Since the mid-1990's, there has been an awareness that public-key systems could be compromised by quantum computers. This has resulted in a critical requirement to protect systems from future deployment of cryptanalytically relevant quantum computers (CRQC).
Over the years there has been significant progress in research conducted by various industries, academics and governments that concludes that quantum computing will someday come to fruition. This research provides further credible proof that now is the time to prepare for effectively transitioning to quantum-resistant (QR) algorithms, which includes such things as planning and budgeting. By doing so, National Security Systems (NSS) and related assets can be assured continuous protection once cryptanalytically relevant quantum computers do arrive.
What is the Commercial National Security Algorithm (CNSA) Suite 2.0 and what does it apply to?
A recent cybersecurity advisory from the United States National Security Agency (NSA) notified NSS operators, owners and vendors of what the future requirements for quantum-resistant algorithms will be for NSS. These post-quantum algorithms have been thoroughly tested and analyzed to assure they are secure against attacks from quantum computers and computer technology that is currently in use.
NSA’s Commercial National Security Algorithm Suite 2.0 serves as an update to the current algorithms in CNSA 1.0. When further updates to algorithms are required, the version number will be modified.
The algorithms provided in the Commercial National Security Algorithm Suite apply to all NSS use of public cryptographic algorithms. This includes all used on NSS, whether classified or unclassified. The use of any other cryptographic algorithms that are not approved by the National Manager are typically forbidden unless a waiver has been obtained.
In this review of NSA’s Commercial National Security Algorithm Suite 2.0, we will focus on the following areas:
- Algorithms for Software and Firmware Signing
- Symmetric Key Algorithms
- General Use Quantum-Resistant Public Key Algorithms
- General Timing and Transition Method
Algorithms for Software and Firmware Signing
For some time, The National Institute of Standards and Technology (NIST) has standardized algorithms for software and firmware signing. However, this changed with the release of the Commericial National Security Algorithm 2.0, and now NSA is using these algorithms for this specific use case.
There are three reasons why CNSA 2.0 algorithms are to be used for software and firmware signing:
1. These algorithms have already been standardized by NIST. Other post-quantum signature algorithms have not been standardized as of yet.
2. There is an urgent need for this signature use-case.
3. This usage helps keep track of how many times a specific public key is used in signing software or firmware.
NIST Special Publication 800-208 specifies the algorithms chosen for software and firmware signing. NSA has approved all the algorithms in NIST SP 800-208, but specifically recommends using Leighton-Micali with SHA-256/192. All requirements of SP 800-208 must be met to prevent weakening the signatures’ security. Xtended Merkle Signature Scheme (XMSS) is the other CNSA 2.0 algorithm approved for software and firmware signing. NSA recommends that vendors begin adopting these signatures immediately.
Symmetric Key Algorithms
The requirements for symmetric key algorithms have only changed slightly from CNSA 1.0 to CNSA 2.0. Advanced Encryption Standard (AES) as specified under FIPS Pub 197 which uses 256-bit keys for all classification levels remains as a symmetric-key algorithm. With CNSA 2.0, Secure Hash Algorithm (SHA) 384 or 512 as specified under FIPS Pub 180-4, is approved for all classification levels.
General-Use Quantum-Resistant Public Key Algorithms
Commercial National Security Algorithm Suite 2.0s general-use quantum-resistant public key algorithms are the main public-key algorithms used by most applications. Currently, these algorithms have been selected by and recommended by NIST for standardization for post-quantum cryptography. As of yet, neither FIPS-validated implementations nor final standards are available. The NSA has announced the selection of these future NSS requirements to allow vendors to prepare for the required implementation of these standards.
The CNSA 2.0 quantum-resistant public-key algorithms will be:
- CRYSTALS-Kyber as asymmetric algorithm for key establishment
- CRYSTALS-Dilithium as asymmetric algorithm for digital signatures
General Timing and Transition Method
The transition timing for NSA’s Commercial National Security Algorithm Suite 2.0 will depend upon the proliferation of standards-based implementations. The NSA is aware that different technologies will have different paces for adopting QR algorithms. It expects that the NSS transition to QR algorithms should be complete by 2035. When configuring systems during the transition period, NSS owners and operators are required to prefer CNSA 2.0 algorithms where feasible.
The NSA recommends that the transition for software and firmware signing begins immediately in addition to:
- CNSA 2.0 signing algorithms will be used by 2025 for new software and firmware.
- Deployed software and firmware that is not CNSA 1.0 compliant be transitioned to CNSA 2.0 compliant algorithms by 2025.
- All deployed software and firmware transitioned to CNSA 2.0 signatures by 2030.
Additional requirements for implementing other CNSA 2.0 requirements for NSS, include:
- Begin transitioning immediately for software and firmware to CNSA 2.0 by 2025 and by 2030, exclusively use CNSA 2.0.
- Support and prefer CNSA 2.0 by 2025 for cloud services and web browsers/servers by 2025 and only use CNSA 2.0 by 2033.
- Begin supporting and preferring CNSA 2.0 by 2026 for traditional networking equipment, such as VPNs or routers and exclusively use CNSA 2.0 by 2030.
- Support and prefer CNSA 2.0 by 2027 for operating systems and only use CNSA 2.0 by 2033.
- Large public-key infrastructure systems and other niche equipment should support and prefer CNSA 2.0 by 2030 and by 2033, only use CNSA 2.0.
- Update or replace non-compliant custom applications and legacy equipment by 2033.
In line with NSA’s recommendations, companies should immediately prepare for post-quantum technology and protect the future of their business. By identifying and evaluating vulnerabilities, this leads to a crypto infrastructure ‘compatibility’ with quantum-safe algorithms. Start by testing PQC algorithms in your environment!