Internet DRAFT - draft-kaimindermann-securecryptoconfig
draft-kaimindermann-securecryptoconfig
cfrg K. Mindermann
Internet-Draft iC Consult GmbH
Intended status: Informational L. Teis
Expires: 21 October 2021 19 April 2021
Secure Crypto Config
draft-kaimindermann-securecryptoconfig-01
Abstract
Choosing secure cryptography algorithms and their corresponding
parameters is difficult. Also, current cryptography APIs cannot
change their default configuration which renders them inherently
insecure. The Secure Crypto Config provides a method that allows
cryptography libraries to change the default cryptography algorithms
over time and at the same time stay compatible with previous
cryptography operations. This is achieved by combining three things
standardized by the Secure Crypto Config: (1) A process that is
repeated every two years, where a new set of default configurations
for standardized cryptography primitives is published in a specific
format. (2) A Secure Crypto Config Interface that describes a common
API to use cryptography primitives in software (3) using COSE to
derive the parameters from output of cryptography primitives,
otherwise future changes of the default configuration would change
existing applications behavior.
Note to Readers
Comments are solicited and should be addressed to the GitHub
repository issue tracker (https://github.com/secureCryptoConfig/
secureCryptoConfig) and/or the author(s)
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Mindermann & Teis Expires 21 October 2021 [Page 1]
Internet-Draft SCC April 2021
This Internet-Draft will expire on 21 October 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Motivation . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1. Conventions and Definitions . . . . . . . . . . . . . 5
1.2.2. Terms . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3.1. Secure Crypto Config Use Cases . . . . . . . . . . . 5
1.3.2. Cryptography Use Cases . . . . . . . . . . . . . . . 6
2. Requirements and Assumptions . . . . . . . . . . . . . . . . 9
2.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 12
3. Security Levels . . . . . . . . . . . . . . . . . . . . . . . 12
3.1. Security Level 1 - Low . . . . . . . . . . . . . . . . . 12
3.2. Security Level 2 . . . . . . . . . . . . . . . . . . . . 12
3.3. Security Level 3 . . . . . . . . . . . . . . . . . . . . 12
3.4. Security Level 4 . . . . . . . . . . . . . . . . . . . . 13
3.5. Security Level 5 - High . . . . . . . . . . . . . . . . . 13
3.6. Security Level Constraints . . . . . . . . . . . . . . . 13
3.6.1. Information classification . . . . . . . . . . . . . 13
3.6.2. Longevity . . . . . . . . . . . . . . . . . . . . . . 13
3.6.3. Constrained Devices . . . . . . . . . . . . . . . . . 14
3.6.4. n-Bit-Security . . . . . . . . . . . . . . . . . . . 14
3.6.5. Attacker Resources and Capabilities . . . . . . . . . 14
4. Consensus Finding Process and entities . . . . . . . . . . . 15
4.1. Consensus Finding . . . . . . . . . . . . . . . . . . . . 15
4.1.1. Regular Process . . . . . . . . . . . . . . . . . . . 15
4.1.2. Emergency Process . . . . . . . . . . . . . . . . . . 16
4.1.3. Requirements for Selection of Cryptography Algorithm
and Parameters . . . . . . . . . . . . . . . . . . . 17
4.2. Entities . . . . . . . . . . . . . . . . . . . . . . . . 17
Mindermann & Teis Expires 21 October 2021 [Page 2]
Internet-Draft SCC April 2021
5. Publication Format and Distribution . . . . . . . . . . . . . 17
5.1. Versioning . . . . . . . . . . . . . . . . . . . . . . . 18
5.2. Naming . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3. Secure Crypto Config IANA Registry . . . . . . . . . . . 18
5.3.1. Example for Secure Crypto Config IANA Registry . . . 19
5.3.2. Utilized Algorithm Registries . . . . . . . . . . . . 19
5.4. Data Structures . . . . . . . . . . . . . . . . . . . . . 20
5.5. Human readable format . . . . . . . . . . . . . . . . . . 21
5.6. Official Secure Crypto Config Repository . . . . . . . . 21
5.6.1. Location of Secure Crypto Config Repository . . . . . 22
5.6.2. Format of Secure Crypto Config Repository . . . . . . 22
5.6.3. Integrity/Signing process . . . . . . . . . . . . . . 23
6. Secure Crypto Config Application Programming Interface
(API) . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.1. Semantic Versioning . . . . . . . . . . . . . . . . . . . 24
6.2. Deployment of (custom) Secure Crypto Config with
Interface . . . . . . . . . . . . . . . . . . . . . . . . 24
6.2.1. Delivery of Secure Crypto Config with Interface . . . 26
6.2.2. Using a custom Secure Crypto Config Repository . . . 26
6.2.3. Integrity Check . . . . . . . . . . . . . . . . . . . 26
6.2.4. Methods and Parameters . . . . . . . . . . . . . . . 27
6.2.5. Automatic Parameter Tuning . . . . . . . . . . . . . 27
6.2.6. Output of readable Secure Crypto Config . . . . . . . 28
6.3. TODOs . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7. Cryptography Library Implementation Specification . . . . . . 29
8. Cryptography Algorithm Standards Recommendation . . . . . . . 29
9. Security Considerations . . . . . . . . . . . . . . . . . . . 29
9.1. Consensus Finding . . . . . . . . . . . . . . . . . . . . 29
9.2. Publication Format . . . . . . . . . . . . . . . . . . . 29
9.3. Cryptography library implementation . . . . . . . . . . . 29
9.4. General Security Considerations . . . . . . . . . . . . . 30
9.4.1. Special Use Cases and (Non-)Security Experts . . . . 30
9.5. Security of Cryptography primitives and
implementations . . . . . . . . . . . . . . . . . . . . . 30
9.5.1. Security Guarantees . . . . . . . . . . . . . . . . . 30
9.5.2. Threat Model / Adversaries . . . . . . . . . . . . . 30
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
11.1. Normative References . . . . . . . . . . . . . . . . . . 31
11.2. Informative References . . . . . . . . . . . . . . . . . 32
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 32
A.1. JSON Secure Crypto Config . . . . . . . . . . . . . . . . 33
Appendix B. Example Java Interface using Secure Crypto Config . 33
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction
Mindermann & Teis Expires 21 October 2021 [Page 3]
Internet-Draft SCC April 2021
1.1. Motivation
Cryptography needs standardization to work across various domains and
to be interoperable between different implementations. One domain
that is not covered sufficiently by cryptography standards is the
selection and maintenance of cryptography algorithms and their
parameters. Choosing an appropriate and secure cryptography
algorithm alone is difficult. Yet, even more difficult is the choice
of the required and matching parameters for that algorithm (e.g.
Argon2 has 10 input parameters (https://tools.ietf.org/html/draft-
irtf-cfrg-argon2-10#section-3.1)). After the choice has been made,
all involved parties need to use exactly this configuration. There
is no specification on how the chosen cryptography configuration
should be stored, distributed and retrieved. Furthermore, supporting
more than one configuration or being able to add future
configurations is not defined. That reduces software compatibility
and increases maintenance efforts.
Cryptography algorithm implementations, regardless of for one
algorithm or multiple ones, offer some kind of Application
Programming Interface for developers to use the algorithms. Yet, in
many cases these interfaces provide no abstraction from the
underlying algorithm but expose much of the internal states and
parameters. Also the more abstracting interfaces, usually found in
the standard libraries of programming languages, require users to
have much cryptography experience to use them correctly and securely.
Moreover, even approaches that tried to increase usability by
providing defaults, these defaults become quickly outdated but cannot
be changed in the interface anymore as applications using these
defaults rely on that functionality.
