Trusted Mobility Solutions



Cryptomodernization and Suite B

Public key cryptography has become ubiquitous. As time passes, however, longer keys and stronger algorithms become essential for long-term information assurance. SPYRUS solves this critical problem with our support for the U.S. Government Suite B standard for cryptographic algorithms.

The new cryptographic algorithms are significantly faster and more compact, and are secure enough to protect sensitive and even some classified data for at least 50 years. SPYRUS recommends that users migrate away from RSA, triple-DES, and MD5/SHA-1 algorithms to the newer algorithms, including elliptic curve cryptography (ECC), AES, and SHA-2. SPYRUS is the first company to support these algorithms across its entire product line.



Information Security for the Future

The War on Terror has highlighted the need for our federal, state and local government agencies to communicate quickly and securely with one another and with our international allies. The information to be exchanged can have different levels of sensitivity: some information may be classified, some unclassified but sensitive, and some information intended for public dissemination must first be validated as authentic.

To address these and other issues, the U.S. Government has initiated a cryptographic modernization program. Classified Suite A algorithms are required for U.S. Government-internal use. Unclassified Suite B algorithms can be used to protect unclassified and classified data; to facilitate information sharing across federal, state, and local governments; and with our allies and multinational coalition partners.

The Suite B Algorithms: ECC, AES, and SHA-2

The U.S. Department of Defense (DoD) understands that although sensitive data must be protected for decades, there is also a current need to share information securely with other agencies. The National Security Agency (NSA) has taken unprecedented steps to enable secure information sharing at both domestic and international levels.

In June 2003, the NSA announced that for particular applications, NSA-approved implementations of the Advanced Encryption Standard AES-128 algorithm could be used to protect classified information up to the Secret level, and AES-192 and AES-256 could be used to protect Top Secret data. In October 2003, the NSA licensed 26 key patents in the field of elliptic curve cryptography from Certicom, Inc., for national-security-related applications, involving key sizes over 255 bits and FIPS 140-2 certification, among other requirements. At the 2005 RSA Conference, the NSA announced that the unclassified Suite B algorithms can be authorized for multinational and domestic information sharing of Secret and Top Secret data with P-384 ECC keys, using the EC Diffie-Hellman key establishment scheme, the ECDSA digital signature algorithm, SHA-384, and AES-256. For FOUO, SBU, LEO, and similar unclassified but sensitive data, P-256 ECC keys, SHA-256, and AES-128 are required. A minimum of P-256, SHA-256, and AES-128 is also recommended for most commercial applications, although very long-term data storage may benefit from the stronger key lengths.
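The two parameter sets described above can be exercised end to end. The following is an added example, not SPYRUS code: it runs EC Diffie-Hellman, ECDSA, SHA-2 and AES at each level using Node.js's built-in crypto module. The level names, the use of GCM as the AES mode, and the hash-and-truncate key derivation are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

// The two Suite B levels named in the text. GCM as the AES mode and the
// level names themselves are assumptions of this example.
const SUITE_B = {
  secretAndTopSecret: { curve: 'secp384r1', hash: 'sha384', cipher: 'aes-256-gcm', keyBytes: 32 },
  sensitiveUnclassified: { curve: 'prime256v1', hash: 'sha256', cipher: 'aes-128-gcm', keyBytes: 16 },
};

// Simplified KDF (assumption): hash the ECDH shared secret, keep keyBytes of it.
function deriveKey(p, own, peerPublic) {
  const secret = own.computeSecret(peerPublic);
  return crypto.createHash(p.hash).update(secret).digest().subarray(0, p.keyBytes);
}

// Sender: encrypt with AES-GCM, then sign iv || ciphertext || tag with ECDSA.
function seal(p, key, signingKey, message) {
  const iv = crypto.randomBytes(12);
  const enc = crypto.createCipheriv(p.cipher, key, iv);
  const body = Buffer.concat([enc.update(message), enc.final()]);
  const box = Buffer.concat([iv, body, enc.getAuthTag()]);
  return { box, sig: crypto.sign(p.hash, box, signingKey) };
}

// Receiver: verify the signature first, then decrypt; throws on any failure.
function open(p, key, verifyKey, { box, sig }) {
  if (!crypto.verify(p.hash, box, verifyKey, sig)) throw new Error('bad signature');
  const dec = crypto.createDecipheriv(p.cipher, key, box.subarray(0, 12));
  dec.setAuthTag(box.subarray(box.length - 16));
  return Buffer.concat([dec.update(box.subarray(12, box.length - 16)), dec.final()]);
}

// One sender-to-receiver transfer with freshly generated keys for a level.
function demo(level, text) {
  const p = SUITE_B[level];
  const a = crypto.createECDH(p.curve), b = crypto.createECDH(p.curve);
  a.generateKeys(); b.generateKeys();
  const kA = deriveKey(p, a, b.getPublicKey()); // sender's view of the key
  const kB = deriveKey(p, b, a.getPublicKey()); // receiver's view of the key
  const signer = crypto.generateKeyPairSync('ec', { namedCurve: p.curve });
  const sealed = seal(p, kA, signer.privateKey, Buffer.from(text));
  const tampered = { box: Buffer.from(sealed.box), sig: sealed.sig };
  tampered.box[12] ^= 1; // flip one bit after the IV
  let rejected = false;
  try { open(p, kB, signer.publicKey, tampered); } catch { rejected = true; }
  return { keyBits: kB.length * 8, rejected,
           plaintext: open(p, kB, signer.publicKey, sealed).toString() };
}

console.log(demo('secretAndTopSecret', 'constructed sample message'));
```

A production design would replace the hash-and-truncate step with a standardized key derivation function and bind the signing key to an identity through a certificate.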

ECC Performance Advantages

From both size and performance standpoints for equivalent security and information assurance, elliptic curve cryptography is the best choice for reasons such as the following.
  • ECC operations are far faster than their RSA equivalents. The time required for an RSA decryption or signature operation increases with the cube of the key size. Increasing the key length from 1024 bits to 15,360 bits takes 15³, or 3,375, times as long. The time required for an ECC key agreement operation also increases with the cube of the key size, but going from the equivalent 163-bit ECC key to 521 bits takes only 32 times as long.
  • If long-term, high-strength security is the most important factor, the benefits of ECC are even more pronounced. For greatest security, private key operations must be confined to hardware tokens, including smart cards and hardware security modules (HSMs). These devices are limited in available RAM and computational power. Generating an 8,192-bit or 15,360-bit RSA key on such devices is completely impractical. Generating a P-521 key on a LYNKS HSM or Rosetta Series II security device, on the other hand, requires only a few seconds, and P-384 and P-256 operations are even faster.

SPYRUS Support for the Global Information Grid and Commercial Markets

Although the need for government security for storing and sharing information is vitally important, it is no less important for many commercial and private organizations to have the same protection. The privacy and authenticity of medical information, adoption records, sealed court records, witness protection information, and census records all require the strongest cryptographic algorithms available, and regulations require security for many decades.

SPYRUS anticipates that the Suite B algorithms will be broadly accepted within government and commercial organizations worldwide and will set the standard for years to come.

The entire SPYRUS product line supports Suite B, including the Rosetta Series II USB and Smart Card security devices, the LYNKS Series II HSM (PCMCIA and USB), the Hydra Privacy Card Series II, En-Sign Security Device Management software, Security In A Box, and Signal Identity Manager.






© 1996–2010 SPYRUS, Inc.