NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0095:  NIT Technical Interpretations regarding audit, random bit generation, and entropy in NDcPP

Publication Date

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References

Issue Description

The Network Interpretations Team (NIT) has issued technical interpetations regarding regarding audit, random bit generation, and entropy in the NDcPP v1.0 and FW cPP v1.0.


To align with the NIT interpretations #1, #4, #5, & 6, NIAP supports the interpretations written below.  For further information, please see the NIT interpretations at:


FAU_STG_EXT.1 – Forwarding of audit information to external audit servers

1. Syslog is not mandated. No requirements are placed upon the format or underlying protocol of the audit being transferred. The only requirement is that it is transferred over an ITC transport.

2. The TOE must be capable of being configured to transfer audit data to an external IT entity without administrator intervention. Manual transfer would not meet the requirements. Transmission could be done in real-time or periodically. In case the transmission would not be done in real-time the TSS has to provide details about the possible as well as acceptable frequency for the transfer of audit data.

3. If the audit server is not part of the TOE, there are no requirements on it except the capabilities for ITC transport for audit data.


FCS_COP.1 – Using CTR-DBRG for random bit generation

Explicit claim of AES in CTR mode is not required to satisfy DRBG requirements as long as ST includes at least one AES claim of the same key size.


FCS_RBG_EXT.1.1 – Using /dev/random as a third party source of entropy

No, /dev/random is not considered a third party entropy source. There is substantial public documentation regarding /dev/random and it is expected that a vendor understand the source they are using to provide the basic security of their device.


Annex D.4 – Health testing for entropy sources

Mandating specific tests for health testing in the ND cPP or FW cPP might interfere with other existing requirements from standards, scheme requirements or national regulations. From NIT's perspective there is no need at present to mandate specific health tests in ND cPP or FW cPP. Section D.4 shall remain unchanged.


See issue description.

Site Map              Contact Us              Home