diff --git a/framework/caching-cmm.md b/framework/caching-cmm.md index 10ec2c67..6e736265 100644 --- a/framework/caching-cmm.md +++ b/framework/caching-cmm.md @@ -107,9 +107,6 @@ If this parameter is not set, the caching CMM MUST set it to 2^32. This parameter is set as an additional security thresholds to ensure that the data keys expire and are refreshed periodically. -The caching CMM MUST provide a structure as defined below, -to track usage statistics. - ### Usage Stats The usage stats contains two fields: 
@@ -135,44 +132,81 @@ The number of bytes encrypted by the [encryption](structures.md#encryption-mater ### Get Encryption Materials +If the [Max Plaintext Length on the encryption materials request](./cmm-interface.md#encryption-materials-request) is not set +the caching CMM MUST obtain the encryption materials +by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function. +This is because without a size we cannot correctly enforce size limits. + If the [algorithm suite](algorithm-suites.md) requested contains a [Identity KDF](algorithm-suites.md#identity-kdf), -the caching CMM MUST obtain the encryption materials by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function. +the caching CMM MUST obtain the encryption materials +by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function. Otherwise, the caching CMM MUST attempt to find the [encryption materials](structures.md#encryption-materials) from the underlying [cryptographic materials cache (CMC)](#underlying-cryptographic-materials-cache). The caching CMM MUST use the formulas specified in [Appendix A](#appendix-a-cache-entry-identifier-formulas) in order to compute the [cache entry identifier](cryptographic-materials-cache.md#cache-identifier). -If a cache entry is found, the caching CMM MUST return the encryption materials retrieved. -If a cache entry is not found or the cache entry is expired, the caching CMM MUST then attempt to obtain the encryption materials +If an encryption materials cache entry is found, +and the [cache entry is within limits](#cache-entry-within-limits) +the caching CMM MUST return the encryption materials retrieved. 
+If a cache entry is not found or the cache entry is expired +or the [cache entry is not within limits](#cache-entry-within-limits), +the caching CMM MUST then attempt to obtain the encryption materials by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials). -If the [algorithm suite](algorithm-suites.md) requested does not contain an [Identity KDF](algorithm-suites.md#identity-kdf), +If the [algorithm suite](algorithm-suites.md) on the returned encryption material +does not contain an [Identity KDF](algorithm-suites.md#identity-kdf), +and the newly constructed [cache entry is within limits](#cache-entry-within-limits), the caching CMM MUST add the encryption materials obtained from the underlying CMM into the underlying CMC. -If the [algorithm suite](algorithm-suites.md) requested contains an Identity KDF, +If the [algorithm suite](algorithm-suites.md) on the returned encryption material +contains an an [Identity KDF](algorithm-suites.md#identity-kdf), +or the newly constructed [cache entry is not within limits](#cache-entry-within-limits), the caching CMM MUST NOT store the encryption materials in the underlying CMC. ### Decrypt Materials If the [algorithm suite](algorithm-suites.md) requested contains a [Identity KDF](algorithm-suites.md#identity-kdf), -the caching CMM MUST obtain the decryption materials by making a call to the underlying CMM's [Decrypt Materials](cmm-interface.md#decrypt-materials) function. +the caching CMM MUST obtain the decryption materials +by making a call to the underlying CMM's [Decrypt Materials](cmm-interface.md#decrypt-materials) function. Otherwise, the caching CMM MUST attempt to find the [decryption materials](structures.md#decryption-materials) from the [underlying CMC](#underlying-cryptographic-materials-cache). 
The caching CMM MUST use the formulas specified in [Appendix A](#appendix-a-cache-entry-identifier-formulas) in order to compute the [cache entry identifier](cryptographic-materials-cache.md#cache-identifier). -If a cache entry is found, the caching CMM MUST return the decryption materials retrieved. -If a cache entry is not found or the cache entry is expired, the caching CMM MUST attempt to obtain the decryption materials +If a decryption materials cache entry is found, +and the [cache entry is within limits](#cache-entry-within-limits) +the caching CMM MUST return the decryption materials retrieved. +If a cache entry is not found or the cache entry is expired +or the [cache entry is not within limits](#cache-entry-within-limits), +the caching CMM MUST attempt to obtain the decryption materials by making a call to the underlying CMM's [Decrypt Materials](cmm-interface.md#decrypt-materials). -If the [algorithm suite](algorithm-suites.md) requested does not contain an [Identity KDF](algorithm-suites.md#identity-kdf), +For decrypt limits bytes MUST be 0. +This is because the cryptographic safety of byte limits +is not relevant to decrypt. + +If the [algorithm suite](algorithm-suites.md) on the returned decryption material +does not contain an [Identity KDF](algorithm-suites.md#identity-kdf), +and the newly constructed [cache entry is within limits](#cache-entry-within-limits), the caching CMM MUST add the decryption materials obtained from the underlying CMM into the underlying CMC. -If the [algorithm suite](algorithm-suites.md) requested contains an Identity KDF, +If the [algorithm suite](algorithm-suites.md) on the returned decryption material +contains an an [Identity KDF](algorithm-suites.md#identity-kdf), +or the newly constructed [cache entry is not within limits](#cache-entry-within-limits), the caching CMM MUST NOT store the decryption materials in the underlying CMC. 
+### Cache Entry Within Limits + +For a cache entry to be within limits +* Current time minus the [entry's creation time](./cryptographic-materials-cache.md#creation-time) + MUST be less than or equal to the configured [Cache Limit TTL](#cache-limit-ttl) +* The [entry's bytes used](./cryptographic-materials-cache.md#bytes-usage) + MUST be less than or equal to the configured [Limit Bytes](#limit-bytes) +* The [entry's messages used](./cryptographic-materials-cache.md#message-usage) + MUST be less than or equal to the configured [Limit Messages](#limit-messages) + ## Appendix A: Cache Entry Identifier Formulas When accessing the underlying CMC,
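Review bot: Deleting "The caching CMM MUST provide a structure as defined below, to track usage statistics." in the first hunk (@@ -107,9 +107,6 @@) removes the only normative statement that usage is tracked at all; the "### Usage Stats" section that follows now just describes two fields with no MUST attached to them. If the intent is that the underlying cryptographic materials cache, not the caching CMM, now owns the usage counters (which is what the later within-limits wording implies by reading bytes used and messages used from cryptographic-materials-cache.md), say that explicitly here, otherwise keep a MUST so the section remains testable. Minor, in the retained context: "set as an additional security thresholds" should read "set as an additional security threshold".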
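Review bot: In the Get Encryption Materials hunk, the within-limits check on a found entry tests the entry's current usage rather than its usage after serving this request, so the byte and message limits can be overshot: with Limit Bytes = B and an entry whose bytes used is B - 1, "The entry's bytes used MUST be less than or equal to the configured Limit Bytes" passes and a further Max Plaintext Length bytes are encrypted under that data key. Since the hunk already requires Max Plaintext Length to be set on this path, suggest the get-side condition be "the entry's bytes used plus the request's Max Plaintext Length MUST be less than or equal to Limit Bytes" and "the entry's messages used plus 1 MUST be less than or equal to Limit Messages". Related gaps in the same hunk: (1) "the newly constructed cache entry is within limits" never states what usage a new entry starts with (presumably bytes used = Max Plaintext Length, messages used = 1; please state it); (2) the first new paragraph sends an unset-Max-Plaintext-Length request straight to the underlying CMM but does not say whether the result MUST NOT be stored in the CMC, and the later "MUST add ... into the underlying CMC" sentence reads as if it still applies; (3) "or the cache entry is expired or the cache entry is not within limits" is now redundant, because the TTL bullet in "### Cache Entry Within Limits" already covers expiry; (4) "For decrypt limits bytes MUST be 0." is ambiguous between the configured Limit Bytes and the entry's bytes used, suggest "For decryption, the entry's bytes used MUST be treated as 0" or whichever is meant. Wording: "contains an an [Identity KDF]" appears in both the encryption and decryption paragraphs; "and the [cache entry is within limits] the caching CMM MUST return" needs a comma before "the caching CMM" (twice); the retained "contains a [Identity KDF]" should be "an"; and "For a cache entry to be within limits" wants a trailing colon before the bullet list.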