TD0502: Cryptographic selections and updates for MDF PP
Publication Date
2020.09.03
Protection Profiles
PP_MD_V3.1
Other References
FCS_CKM.1, FCS_CKM.2
Issue Description
FCS_CKM.1 and FCS_CKM.2 in the MDF PP do not include/specify appropriate selections for key agreement groups and do not support safe primes. Resolution
FCS_CKM.1 Cryptographic key generation · RSA schemes using cryptographic key sizes of 2048-bit or greater that meet FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3, · ECC schemes using [ - “NIST curves” P-384 and [ - Curve25519 schemes that meet the following: RFC 7748], · FFC schemes using - cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1 - Diffie-Hellman group 14 that meet the following: RFC3526, - "safe-prime" groups that meet the following: 'NIST Special Publication 800-56A Revision 3, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"'] ].
If the TOE acts only as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation. Curve25519 can only be used for ECDH and in conjunction with FDP_DAR_EXT.2.2.
Testing for FFC Schemes using Diffie-Hellman group 14 and/or "safe-prime" groups is done as part of testing in FCS_CKM.2(1).
FCS_CKM.2(1) Cryptographic key establishment FCS_CKM.2.1(1) The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method · RSA-based key establishment schemes that meet the following [ - NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”, - RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, "Public-Key Cryptography Standards (PKCS) #1:RSA Cryptography Specifications Version 2.2"] · Elliptic curve-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”, · Finite field-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”, · Key establishment schemes using Diffie-Hellman group 14 that meets the following: RFC 3526].
The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; however, Section 9 relies on implementation of other sections in SP 800-56B. If the TOE only acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.
The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme. If Diffie-Hellman group 14 is selected from FCS_CKM.2, the TSS shall describe how the implementation meets RFC 3526 Section 3. The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s). Assurance Activity Note: The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.
The evaluator shall verify the correctness of the TSF's implementation of RSAES-PKCS1-v1_5 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses RSAES-PKCS1-v1_5.
The evaluator shall verify the correctness of the TSF's implementation of Diffie-Hellman group 14 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses Diffie-Hellman Group 14.
The evaluator shall verify the correctness of the TSF's implementation of "safe-prime" groups by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses "safe-prime" groups. This test must be performed for each "safe-prime" group that each protocol uses.
Justification
See issue description |