16.0 Configuring eDirectory in Suite B Mode

Suite B is a set of cryptographic algorithms standardized by the National Security Agency (NSA) to allow commercial products to protect traffic that is classified at secret or top secret levels. The Suite B algorithms serve as a method to ensure the security of classified and unclassified information passed through public networks.

NOTE:

  • The Suite B standard is subject to change; be aware that the NSA may change its recommendations in the future. Suite B support in eDirectory is based on our interpretation of the NSA recommendations.

  • Suite B is not supported with OES 2018.

Suite B includes the following cryptographic algorithms:

  • Encryption based on the Advanced Encryption Standard (AES) using 128-bit keys or 256-bit keys

  • Digital signatures with the Elliptic Curve Digital Signature Algorithm (ECDSA) on P-256 and P-384 curves

  • Key exchange, either pre-shared or dynamic, using the Elliptic Curve Diffie-Hellman (ECDH) method on P-256 and P-384 curves

  • Hashing (digital fingerprinting) based on the Secure Hash Algorithm-2 (SHA-256 and SHA-384)

For more information about Suite B, see Suite B Cryptography.
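The algorithms listed above are meant to be used together as one profile. At the 192-bit level, which is what the RFC 6460 cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 enforces, ECDH on P-384 supplies the shared secret, SHA-384 derives keys from it, and AES-256 in GCM mode protects the data. The following Go example is added here and is not eDirectory or NICI code: it composes those three steps with the standard library, leaves out the ECDSA signature step, and uses a plain SHA-384 of the shared secret in place of the TLS 1.2 PRF (both simplifications for illustration).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"errors"
)

// Suite B 192-bit level, as composed for TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
// (RFC 6460) minus the signature step: ECDH on P-384, SHA-384, AES-256-GCM.
// AgreeAES256Key derives a 32-byte AES-256 key from an ECDH P-384 shared secret.
// SHA-384 of the raw secret stands in for the TLS 1.2 PRF (illustrative simplification).
func AgreeAES256Key(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer) // errors if the peer key is not on the same curve
	if err != nil {
		return nil, err
	}
	sum := sha512.Sum384(shared)
	return sum[:32], nil
}

// NewAES256GCM builds the AEAD for a 32-byte key; that key length selects AES-256.
func NewAES256GCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext, prefixing a fresh random nonce.
func Seal(g cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; any modification of the sealed bytes fails the GCM tag check.
func Open(g cipher.AEAD, sealed []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed message too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Both sides derive the same AES-256 key from their own private key and the peer's public key, and a peer key on P-256 is rejected, which is the curve-mismatch case a Suite B profile must refuse.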

eDirectory allows you to separately configure the following modules in Suite B modes. Each module is listed with a description:

NPKI (NetIQ certificate server)

Certificate Server provides public key cryptography services that are natively integrated into eDirectory and that allow you to mint, issue, and manage both user and server certificates. These services allow you to protect confidential data transmissions over public communications channels such as the Internet.

When you configure the Certificate Server in Suite B mode, Certificate Server adheres to RFC 5759 that specifies the base profile for Suite B certificates and Certificate Revocation List (CRL). For more information, see Enabling Suite B on the Certificate Server.

LDAP and HTTP Services

The LDAP service is a server application that lets LDAP clients access information stored in eDirectory. eDirectory provides cross-platform monitoring and diagnostic capability to all servers in your eDirectory tree using the HTTP service.

When you configure these services in Suite B mode, they include support for ECDSA certificates and enforce use of TLS 1.2 and Suite B ciphers as specified in RFC 6460. For more information, see Configuring LDAP and HTTP Services to Use ECDSA Certificates and Suite B Ciphers.

NICI

NICI is the cryptography module that provides keys, algorithms, various key storage and usage mechanisms, and a large-scale key management system. To help applications securely store and transfer data and keys, NICI provides three types of keys - Key Storage key, NICI Security Domain Infrastructure (SDI) key, and Session key.

When you configure a server in Suite B mode, NICI secures sensitive data in the tree, such as passwords and Challenge-Response data, by using 256-bit AES keys. Upgrading to NICI 3.0 automatically re-creates the key storage key and session key to adhere to Suite B.

eDirectory uses the NICI SDI key, also called the tree key, to securely wrap keys that in turn encrypt data for local or remote storage, so that servers in the tree can unwrap the key. The data remains secure in conjunction with eDirectory rights. The tree key is available to all servers in the tree: to access the same data, multiple servers use the same NICI SDI key. Therefore, this key is not created automatically when NICI 3.0 is installed; you must create it manually. For more information, see Creating an AES 256-Bit SDI Key.

Background authentication mechanism

Provides a standards-based background authentication mechanism based on TLS 1.2 for single sign-on authentication with eDirectory. For more information, see Enabling Background Authentication.

The following sections describe how to configure eDirectory modules in Suite B modes: