#20 - SOF for cryptographic algorithms

Date: 01/30/2004

Interim Statement: The CC in ASE_REQ.1.10C requires that the security functional requirements for which an explicit strength of function is appropriate are identified and a metric provided. This is verified in AVA_SOF.1. The CC specifies in part 1 chapter 1 item e) that assessments for the inherent qualities of cryptographic algorithms are not covered in this standard. The CCIMB is currently rewriting the ASE and APE requirements and also plans to delete the AVA_SOF family, but wants to clarify these statements by providing the following as an interim response:

The CCIMB believes that the assessment of strength of cryptographic algorithms is outside the scope of the CC. Strength of function claims apply only to non-cryptographic, probabilistic/permutational mechanisms. Therefore, where a PP/ST contains a minimum SOF claim, this does not apply to any cryptographic mechanisms with respect to a CC evaluation.

Where cryptographic mechanisms are included in a TOE, the PP/ST should include a clear statement that the assessment of algorithmic strength does not form part of the evaluation. The CC evaluator should not assess the mathematical properties of the algorithm, and therefore no strength of function claim should be made about it. Schemes are free to mandate the inclusion of specific scheme statements about the value and appropriateness of particular algorithms, based on scheme policy.

If the only probabilistic/permutational mechanisms within the TOE are cryptographic, the overall SOF claim is still made. The overall SOF claim helps to serve as a minimum threshold that must be met by any security function implemented by noncryptographic probabilistic/permutational mechanisms.