Archived TD0357: AES Modes for the MACsec EP
TD0134 added FCS_COP.1.1(5) to specify required algorithms for MACsec. It is not clear what this SFR is specifying, because AES Key Wrap in CMAC mode does not exist. NIST SP 800-38F specifies KW, KWP, and TKW modes. NIST SP 800-38B specifies CMAC mode. The test requirements specify CMAC tests but do not specify any KW tests.
This TD has been superseded by TD 0466 and is archived as of 11-15-2019.
FCS_COP.1.1(5) is modified as follows:
FCS_COP.1.1(5) Refinement: The TSF shall perform encryption/decryption in accordance with a specified cryptographic algorithm AES used in AES Key Wrap, GCM and cryptographic key sizes 128 bits, 256 bits that meet the following: AES as specified in ISO 18033-3, AES Key Wrap as specified in NIST SP 800-38F, GCM as specified in ISO 19772.
Application Note: This EP mandates the use of GCM for MACsec and AES Key Wrap for key distribution so this SFR has been further refined from the NDcPP.
The evaluator shall verify that the TSS describes the supported AES modes that are required for this EP in addition to the ones already required by the NDcPP.
No additional guidance review activities are required.
The evaluator shall perform testing for AES-GCM as required by the NDcPP.
In addition to the tests specified in the NDcPP for this SFR, the evaluator shall perform the following tests for AES Key Wrap in accordance with the NIST “Key Wrap Validation System”:
To test the authenticated encryption capability of AES KW, the evaluator shall provide the TSF, for each key length, five sets of 100 messages and keys. Each set of messages and keys shall correspond to one of five plaintext message lengths (detailed below). The evaluator shall have the TSF encrypt the messages with the associated key. The evaluator shall verify that the correct ciphertext was generated in each case.
To test the authenticated decryption capability of AES KW, the evaluator shall provide the TSF, for each key length, five sets of 100 ciphertext values and keys. Each set of ciphertexts and keys shall correspond to one of five plaintext message lengths (detailed below). For each set of 100 ciphertext values, 20 shall not be authentic (i.e. fail authentication). The evaluator shall have the TSF decrypt the ciphertext messages with the associated key. The evaluator will then verify the correct plaintext was generated or the failure to authenticate was correctly detected.
The messages in each set for both tests shall be the following lengths:
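The two KW tests above check wrapping against known answers and unwrapping of both authentic and deliberately non-authentic ciphertexts. The following Go program is an added example, not part of the TD and not the code of any evaluated TOE: it implements the KW wrap and unwrap functions of NIST SP 800-38F (the RFC 3394 process) on the standard library's AES block cipher, checks them against the RFC 3394 section 4.1 known-answer vector, and then flips one bit of the ciphertext to show that a non-authentic input is rejected without releasing any plaintext. The function names (KeyWrap, KeyUnwrap, xorCounter, mustHex) are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the fixed 64-bit integrity check value (ICV) of SP 800-38F KW / RFC 3394.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the 64-bit big-endian step counter t into the register a.
func xorCounter(a []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := range a {
		a[k] ^= tb[k]
	}
}

// KeyWrap is the KW authenticated-encryption function for n >= 2 semiblocks.
func KeyWrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext)%8 != 0 || len(plaintext) < 16 {
		return nil, errors.New("KW: plaintext must be at least two 64-bit semiblocks")
	}
	block, err := aes.NewCipher(kek) // only 128/192/256-bit KEKs are accepted
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := append([]byte(nil), kwIV...)      // A = ICV
	r := append([]byte(nil), plaintext...) // R[1..n] = P[1..n]
	b := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a)
			copy(b[8:], r[i*8:(i+1)*8])
			block.Encrypt(b, b)            // B = AES(K, A | R[i])
			copy(a, b[:8])                 // A = MSB64(B) ^ t
			xorCounter(a, uint64(n*j+i+1)) // t = (n*j) + i with i counted from 1
			copy(r[i*8:(i+1)*8], b[8:])    // R[i] = LSB64(B)
		}
	}
	return append(a, r...), nil // C = A | R[1..n]
}

// KeyUnwrap is the KW authenticated-decryption function; it returns no plaintext
// when the recovered ICV is wrong, which is how a non-authentic input is detected.
func KeyUnwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext)%8 != 0 || len(ciphertext) < 24 {
		return nil, errors.New("KW: ciphertext must be at least three 64-bit semiblocks")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	a := append([]byte(nil), ciphertext[:8]...)
	r := append([]byte(nil), ciphertext[8:]...)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			xorCounter(a, uint64(n*j+i+1))
			copy(b[:8], a)
			copy(b[8:], r[i*8:(i+1)*8])
			block.Decrypt(b, b) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, b[:8])
			copy(r[i*8:(i+1)*8], b[8:])
		}
	}
	// Constant-time ICV check: a mismatch is the "failure to authenticate" case.
	if subtle.ConstantTimeCompare(a, kwIV) != 1 {
		return nil, errors.New("KW: integrity check failed")
	}
	return r, nil
}

// mustHex decodes a hex test vector (example helper, not part of the TD).
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 3394 section 4.1 known-answer test (128-bit KEK, 128-bit key data).
	kek := mustHex("000102030405060708090A0B0C0D0E0F")
	ct, err := KeyWrap(kek, mustHex("00112233445566778899AABBCCDDEEFF"))
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped:", hex.EncodeToString(ct)) // 1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5
	ct[12] ^= 0x01 // a single flipped bit must make the unwrap fail authentication
	if _, err := KeyUnwrap(kek, ct); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

An evaluator harness for the TD's decryption test would feed KeyUnwrap the 100 ciphertexts per set and count exactly 20 integrity failures; note that KW only accepts plaintexts that are whole semiblocks of at least 16 bytes, so the five message lengths chosen for the test must respect that.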
In addition, a modified version of FCS_COP.1/KeyedHash from the NDcPP is added:
FCS_COP.1(1)/KeyedHashCMAC Cryptographic Operation (AES-CMAC Keyed Hash Algorithm)
FCS_COP.1.1(1)/KeyedHash:CMAC Refinement: FCS_COP.1.1(c) Refinement: The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm [AES-CMAC] and cryptographic key sizes [selection: 128, 256 bits] and message digest size of 128 bits that meets NIST SP 800-38B.
Application Note: AES-CMAC is a keyed hash function that is used as part of the key derivation function (KDF) that is used for key generation.
CMAC Generation Test
To test the generation capability of AES-CMAC, the evaluator shall provide to the TSF, for each key length-message length-CMAC length tuple (in bytes), a set of 8 arbitrary key-plaintext tuples that will result in the generation of a known MAC value when encrypted. The evaluator will then verify that the correct MAC was generated in each case.
CMAC Verification Test
To test the verification capability of AES-CMAC, the evaluator shall provide to the TSF, for each key length-message length-CMAC length tuple (in bytes), a set of 20 arbitrary key-MAC tuples that will result in the generation of known messages when verified. The evaluator will then verify that the correct message was generated in each case.
The following information should be used by the evaluator to determine the key length-message length-CMAC length tuples that should be tested:
- Key length: values will include the following:
- Message length: values will include the following:
  - 0 (optional)
  - Largest value supported by the implementation (no greater than 65536)
  - Two values divisible by 16
  - Two values not divisible by 16
- CMAC length:
  - Smallest value supported by the implementation (no less than 1)
  - Any supported CMAC length between the minimum and maximum values
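The CMAC generation and verification tests, together with the tuple list above, exercise three things an implementation can get wrong: the empty message, the final-block handling for lengths that are and are not multiples of 16, and truncation to a shorter CMAC length. The following Go program is an added example, not part of the TD and not the code of any evaluated TOE: it implements AES-CMAC per NIST SP 800-38B on the standard library's AES, with the subkey derivation done by doubling in GF(2^128), exposes the tag length as a parameter so truncated CMAC lengths can be tested, and verifies tags in constant time. It checks itself against the RFC 4493 known-answer vectors for an AES-128 key and message lengths 0, 16 and 40 bytes (the TD's 128- and 256-bit key selection is a property of the TOE; the published vectors used here happen to be AES-128). The names dbl, xorInto, AESCMAC, VerifyCMAC and mustHex are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// dbl multiplies a 128-bit block by x in GF(2^128), the SP 800-38B subkey step.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if carry != 0 {
		out[15] ^= 0x87 // reduce by R128 = x^128 + x^7 + x^2 + x + 1
	}
	return out
}

// xorInto XORs src into dst in place; len(src) must be >= len(dst).
func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESCMAC computes AES-CMAC over msg and returns its leftmost tagLen bytes,
// which is the "CMAC length" parameter of the TD's test tuples.
func AESCMAC(key, msg []byte, tagLen int) ([]byte, error) {
	if tagLen < 1 || tagLen > 16 {
		return nil, errors.New("CMAC: tag length must be 1..16 bytes")
	}
	block, err := aes.NewCipher(key) // 128- or 256-bit keys per the SFR; AES-192 is also accepted
	if err != nil {
		return nil, err
	}
	l := make([]byte, 16)
	block.Encrypt(l, l) // L = CIPH_K(0^128)
	k1 := dbl(l)        // K1 = L * x
	k2 := dbl(k1)       // K2 = L * x^2
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1 // the empty message is one incomplete (all-padding) block
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ { // CBC-MAC over every block but the last
		xorInto(x, msg[i*16:(i+1)*16])
		block.Encrypt(x, x)
	}
	last := make([]byte, 16)
	if rem := copy(last, msg[(n-1)*16:]); rem == 16 {
		xorInto(last, k1) // complete final block: mask with K1
	} else {
		last[rem] = 0x80 // incomplete final block: 10* padding, mask with K2
		xorInto(last, k2)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x[:tagLen], nil // MSB(tagLen*8) of the full 128-bit CMAC
}

// VerifyCMAC recomputes the tag and compares in constant time (the verification test).
func VerifyCMAC(key, msg, tag []byte) bool {
	want, err := AESCMAC(key, msg, len(tag))
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

// mustHex decodes a hex test vector (example helper, not part of the TD).
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 4493 section 4 known-answer tests: AES-128 key, message prefixes of 0, 16 and 40 bytes.
	key := mustHex("2b7e151628aed2a6abf7158809cf4f3c")
	msg := mustHex("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411")
	for _, n := range []int{0, 16, 40} { // empty, divisible by 16, not divisible by 16
		tag, err := AESCMAC(key, msg[:n], 16)
		if err != nil {
			panic(err)
		}
		fmt.Printf("len %2d: %s\n", n, hex.EncodeToString(tag))
	}
	tag, _ := AESCMAC(key, msg[:16], 8) // a truncated CMAC length of 8 bytes
	fmt.Println("verify genuine tag:", VerifyCMAC(key, msg[:16], tag))
	tag[0] ^= 0x80
	fmt.Println("verify forged tag: ", VerifyCMAC(key, msg[:16], tag))
}
```

For the generation test an evaluator harness would call AESCMAC for each (key length, message length, CMAC length) tuple and compare against the expected MACs; for the verification test it would call VerifyCMAC on the 20 key-MAC tuples and check that only the genuine tags are accepted.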
Justification: See issue description.