It sounds a lot like a problem for software engineering and not for
cryptography standardization. But software engineering alone cannot
provide a programming interface for cryptography algorithms that also
works for future algorithms and parameters and at the same time is
able to change the default implementation easily. Both the choice of
the algorithm/parameters and the default behavior must be automated
and standardized to remove this burden from developers and to make
cryptography work by default and in the intended secure way.
The Secure Crypto Config approaches this problem first by providing a
regularly updated list of secure cryptography algorithms and
corresponding parameters for common cryptography use cases. Second,
it provides a standardized Application Programming Interface which
provides the Secure Crypto Config in a misuse resistant way to
developers. Third, it leverages an already standardized format
([RFC8152]) to store the used parameters alongside the results of
cryptography operations. That ensures that future implementations
Mindermann & Teis Expires 21 October 2021 [Page 4]
Internet-Draft SCC April 2021
can change their default cryptography algorithms but still parse the
used configuration from existing data and perform the required
cryptography operations on it.
Each of these approaches could be used on its own. Yet, the
combination of them allows software to be easier to maintain, more
compatible with other cryptography implementations and to future
security developments, and most importantly more secure.
The Secure Crypto Config makes common assumptions that are not true
for all possible scenarios. In cases where security experts are
indeed involved and more implementation choices have to be made, the
Secure Crypto Config still allows the usage of predefined or even
custom cryptography algorithms and parameters.
1.2. Terminology
1.2.1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.2.2. Terms
The terms "API", "attack", "authenticity", "availability", "break",
"brute force", "cipher", "ciphertext", "classified", "classification
level", "confidentiality", "cryptographic hash", "encrypt",
"encryption", "initialization vector (IV)", "integrity", "key",
"mode", "nonce", "password", "plain text", "plaintext", "protocol",
"security", "security level", "threat", "trust", in this document are
to be interpreted as described in [RFC4949].
The term "hash" is used as a synonym for "cryptographic hash".
The term "cryptographic primitive" is used in this document to
describe a generic building block used in the field of cryptography
e.g. Hashing, symmetric encryption.
1.3. Use Cases
1.3.1. Secure Crypto Config Use Cases
The Secure Crypto Config has the following main use cases:
Mindermann & Teis Expires 21 October 2021 [Page 5]
Internet-Draft SCC April 2021
* Centralized and regularly updated single source of truth for
secure algorithms and their parameters for most common
cryptography primitives and use cases.
* Both machine and human readable format to specify the above
mentioned cryptography algorithm/parameter configuration. The
format is also extensible to allow others (e.g. governmental or
commercial organizations) to define their own set of cryptography
configurations.
* Standardized cryptography API that not uses the Secure Crypto
Config for the selection of the most recent cryptography
configurations but also uses a standardized cryptography operation
output format to enclose the chosen parameters.
1.3.2. Cryptography Use Cases
The Secure Crypto Config covers cryptography algorithm and parameter
configurations for widely used cryptography use cases defined in the
following sections.
1.3.2.1. Symmetric Encryption
Symmetric Encryption is an important cryptographic primitive
especially as it is usually multiple magnitudes faster both for
encryption and decryption than asymmetric cryptography. Yet, the
secret has to be shared with all participants.
The only expected input parameters by cryptography users:
* plaintext
* secret key
Expected output: ciphertext.
Additional Parameters often required in practice:
* Algorithm
* Block-Mode
* IV
* Padding-Mode
* Authentication Tag size
Mindermann & Teis Expires 21 October 2021 [Page 6]
Internet-Draft SCC April 2021
Possible secure usage:
* A256GCM;3;AES-GCM mode w/ 256-bit key, 128-bit tag
* ChaCha20/Poly1305;24;ChaCha20/Poly1305 w/ 256-bit key, 128-bit tag
1.3.2.2. Asymmetric Encryption
Besides symmetric encryption is asymmetric encryption another
important cryptographic primitive to considered.
The only expected input parameters for encryption:
* plaintext
* public key
Expected output: ciphertext.
The only expected input parameters for decryption:
* ciphertext
* private key
Possible secure usage:
* RSAES-OAEP w/ SHA-512,-42,RSAES-OAEP w/ SHA-512
1.3.2.3. Hashing
Hashing is an important cryptographic primitive and is often needed
as a part of many other cryptographic use cases e.g. password
derivation.
The only expected input parameters by cryptography users:
* plaintext
Expected output: hash.
Possible secure usage:
* SHA-512 (TEMPORARY - registered 2019-08-13, expires
2020-08-13);-44;SHA-2 512-bit Hash
* SHAKE256 (TEMPORARY - registered 2019-08-13, expires
2020-08-13);-45;256-bit SHAKE
Mindermann & Teis Expires 21 October 2021 [Page 7]
Internet-Draft SCC April 2021
1.3.2.4. Password Hashing
The secure storage of passwords requires hashing. Yet, password
hashing requires that the hashing can not be performed very fast to
prevent attackers from guessing/brute-forcing passwords from leaks or
against the live system. E.g. it is totally fine for users if the
login takes 0.1 seconds instead of microseconds. This results in
special families of hash algorithms that offer additional tuning
parameters.
The only expected input parameters by cryptography users:
* plaintext
* hash-algorithm
Expected output: hash.
Possible secure usage:
* Argon2id (https://tools.ietf.org/html/draft-irtf-cfrg-argon2-13)
1.3.2.5. Key Generation
* [ ] TODO should key generation be considered? (Symmetric/
Asymmetric)
A key is necessary for many cryptographic use cases e.g. symmetric
and asymmetric encryption. Therefore, key generation is an important
part while implementing cryptographic code.
The only expected input is the intended use case.
Expected output: key.
Possible secure generation:
* Use of CSPRNG
* Keys derived via derivation function from passwords/other keys
1.3.2.6. Digital Signatures
Signing is an important and often needed cryptographic use case. It
is based on the principle of asymmetrical encryption.
The only expected input parameters for signing:
Mindermann & Teis Expires 21 October 2021 [Page 8]
Internet-Draft SCC April 2021
* plaintext
* private key
Expected output: signature.
The only expected input parameters for verifying the signature:
* signature
* public key
Expected output: valid/not-valid.
Possible secure usage:
* ECDSA
* ES512;-36;ECDSA w/ SHA-512
2. Requirements and Assumptions
2.1. Requirements
In the following, all requirements are listed that regard the Secure
Crypto Config or the Secure Crypto Config Interface.
* Security Level Requirements: The Secure Crypto Config should
define different security levels. E.g. information has different
classification levels and longevity. Additionally, cryptography
operations could not or much slower perform on constrained
devices, which should also be handled with the security levels.
For each security level, the consensus finding process and
entities shall publish a distinct secure crypto config.
* Consensus Finding Process and entities:
- The Secure Crypto Config must be renewed regularly.
- The Secure Crypto Config must be renewable on-demand.
- There must be a guideline on which entities must agree to
publish a new Secure Crypto Config.
- There must be a guideline on which entities may participate in
the consensus finding process and how they may do so.
Mindermann & Teis Expires 21 October 2021 [Page 9]
Internet-Draft SCC April 2021
- There must be a guideline on how to determine broad
availability of both cryptography algorithms and chosen
parameters.
