NSA Suite B 128bit Mode

The following restrictions apply when NSA Suite B 128-bit mode is enabled, and are further restricted in 192-bit mode:
  • Certificates must be ECC using elliptic curve secp256r1 or secp384r1
  • Protocol must be TLSv1.2; all others are disabled
  • Cipher algorithm must be AES-128
  • Key exchange algorithm must be ECDH
  • Digital signature algorithm must be ECDSA
  • Hashing algorithm must be SHA256
  • Cipher suites allowed for NSA Suite B 128 bit are:
    • TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256 (C023)
    • TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256 (C02B)
Note: To use Suite B and an ECC certificate, special authorization and setup are required. For more information, see the System SSL Programming Guide.
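
A peer that connects to a system running in this mode has to offer the same protocol version and cipher suites. The following is an added example, not taken from the System SSL documentation: it builds a Python `ssl` client context limited to the two suites listed above and checks a session against them. The OpenSSL suite names and all function names are this example's own; certificate curve and signature checks are out of scope.

```python
import ssl

# Hex codes are the ones listed above; the OpenSSL names are this example's mapping.
SUITE_B_128 = {
    0xC023: "ECDHE-ECDSA-AES128-SHA256",      # TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",  # TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256
}


def suite_b_128_client_context():
    """Client context pinned to TLSv1.2 and the two Suite B 128-bit suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Raises ssl.SSLError if the local OpenSSL build supports neither suite.
    ctx.set_ciphers(":".join(SUITE_B_128.values()))
    return ctx


def offered_tls12_codes(ctx):
    """Two-byte codes of the suites the context can offer below TLS 1.3."""
    codes = set()
    for cipher in ctx.get_ciphers():
        code = cipher["id"] & 0xFFFF
        # TLS 1.3 suites (0x13xx) are not affected by set_ciphers() and may
        # still be listed; they cannot be negotiated because max is TLSv1.2.
        if code >> 8 == 0x13:
            continue
        codes.add(code)
    return sorted(codes)


def session_violations(sock):
    """Compare a connected SSLSocket (or SSLObject) with the restrictions."""
    problems = []
    version = sock.version()
    name = sock.cipher()[0]
    if version != "TLSv1.2":
        problems.append(f"protocol {version} is not TLSv1.2")
    if name not in SUITE_B_128.values():
        problems.append(f"cipher suite {name} is not in the Suite B 128-bit list")
    return problems
```

Call `session_violations()` on the socket returned by `ctx.wrap_socket(...)` after the handshake to confirm what was actually negotiated.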