Unverified Commit be0d2571 authored by Aki Braun's avatar Aki Braun
Browse files

Add annex K references

parent f221fa0b
Loading
Loading
Loading
Loading
+35 −1
Original line number Diff line number Diff line
@@ -114,7 +114,27 @@ The following referenced documents are necessary for the application of the pres

<span id="_ref_1"></span><a name="_ref_1">[1]</a> [ENISA Report 1747792503](https://certification.enisa.europa.eu/document/download/a845662b-aee0-484e-9191-890c4cfa7aaa_en?filename=ECCG%20Agreed%20Cryptographic%20Mechanisms%20version%202.pdf) (version 2 - April 2025) "European Cybersecurity Certification Group Sub-group on Cryptography Agreed Cryptographic Mechanisms"

<span id="_ref_2"></span><a name="_ref_2">[2]</a> prEN 40000-1-3: "Cybersecurity requirements for products with digital elements - Vulnerability Handling"
<span id="_ref_2"></span><a name="_ref_2">[2]</a> CEN-CENELEC prEN 40000-1-3: "Cybersecurity requirements for products with digital elements - Vulnerability Handling"

<span id="_ref_3"></span><a name="_ref_3">[3]</a> IETF [RFC 7488](https://datatracker.ietf.org/doc/html/rfc7748): "Elliptic Curves for Security"

<span id="_ref_4"></span><a name="_ref_4">[4]</a> IETF [RFC 8032](https://datatracker.ietf.org/doc/html/rfc8032): "Edwards-Curve Digital Signature Algorithm (EdDSA)"

<span id="_ref_5"></span><a name="_ref_5">[5]</a> NIST [FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf): "Digital Signature Standard (DSS)"

<span id="_ref_6"></span><a name="_ref_6">[6]</a> IETF [RFC 9106](https://datatracker.ietf.org/doc/html/rfc9106): "Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications"

<span id="_ref_7"></span><a name="_ref_7">[7]</a> BSI [TR-02102-1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html) (2026-01): "Cryptographic Mechanisms: Recommendations and Key Lengths"

<span id="_ref_8"></span><a name="_ref_8">[8]</a> IETF [RFC 7914](https://datatracker.ietf.org/doc/html/rfc7914): "The scrypt Password-Based Key Derivation Function"

<span id="_ref_9"></span><a name="_ref_9">[9]</a> IETF [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439): "ChaCha20 and Poly1305 for IETF Protocols"

<span id="_ref_10"></span><a name="_ref_10">[10]</a> IETF [RFC 7693](https://datatracker.ietf.org/doc/html/rfc7693): "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)"

<span id="_ref_11"></span><a name="_ref_11">[11]</a> IETF [RFC 4418](https://datatracker.ietf.org/doc/html/rfc4418): "UMAC: Message Authentication Code using Universal Hashing"

<span id="_ref_12"></span><a name="_ref_12">[12]</a> C2SP [BLAKE3](https://c2sp.org/BLAKE3): "The BLAKE3 Hashing Framework"

## 2.2 Informative references

@@ -184,6 +204,20 @@ For the purposes of the present document, the terms given in Regulation (EU) 202

> NOTE: This includes cases where that product provides access from a restricted-use logical computer network to the public internet.

**cryptographic mechanism**: security-related procedure using cryptography

> NOTE 1: The term “cryptographic mechanism” is used as an umbrella term covering the categories used in the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [1](#_ref_1), including cryptographic algorithms, primitives, schemes, protocols, protocol profiles, cipher suites, modes of operation, constructions and parameter sets.

> NOTE 2: The terms “cryptographic primitive”, “cryptographic construction”, “cryptographic scheme” and “cryptographic protocol” are used consistently with the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [1](#_ref_1).

> NOTE 3: A cryptographic mechanism can be specified at different levels of abstraction. For example, AES is a cryptographic primitive, AES-GCM is a mode of operation / authenticated encryption construction, TLS 1.3 is a protocol, a TLS 1.3 restricted cipher-suite profile is a protocol profile, and TLS\_AES\_128\_GCM\_SHA256 is a cipher suite.

