

Subject: RE: [kmip] Fwd: KMIP Suite B Profile - Deprecated


That is basically my take on it too. No new math, just use the options with more bits. The big policy piece is that they repackaged the program with a new name. 

NSA is calling for Suite B to be transitioned in favor of Commercial National Security Algorithm Suite which is effectively minLoS 192. Odd way to say Deprecated - but I think that is the simplest way to describe it.

In Government/Policy wonk speak that is the first line of the introduction that notes "NSA's announcement of changes from Suite B cryptography to CNSA Suite"

I think the intent is to differentiate what was considered good: "Suite B" to what the new definition of good is: "CNSA" 

The key language is found on page 9

"For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition." 
.... which also notes that you can use ECDH and RSA (but it's not preferred).

The impact currently points to your minLoS of 192 and dropping minLoS 128. That might make the profile easier? Only one level of security to concern ourselves with.

From a security policy perspective there is the point that policy is simplified as all classification levels will be required to use minLoS 192.


Chuck White

Fornetix

Don’t Just Manage Encryption – Orchestrate It.

 



-------- Original message --------
From: Tim Hudson <tjh@cryptsoft.com>
Date: 6/22/16 17:10 (GMT-05:00)
To: Saikat Saha <saikat.saha@oracle.com>
Cc: kmip@lists.oasis-open.org
Subject: Re: [kmip] Fwd: KMIP Suite B Profile - Deprecated

Suite B is not deprecated - it continues. There is a new initiative to provide a mechanism for quantum resistant algorithm and its handling.
That initiative has not yet provided any results as such in terms of recommendations (that I'm aware of) for new algorithms. 

This is made clear at https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm

The advisory guidance from that group at https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm is for anyone currently using Suite B to work only with the TOP SECRET specification level rather than the SECRET specification level on the basis of current perceptions as to possible future quantum computing vulnerability of algorithms at smaller key sizes.

Basically recommendations have moved from minLOS 128 to minLOS 192.

At least that is my understanding.

Tim.



On Thu, Jun 23, 2016 at 2:56 AM, Saikat Saha <saikat.saha@oracle.com> wrote:

Team,


Let us discuss in tomorrow's meeting in this regard.


Thanks,

Saikat



-------- Forwarded Message --------
Subject: KMIP Suite B Profile - Deprecated
Date: Wed, 22 Jun 2016 13:05:51 +0000
From: Robert Wagner <rwagner@dowless.com>
To: saikat.saha@oracle.com <saikat.saha@oracle.com>, tjc@cryptsoft.com <tjc@cryptsoft.com>
CC: kwburgi@tycho.ncsc.mil <kwburgi@tycho.ncsc.mil>


Dear Technical Committee,

As you may be aware, Suite B is deprecated and replaced with the Commercial National Security Algorithm (CNSA) Suite.

See:  https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm

The basic information for this was released in July, 2015 (see CNSS Advisory Memorandum, Information Assurance 02-15, July 2015 at https://www.cnss.gov/CNSS/issuances/Memoranda.cfm)


As such, several of the Key Lengths mentioned in your Suite B profile are prohibited for National Security Systems (see page 3 of the FAQ PDF).

I am writing you to determine when a CNSA profile for KMIP 1.2 will be publicly available.


I look forward to your response,

Robert Wagner

Dowless and Associates



