Archived
TD0502: Cryptographic selections and updates for MDF PP
Publication Date
2020.09.03
Protection Profiles
PP_MD_V3.1
Other References
FCS_CKM.1, FCS_CKM.2
Issue Description
FCS_CKM.1 and FCS_CKM.2 in the MDF PP do not include/specify appropriate selections for key agreement groups and do not support safe primes. Resolution
This TD supersedes TD0426. FCS_CKM.1 is modified as follows: FCS_CKM.1 Cryptographic key generation · RSA schemes using cryptographic key sizes of 2048-bit or greater that meet FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3, · ECC schemes using [selection: - “NIST curves” P-384 and [selection: P-256, P-521, no other curves] that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4, - Curve25519 schemes that meet the following: RFC 7748], · FFC schemes using [selection: - cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1, - Diffie-Hellman group 14 that meet the following: RFC3526, - "safe-prime" groups that meet the following: 'NIST Special Publication 800-56A Revision 3, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"'] ].
If the TOE acts only as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation. Curve25519 can only be used for ECDH and in conjunction with FDP_DAR_EXT.2.2. Under Evaluation Activity -> Tests -> Key Generation for Curve25519 is replaced as follows: Key Generation for Curve25519 a. confirm the private and public keys are 32-byte values b. confirm the three least significant bits of the first byte of the private key are zero c. confirm the most significant bit of the last byte is zero d. confirm the second most significant bit of the last byte is one e. calculate the expected public key from the private key and confirm it matches the supplied public key
Under Evaluation Activity -> Tests, add the following: Diffie-Hellman Group 14 and FFC Schemes using "safe-prime" groups Testing for FFC Schemes using Diffie-Hellman group 14 and/or "safe-prime" groups is done as part of testing in FCS_CKM.2(1). FCS_CKM.2(1) is modified as follows: FCS_CKM.2(1) Cryptographic key establishment FCS_CKM.2.1(1) The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method [selection: · RSA-based key establishment schemes that meet the following [selection: - NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”, - RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, "Public-Key Cryptography Standards (PKCS) #1:RSA Cryptography Specifications Version 2.2"] · Elliptic curve-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”, · Finite field-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”, · Key establishment schemes using Diffie-Hellman group 14 that meets the following: RFC 3526]. Application Note: The ST author shall select all key establishment schemes used for the selected cryptographic protocols and any RSA-based key establishment schemes that may used to satisfy FDP_DAR or FCS_STG. Also, FCS_TLSC_EXT.1 requires ciphersuites that use RSA-based key establishment schemes. The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; however, Section 9 relies on implementation of other sections in SP 800-56B. If the TOE only acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.
Assurance Activity The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme. If Diffie-Hellman group 14 is selected from FCS_CKM.2, the TSS shall describe how the implementation meets RFC 3526 Section 3. The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s). Assurance Activity Note: The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.
Under Assurance Activity -> Tests, add the following: RSAES-PKCS1-v1_5 Key Establishment Schemes The evaluator shall verify the correctness of the TSF's implementation of RSAES-PKCS1-v1_5 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses RSAES-PKCS1-v1_5. Diffie-Hellman Group 14 The evaluator shall verify the correctness of the TSF's implementation of Diffie-Hellman group 14 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses Diffie-Hellman Group 14. FFC Schemes using "safe-prime" groups The evaluator shall verify the correctness of the TSF's implementation of "safe-prime" groups by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses "safe-prime" groups. This test must be performed for each "safe-prime" group that each protocol uses.
Justification
See issue description |