**cryptographic property**: property provided or supported by a cryptographic mechanism

> NOTE 1: Cryptographic properties include, for example, confidentiality, integrity, authenticity, entity authentication, message authentication, key establishment, key confirmation, replay protection, collision resistance, second-preimage resistance, pre-image resistance, signature unforgeability, non-repudiation, forward secrecy and password-verifier protection. Where relevant, a cryptographic property can be expressed using a formal cryptographic notion, for example IND-CPA, IND-CCA, IND-CCA2, EUF-CMA, SUF-CMA or authenticated key exchange security.

> NOTE 2: A cryptographic property is distinct from a product-level technical requirement, although it can support such a requirement. For example, a secure communication requirement can rely on cryptographic properties such as confidentiality, integrity and authentication.

## 3.2 Symbols

There are no symbols requiring definition used in the present document.
+31 −67
Original line number Diff line number Diff line
Annex K (normative):  
Generic cryptographic requirements and assessment 

## K.0 General

### K.0.1 Introduction

Editor’s note: Clause K.0 provides general context, terms and application guidance for vertical standards. Guidance and editorial instructions in this clause shall be removed or adapted when Annex K is integrated into a vertical standard. Terms and definitions in clause K.0.2 shall be moved to the terms and definitions clause of the vertical standard or retained in Annex K, as appropriate.

The requirements and assessment provisions provided by this annex are intended to be used as a common framework for vertical CRA standards concerning the use of cryptography, including state-of-the-art cryptographic mechanisms and controlled interoperability-based exceptions, with the aim to:

* provide a path towards presumption of conformity;
* enable cross-vertical alignment; and
* reflect interoperability needs.

Vertical standards may adapt the framework, and in particular specify additional or more specific requirements, assessment activities, assessment evidence or assessment criteria where needed for the relevant product category, product function, use case or risk profile. 

Clause K.1.1 defines the product-facing requirement for the cryptographic mechanisms used in the product’s default configuration. It distinguishes ACM-listed cryptographic mechanisms defined in [1](#_ref_1), ACM-extended cryptographic mechanisms, and interoperability-based cryptographic mechanisms listed in clause K.4.2. ACM-extended cryptographic mechanisms are either listed in clause K.3.2 or fulfil the criteria specified in clause K.1.1 item 2.b. 

Vertical standards can instantiate clause K.3.2 where ACM-extended cryptographic mechanisms are specified by the vertical standard. Mechanisms listed or referenced in clause K.3.2 shall be identified with sufficient precision to support assessment under clause K.1.2. For interoperability-based cryptographic mechanisms, vertical standards shall instantiate clause K.4.2 and identify the mechanisms with sufficient precision to support assessment under clause K.1.2.

### K.0.2 Terms and definitions

**Cryptographic mechanism**: security-related procedure using cryptography.

> NOTE 1: The term “cryptographic mechanism” is used in this annex as an umbrella term covering the categories used in the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [1](#_ref_1), including cryptographic algorithms, primitives, schemes, protocols, protocol profiles, cipher suites, modes of operation, constructions and parameter sets.

> NOTE 2: The terms “cryptographic primitive”, “cryptographic construction”, “cryptographic scheme” and “cryptographic protocol” are used consistently with the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [1](#_ref_1).

> NOTE 3: A cryptographic mechanism can be specified at different levels of abstraction. For example, AES is a cryptographic primitive, AES-GCM is a mode of operation / authenticated encryption construction, TLS 1.3 is a protocol, a TLS 1.3 restricted cipher-suite profile is a protocol profile, and TLS\_AES\_128\_GCM\_SHA256 is a cipher suite.

**Cryptographic property**: property provided or supported by a cryptographic mechanism.

> NOTE 4: Cryptographic properties include, for example, confidentiality, integrity, authenticity, entity authentication, message authentication, key establishment, key confirmation, replay protection, collision resistance, second-preimage resistance, pre-image resistance, signature unforgeability, non-repudiation, forward secrecy and password-verifier protection. Where relevant, a cryptographic property can be expressed using a formal cryptographic notion, for example IND-CPA, IND-CCA, IND-CCA2, EUF-CMA, SUF-CMA or authenticated key exchange security.

> NOTE 5: A cryptographic property is distinct from a product-level technical requirement, although it can support such a requirement. For example, a secure communication requirement can rely on cryptographic properties such as confidentiality, integrity and authentication.

