NSA Suite B 128bit Mode
The following restrictions apply when NSA Suite B 128bit mode is enabled, and are further restricted
in 192bit mode:
- Certificates must be ECC using elliptic curve secp256r1 or secp384r1
- Protocol must be TLSV1.2, all others are disabled
- Cipher algorithm must be AES-128
- Key exchange algorithm must be ECDH
- Digital signature algorithm must be ECDSA
- Hashing algorithm must be SHA256
- Cipher suites allowed for NSA Suite B 128 bit are:
  - TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256 (C023)
  - TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256 (C02B)
Note: To use Suite B and an ECC certificate, special authorization and setup are required.
For more information, see the System SSL Programming Guide.
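
The restrictions above can be checked mechanically when reviewing an endpoint's settings. The following is an added example, not code from the product or its documentation: it audits a configuration description against the 128bit list. The dictionary field names, the concatenated 4-hex-digit cipher string format, and the `WEAK`/`GOOD` sample configurations are assumptions constructed for illustration.

```python
# Added example: audit a TLS endpoint description against the Suite B
# 128bit restrictions listed above. Field names and the concatenated
# 4-hex-digit cipher string format are assumptions of this example.
SUITE_B_128 = {
    "protocols": {"TLSv1.2"},
    "curves": {"secp256r1", "secp384r1"},
    "ciphers": {
        "C023": "TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256",
        "C02B": "TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256",
    },
}

def split_cipher_specs(spec):
    """Split a concatenated string such as 'C02BC023' into 4-hex-digit codes."""
    spec = spec.strip().upper()
    if len(spec) % 4 or any(c not in "0123456789ABCDEF" for c in spec):
        raise ValueError(f"malformed cipher spec string: {spec!r}")
    return [spec[i:i + 4] for i in range(0, len(spec), 4)]

def audit(endpoint):
    """Return a list of violations; an empty list means the profile is met."""
    findings = []
    extra = set(endpoint["protocols"]) - SUITE_B_128["protocols"]
    if extra:
        findings.append("protocols must be disabled: " + ", ".join(sorted(extra)))
    if "TLSv1.2" not in endpoint["protocols"]:
        findings.append("TLSv1.2 is not enabled")
    try:
        codes = split_cipher_specs(endpoint["cipher_specs"])
    except ValueError as exc:
        return findings + [str(exc)]
    if not codes:
        findings.append("no cipher suites configured")
    for code in codes:
        if code not in SUITE_B_128["ciphers"]:
            findings.append(f"cipher {code} is not allowed")
    if endpoint["cert_key_type"] != "ECC":
        findings.append(f"certificate key type {endpoint['cert_key_type']} is not ECC")
    elif endpoint["cert_curve"] not in SUITE_B_128["curves"]:
        findings.append(f"certificate curve {endpoint['cert_curve']} is not allowed")
    return findings

# Constructed sample configurations (not taken from any real system).
WEAK = {"protocols": ["TLSv1.1", "TLSv1.2"], "cipher_specs": "C02BC02F009C",
        "cert_key_type": "RSA", "cert_curve": None}
GOOD = {"protocols": ["TLSv1.2"], "cipher_specs": "C02BC023",
        "cert_key_type": "ECC", "cert_curve": "secp256r1"}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit(cfg) or "compliant")
```

The key exchange, signature, cipher, and hash restrictions are enforced through the two allowed suite codes, so the audit does not check them separately.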