Suite B
Suite B is a security standard developed by the National Security Agency (NSA) that establishes a cryptographic interoperability strategy. Suite B is similar to SP 800-131a, but it has tighter restrictions. Suite B can run in two modes: 128-bit and 192-bit. To use the 192-bit mode, we must apply the unrestricted policy file to the JDK in the ISAM Java™ components. When we apply the unrestricted policy, the JDK uses the stronger cipher required for the 192-bit mode.
Applying Suite B on the ISAM Base components has the following prerequisites:
- TLS version 1.2 protocol for the SSL context
- Suite B-approved cipher suites
- Certificates:
  - 128-bit mode certificates must be signed with SHA256withECDSA.
  - 192-bit mode certificates must be signed with SHA384withECDSA.
- Ciphers:
  - SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
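A preflight check for the prerequisites listed above, as an added example in Java (not IBM's code and not part of the product): it verifies that the JDK policy permits AES-256 for 192-bit mode, that a TLS 1.2 context offers the mode's cipher suite, and that a certificate carries the mode's signature algorithm. The class name `SuiteBPreflight`, the command-line arguments, and the pairing of the AES-128 suite with 128-bit mode and the AES-256 suite with 192-bit mode (taken from RFC 6460, not from this page) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class): checks a JDK and one certificate against the Suite B prerequisites.
public class SuiteBPreflight {
    // Returns a list of problems; an empty list means every prerequisite checked here is met.
    static List<String> check(int modeBits, X509Certificate cert) throws Exception {
        if (modeBits != 128 && modeBits != 192) {
            throw new IllegalArgumentException("Suite B mode must be 128 or 192");
        }
        List<String> problems = new ArrayList<>();
        // 192-bit mode needs AES-256; a JDK with the restricted policy files caps AES at 128 bits.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        if (modeBits == 192 && maxAes < 256) {
            problems.add("JDK policy limits AES to " + maxAes + " bits; apply the unrestricted policy file");
        }
        // TLS 1.2 must be available; getInstance throws NoSuchAlgorithmException if it is not.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        // Assumption (RFC 6460 pairing): AES-128 suite for 128-bit mode, AES-256 suite for 192-bit mode.
        String suite = modeBits == 128 ? "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" : "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
        // The page spells the suites SSL_*; other JSSE providers list the same suites as TLS_*.
        if (!supported.contains("SSL_" + suite) && !supported.contains("TLS_" + suite)) {
            problems.add("cipher suite not supported by this JDK: " + suite);
        }
        // The certificate signature algorithm must match the mode.
        String required = modeBits == 128 ? "SHA256withECDSA" : "SHA384withECDSA";
        if (!required.equalsIgnoreCase(cert.getSigAlgName())) {
            problems.add("certificate signed with " + cert.getSigAlgName() + ", mode requires " + required);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SuiteBPreflight <128|192> <certificate file, PEM or DER>
        try (InputStream in = new FileInputStream(args[1])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            List<String> problems = check(Integer.parseInt(args[0]), cert);
            problems.forEach(p -> System.out.println("FAIL: " + p));
            System.exit(problems.isEmpty() ? 0 : 1);
        }
    }
}
```

Run it with the same JDK that the ISAM Java components use, because the policy-file result is specific to that JDK installation.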
The Security Verify Access Base component communication uses certificates generated by the policy server. The strength and algorithms to create these certificates differ for each Suite B security mode. We cannot convert from the 128-bit mode to the 192-bit mode (or any other security mode) without completely regenerating all the SVA certificates. The certificates are not compatible with previous releases of ISAM. Previous release Security Verify Access clients cannot communicate with the ISAM 8.0 policy server in this mode.