### K.0.3 Application Guidance for vertical standards

Vertical standards should use the ECCG Agreed Cryptographic Mechanisms (ACM) catalogue [1](#_ref_1) as the primary reference for cryptographic mechanisms, as defined in clause K.1.1 item 1.
@@ -297,30 +266,25 @@ Table K.3.2 lists the ACM-extended cryptographic mechanisms specified by the pre

| ACM-extended cryptographic mechanism | Type of cryptographic mechanism | Characteristics / parameters | Related product function(s) / use case(s), where applicable | Cryptographic properties | Specification / reference | Conditions or limitations, where applicable |
| :---- | :---- |:----| :---- | :---- |:----| :---- |
| \<mechanism name\> | \<Algorithm / Primitive / Scheme / Protocol / Protocol profile / Cipher suite / Mode / Construction / Parameter set / Other\> | \<key length, mode, profile, cipher suite, parameter set, version, etc.\> | \<product function, interface, protocol context, operational context, etc.\> | \<confidentiality, integrity, authentication, key establishment, etc.\> | \<publicly available and uniquely referenceable specification\> | \<constraints, permitted use, excluded use, configuration limitation, lifecycle limitation, etc.\> |
| Curve25519 | Primitive | \- | \- | Confidentiality, Authentication, Key Establishment | RFC 7748 |  |
| X25519 | Primitive | 256 bit | TLS, IPC, VPN protocols, key agreement | Key establishment | RFC 7748 |  |
| Ed25519 | Primitive | 256 bit | Package Signature, TLS, IPC,  VPN protocols, data signature | Authentication | RFC 8032, FIPS 186-5 |  |
| Curve448  | Primitive | \- | \- | Confidentiality, Authentication, Key Establishment | RFC 7748 |  |
| X448 | Primitive | 448 bit | TLS, IPC,  VPN protocols | Key establishment | RFC 7748 |  |
| Ed448   | Primitive | 456 bit | Package Signature, TLS, IPC,  VPN protocols | Authentication | RFC 8032, FIPS 186-5 |  |
| Argon2 | Algorithm | Refer to 4\. Parameter Choice in RFC 9106 and the ACN’s guidance.Argon2id, Argon2i, Argon2d  | Password-based hashing, Key derivation | Cryptographic hashing, Integrity, Authentication | RFC 9106, BSI-TR-02102-1, [ACN](https://www.acn.gov.it/portale/en/crittografia) |  |
| scrypt  | Algorithm | Refer to 2\. scrypt Parameters in RFC 7914 and the ACN’s guidance. | Password-based hashing,Key derivation | Cryptographic hashing, Integrity, Authentication | RFC 7914, [ACN](https://www.acn.gov.it/portale/en/crittografia) |  |
| ChaCha20 | Algorithm | Key: 256 bit Nonce: 96bit or 192bit (XChaCha),  | TLS, data encryption,  VPN protocols | confidentiality | RFC 8439 |  |
| Curve25519 | Primitive | \- | \- | Confidentiality, Authentication, Key Establishment | RFC 7748 [\[3\]](#_ref_3) |  |
| X25519 | Primitive | 256 bit | TLS, IPC, VPN protocols, key agreement | Key establishment | RFC 7748 [\[3\]](#_ref_3) |  |
| Ed25519 | Primitive | 256 bit | Package Signature, TLS, IPC,  VPN protocols, data signature | Authentication | RFC 8032 [\[4\]](#_ref_4), FIPS 186-5 [\[5\]](#_ref_5) |  |
| Curve448  | Primitive | \- | \- | Confidentiality, Authentication, Key Establishment | RFC 7748 [\[3\]](#_ref_3) |  |
| X448 | Primitive | 448 bit | TLS, IPC,  VPN protocols | Key establishment | RFC 7748 [\[3\]](#_ref_3) |  |
| Ed448 | Primitive | 456 bit | Package Signature, TLS, IPC,  VPN protocols | Authentication | RFC 8032 [\[4\]](#_ref_4), FIPS 186-5 [\[5\]](#_ref_5) |  |
| Argon2 | Algorithm | Refer to 4\. Parameter Choice in RFC 9106 [\[6\]](#_ref_6) and the ACN’s guidance.<br />Argon2id, Argon2i, Argon2d | Password-based hashing, Key derivation | Cryptographic hashing, Integrity, Authentication | RFC 9106 [\[6\]](#_ref_6), BSI-TR-02102-1 [\[7\]](#_ref_7), [ACN](https://www.acn.gov.it/portale/en/crittografia) |  |
| scrypt  | Algorithm | Refer to 2\. scrypt Parameters in RFC 7914 [\[8\]](#_ref_8) and the ACN’s guidance. | Password-based hashing,Key derivation | Cryptographic hashing, Integrity, Authentication | RFC 7914 [\[8\]](#_ref_8), [ACN](https://www.acn.gov.it/portale/en/crittografia) |  |
| ChaCha20 | Algorithm | Key: 256 bit Nonce: 96bit or 192bit (XChaCha), | TLS, data encryption,  VPN protocols | confidentiality | RFC 8439 [\[9\]](#_ref_9) |  |
| Salsa20 | Algorithm | Key: 256 bit Nonce: 64 bit, 192bit (XSalsa20) | data encryption,  VPN protocols  | confidentiality | [SALSA20](https://cr.yp.to/snuffle/spec.pdf) | 20 rounds |
| Poly1305 | Algorithm | 256 bit | MAC, VPN protocols | Authentication, Integrity | RFC 8439 |  |
| AEGIS | Algorithm | 256 bit, 128 bitAEGIS-128, AEGIS-128L, AEGIS-256, AEGIS-256X | Authenticated data encryption, VPN protocols  | Authentication, confidentiality, integrity | [RFC-AEGIS](https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/), [AEGIS](https://competitions.cr.yp.to/round3/aegisv11.pdf) |  |
| Blake2 | Algorithm | Blake2s, Blake2b | Key derivation, Generic hashing, MAC | Authentication, integrity | RFC7693, NIST IR 7896 |  |
| Blake3 | Algorithm |  | Key derivation, Generic hashing, MAC | Authentication, integrity | [BLAKE3](https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf)   [C2SP](https://github.com/C2SP/C2SP)  |  |
| UMAC | Algorithm | 128 bit  | MAC | Authentication, Integrity | RFC 4418 |  |

