Archived TD0355: FCS_CKM.1/VPN for IKE authentication
In Section 5.3 (App PP Security Functional Requirements Direction), FCS_CKM.1.1 does not allow a selection operation to permit the TOE or TOE Platform to meet the requirement. It also is not refined to “IKE peer authentication”.
The following SFR is added to Section 5.3.3:
FCS_CKM.1/VPN Cryptographic Key Generation (IKE)
FCS_CKM.1.1/VPN The application shall [selection: invoke platform-provided functionality, implement functionality] to generate asymmetric cryptographic keys used for IKE peer authentication in accordance with: [selection:
and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.
Application Note: The keys that are required to be generated by the TOE through this requirement are intended to be used for the authentication of the VPN entities during the IKE (either v1 or v2) key exchange. While it is required that the public key be associated with an identity in an X509v3 certificate, this association is not required to be performed by the TOE, and instead is expected to be performed by a Certificate Authority in the Operational Environment.
As indicated in FCS_IPSEC_EXT.1, the TOE is required to implement support for RSA or ECDSA (or both) for authentication.
See NIST Special Publication 800-57, “Recommendation for Key Management” for information about equivalent key strengths.
In addition, the following assurance activities are added to Section 2.3.4 of PP-Module for Virtual Private Network (VPN Clients) Supporting Document:
18.104.22.168.2 FCS_CKM.1/VPN Cryptographic Key Generation (IKE)
The evaluator shall examine the TSS to verify that it describes how the key generation functionality is invoked.
There are no AGD Assurance Activities for this requirement.
Refer to the Assurance Activity for FCS_CKM.1(1) in the App PP.
The same construct is used for the GPOS and MDF base PPs in the PP-Module.