NIAP: View Technical Decision Details
Archived TD0273:  Rekey after CAK expiration

Publication Date
2017.12.20

Protection Profiles
PP_NDCPP_MACSEC_EP_V1.2

Other References
FCS_MACSEC_EXT.4

Issue Description

Issue 1: There is a discrepancy in PP_NDCPP_MACSEC_EP_V1.2: Test 2 requires verification that a CAK is protected when distributed, yet none of the elements of FCS_MACSEC_EXT.4 state that the CAK must be wrapped, and FCS_MACSEC_EXT.4.2 specifically requires the SAK to be wrapped.

Issue 2: Additionally, FCS_MACSEC_EXT.4 Test 3 and FMT_SMF.1 Test 3 are almost identical, and do not account for TOEs that only support pre-shared keys for CAK establishment.

Resolution

For Issue 1: There is a typo in the PP_NDCPP_MACSEC_EP_V1.2.  Therefore, FCS_MACSEC_EXT.4 Test 2 is modified to replace the word “CAK” with “SAK” as follows:

Test 2: The evaluator shall capture traffic between the TOE and a MACsec-capable peer in the Operational Environment. The evaluator shall then cause the TOE to distribute a SAK to that peer, capture the MKPDUs from that operation, and verify the key is wrapped in the captured MKPDUs.

 

For Issue 2: FCS_MACSEC_EXT.4 Test 3 and FMT_SMF.1 Test 3 are duplicative; therefore, FCS_MACSEC_EXT.4 Test 3 shall be removed.

Justification

See issue description.
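
The structural part of the modified Test 2, as an added example that is not part of the NIAP text: it walks a captured MKPDU body (EAPOL header already stripped), finds the Distributed SAK parameter set and checks that its key field has the size of an AES Key Wrap (RFC 3394) output. The field layout and type value are assumed from IEEE 802.1X-2010, and the function names and sample bytes are constructed. A size match is necessary but not sufficient: only unwrapping with the KEK proves the key is wrapped.

```python
import struct

# Field layout assumed from IEEE 802.1X-2010 MKPDU encoding; it is not given on this page.
DISTRIBUTED_SAK = 4      # parameter set type
ICV_LEN = 16             # default ICV trailing the MKPDU
# body length -> (cipher suite field present, AES Key Wrap output length)
WRAPPED_BODY = {28: (False, 24), 36: (True, 24), 52: (True, 40)}

def parameter_sets(mkpdu: bytes):
    """Yield (type, flags, body) for each parameter set after the Basic one."""
    limit = len(mkpdu) - ICV_LEN
    off, first = 0, True
    while off + 4 <= limit:
        ptype, flags, length = struct.unpack_from("!BBH", mkpdu, off)
        end = off + 4 + (length & 0x0FFF)          # low 12 bits hold the body length
        if end > limit:
            raise ValueError("parameter set overruns MKPDU")
        if not first:                              # first set is the Basic parameter set
            yield ptype, flags, mkpdu[off + 4:end]
        off, first = (end + 3) & ~3, False         # sets are padded to 4 octets

def check_sak_distribution(mkpdu: bytes) -> dict:
    """Report whether a Distributed SAK set has the size of an RFC 3394 wrapped key."""
    for ptype, flags, body in parameter_sets(mkpdu):
        if ptype != DISTRIBUTED_SAK:
            continue
        if len(body) not in WRAPPED_BODY:          # e.g. a bare 16-octet key gives 20
            return {"found": True, "wrapped_size": False, "body_len": len(body)}
        has_suite, wrap_len = WRAPPED_BODY[len(body)]
        return {"found": True, "wrapped_size": True, "body_len": len(body),
                "an": flags >> 6,                  # Distributed AN, top two bits
                "key_number": struct.unpack_from("!I", body)[0],
                "cipher_suite": body[4:12].hex() if has_suite else None,
                "wrapped_key": body[-wrap_len:].hex()}
    return {"found": False}

# Constructed sample (not a real capture): Basic set, Distributed SAK set, 16-octet ICV.
BASIC_SET = struct.pack("!BBH", 1, 0, 0xC000 | 32) + bytes(32)
DSAK_SET = struct.pack("!BBHI", DISTRIBUTED_SAK, 0x40, 28, 1) + bytes(range(24))
SAMPLE_MKPDU = BASIC_SET + DSAK_SET + bytes(ICV_LEN)

if __name__ == "__main__":
    print(check_sak_distribution(SAMPLE_MKPDU))
```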

 
 