fix: Update Caching CMM spec #262

Open. Wants to merge 1 commit into base: master.
60 changes: 47 additions & 13 deletions framework/caching-cmm.md
Expand Up @@ -107,9 +107,6 @@ If this parameter is not set, the caching CMM MUST set it to 2^32.
This parameter is set as an additional security thresholds to ensure that
the data keys expire and are refreshed periodically.

The caching CMM MUST provide a structure as defined below,
to track usage statistics.

### Usage Stats

The usage stats contains two fields:
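Review bot: Deleting "The caching CMM MUST provide a structure as defined below, to track usage statistics." leaves the "Usage Stats" subsection that follows with no normative sentence introducing it; the heading and its two fields stay, but nothing in this hunk now says who records them or where they live. The new "Cache Entry Within Limits" checks later in this file read the entry's bytes used and messages used from the cache entry itself, so either add a one-line lead-in here stating that usage is tracked on the cache entry, or move the "Usage Stats" subsection next to those definitions rather than leaving an orphaned structure in the spec.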
Expand All @@ -135,44 +132,81 @@ The number of bytes encrypted by the [encryption](structures.md#encryption-mater

### Get Encryption Materials

If the [Max Plaintext Length on the encryption materials request](./cmm-interface.md#encryption-materials-request) is not set
the caching CMM MUST obtain the encryption materials
by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function.
This is because without a size we cannot correctly enforce size limits.

If the [algorithm suite](algorithm-suites.md) requested contains a [Identity KDF](algorithm-suites.md#identity-kdf),
the caching CMM MUST obtain the encryption materials by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function.
the caching CMM MUST obtain the encryption materials
by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function.

Otherwise, the caching CMM MUST attempt to find the [encryption materials](structures.md#encryption-materials)
from the underlying [cryptographic materials cache (CMC)](#underlying-cryptographic-materials-cache).
The caching CMM MUST use the formulas specified in [Appendix A](#appendix-a-cache-entry-identifier-formulas)
in order to compute the [cache entry identifier](cryptographic-materials-cache.md#cache-identifier).

If a cache entry is found, the caching CMM MUST return the encryption materials retrieved.
If a cache entry is not found or the cache entry is expired, the caching CMM MUST then attempt to obtain the encryption materials
If an encryption materials cache entry is found,
and the [cache entry is within limits](#cache-entry-within-limits)
the caching CMM MUST return the encryption materials retrieved.
If a cache entry is not found or the cache entry is expired
or the [cache entry is not within limits](#cache-entry-within-limits),
the caching CMM MUST then attempt to obtain the encryption materials
by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials).

If the [algorithm suite](algorithm-suites.md) requested does not contain an [Identity KDF](algorithm-suites.md#identity-kdf),
If the [algorithm suite](algorithm-suites.md) on the returned encryption material
does not contain an [Identity KDF](algorithm-suites.md#identity-kdf),
and the newly constructed [cache entry is within limits](#cache-entry-within-limits),
the caching CMM MUST add the encryption materials obtained from the underlying CMM into the underlying CMC.

If the [algorithm suite](algorithm-suites.md) requested contains an Identity KDF,
If the [algorithm suite](algorithm-suites.md) on the returned encryption material
contains an an [Identity KDF](algorithm-suites.md#identity-kdf),
or the newly constructed [cache entry is not within limits](#cache-entry-within-limits),
the caching CMM MUST NOT store the encryption materials in the underlying CMC.

### Decrypt Materials

If the [algorithm suite](algorithm-suites.md) requested contains a [Identity KDF](algorithm-suites.md#identity-kdf),
the caching CMM MUST obtain the decryption materials by making a call to the underlying CMM's [Decrypt Materials](cmm-interface.md#decrypt-materials) function.
the caching CMM MUST obtain the decryption materials
by making a call to the underlying CMM's [Decrypt Materials](cmm-interface.md#decrypt-materials) function.

Otherwise, the caching CMM MUST attempt to find the [decryption materials](structures.md#decryption-materials)
from the [underlying CMC](#underlying-cryptographic-materials-cache).
The caching CMM MUST use the formulas specified in [Appendix A](#appendix-a-cache-entry-identifier-formulas)
in order to compute the [cache entry identifier](cryptographic-materials-cache.md#cache-identifier).

If a cache entry is found, the caching CMM MUST return the decryption materials retrieved.
If a cache entry is not found or the cache entry is expired, the caching CMM MUST attempt to obtain the decryption materials
If a decryption materials cache entry is found,
and the [cache entry is within limits](#cache-entry-within-limits)
the caching CMM MUST return the decryption materials retrieved.
If a cache entry is not found or the cache entry is expired
or the [cache entry is not within limits](#cache-entry-within-limits),
the caching CMM MUST attempt to obtain the decryption materials
by making a call to the underlying CMM's [Decrypt Materials](cmm-interface.md#decrypt-materials).

If the [algorithm suite](algorithm-suites.md) requested does not contain an [Identity KDF](algorithm-suites.md#identity-kdf),
For decrypt limits bytes MUST be 0.
This is because the cryptographic safety of byte limits
is not relevant to decrypt.

If the [algorithm suite](algorithm-suites.md) on the returned decryption material
does not contain an [Identity KDF](algorithm-suites.md#identity-kdf),
and the newly constructed [cache entry is within limits](#cache-entry-within-limits),
the caching CMM MUST add the decryption materials obtained from the underlying CMM into the underlying CMC.

If the [algorithm suite](algorithm-suites.md) requested contains an Identity KDF,
If the [algorithm suite](algorithm-suites.md) on the returned decryption material
contains an an [Identity KDF](algorithm-suites.md#identity-kdf),
or the newly constructed [cache entry is not within limits](#cache-entry-within-limits),
the caching CMM MUST NOT store the decryption materials in the underlying CMC.

### Cache Entry Within Limits

For a cache entry to be within limits
* Current time minus the [entry's creation time](./cryptographic-materials-cache.md#creation-time)
MUST be less than or equal to the configured [Cache Limit TTL](#cache-limit-ttl)
* The [entry's bytes used](./cryptographic-materials-cache.md#bytes-usage)
MUST be less than or equal to the configured [Limit Bytes](#limit-bytes)
* The [entry's messages used](./cryptographic-materials-cache.md#message-usage)
MUST be less than or equal to the configured [Limit Messages](#limit-messages)

## Appendix A: Cache Entry Identifier Formulas

When accessing the underlying CMC,
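Review bot: "For decrypt limits bytes MUST be 0." in the Decrypt Materials section is ambiguous when read together with the new "Cache Entry Within Limits" rule, which requires the entry's bytes used to be less than or equal to the configured Limit Bytes: if "limit bytes" here means the configured limit is zero for decrypt, then a decrypt entry is within limits only while its bytes used is also zero, and the text never says that decrypt entries record zero bytes. State it explicitly, for example "Decryption materials cache entries MUST record 0 bytes used, and the Limit Bytes check does not apply to them", so an implementation does not evict every decrypt entry on first use. Two smaller points in the same hunk: the phrase "If a cache entry is not found or the cache entry is expired or the cache entry is not within limits" is redundant, since "within limits" already contains the TTL comparison ("Current time minus the entry's creation time MUST be less than or equal to the configured Cache Limit TTL"); either drop "expired" or define it as a distinct CMC-level condition so readers do not look for two different TTLs. And there are typos to fix before merge: "contains an an [Identity KDF]" appears in both the encryption and decryption paragraphs, and "and the cache entry is within limits the caching CMM MUST return" needs a comma after "within limits" in both sections. The bypass of the cache when Max Plaintext Length is unset, and the "newly constructed cache entry is within limits" condition before storing, are the right calls: they keep a single oversized request from seeding an entry the byte limit can no longer bound.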