* Publication Format and Distribution Requirements:
- General:
o The Secure Crypto Config must be easily publishable by the
committee.
o Standardized unique and distinct names for (1) cryptography
algorithms (2) their parameters and (3) the combination of
the algorithm with set parameters. Otherwise, ambiguity
would make it harder for developers and cryptography
implementors to make correct and secure choices.
o There must be a versioning that allows to distinguish
between Secure Crypto Configurations and what is the latest
Secure Crypto Config.
o There must be a deprecation process that ensures usage of
outdated/insecure Crypto Configurations cases.
o There must be an official source where this Secure Crypto
Config is maintained and can be obtained from (e.g. via the
WWW).
o The official source format of the Secure Crypto Config must
be cryptographically protected to ensure its integrity and
authenticity.
o Other published formats derived from the source format (e.g.
for human readability on a webpage) do not have to be
cryptographically protected but should be generated
automatically from the source format.
o The official source should also provide information about
the Secure Crypto Config Interface that should be utilized
for the application of the Secure Crypto Config.
o The Secure Crypto Config must specify how it can be extended
(e.g. more security levels) and how derivatives work.
- Human readable
o The Secure Crypto Config must have a human readable format.
Mindermann & Teis Expires 21 October 2021 [Page 10]
Internet-Draft SCC April 2021
o The Secure Crypto Config must allow non-experts to find
secure cryptography algorithms and appropriate parameters
for common cryptography use cases.
o The Secure Crypto Config human readable publication format
should only use easy to comprehend data structures like two-
dimensional tables.
- Machine readable
o Cryptography libraries, regardless of the programming
language, should be able to directly map (without extensive
parsing) the Secure Crypto Config to their implementation
o Must be easy to verify which Secure Crypto Config is used /
was used (e.g. in Continuous Integration platforms)
o Must be easy to verify the authenticity of the Secure Crypto
Config (e.g. is this really what the CFRG has published?)
* Cryptography library integration requirements:
- Easy to integrate by cryptography libraries
- Experts should still be able to use/access the unaltered output
of cryptographic primitives
- Recommendation what should be the default Secure Crypto Config
for a cryptography library (e.g. should it be the one with the
highest security level or _only_ a weaker one?)
- Recommendation of what should a cryptography library do if it
can not support the parameters specified in the latest Secure
Crypto Config. (E.g. key size for RSA would be n*2 and the
library supports only n)
- Recommendation on how a cryptography library should integrate
the Secure Crypto Config so that it is up to date as soon as
possible after a new Secure Crypto Config has been published
* General Requirements:
- Interoperability with other standards/formats (e.g. [RFC8152])
- The Secure Crypto Config should cover most common cryptography
primitives and their currently broadly available and secure
algorithms.
Mindermann & Teis Expires 21 October 2021 [Page 11]
Internet-Draft SCC April 2021
- The Secure Crypto Config should be protected against attackers
as defined in Section 3.6.5
- The Secure Crypto Config should prevent non-experts to
configure cryptography primitives in an insecure way.
- The Secure Crypto Config should not prevent experts from using
or changing all parameters of cryptography primitives provided
by a cryptography library/API.
2.2. Assumptions
The Secure Crypto Config assumes that both the proposed algorithms
and the implementations (cryptography libraries) for the cryptography
primitives are secure. This also means that side-channel attacks are
not considered explicitly. It is also assumed that programmers,
software engineers and other humans are going to use cryptography.
They are going to make implementation choices without being able to
consult cryptography and security experts and without understanding
cryptography related documentation fully. This also means that it is
not considered best practice to assume or propose that only
cryptography experts (should) use cryptography (primitives/
libraries).
3. Security Levels
The Secure Crypto Config must be able to provide a secure parameter
set for different security levels. These security levels depend on
the following security constraints: *Information classification
(Secret, Confidential), Longevity (less than one day, more than a
day), Constrained devices (constrained, not constrained)*. They are
defined in Section 3.6 below. The Secure Crypto Config provides 5
common security levels for which official algorithm/parameter choices
are published.
3.1. Security Level 1 - Low
Confidential information, regardless of the other two constraints
3.2. Security Level 2
Secret information, less than one day longevity, constrained device
3.3. Security Level 3
Secret information, less than one day longevity, non-constrained
device
Mindermann & Teis Expires 21 October 2021 [Page 12]
Internet-Draft SCC April 2021
3.4. Security Level 4
Secret information, more than a day longevity, constrained device
3.5. Security Level 5 - High
Secret information, more than a day longevity, non-constrained device
3.6. Security Level Constraints
3.6.1. Information classification
Information classification within this document is about the
confidentiality of the information. Not all information is equally
confidential, e.g. it can be classified into different classes of
information. For governmental institutions usually three classes are
used: Confidential, Secret, or Top Secret. The Secure Crypto Config
considers only *Confidential* and *Secret* for its standardized
security levels. Further levels with other classifications can be
added by other organizations. Additionally, in common (non-
governmental) use cases data is not labeled with an information
class. Hence, often only one class is chosen for the cryptography
processing of all data.
The Secure Crypto Config does not endorse a definition of the
information classes, yet *Secret* information is to be considered to
have higher confidentiality requirements than *Confidential*
information.
3.6.2. Longevity
The time how long information has to be kept confidential can
influence cryptography parameters a lot. Usually what you talked
about with your friends should be kept confidential for a lifetime.
Yet, a public trade transaction must only be confidential until the
trade was executed which can happen in milliseconds. It directly
influences a very important attacker resource: The time an attacker
has to try to gain access to the confidential information. The
Secure Crypto Config considers only two ranges of longevity for its
standardized security levels: *short longevity* of less than one day
and *long longevity* of a day or more than a day. Further levels
with other longevity levels can be added by other organizations.
Mindermann & Teis Expires 21 October 2021 [Page 13]
Internet-Draft SCC April 2021
3.6.3. Constrained Devices
For cryptography often complex computations have to be executed.
Yet, not all environments have the same hardware resources available.
E.g. it is not always the case that the used processors have
dedicated cryptography hardware or even specialized execution units
or instruction sets like [AESNI]. Detailed discussion and
definitions can be found in [RFC7228]. Yet, their definitions are
too concrete to be used in the Secure Crypto Config's standardized
security levels. Therefore, the Secure Crypto Config defines
constraint devices not based on concrete processing power (e.g. 100k
instructions per second):
A device is constrained when it has *multiple orders of magnitudes*
fewer resources than a current (not a new one, but broadly in use at
the time of publication of a Secure Crypto Config!) standard personal
computer.
For example, if a current standard personal computer can encrypt with
1 GiB/s, a constrained device would be all devices that can only
perform the same cryptography operation with less than 10 MiB/s.
Resources can be everything important for cryptography like dedicated
cryptography hardware, instruction sets, memory, power consumption,
storage space, communication bandwidth, latency etc. The Secure
Crypto Config considers only *constrained* and *non-constrained* for
its standardized security levels. Further levels with other
constrained resource definitions can be added by other organizations.
3.6.4. n-Bit-Security
n-Bit Security Level:
A cryptographic mechanism achieves a security level of n bits if
costs which are equivalent to 2^n calculations of the encryption
function of an efficient block cipher (e.g. AES) are tied to each
attack against the mechanism which breaks the security objective
of the mechanism with a high probability of success. BSI
3.6.5. Attacker Resources and Capabilities
The Secure Crypto Config considers only the following same attacker
resources and capabilities for all standardized security levels:
* The attacker knows all used algorithms and parameters except
secrets according to Kerckhoffs's principle.
Mindermann & Teis Expires 21 October 2021 [Page 14]
Internet-Draft SCC April 2021
* The attacker has access to the system used for cryptography
operations and can utilize its cryptography operations apart from
obtaining secrets.
* The attacker can utilize very high-performance computing resources
such as supercomputers and distributed computing (e.g. this
includes very high memory, storage, processing and networking
performance)
Further security levels with other attacker definitions can be added
by other organizations.
