NSA Suite B and OpenSSL

Remco Bloemen

2014-05-12

The Good

At Coblue we use NSA Suite B as implemented in OpenSSL as our library for cryptography. Suite B has two security levels which, in proper intelligence agency fashion, are named SECRET and TOP SECRET. Since we value security more than a slight performance difference, we use the strongest set. This implies using the following four primitives:

Inside the NSA

Suite B also involves specific requirements on how to implement and use them. These are written down in various RFC, NIST and FIPS publications, most of which are about implementation details, but I recommend reading NIST SP 800-38D, chapter 8, as it sets safety limits on the length of messages, the number of messages and IV generation for AES-GCM.
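As an added example (not code from the original post or from OpenSSL), the following shows how those chapter 8 limits can be enforced around a key before anything is handed to the cipher: a 96-bit deterministic IV built from a 32-bit fixed field and a 64-bit invocation counter (SP 800-38D section 8.2.1), a cap of 2^32 invocations per key (section 8.3), and the plaintext and AAD length bounds (section 5.2.1.1). The class name and fixed-field value are my own choices; no encryption is performed here.

```python
"""Enforce the AES-GCM usage limits from NIST SP 800-38D for a single key.
Constructed example: this only issues IVs and checks lengths; the actual
encryption call (e.g. OpenSSL EVP) would follow with the returned IV."""
import struct

MAX_PLAINTEXT_BYTES = (2**39 - 256) // 8      # 5.2.1.1: len(P) <= 2^39 - 256 bits
MAX_AAD_BYTES = (2**64 - 1) // 8              # 5.2.1.1: len(A) <= 2^64 - 1 bits
MAX_INVOCATIONS_PER_KEY = 2**32               # 8.3: at most 2^32 encryptions per key


class GcmKeyUsage:
    """Tracks one key's invocations and builds 96-bit deterministic IVs (8.2.1):
    a 32-bit fixed field identifying the device or context, followed by a
    64-bit invocation counter, so a (key, IV) pair is never reused."""

    def __init__(self, fixed_field: int):
        if not 0 <= fixed_field < 2**32:
            raise ValueError("fixed field must fit in 32 bits")
        self.fixed_field = fixed_field
        self.invocations = 0

    def next_iv(self) -> bytes:
        # Refuse to encrypt once the per-key budget is spent; the caller must rotate keys.
        if self.invocations >= MAX_INVOCATIONS_PER_KEY:
            raise RuntimeError("key exhausted: rotate the key before encrypting again")
        iv = struct.pack(">IQ", self.fixed_field, self.invocations)  # 4 + 8 bytes = 96 bits
        self.invocations += 1
        return iv

    def check_lengths(self, plaintext_len: int, aad_len: int) -> None:
        if plaintext_len > MAX_PLAINTEXT_BYTES:
            raise ValueError("plaintext exceeds 2^39 - 256 bits; split the message")
        if aad_len > MAX_AAD_BYTES:
            raise ValueError("AAD exceeds 2^64 - 1 bits")

    def prepare(self, plaintext_len: int, aad_len: int = 0) -> bytes:
        """Validate lengths first, then consume an IV, so a rejected message
        does not burn a counter value."""
        self.check_lengths(plaintext_len, aad_len)
        return self.next_iv()


if __name__ == "__main__":
    usage = GcmKeyUsage(0x0A0B0C0D)           # constructed device identifier
    print(usage.prepare(plaintext_len=1024).hex())   # 0a0b0c0d0000000000000000
    print(usage.prepare(plaintext_len=1024).hex())   # 0a0b0c0d0000000000000001
```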

OpenSSL

The choice for the OpenSSL library was made because it supports all the algorithms in Suite B. It is open source and used by the majority of web servers for their cryptography. The project is developed by both European and U.S. based developers and has received NIST FIPS 140 certification. This makes it a reliable, if not the default, choice.

Above and beyond

Secure web servers (for https) require at least TLS version 1.2 to support this set of algorithms. Since support was not common at the time, we maintained patches to OpenSSL, Apache and Qt in order to be among the first to support a full Suite B implementation on our web servers and in our software.

To go above and beyond TOP SECRET security we added scrypt as a key derivation algorithm, pinned our certificates and developed a simple secure socket protocol that bypassed the complexities of TLS. All of this is packaged in a statically linked native client.

The Bad

These choices turned out to be foresightful and have saved us and our users from being affected by many high-impact security breaches:

This list doesn’t include the numerous vulnerabilities that have been found in browsers, browser plugins and web applications. None of these are relevant for Coblue since our applications are not web-based.

The Ugly

The Snowden revelations have shown that it is not unreasonable to consider the whole of the PKI infrastructure to be compromised. Man in the middle attacks are

However,