Cryptography_Policy.md

May 24, 2026 ยท View on GitHub

Hack23 Logo

๐Ÿ”’ Hack23 AB โ€” Cryptography Policy

๐Ÿ›ก๏ธ Encryption Excellence Through Systematic Implementation
๐ŸŽฏ Demonstrating Cryptographic Expertise for Security Consulting

Owner Version Effective Date Review Cycle

๐Ÿ“‹ Document Owner: CEO | ๐Ÿ“„ Version: 1.2 | ๐Ÿ“… Last Updated: 2026-01-25 (UTC)
๐Ÿ”„ Review Cycle: Annual | โฐ Next Review: 2027-01-25


๐ŸŽฏ Purpose Statement

Hack23 AB's cryptographic implementation demonstrates how systematic encryption practices directly enable both security excellence and business innovation. Our cryptography policy serves as both operational framework and client demonstration of our cybersecurity consulting expertise.

As a cybersecurity consulting company, our approach to cryptography becomes a showcase of professional cryptographic standards, demonstrating to potential clients how proper encryption implementations enable business security without hindering functionality.

Our commitment to transparency means our cryptographic practices become a reference implementation, showing how systematic encryption approaches create competitive advantages through robust security foundations.

โ€” James Pether Sรถrling, CEO/Founder


๐Ÿ” Purpose & Scope

This policy establishes cryptographic standards and procedures for Hack23 AB, ensuring appropriate encryption of data at rest, in transit, and in processing across all systems and applications.

Scope: All systems in Asset Register, data per Data Classification Policy, and supplier services per SUPPLIER.md.


๐Ÿ”’ Mandatory Cryptographic Requirements

โœ… MUST HAVE - Encryption at Rest

ISO 27001 A.8.24 NIST CSF 2.0 PR.DS EU CRA

Organizations implementing this policy MUST:

flowchart TD
    subgraph "๐Ÿ” Encryption at Rest Requirements"
        EXTREME["Extreme Data<br/>โœ… MUST: HSM Encryption"]
        HIGH["High Data<br/>โœ… MUST: AES-256 CMK"]
        STANDARD["Standard Data<br/>โœ… MUST: AES-256 Service"]
    end
    
    subgraph "๐Ÿ”‘ Key Management Requirements"
        KMS["Key Management Service<br/>โœ… MUST: Centralized KMS"]
        ROTATION["Key Rotation<br/>โœ… MUST: Annual minimum"]
        BACKUP["Key Backup<br/>โœ… MUST: Cross-region"]
    end
    
    subgraph "๐Ÿ“‹ Compliance Gates"
        AUDIT["Audit Logging<br/>โœ… MUST: All key operations"]
        ACCESS["Access Control<br/>โœ… MUST: Least privilege"]
        MONITORING["Monitoring<br/>โœ… MUST: Real-time alerts"]
    end
    
    EXTREME --> KMS
    HIGH --> KMS
    STANDARD --> KMS
    
    KMS --> AUDIT
    ROTATION --> ACCESS
    BACKUP --> MONITORING
    
    style EXTREME fill:#D32F2F
    style HIGH fill:#FFC107
    style STANDARD fill:#4CAF50

Encryption at Rest Requirements:

  • โœ… MUST implement AES-256 encryption for all data storage systems
  • โœ… MUST use centralized key management service (AWS KMS or equivalent)
  • โœ… MUST enforce customer-managed keys (CMK) for high-classification data
  • โœ… MUST implement automated key rotation (annual minimum, quarterly preferred)

