Dear Morgan Stern,
Thanks for the clarification that ML-DSA-87 can be used also for software/firmware signing and that multitree algorithms are not allowed. That was not clear in the original document.
I am looking forward to implementation guidance for CNSA 2.0 similar to the IETF RFCs produced for CNSA 1.0. I particularly liked how the CNSA 1.0 RFCs mandated several things that are only MAY or SHOULD in the original protocol specifications. Several things from the CNSA 1.0 RFCs have been adopted by 3GPP after contributions from Ericsson. Having public recommendations from organisations such as NSA, NIST, BSI, or ANSSI makes it much easier to strengthen security in various standards.
One thing in the new FAQ that seems to confuse people is the texts "Can I use SLH-DSA (aka SPHINCS+) to sign software?" and "Q: Can I use SHA-3 as a hash?". Some people read this as new information from NSA regarding the security of SLH-DSA and SHA-3. If NSA updated the FAQ it would be good to clarify that CNSA 2.0 tries to include as few algorithms as possible, that everything that is not explicitly approved is not approved, and that not being approved does not mean that NSA has concluded that the security is bad.
In fact, I read the text "The SHA-2 selections are sufficient for security" as NSA agreeing that SHA-3 is technically superior (except for compatibility with existing NSA systems).
Cheers,
John Preuß Mattsson
From: 'Stern, Morgan B' via pqc-forum <pqc-...@list.nist.gov>
Date: Thursday, 18 April 2024 at 21:03
To: 'pqc-...@list.nist.gov' <pqc-...@list.nist.gov>
Subject: [pqc-forum] New FAQ for CNSA 2.0
NSA has updated our guidance on our Commercial National Security Algorithm Suite 2.0 (CNSA 2.0): https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/1/CSI_CNSA_2.0_FAQ_.PDF
CNSA 2.0 will be required to protect US National Security Systems (NSS) in the future. Based on our stakeholders' feedback we have added answers to a variety of new questions in our FAQ. This includes:
-Clarification that only single-tree variants of SP 800-208's stateful hash-based signature algorithms are allowed in CNSA 2.0
-Added details regarding the flexibilities allowed in the signing infrastructures of commercial hardware/software manufacturers so that vendors can comply with the timelines of our quantum resistant signing requirements for their firmware/software.
-Clarification that ML-DSA-87 can be used for software/firmware signing, though we expect a longer time period before its availability, and so it may not meet our hardware deadlines.
-Added context on our views on hybrid key establishment.
-Clarification that only cryptographic primitives in CNSA can be used in commercial products to protect NSS. Cryptographic functionality provided by primitives not included in CNSA does not have any approved commercial solutions and we explicitly list some such functionality.
Looking forward to continued community engagement. Thanks for the questions over the last few years.
Morgan Stern
NSA Cybersecurity