What is “Suite B Encryption”?

Where I grew up there was a local farmers market that sold Sweet Bee Honey. To this day, any time I hear Suite B I automatically think of honey.

The major difference between “Sweet Bee” and Suite B is that when I buy the honey, I know exactly what I am getting. With Suite B, however, many vendors advertise a Suite B solution and say that their product meets NSA Suite B certifications. The problem with statements like this is that today there is no Suite B certification or validation process in place to which a vendor can submit a solution (although one is currently under development). Therefore, statements indicating that a company is already Suite B certified are intentionally misleading.

NSA Suite B Algorithms

What are NSA Suite B algorithms? Suite B is a set of four cryptographic algorithms standardized by the National Security Agency (NSA). The algorithms serve as a method to ensure the security of classified and unclassified information passed through public networks.

Suite B consists of:

  • Block Encryption via the Advanced Encryption Standard (AES), with key sizes of 128 or 256 bits. Suite B specifies that AES should be used in Galois/Counter Mode (GCM).
  • Digital Signatures via the Elliptic-Curve Digital Signature Algorithm (ECDSA).
  • Key Agreement via the Elliptic-Curve Diffie-Hellman (ECDH) algorithm.
  • Message Digests via the Secure Hash Algorithm (specifically SHA-256 and SHA-384).

The Committee on National Security Systems Policy 15 (CNSSP-15) states that AES with 128-bit keys, 256-bit elliptic curves and SHA-256 should be used for protecting classified information up to the SECRET level, while users should upgrade to the 384-bit elliptic curve to protect information classified as TOP SECRET.
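One way to test a vendor's "Suite B" claim against the four algorithms and the CNSSP-15 levels described above. This is an added example, not part of the original article or any NSA tool. It assumes the claim arrives as an IANA-style TLS cipher suite name plus the curve size, the function names are hypothetical, and the TOP SECRET row assumes the CNSSP-15 pairing of AES-256 and SHA-384 with the 384-bit curve.

```python
# Added example: the four Suite B components listed above, as a policy check.
LEVELS = [  # ordered weakest to strongest; minimum sizes in bits
    ("SECRET", {"aes": 128, "curve": 256, "sha": 256}),
    # Assumption: AES-256 and SHA-384 accompany the 384-bit curve (CNSSP-15 pairing).
    ("TOP SECRET", {"aes": 256, "curve": 384, "sha": 384}),
]

def parse_suite(name):
    """Split an IANA-style TLS cipher suite name into its algorithm fields."""
    left, sep, right = name.partition("_WITH_")
    if not sep or not left.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    kx_auth = left[len("TLS_"):].split("_")
    parts = right.split("_")
    return {
        "kx": kx_auth[0],
        "auth": kx_auth[-1],  # same token as kx for names like TLS_RSA_WITH_...
        "cipher": parts[0],
        "bits": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0,
        "mode": parts[2] if len(parts) == 4 else None,
        "hash": parts[-1],
    }

def check_suite_b(name, curve_bits):
    """Return (highest level met or None, list of reasons the claim fails)."""
    s = parse_suite(name)
    problems = []
    if s["kx"] not in ("ECDH", "ECDHE"):
        problems.append("key agreement is not ECDH")
    if s["auth"] != "ECDSA":
        problems.append("signatures are not ECDSA")
    if s["cipher"] != "AES" or s["mode"] != "GCM" or s["bits"] not in (128, 256):
        problems.append("cipher is not AES-128/256 in GCM")
    if s["hash"] not in ("SHA256", "SHA384"):
        problems.append("digest is not SHA-256 or SHA-384")
    if curve_bits not in (256, 384):
        problems.append("curve is not 256 or 384 bits")
    if problems:
        return None, problems
    have = {"aes": s["bits"], "curve": curve_bits, "sha": int(s["hash"][3:])}
    level = None
    for label, need in LEVELS:  # keep the strongest row whose minimums are all met
        if all(have[k] >= need[k] for k in need):
            level = label
    return level, problems

if __name__ == "__main__":
    # Constructed sample claims: one conforming, one using RSA signatures.
    for suite, curve in [("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 384),
                         ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 384)]:
        print(suite, curve, check_suite_b(suite, curve))
```

A result of `None` with a non-empty reason list means the configuration does not even use the Suite B algorithm set, whatever the marketing says.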

The NSA has created a Conformance Evaluator (ICE) tool to gauge the compliance of Internet Protocol Security (IPSec) against NSA Suite B regulations. With this in place it will be possible for vendors to build solutions that apply the standard; however, the NSA notes, “Creating secure cryptographic components, products and solutions involves much more than simply implementing a specific cryptographic protocol or suite of cryptographic algorithms.” This is just as true for Suite B as it is for any other implementation.

The NSA currently does not have a system to validate Suite B implementations, but a process, known as GOTS for Secret, is being developed. GOTS for Secret will allow vendors to certify products up to the SECRET level using Suite B cryptography. These products will be required to meet a set of NSA security standards appropriate for protecting information up to the SECRET level. The Commercial Solutions Partnership Program (CSPP) is another certification program that will allow agencies to create their own combination of commercial off-the-shelf (COTS) products to protect information up to the SECRET level. CSPP will be based on the National Information Assurance Partnership's (NIAP) new Standard Protection Profiles and the National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program.

These processes are not yet in place, though, so the next time a vendor says one of their products meets important security certifications, including the NSA’s Suite B, be sure to ask them exactly what they mean.