โœ… MUST HAVE - Encryption in Transit

CIS Control 3.10

Data transmission security implementation MUST:

graph LR
    subgraph "๐ŸŒ Transport Layer Requirements"
        TLS13["TLS 1.3 Preferred<br/>โœ… MUST: Modern protocols"]
        TLS12["TLS 1.2 Minimum<br/>โœ… MUST: Legacy support"]
        CIPHERS["Strong Ciphers<br/>โœ… MUST: AEAD suites only"]
    end
    
    subgraph "๐Ÿ”’ Protocol Implementation"
        HTTPS["HTTPS Everywhere<br/>โœ… MUST: All web traffic"]
        API["API Security<br/>โœ… MUST: TLS + signatures"]
        EMAIL["Email Encryption<br/>โœ… MUST: TLS + S/MIME"]
    end
    
    subgraph "๐Ÿ“Š Validation Requirements"
        TESTING["Protocol Testing<br/>โœ… MUST: Automated validation"]
        GRADING["Security Grading<br/>โœ… MUST: SSL Labs A+"]
        MONITORING["Traffic Monitoring<br/>โœ… MUST: Weak cipher detection"]
    end
    
    TLS13 --> HTTPS
    TLS12 --> API
    CIPHERS --> EMAIL
    
    HTTPS --> TESTING
    API --> GRADING
    EMAIL --> MONITORING
    
    style TLS13 fill:#4CAF50
    style HTTPS fill:#1565C0
    style TESTING fill:#FFC107

Transport Security Requirements:

  • โœ… MUST implement TLS 1.3 for all new implementations
  • โœ… MUST support TLS 1.2 minimum for legacy compatibility
  • โœ… MUST use only modern cipher suites with forward secrecy
  • โœ… MUST achieve SSL Labs A+ rating for all public endpoints

โœ… MUST HAVE - Key Management Framework

ISO 27001 A.8.24 NIS2 Art.21

Cryptographic key management MUST:

sequenceDiagram
    participant GEN as ๐Ÿ”‘ Key Generation
    participant STORE as ๐Ÿฆ Secure Storage
    participant USE as ๐Ÿ” Key Usage
    participant ROTATE as ๐Ÿ”„ Key Rotation
    participant DELETE as ๐Ÿ—‘๏ธ Secure Deletion
    
    GEN->>STORE: โœ… MUST: HSM generation
    STORE->>USE: โœ… MUST: Least privilege access
    USE->>ROTATE: โœ… MUST: Annual rotation
    ROTATE->>DELETE: โœ… MUST: Secure key destruction
    DELETE->>GEN: โœ… MUST: Audit trail maintained

Key Management Requirements:

  • โœ… MUST generate all cryptographic keys using hardware security modules
  • โœ… MUST implement centralized key management with AWS KMS or equivalent
  • โœ… MUST enforce role-based access control for all key operations
  • โœ… MUST maintain complete audit trails for key lifecycle events

๐Ÿ”’ Cryptographic Standards Framework

๐Ÿ›ก๏ธ Approved Encryption Algorithms

NIST Approved FIPS 140-3

Algorithm TypeAlgorithmKey SizeImplementationStatus
๐Ÿ” SymmetricAES256-bitAWS KMSApproved
๐Ÿ”‘ AsymmetricRSA4096-bitSSH KeysLegacy Support
๐Ÿ”‘ AsymmetricEd25519256-bitPreferredApproved
๐Ÿ” HashingSHA-256256-bitIntegrityApproved
๐Ÿ” HashingSHA-3256-bitFutureApproved

โŒ Prohibited Algorithms

Security Risk

Deprecated AlgorithmSecurity IssueReplacementDeadline
MD5CollisionSHA-256Immediate
SHA-1CollisionSHA-256Immediate
DES/3DESWeak KeysAES-256Immediate
RC4Stream CipherAES-GCMImmediate

๐Ÿ—๏ธ Implementation Architecture

๐Ÿ“Š Encryption by Data Classification

Data Protection

Implementation follows Data Classification Policy requirements:

Classification LevelEncryption RequirementKey ManagementImplementation
ExtremeHSM-based AES-256CloudHSMHardware Security Module
Very HighAES-256 + CMKKMS CMKCustomer Managed Keys
HighAES-256 encryptionKMS ServiceService Managed Keys
ModerateStandard encryptionS3 SSEService Default
LowBasic protectionService DefaultPlatform Standard

