# Security Specifications (SYM-SEC)

## SYM-SEC-004: Transport Layer Security
**Effective:** 2025-05-02
**Last Revised:** 2025-05-02
**Status:** Active

### 1. Cryptographic Protocols
- TLS 1.3 REQUIRED for all external communications
- Forward secrecy REQUIRED (ECDHE with X25519 preferred)
- AES-256-GCM REQUIRED for symmetric encryption

### 2. Certificate Requirements
- All certificates MUST use SHA-256 with RSA (3072+ bits) or ECDSA (P-384)
- Certificate transparency logging REQUIRED
- Maximum certificate validity: 398 days

### 3. Cipher Suite Priorities
1. TLS_AES_256_GCM_SHA384
2. TLS_CHACHA20_POLY1305_SHA256
3. TLS_AES_128_GCM_SHA256
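
The following is an added example, not part of the specification: a Python check of one connection record against the protocol, certificate and cipher suite rules in sections 1 to 3. The record layout, field names and function names are assumptions made for illustration, and the two sample records are constructed.

```python
from datetime import datetime, timedelta

# Section 3 priority order, copied from the specification.
SUITE_PRIORITY = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                  "TLS_AES_128_GCM_SHA256"]
MAX_VALIDITY = timedelta(days=398)  # section 2

def preferred_suite(offered):
    """Pick the highest-priority section 3 suite the peer offers, else None."""
    return next((s for s in SUITE_PRIORITY if s in offered), None)

def check_connection(conn):
    """Return SYM-SEC-004 findings for one record (hypothetical dict layout)."""
    findings = []
    if conn["protocol"] != "TLSv1.3":
        findings.append("s1: protocol %s, TLS 1.3 required" % conn["protocol"])
    if conn["cipher_suite"] not in SUITE_PRIORITY:
        findings.append("s3: suite %s not in priority list" % conn["cipher_suite"])
    cert = conn["certificate"]
    # Assumed reading of section 2: SHA-256 applies to both key types.
    if cert["signature_hash"] != "sha256":
        findings.append("s2: signature hash %s" % cert["signature_hash"])
    rsa_ok = cert["key_type"] == "RSA" and cert["key_param"] >= 3072
    ec_ok = cert["key_type"] == "ECDSA" and cert["key_param"] == "P-384"
    if not (rsa_ok or ec_ok):
        findings.append("s2: key %s %s" % (cert["key_type"], cert["key_param"]))
    if cert["sct_count"] < 1:
        findings.append("s2: no signed certificate timestamps (CT logging)")
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        findings.append("s2: validity exceeds 398 days")
    return findings

# Constructed sample records, not taken from any real system.
COMPLIANT = {"protocol": "TLSv1.3", "cipher_suite": "TLS_AES_256_GCM_SHA384",
             "certificate": {"signature_hash": "sha256", "key_type": "ECDSA",
                             "key_param": "P-384", "sct_count": 2,
                             "not_before": datetime(2025, 5, 2),
                             "not_after": datetime(2026, 6, 4)}}  # exactly 398 days
LEGACY = {"protocol": "TLSv1.2", "cipher_suite": "ECDHE-RSA-AES256-GCM-SHA384",
          "certificate": {"signature_hash": "sha256", "key_type": "RSA",
                          "key_param": 2048, "sct_count": 0,
                          "not_before": datetime(2025, 1, 1),
                          "not_after": datetime(2027, 1, 1)}}

if __name__ == "__main__":
    for name, rec in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        print(name, check_connection(rec) or "no findings")
```

The protocol and suite strings match what Python's `ssl.SSLSocket.version()` and `cipher()` return, so a record can be filled from a live socket.
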
### 4. RBAC Integration Requirements
- TLS client certificate authentication MUST be integrated with RBAC roles
- Certificate OU field MUST map to RBAC roles via signed claims
- Certificate revocation checks REQUIRED before RBAC validation

### 5. Audit Requirements
- Full TLS handshake parameters logged for security audits
- Session keys escrowed via KMS for incident investigation