RI # 20 - SOF for cryptographic algorithms

Type: Explanation/Clarification
Source: CEMEB
Date: 12/07/1998
Status: Closed
Source #: CEMEB20
CC Part #1 Reference:
CC Part #2 Reference:
CC Part #3 Reference: CC Part 3, Section 5.6 (ASE_REQ); CC Part 3, Section 14.3 (AVA_SOF)
CEM Reference:
Reason: Issue for CEM development
Problem:

ASE_REQ.1.10C of the CC requires that the security functional requirements for which an explicit strength of function is appropriate be identified and a metric provided. This is verified in AVA_SOF.1. The CC also specifies, in Part 1, chapter 1, item e), that assessment of the inherent qualities of cryptographic algorithms is not covered by the standard. The CEMEB is uncertain how these two statements interact. For example, if functional requirements such as FDP_UCT.1 or FCO_NRO.1 are selected, a strength of function seems applicable. The mechanism that implements the requirement, which is likely to use cryptographic algorithms, should then also have a strength of function claim. If a digital signature scheme is used for FCO_NRO.1, could it claim a SOF, or would it be outside the CC scope?

The CEMEB will work on the assumption that cryptographic algorithms (e.g. DES, IDEA, MD-5) and the modes in which they are used (e.g. Output Feed Back) are considered black boxes, and that no claims should be made for strength (outside the boundaries of the CC). The protocols in which they are used (e.g. protocol interactions) should be verified using the strength claims of the 'black boxes' as given.

Proposed Solution: