This annex provides additional generic requirements around the use of state of the art cryptography. Annex K classifies cryptographic algorithm primitives as CRY-SOTA if they are listed in the ENISA ACM [REF] and are suitable for the implementation of supported security mechanisms of the product. This annex lists additional cryptographic algorithm primitives and schemes that are commonly existing on the market for VPNs that are classified as CRY-SOTA.
Note: The combination of the mechanism mentioned in CRY-SOTA-unlisted cryptographic mechanisms together with the mechanisms in ACM that is appropriate for the cryptographic use-case to form a cryptographic protocol are allowed. For example X25519ML-KEM768.
Note: The list of CRY-SOTA-unlisted as well as ACM relates to the default configuration of the product. Additional cryptography may be used when explicitly configured by the user.
## X.2 Symmetric atomic primitives
### X.2.1 Block ciphers
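Review bot: The first Note does not parse as written: the singular subject "The combination of the mechanism ..." takes the plural "are allowed", and "that is appropriate for the cryptographic use-case" has no clear antecedent. Suggest something like "CRY-SOTA-unlisted mechanisms may be combined with ACM mechanisms appropriate for the use-case to form a cryptographic protocol, for example X25519ML-KEM768." That example is also given without a reference tag, where the table rows each cite one (e.g. "RFC 8439"), and the ENISA ACM citation in the intro is still the placeholder "[REF]".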
@@ -15,7 +18,13 @@ Block ciphers can be configured to behave like stream ciphers using counter (CTR
**Table X.2.2-1: State of the art stream ciphers.**
| ChaCha20 (RFC 8439) | 256 bit (key) | A modern stream cipher used in VPNs and TLS 1.3. Preferred for devices without AES hardware acceleration. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| ChaCha20 (RFC 8439) | 256 bit (key), 20 Rounds | A modern stream cipher used in VPNs and TLS 1.3. Preferred for devices without AES hardware acceleration. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| Salsa20 (SALSA20) | 256 bit (key), 20 Rounds | Salsa20 was analyised and approved in the eSTREAM by eCRYPT which was sponsored by the EC. Extending Salsa20 with a larger 25-byte nonce (XSalsa20) to mitigate nonce collisions is included in this primitive. |
| AEGIS (AEGIS, RFC-AEGIS) | AEGIS-128, AEGIS-256, AEGIS-128L, AEGIS-256X | A modern AEAD algorithm based on AES. |
| ChaCha20-Poly1305 (RFC8439) | 256 bit(key)| Standard AEAD for TLS 1.3. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| ChaCha20-Poly1305 (RFC8439) | 256 bit (key), 20 Rounds | Standard AEAD for TLS 1.3. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| Salsa20-Poly1305 | 256 bit (key), 20 Rounds | Combination of Salsa20 and Poly1305 to create an AEAD. Extending Salsa20 with a larger 24-byte nonce (XSalsa20) to mitigate nonce collisions is included in this primitive. |
### X.3.6 Key protection
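Review bot: The Salsa20 row gives the extended nonce as "25-byte nonce (XSalsa20)" while the Salsa20-Poly1305 row says "24-byte nonce (XSalsa20)" for the same construction; XSalsa20 takes a 24-byte nonce, so the Salsa20 row should read 24. The same row has the typo "analyised". In the ChaCha20-Poly1305 row the extension is named as XChaCha20 although the row is the AEAD, so consider writing XChaCha20-Poly1305 there. The AEGIS row lists variant names in the parameter column with no key size or rounds, unlike the neighbouring rows, which makes the column inconsistent.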
@@ -74,7 +88,13 @@ The additional key derivation functions included in Table X.3.7-1 are agreed as
| Blake2s (RFC 7693) | Key: 128 bit | Blake2s is used in modern VPN protocols. Blake supportes a keyed mode which makes it a suitable key derivation function. |
| Blake2b (RFC 7693) | Key: 256 bit | Blake2b is used in modern VPN protocols. Blake supportes a keyed mode which makes it a suitable key derivation function. |
| SipHash24 (https://eprint.iacr.org/2012/351) | Key: 128 bit | A pseudorandom random function (PRF) optimized for short inputs. Allowed use-cases for this PRF is limited to non-security critical use-cases, such as, for example, hash table creation and ID generation. For other use-cases, refere to other approved cryptographic functions. |
| SipHash24 (SIPHASH24) | Key: 128 bit | A pseudorandom random function (PRF) optimized for short inputs. Allowed use-cases for this PRF is limited to non-security critical use-cases, such as, for example, hash table creation and ID generation. For other use-cases, refere to other approved cryptographic functions. |
| Blake3 (C2SP/BLAKE3) | | A modern cryptographic hash function that is an evolution from Blake2, but much faster. |
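Review bot: The new Blake3 row leaves the parameter column empty, where every other row in this table states a key size, and its description ("much faster") does not say which mode is meant to serve as the key derivation function. Suggest filling in the key size and naming the mode, as the Blake2 rows do with the keyed mode. The new SipHash24 row carries over "pseudorandom random function" and "refere" from the old line, and both Blake2 rows read "supportes"; worth fixing while the table is being touched. Since SipHash24 is limited to non-security critical use-cases, the row should also say why it belongs in the key derivation table.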