Compliance / BSI IT-Grundschutz + TR-02102
BSI IT-Grundschutz Crypto Scanner
Korthex scans source code, TLS, databases and git history against the German BSI baseline: IT-Grundschutz building block CON.1 (Kryptokonzept) and the TR-02102 algorithm and key-length recommendations. Every finding carries the affected requirement, file and line, and a concrete replacement. Built in Germany, 100% on-premise, air-gapped capable.
What BSI expects
The IT-Grundschutz Kompendium requires a documented Kryptokonzept (building block CON.1): which algorithms, key lengths and protocols are used where, and how keys are managed. BSI TR-02102-1 supplies the concrete numbers: RSA and discrete-log systems at least 3000 bit, elliptic curves at least 250 bit, SHA-256 or stronger, authenticated encryption modes, and quantum-safe hybrid key exchange recommended for new systems. TR-02102-2 applies the same logic to TLS.
What Korthex flags against TR-02102
- RSA below 3000 bit (TR-02102 recommendation; below 2048 bit critical under every framework)
- Elliptic-curve cryptography below 250 bit
- MD5 and SHA-1 anywhere they carry security: signatures, integrity, password paths
- Non-AEAD modes: AES-ECB, CBC without integrity protection, missing IVs, key reuse
- Legacy TLS protocol versions and cipher suites per TR-02102-2
- Quantum-vulnerable RSA, ECC and Diffie-Hellman, with the ML-KEM / ML-DSA migration path that matches the BSI hybrid guidance
Kryptokonzept evidence, generated
The CBOM is the living annex to your Kryptokonzept: the inventory of what is actually deployed, regenerated per scan or per commit, with file and line evidence, severity, taint verdict and compliance status. Export as PDF for Grundschutz assessments and audits, or as CycloneDX and JSON for tooling.
Built for German and EU environments
Korthex runs 100% on-premise and air-gapped, the deployment model German federal, state and KRITIS environments typically require: source code never leaves the infrastructure. It is built in Germany by Flowence, and the same scan also maps findings to NIST FIPS 140-3, FIPS 203 / 204 / 205, PCI-DSS and ISO 27001, so international teams satisfy BSI and their other frameworks in one pass. The EU coordinated PQC roadmap expects first migration steps by the end of 2026; the quantum-exposure bucket in the CBOM is that first step.
Frequently asked questions
What is CON.1 in IT-Grundschutz?
CON.1 is the Kryptokonzept building block of the IT-Grundschutz Kompendium. It requires organizations to document and implement rules for cryptographic procedures: which algorithms, key lengths and protocols are used, where, and how keys are managed.
Which key lengths does BSI TR-02102 recommend?
TR-02102-1 recommends at least 3000 bit for RSA and discrete-log systems, at least 250 bit for elliptic curves, SHA-256 or stronger hashes, and authenticated encryption modes. For new systems it recommends quantum-safe hybrid key exchange.
Does Korthex work in air-gapped environments?
Yes. Korthex runs fully on-premise including air-gapped operation, as a CLI or inside CI/CD. Source code never leaves your infrastructure.
Does Korthex replace the Kryptokonzept document?
No. The Kryptokonzept remains your policy document. Korthex generates the inventory and evidence side of it: what is actually deployed, where it deviates, and the ordered migration plan to fix deviations.
Is the report available in German?
Reports are in English. Findings are mapped to the German standards (IT-Grundschutz, TR-02102) regardless of report language, with the requirement reference attached per finding.