
1 Cryptographical Strength
• Cryptographical strength needed today
• Equivalent cryptographical strength

1.1 NSA Suite B
• NSA Suite B with 128 bit strength
• NSA Suite B with 192 bit strength
• Microsoft Windows with Suite B support
• strongSwan VPN solution with Suite B support
• NIST versus Brainpool ECC standard curves

1.2 Elliptic Curves
• What are elliptic curves?
• Cryptographic applications for elliptic curves
• ECDH, ECDSA, ECIES

1.3 Authenticated Encryption with Associated Data (AEAD)
• Highly parallel encryption and authentication in a single pass
• AES-GCM, AES-CCM, CAMELLIA-GCM, CAMELLIA-CCM
• AES-GMAC (authentication only with NULL encryption)


NSA Suite B Homepage
• http://www.nsa.gov/ia/programs/suiteb_cryptography/

The NSA comprises two [conflicting] divisions:
• Signals Intelligence (SIGINT)
• Information Assurance (IA)
The NSA documents leaked by William Snowden leave us with big doubts whether the IA branch can work independently of the SIGINT division.

Abbreviations
• GOTS: Government Off-The-Shelf
• COTS: Commercial Off-The-Shelf


Introducing Compliance to Suite B Cryptography
• http://technet.microsoft.com/en-us/library/dd566200%28WS.10%29.aspx

netsh Commands for Windows Firewall with Advanced Security
• http://technet.microsoft.com/en-us/library/cc771920%28WS.10%29.aspx

strongSwan Open Source Project
• http://www.strongswan.org

Suite B Interoperability with Microsoft Windows
• http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB

Elliptic Curve Sets
• NIST ECC standard curves, defined in FIPS 186-4 and used in NSA Suite B: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
• Brainpool ECC standard curves, defined by the Brainpool Group (BSI et al.): http://www.ecc-brainpool.org/download/Domain-parameters.pdf


Cryptographic Applications
• The following ECC algorithms have been defined:
  • ECDH (Elliptic Curve Diffie-Hellman) for shared secret exchange (key agreement)
  • ECIES (Elliptic Curve Integrated Encryption Scheme) for public key encryption
  • ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures
• Elliptic curve certificates based on the X.509 standard can either be ordered from several trust centers (e.g. Certicom) or can be generated with OpenSSL 0.9.8.
• A set of 5 prime-based elliptic curves has been standardized by NIST: http://csrc.nist.gov/groups/ST/toolkit/documents/dss/NISTReCur.pdf
• Several ECC cipher suites based on the NIST curves have been defined for the TLS secure transport layer and for IPsec.
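As an added example (not code from the slides, strongSwan or Windows), the following Go program runs the two ECC primitives named above on the NIST curves at both Suite B levels: ECDH key agreement between two freshly keyed parties, and an ECDSA signature that is verified against the original message and then against a message with one bit flipped. It uses only Go's standard library. The pairing of P-256 with SHA-256 for the 128 bit level and P-384 with SHA-384 for the 192 bit level is the Suite B assignment; the function and type names (`levelFor`, `ecdhAgree`, `ecdsaSignVerify`) and the sample message are the example's own.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
)

// suiteBLevel bundles the curve and hash that Suite B pairs at one
// security level: P-256 with SHA-256 (128 bit) or P-384 with SHA-384 (192 bit).
type suiteBLevel struct {
	kexCurve ecdh.Curve          // curve used for ECDH key agreement
	sigCurve elliptic.Curve      // the same curve, in the form crypto/ecdsa expects
	hash     func([]byte) []byte // message digest computed before signing
}

// levelFor returns the Suite B parameter set for 128 or 192 bits of strength.
func levelFor(bits int) (suiteBLevel, error) {
	switch bits {
	case 128:
		return suiteBLevel{ecdh.P256(), elliptic.P256(),
			func(b []byte) []byte { h := sha256.Sum256(b); return h[:] }}, nil
	case 192:
		return suiteBLevel{ecdh.P384(), elliptic.P384(),
			func(b []byte) []byte { h := sha512.Sum384(b); return h[:] }}, nil
	}
	return suiteBLevel{}, fmt.Errorf("no Suite B parameter set for %d-bit strength", bits)
}

// ecdhAgree runs a complete ECDH exchange between two freshly keyed parties
// and returns both derived secrets so the caller can confirm they agree.
// The raw secret would normally be fed to a KDF before use as a key.
func ecdhAgree(bits int) (secretA, secretB []byte, err error) {
	lvl, err := levelFor(bits)
	if err != nil {
		return nil, nil, err
	}
	alice, err := lvl.kexCurve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bob, err := lvl.kexCurve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Each side combines its own private key with the peer's public key;
	// only the public keys ever cross the wire.
	if secretA, err = alice.ECDH(bob.PublicKey()); err != nil {
		return nil, nil, err
	}
	if secretB, err = bob.ECDH(alice.PublicKey()); err != nil {
		return nil, nil, err
	}
	return secretA, secretB, nil
}

// ecdsaSignVerify signs msg with a fresh key at the given level, verifies the
// signature against the original message and then against a copy with one
// bit flipped. A correct implementation returns (true, false, nil).
func ecdsaSignVerify(bits int, msg []byte) (okOriginal, okTampered bool, err error) {
	if len(msg) == 0 {
		return false, false, fmt.Errorf("empty message")
	}
	lvl, err := levelFor(bits)
	if err != nil {
		return false, false, err
	}
	priv, err := ecdsa.GenerateKey(lvl.sigCurve, rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, lvl.hash(msg))
	if err != nil {
		return false, false, err
	}
	okOriginal = ecdsa.VerifyASN1(&priv.PublicKey, lvl.hash(msg), sig)
	tampered := append([]byte(nil), msg...)
	tampered[0] ^= 0x01
	okTampered = ecdsa.VerifyASN1(&priv.PublicKey, lvl.hash(tampered), sig)
	return okOriginal, okTampered, nil
}

func main() {
	for _, bits := range []int{128, 192} {
		a, b, err := ecdhAgree(bits)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ECDH %d-bit level: %d-byte secret, peers agree: %v\n",
			bits, len(a), string(a) == string(b))
		// Constructed sample message, not taken from any real protocol.
		ok, bad, err := ecdsaSignVerify(bits, []byte("constructed sample message"))
		if err != nil {
			panic(err)
		}
		fmt.Printf("ECDSA %d-bit level: original verifies=%v, tampered verifies=%v\n", bits, ok, bad)
	}
}
```

The shared secret is the x-coordinate of the agreed point, so it is 32 bytes on P-256 and 48 bytes on P-384; that size difference is the visible side of the strength levels listed in the outline.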

NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007
• http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

This Recommendation specifies an algorithm called Galois/Counter Mode (GCM) for authenticated encryption with associated data. GCM is constructed from an approved symmetric key block cipher with a block size of 128 bits, such as the Advanced Encryption Standard (AES) algorithm. Thus, GCM is a mode of operation of the AES algorithm. GCM provides assurance of the confidentiality of data using a variation of the Counter mode of operation for encryption. GCM provides assurance of the authenticity of the confidential data (up to about 64 gigabytes per invocation) using a universal hash function that is defined over a binary Galois (i.e., finite) field. GCM can also provide authentication assurance for additional data (of practically unlimited length per invocation) that is not encrypted. If the GCM input is restricted to data that is not to be encrypted, the resulting specialization of GCM, called GMAC, is simply an authentication mode on the input data. In the rest of this document, statements about GCM also apply to GMAC. The two functions of GCM are called authenticated encryption and authenticated decryption. Each of these functions is relatively efficient and parallelizable; consequently, high-throughput implementations are possible in both hardware and software.

IPsec ESP Overhead: 8 octet IV, 16/12/8 octet authentication tag
• RFC 4106 “The Use of Galois/Counter Mode (GCM) in IPsec ESP”
• RFC 4309 “Using AES CCM Mode with IPsec ESP”
• RFC 4312 “The Camellia Cipher Algorithm and Its Use With IPsec”
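As an added example (not code from the slides or from any of the cited RFCs or implementations), the following Go program shows the ESP overhead figures above in practice with AES-GCM from Go's standard library: the 8-octet per-packet IV is combined with a 4-octet salt into the 12-octet GCM nonce the way RFC 4106 describes, the ESP header fields are authenticated as associated data, the 16- and 12-octet tag lengths are produced, and GMAC (authentication only, NULL encryption) is obtained by passing the data as associated data with an empty plaintext. The key, salt, SPI/sequence bytes and payload are constructed sample values, and the function names (`espNonce`, `gcmSeal`, `gcmOpen`, `gmacTag`, `gmacVerify`) are the example's own. Go's GCM implementation accepts tag sizes from 12 to 16 octets, so the 8-octet tag allowed by RFC 4106 is rejected by this example rather than silently widened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// espNonce assembles the 12-octet GCM nonce as RFC 4106 does: a 4-octet salt
// taken from the keying material (never transmitted) followed by the 8-octet
// IV that ESP carries explicitly in every packet.
func espNonce(salt [4]byte, iv [8]byte) []byte {
	nonce := make([]byte, 0, 12)
	nonce = append(nonce, salt[:]...)
	return append(nonce, iv[:]...)
}

// newGCM wraps AES (16, 24 or 32 byte key: AES-128/192/256) in GCM with the
// requested tag length. Go accepts 12..16 octets, so tagSize 8 is an error.
func newGCM(key []byte, tagSize int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagSize)
}

// gcmSeal encrypts payload and authenticates aad (the ESP header fields that
// travel in the clear), returning ciphertext followed by a tagSize-octet tag.
func gcmSeal(key []byte, salt [4]byte, iv [8]byte, aad, payload []byte, tagSize int) ([]byte, error) {
	aead, err := newGCM(key, tagSize)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, espNonce(salt, iv), payload, aad), nil
}

// gcmOpen verifies the tag over ciphertext and aad, then decrypts; any change
// to either yields an error and no plaintext.
func gcmOpen(key []byte, salt [4]byte, iv [8]byte, aad, sealed []byte, tagSize int) ([]byte, error) {
	aead, err := newGCM(key, tagSize)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, espNonce(salt, iv), sealed, aad)
}

// gmacTag is GCM with NULL encryption: the data goes in as associated data and
// the plaintext is empty, so Seal returns only the 16-octet tag.
func gmacTag(key []byte, salt [4]byte, iv [8]byte, data []byte) ([]byte, error) {
	aead, err := newGCM(key, 16)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, espNonce(salt, iv), nil, data), nil
}

// gmacVerify checks a GMAC tag: Open on a tag-only "ciphertext" succeeds only
// if the tag matches data under this key and nonce.
func gmacVerify(key []byte, salt [4]byte, iv [8]byte, data, tag []byte) bool {
	aead, err := newGCM(key, 16)
	if err != nil {
		return false
	}
	_, err = aead.Open(nil, espNonce(salt, iv), tag, data)
	return err == nil
}

func main() {
	// Constructed key and salt; in IKEv2 both are derived from the key material.
	key := []byte("0123456789abcdef") // 16 bytes -> AES-128-GCM
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}
	var iv [8]byte
	if _, err := rand.Read(iv[:]); err != nil { // fresh IV for every packet
		panic(err)
	}
	aad := []byte{0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x2a} // constructed SPI + sequence number
	payload := []byte("constructed inner IP packet")

	sealed, err := gcmSeal(key, salt, iv, aad, payload, 16)
	if err != nil {
		panic(err)
	}
	fmt.Printf("payload %d octets -> ciphertext+tag %d octets (plus 8 octet IV on the wire)\n",
		len(payload), len(sealed))

	sealed[0] ^= 0x01 // flip one ciphertext bit: the packet must be rejected
	if _, err := gcmOpen(key, salt, iv, aad, sealed, 16); err != nil {
		fmt.Println("tampered packet rejected:", err)
	}

	tag, _ := gmacTag(key, salt, iv, payload)
	fmt.Printf("GMAC tag %d octets, verifies: %v\n", len(tag), gmacVerify(key, salt, iv, payload, tag))
}
```

Because the salt is part of the key material, a receiver can only form the correct nonce if it holds the same SA; a packet whose IV, header or ciphertext was altered fails the tag check before any plaintext is released, which is the single-pass authentication the outline refers to.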
