Cryptographic Controls Policy (A.8.24)
Document ID: cryptographic-controls-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Purpose
Define which cryptographic algorithms, key sizes, and key management practices are approved for protecting SigmaShake information assets.
Approved algorithms
| Use case | Algorithm | Key size / parameters | Notes |
|---|---|---|---|
| Evidence signing | Ed25519 | 256-bit (Curve25519) | IETF RFC 8032 |
| TLS transport | TLS 1.2+ | ECDHE preferred | Enforced by Cloudflare |
| HMAC (internal auth) | HMAC-SHA-256 | 256-bit key | Secrets Store |
| Password hashing | N/A | — | No passwords stored; SSO only |
| Content addressing | SHA-256 | — | Evidence hashing + Merkle chain |
Prohibited algorithms
- MD5, SHA-1 (for integrity or signing purposes)
- RSA < 2048 bits
- DES, 3DES, RC4
- ECB mode for any block cipher
- Self-signed TLS certificates in production
Key management
Evidence signing keys (Ed25519)
- Generated in Cloudflare Workers using
crypto.subtle.generateKey - Private key stored as
COMPLIANCE_SIGNING_KEYin Cloudflare Secrets Store - Public key registered in
signing_keystable and published at/.well-known/compliance-pubkey - Rotation: every 90 days. Overlap slot (
COMPLIANCE_SIGNING_KEY_V2) maintained during rotation window - Retiring keys remain in
signing_keyswith stateretiringso historical evidence remains verifiable
HMAC keys
- Stored in Cloudflare Secrets Store
- Rotated on the same 90-day cadence as signing keys (
secrets-age+rotation-smokecollectors) - Never transmitted; compared via constant-time equality
GitHub App private key (RSA)
- RS256 JWT signing for GitHub App installation token minting
- Stored as
GITHUB_APP_PRIVATE_KEYin Secrets Store - Rotated annually or on suspected compromise
Transport security
All external-facing endpoints use HTTPS enforced by Cloudflare. Internal service-to-service calls use Cloudflare service bindings (same-network, TLS-equivalent isolation).
Key compromise response
If a signing key is suspected compromised:
- Immediately set key state to
revokedinsigning_keys - Generate a new key and deploy as the active key
- Issue an incident report referencing affected evidence objects
- Notify affected auditors or customers if evidence integrity is in question
Evidence
| Collector | Cadence | Control |
|---|---|---|
secrets-age | Daily | A.5.17, A.8.24 |
rotation-smoke | Daily | A.5.17, A.8.24 |
saml-signing-attestation | Weekly | A.8.24 |
sso-signing-key-age | Weekly | A.8.24 |