JEP 129: NSA Suite B Cryptographic Algorithms
|Discussion||security dash dev at openjdk dot java dot net|
|Endorsed by||Brian Goetz|
|Relates to||7044060: Need to support NSA Suite B Cryptography algorithms|
Provide implementations of the cryptographic algorithms required by NSA Suite B.
Provide default implementations of the Suite B cryptographic algorithms in the JDK so that Java applications can meet appropriate security standards required by the U.S. government, financial institutions, etc. Ensure that the implementations in our various crypto providers are interoperable; e.g., if the same algorithm is supported by both the SunPKCS11 and SunJCE providers then basic testing should be done to ensure interoperability.
Most of the algorithms required by NSA Suite B are already supported by the JDK by various crypto providers such as SunEC (ECDH key agreement, ECDSA signature), SUN (SHA256, SHA384 message digests), SunJCE (AES cipher with ECB/CBC/OFB/CFB modes), SunPKCS11 (depending on the native PKCS11 library; but we may need to enhance the provider code to work with native implementations). Also, for EC related algorithms, we need to make sure that the required curves and parameters are supported.
This enhancement will only cover the required NSA Suite B algorithms. Following the NSA's guidance on the protocol level would be a separate effort.
NSA Suite B cryptography has been approved by NIST for use by the U.S. Government and specified in NIST standards and recommendations.
In 2005 the NSA announced Suite B Cryptography, which built on the National Policy on the use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (CNSSP-15). In addition to the AES, Suite B includes cryptographic algorithms for key exchange, digital signatures, and hashing; specifically:
Encryption: Advanced Encryption Standard (AES) -- FIPS PUB 197 (with key sizes of 128 and 256 bits). See FIPS PUB 197 at the National Institute of Standards and Technology, FIPS Publications listing.
Key Exchange: The Ephemeral Unified Model and the One-Pass Diffie Hellman (referred to as ECDH) -- NIST Special Publication 800-56A (using the curves with 256 and 384- bit prime moduli).
Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) -- FIPS PUB 186-3 (using the curves with 256 and 384-bit prime moduli).
Hashing: Secure Hash Algorithm (SHA) -- FIPS PUB 180-3 (using SHA-256 and SHA-384).
AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.
AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.
Another suite of NSA cryptography, Suite A, contains some classified algorithms that will not be released. Suite A will be used for the protection of some categories of especially sensitive information.
NSA Suite B Cryptography also provide guidance for using Suite B cryptography with internet protocols:
Internet Protocol Security (IPsec) Minimum Essential Interoperability Requirements (IPMEIR) is being implemented in government equipment to foster interoperability with commercial industry. IPMEIR Version 1.0.0 Core, dated 31 May 2010 and Elliptic Curve Cryptography Groups IPMEIR IS Version 1.0, dated 13 May 2010 support the Commercial Interoperability Specification Suite B Strategy by providing commercial IPsec network product producers and traditional government network encryptor vendors with minimum interoperability requirements.
IPsec using the Internet Key Exchange (IKE) or IKEv2: "Suite B Cryptography for IPsec", RFC 4869
TLS: "Suite B Cipher Suites for TLS", RFC 5430
TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)
S/MIME: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)", RFC 5008
SSH: "AES Galois Counter Mode for the Secure Shell Transport Layer Protocol", draft-igoe-secsh-aes-gcm-02.txt
Protocol profiles will be developed to aid in the selection of options to promote interoperability. NIST has developed an IPsec profile, NIST Special Publication 500-267, "A Profile for IPv6 in the U.S. Government -- Version 1.0".
This JEP does not propose to implement this protocol guidance.
At the crypto provider level, the only implementations missing that need to be supported are:
SUN/SunJCE/SunEC/SunPKCS11: Add oids for the supported algorithms.
SUN provider: Support DSA keysizes of (L, N) where L is bit length of p and N is bit length of q: (2048, 224), (2048, 256). Support for the (3072, 256) pair isn't included in this effort, but can be added later if the need arises.
SunJCE provider: Support for AES cipher w/ GCM and CCM modes. (Note: This is being tracked by a separate JEP, Support AEAD CipherSuites).
At the Java API level, we will need to add a DSA API to support both L/N and pass to the underlying provider implementations. Currently, only L is supported, e.g., DSAKeyPairGenerator.
Need to add:
Regression Tests: known-answer tests to validate the implementation of the new algorithms,
SQE/Product Tests: Interoperability tests for algorithms commonly supported by multiple crypto providers
Risks and Assumptions
Intellectual Property: A key aspect of Suite B Cryptography is its use of elliptic curve technology instead of classic public key technology. In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom, Inc., covering a variety of elliptic curve technology. Under the license, NSA has the right to grant a sublicense to vendors building certain types of products or components that can be used for protecting national security information. More information is available here.
Doc: Need to update all relevant security whitepaper, provider doc, reference guides w/ the newly supported algorithms
Legal: Need to update the list of supported crypto algorithms for export control paperwork.