4. Consensus Finding Process and entities
To provide a Secure Crypto Config, it is necessary to agree upon a
secure and appropriate cryptographic parameter set for each security
level (see Section 3). This must happen in a common consensus
finding process which takes place during regular intervals. The
consensus finding process is based on the established RFC process
during which the Secure Crypto Config Working Group decides in
cooperation with the Crypto Forum Research Group (CFRG) and other
institutions like the Bundesamt fuer Sicherheit in der
Informationstechnik (BSI) or the National Institute of Standards and
Technology (NIST) for a set of secure parameters. After the
successful decision, the agreed on parameters can be added in the
defined publication data structures (see Section 5.4) and provided on
the repository platform.
4.1. Consensus Finding
Consensus must be found two years after the last consensus was found.
This ensures that there is a new Secure Crypto Config every two
years, even if the configuration itself has not changed. There is a
regular process and an emergency process to release Secure Crypto
Configurations.
4.1.1. Regular Process
The process has three phases that MUST be finalized within 2 years:
* (1) One year *Proposal phase* during which all participating
entities must propose at least two cryptography algorithms and
parameters per cryptography use case per security level.
* (2) Six months *Consensus finding phase* during which all
participating entities must agree on a common Secure Crypto
Config.
Mindermann & Teis Expires 21 October 2021 [Page 15]
Internet-Draft SCC April 2021
* (3) Six months *Publication phase* ensures the publication of the
final Secure Crypto Config AND allows the Secure Crypto Config
Interface and other cryptography implementations to integrate the
necessary changes.
During the Proposal phase the proposed algorithms and all necessary
parameters should be submitted in table form for each security level
and defined cryptographic use case as proposed. This table format is
simply structured and is easy to read by humans as the Consensus
finding phase can only be done manually. It is important that the
parameters for each cryptographic use case depending on its security
level can be found easily by the participants of the consensus
finding process such that it is possible to get to an agreement
faster.
4.1.2. Emergency Process
* [ ] TODO How can the Working Group alter the Secure Crypto Config
IANA registry / or use the RFC Errata process?
In cases when a regularly still valid Secure Crypto Config would
become insecure regarding either a proposed algorithm or a proposed
parameter choice it must be revised with the following process:
1. Determine the insecure configuration.
2. Remove the insecure configuration.
3. Publish the revised Secure Crypto Config with a new patch
version.
4. Mark the old (unrevised) Secure Crypto Config as deprecated.
Examples for emergency cases are drastically better brute force
algorithms or brute force performance (e.g. quantum computers/
algorithms), drastically discovered flaws in proposed algorithms and
their configurations.
An applied emergency process results in the problem that currently
used Secure Crypto Config Interface versions are no longer up-to-
date, because they are still supporting the no longer secure
algorithms. Therefore, the corresponding algorithms need to be
marked as insecure. If e.g. a proposed algorithm gets insecure this
can be marked inside the corresponding Secure Crypto Config IANA
registry entry as no longer proposed to make the users aware of its
insecurity. The Working Group itself can decide when to alter the
Secure Crypto Config IANA registry.
Mindermann & Teis Expires 21 October 2021 [Page 16]
Internet-Draft SCC April 2021
4.1.3. Requirements for Selection of Cryptography Algorithm and
Parameters
The Secure Crypto Config MUST only propose cryptography algorithms
and parameters that fulfill the following requirements:
* Cryptography algorithms and parameters have stable implementations
in at least two different programming languages.
* Cryptography algorithms and parameters have a defined standard to
store the algorithm and parameter identification alongside the
result (e.g. like [RFC8152]). This is required to ensure
cryptography operation results can be processed even if the
default parameters have been changed or the information has been
processed with a previous version of the Secure Crypto Config.
* Cryptography algorithms that support parametrization to adapt to
increased brute force performance and to allow longevity of the
algorithm especially for hardware optimized implementations.
The Secure Crypto Config SHOULD only propose cryptography algorithms
and parameters that fulfill the following requirements:
* Cryptography algorithms and parameters are defined in a globally
accepted standard which was suspect to a standardization process.
* Cryptography algorithms and parameters are licensed under a
license that allows free distribution.
4.2. Entities
Entities that participate in the proposal phase SHOULD have
significant cryptography expertise. Entities that participate in the
consensus finding phase MUST have significant cryptography expertise.
Cryptographic expertise is defined by the Secure Crypto Config
Working Group or the CFRG.
5. Publication Format and Distribution
In general the Secure Crypto Config is published via JSON [RFC8259]
files in an official repository. The Secure Crypto Config also
utilizes IANA registries, see {#IANA}.
Mindermann & Teis Expires 21 October 2021 [Page 17]
Internet-Draft SCC April 2021
5.1. Versioning
The Secure Crypto Config is regularly published in a specific year.
Therefore, the Secure Crypto Config format MUST use the following
versioning format: *YYYY-PATCH*. YYYY is a positive integer
describing the year (using the Gregorian calendar, and considering
the year that has not ended in all time zones, cf. Anywhere on Earth
Time) this specific Secure Crypto Config was published. PATCH is a
positive integer starting at 0 and only increasing for emergency
releases.
5.2. Naming
The naming of official released SCCs must follow this format:
"SCC_**Version**_LEVEL_**Security Level Number**"
E.g. a Secure Crypto Config for Security Level 5 release in 2020 the
first time (so no patch version) would be named:
"SCC_2020-00_LEVEL_5"
The naming of files is not regulated, only the content is standard
relevant. Yet, the Secure Crypto Config Files should use the
mentioned naming convention as well as adding a suffix (file type
ending) ".json" to prevent ambiguity and remove implementation
choices:
"SCC_**Version**_LEVEL_**Security Level Number.json**"
5.3. Secure Crypto Config IANA Registry
*NOT NEEDED?, as the Secure Crypto Config uses other registries, e.g.
COSE. No final decision, yet.*
* [ ] TODO Naming convention. Specification depending on crypto use
case?
* [ ] TODO dash character "-" not possible in enum!
The Secure Crypto Config requires one IANA Registry with the
following columns:
* Secure Crypto Config release version: *YYYY-PATCH*
* Distinct *Algorithm-Parameter-Identifier* that uniquely identifies
a cryptography algorithm and the parameters
Mindermann & Teis Expires 21 October 2021 [Page 18]
Internet-Draft SCC April 2021
* Distinct and *constantly available reference* where all parameters
are unambiguously defined
* (Optional) Short description of the parameters
Algorithm-Parameter-Identifier: MUST only consist of uppercase
alphanumeric characters and underscores. Depending on the use case
the Algorithm Parameter Identifier can be constructed differently.
We propose the following schemes:
* For symmetric encryption the name should look like
*AlgorithmName_Mode_Padding_KeyLength_TagLength_NonceLength* (e.g.
AES_GCM_NoPadding_256_128_128).
* For hashing as *HashAlgorithmName_KeyLength* (e.g. SHA3_256).
* For asymmetric encryption and digital signatures
*AlgorithmName_AuxiliaryAlgorithm_Padding_KeyLength* (e.g.
RSA_ECB_OAEP_4096).
