NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0195:  NIT Technical Decision Making DH Group 14 optional in FCS_IPSEC_EXT.1.11

Publication Date

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References

Issue Description

The NIT has issued a Technical Decision making DH Group 14 optional in FCS_IPSEC_EXT.1.11.


To align with NIT interpretation # 201702a, FCS_IPSEC_EXT.1.11 is modified as follows:

FCS_IPSEC_EXT.1.11 The TSF shall ensure that IKE protocols implement DH Group(s) [selection: 14 (2048-bit MODP), 19 (256-bit Random ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP)] and [selection: 5 (1536-bit MODP), no other group].

The application note related to FCS_IPSEC_EXT.1.11 shall be modified as follows:

"The selection is used to specify DH groups supported. This applies to IKEv1 and IKEv2 exchanges. It should be noted that if any additional DH groups are specified, they must comply with the requirements (in terms of the ephemeral keys that are established) listed in FCS_CKM.1."

For further information, please see the NIT interpretation at:


See issue description.

Site Map              Contact Us              Home