JDK-8046119 : JEP 129: NSA Suite B Cryptographic Algorithms
  • Type: JEP
  • Component: security-libs
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Fix Versions: 8
  • Submitted: 2011-05-03
  • Updated: 2017-06-14
  • Resolved: 2017-06-14
Description
Summary
-------

Provide implementations of the cryptographic algorithms required by
[NSA Suite B](http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography).


Goals
-----

Provide default implementations of the Suite B cryptographic algorithms in the
JDK so that Java applications can meet appropriate security standards required
by the U.S. government, financial institutions, etc.  Ensure that the
implementations in our various crypto providers are interoperable; e.g., if the
same algorithm is supported by both the SunPKCS11 and SunJCE providers then
basic testing should be done to ensure interoperability.

Most of the algorithms required by NSA Suite B are already supported in the JDK
by various crypto providers: SunEC (ECDH key agreement, ECDSA signatures), SUN
(SHA-256 and SHA-384 message digests), SunJCE (AES cipher in ECB/CBC/OFB/CFB
modes), and SunPKCS11 (depending on the native PKCS#11 library; the provider
code may need enhancements to work with native implementations). For the EC
algorithms we also need to make sure that the required curves and parameters
are supported.


Non-Goals
---------

This enhancement will only cover the required NSA Suite B algorithms.
Following the NSA's guidance on the protocol level would be a separate effort.


Motivation
----------

NSA Suite B cryptography has been approved by NIST for use by the
U.S. Government and specified in NIST standards and recommendations.


Description
-----------

In 2005 the NSA announced Suite B Cryptography, which built on the National
Policy on the use of the Advanced Encryption Standard (AES) to Protect National
Security Systems and National Security Information (CNSSP-15). In addition to
the AES, Suite B includes cryptographic algorithms for key exchange, digital
signatures, and hashing; specifically:

  - Encryption: Advanced Encryption Standard (AES) -- FIPS PUB 197 (with key
    sizes of 128 and 256 bits). See FIPS PUB 197 at the National Institute of
    Standards and Technology, FIPS Publications listing.

  - Key Exchange: The Ephemeral Unified Model and the One-Pass Diffie Hellman
    (referred to as ECDH) -- NIST Special Publication 800-56A (using the curves
    with 256 and 384-bit prime moduli).

  - Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) --
    FIPS PUB 186-3 (using the curves with 256 and 384-bit prime moduli).

  - Hashing: Secure Hash Algorithm (SHA) -- FIPS PUB 180-3 (using SHA-256 and
    SHA-384).

AES with 128-bit keys provides adequate protection for classified information
up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime
modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide
adequate protection for classified information up to the SECRET level. During
the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH,
DSA and RSA can be used with a 2048-bit modulus to protect classified
information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit
prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are
required to protect classified information at the TOP SECRET level. Since some
products approved to protect classified information up to the TOP SECRET level
will only contain algorithms with these parameters, algorithm interoperability
between various products can only be guaranteed by having these parameters as
options.
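The two parameter sets above map directly onto JCA/JCE algorithm names, and the Goals section asks for basic interoperability testing wherever more than one provider implements the same algorithm. The following harness is an added example, not code from JEP 129 or the JDK: it exercises ECDSA, ECDH, SHA-2 and AES for both the SECRET (P-256/SHA-256/AES-128) and TOP SECRET (P-384/SHA-384/AES-256) sets, and for ECDSA it signs with every installed provider that offers the algorithm and verifies with every other one. It assumes a JDK 8 or later runtime (AES/GCM is the AEAD mode the JEP says is tracked separately; on JDK 8 builds before 8u161, AES-256 also needs the unlimited-strength policy files). The message bytes are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example, not code from JEP 129 or the JDK: exercises the two Suite B
 * parameter sets through the standard JCA/JCE API and cross-checks ECDSA
 * between every installed provider that implements it.
 */
public class SuiteBCheck {

    // Constructed sample message; any bytes would do.
    private static final byte[] MSG = "suite b interop check".getBytes(StandardCharsets.UTF_8);

    // Suite B parameter sets: level, curve, digest, ECDSA algorithm, AES key bits.
    private static final String[][] LEVELS = {
        {"SECRET",     "secp256r1", "SHA-256", "SHA256withECDSA", "128"},
        {"TOP SECRET", "secp384r1", "SHA-384", "SHA384withECDSA", "256"},
    };

    public static void main(String[] args) throws GeneralSecurityException {
        for (String[] level : LEVELS) {
            String curve = level[1], digest = level[2], sigAlg = level[3];
            int aesBits = Integer.parseInt(level[4]);
            System.out.println("== " + level[0] + " parameter set ==");
            checkEcdsaAcrossProviders(curve, sigAlg);
            System.out.println("ECDH on " + curve + " agrees: " + checkEcdh(curve));
            System.out.println(digest + " provided by "
                    + MessageDigest.getInstance(digest).getProvider().getName());
            System.out.println("AES-" + aesBits + "/GCM round trip: " + checkAesGcm(aesBits));
        }
    }

    /** Sign with every provider offering sigAlg and verify with every provider, itself included. */
    static void checkEcdsaAcrossProviders(String curve, String sigAlg)
            throws GeneralSecurityException {
        KeyPair kp = generateEcKeyPair(curve);
        // Security.getProviders(filter) returns null when no provider matches the filter.
        Provider[] providers = Security.getProviders("Signature." + sigAlg);
        if (providers == null) {
            System.out.println("no provider implements " + sigAlg);
            return;
        }
        for (Provider signer : providers) {
            Signature s = Signature.getInstance(sigAlg, signer);
            s.initSign(kp.getPrivate());
            s.update(MSG);
            byte[] signature = s.sign();
            for (Provider verifier : providers) {
                try {
                    Signature v = Signature.getInstance(sigAlg, verifier);
                    v.initVerify(kp.getPublic());
                    v.update(MSG);
                    System.out.printf("%s: signed by %s, verified by %s: %b%n",
                            sigAlg, signer.getName(), verifier.getName(), v.verify(signature));
                } catch (GeneralSecurityException e) {
                    // e.g. a provider that cannot accept a software-generated key
                    System.out.printf("%s: signed by %s, verified by %s: FAILED (%s)%n",
                            sigAlg, signer.getName(), verifier.getName(), e);
                }
            }
        }
    }

    /** Two fresh key pairs on the curve must derive the same ECDH shared secret. */
    static boolean checkEcdh(String curve) throws GeneralSecurityException {
        KeyPair a = generateEcKeyPair(curve);
        KeyPair b = generateEcKeyPair(curve);
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(a.getPrivate());
        ka.doPhase(b.getPublic(), true);
        byte[] secretA = ka.generateSecret();
        ka.init(b.getPrivate());
        ka.doPhase(a.getPublic(), true);
        byte[] secretB = ka.generateSecret();
        return Arrays.equals(secretA, secretB);
    }

    /** AES-GCM encrypt/decrypt round trip with a fresh random key and a 96-bit IV. */
    static boolean checkAesGcm(int keyBits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(keyBits);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ciphertext = cipher.doFinal(MSG);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return Arrays.equals(cipher.doFinal(ciphertext), MSG);
    }

    private static KeyPair generateEcKeyPair(String curve) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec(curve));
        return kpg.generateKeyPair();
    }
}
```

Run it with only the default providers and every ECDSA line is signed and verified by SunEC; register a SunPKCS11 provider (or any third-party provider) in java.security and the same harness produces the cross-provider matrix the Goals section calls for. A FAILED line points at a provider pair that cannot exchange keys or signatures, which is exactly the interoperability defect the JEP wants caught before shipping.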

Another suite of NSA cryptography, Suite A, contains some classified algorithms
that will not be released. Suite A will be used for the protection of some
categories of especially sensitive information.

NSA Suite B Cryptography also provides guidance for using Suite B cryptography
with internet protocols:

  - Internet Protocol Security (IPsec) Minimum Essential Interoperability
    Requirements (IPMEIR) is being implemented in government equipment to
    foster interoperability with commercial industry. IPMEIR Version 1.0.0
    Core, dated 31 May 2010 and Elliptic Curve Cryptography Groups IPMEIR IS
    Version 1.0, dated 13 May 2010 support the Commercial Interoperability
    Specification Suite B Strategy by providing commercial IPsec network
    product producers and traditional government network encryptor vendors with
    minimum interoperability requirements.

  - IPsec using the Internet Key Exchange (IKE) or IKEv2: "Suite B Cryptography
    for IPsec", RFC 4869

  - TLS: "Suite B Cipher Suites for TLS", RFC 5430

  - TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter
    Mode (GCM)

  - S/MIME: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)",
    RFC 5008

  - SSH: "AES Galois Counter Mode for the Secure Shell Transport Layer
    Protocol", draft-igoe-secsh-aes-gcm-02.txt

  - Protocol profiles will be developed to aid in the selection of options to
    promote interoperability. NIST has developed an IPsec profile, NIST Special
    Publication 500-267, "A Profile for IPv6 in the U.S. Government -- Version
    1.0".

This JEP does not propose to implement this protocol guidance.

At the crypto provider level, the only implementations missing that need to be
supported are:

  - SUN/SunJCE/SunEC/SunPKCS11: Add OIDs for the supported algorithms.

  - SUN provider: Support DSA key sizes (L, N), where L is the bit length of p
    and N is the bit length of q: (2048, 224) and (2048, 256). Support for the
    (3072, 256) pair isn't included in this effort, but can be added later if
    the need arises.

  - SunJCE provider: Support for the AES cipher with GCM and CCM modes. (Note:
    this is being tracked by a separate JEP, Support AEAD CipherSuites.)

At the Java API level, we will need to add a DSA API that accepts both L and N
and passes them to the underlying provider implementations.  Currently only L
can be specified, e.g., through DSAKeyPairGenerator.
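The API gap described above is what an explicit (L, N) parameter spec closes: the caller names both the length of p and the length of q, and the provider generates domain parameters for that pair rather than picking N from L. The following is an added example, not code from JEP 129 or the JDK; it assumes a JDK 8 or later runtime whose SUN provider accepts java.security.spec.DSAGenParameterSpec for DSA parameter generation and offers the SHA224withDSA and SHA256withDSA signature algorithms, and it uses the two (L, N) pairs the JEP commits to. The message bytes are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAGenParameterSpec;
import java.security.spec.DSAParameterSpec;

/**
 * Added example, not code from JEP 129 or the JDK: generates DSA domain
 * parameters for an explicit (L, N) pair, builds a key pair on them, and signs
 * with the DSA variant whose digest length matches N.
 */
public class DsaLnExample {

    /** Generates DSA parameters with an L-bit p and an N-bit q, then a key pair on them. */
    static KeyPair generateDsaKeyPair(int l, int n) throws GeneralSecurityException {
        AlgorithmParameterGenerator apg = AlgorithmParameterGenerator.getInstance("DSA");
        apg.init(new DSAGenParameterSpec(l, n));        // both L and N, not just L
        AlgorithmParameters params = apg.generateParameters();
        DSAParameterSpec spec = params.getParameterSpec(DSAParameterSpec.class);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(spec);                           // keys live in the generated group
        return kpg.generateKeyPair();
    }

    /** Signs and verifies a message with the given DSA signature algorithm. */
    static boolean signAndVerify(KeyPair kp, String sigAlg, byte[] msg)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(kp.getPublic());
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "dsa (L, N) check".getBytes(StandardCharsets.UTF_8);   // constructed
        int[][] pairs = { {2048, 224}, {2048, 256} };
        for (int[] ln : pairs) {
            KeyPair kp = generateDsaKeyPair(ln[0], ln[1]);
            DSAParams p = ((DSAPublicKey) kp.getPublic()).getParams();
            // FIPS 186-3 pairs the hash length with N: SHA224withDSA for N=224, SHA256withDSA for N=256.
            String sigAlg = "SHA" + ln[1] + "withDSA";
            System.out.printf("L=%d N=%d -> p has %d bits, q has %d bits, %s verifies: %b%n",
                    ln[0], ln[1], p.getP().bitLength(), p.getQ().bitLength(),
                    sigAlg, signAndVerify(kp, sigAlg, msg));
        }
    }
}
```

Generating fresh 2048-bit DSA domain parameters is slow (it is a prime search, and can take well over a minute per pair), which is why deployments normally generate parameters once and reuse them; the bit-length check on p and q in the output confirms the provider honoured the requested pair rather than silently substituting its default N for the given L.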


Testing
-------

Need to add:

  1. Regression Tests: known-answer tests to validate the implementation of the
     new algorithms.

  2. SQE/Product Tests: Interoperability tests for algorithms commonly
     supported by multiple crypto providers.
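A known-answer test of the kind item 1 asks for checks a provider's output against a published vector rather than against itself. The following is an added example, not code from JEP 129 or the JDK test suite: it runs the single-block AES vectors from FIPS 197 Appendix C (C.1 for a 128-bit key, C.3 for a 256-bit key) and the "abc" examples from FIPS 180 for SHA-256 and SHA-384 through the default providers. AES/ECB/NoPadding is used only because one raw block invocation is what the FIPS 197 vector specifies; it is not a mode for protecting data. It assumes a JDK 8 or later runtime (the 256-bit key needs the unlimited-strength policy on JDK 8 builds before 8u161).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not code from JEP 129 or the JDK test suite: known-answer tests
 * for the Suite B primitives, using the published vectors from FIPS 197 Appendix C
 * (single-block AES) and the "abc" examples of FIPS 180.
 */
public class SuiteBKnownAnswerTest {

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** One raw AES block with the given key must match the expected FIPS 197 output. */
    static boolean aesBlockKat(String keyHex, String ptHex, String expectedHex)
            throws GeneralSecurityException {
        // ECB/NoPadding on exactly one block is the bare block function FIPS 197 defines.
        Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(hex(keyHex), "AES"));
        return Arrays.equals(c.doFinal(hex(ptHex)), hex(expectedHex));
    }

    /** Digest of an ASCII input must match the expected FIPS 180 value. */
    static boolean digestKat(String alg, String input, String expectedHex)
            throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance(alg).digest(input.getBytes(StandardCharsets.US_ASCII));
        return hex(d).equals(expectedHex);
    }

    static boolean report(String name, boolean pass) {
        System.out.println((pass ? "PASS " : "FAIL ") + name);
        return pass;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String pt = "00112233445566778899aabbccddeeff";      // FIPS 197 Appendix C plaintext
        boolean ok = true;
        ok &= report("AES-128 (FIPS 197 C.1)", aesBlockKat(
                "000102030405060708090a0b0c0d0e0f", pt,
                "69c4e0d86a7b0430d8cdb78070b4c55a"));
        ok &= report("AES-256 (FIPS 197 C.3)", aesBlockKat(
                "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", pt,
                "8ea2b7ca516745bfeafc49904b496089"));
        ok &= report("SHA-256(\"abc\")", digestKat("SHA-256", "abc",
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"));
        ok &= report("SHA-384(\"abc\")", digestKat("SHA-384", "abc",
                "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
                + "8086072ba1e7cc2358baeca134c825a7"));
        System.out.println(ok ? "all known-answer tests passed" : "KAT FAILURE");
        if (!ok) System.exit(1);
    }
}
```

Because the expected values come from the standards rather than from the JDK itself, a failure here means the provider (or the native library behind SunPKCS11, if it has been set as the preferred provider) computes the wrong function, which is the class of defect a regression test must catch and an interoperability test alone cannot.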


Risks and Assumptions
---------------------

Intellectual Property: A key aspect of Suite B Cryptography is its use of
elliptic curve technology instead of classic public key technology.  In order
to facilitate adoption of Suite B by industry, NSA has licensed the rights to
26 patents held by Certicom, Inc., covering a variety of elliptic curve
technology. Under the license, NSA has the right to grant a sublicense to
vendors building certain types of products or components that can be used for
protecting national security information. More information is available
[here](http://www.nsa.gov/ia/contacts/index.shtml).


Impact
------

  - Doc: Need to update all relevant security whitepapers, provider docs, and
    reference guides with the newly supported algorithms.

  - Legal: Need to update the list of supported crypto algorithms for export
    control paperwork.