5.3.1. Example for Secure Crypto Config IANA Registry
+=========+=====================+===========+==================+
| SCC | AlgParam Identifier | Reference | Description |
| Version | | | |
+=========+=====================+===========+==================+
| 2020-01 | AES_GCM_256_128_128 | [RFC8152] | AES 256 with GCM |
| | | | and 128 bit tag |
| | | | and random nonce |
+---------+---------------------+-----------+------------------+
Table 1
5.3.2. Utilized Algorithm Registries
The Secure Crypto Config can only propose cryptography algorithms and
parameters that have been standardized. Therefore, it refers to the
following IANA registries:
* CBOR Object Signing and Encryption (COSE)
(https://www.iana.org/assignments/cose/cose.xhtml)
* AEAD Algorithms (https://www.iana.org/assignments/aead-parameters/
aead-parameters.xhtml)
* Named Information Hash Registry (https://www.iana.org/assignments/
named-information/named-information.xhtml#hash-alg)
Mindermann & Teis Expires 21 October 2021 [Page 19]
Internet-Draft SCC April 2021
Used registries must define all required parameters for an algorithm
to implement it without ambiguity. E.g. implementations must not be
able to choose other parameter values for these predefined
cryptography algorithm and parameter combinations.
5.4. Data Structures
For each defined security level, a distinct JSON file must be
provided. These files must adhere to the common schema and shown in
Figure 1 and described in the following.
{
"PolicyName": "SCC_SecurityLevel_Security Level Number",
"Publisher": [
{
"name": "Publisher name",
"URL": "URL corresponding to publisher"
}
],
"SecurityLevel" : "Security Level Number",
"Version": "YYYY-Patch",
"PolicyIssueDate": "YYYY-MM-DD",
"Expiry": "YYYY-MM-DD",
"Usage": {
"SymmetricEncryption": [
"Algorithm 1",
"Algorithm 2"
],
"AsymmetricEncryption": [
"Algorithm 1",
"Algorithm 2"
],
"Hashing": [
"Algorithm 1",
"Algorithm 2"
],
"PasswordHashing": [
"Algorithm 1",
"Algorithm 2"
],
"Signing": [
"Algorithm 1",
"Algorithm 2"
]
}
}
Figure 1: General JSON format
Mindermann & Teis Expires 21 October 2021 [Page 20]
Internet-Draft SCC April 2021
* SecurityLevel: Contains the number of the corresponding Security
Level of the Secure Crypto Config
* PolicyName: Contains the name of the corresponding Secure Crypto
Config according to the naming schema defined in Section 5.2
* Publisher: Contains an array of all parties that participated in
the consensus finding process
- name: Name of the participating party
- URL: Put in the official URL of the named publisher
* Version: Contains version in the format defined in Section 5.1
* PolicyIssueDate: Date at which the Secure Crypto Config was
published in the format: YYYY-MM-DD
* Expiry: Date at which the Secure Crypto Config expires in the
format: YYYY-MM-DD
* Usage: Contains an array of objects for each cryptographic use
case defined in Section 1.3.2.
- For each cryptographic use case, at least two agreed upon
algorithms (see Section 4) with necessary parameters are
included. Each of these algorithms with its parameters is
specified with its unique identification name defined in a IANA
registry used by the Secure Crypto Config.
This format allows custom algorithm/parameter definitions both by
overwriting use cases completely or by adding only specific algorithm
identifiers via custom configurations.
5.5. Human readable format
The Secure Crypto Config can not only be used automatically but also
provide the cryptography algorithms and parameters for humans. The
human readable format must be derived from the JSON files both to
protect from copy-paste-errors and to validate the cryptographic
signatures. Yet, the human readable format or publication page
itself must not be cryptographically protected. There should be one
accessible resource, e.g. a webpage, where the source format (JSON
files) are automatically used for displaying them in appropriate ways
(e.g. tables with various sorting and searching options).
5.6. Official Secure Crypto Config Repository
Mindermann & Teis Expires 21 October 2021 [Page 21]
Internet-Draft SCC April 2021
5.6.1. Location of Secure Crypto Config Repository
The needed Secure Crypto Config files should be published at an
official GitHub repository. There, all current versions will be
provided during the interval of the Publication phase (see
Section 4.1.1). Additionally, all previously published files are
still stored at this location even if new versions are published.
5.6.2. Format of Secure Crypto Config Repository
scc-repo
- configs
- 2020
- 00
- SCC_2020-00_LEVEL_1.json
- SCC_2020-00_LEVEL_1.signature1
- SCC_2020-00_LEVEL_1.signature2
- SCC_2020-00_LEVEL_2.json
- SCC_2020-00_LEVEL_2.signature1
- SCC_2020-00_LEVEL_2.signature2
- SCC_2020-00_LEVEL_3.json
- SCC_2020-00_LEVEL_3.signature1
- SCC_2020-00_LEVEL_3.signature2
- SCC_2020-00_LEVEL_4.json
- SCC_2020-00_LEVEL_4.signature1
- SCC_2020-00_LEVEL_4.signature2
- SCC_2020-00_LEVEL_5.json
- SCC_2020-00_LEVEL_5.signature1
- SCC_2020-00_LEVEL_5.signature2
- 01
- 02
- 2021
- 2022
- 2023
- 2024
Figure 2: Example for Secure Crypto Config Repository content
Mindermann & Teis Expires 21 October 2021 [Page 22]
Internet-Draft SCC April 2021
scc-repo
- configs
- a
- b
- 0c1
- ReallySecure
- 0x1111
- SCC_2020-00_LEVEL_1.json
- SCC_2020-00_LEVEL_1.signature1
- SCC_2020-00_LEVEL_1.signature2
- SCC_2020-00_LEVEL_2.json
- SCC_2020-00_LEVEL_2.signature1
- SCC_2020-00_LEVEL_2.signature2
- SCC_2020-00_LEVEL_3.json
- SCC_2020-00_LEVEL_3.signature1
- SCC_2020-00_LEVEL_3.signature2
- SCC_2020-00_LEVEL_4.json
- SCC_2020-00_LEVEL_4.signature1
- SCC_2020-00_LEVEL_4.signature2
- SCC_2020-00_LEVEL_5.json
- SCC_2020-00_LEVEL_5.signature1
- SCC_2020-00_LEVEL_5.signature2
- asdf
- afd
- af
Figure 3: Example for Secure Crypto Config Repository content
with custom naming scheme
The Secure Crypto Config configuration files are expected to be in
any folder hierarchy below the folder "configs"-folder. Each JSON
file should be accompanied by corresponding signature files that have
the same filename without extension as the JSON file, suffixed by
"-signatureX" where "X" is a counter starting at 1.
5.6.3. Integrity/Signing process
* [ ] TODO what kind of signing process should be used?
- [ ] GPG?
- [ ] openssl?
- [ ] Git GPG signed commits?
- [ ] Use an SCC recommended signing algorithm/format
Mindermann & Teis Expires 21 October 2021 [Page 23]
Internet-Draft SCC April 2021
* [ ] Can two signatures be put in one signature file? Should they
be put in the same file?
* [ ] Public Key distribution?! (In GitHub repo?)
Each JSON file should be accompanied by at least two signatures.
Both signatures are stored in different files on the same level as
their corresponding Secure Crypto Config file to reduce the parsing
effort. The signatures should be generated by entities defined by
the Secure Crypto Config Working Group. They are responsible to
publish and renew the used public keys. For signing of the
corresponding Secure Crypto Config JSON files _openssl_ could be
used. The public keys needed for validation are published in the
official repository of the Secure Crypto Config.
6. Secure Crypto Config Application Programming Interface (API)
This section describes the application programming interface (API)
that provides the Secure Crypto Config. The Secure Crypto Config
Interface is generic and describes the API that should be used by
each programming language.
6.1. Semantic Versioning
The implementation of the Secure Crypto Config Interface MUST follow
Semantic Versioning (https://semver.org/), which specifies a version
format of *X.Y.Z* (Major.Minor.Patch) and semantics when to increase
which version part. It would be beneficial if the release of a new
Interface version gets synchronized with the publication of a new
Secure Crypto Config. It should be possible to support the newly
defined parameters of Secure Crypto Config in the interface as soon
as possible.