๐ŸŒ Transport Layer Security Implementation

flowchart TB
    subgraph "๐ŸŒ Public Internet"
        USERS[Users/Clients<br/>TLS 1.3 Preferred]
        CDN[CloudFront CDN<br/>TLS Termination]
        WAF[AWS WAF<br/>Cipher Suite Filtering]
    end
    
    subgraph "๐Ÿ”’ Application Layer"
        ALB[Application Load Balancer<br/>TLS 1.2+ Only]
        API[API Gateway<br/>Modern Ciphers]
        LAMBDA[Lambda Functions<br/>HTTPS Everywhere]
    end
    
    subgraph "๐Ÿ’พ Data Layer"
        RDS[RDS PostgreSQL<br/>Force SSL]
        S3[S3 Buckets<br/>HTTPS Required]
        KMS[KMS Operations<br/>TLS 1.3]
    end
    
    USERS --> CDN
    CDN --> WAF
    WAF --> ALB
    
    ALB --> API
    API --> LAMBDA
    
    LAMBDA --> RDS
    LAMBDA --> S3
    LAMBDA --> KMS
    
    style USERS fill:#1565C0
    style CDN fill:#4CAF50
    style ALB fill:#FF9800
    style RDS fill:#7B1FA2

๐Ÿ”‘ AWS KMS Integration Architecture

AWS Integration

Comprehensive key management per Asset Register AWS services:

AWS ServiceEncryption MethodKey TypeStatus
S3 BucketsSSE-KMSCustomer ManagedActive
RDS PostgreSQLEncryption at RestCustomer ManagedActive
Lambda FunctionsEnvironment VariablesFunction-specific CMKActive
CloudTrail LogsLog EncryptionService ManagedActive
WorkMailEmail EncryptionService ManagedActive

๐Ÿ›ก๏ธ Security Control Framework

๐Ÿ” Certificate Management

Certificate Security

Domain certificate management aligned with Network Security Policy:

DomainCertificate TypeIssuerSecurity Features
hack23.comDV SSLACMAuto Renewal
blacktrigram.comDV SSLACMCloudWatch Alerts

๐Ÿ”’ Modern Cipher Suite Requirements

Cipher Security

Approved cipher suites for TLS 1.3:

TLS_1_3_Ciphers:
  - TLS_AES_256_GCM_SHA384          # โœ… AEAD with perfect forward secrecy
  - TLS_CHACHA20_POLY1305_SHA256    # โœ… AEAD optimized for mobile
  - TLS_AES_128_GCM_SHA256          # โœ… AEAD acceptable for performance

TLS_1_2_Ciphers:
  - ECDHE-RSA-AES256-GCM-SHA384     # โœ… Forward secrecy + AEAD
  - ECDHE-RSA-AES128-GCM-SHA256     # โœ… Forward secrecy + AEAD
  - ECDHE-RSA-CHACHA20-POLY1305     # โœ… Forward secrecy + AEAD

Prohibited_Ciphers:
  - All non-AEAD ciphers             # โŒ No authentication
  - RC4 family                       # โŒ Stream cipher weakness
  - DES/3DES family                  # โŒ Inadequate key strength

๐Ÿ“Š Cryptographic Performance Metrics

๐ŸŽฏ Security Posture KPIs

Security Excellence

Metric CategoryKPITargetCurrent StatusFramework Badge
๐Ÿ” Encryption CoverageData at Rest100%CompleteISO 27001 A.8.24
๐ŸŒ Transport SecurityTLS Implementation100%A+ RatingNIST CSF PR.DS
๐Ÿ”‘ Key ManagementKMS Integration100%Full IntegrationCIS Control 3
๐Ÿ“‹ Algorithm ComplianceApproved Algorithms100%NIST CompliantFIPS 140-3
๐Ÿ”„ Key RotationAutomated RotationAnnual minimumAutomatedISO 27001 A.8.24

