Open
Description
Describe the feature
Where:
schema/cryptography-defs.json (AES family)
What:
Add a registry entry to recognize the widely deployed IPsec ESP transform combination: AES-CTR + HMAC-SHA1-96 (described in RFC 3686, used together with an authentication function such as HMAC-SHA-1-96).
Why:
Some tooling and SBOM/CBOM pipelines encounter this suite expressed as a single algorithm string. Having a canonical pattern improves normalization and reporting consistency.
Notes / scope:
- This is an IPsec ESP suite-style naming convention, not an IETF AEAD registry algorithm name.
- Registry-only addition. No schema/spec behavior changes.
Proposed entry (draft):
- Pattern: AES[-(128|192|256)]-CTR-HMAC-SHA1[-96]
- Primitive: (needs guidance: ae vs alternative classification)
- Standards: RFC 3686 (and optionally the authoritative HMAC-SHA1-96 reference if maintainers prefer)
Possible solutions
Add a variant entry under the existing AES family, with an RFC 3686 reference.
Alternatives
Leave unregistered and rely on ad-hoc naming across tools.
Additional context
Happy to adjust the naming, key-size handling, and primitive classification based on maintainer feedback.
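
The following is an added example, not part of the original issue or the project's code: a sketch of how an SBOM/CBOM pipeline could use the draft pattern to normalize ad-hoc suite strings. It assumes that `[...]` in the pattern marks an optional part and `(a|b)` a choice; the names `pattern_to_regex` and `canonicalize` and the sample strings are hypothetical.

```python
import re

# Draft pattern quoted from the issue. Assumed reading of its notation:
# "[...]" marks an optional part, "(a|b|c)" a choice between alternatives.
DRAFT_PATTERN = "AES[-(128|192|256)]-CTR-HMAC-SHA1[-96]"

def pattern_to_regex(pattern):
    """Translate the bracket notation into a compiled regex."""
    tokens = {"[": "(?:", "]": ")?", "(": "(", ")": ")", "|": "|"}
    return re.compile("".join(tokens.get(ch, re.escape(ch)) for ch in pattern))

SUITE_RE = pattern_to_regex(DRAFT_PATTERN)

def canonicalize(raw):
    """Map an ad-hoc suite string to the draft canonical form, or None."""
    s = raw.strip().upper()
    s = re.sub(r"[\s_+/]+", "-", s)        # spaces, "_", "+", "/" -> "-"
    s = re.sub(r"-{2,}", "-", s)           # collapse runs of "-"
    s = re.sub(r"^AES(\d)", r"AES-\1", s)  # AES128 -> AES-128
    s = s.replace("SHA-1", "SHA1")         # HMAC-SHA-1-96 -> HMAC-SHA1-96
    m = SUITE_RE.fullmatch(s)              # the whole string must match
    if m is None:
        return None
    return {
        "name": s,
        "key_bits": int(m.group(1)) if m.group(1) else None,
        "truncated_96": s.endswith("-96"),
    }

# Constructed sample inputs (not taken from any real SBOM/CBOM).
SAMPLES = [
    "AES-CTR + HMAC-SHA1-96",
    "aes128_ctr_hmac_sha1",
    "AES-256-CTR-HMAC-SHA-1-96",
    "AES-128-CTR",              # unauthenticated CTR alone: must not match
    "AES-128-CTR-HMAC-SHA256",  # different MAC: must not match
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:30} -> {canonicalize(raw)}")
```

Matching the whole string keeps plain AES-CTR, or a suite with a different MAC, from being reported under this entry.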