[Cryptography] NIST should publish Suite A

Peter Bowen pzbowen at gmail.com
Mon Nov 11 23:31:48 EST 2013

On Mon, Nov 11, 2013 at 5:31 AM, ianG <iang at iang.org> wrote:
> On 10/11/13 16:14 PM, CodesInChaos wrote:
>>> NIST should publish Suite A
>> How would you verify that the published "Suite A" is the real Suite A?
> Good question ... I guess there are likely 1000s of contractors that know
> what the real Suite A consists of because they make kit that includes it.
> Creating a 'deception suite' would have a low chance of success, and failure
> to keep the secret will achieve worse results.

A good starting point would be to look at the publicly available
documentation about Type 1 algorithms and which are likely to make up
Suite A.

There appear to be two primary Type 1 asymmetric/public key
algorithms: FIREFLY and MAYFLY.  FIREFLY is the older of the two and
appears to be based on Finite Field DLP or RSA.  MAYFLY is based on
Elliptic Curves.  The NSA has developed a hybrid or transition
approach called "Enhanced FIREFLY" that allows systems to use EC when
both ends support it and fall back to basic FIREFLY when they do not.
>From the TACLANE Operator's Manual (helpfully published by the
Government of Canada[1] among others):

"Enhanced FIREFLY (EFF) is a key management technique that makes use
of existing FIREFLY technology to implement Elliptic Curve
cryptography (specifically, a form of the MAYFLY Elliptic Curve
technology). TACLANE is able to use MAYFLY with other enhanced-capable
TACLANEs. TACLANE can also negotiate down, if necessary, to Basic FF
for TACLANEs that have not been upgraded to support EFF. Enhanced
FIREFLY therefore serves as a bridge between the existing FIREFLY
infrastructure and the move to a solely Elliptic Curve solution"

PKCS11 Version 2.0 Draft 2 (from RSA's FTP server[2]) helpfully
provides a little more detail about MAYFLY.  A MAYFLY public key
object has four attributes:
- Prime p (512 to 1024 bits, in steps of 64 bits)
- Subprime q (160 bits)
- Base g (512 to 1024 bits, in steps of 64 bits)
- Public value W

p, q, and g are collectively the "MAYFLY parameters".  The MAYFLY
private key objects are very similar except replace "Public value W"
with "Private value w".
This description is virtually identical to the ECDSA public and
private key objects in the same specification.

A common block cipher algorithm in Suite A is MEDLEY.  MEDLEY can be
used in the same modes as AES: ECB, CBC, CFB, OFB, CTR, and GCM.[3]
GCM is probably the preferred mode of operation for IPSEC-like use.[4]
 MEDLEY may have very small block sizes - 4 bytes and 8 bytes.[5]  It
does appear to be slower than its predecessor BATON (one vendor has
300Mb/s for BATON and 200Mb/s for MEDLEY[6]).

The "MEDLEY Implementation Standard" is dated 30 November 2001, which
is four days after the FIPS PUB 197 (AES) was published.  GCM was not
published until 2004, which suggests that, like AES, MEDLEY had GCM
introduced at a later date.  My money would be on MEDLEY being a
variant of one of the AES finalist algorithms, quite possibly Rijndael

I'm sure there is more information that can be easily gleaned from
public sources, but it is clear the EC is a core part of Suite A.


[1] http://publications.gc.ca/gazette/archives/p2/2007/2007-01-10/pdf/E100_Operator_Manual_Rev%201.4.pdf
[2] ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2drft2.pdf
[3] https://www.fbo.gov/notices/22563fe5c3731049cbb5ff885e1de83b
[4] http://cryptome.org/cerdec-poet.htm
[5] http://www.disa.mil/Services/Network-Services/UCCO/~/media/Files/DISA/Services/UCCO/UCR2013-Draft/12UCFramework2013Section12.pdf
[6] http://www2.l-3com.com/cs-east/pdf/unitycp.pdf

More information about the cryptography mailing list