# Security Specifications (SYM-SEC)

## SYM-SEC-004: Transport Layer Security

**Effective:** 2025-05-02
**Last Revised:** 2025-05-02
**Status:** Active

### 1. Cryptographic Protocols

- TLS 1.3 REQUIRED for all external communications
- Forward secrecy REQUIRED (ECDHE with X25519 preferred)
- AES-256-GCM preferred for symmetric encryption; only the AEAD suites listed in Section 3 are permitted

### 2. Certificate Requirements

- All certificates MUST use SHA-256 with RSA (3072+ bits) or ECDSA (P-384)
- Certificate Transparency logging REQUIRED
- Maximum certificate validity: 398 days

### 3. Cipher Suite Priorities

1. TLS_AES_256_GCM_SHA384
2. TLS_CHACHA20_POLY1305_SHA256
3. TLS_AES_128_GCM_SHA256

### 4. RBAC Integration Requirements

- TLS client certificate authentication MUST be integrated with RBAC roles
- Certificate OU field MUST map to RBAC roles via signed claims: the OU is trusted only because the issuing CA signed the certificate, so chain validation MUST succeed before the mapping is consulted
- Certificate revocation checks REQUIRED before RBAC validation

### 5. Audit Requirements

- Full TLS handshake parameters (negotiated protocol version, cipher suite, key-exchange group, and peer certificate identity) logged for security audits
- Session keys escrowed via KMS for incident investigation. Escrowed session keys let the escrow holder decrypt recorded traffic, which removes the forward-secrecy guarantee of Section 1 for that holder; the escrow store therefore needs at least the access controls and access logging applied to the servers' private keys
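The five sections above, exercised end to end in Go, as an added example that is not part of SYM-SEC-004 or of any system it governs. The hostnames, OU values, role names, the `isRevoked` stub and the self-signed fixture certificates are assumptions; the `escrow` writer stands in for the Section 5 KMS sink. Two Go specifics shape the code: `crypto/tls` does not let a server configure TLS 1.3 cipher-suite order, so the Section 3 list is enforced by checking the negotiated suite after the handshake; and `CheckCertPolicy` reads Section 2 literally (SHA-256 over RSA of at least 3072 bits or over P-384), so a P-384 certificate signed with SHA-384, the more common pairing in practice, is rejected by it and the specification should say which it intends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// CheckCertPolicy enforces §2: a SHA-256 signature over an RSA key of at least
// 3072 bits or an ECDSA P-384 key, and a validity window of at most 398 days.
func CheckCertPolicy(c *x509.Certificate) error {
	rsaKey, isRSA := c.PublicKey.(*rsa.PublicKey)
	ecKey, isEC := c.PublicKey.(*ecdsa.PublicKey)
	ok := isRSA && c.SignatureAlgorithm == x509.SHA256WithRSA && rsaKey.N.BitLen() >= 3072 ||
		isEC && c.SignatureAlgorithm == x509.ECDSAWithSHA256 && ecKey.Curve == elliptic.P384()
	if life := c.NotAfter.Sub(c.NotBefore); !ok || life > 398*24*time.Hour {
		return fmt.Errorf("%v over %T valid %v: need SHA-256 with RSA >= 3072 or ECDSA P-384, <= 398 days", c.SignatureAlgorithm, c.PublicKey, life)
	}
	return nil
}

// SuiteAllowed is the §3 list. Go picks the TLS 1.3 suite itself, so the list is
// enforced on the negotiated suite (ConnectionState.CipherSuite), not by configuration.
func SuiteAllowed(s uint16) bool {
	return s == tls.TLS_AES_256_GCM_SHA384 || s == tls.TLS_CHACHA20_POLY1305_SHA256 || s == tls.TLS_AES_128_GCM_SHA256
}

// newCert is a test fixture (assumption): a self-signed P-384 leaf carrying one OU. Production leaves come from a CA in the trust store.
func newCert(host, ou string, validity time.Duration) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // serials must be positive
		Subject:      pkix.Name{CommonName: host, OrganizationalUnit: []string{ou}},
		DNSNames:     []string{host}, SignatureAlgorithm: x509.ECDSAWithSHA256,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// Handshake runs a mutual TLS 1.3 handshake in memory under the §1 settings and returns the server's
// ConnectionState (the §5 audit fields: Version, CipherSuite, VerifiedChains). escrow receives every
// session secret through Go's KeyLogWriter (NSS key-log format); in production that sink is the KMS only.
func Handshake(server, client tls.Certificate, roots *x509.CertPool, escrow io.Writer) (tls.ConnectionState, error) {
	srvCfg := &tls.Config{
		MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP384}, // ECDHE only, X25519 first
		Certificates:     []tls.Certificate{server}, KeyLogWriter: escrow,
		SessionTicketsDisabled: true, // net.Pipe is synchronous: no post-handshake ticket writes
	}
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{client},
		RootCAs: roots, ServerName: server.Leaf.DNSNames[0]}
	a, b := net.Pipe()
	defer func() { a.Close(); b.Close() }()
	srv, cli := tls.Server(a, srvCfg), tls.Client(b, cliCfg)
	done := make(chan error, 1)
	go func() {
		done <- cli.Handshake()
		cli.Read(make([]byte, 1)) // absorb a server alert, if any; returns once the pipe closes
	}()
	if err := srv.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return srv.ConnectionState(), <-done
}

// RolesForPeer implements §4: revocation is checked before any role lookup, then each OU of the verified
// client certificate maps to roles. The OU is a signed claim only because the handshake verified the chain.
func RolesForPeer(cs tls.ConnectionState, isRevoked func(*big.Int) bool, ouRoles map[string][]string) ([]string, error) {
	if len(cs.VerifiedChains) == 0 {
		return nil, fmt.Errorf("client certificate was not verified against ClientCAs")
	}
	leaf := cs.VerifiedChains[0][0]
	if isRevoked(leaf.SerialNumber) { // isRevoked is a stand-in (assumption) for the CRL/OCSP lookup
		return nil, fmt.Errorf("certificate serial %x is revoked", leaf.SerialNumber)
	}
	var roles []string
	for _, ou := range leaf.Subject.OrganizationalUnit {
		roles = append(roles, ouRoles[ou]...)
	}
	return roles, nil
}
```

To apply Section 2 to a live connection, run `CheckCertPolicy` over every certificate in `cs.VerifiedChains[0]`, not only the leaf. `RolesForPeer` deliberately reads `VerifiedChains` rather than `PeerCertificates`: the latter is populated even when `ClientAuth` is set to a mode that does not verify, and an unverified OU is an attacker-chosen string. The bytes written to `escrow` are the exact secrets that decrypt the session, which is why the Section 5 caveat on forward secrecy applies to wherever `KeyLogWriter` points. `SessionTicketsDisabled` is set only because the example uses a synchronous `net.Pipe`; on a real socket tickets can stay enabled.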