Fordan — Security Status
Cryptography
The Fordan cryptographic core (crates/core-crypto) is UNAUDITED — not production-trusted. It has not undergone an independent external security audit. Until such an audit is completed and its findings addressed, do not rely on Fordan to protect data against a motivated adversary in production.
What is (and isn't) assured
What we do assert today:
- No homemade crypto. Every primitive delegates to a vetted RustCrypto crate: argon2 (Argon2id, RFC 9106), chacha20poly1305 (XChaCha20-Poly1305 / ChaCha20-Poly1305, RFC 8439), aes-gcm (AES-256-GCM), blake3, getrandom (OS CSPRNG), zeroize, and subtle. No cipher, MAC, KDF, or padding scheme is implemented in-house.
- Known-answer tested. Each primitive is checked against official, checked-in test vectors (test-data/crypto-vectors/): RFC 8439 ChaCha20-Poly1305, the RFC 9106 Argon2id vector, an official BLAKE3 vector, and a NIST AES-256-GCM vector. Tests assert exact ciphertext/tag/hash bytes — not merely round-trips.
- Tamper-evident AEAD. Every encrypted artifact is authenticated; a flipped ciphertext byte, tag byte, nonce, key, or associated-data value causes open() to fail closed.
- Constant-time secret comparison. Tags and secrets are compared with the subtle crate / the AEAD library's verify — never ==.
- KDF parameter floor. derive_kek rejects Argon2id parameters weaker than the RFC 9106 floor (m = 19456 KiB, t = 2, p = 1).
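The parameter floor above is the one check a caller can get wrong silently, most often by mixing up the memory unit (RFC 9106 states m in KiB, and 19456 KiB is exactly 19 MiB). The following is an added, stand-alone illustration of that floor check written for this document; it is not Fordan's derive_kek or any code from crates/core-crypto, and the names KdfParams, FLOOR, FloorViolation, check_floor and check_floor_mib are assumptions made here. It goes slightly beyond the text by reporting every parameter that is below the floor at once, rather than only the first.

```rust
// Added example, not Fordan's code: an RFC 9106 Argon2id floor check using
// the values this document states. The type and function names are assumed.
use std::fmt;

/// Argon2id cost parameters. `m_kib` is memory in KiB, the unit RFC 9106
/// uses; `t` is the iteration count and `p` the degree of parallelism.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct KdfParams {
    pub m_kib: u32,
    pub t: u32,
    pub p: u32,
}

/// The floor stated in this document: m = 19456 KiB, t = 2, p = 1.
pub const FLOOR: KdfParams = KdfParams { m_kib: 19456, t: 2, p: 1 };

/// One parameter below the floor, with the value seen and the value required.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct FloorViolation {
    pub name: &'static str,
    pub got: u32,
    pub required: u32,
}

impl fmt::Display for FloorViolation {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "{} = {} is below the RFC 9106 floor of {}",
            self.name, self.got, self.required
        )
    }
}

/// Compare every parameter against the floor and report all violations at
/// once, so a caller fixing its configuration sees the complete list instead
/// of the first failure. Ok(()) means the parameters may be used.
pub fn check_floor(params: KdfParams) -> Result<(), Vec<FloorViolation>> {
    let checks = [
        ("m (KiB)", params.m_kib, FLOOR.m_kib),
        ("t", params.t, FLOOR.t),
        ("p", params.p, FLOOR.p),
    ];
    let violations: Vec<FloorViolation> = checks
        .iter()
        .filter(|(_, got, required)| got < required)
        .map(|&(name, got, required)| FloorViolation { name, got, required })
        .collect();
    if violations.is_empty() {
        Ok(())
    } else {
        Err(violations)
    }
}

/// For callers that configure memory in MiB: convert to KiB before checking.
/// Passing "19" directly as KiB, meaning 19 MiB, would otherwise be rejected
/// by a wide margin; this wrapper makes the unit explicit at the call site.
pub fn check_floor_mib(m_mib: u32, t: u32, p: u32) -> Result<(), Vec<FloorViolation>> {
    check_floor(KdfParams { m_kib: m_mib.saturating_mul(1024), t, p })
}

fn main() {
    // Constructed sample inputs: the floor itself, a KiB/MiB mix-up, and a
    // configuration weak in every parameter.
    let samples = [
        FLOOR,
        KdfParams { m_kib: 19, t: 2, p: 1 },
        KdfParams { m_kib: 4096, t: 1, p: 0 },
    ];
    for params in samples {
        match check_floor(params) {
            Ok(()) => println!("{:?}: accepted", params),
            Err(violations) => {
                println!("{:?}: rejected", params);
                for v in violations {
                    println!("  {}", v);
                }
            }
        }
    }
}
```

A check like this belongs at the boundary where parameters enter the crypto layer (configuration parsing, a CLI flag, a file header), so that a weakened setting is refused before any key is derived rather than discovered in an audit later.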
What we do not yet assure:
- Independent cryptographic review of the construction, key hierarchy, and format binding.
- Side-channel resistance beyond the constant-time comparisons noted above.
- Resistance to misuse by higher layers (e.g. nonce-reuse introduced by callers).
Audit gate
This document must be updated — and the "UNAUDITED" banner removed — only after a named external party completes a security audit and the findings are recorded here with their resolutions.