(Update at the bottom)
So, the NSA and IAD just released an advisory memo directed at US government entities and NGOs/Corporations that deal with classified material. In a nutshell, they are raising the minimum required encryption level for top secret data effective immediately. So instead of referring to the NSA's Suite B cryptography, we will now refer to what they are calling the Commercial National Security Algorithm Suite. The changes are as follows:
Former Suite B standards
- RSA-2048 (Key exchange/Digital Sig)
- ECDH/ECDSA P-256 (Key exchange/Digital Sig)
- AES-128 (Symmetric encryption)
- Diffie-Hellman 2048 (Key exchange)
- SHA-256 (Integrity check/hash)
New NSS standards
- RSA-3072 (Key exchange/Digital Sig)
- ECDH/ECDSA P-384 (Key exchange/Digital Sig)
- AES-256 (Symmetric encryption)
- Diffie-Hellman 3072 (Key exchange)
- SHA-384 (Integrity check/hash)
Okay great.....what does this mean to you?
Well, for one, if the NSA feels there is a threat great enough to warrant raising these standards to protect national security structure, then it only makes sense for the public to do the same. After all, I place a high value on my privacy and the sanctity of my "data".
Things you should be checking:
1. Your VPN provider (you are using a VPN, right?). Most of the providers I recommend already meet or exceed the new standards. There are, however, some that still employ RSA-2048 and AES-128. Find out what your provider is using and if it does not meet the standard as set forth above I would contact them and encourage them to implement it as soon as possible.....or move to a different provider.
2. Your PGP/GPG keys. More and more people are discovering and utilizing GPG encryption for their mail and personal file security. I have noticed though that many of the people that contact me via GPG are still using RSA-2048 keys. I would encourage you to switch to the stronger RSA-4096 keys (or better yet, ECC keys with non-NIST curves....if you are savvy with the terminal).
These couple of steps will greatly increase your personal/business security level and, frankly, are pretty painless to implement.
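One way to run the key check from item 2 over a whole keyring, as an added example that is not part of the original post: it reads GnuPG's machine-readable `--with-colons` listing and flags RSA/DSA/ElGamal keys below the 3072-bit figure listed above, plus ECC keys on the former P-256 curve. The function names, the sample key ids and the choice to flag only `nistp256` among ECC curves are assumptions of this example.

```shell
#!/bin/sh
# Audit GnuPG public keys against the key sizes listed in the post.
# Real use: gpg --list-keys --with-colons | audit_gpg_keys [min_bits]
audit_gpg_keys() {
    awk -F: -v min_bits="${1:-3072}" '
    # pub = primary key, sub = subkey. Field 3 = length in bits,
    # field 4 = algorithm id, field 5 = key id, field 17 = ECC curve name.
    $1 == "pub" || $1 == "sub" {
        bits = $3 + 0; algo = $4 + 0; id = $5; curve = $17
        if (algo == 1 || algo == 2 || algo == 3)         name = "RSA"
        else if (algo == 16)                             name = "ELG"
        else if (algo == 17)                             name = "DSA"
        else if (algo == 18 || algo == 19 || algo == 22) name = "ECC"
        else                                             name = "algo" algo

        if (name == "ECC") {
            # P-256 is the former Suite B curve; the new minimum is P-384.
            status = (curve == "nistp256") ? "WEAK" : "OK"
            detail = curve
        } else {
            status = (bits < min_bits) ? "WEAK" : "OK"
            detail = name "-" bits
        }
        printf "%s %s %s %s\n", status, $1, id, detail
    }'
}

# Constructed sample listing (not real keys): key ids and dates are made up.
sample_keys() {
    cat <<'EOF'
tru::1:1440000000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAA1:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::0000000000000000000000000000000000000000::Old Key <old@example.org>::::::::::0:
sub:u:2048:1:AAAAAAAAAAAAAAA2:1400000000::::::e::::::23:
pub:u:4096:1:BBBBBBBBBBBBBBB1:1440000000:::u:::scESC::::::23::0:
sub:u:4096:1:BBBBBBBBBBBBBBB2:1440000000::::::e::::::23:
pub:u:255:22:CCCCCCCCCCCCCCC1:1440000000:::u:::scESC:::::ed25519:::0:
sub:u:255:18:CCCCCCCCCCCCCCC2:1440000000::::::e:::::cv25519::
pub:u:256:19:DDDDDDDDDDDDDDD1:1440000000:::u:::scESC:::::nistp256:::0:
EOF
}

sample_keys | audit_gpg_keys
```

Subkeys are listed separately because an encryption subkey can be weaker than the primary key it hangs off; pass a different minimum (for example `audit_gpg_keys 4096`) to hold RSA keys to a stricter bar.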
I should note that you will get hands-on experience with these techniques at my GroundRod 2 course.
*** UPDATE ***
We looked at the Suite B standards and the new NSS standards above.....now, here are my recommendations:
For key negotiation/exchange:
- ECC Brainpool P-384 or P-512
- ECC Curve25519
- DH 4096
For symmetric (payload) encryption:
- Twofish / Threefish
For integrity check/hash:
As you can see, I favor non-NIST standards as much as possible. For most VPN providers you are stuck with AES for channel encryption; however, Proxy.sh and a couple of others are working on implementing Serpent and Twofish as an option.