NSA product types

From Wikipedia, the free encyclopedia
  (Redirected from Type 1 product)
Jump to navigation Jump to search

The U.S. National Security Agency (NSA) ranks cryptographic products or algorithms by a certification called product types. Product types are defined in the National Information Assurance Glossary (CNSSI No. 4009) which defines Type 1, 2, 3, and 4 products. [1]

Type 1 product[edit]

A Type 1 product is a device or system certified by NSA for use in cryptographically securing classified U.S. Government information. A Type 1 product is defined as:

Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring the most stringent protection mechanisms.

They are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with International Traffic in Arms Regulations.

Type 1 certification is a rigorous process that includes testing and formal analysis of (among other things) cryptographic security, functional security, tamper resistance, emissions security (EMSEC/TEMPEST), and security of the product manufacturing and distribution process.[2]

Type 2 product[edit]

A Type 2 product is unclassified cryptographic equipment, assemblies, or components, endorsed by the NSA, for use in telecommunications and automated information systems for the protection of national security information, as defined as:

Cryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified national security information.

Type 3 product[edit]

A Type 3 product is a device for use with Sensitive, But Unclassified (SBU) information on non-national security systems, defined as:

Unclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. Government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP).

Approved encryption algorithms include three-key Triple DES, and AES (although AES can also be used in NSA-certified Type 1 products[citation needed]). Approvals for DES, two-key Triple DES and Skipjack have been withdrawn as of 2015. [3]

Type 4 product[edit]

A Type 4 product is an encryption algorithm that has been registered with NIST but is not a Federal Information Processing Standard (FIPS), defined as:

Unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any Government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS.

See also[edit]

References[edit]

  1. ^ National Information Assurance Glossary (CNSSI No. 4009, 2010)
  2. ^ "In defense of data". www.militaryaerospace.com. Retrieved 2019-04-09.
  3. ^ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST.SP.800-131A Rev1, November 6, 2015, Elaine Barker, Allen Roginsky

Parts of this article have been derived from Federal Standard 1037C, the National Information Systems Security Glossary, and 40 USC 1452.