Extension of the TLS cipher suite property with additional properties

IBM / CBOM

Cryptography Bill of Materials

Apache License 2.0

48 stars 6 forks source link

Extension of the TLS cipher suite property with additional properties #5

Closed n1ckl0sk0rtge closed 11 months ago

n1ckl0sk0rtge commented 1 year ago

A TLS cipher suite can be described by a variety of different identifiers. This should also be reflected in the CBOM. These are identifiers for a TLS cipher suite that uses DHE for key exchange, RSA for authentication, and AES with 128bit key in counter with CBC-MAC mode (AES 128 CCM).

IANA name:
    TLS_DHE_RSA_WITH_AES_128_CCM 
OpenSSL name:
    DHE-RSA-AES128-CCM
GnuTLS name:
    TLS_DHE_RSA_AES_128_CCM
Hex code:
    0xC0, 0x9E

Also there should be a way to capture and document the used elliptic curve by ECDH (like sect163k1, x25519, ...) or the key size by plain DH (like 2048, ...)

bhess commented 1 year ago

At the end the strings all map to the hex code (code point). The most normative reference seems to be IANA: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml. I don't think we need to capture the individual strings used by OpenSSL/GnuTLS and others. IANA names on the other hand are more descriptive than hex codes, so my recommendation would be to clarify that we expect IANA names. Agreed with the need to describe the "curve", which is also needed to infer the security level.

n1ckl0sk0rtge commented 1 year ago

Sounds good to me. Maybe we should call the key for the json value ianaName then.

"cryptoProperties": {
    "assetType": "protocol",
    "protocolProperties": {
        "tlsCipherSuites" : [
            {
               "ianaName": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "curve": "x25519"
            }
        ]
    }
}

n1ckl0sk0rtge commented 1 year ago

add algorithm references
generalise cipher suites

"cryptoProperties": {
    "assetType": "protocol",
    "protocolProperties": {
        "algorithmSet" : [
            {
               "type": "cipherSuite" (enum)
               "name": "TLS_DHE_RSA_WITH_AES_128_CCM ",
               "algorithmes" : [
                   "ref" : "<reference to algorithm>"
               ],
               "identifiers": ["0xC0", "0x9E"]
            }
        ]
    }
}

"cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
             "variant": "ECDH-secp256r1"
             # enum of common curvs
             "curve": "x25519"
        }
        "classicalSecurityLevel": 192,
        "nistQuantumSecurityLevel": 3
}