JEP 129: NSA Suite B Cryptographic Algorithms

Owner: Valerie Peng
Type: Feature
Scope: SE
Status: Closed / Delivered
Release: 8
Component: security-libs
Discussion: security dash dev at openjdk dot java dot net
Effort: M
Duration: M
Endorsed by: Brian Goetz
Created: 2011/05/03 20:00
Updated: 2017/06/14 23:26
Issue: 8046119

Summary

Provide implementations of the cryptographic algorithms required by NSA Suite B.

Goals

Provide default implementations of the Suite B cryptographic algorithms in the JDK so that Java applications can meet appropriate security standards required by the U.S. government, financial institutions, etc. Ensure that the implementations in our various crypto providers are interoperable; e.g., if the same algorithm is supported by both the SunPKCS11 and SunJCE providers then basic testing should be done to ensure interoperability.

Most of the algorithms required by NSA Suite B are already supported in the JDK by various crypto providers such as SunEC (ECDH key agreement, ECDSA signature), SUN (SHA256, SHA384 message digests), SunJCE (AES cipher with ECB/CBC/OFB/CFB modes), and SunPKCS11 (depending on the native PKCS11 library, though we may need to enhance the provider code to work with native implementations). Also, for EC-related algorithms, we need to make sure that the required curves and parameters are supported.

Non-Goals

This enhancement will only cover the required NSA Suite B algorithms. Following the NSA's guidance on the protocol level would be a separate effort.

Motivation

NSA Suite B cryptography has been approved by NIST for use by the U.S. Government and specified in NIST standards and recommendations.

Description

In 2005 the NSA announced Suite B Cryptography, which built on the National Policy on the use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (CNSSP-15). In addition to the AES, Suite B includes cryptographic algorithms for key exchange, digital signatures, and hashing; specifically:

AES with 128-bit keys provides adequate protection for classified information up to the SECRET level. Similarly, ECDH and ECDSA using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

AES with 256-bit keys, Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384 are required to protect classified information at the TOP SECRET level. Since some products approved to protect classified information up to the TOP SECRET level will only contain algorithms with these parameters, algorithm interoperability between various products can only be guaranteed by having these parameters as options.
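The two parameter sets described above can be exercised end to end through the standard JCA/JCE APIs. The following is an added example, not code from the JEP or the JDK: the class name SuiteBCheck, the sample message, the choice of CBC mode and the hash-and-truncate key derivation are illustrative assumptions, and it assumes a runtime whose crypto policy permits 256-bit AES keys.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class SuiteBCheck {
    // Runs ECDH, the hash, AES and ECDSA with the parameters of one classification level.
    static void exercise(String level, String curve, String hash, int aesBits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec(curve));
        KeyPair alice = kpg.generateKeyPair(), bob = kpg.generateKeyPair();
        // ECDH: both parties must arrive at the same shared secret.
        byte[] sA = agree(alice.getPrivate(), bob.getPublic());
        byte[] sB = agree(bob.getPrivate(), alice.getPublic());
        if (!MessageDigest.isEqual(sA, sB)) throw new IllegalStateException("ECDH mismatch");
        // Illustrative derivation only (assumption): hash the secret, truncate to the AES key size.
        byte[] digest = MessageDigest.getInstance(hash).digest(sA);
        SecretKeySpec aesKey = new SecretKeySpec(Arrays.copyOf(digest, aesBits / 8), "AES");
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, aesKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(msg);
        c.init(Cipher.DECRYPT_MODE, aesKey, new IvParameterSpec(iv));
        if (!Arrays.equals(msg, c.doFinal(ct))) throw new IllegalStateException("AES round trip failed");
        // ECDSA over the ciphertext, using the hash paired with this level.
        String sigAlg = hash.replace("-", "") + "withECDSA";
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(alice.getPrivate());
        s.update(ct);
        byte[] sig = s.sign();
        s.initVerify(alice.getPublic());
        s.update(ct);
        if (!s.verify(sig)) throw new IllegalStateException("ECDSA verify failed");
        // Report which providers served the requests.
        System.out.println(level + ": " + curve + ", " + sigAlg + ", AES-" + aesBits
                + " OK (" + s.getProvider().getName() + ", " + c.getProvider().getName() + ")");
    }
    static byte[] agree(PrivateKey priv, PublicKey pub) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(priv);
        ka.doPhase(pub, true);
        return ka.generateSecret();
    }
    public static void main(String[] args) throws Exception {
        exercise("SECRET", "secp256r1", "SHA-256", 128);     // 256-bit prime curve
        exercise("TOP SECRET", "secp384r1", "SHA-384", 256); // 384-bit prime curve
    }
}
```

A NoSuchAlgorithmException or InvalidAlgorithmParameterException from any step indicates that no installed provider supplies that algorithm or curve.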

Another suite of NSA cryptography, Suite A, contains some classified algorithms that will not be released. Suite A will be used for the protection of some categories of especially sensitive information.

NSA Suite B Cryptography also provides guidance for using Suite B cryptography with internet protocols:

This JEP does not propose to implement this protocol guidance.

At the crypto provider level, the only implementations missing that need to be supported are:

At the Java API level, we will need to add a DSA API that supports both L and N and passes them to the underlying provider implementations. Currently, only L is supported, e.g., by DSAKeyPairGenerator.

Testing

Need to add:

  1. Regression Tests: known-answer tests to validate the implementation of the new algorithms.

  2. SQE/Product Tests: interoperability tests for algorithms commonly supported by multiple crypto providers.

Risks and Assumptions

Intellectual Property: A key aspect of Suite B Cryptography is its use of elliptic curve technology instead of classic public key technology. In order to facilitate adoption of Suite B by industry, NSA has licensed the rights to 26 patents held by Certicom, Inc., covering a variety of elliptic curve technology. Under the license, NSA has the right to grant a sublicense to vendors building certain types of products or components that can be used for protecting national security information. More information is available here.

Impact