Commercial National Security Algorithm Suite


The Commercial National Security Algorithm Suite is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the TOP SECRET level. Two versions of CNSA exist: the pre-quantum 1.0 of 2015 and the quantum-resistant 2.0 of 2022.

Contents

CNSA 1.0

A singular parameter length is provided for protection up to TOP SECRET level.
PurposeAlgorithmStandardParameter LengthBits of SecurityNotes
Symmetric encryptionAESFIPS 197256256
Digital SignatureElliptic Curve Digital Signature Algorithm 384192Use curve P-384 only.
Digital SignatureRSA3072128Minimum modulus size, can be larger.
Key agreementElliptic-curve Diffie–Hellman NIST SP 800-56Ar3384192Use curve P-384 only.
Key agreementDiffie–Hellman key exchange3072128Minimum modulus size, can be larger.
Key agreementRSA3072128Minimum modulus size, can be larger.
Message digestSHA-2384192Use exactly SHA-384.

The CNSA 1.0 transition is notable for moving RSA from a temporary legacy status, as it appeared in Suite B, to supported status. It also did not include the Digital Signature Algorithm. This, and the overall delivery and timing of the announcement, in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons.
Documents describing the integration of CNSA 1.0 with Internet protocols include:
  • RFC 9151 Commercial National Security Algorithm Suite Profile for TLS and DTLS 1.2 and 1.3
  • RFC 9206 Commercial National Security Algorithm Suite Cryptography for Internet Protocol
  • RFC 9212 Commercial National Security Algorithm Suite Cryptography for Secure Shell
  • RFC 8755 Using Commercial National Security Algorithm Suite Algorithms in Secure/Multipurpose
  • RFC 8756 Commercial National Security Algorithm Suite Profile of Certificate Management over CMS
  • RFC 8603 Commercial National Security Algorithm Suite Certificate and Certificate Revocation List Profile

    CNSA 2.0

In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. Again, all parameters are provided for classified information up to TOP SECRET level.
PurposeAlgorithmStandardParameter LengthBits of SecurityNotes
Symmetric encryptionAESFIPS 197-upd1256256
Key agreementML-KEMFIPS 203ML-KEM-1024256
Digital signatureML-DSAFIPS 204ML-DSA-87256
Message digest of dataSHA-2384 or 512192 or 256
Digital signature of firmware and softwareLeighton-Micali192 or 256192 or 256All standard parameter sets are approved, the minimum being SHA256/192. SHA256/192 is the recommended choice.
Digital signature of firmware and softwareXtended Merkle192 or 256192 or 256All standard parameter sets are approved, the minimum being SHA256/192.

Note that compared to CNSA 1.0, CNSA 2.0:
  • Suggests separate post-quantum algorithms for software/firmware signing for use immediately
  • Allows SHA-512
  • Announced the selection of CRYSTALS-Kyber and CRYSTALS-Dilithium early, with the expectation that they will be mandated only when the final standards and FIPS-validated implementations are released. RSA, Diffie-Hellman, and elliptic curve cryptography will be deprecated at that time.
Documents describing the integration of CNSA 2.0 with Internet protocols include:
  • draft-becker-cnsa2-smime-profile-01 Commercial National Security Algorithm Suite Profile for Secure/Multipurpose Internet Mail Extensions
  • draft-becker-cnsa2-ssh-profile-02 Commercial National Security Algorithm Suite Profile for SSH
  • draft-becker-cnsa2-tls-profile-02 Commercial National Security Algorithm Suite Profile for TLS 1.3
  • draft-guthrie-cnsa2-ipsec-profile-01 Commercial National Security Algorithm Suite 2.0 Profile for IPsec
  • draft-jenkins-cnsa2-cmc-profile-01 Commercial National Security Algorithm Suite Profile of Certificate Management over CMS
  • draft-jenkins-cnsa2-pkix-profile-03 Commercial National Security Algorithm Suite Certificate and Certificate Revocation List Profile