NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0502:  Cryptographic selections and updates for MDF PP

Publication Date
2020.09.03

Protection Profiles
PP_MD_V3.1

Other References
FCS_CKM.1, FCS_CKM.2

Issue Description

FCS_CKM.1 and FCS_CKM.2 in the MDF PP do not include/specify appropriate selections for key agreement groups and do not support safe primes.

Resolution

This TD supersedes TD0426.

FCS_CKM.1 is modified as follows:

FCS_CKM.1 Cryptographic key generation
FCS_CKM.1.1 The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:

·         RSA schemes using cryptographic key sizes of 2048-bit or greater that meet FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3,

·         ECC schemes using [selection:

-          “NIST curves” P-384 and [selection: P-256, P-521, no other curves] that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4,

-          Curve25519 schemes that meet the following: RFC 7748],

·         FFC schemes using [selection:

-          cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1,

-          Diffie-Hellman group 14 that meet the following: RFC3526,

-          "safe-prime" groups that meet the following: 'NIST Special Publication 800-56A Revision 3, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"']

].


Application Note: The ST author shall select all key generation schemes used for key establishment and entity authentication. When key generation is used for key establishment, the schemes in FCS_CKM.2.1(1) and selected cryptographic protocols must match the selection. When key generation is used for entity authentication, the public key may be associated with an X.509v3 certificate.

If the TOE acts only as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.

Curve25519 can only be used for ECDH and in conjunction with FDP_DAR_EXT.2.2.

Under Evaluation Activity -> Tests -> Key Generation for Curve25519 is replaced as follows:

Key Generation for Curve25519

The evaluator shall require the implementation under test (IUT) to generate 10 private/public key pairs. The private key shall be generated as specified in RFC 7748 using an approved random bit generator (RBG) and shall be written in little-endian order (least significant byte first). To determine correctness, the evaluator shall submit the generated key pairs to the public key verification (PKV) function of a known good implementation.

Note: Assuming the PKV function of the good implementation will (using little-endian order):

a.      confirm the private and public keys are 32-byte values

b.      confirm the three least significant bits of the first byte of the private key are zero

c.       confirm the most significant bit of the last byte is zero

d.      confirm the second most significant bit of the last byte is one

e.       calculate the expected public key from the private key and confirm it matches the supplied public key



The evaluator shall generate 10 private/public key pairs using the key generation function of a known good implementation and modify 5 of the public key values so that they are incorrect, leaving five values unchanged (i.e. correct). The evaluator shall obtain in response a set of 10 PASS/FAIL values.

Under Evaluation Activity -> Tests, add the following:

Diffie-Hellman Group 14 and FFC Schemes using "safe-prime" groups

Testing for FFC Schemes using Diffie-Hellman group 14 and/or "safe-prime" groups is done as part of testing in FCS_CKM.2(1).

FCS_CKM.2(1) is modified as follows:

FCS_CKM.2(1) Cryptographic key establishment

FCS_CKM.2.1(1) The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method [selection:

·         RSA-based key establishment schemes that meet the following [selection:

-          NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”,

-          RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, "Public-Key Cryptography Standards (PKCS) #1:RSA Cryptography Specifications Version 2.2"]

·         Elliptic curve-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,

·         Finite field-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,

·         Key establishment schemes using Diffie-Hellman group 14 that meets the following: RFC 3526].

Application Note: The ST author shall select all key establishment schemes used for the selected cryptographic protocols and any RSA-based key establishment schemes that may used to satisfy FDP_DAR or FCS_STG. Also, FCS_TLSC_EXT.1 requires ciphersuites that use RSA-based key establishment schemes.

The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; however, Section 9 relies on implementation of other sections in SP 800-56B. If the TOE only acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.



The elliptic curves used for the key establishment scheme shall correlate with the curves specified in FCS_CKM.1.1.

The domain parameters used for the finite field-based key establishment scheme are specified by the key generation according to FCS_CKM.1.1.

Assurance Activity

The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.

If Diffie-Hellman group 14 is selected from FCS_CKM.2, the TSS shall describe how the implementation meets RFC 3526 Section 3.

The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s).

Assurance Activity Note: The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.

 

Under Assurance Activity -> Tests, add the following:

RSAES-PKCS1-v1_5 Key Establishment Schemes

The evaluator shall verify the correctness of the TSF's implementation of RSAES-PKCS1-v1_5 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses RSAES-PKCS1-v1_5.

Diffie-Hellman Group 14

The evaluator shall verify the correctness of the TSF's implementation of Diffie-Hellman group 14 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses Diffie-Hellman Group 14.

FFC Schemes using "safe-prime" groups

The evaluator shall verify the correctness of the TSF's implementation of "safe-prime" groups by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses "safe-prime" groups. This test must be performed for each "safe-prime" group that each protocol uses.

 

 

Justification

See issue description

 
 
Site Map              Contact Us              Home