6.2. Deployment of (custom) Secure Crypto Config with Interface
There are two different possibilities to work with the Secure Crypto
Config: - The preferred option is to use the Secure Crypto Configs
that will be delivered within the Interface. In each new Interface
version the current Secure Crypto Configs will be added such that
always the latest Secure Crypto Configs at the time of the Interface
release will be supported. Previous Secure Crypto Configs will
remain inside the Interface such that also older ones can still be
used. - Another option is to define a specific path to your own/
derived versions of the Secure Crypto Configs with the same structure
of the files as described in Section 5.4 but with other values than
in the official ones.
The Interface will process the Secure Crypto Configs as follows:
Mindermann & Teis Expires 21 October 2021 [Page 24]
Internet-Draft SCC April 2021
1. Check if the path to the Secure Crypto Configs is a valid one.
2. Check if the "configs" folder exists.
3. For each folder following "configs" in the hierarchy look inside
that folder and check the existence of JSON files that need to be
considered. This check will happen recursively for all folders
inside the hierarchy.
4. For every JSON file found, look if there exists a signature. If
one is given, check if the signature is valid for the
corresponding file.
5. Every file with a valid signature will be parsed and further
processed.
The parsing of each valid JSON file must be done as follows:
1. Read out all information of all JSON files that need to be
considered. The information of each file is stored in a
corresponding object. With this procedure all JSON files need to
be read only once which will contribute to the performance.
2. Parsing of security level: Check if it is a positive integer.
All files not containing an (positive) integer number as security
level value will be discarded.
3. Parsing of algorithm identifiers: Only the algorithm identifiers
that are supported by the Interface will be considered and stored
inside the corresponding object. The supported algorithms are
specified inside the interface (e.g. with an enmum).
4. Parsing of the version of all files: All files with values in the
wrong format (see Section 5.1) will be excluded from further
processing. Find the latest (according to version) Secure Crypto
Config file with the highest appearing security level (determined
in previous step). The path to this file will be used as default
path used for each cryptographic use case if nothing else is
specified by the user. If two or more files with identical
levels and version number are found, only the first one will be
used, others are discarded.
5. The unique algorithm identifiers for the execution of a specific
cryptographic use case will be fetched from the corresponding
object (representing the JSON file determined beforehand) at the
time the users invoke a method for a specific cryptographic use
case. The Interface will also provide a possibility to choose a
specific algorithm (out of the supported ones) for executing the
Mindermann & Teis Expires 21 October 2021 [Page 25]
Internet-Draft SCC April 2021
desired use case. In this case the specified algorithm is used.
The identifiers will be compared with the supported ones in order
of their occurrence inside the file. If one matching identifier
is found it will be used for execution. If it is not a matching
one the value will be skipped and the next one will be compared.
If none of the algorithms inside the selected Secure Crypto
Config can be found an error will occur.
6.2.1. Delivery of Secure Crypto Config with Interface
Each Secure Crypto Config Interface must be published in such a way
that it uses (a copy of) the recent Secure Crypto Config repository.
The Secure Crypto Config will be stored inside the subfolder "scc-
configs" which should be located in the Interface "src"-folder if
existent. The structure of the "scc-configs" folder will be the same
as in the described hierarchy of the GitHub repository. In any new
version of the Interface the latest published Secure Crypto Config
and its signatures must be used.
If new Secure Crypto Configs will be published for which no published
version of the Interface is available, the custom repository approach
can be used as described in the following.
6.2.2. Using a custom Secure Crypto Config Repository
It is also possible to use a different path to the Secure Crypto
Configs. As also derived versions of the Secure Crypto Config for
specific needs should be supported it will also be feasible to define
a path to own or derived files that differentiate from the default
"src/scc-configs/configs" folder. In this case, a method for setting
and using a specific path must be provided by the Interface.
6.2.3. Integrity Check
* [ ] TODO which public keys should be used? (See above Integrity/
Signing process Public Key distribution?!)
The check for valid signature of the Secure Crypto Configs is always
made before every actual usage of the Interface functionalities. In
this way, it is possible to guarantee that the entity using the
Interface only works with valid Secure Crypto Configs and circumvents
the risk of forged file contents. The public key needed for validity
can be found in the official GitHub repository. If own derived
Secure Crypto Configs are created than it can be possible that no
validation process is needed for these files.
Mindermann & Teis Expires 21 October 2021 [Page 26]
Internet-Draft SCC April 2021
6.2.4. Methods and Parameters
Intended methods and parameters included in the Java interface are
described in Figure 5.
6.2.4.1. Supported Algorithm Parameter Types
* [ ] TODO What is with parameters that have to be chosen during
runtime? (e.g. the length of the nonce can be specified but not
its content?) Maybe refer to how the PHC String Format
(https://GitHub.com/P-H-C/phc-string-format/blob/master/phc-sf-
spec.md) describes how parameters must be defined and only allow
constants and csprng generated content?
Cryptography algorithms require different parameters. The Secure
Crypto Config Interface considers the following types of parameters:
* Parameter Size (e.g. key length in bit)
* Parameter Counter Content (e.g. nonce)
* Parameter Secure Random Content (e.g. nonce)
* Parameter User Automatic Tunable Content (e.g. memory consumption
for Argon2 password hashing algorithm)
* Parameter User Defined Content (e.g. plaintext and key for
symmetric encryption)
* Parameter Compound Parameter Content (e.g. counter + random =
nonce)
6.2.5. Automatic Parameter Tuning
* [ ] TODO is it possible to define new algorithm/parameter
combinations on the fly (in extensions/derivations) or are only
SCC IANA registry identifiers allowed/usable?
Mindermann & Teis Expires 21 October 2021 [Page 27]
Internet-Draft SCC April 2021
It should be possible to have user specified parameters such as the
key/nonce length explicitly given by the user, but also a performance
mode that evaluates for each configuration and gives back a
prioritized list for each configuration. In this way, it is possible
to select parameters depending on systems properties. Such a
parameter choice would be beneficial e.g. in the case of Argon2
(https://tools.ietf.org/html/draft-irtf-cfrg-argon2-13) in which one
parameter for the memory usage must be given. This choice should be
chosen based on the corresponding system. That kind of parameter
selection can be seen e.g. in Libpasta Tuning
(https://libpasta.github.io/advanced/tuning/), which returns a secure
parameter set depending on executed evaluations.
6.2.6. Output of readable Secure Crypto Config
A Secure Crypto Config Interface must offer the following additional
methods regarding the configuration - A method that returns a human
readable version of the currently used Secure Crypto Config - A
method that returns the currently used cryptography algorithm and
parameters for a given use case - A method that validates the content
of a Secure Crypto Config JSON file and one or more signatures
6.3. TODOs
* The SCC could be provided on a suitable platform (?) and is
accessible over the network (adversaries? e.g. http connection)
- [ ] e.g. should there be constants like "SCC_TOP_SECRET_LATEST"
and "SCC_TOP_SECRET_LATEST".
- [ ] And like "SCC_TOP_SECRET_LATEST.AES" which points always to
the latest Secure Crypto Config definition for AES parameters.
* [ ] TODO how should cryptography implementations, that implement/
support SCC, generate the parameters?
* [x] What kind of parameters can be chosen based on the Secure
Crypto Config? => E.g. Should be all except the plaintext and the
key for encryption algorithms. Also, many parameters can be
generated based on cryptographically secure random numbers.
