The restriction to three modes of AES for encryption/decryption in FCS_COP.1 is limiting. Given the variety of software applications available in the market, inclusion of additional modes was considered to account for other implementations.

This TD is archived and replaced with TD0598

FCS_COP.1(1) is replaced as follows:

FCS_COP.1.1(1) The application shall perform encryption/decryption in accordance with a specified cryptographic algorithm [selection:

- AES-CBC (as defined in NIST SP 800-38A) mode,

- AES-GCM (as defined in NIST SP 800-38D) mode,

- AES-XTS (as defined in NIST SP 800-38E) mode,

- AES-CCM (as defined in NIST SP 800-38C) mode,

] and cryptographic key sizes [selection: 128-bit, 256-bit].

The application note is unchanged. 

The following AES-CCM Tests are added to the Evaluation Activities for FCS_COP.1(1).

Tests

AES-CCM Tests

It is not recommended that evaluators use values obtained from static sources such as http://csrc.nist.gov/groups/STM/cavp/documents/mac/ccmtestvectors.zip or use values not generated expressly to exercise the AES-CCM implementation.

The evaluator shall test the generation-encryption and decryption-verification functionality of AES-CCM for the following input parameter and tag lengths:

Keys: All supported and selected key sizes (e.g., 128, 256 bits).

Associated Data: Two or three values for associated data length: The minimum (≥ 0 bytes) and maximum (≤ 32 bytes) supported associated data lengths, and 2^16 (65536) bytes, if supported.

Payload: Two values for payload length: The minimum (≥ 0 bytes) and maximum (≤ 32 bytes) supported payload lengths.

Nonces: All supported nonce lengths (7, 8, 9, 10, 11, 12, 13) in bytes.

Tag: All supported tag lengths (4, 6, 8, 10, 12, 14, 16) in bytes.

The testing for CCM consists of five tests. To determine correctness in each of the below tests, the evaluator shall compare the ciphertext with the result of encryption of the same inputs with a known good implementation.

Variable Associated Data Test

For each supported key size and associated data length, and any supported payload length, nonce length, and tag length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext.

Variable Payload Test

For each supported key size and payload length, and any supported associated data length, nonce length, and tag length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext.

Variable Nonce Test

For each supported key size and nonce length, and any supported associated data length, payload length, and tag length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext.

Variable Tag Test

For each supported key size and tag length, and any supported associated data length, payload length, and nonce length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload values, and obtain the resulting ciphertext.

Decryption-Verification Process Test

To test the decryption-verification functionality of AES-CCM, for each combination of supported associated data length, payload length, nonce length, and tag length, the evaluator shall supply a key value and 15 sets of input plus ciphertext, and obtain the decrypted payload. Ten of the 15 input sets supplied should fail verification and five should pass.

AES-CCM, as defined in NIST SP800-38C, is a NIST-approved algorithm providing confidentiality and authentication, for which test requirements are available and well-defined. The inclusion of this mode expands the application software implementations that can be evaluated.