B". But what is "Suite B Cryptography" and why is it important?

The NSA has directed most government agencies to use a secret set of unpublished algorithms, called Suite A, to encrypt and authenticate highly classified, sensitive communications and super-critical systems. Unfortunately, because Suite A is so secret, government organizations that use it cannot easily link securely to partner organizations outside the government, or even to less-sensitive networks inside the government, simply because those other organizations don't have clearance to "speak the language". Suite B was developed to address this.

Suite B is a set of cryptographic techniques standardized upon by the National Security Agency as part of its Cryptographic Modernization Program. The algorithms are supposed to serve as an interoperable cryptographic base that can be used for unclassified information and most classified information at the same time, and it was formally announced in February 2005.

Suite B consists of:
  • Block Encryption via the Advanced Encryption Standard (AES), with key sizes of 128 or 256 bits. Suite B specifies that AES should be used in the Galois/Counter Mode (GCM) mode.
  • Digital Signatures via the Elliptic-Curve Digital Signature Algorithm (ECDSA)
  • Key Agreement via Elliptic-Curve Diffie-Hellman (ECDH) algorithm
  • Message Digests via the Secure Hash Algorithm (specifically SHA-256 and SHA-384)
Per CNSSP-15 (Committee on National Security Systems Policy 15), the 256-bit elliptic curve (specified in FIPS 186-2), SHA-256, and AES with 128-bit keys should be used for protecting classified information up to the "Secret" level, while users should upgrade to the 384-bit elliptic curve (specified in FIPS 186-2), SHA-384, and AES with 256-bit keys when protecting information classified as "Top Secret".

Government agencies often buy Suite B devices or software when most of their network is Suite A, but they need to communicate securely with an outside vendor. Then there will be a node on the network where information is decrypted from A and re-encrypted into B for transmission to allies, outside vendors, etc.  B hardware encryptors tend to be much less expensive than A encryptors (since the number of vendors that produce A encryptors is extremely limited, and under govt contract.)

Some government agencies and contractors don't need Suite A at all, but their materials are still considered too sensitive for traditional commercial crypto implementations.  So NSA will mandate Suite B. Still other agencies won't be mandated to use suite B internally at all... their requirements docs might just specify the use of a FIPS 140-2 level 1 validated cryptographic implementation. But since they'll still need to occasionally communicate with agencies that "speak" mostly suite A or suite B, they'll need Suite B, too.

In December 2006, NSA submitted an Internet Draft standard proposal for implementing Suite B as part of IPsec. This draft was accepted for publication by IETF as RFC 4869.

NSA has said that "Suite B only specifies the cryptographic algorithms to be used. Many other factors need to be addressed in determining whether a particular device implementing a particular set of cryptographic algorithms should be used to satisfy a particular requirement.

These include:
  • The quality of the implementation of the cryptographic algorithm in software, firmware, or hardware.
  • Operational requirements associated with U.S. Government-approved key and key-management activities.
  • The uniqueness of the information to be protected (e.g., special intelligence, nuclear command and control, U.S.-only data).
  • Requirements for interoperability both domestically and internationally.
The process by which these factors are addressed is outside the scope of Suite B. Suite B focuses only on cryptographic technology, a small piece of an overall information assurance system."

A common question that arises about Suite B is "Does NIST or NSA "validate" Suite B implementations, the way NIST certifies software as "FIPS 140-2 validated"?

The answer is "Not yet"… but a process, known as "GOTS for Secret", is under development by NSA. This process will someday allow vendors to build products using Suite B cryptography to meet a set of NSA security standards appropriate for protecting information up to the SECRET level. Another certification process is also coming down the pipe called the "Commercial Solutions Partnership Program (CSPP)". It's supposed to enable agencies to put together their own combinations of commercial off-the-shelf security products to protect information up to the SECRET level. The National Information Assurance Partnership (NIAP) with new Standard Protection Profiles, relying on NIST’s Cryptographic Module Validation Program is envisioned as forming the eventual basis of the CSPP.

Want to know more about Mocana's Suite B offerings? Email us, or speak to a sales rep now by dialing 415-617-0055.

Untitled Document

Sales | Support | Contact | Privacy Policy | FAQs | Site Map | Referral Program
Copyright © 2010 Mocana Corporation