NSA Suite B and OpenSSL

7 March 2024 (updated 7 March 2024)

% Remco Bloemen % 2014-05-12

The Good

At Coblue we use NSA Suite B as implemented in OpenSSL as our library for cryptography. Suite B has two security levels which, in proper intelligence agency fashion, are named SECRET and TOP SECRET. Since the we value security more than a slight performance difference, we use the strongest set. This implies using the following four primitives:

Encryption: 256 bit AES-GCM
Key exchange: 384 bit ECDH over curve p384
Signatures: 384 bit ECDSA over curve p384
Hashing: 384 bit SHA 2

Inside the NSA

Suite B also involves specific requirements on how to implement and use them. This is written down in various RFC, NIST and FIPS publications, most of which are about implementation details, but I recommend reading NIST SP 800 38D chapter 8, as it sets safety limits on the length of messages, the number of messages and IV generation for AES-GCM.

OpenSSL

The choice for the OpenSSL library was made because it supports all the algorithms in Suite B. It is open source and used by the majority of web servers for their cryptography. The project is developed by both European and U.S. based developers and has received NIST FIPS 140 certification. This makes it a reliable, if not the default, choice.

Above and beyond

Secure web servers (for https) require at least TLS version 1.2 to support this set of algorithms. Since support was not common at the time, we maintained patches to OpenSSL, Apache and Qt in order to be among the first to support a full Suite B implementation on our web servers and in our software.

To go above and beyond TOP SECRET security we added the Scrypt as a key derivation algorithm, pinned our certificates and developed a simple secure socket protocol that bypassed the complexities of TLS. All of this is packaged in a statically linked native client.

The Bad

These choices turned out to be foresightful and have saved us and our users from being affected by many high-impact security breaches:

MD5 and SHA 1: Marc Steven’s attack has made it feasible to break signatures using these hashing algorithms, to proof his concept he created a server with a roque certificate which was accepted by all browsers. Evidence from Flame suggests that intelligence agencies knew about it for longer. Coblue was saved by using SHA 2 and pinning our certificates instead of relying on certificate chains and authorities.
DigiNotar: This certificate authority was completely compromised allowing the issuing of false certificates. Coblue was again saved by having its certificates pinned.
BEAST and Lucky 13: These are attacks on the CBC block cipher mode, stream ciphers like AES-GCM were not affected. As a response many servers switched to the RC4 stream cipher. Coblue never used the CBC mode.
RC4: This stream cipher has already been broken in 2001, which resulted in widespread cracking of WEP keys. Despite this, it is still used (sometimes in slightly modified form) as part of WPA, SSL, BitTorrent, Skype, PDF. According to one source, 50% of the webservers are using RC4 in early 2014. Coblue never used RC4.
CRIME and BREACH: Like BEAST it allows an attacker to guess bytes of the plaintext by abusing the TLS compression mode. Coblue never
HeartBleed: This is a severe bug in OpenSSL’s TLS implementation that allowed an attacker to read out arbitrary. Coblue was unaffected because we stopped using TLS for client-server communication.

This list doesn’t include the numerous vulnerabilities that have been found in browsers, browser plugins and web applications. None of these are relevant for Coblue since our applications are not web-based.

The Ugly

The Snowden revelations have shown that it is not unreasonable to consider the whole of the PKI infrastructure to be compromised. Man in the middle attacks are

However,

OpenSSL code quality is not nearly up to our standards
The code base is too large
OpenSSL is vulnerable to side-channel attacks
OpenSSL has bad memory protection
TLS is overly complex
Suite B requires many primitives: AES, GHASH, SHA256, HMAC, PBKDF2, ECDH, ECDSA
SHA length extension, requiring workarounds in HMAC and PBKDF2.
NSA is known to manipulate standards (EC-DRNG)
NIST EC p384 is suspect of NSA manipulatation *
To get good security we had to forgo TLS and implement a much simpler ECDHAES-GCM protocol.