~~NOTOC~~
{{wvds:title>Compliance}}
===== Compliance & Certifications =====
The WvdS Crypto Service meets the requirements of the following standards and regulations.
----
==== NIS2 (EU Directive) ====
The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) entered into force on 16 January 2023; Member States had to transpose it into national law by 17 October 2024.
=== Article 21(2): Cybersecurity Risk-Management Measures ===
| Requirement | WvdS Implementation |
| (a) Risk analysis | Documented threat analysis |
| (b) Security incident handling | Logging, audit trail |
| (d) Supply chain security | OpenSSL FIPS-validated |
| (h) Cryptography | Post-Quantum algorithms |
| (i) Access control | L4Re Capability System |
=== Affected Sectors ===
Critical infrastructure operators (energy, transport, health, water, digital infrastructure) must comply with NIS2.
The WvdS Crypto Service is designed for these sectors.
----
==== BSI TR-03116-4 ====
Part 4 of BSI TR-03116 (Kryptographische Vorgaben für Projekte der Bundesregierung), the technical guideline of the German Federal Office for Information Security on cryptographic requirements for federal government projects. Part 4 covers communication procedures in applications, in particular TLS, and is the part applicable to a crypto service used in such systems.
=== Allowed Algorithms ===
| Category | Allowed | WvdS |
| Symmetric | AES-256-GCM | ✓ |
| Signature | ECDSA, RSA-PSS | ML-DSA (PQC) |
| Key Exchange | ECDH | ML-KEM (PQC) |
| Hash | SHA-256, SHA-384 | ✓ (internal) |
=== Post-Quantum Note ===
BSI TR-03116-4 recommends gradual migration to post-quantum algorithms from 2025. The WvdS Crypto Service anticipates this: it implements ML-KEM (FIPS 203) for key exchange and ML-DSA (FIPS 204) for signatures, the PQC entries in the table above.
----
==== FIPS 140-3 ====
The WvdS Crypto Service uses OpenSSL 3.6 with the FIPS provider.
=== Validated Modules ===
| Module | Certificate |
| OpenSSL 3.0 FIPS Provider | #4282 (in process for 3.6) |
Certificate #4282 covers the OpenSSL 3.0 FIPS Provider module (fips.so) at the versions named on the CMVP entry; a FIPS provider built from 3.6 sources is not covered until its own certificate is issued. OpenSSL supports running the validated 3.0.x provider module under a newer 3.x libcrypto, which is how a newer build keeps a validated module. For the audit record, the provider version reported by openssl list -providers should match the certificate entry; the security policy linked under References lists the exact validated versions.
=== FIPS Mode Activation ===
FIPS mode is **enabled by default**. To verify it from application code, check two things: that the FIPS provider can be loaded, and that the default property query selects FIPS implementations (fips=yes). The first check alone is not sufficient: if the default provider is also loaded, an algorithm fetch without a property query can still return a non-FIPS implementation.
<code c>
// In your code
#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/provider.h>

// available = the provider can be loaded; fips_enabled = fetches default to fips=yes
if (OSSL_PROVIDER_available(NULL, "fips")
    && EVP_default_properties_is_fips_enabled(NULL)) {
    printf("FIPS Provider active\n");
}
</code>
=== Non-FIPS Algorithms ===
The FIPS provider does not implement the following algorithms; with the property query fips=yes in effect, a fetch for them fails (they exist only in the default or legacy provider):
* MD5 (default provider only)
* DES (single DES, legacy provider only)
* RC4 (legacy provider only, insecure)
Two legacy algorithms are implemented by the FIPS provider for compatibility but are restricted by NIST SP 800-131A Rev. 2 and must not be used for new protection: SHA-1 (verification of existing signatures only, no new signatures) and Triple-DES (decryption of legacy data only). An application that needs this guarantee in its audit trail should fetch algorithms with an explicit property query fips=yes rather than rely on the global default.
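A command-line counterpart to the in-code check, usable as an audit record or a deployment smoke test. This is an added example written for this page, not a tool shipped with the WvdS Crypto Service. It assumes an OpenSSL 3.x openssl binary on PATH for the live checks and that the active configuration is either $OPENSSL_CONF or $OPENSSLDIR/openssl.cnf; the provider listing embedded in SAMPLE_LISTING is constructed sample output used only to self-test the parser offline.

```shell
#!/bin/sh
# fips_audit.sh: verify that an OpenSSL 3.x deployment really enforces FIPS.
# Added example for this page (not WvdS project code). Live checks assume an
# `openssl` binary on PATH; the listing parser also works on saved output.

# Constructed sample of `openssl list -providers` output (format: provider id
# indented two spaces, its attributes indented four). Used for an offline
# self-test of the parser below.
SAMPLE_LISTING='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# fips_provider_active: read `openssl list -providers` output on stdin; exit 0
# only if a provider with id "fips" is listed with "status: active". The listing
# shows only providers actually loaded (e.g. activate = 1 in the config), which
# is a stronger statement than "the module exists on disk".
fips_provider_active() {
    awk '
        /^  [^ ]/      { id = $1; next }                        # provider id line
        /^    status:/ { if (id == "fips" && $2 == "active") found = 1 }
        END            { exit (found ? 0 : 1) }
    '
}

# fips_provider_version: print the version of the "fips" provider from the same
# listing, so the audit record can be compared with the CMVP certificate entry.
fips_provider_version() {
    awk '
        /^  [^ ]/       { id = $1; next }
        /^    version:/ { if (id == "fips") print $2 }
    '
}

# md5_rejected_under_fips: exit 0 if OpenSSL refuses MD5 under the property
# query fips=yes. In a correct FIPS deployment the openssl call must fail,
# because no loaded provider offers MD5 with the property fips=yes.
md5_rejected_under_fips() {
    if printf 'probe' | openssl dgst -md5 -propquery fips=yes >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# sha256_served_by_fips: exit 0 if SHA-256 is served under fips=yes, which
# proves the FIPS provider is loaded and functional, not merely available.
sha256_served_by_fips() {
    printf 'probe' | openssl dgst -sha256 -propquery fips=yes >/dev/null 2>&1
}

# default_properties_pinned: exit 0 if the active openssl.cnf pins
# default_properties = fips=yes, so applications that fetch algorithms without
# a property query (the common case) still get FIPS implementations.
# Assumption: the config is $OPENSSL_CONF or $OPENSSLDIR/openssl.cnf.
default_properties_pinned() {
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    cnf=${OPENSSL_CONF:-$dir/openssl.cnf}
    grep -Eq '^[[:space:]]*default_properties[[:space:]]*=[[:space:]]*"?fips=yes"?' "$cnf"
}

# fips_audit: run all live checks, print one PASS/FAIL line each, return
# non-zero if any check fails.
fips_audit() {
    rc=0
    listing=$(openssl list -providers 2>/dev/null)
    check() { if "$1"; then echo "PASS $2"; else echo "FAIL $2"; rc=1; fi; }
    if printf '%s\n' "$listing" | fips_provider_active; then
        echo "PASS fips provider loaded (version $(printf '%s\n' "$listing" | fips_provider_version))"
    else
        echo "FAIL fips provider not loaded"; rc=1
    fi
    check md5_rejected_under_fips   "MD5 rejected under fips=yes"
    check sha256_served_by_fips     "SHA-256 served under fips=yes"
    check default_properties_pinned "default_properties = fips=yes in active openssl.cnf"
    return $rc
}

# Offline self-test of the parser on the constructed sample; the live audit
# runs only with --live so the file can also be sourced by other scripts.
printf '%s\n' "$SAMPLE_LISTING" | fips_provider_active && echo "parser self-test: ok"
if [ "${1:-}" = "--live" ]; then
    fips_audit
    exit $?
fi
```

Run it as sh fips_audit.sh --live on the target host and attach the output to the audit evidence; a PASS on all four lines covers the three ways a FIPS deployment is commonly misconfigured (module not activated in the config, default provider shadowing the FIPS one, and no fips=yes default property).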
----
==== FIPS 203 (ML-KEM) ====
NIST Post-Quantum Standard for Key Encapsulation.
| Parameter | Value |
| Algorithm | ML-KEM-768 |
| Security Level | NIST Level 3 (~AES-192) |
| Public Key | 1184 bytes |
| Ciphertext | 1088 bytes |
| Shared Secret | 32 bytes |
=== Migration Note ===
ML-KEM replaces classical key establishment such as:
* RSA key exchange (key transport)
* ECDH (P-256, P-384)
* X25519
During the transition, BSI (TR-02102-1) recommends hybrid key establishment: the ML-KEM shared secret is combined with a classical ECDH/X25519 secret in the key derivation, so a flaw in a still-young PQC implementation cannot weaken a session below today's classical security. Size protocol buffers for the values in the table above (1184-byte public key, 1088-byte ciphertext) rather than the 32 bytes of an X25519 public key.
----
==== FIPS 204 (ML-DSA) ====
NIST Post-Quantum Standard for digital signatures.
| Parameter | Value |
| Algorithm | ML-DSA-65 |
| Security Level | NIST Level 3 |
| Public Key | 1952 bytes |
| Signature | 3309 bytes |
=== Migration Note ===
ML-DSA replaces classical signature schemes such as:
* RSA-PSS
* ECDSA (P-256, P-384)
* Ed25519
Note the size impact: an ML-DSA-65 signature (3309 bytes) is roughly 50 times larger than an ECDSA P-256 or Ed25519 signature (64 bytes), and the 1952-byte public key enlarges every certificate in a chain. Where relying parties cannot yet verify ML-DSA, a hybrid (dual) signature with a classical scheme alongside it is the usual transition step.
----
==== Compliance Checklist ====
**For your audit:**
| Requirement | Status | Evidence |
| State-of-the-art encryption | ✓ | AES-256-GCM, ML-KEM |
| Post-Quantum ready | ✓ | FIPS 203, 204 |
| FIPS-validated crypto | ✓ | OpenSSL FIPS Provider |
| Key management | ✓ | Key Storage (File/TPM/HSM) |
| Access control | ✓ | L4Re Capabilities |
| Logging/Audit | ✓ | Configurable |
| Secure key destruction | ✓ | Zeroize on Drop |
| Nonce management | ✓ | Automatic tracking |
| DoS protection | ✓ | Rate Limiting |
----
==== Documentation for Auditor ====
The following documents are available for your audit:
| Document | Content |
| README_OEM.md | Technical integration |
| WvdS_KB_OEM.md | Knowledge Base (details) |
| SECURITY.md | Security Policy |
| CHANGELOG.md | Change history |
**Request for additional documents:**
Contact: Wolfgang van der Stille / EMSR DATA d.o.o. / DATECpro GmbH
----
==== References ====
* [[https://eur-lex.europa.eu/eli/dir/2022/2555|NIS2 Directive (EU) 2022/2555]]
* [[https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-03116/tr-03116_node.html|BSI TR-03116]]
* [[https://csrc.nist.gov/publications/detail/fips/203/final|NIST FIPS 203 (ML-KEM)]]
* [[https://csrc.nist.gov/publications/detail/fips/204/final|NIST FIPS 204 (ML-DSA)]]
* [[https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf|OpenSSL FIPS Security Policy]]
----
[[.:sicherheit|< Security]] | [[.:start|Back to Overview]]