The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the top secret level, while the NSA plans for a transition to quantum-resistant cryptography.[1] [2] [3] [4] [5] [6]
The suite includes:
The CNSA transition is notable for moving RSA from a temporary legacy status, as it appeared in Suite B, to supported status. It also did not include the Digital Signature Algorithm. This, and the overall delivery and timing of the announcement, in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons.[7] [8] [9]
In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms.[10]
CNSA 2.0 includes:
Note that compared to CNSA 1.0, CNSA 2.0:
The CNSA 2.0 and CNSA 1.0 algorithms, detailed functions descriptions, specifications, and parameters are below:[11]
CNSA 2.0
Algorithm | Function | Specification | Parameters | |
---|---|---|---|---|
Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. | |
CRYSTALS-Kyber | Asymmetric algorithm for key establishment | TBD | Use Level V parameters for all classification levels. | |
CRYSTALS-Dilithium | Asymmetric algorithm for digital signatures | TBD | Use Level V parameters for all classification levels. | |
Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 or SHA-512 for all classification levels. | |
Leighton-Micali Signature (LMS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. SHA256/192 recommended. | |
Xtended Merkle Signature Scheme (XMSS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. |
CNSA 1.0
Algorithm | Function | Specification | Parameters | |
---|---|---|---|---|
Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. | |
Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm for key establishment | NIST SP 800-56A | Use Curve P-384 for all classification levels. | |
Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Use Curve P-384 for all classification levels. | |
Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 for all classification levels. | |
Diffie-Hellman (DH) Key Exchange | Asymmetric algorithm for key establishment | IETF RFC 3526 | Minimum 3072-bit modulus for all classification levels | |
[Rivest-Shamir-Adleman] RSA | Asymmetric algorithm for key establishment | FIPS SP 800-56B | Minimum 3072-bit modulus for all classification levels | |
[Rivest-Shamir-Adleman] RSA | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Minimum 3072-bit modulus for all classification levels |