Content deleted Content added
Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.1 |
m v2.05b - Bot T19 CW#83 - Fix errors for CW project (Heading start with three "=" and later with level two) |
||
| (20 intermediate revisions by 18 users not shown) | |||
Line 1:
{{Short description|Set of cryptographic algorithms by the NSA}}
The '''Commercial National Security Algorithm Suite''' ('''CNSA''') is a set of cryptographic algorithms [[Promulgation|promulgated]] by the [[National Security Agency]] as a replacement for [[NSA Suite B Cryptography]] algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the [[Classified information#Top_Secret_(TS)|top secret]] level, while the NSA plans for a transition to [[quantum-resistant cryptography]].<ref>{{Cite web|url=https://www.johndcook.com/blog/2019/05/23/nsa-recommendations/|title=NSA recommendations {{!}} algorithms to use until PQC|last=Cook|first=John|date=2019-05-23|website=www.johndcook.com|access-date=2020-02-28}}</ref><ref name=":0">{{Cite web|url=https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF|archive-url=https://web.archive.org/web/20220908002358/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF|url-status=dead|archive-date=September 8, 2022|title=Announcing the Commercial National Security Algorithm Suite 2.0|date=2022-09-07|website=media.defense.gov|language=en|access-date=2024-06-10}}</ref><ref>{{cite web|url=https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf|title=CNSA Suite and Quantum Computing FAQ|website=cryptome.org|date=January 2016|access-date=24 July 2023}}</ref><ref>{{Cite web|url=https://www.cnss.gov/CNSS/issuances/Memoranda.cfm|title=Use of public standards for the secure sharing of information among national security systems, Advisory Memorandum 02-15 CNSS Advisory Memorandum Information Assurance 02-15|date=2015-07-31|website=Committee on National Security Systems|url-status=dead|archive-url=https://web.archive.org/web/20200228180443/https://www.cnss.gov/CNSS/issuances/Memoranda.cfm|archive-date=2020-02-28|access-date=2020-02-28}}</ref><ref>{{Cite web|url=https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm|title=Commercial National Security Algorithm Suite|date=19 August 2015|website=apps.nsa.gov|archive-url=https://web.archive.org/web/20220218193742/https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm|archive-date=2022-02-18|language=en|access-date=2020-02-28}}</ref><ref>{{Cite journal|url=https://tools.ietf.org/html/rfc8423|title=RFC 8423 - Reclassification of Suite B Documents to Historic Status|date=July 2018|website=tools.ietf.org|language=en|access-date=2020-02-28 |last1=Housley |first1=Russ |last2=Zieglar |first2=Lydia }}</ref>
[[File:CNSA 2p0 timeline.png|thumb|Timeline for the transition to CNSA 2.0]]
The 1.0 suite included:
* [[Advanced Encryption Standard]] with 256 bit keys
Line 8 ⟶ 11:
* [[RSA (cryptosystem)|RSA]] with a minimum modulus size of 3072.<ref name=":0" />
The CNSA transition is notable for moving [[RSA (cryptosystem)|RSA]] from a temporary ''legacy'' status, as it appeared in Suite B, to ''supported'' status. It also did not include the [[Digital Signature Algorithm]]. This, and the overall delivery and timing of the announcement, in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons.<ref>{{Cite web|url=https://pomcor.com/2016/02/09/nsas-faqs-demystify-the-demise-of-suite-b-but-fail-to-explain-one-important-detail/|title=NSA's FAQs Demystify the Demise of Suite B, but Fail to Explain One Important Detail – Pomcor|date=9 February 2016 |language=en-US|access-date=2020-02-28}}</ref><ref>{{Cite web|url=https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/|title=A riddle wrapped in a curve|date=2015-10-22|website=A Few Thoughts on Cryptographic Engineering|language=en|access-date=2020-02-28}}</ref><ref>{{Cite journal|
== Version 2.0 Announcement ==
In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms.<ref>{{Cite web |title=Post-Quantum Cybersecurity Resources |url=https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/ |access-date=2023-03-03 |website=www.nsa.gov}}</ref>
CNSA 2.0 includes:<ref name=":0" />
* [[Advanced Encryption Standard]] with 256 bit keys
* [[CRYSTALS-Kyber|Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM aka CRYSTALS-Kyber)]] with parameter set ML-KEM-1024
* [[Lattice-based cryptography|Module-Lattice-Based Digital Signature Standard (ML-DSA aka CRYSTALS-Dilithium)]] with parameter set ML-DSA-87
* [[SHA-2]] with 384 or 512 bits
* [[eXtended Merkle Signature Scheme]] (XMSS) and [[Leighton-Micali Signatures]] (LMS) with all parameters approved, with SHA256/192 recommended
Note that compared to CNSA 1.0, CNSA 2.0:
* Suggests separate post-quantum algorithms (XMSS/LMS) for software/firmware signing for use immediately
* Allows SHA-512
* Announced the selection of CRYSTALS-Kyber and CRYSTALS-Dilithium early, with the expectation that they will be mandated only when the final standards and FIPS-validated implementations are released.
