Commit e93d2876 authored by Marvin Petzolt, committed by Aki Braun

Added more ciphers for TLS support, AEGIS and Blake3

parent e0c651bf
+34 −7
@@ -2,6 +2,9 @@

This annex provides additional generic requirements around the use of state of the art cryptography. Annex K classifies cryptographic algorithm primitives as CRY-SOTA if they are listed in the ENISA ACM [REF] and are suitable for the implementation of supported security mechanisms of the product. This annex lists additional cryptographic algorithm primitives and schemes that are commonly existing on the market for VPNs that are classified as CRY-SOTA.

Note: The combination of the mechanism mentioned in CRY-SOTA-unlisted cryptographic mechanisms together with the mechanisms in ACM that is appropriate for the cryptographic use-case to form a cryptographic protocol are allowed. For example X25519ML-KEM768.
Note: The list of CRY-SOTA-unlisted as well as ACM relates to the default configuration of the product. Additional cryptography may be used when explicitly configured by the user. 

## X.2 Symmetric atomic primitives

### X.2.1 Block ciphers
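Review bot: In the first added note the subject "The combination ... to form a cryptographic protocol" is followed by "are allowed", and the sentence is hard to parse. Suggest something like "A CRY-SOTA-unlisted mechanism may be combined with an ACM mechanism appropriate for the cryptographic use-case to form a cryptographic protocol, for example X25519ML-KEM768." The example would benefit from a reference to where that combination is specified. The two "Note:" lines also need a blank line between them, otherwise Markdown renders them as a single paragraph.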
@@ -15,7 +18,13 @@ Block ciphers can be configured to behave like stream ciphers using counter (CTR
**Table X.2.2-1: State of the art stream ciphers.**
| Primitive            | Parameter's size | Notes             |
|----------------------|------------------|-------------------|
| ChaCha20 (RFC 8439)   | 256 bit (key)    | A modern stream cipher used in VPNs and TLS 1.3. Preferred for devices without AES hardware acceleration. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| ChaCha20 (RFC 8439)  | 256 bit (key), 20 Rounds    | A modern stream cipher used in VPNs and TLS 1.3. Preferred for devices without AES hardware acceleration. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| Salsa20  (SALSA20)   | 256 bit (key), 20 Rounds    | Salsa20 was analyised and approved in the eSTREAM by eCRYPT which was sponsored by the EC. Extending Salsa20 with a larger 25-byte nonce (XSalsa20) to mitigate nonce collisions is included in this primitive. |
| AEGIS (AEGIS, RFC-AEGIS) | AEGIS-128, AEGIS-256, AEGIS-128L, AEGIS-256X | A modern AEAD algorithm based on AES. |  

SALSA20 - https://cr.yp.to/snuffle/spec.pdf
AEGIS - https://competitions.cr.yp.to/round3/aegisv11.pdf
RFC-AEGIS - https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/

### X.2.3 Hash Functions 

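Review bot: The new Salsa20 row gives XSalsa20 a "25-byte nonce", while the Salsa20-Poly1305 row added to Table X.3.5-1 in this same commit says 24-byte. XSalsa20 uses a 24-byte (192-bit) nonce, so 25 looks like a typo. In the same row "analyised" should be "analysed". The AEGIS row is placed in the stream cipher table although its own note calls it an AEAD algorithm, so it may belong in Table X.3.5-1, and its size column lists variant names rather than key sizes. The three reference lines (SALSA20, AEGIS, RFC-AEGIS) are consecutive and will run together into one paragraph when rendered.
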
@@ -26,6 +35,10 @@ The additional hash functions are included in table X.2.3-1 are agreed as state
|----------------------|------------------|-------------------|
| Blake2b (RFC7693, NIST IR 7896)     | 512 bit | A modern cryptographic hash function which targets 64-bit platform (blake2s).  |
| Blake2s (RFC7693, NIST IR 7896)     | 256 bit | A modern cryptographic hash function which targets 64-bit platform. |  
| Blake3 (C2SP/BLAKE3)                |         | A modern cryptographic hash function that is an evolution from Blake2, but much faster. |

BLAKE3 - https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf
C2SP - https://github.com/C2SP/C2SP

## X.3 Symmetric constructions

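Review bot: The Blake3 row leaves the size column empty while the Blake2b and Blake2s rows state one (512 bit, 256 bit). Please fill in the digest size that is meant to qualify as CRY-SOTA. "much faster" is a comparative claim with no stated baseline and would be better dropped or tied to the cited specification. The row cites "C2SP/BLAKE3", but the reference lines below define BLAKE3 and C2SP as two separate tags, and being consecutive lines they will merge into one paragraph when rendered.
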
@@ -59,7 +72,8 @@ The additional authentication encryption schemes included in Table X.3.5-1 are a
**Table X.3.5-1: State of the art authentication encryption schemes.**
| Scheme | Parameter's size | Notes             |
|-----------|------------------|-------------------|
| ChaCha20-Poly1305 (RFC8439) | 256 bit(key)| Standard AEAD for TLS 1.3. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| ChaCha20-Poly1305 (RFC8439) | 256 bit (key), 20 Rounds | Standard AEAD for TLS 1.3. Extending ChaCha20 with a larger 24-byte nonce (XChaCha20) to mitigate nonce collisions is included in this primitive. |
| Salsa20-Poly1305            | 256 bit (key), 20 Rounds | Combination of Salsa20 and Poly1305 to create an AEAD. Extending Salsa20 with a larger 24-byte nonce (XSalsa20) to mitigate nonce collisions is included in this primitive. |

### X.3.6 Key protection

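Review bot: The added Salsa20-Poly1305 row cites no specification, unlike the ChaCha20-Poly1305 row above it (RFC8439). Add a reference for the construction, for example the SALSA20 tag introduced for Table X.2.2-1 together with a source for the Poly1305 combination. Both rows say the extended-nonce variant is "included in this primitive" although this table lists schemes. The new "20 Rounds" qualifier would also be clearer if the text stated whether reduced-round variants are excluded.
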
@@ -74,7 +88,13 @@ The additional key derivation functions included in Table X.3.7-1 are agreed as
|-----------------------------------------------|-----------------------|-----------------------------------------------------|
| Blake2s (RFC 7693)                              | Key: 128 bit        | Blake2s is used in modern VPN protocols. Blake supportes a keyed mode which makes it a suitable key derivation function.  |
| Blake2b (RFC 7693)                              | Key: 256 bit        | Blake2b is used in modern VPN protocols. Blake supportes a keyed mode which makes it a suitable key derivation function.  |
| SipHash24 (https://eprint.iacr.org/2012/351)    | Key: 128 bit        | A pseudorandom random function (PRF) optimized for short inputs. Allowed use-cases for this PRF is limited to non-security critical use-cases, such as, for example, hash table creation and ID generation. For other use-cases, refere to other approved cryptographic functions.   |
| SipHash24 (SIPHASH24)                           | Key: 128 bit        | A pseudorandom random function (PRF) optimized for short inputs. Allowed use-cases for this PRF is limited to non-security critical use-cases, such as, for example, hash table creation and ID generation. For other use-cases, refere to other approved cryptographic functions.   |
| Blake3 (C2SP/BLAKE3)                            |                     | A modern cryptographic hash function that is an evolution from Blake2, but much faster. |

BLAKE3 - https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf
C2SP - https://github.com/C2SP/C2SP
SIPHASH24 - https://cr.yp.to/siphash/siphash-20120918.pdf


### X.3.8 Password protection/password hashing mechanisms

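Review bot: The Blake3 row in this key derivation table has an empty key-size column and reuses the hash-function description from Table X.2.3-1 word for word, so it does not say why Blake3 qualifies as a KDF. The Blake2 rows at least point to the keyed mode. State the key size and which Blake3 mode is meant. The BLAKE3 and C2SP reference lines duplicate the ones added under X.2.3 and could be listed once. The SipHash24 line being rewritten still carries "pseudorandom random function" and "refere", and the Blake2 rows still say "supportes"; this would be a good moment to fix them.
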
@@ -90,7 +110,6 @@ Every password based hashing mechansim shall include a unique random salt (at le

### X.3.9 Key combiners


## X.4 Asymmetric atomic primitives

### X.4.1 RSA/Integer factorization
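Review bot: After this hunk X.3.9 Key combiners is a bare heading followed directly by X.4. If the annex adds nothing for key combiners, say so explicitly, as X.5.4 did with "No additional primitives." before this commit.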
@@ -111,7 +130,8 @@ The additional elliptic curve parameters included in Table X.4.3-1 are agreed as
**Table X.4.3-1: Additional elliptic curve parameters agreed as start of the art.**
| Scheme | Curve | Notes             |
|-----------|------------------|-------------------|
| X25519 / Ed25519 (RFC 8410) | Curve25519 | Standard for TLS 1.3, and SSH and various VPN protocols. |
| X25519 / Ed25519 (RFC 7748) | Curve25519 | Standard for TLS, and SSH and various VPN protocols. |
| X448 /  Ed448 (RFC 7748) | Curve448 | Standard in TLS and various VPN protocols. | 

### X.4.4 Learning with errors in (structured) lattices

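Review bot: The reference on the X25519 / Ed25519 row changes from RFC 8410 to RFC 7748, and the new X448 / Ed448 row cites RFC 7748 as well, but RFC 7748 specifies only the X25519 and X448 functions. The signature schemes are cited as RFC 8032 in Table X.5.2-1 of this same commit. Suggest citing both, e.g. "X25519 / Ed25519 (RFC 7748, RFC 8032)". The reworded note "Standard for TLS, and SSH and various VPN protocols." has a stray comma, and the caption still reads "start of the art".
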
@@ -138,7 +158,8 @@ The additional digital signature schemes included in Table X.5.2-1 are agreed as
**Table X.5.2-1: State of the art digital signature schemes.**
| Scheme | Parameter’s sizes | Notes             |
|-----------|------------------|-------------------|
| Ed25519 (RFC 8032) | 256 bit key | Used for TLS and formally known as EdDSA. | 
| Ed25519 (RFC 8032, FIPS 186-5) | 256 bit | Used for TLS and formally known as EdDSA. | 
| Ed448 (RFC 8032, FIPS 186-5) | 456 bit | Used in TLS and various VPN protocols based on TLS. | 

### X.5.3	Asymmetric entity authentication schemes

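Review bot: The "Parameter's sizes" column for Ed25519 drops "key" and now reads "256 bit", and Ed448 is given as "456 bit", without saying what is measured. 456 bit matches the 57-byte encoded Ed448 public key, whereas Table X.5.4-1 lists X448 as 448 bit, so readers will see two different numbers for the same curve. State explicitly that these are encoded public key lengths. The Ed25519 note says it is "formally known as EdDSA", which applies equally to Ed448; consider wording both rows as instances of EdDSA.
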
@@ -151,7 +172,13 @@ The additional digital signature schemes included in Table X.5.2-1 are agreed as

### X.5.4 Key establishment and key encapsulation

No additional primitives.
 The additional Key establishment and key encapsulation included in table X.5.4-1 are agreed as state of the art.

 **Table X.5.4-1: State of the art entity authentication schemes.**
| Scheme | Parameter’s sizes | Notes             |
|-----------|------------------|-------------------|
| X25519 (RFC 7748) | 256 bit | Used in TLS and various VPN protocols. |
| X448 (RFC 7748) | 448 bit | Used in TLS and in various VPN protocols based on TLS. | 

## X.6	Cryptographic Industry Standards
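Review bot: The caption of the new table reads "Table X.5.4-1: State of the art entity authentication schemes." but the section and the intro sentence are about key establishment and key encapsulation, so the caption looks copied from X.5.3 and should be renamed. The intro sentence and the caption both start with a leading space, and there is no blank line between the caption and the table header, which can affect how the Markdown renders. The two rows repeat X25519 and X448 from Table X.4.3-1; if that is intentional, cross-reference the tables so the entries stay in sync.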