๐Ÿ”„ Continuous Security Improvement

flowchart LR
    ASSESS["๐Ÿ” Crypto Assessment"] --> IMPLEMENT["๐Ÿ”’ Algorithm Updates"]
    IMPLEMENT --> VALIDATE["โœ… Security Validation"]
    VALIDATE --> MONITOR["๐Ÿ“Š Performance Monitoring"]
    MONITOR --> ASSESS
    
    ASSESS --> THREAT["๐Ÿšจ Threat Intelligence"]
    THREAT --> QUANTUM["๐Ÿ”ฎ Post-Quantum Prep"]
    QUANTUM --> IMPLEMENT
    
    style ASSESS fill:#1565C0
    style IMPLEMENT fill:#4CAF50
    style VALIDATE fill:#FF9800
    style MONITOR fill:#7B1FA2

Business Value Demonstration:

Cost Avoidance Trust Enhancement Compliance Excellence Innovation Enablement


โœ๏ธ Code Signing & Commit Verification

GitHub Signing GPG Keys

All code commits and releases MUST be cryptographically signed:

Signing TypeAlgorithmKey SizeRequirementVerification
Git CommitsGPG/RSA4096-bitโœ… MUST sign all commitsVerified
Git TagsGPG/RSA4096-bitโœ… MUST sign all releasesGitHub verified badge
SSH AuthEd25519256-bitโœ… MUST use for Git operationsSSH key fingerprint audit
Maven ArtifactsGPG/RSA4096-bitโœ… MUST sign for Maven CentralSonatype verification

GPG Key Management:

  • โœ… Primary signing key: 4096-bit RSA with 2-year expiration
  • โœ… Subkeys for signing operations (rotate annually)
  • โœ… Private keys protected with strong passphrase (see Password Policy below)
  • โœ… Public keys published to GitHub, keyservers, and Maven Central
  • โœ… Key backup stored in encrypted offline storage

๐Ÿ”‘ SSH Key Management

SSH Security

SSH key requirements for infrastructure access:

Use CaseAlgorithmKey SizePassphraseRotation
GitHub AccessEd25519256-bitโœ… RequiredAnnual
AWS EC2 AccessEd25519256-bitโœ… RequiredAnnual
Server AdministrationEd25519256-bitโœ… RequiredAnnual
Legacy SystemsRSA4096-bit minโœ… RequiredAnnual

SSH Hardening Requirements:

  • โœ… MUST disable password authentication on all servers
  • โœ… MUST use Ed25519 for new key generation (RSA-4096 for legacy only)
  • โœ… MUST protect private keys with strong passphrase
  • โœ… MUST use SSH agent with timeout (12 hours maximum)
  • โœ… MUST maintain authorized_keys audit trail
  • โŒ MUST NOT share SSH keys between systems or personnel

๐Ÿ” Password & Secrets Management

Secrets Management Password Policy

Cryptographic Password Requirements:

Password TypeMinimum LengthComplexityRotationStorage
Master Passwords20+ charactersHigh entropy passphraseAnnualHardware token + memory
Service Accounts32+ charactersRandom generation90 daysAWS Secrets Manager
API Keys40+ charactersCryptographic random90 daysAWS Secrets Manager
Database Credentials32+ charactersRandom generation90 daysAWS Secrets Manager
Encryption Passphrases25+ charactersHigh entropyAnnualHardware token

Secrets Management Architecture:

flowchart TB
    subgraph "๐Ÿ” Secrets Storage"
        SM[AWS Secrets Manager<br/>Primary secrets store]
        KMS[AWS KMS<br/>Secrets encryption]
        PARAM[SSM Parameter Store<br/>Configuration secrets]
    end
    
    subgraph "๐Ÿ”‘ Key Hierarchy"
        MASTER[Master CMK<br/>Secrets Manager CMK]
        APP[Application Keys<br/>Per-service secrets]
        ROTATE[Automatic Rotation<br/>Lambda-based]
    end
    
    subgraph "๐Ÿ“‹ Audit & Compliance"
        TRAIL[CloudTrail<br/>Access logging]
        ALERT[CloudWatch Alerts<br/>Anomaly detection]
        REVIEW[Quarterly Review<br/>Access audit]
    end
    
