The NSA Suite B Specification and Cisco Security Equipment

Courtesy of anitasweb @ rgbstock.com

Once more, the idea for this article came about from a student question received in a training session I conducted in the suburban Washington, DC metro area. As the title suggests, the organization for which the attendee worked had to be compliant to the NSA Suite B standard. We’ll briefly explore this standard and the applicable Cisco hard-ware which meets this specification.

As the NSA document references below, the Suite B standard specifies specific cryptographic algorithms for use with the two highest levels of information classification, Secret and Top Secret.  These two categories, along with the one entitled Confidential, comprise the three degrees of security for documents deemed classified (confidential is the lowest security level, followed by secret, then top secret in increasing order). For general interest, I included a government document that details the proper use of these classification levels in communications.

NSA details that the following cryptographic algorithms be used to provide protection to information classified at the Secret level: Elliptical Curve Signatures (256 bit), Secure Hash Algorithm (256 bit), and the (AES) Advanced Encryption Standard (128 bit). For the Top Secret level, this is increased to 384 bits for both Elliptical Curve and the Secure Hash Algorithm and 256 bit length for AES. Not surprisingly, one of the primary goals of the Suite B set of standards is interoperability. The NSA description even goes as far as to mention the implementation of this standard between cooperating countries in a warfare scenario.

Now that the standard is described, let’s briefly examine a Cisco product which is currently being marketed as being compliant to Suite B. The 5940 series Embedded Services Router is best described as a module which can be installed in a variety of different enclosures and environments. The literature mentions that it is ruggedized and especially suited to mobility over rugged terrain along with its ability to manage integrated voice, video, and data. The photograph in the data sheet vividly illustrates its small form factor by its placement next to a small set of keys.

As the 5940 data sheet indicates, an impressive array of security features are available as well as flexible Unified Communications options. I have included the RFC reference below for further reading on Suite B; note that its authors are members of NSA.

References:

NSA Suite B Cryptography

RFC 4869 – Suite B Cryptographic Suites for IPsec

Cisco 5940 Series Embedded Services Router

In this article

Join the Conversation

1 comment

  1. Ken Murphy Reply

    Depending on the level of classification (ex Secret), just matching crypto settings on a router is not enough. The solution must also include anti-tamper hardware. The VIASAT IPS-250 is the first example of non-CCI (Controlled Cryptographic Item) Suite-B encryption up to US SECRET.

    Now if some high speed company out there wants to take the 5940 and harden it and have NSA approve it for Secret you’d have a winner.