Version: 1.0

Approved By: Richard D’Lonesteen

Created at: 12/08/2023

1. Objective

The objective of this policy is to establish and enforce standards for cryptographic techniques to safeguard sensitive information handled by ChattyAI. This involves the proper use of encryption algorithms, management of encryption keys, and adherence to industry-best practices for cryptographic operations.

2. Minimization of Sensitive Information Storage

Sensitive information must be stored minimally. Whenever feasible, the exclusion of sensitive data storage is preferable. Prioritize alternative methods such as tokenization or anonymization where possible.

3. Cryptographic Algorithms

3.1. Hash Algorithms

• For password storage, employ the following:
  • Argon2: Minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
  • Scrypt (Fallback): Minimum CPU/memory cost parameter of \(2^{17}\), block size of 8 (1024 bytes), and parallelization parameter of 1.
  • BCrypt (Legacy Systems): Work factor of 10 or more, with a password length limit of 72 bytes.
  • PBKDF2 (FIPS-140 Compliance): Handle with a work factor of 600,000+ using HMAC-SHA-256 as the internal hash function.

3.2. Symmetric Encryption

• Utilize AES-128 or AES-256 bit keys with secure modes of operation such as GCM or CCM for symmetric encryption.

3.3. Asymmetric Encryption

• Preferred: Elliptical curve cryptography (ECC) with secure curves like Curve25519.
• Alternate (if ECC unavailable): RSA with a minimum key size of 2048 bits and enabled OAEP for padding.

4. Secure Random Number Generation

Ensure the generation of random numbers for security-critical functions, including encryption keys, session IDs, and tokens, adheres to cryptographically secure methods. Avoid non-secure random number generation functions as specified per programming language guidelines provided.