* [x] TODO The Secure Crypto Config Interface should include a
performance evaluation mode which evaluates the performance of
each configuration and returns a prioritized list for each
configuration. E.g. cf. Libpasta Tuning
(https://libpasta.github.io/advanced/tuning/)
Mindermann & Teis Expires 21 October 2021 [Page 28]
Internet-Draft SCC April 2021
7. Cryptography Library Implementation Specification
Cryptography libraries should provide the above mentioned Secure
Crypto Config Interface. Until a common cryptography library
provides the Secure Crypto Config Interface itself, there should be
wrapper implementations that provide the Secure Crypto Config
Interface and make use of the programming languages' standard
cryptography library.
8. Cryptography Algorithm Standards Recommendation
When new cryptography algorithm and/or parameter/mode/etc standards
are created, they should contain a section mentioning the creating of
the proposed secure parameter sets in the above mentioned IANA
registries. This ensures that new cryptography algorithms and
parameter sets are available faster for the Secure Crypto Config
Interface implementations to use.
9. Security Considerations
* [x] TODO are some of the listed common issues relevant?:
TypicalSECAreaIssues (https://trac.ietf.org/trac/sec/wiki/
TypicalSECAreaIssues)
* [x] TODO check if security considerations of TLS 1.2 are relevant,
especially appendix D, E and F (https://tools.ietf.org/html/
rfc5246#appendix-D)
* [ ] TODO Are these appropriate security considerations?
9.1. Consensus Finding
* Only trustworthy and cryptographic specialized entities should
participate in the publication process of the Secure Crypto
Config. Otherwise a Secure Crypto Config with a weak and insecure
parameter set could be provided.
9.2. Publication Format
* The operators of the Secure Crypto Config must ensure that
potential unauthorized parties are not able to manipulate the
parameters of the published Secure Crypto Config. Countermeasures
to this are in place by utilizing git's gpg signatures and
integrity as well as signatures for the published Secure Crypto
Config files as well.
9.3. Cryptography library implementation
Mindermann & Teis Expires 21 October 2021 [Page 29]
Internet-Draft SCC April 2021
* Integrity must be ensured if potential users want to fetch the
provided Secure Crypto Config from the corresponding platform over
the network e.g. by using a signatures.
* Users should only trust Secure Crypto Config issued from the
original publisher with the associated signature. Users are
responsible to verify the provided signatures.
9.4. General Security Considerations
9.4.1. Special Use Cases and (Non-)Security Experts
The Secure Crypto Config does not apply to all use cases for
cryptography and usage of cryptography primitives. It is meant to
provide secure defaults for the most common use cases and non-expert
programmers. Additionally, non-experts may still implement
vulnerable code by using the Secure Crypto Config. Yet, it should
reduce the vulnerabilities from making the wrong choices about
parameters for cryptography primitives.
9.5. Security of Cryptography primitives and implementations
* The Secure Crypto Config assumes that both the proposed algorithms
and the implementations (cryptography libraries) for the
cryptography primitives are secure as long as they are used with
the correct parameters, states and orders of function calls.
9.5.1. Security Guarantees
The Secure Crypto Config makes the best effort to be as up-to-date
with recent discoveries, research and developments in cryptography
algorithms as possible. Following this, it strives to publish
cryptography algorithms and corresponding parameter choices for
common use cases.
Yet, the Secure Crypto Config and the involved parties working on and
publishing it do not guarantee security for the proposed parameter
configurations or any entity making use of it. E.g. a new algorithm
that can do brute-force attacks exponentially faster could be
existing or published right after the publication of the most recent
Secure Crypto Config was published itself.
9.5.2. Threat Model / Adversaries
There are different possibilities in which a potential adversary
could intervene during the creation as well as after the publication
of the Secure Crypto Config. These attack scenarios must be
considered and prevented.
Mindermann & Teis Expires 21 October 2021 [Page 30]
Internet-Draft SCC April 2021
* *Process:* During the creation process, it is necessary for
selected institutions to agree on a secure parameter set. It
could be possible that one party wants to influence this process
in a bad way. As a result, it could be agreed on weaker parameter
sets than originally intended.
* *Publication:* After the publication of the Secure Crypto Config a
potential attacker could gain access to the provided files on the
corresponding platform and change the content to an insecure
parameter set.
* *Content:* Depending on the distribution method of the Secure
Crypto Config, it is also possible that an attacker could change
the content of the Secure Crypto Config as man-in-the-middle.
Especially if an http connection is used to obtain the Secure
Crypto Config, this will be a serious problem.
10. IANA Considerations
* [] TODO Are there IANA Considerations?
* [] TODO May add reference to own registry
The data structure (see Section 5.4) defined in this document uses
the JSON format as defined in [RFC8259].
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/rfc/rfc4949>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/rfc/rfc8152>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
Mindermann & Teis Expires 21 October 2021 [Page 31]
Internet-Draft SCC April 2021
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/rfc/rfc8259>.
11.2. Informative References
[AESNI] Gueron, S., "Intel Advanced Encryption Standard (AES)
Instruction Set White Paper", 2010,
<https://www.intel.com/content/dam/doc/white-paper/
advanced-encryption-standard-new-instructions-set-
paper.pdf>.
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743,
DOI 10.17487/RFC2743, January 2000,
<https://www.rfc-editor.org/rfc/rfc2743>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<https://www.rfc-editor.org/rfc/rfc5116>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/rfc/rfc5652>.
[RFC5698] Kunz, T., Okunick, S., and U. Pordesch, "Data Structure
for the Security Suitability of Cryptographic Algorithms
(DSSC)", RFC 5698, DOI 10.17487/RFC5698, November 2009,
<https://www.rfc-editor.org/rfc/rfc5698>.
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility
Procedure for the Resource Public Key Infrastructure
(RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April
2013, <https://www.rfc-editor.org/rfc/rfc6916>.
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained-Node Networks", RFC 7228,
DOI 10.17487/RFC7228, May 2014,
<https://www.rfc-editor.org/rfc/rfc7228>.
[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm
Agility and Selecting Mandatory-to-Implement Algorithms",
BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015,
<https://www.rfc-editor.org/rfc/rfc7696>.
