Important News:SafeLogic's CryptoComply Achieves FIPS 140-3 Validation for 28 OEs and Receives Certificate #4781! Read the blog post!
The SafeLogic Blog
Let's talk about Suite B
May 21, 2013 •Ray Potter
I'm asked about Suite B at least once per week. The questions usually come from customers and end users (non-Federal, mainly healthcare, actually). So let's talk about what Suite B really is, and how it pertains to federal and private sector enterprises.
Suite B is the designation for the collection of commercial algorithms deemed acceptable by the NSA for processing data in classified environments. Suite A is also a collection of algorithms used to protect information in a classified environment, but unlike Suite B, the algorithms themselves are classified in Suite A. So don't expect any future blog posts discussing those!
The Suite B algorithms are as follows:
- Encryption: Advanced Encryption Standard (AES) - FIPS PUB 197 with key sizes of 128 and 256 bits in CBC or GCM mode
- Hashing: Secure Hash Algorithm (SHA) - FIPS PUB 180-4 when using SHA-256 and SHA-384
- Key Exchange: Elliptic Curve Diffie Hellman: NIST Special Publication 800-56A when using curves with 256- and 384-bit prime moduli
- Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) – FIPS PUB 186-3 when using the curves with 256- and 384-bit prime moduli
In the words of SafeLogic's technical advisor Whit Diffie, “The importance of validating cryptographic implementation is second to nothing in information security.” Implementations should be validated in accordance with the National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, Revised Fact Sheet National Information Assurance Acquisition Policy, the details of which are highlighted.
Beyond the mechanisms specified in NSTISSP No. 11, there are no third-party certification programs for Suite B compliance. Currently, the only affirmation of compliance comes from the vendor themselves... something to keep in mind when evaluating a crypto solution.
About Suite B and FIPS 140
Suite B and FIPS 140 are complementary but completely different programs. FIPS 140 is the technical standard that specifies requirements for cryptographic modules (self tests, integrity checks, key management, etc.). Suite B is the collection of non-classified algorithms deemed acceptable for use in classified environments/applications. Suite B does not imply FIPS 140 conformance, just as FIPS 140 doesn't imply Suite B conformance. Suite B algorithms are included among those approved by NIST for use in FIPS 140, but there are others available as well.
Ray, What's the Point?
My point is simply this: by electing to use Suite B algorithms, you are assured of the highest level of encryption. They are approved for use in FIPS 140 validated solutions, which in turn makes them suitable for FISMA and other standards. There is no scenario in enterprise or consumer usage in which Suite B algorithms are not appropriate.
My mother used to tell me that it was always better to be overdressed than underdressed. While James Bond's tuxedo wasn't ideal for chasing down bad guys with machine guns, Rambo would never have made it past the door of the diplomatic cocktail party that 007 blended right into.
Suite B is Bond's tuxedo - timeless, classic, and it will get you wherever you need to go. When implemented with proper key management and other controls, these algorithms have been chosen to protect your information better than any other commercially available option out there.
Ray Potter
Ray Potter is the Founder of SafeLogic, which was spun off from his previous venture, the Apex Assurance Group consulting firm. He brings over 20 years of security and compliance experience, including leading teams at Cisco and Ernst & Young, to the operations team at SafeLogic. Ray loves playing guitar and flying airplanes.
Popular Posts
Search for posts
Tags
- FIPS 140 (111)
- FIPS validation (85)
- Encryption (70)
- cryptography (68)
- NIST (62)
- CryptoComply (60)
- SafeLogic (58)
- Industry News (54)
- cryptographic module (51)
- Conversations (49)
- CMVP (48)
- RapidCert (46)
- compliance (41)
- Ray Potter (33)
- SafeLogic News (33)
- Event (27)
- federal (27)
- CAVP (23)
- Cybersecurity (23)
- FIPS 140-3 (18)
- OpenSSL (16)
- government (14)
- FedRAMP (13)
- CryptoCompact (12)
- Cryptology (12)
- DoD (12)
- RSA (12)
- healthcare (12)
- partners (12)
- NSA (11)
- post-quantum cryptography (11)
- Cloud (9)
- PQC (9)
- security (9)
- CMMC (8)
- Suite B (8)
- testing (8)
- whitepaper (8)
- Approved Products List (APL) (6)
- HITECH (6)
- ICMC (6)
- lab (6)
- CEO (5)
- NIST 800-171 (5)
- NIST 800-53 (5)
- OpenSSL 3.0 (5)
- iOS (5)
- procurement (5)
- C3PAO (4)
- Common Criteria (4)
- HITECH Act (4)
- deadline (4)
- encrypt (4)
- innovation (4)
- procure (4)
- public sector (4)
- Air Force (3)
- BSAFE (3)
- DFARS (3)
- HIPAA Safe Harbor (3)
- HITECH Safe Harbor (3)
- OpenSSL 1.1.1 (3)
- OpenSSL 3.x (3)
- POA&M (3)
- TLS 1.3 (3)
- magazine (3)
- queue (3)
- transition (3)
- 3PAO (2)
- ACVP (2)
- BAA (2)
- CIO (2)
- CSP (2)
- Cyber Defense Magazine (2)
- Defense Industrial Base (2)
- HIPAA security controls (2)
- Historical Status (2)
- MFA (2)
- OpenSSL 1.0.2 (2)
- SPRS (2)
- StateRAMP (2)
- entropy (2)
- excellence (2)
- finance (2)
- founder (2)
- gold (2)
- leader (2)
- maturity (2)
- overlap (2)
- pilot (2)
- rsa conference (2)
- solution (2)
- sponsors (2)
- sunset (2)
- vendor (2)
- year (2)
- Active Status (1)
- Alliance for Digital Innovation (1)
- Android (1)
- CIO Prime Views (1)
- DHS (1)
- DIU (1)
- DIUx (1)
- DOJ (1)
- DoDIN APL (1)
- Entropy Source Validation (1)
- FCA (1)
- FIPS Compliance (1)
- FISMA (1)
- GSA (1)
- HITRUST (1)
- Matt Cornelius (1)
- Matthew Cornelius (1)
- Maturity Model (1)
- NCCoE (1)
- OMB (1)
- SLED (1)
- SP800-131A (1)
- SP800-90A (1)
- TLS 1.1 (1)
- background (1)
- best (1)
- co-founder (1)
- codies (1)
- congress (1)
- cybertech (1)
- education (1)
- elliptic curve cryptography (1)
- extended (1)
- faq (1)
- fintech (1)
- fiscal (1)
- fiscal year (1)
- fraud (1)
- globee (1)
- hill (1)
- interview (1)
- kratos (1)
- libgcrypt (1)
- national cybersecurity strategy (1)
- opportunities (1)
- parallel (1)
- profile (1)
- public (1)
- representatives (1)
- reseller (1)
- senate (1)
- senators (1)
- simplify (1)
- state (1)
- stealth mode (1)
- story (1)
- terminology (1)
- trophy (1)
- whistleblower (1)
- whistleblowing (1)