    SM --> KMS
    PARAM --> KMS
    KMS --> MASTER
    MASTER --> APP
    APP --> ROTATE
    
    SM --> TRAIL
    TRAIL --> ALERT
    ALERT --> REVIEW
    
    style SM fill:#FF9800
    style KMS fill:#4CAF50
    style MASTER fill:#1565C0

Prohibited Practices:

  • โŒ NEVER store secrets in source code, environment files, or documentation
  • โŒ NEVER transmit secrets via unencrypted channels (email, chat, tickets)
  • โŒ NEVER reuse passwords across different systems
  • โŒ NEVER use predictable or dictionary-based passwords

๐Ÿšจ Cryptographic Incident Response

Incident Response

Key Compromise Response Procedures:

Incident TypeSeverityResponse TimeImmediate Actions
Private Key ExposureCritical<1 hourRevoke key, rotate affected systems, notify stakeholders
Password/Secret LeakHigh<4 hoursRotate secret, audit access logs, assess exposure scope
Weak Algorithm DetectionMedium<24 hoursPlan migration, assess risk, implement stronger algorithm
Certificate ExpiryMedium<24 hoursRenew certificate, validate deployment, test connectivity
HSM/KMS IssueCritical<1 hourActivate backup keys, engage AWS support, incident documentation

Incident Response Steps:

  1. Detection & Triage - Identify scope and severity of cryptographic incident
  2. Containment - Revoke compromised keys/certificates immediately
  3. Eradication - Remove exposure source, rotate all potentially affected secrets
  4. Recovery - Deploy new cryptographic material, validate system functionality
  5. Post-Incident - Document lessons learned, update procedures, enhance monitoring

Notification Requirements:

  • Internal: CEO notified within 1 hour for Critical/High severity
  • External: Per Incident Response Plan requirements
  • Regulatory: GDPR 72-hour notification if personal data potentially affected

๐Ÿ”ฎ Post-Quantum Cryptography Roadmap

NIST PQC Quantum Ready

NIST Post-Quantum Cryptography Standards (Finalized 2024):

AlgorithmTypeStandardUse CaseAdoption Status
ML-KEM (CRYSTALS-Kyber)Key EncapsulationFIPS 203Key exchange, TLSMonitoring
ML-DSA (CRYSTALS-Dilithium)Digital SignatureFIPS 204Code signing, certificatesMonitoring
SLH-DSA (SPHINCS+)Digital SignatureFIPS 205Long-term signaturesMonitoring

Transition Timeline:

  • 2025-2026: Inventory cryptographic assets, monitor AWS/cloud provider PQC support
  • 2027-2028: Hybrid implementations (classical + PQC) for high-value assets
  • 2030+: Full PQC migration per NIST/NSA guidance

Current Actions:

  • โœ… Cryptographic asset inventory maintained in Asset Register
  • โœ… Monitoring AWS KMS PQC roadmap
  • โœ… Algorithm agility designed into key management architecture
  • ๐Ÿ”„ Awaiting cloud provider hybrid TLS support

๐ŸŽฏ Strategic & Governance

๐Ÿ”’ Security Policies

๐Ÿ’ป Asset & Development


๐Ÿ“‹ Document Control:
โœ… Approved by: James Pether Sรถrling, CEO
๐Ÿ“ค Distribution: Public
๐Ÿท๏ธ Classification: Confidentiality: Public
๐Ÿ“… Effective Date: 2026-01-25
โฐ Next Review: 2027-01-25
๐ŸŽฏ Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls