The content of this repository is the result of the gathering, translation, standardization and structuring of a set of technical requirements extracted from five cybersecurity agencies' guidelines.
The examined guidelines are:
- AgID AgID-RACCSECTLS-01
- ANSSI v1.2
- BSI TR-02102-2 and TR-03116-4
- Mozilla v5.7
- NIST SP 800-52 Rev. 2 (and related documents)
The result of this process is a dataset that can be audited, inspected and peer reviewed.
- Configurable element - each element whose availability can be set by the system administrator (e.g., specific protocol versions);
- Guideline - a document issued by a national cybersecurity agency that contains technical requirement for various configurable elements;
- Level - the requirement level that every guideline assigns to each configurable element;
- Profile - a use case defined by a guideline (e.g., customer-facing and government-facing service);
- Variant - subset of elements that can have alternative configurations levels (e.g., prioritization of ephemeral keys use);
- Condition - an additional requirement that restricts the use of a configurable element (e.g., "use element up to year 2030").
The dataset is composed of multiple .md files that are used to store different sets of configurable elements. Each file contains a table with the following structure:
| Configurable Element | (Guideline1, Profile1) | (Guideline1, Profile1) | ... | (Guidelinen, Profilen) | (Guidelinen, Profilen) |
|---|---|---|---|---|---|
| Element1 | Level1,1 | Condition1,1 | ... | Level1,n | Condition1,n |
| Element2 | Level2,1 | Condition2,1 | ... | Level2,n | Condition2,n |
| ... | ... | ... | ... | ... | ... |
| Elementn | Leveln,1 | Conditionn,1 | ... | Leveln,n | Conditionn,n |
For additional information on how to add a new guideline or a new table to the dataset, please refer to the Standard Compliance Module.
Each file lists the requirements level of
- Certificates-related
- Certificate.md: common fields;
- Certificate Extensions.md: specific extensions;
- Certificate Signature.md: algorithms that can be used to sign a certificate;
- Cipher Suites.md: cipher suites;
- Hash Algorithms.md: the hash algorithms that can be used together with the respective signatures;
- Key Lengths.md: the key lengths that can be used for both key exchange and signature algorithms;
- Misc.md: other configurable elements that do not fall into a specific category (e.g., vulnerability-specific mitigations);
- Protocol.md: SSL and TLS versions;
- Signature Algorithms.md: the signature algorithms that can be used for forward secrecy;
- TLS Extensions.md: the TLS extensions that can be used during a secure transmission.
To enable reproducibility of the dataset, the repository also contains a set of scripts that can be used to generate a SQLite database that maps the dataset.
schema_creator.py: reads the dataset and by using Prisma Client Python creates an empty SQLite database with the tables needed to store the dataset. The database will be stored in a file calledrequirements.db(in the root directory of the repository);database_filler.py: reads the dataset and fills all the tables ofrequirements.dbwith the data contained in the dataset.
Please refer to the Wiki page.
This dataset is the result of a study aimed to design a methodology to assess the compliance level of new and existing webservers. More detail about the methodology and the process behind its creation can be found in the paper Automating Compliance for Improving TLS Security Postures: An Assessment of Public Administration Endpoints:
@conference{secrypt24,
author={Riccardo Germenia. and Salvatore Manfredi. and Matteo Rizzi. and Giada Sciarretta. and Alessandro Tomasi. and Silvio Ranise.},
title={Automating Compliance for Improving TLS Security Postures: An Assessment of Public Administration Endpoints},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - SECRYPT},
year={2024},
pages={450-458},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012764700003767},
isbn={978-989-758-709-2},
issn={2184-7711},
}The content of this dataset is an integral part of TLSAssistant, an open-source modular framework capable of identifying a wide range of TLS vulnerabilities and assessing compliance with multiple guidelines. Its actionable report can assist the user in correctly and easily fixing their configurations.