NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0031:  ANSI X9.31 Reference in FCS_CKM.1(2) in VPN GW EP

Publication Date
2015.01.12

Protection Profiles
PP_ND_V1.1

Other References
PP_ND_VPN_GW_EP_V.1.1, requirement FCS_CKM.1(2), PP_ND_V1.1

Issue Description

The FCS_CKM.1(2) SFR states:

The TSF shall generate asymmetric cryptographic keys used for IKE peer authentication in accordance with a:

[selection, choose at least one of:

  • FIPS PUB 186-3, “Digital Signature Standard (DSS)”, Appendix B.3 for RSA schemes;
  • FIPS PUB 186-3, “Digital Signature Standard (DSS)”, Appendix B.4 for ECDSA schemes and implementing “NIST curves” P-256, P-384 and [selection: P-521, no other curves];
  • ANSI X9.31-1998, Appendix A.2.4 Using AES for RSA schemes
]

ANSI X9.31-1998, Appendix A.2.4 requires the use of what is commonly known as the “ANSI X9.31 RNG.” The ANSI X9.31 RNG is a general-purpose random number generator that requires the use of DES and is not an allowed selection in FCS_RBG_EXT.1.

Resolution

Change the reference for ANSI X9.31-1998 in the selection from "Appendix A.2.4" to "Section 4.1."

Justification

This reference was corrected in FCS_CKM.1(1) in the MDF PP 2.0; for the ANSI X9.31-1998 option in the selection, "Appendix A.2.4" was replaced with "Section 4.1".

 
 