Technical Summary
The United States Government has published guidelines for
"NSA Suite B Cryptography", which defines cryptographic
algorithm policy for national security applications. This
document defines a profile of TLS which is conformant with
Suite B.
Working Group Summary
This document is not the product of any IETF working group.
Document Quality
This document explains the requirements for a TLS implementation
to be considered "Suite B conformant". There is strong consensus
from the people that are defining that term.
Personnel
Russ Housley (housley@vigilsec.com) is the Document Shepherd.
Sean Turner (turners@ieca.com) is the Responsible Area Director.
RFC Editor Note
Please make the following changes:
1) page 7: ClientHellomessage -> ClientHello message
2) Make the existing Annex as Annex A and add the following as Annex B:
Annex B: Changes Since RFC 5430
The changes from RFC 5430 [RFC5430] are:
- Moved the transitional profile for use with TLS version 1.0, TLS version 1.1
and DTLS version 1.0 to an Annex.
- Removed the requirement of section 4 of RFC 5430 that a Suite B TLS 1.2
Client offer the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 or
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 cipher suites.
- A Suite B TLS system configured at a minimum level of security of 128 bits MUST use
either use TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
with the first being preferred.
- A Suite B TLS system configured at a minimum level of security of 128 bits MUST
use either ECDSA on the secp256r1 curve with SHA-256 or ECDSA on the secp384r1 curve with SHA-384.
One party can authenticate with ECDSA on the secp256r1 curve and SHA-256 when the other party
authenticates with ECDSA on the secp384r1 curve and SHA-384.
- A system desiring to negotiate a Suite B TLS connection at a minimum level of security of 128 bits
MUST generate a "Supported Elliptic Curves Extension", MUST include secp256r1 in the extension and
SHOULD include secp384r1 in the extension.
- A client and server, in order to verify digital signatures in a Suite B TLS system configured
at a minimum level of security of 128 bits, MUST support secp256r1 and SHOULD support secp384r1.
- A Suite B TLS client configured at a minimum level of security of 128 bits MUST offer
SHA-256 with ECDSA and SHOULD offer SHA-384 with ECDSA in the signature_algorithms extension.
- Certification path validation MUST only include certificates containing an ECDSA public key on the
secp256r1 curve or on the secp384r1 curve. The ECDSA public keys used in the certification path MUST be
in non-descending order of size from the end entity public key to the root public key.
- A Suite B TLS server configured at a minimum level of security of 128 bits MUST include ECDSA with
SHA-256 and SHOULD include ECDSA with SHA-384 in the supported_signature_algorithms field of the
CertificateRequest message.
- A Suite B TLS client configured at a minimum level of security of 128 bits MUST use ECDSA on the
secp256r1 curve and SHA-256 or ECDSA on the secp384r1 curve and SHA-384.
- A Suite B TLS server configured at a minimum level of security of 128 bits MUST use either ECDSA on the
secp256r1 curve and SHA-256 or ECDSA on the secp384r1 curve and SHA-384 when signing the
ServerKeyExchange message.