NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0031:  ANSI X9.31 Reference in FCS_CKM.1(2) in VPN GW EP

Publication Date

Protection Profiles

Other References
PP_ND_VPN_GW_EP_V.1.1, requirement FCS_CKM.1(2) , PP_ND_V1.1

Issue Description

The FCS_CKM.1 (2) SFR states:

The TSF shall generate asymmetric cryptographic keys used for IKE peer authentication in accordance with a:

[selection, choose at least one of:

  • FIPS PUB 186-3, “Digital Signature Standard (DSS)”, Appendix B.3 for RSA schemes;
  • FIPS PUB 186-3, “Digital Signature Standard (DSS)”, Appendix B.4 for ECDSA schemes and implementing “NIST curves” P-256, P-384 and [selection: P-521, no other curves];
  • ANSI X9.31-1998, Appendix A.2.4 Using AES for RSA schemes

ANSI X9.31-1998, Appendix A.2.4 requires the use of what is commonly known as the “ANSI X9.31 RNG.” The ANSI X9.31 RNG is a general-purpose random number generator that requires the use of DES and is not an allowed selection in FCS_RBG_EXT.1.


Change the reference for ANSI X9.31-1998 in the selection from "Appendix A.2.4" to "Section 4.1."


This reference was corrected in FCS_CKM.1(1) in the MDF PP 2.0; for the ANSI X9.31-1998 option in the selection, "Appendix A.2.4" was replaced with "Section 4.1".

Site Map              Contact Us              Home