 > NOTE: The combination of the mechanism mentioned in Table K.3.2: ACM-extended cryptographic mechanisms together with the mechanisms in ACM that is appropriate for the cryptographic use-case to form a cryptographic protocol are allowed. For example ChaCha20-Poly1305, HMAC-blake2s or X25519ML-KEM768. 

 > NOTE: The use-case defined in K.3.2 marked in “Related product function(s) / use case(s), where applicable” is a non-exhaustive list and listed algorithm can be used for other appropriate use-cases as well. 
| Poly1305 | Algorithm | 256 bit | MAC, VPN protocols | Authentication, Integrity | RFC 8439 [\[9\]](#_ref_9) |  |
| AEGIS | Algorithm | 256 bit, 128 bit<br />AEGIS-128, AEGIS-128L, AEGIS-256, AEGIS-256X | Authenticated data encryption, VPN protocols  | Authentication, confidentiality, integrity | [RFC-AEGIS](https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/), [AEGIS](https://competitions.cr.yp.to/round3/aegisv11.pdf) |  |
| Blake2 | Algorithm | Blake2s, Blake2b | Key derivation, Generic hashing, MAC | Authentication, integrity | RFC 7693 [\[10\]](#_ref_10), NIST IR 7896 |  |
| Blake3 | Algorithm | | Key derivation, Generic hashing, MAC | Authentication, integrity | BLAKE3 [\[12\]](#_ref_12), [C2SP](https://github.com/C2SP/C2SP) |  |
| UMAC | Algorithm | 128 bit | MAC | Authentication, Integrity | RFC 4418 [\[11\]](#_ref_11) |  |

  Editor’s note for rapporteurs: Where no ACM-extended cryptographic mechanisms are specified by the vertical standard, this clause is to state: “No ACM-extended cryptographic mechanisms are specified.” This editor’s note shall be removed before publication.
 > NOTE 1: The combination of the mechanism mentioned in Table K.3.2: ACM-extended cryptographic mechanisms together with the mechanisms in ACM that is appropriate for the cryptographic use-case to form a cryptographic protocol are allowed. For example ChaCha20-Poly1305, HMAC-blake2s or X25519ML-KEM768. 

  Editor’s note for rapporteurs: Table K.3.2 is an example template and can be adapted where needed for the relevant vertical standard.
 > NOTE 2: The use-case defined in K.3.2 marked in “Related product function(s) / use case(s), where applicable” is a non-exhaustive list and listed algorithm can be used for other appropriate use-cases as well. 

### K.3.3 Assessment