** RSA, Diffie-Hellman, and elliptic curve cryptography will be deprecated at that time.
The CNSA 2.0 and CNSA 1.0 algorithms, detailed functions descriptions, specifications, and parameters are below:<ref name=nsaCNSA>{{cite web|url=https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF |archive-url=https://web.archive.org/web/20220908002358/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF |url-status=dead |archive-date=September 8, 2022 |title=Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0 |date=September 2022 |publisher=[[National Security Agency]]|website=media.defense.gov|access-date=2024-04-14|at=Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10.}}</ref>
'''CNSA 2.0'''
{| class="wikitable"
|-
! Algorithm
! Function
! Specification
! Parameters
|-
| Advanced Encryption Standard (AES)
| Symmetric block cipher for information protection
| [[doi:10.6028/NIST.FIPS.197-upd1|FIPS PUB 197]]
| Use 256-bit keys for all classification levels.
|-
| Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM aka CRYSTALS-Kyber)
| Asymmetric algorithm for key establishment
| [[doi:10.6028/NIST.FIPS.203|FIPS PUB 203]]
| Use ML-KEM-1024 parameter set for all classification levels.
|-
| Module-Lattice-Based Digital Signature Standard (aka CRYSTALS-Dilithium)
| Asymmetric algorithm for digital signatures
| [[doi:10.6028/NIST.FIPS.204|FIPS PUB 204]]
| Use ML-DSA-87 parameter set for all classification levels.
|-
| Secure Hash Algorithm (SHA)
| Algorithm for computing a condensed representation of information
| [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS PUB 180-4]
| Use SHA-384 or SHA-512 for all classification levels.
|-
| Leighton-Micali Signature (LMS)
| Asymmetric algorithm for digitally signing firmware and software
| [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf NIST SP 800-208]
| All parameters approved for all classification levels. SHA256/192 recommended.
|-
| Xtended Merkle Signature Scheme (XMSS)
| Asymmetric algorithm for digitally signing firmware and software
| [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf NIST SP 800-208]
| All parameters approved for all classification levels.
|}
'''CNSA 1.0'''
{| class="wikitable"
|-
! Algorithm
! Function
! Specification
! Parameters
|-
| Advanced Encryption Standard (AES)
| Symmetric block cipher for information protection
| [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf FIPS PUB 197]
| Use 256-bit keys for all classification levels.
|-
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange
| Asymmetric algorithm for key establishment
| [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf NIST SP 800-56A]
| Use Curve P-384 for all classification levels.
|-
| Elliptic Curve Digital Signature Algorithm (ECDSA)
| Asymmetric algorithm for digital signatures
| [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS PUB 186-4]
| Use Curve P-384 for all classification levels.
|-
| Secure Hash Algorithm (SHA)
| Algorithm for computing a condensed representation of information
| [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS PUB 180-4]
| Use SHA-384 for all classification levels.
|-
| Diffie-Hellman (DH) Key Exchange
| Asymmetric algorithm for key establishment
| [https://datatracker.ietf.org/doc/html/rfc3526 IETF RFC 3526]
| Minimum 3072-bit modulus for all classification levels
|-
| [Rivest-Shamir-Adleman] RSA
| Asymmetric algorithm for key establishment
| [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf FIPS SP 800-56B]
| Minimum 3072-bit modulus for all classification levels
|-
| [Rivest-Shamir-Adleman] RSA
| Asymmetric algorithm for digital signatures
| [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS PUB 186-4]
| Minimum 3072-bit modulus for all classification levels
|}
== References ==
{{Reflist}}
{{Cryptography navbox|block|public-key|hash}}
[[Category:Cryptography standards]]
Line 17 ⟶ 124:
[[Category:Standards of the United States]]
{{Crypto-stub}}
| |||