Appendix A. Examples
Mindermann & Teis Expires 21 October 2021 [Page 32]
Internet-Draft SCC April 2021
A.1. JSON Secure Crypto Config
{
"PolicyName" : "SCC_SecurityLevel_5",
"Publisher" : [
{
"name" : "Crypto Forum Research Group",
"URL" : "https://irtf.org/cfrg"
},
{
"name" : "BSI",
"URL" : "https://BSI"
}
],
"SecurityLevel" : "5",
"Version" : "2020-0",
"PolicyIssueDate" : "2020-04-20",
"Expiry" : "2023-04-21",
"Usage" : {
"SymmetricEncryption" : [
"AES_GCM_256_96",
"AES_GCM_192_96"
],
"AsymmetricEncryption" : [
"RSA_SHA_512",
"RSA_SHA_256"
],
"Hashing" : [
"SHA3_512",
"SHA_512"
],
"Signing" : [
"ECDSA_512",
"ECDSA_384"
],
"PasswordHashing" : [
"PBKDF_SHA_512",
"SHA_512_64"
]
}
}
Figure 4: Example for JSON format
Appendix B. Example Java Interface using Secure Crypto Config
Mindermann & Teis Expires 21 October 2021 [Page 33]
Internet-Draft SCC April 2021
package org.securecryptoconfig;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import org.securecryptoconfig.SCCKey.KeyType;
import org.securecryptoconfig.SCCKey.KeyUseCase;
import COSE.CoseException;
public abstract interface SecureCryptoConfigInterface {
//Symmetric
public AbstractSCCCiphertext encryptSymmetric(AbstractSCCKey key, PlaintextContainerInterface plaintext)
throws SCCException;
public AbstractSCCCiphertext encryptSymmetric(AbstractSCCKey key, byte[] plaintext)
throws SCCException;
public AbstractSCCCiphertext reEncryptSymmetric(AbstractSCCKey key, AbstractSCCCiphertext ciphertext)
throws SCCException;
public PlaintextContainerInterface decryptSymmetric(AbstractSCCKey key, AbstractSCCCiphertext sccciphertext)
throws SCCException;
// Asymmetric
public AbstractSCCCiphertext encryptAsymmetric(AbstractSCCKey key, PlaintextContainerInterface plaintext)
throws SCCException;
public AbstractSCCCiphertext encryptAsymmetric(AbstractSCCKey key, byte[] plaintext)
throws SCCException;
public AbstractSCCCiphertext reEncryptAsymmetric(AbstractSCCKey key, AbstractSCCCiphertext ciphertext)
throws SCCException;
public PlaintextContainerInterface decryptAsymmetric(AbstractSCCKey key, AbstractSCCCiphertext ciphertext)
throws SCCException;
// Hashing
public AbstractSCCHash hash(PlaintextContainerInterface plaintext)
throws SCCException;
public AbstractSCCHash hash(byte[] plaintext)
throws SCCException;
public AbstractSCCHash updateHash(PlaintextContainerInterface plaintext, AbstractSCCHash hash)
throws SCCException;
public AbstractSCCHash updateHash(byte[] plaintext, AbstractSCCHash hash)
Mindermann & Teis Expires 21 October 2021 [Page 34]
Internet-Draft SCC April 2021
throws SCCException;
public boolean validateHash(PlaintextContainerInterface plaintext, AbstractSCCHash hash)
throws SCCException;
public boolean validateHash(byte[] plaintext, AbstractSCCHash hash)
throws SCCException;
// Digital Signature
public AbstractSCCSignature sign(AbstractSCCKey key, PlaintextContainerInterface plaintext)
throws SCCException;
public AbstractSCCSignature sign(AbstractSCCKey key, byte[] plaintext)
throws SCCException;
public AbstractSCCSignature updateSignature(AbstractSCCKey key, PlaintextContainerInterface plaintext)
throws SCCException;
public AbstractSCCSignature updateSignature(AbstractSCCKey key, byte[] plaintext)
throws SCCException;
public boolean validateSignature(AbstractSCCKey key, AbstractSCCSignature signature)
throws SCCException;
public boolean validateSignature(AbstractSCCKey key, byte[] signature)
throws SCCException;
// Password Hashing
public AbstractSCCPasswordHash passwordHash(PlaintextContainerInterface password)
throws SCCException;
public AbstractSCCPasswordHash passwordHash(byte[] password)
throws SCCException;
public boolean validatePasswordHash(PlaintextContainerInterface password, AbstractSCCPasswordHash passwordhash)
throws SCCException;
public boolean validatePasswordHash(byte[] password, AbstractSCCPasswordHash passwordhash)
throws SCCException;
}
abstract interface PlaintextContainerInterface {
public abstract byte[] toBytes();
public abstract String toString(Charset c);
@Override
Mindermann & Teis Expires 21 October 2021 [Page 35]
Internet-Draft SCC April 2021
public abstract String toString();
public abstract boolean validateHash(AbstractSCCHash hash)
throws SCCException;
public abstract boolean validatePasswordHash(AbstractSCCPasswordHash passwordHash)
throws SCCException;
public abstract AbstractSCCCiphertext encryptSymmetric(AbstractSCCKey key)
throws SCCException;
public abstract AbstractSCCCiphertext encryptAsymmetric(AbstractSCCKey key)
throws SCCException;
public abstract AbstractSCCSignature sign(AbstractSCCKey key)
throws SCCException;
public abstract boolean validateSignature (AbstractSCCSignature signature, AbstractSCCKey key)
throws SCCException;
public abstract AbstractSCCHash hash()
throws SCCException;
public abstract AbstractSCCPasswordHash passwordHash()
throws SCCException;
}
abstract class AbstractSCCCiphertext {
byte[] msg;
protected AbstractSCCCiphertext(byte[] msg) {
this.msg = msg;
}
public abstract byte[] toBytes();
@Override
public abstract String toString();
public abstract PlaintextContainerInterface decryptSymmetric(AbstractSCCKey key)
throws SCCException;
public abstract PlaintextContainerInterface decryptAsymmetric(AbstractSCCKey key)
throws SCCException;
public abstract AbstractSCCCiphertext reEncryptSymmetric(AbstractSCCKey key)
throws SCCException;
Mindermann & Teis Expires 21 October 2021 [Page 36]
Internet-Draft SCC April 2021
public abstract AbstractSCCCiphertext reEncryptAsymmetric(AbstractSCCKey key)
throws SCCException;
}
abstract class AbstractSCCKey {
KeyType type;
byte[] privateKey
byte[] publicKey;
String algorithm;
protected AbstractSCCKey(KeyType type, byte[] publicKey, byte[] privateKey, String algorithm) {
this.type = type;
this.publicKey = publicKey;
this.privateKey = privateKey;
this.algorithm = algorithm;
}
public abstract byte[] toBytes()
throws SCCException;
public abstract byte[] getPublicKeyBytes()
throws SCCException;
public abstract byte[] getPrivateKeyBytes()
throws SCCException;
public abstract KeyType getKeyType();
public abstract String getAlgorithm();
}
abstract class AbstractSCCHash {
byte[] hashMsg;
protected AbstractSCCHash(byte[] hashMsg) {
this.hashMsg = hashMsg;
}
public abstract byte[] toBytes();
@Override
public abstract String toString();
public abstract boolean validateHash(PlaintextContainerInterface plaintext)
throws SCCException;
Mindermann & Teis Expires 21 October 2021 [Page 37]
Internet-Draft SCC April 2021
public abstract boolean validateHash(byte[] plaintext)
throws SCCException;
public abstract AbstractSCCHash updateHash(PlaintextContainerInterface plaintext)
throws SCCException;
public abstract AbstractSCCHash updateHash(byte[] plaintext)
throws SCCException;
}
abstract class AbstractSCCPasswordHash {
byte[] hashMsg;
protected AbstractSCCPasswordHash(byte[] hashMsg) {
this.hashMsg = hashMsg;
}
public abstract byte[] toBytes();
@Override
public abstract String toString();
public abstract boolean validatePasswordHash(PlaintextContainerInterface password)
throws SCCException;
public abstract boolean validatePasswordHash(byte[] password)
throws SCCException;
}
abstract class AbstractSCCSignature {
byte[] signatureMsg;
protected AbstractSCCSignature(byte[] signatureMasg) {
this.signatureMsg = signatureMasg;
}
public abstract byte[] toBytes();
@Override
public abstract String toString();
public abstract boolean validateSignature(AbstractSCCKey key)
throws SCCException;
public abstract AbstractSCCSignature updateSignature(PlaintextContainerInterface plaintext, AbstractSCCKey key)
Mindermann & Teis Expires 21 October 2021 [Page 38]
Internet-Draft SCC April 2021
throws SCCException;
}
Figure 5: Example for a JAVA SCC API
Acknowledgments
* [ ] TODO acknowledge.
Authors' Addresses
Kai Mindermann
iC Consult GmbH
Email: kai.mindermann@ic-consult.com
Lisa Teis
Email: lisateis102@gmail.com
Mindermann & Teis Expires 21 October 2021 [Page 39]