Suite B
Suite B is a security standard developed by the National Security Agency (NSA) that establishes a cryptographic interoperability strategy. Suite B is similar to SP 800-131a, but it has tighter restrictions.
Suite B can run in two modes: 128-bit and 192-bit. To use the 192-bit mode, you must apply the unrestricted policy file to the JDK in the Verify Identity Access Java™ components. When you apply the unrestricted policy, the JDK uses the stronger cipher that is required for the 192-bit mode.
- TLS version 1.2 protocol for the SSL context
- Suite B-approved cipher suites
- Certificates:
  - 128-bit mode certificates must be signed with SHA256withECDSA.
  - 192-bit mode certificates must be signed with SHA384withECDSA.
- Ciphers:
  - SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
The Verify Identity Access Base component communication uses certificates that are generated by the policy server. The strength and algorithms used to create these certificates differ for each Suite B security mode. You cannot convert from the 128-bit mode to the 192-bit mode (or to any other security mode) without completely regenerating all the Verify Identity Access certificates. The certificates are not compatible with previous releases of Verify Identity Access. Clients from previous Verify Identity Access releases cannot communicate with the Verify Identity Access 8.0 policy server in this mode.
- The use of TLSv1.2 protocol.
- Suite B-approved cipher suites
- Certificates:
  - 128-bit mode certificates must be signed with SHA256withECDSA
  - 192-bit mode certificates must be signed with SHA384withECDSA
- Ciphers:
  - SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
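
The requirements above can be checked mechanically against a recorded TLS session. The following is an added example, not IBM code: the function names and the sample chain are hypothetical, and it assumes the observing tool may report cipher suites with a `TLS_` prefix and signature algorithms in OpenSSL spelling (`ecdsa-with-SHA256`). It also shows why certificates generated for 128-bit mode fail in 192-bit mode.

```python
# Added example: audit a recorded TLS session against the Suite B requirements above.
SUITE_B_CIPHERS = {                     # cipher suites from the page, prefix removed
    "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
CERT_SIGALG = {128: "SHA256withECDSA", 192: "SHA384withECDSA"}  # per mode, from the page
# Assumption: OpenSSL-style spellings of the same signature algorithms.
SIGALG_ALIASES = {"ecdsa-with-sha256": "SHA256withECDSA",
                  "ecdsa-with-sha384": "SHA384withECDSA"}


def normalize_cipher(name):
    """Drop the SSL_/TLS_ prefix so JSSE-style and IANA-style names compare equal."""
    name = name.strip().upper()
    for prefix in ("SSL_", "TLS_"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def normalize_sigalg(name):
    """Map a signature algorithm name to the spelling used on the page."""
    key = name.strip().lower()
    known = {v.lower(): v for v in CERT_SIGALG.values()}
    return SIGALG_ALIASES.get(key) or known.get(key) or name.strip()


def audit_session(mode, protocol, cipher, chain_sigalgs):
    """Return a list of violations; an empty list means the session fits the mode."""
    if mode not in CERT_SIGALG:
        raise ValueError("mode must be 128 or 192")
    problems = []
    if protocol.strip().upper() != "TLSV1.2":
        problems.append(f"protocol {protocol} is not TLSv1.2")
    if normalize_cipher(cipher) not in SUITE_B_CIPHERS:
        problems.append(f"cipher {cipher} is not a listed Suite B cipher suite")
    required = CERT_SIGALG[mode]
    for index, sigalg in enumerate(chain_sigalgs):
        if normalize_sigalg(sigalg) != required:
            problems.append(f"certificate {index} signed with {sigalg}, need {required}")
    return problems


# Constructed sample: certificates generated for 128-bit mode, one in OpenSSL spelling.
CHAIN_128 = ["SHA256withECDSA", "ecdsa-with-SHA256"]

if __name__ == "__main__":
    for mode in (128, 192):
        result = audit_session(mode, "TLSv1.2",
                               "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", CHAIN_128)
        print(mode, result or "compliant")
```

Run against the constructed chain, the 128-bit audit returns no violations, while the 192-bit audit flags every certificate, which is the regeneration requirement described above.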