The SafeLogic Blog

I'm asked about Suite B at least once per week.  The questions usually come from customers and end users (non-Federal, mainly healthcare, actually).  So let's talk about what Suite B really is, and how it pertains to federal and private sector enterprises.

Suite B is the designation for the collection of commercial algorithms deemed acceptable by the NSA for processing data in classified environments.  Suite A is also a collection of algorithms used to protect information in a classified environment, but unlike Suite B, the algorithms themselves are classified in Suite A.  So don't expect any future blog posts discussing those!

The Suite B algorithms are as follows:

• Encryption: Advanced Encryption Standard (AES) - FIPS PUB 197 with key sizes of 128 and 256 bits in CBC or GCM mode
• Hashing: Secure Hash Algorithm (SHA) - FIPS PUB 180-4 when using SHA-256 and SHA-384
• Key Exchange: Elliptic Curve Diffie Hellman: NIST Special Publication 800-56A when using curves with 256- and 384-bit prime moduli
• Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) – FIPS PUB 186-3 when using the curves with 256- and 384-bit prime moduli

In the words of SafeLogic's technical advisor Whit Diffie, “The importance of validating cryptographic implementation is second to nothing in information security.”  Implementations should be validated in accordance with the National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, Revised Fact Sheet National Information Assurance Acquisition Policy, the details of which are highlighted.

Beyond the mechanisms specified in NSTISSP No. 11, there are no third-party certification programs for Suite B compliance.  Currently, the only affirmation of compliance comes from the vendor themselves... something to keep in mind when evaluating a crypto solution.

About Suite B and FIPS 140

Suite B and FIPS 140 are complementary but completely different programs.  FIPS 140 is the technical standard that specifies requirements for cryptographic modules (self tests, integrity checks, key management, etc.).  Suite B is the collection of non-classified algorithms deemed acceptable for use in classified environments/applications.  Suite B does not imply FIPS 140 conformance, just as FIPS 140 doesn't imply Suite B conformance.  Suite B algorithms are included among those approved by NIST for use in FIPS 140, but there are others available as well.

Ray, What's the Point?

My point is simply this: by electing to use Suite B algorithms, you are assured of the highest level of encryption.  They are approved for use  in FIPS 140 validated solutions, which in turn makes them suitable for FISMA and other standards.  There is no scenario in enterprise or consumer usage in which Suite B algorithms are not appropriate.

My mother used to tell me that it was always better to be overdressed than underdressed.  While James Bond's tuxedo wasn't ideal for chasing down bad guys with machine guns, Rambo would never have made it past the door of the diplomatic cocktail party that 007 blended right into.

Suite B is Bond's tuxedo - timeless, classic, and it will get you wherever you need to go.  When implemented with proper key management and other controls, these algorithms have been chosen to protect your information better than any other commercially available option out there.