TD0573: Update to FCS_COP and FCS_CKM in ESM PPs
Publication Date
2021.01.29
Protection Profiles
PP_ESM_AC_V2.1, PP_ESM_ICM_V2.1, PP_ESM_PM_V2.1
Other References
FCS_CKM.1, FCS_COP.1
Issue Description
The SFRs for cryptographic protocols in the NIAP ESM PPs are outdated and do not describe current expectations with respect to these protocols. Issuance of TDs to update these protocols necessitate revisions to FCS_CKM and FCS_COP, as well. Resolution
· RSA schemes using cryptographic key sizes of 2048-bit or greater that meet thefollowing: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3; · ECC schemes using ‘NIST curves’ P-256, P-384 and [selection: P-521, no other curves] that meet the following: FIPS 186-4, “Digital Signature Standard (DSS)”, Appendix B.4 · FCC schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4 “Digital Signature Standard (DSS)”, Appendix B.1 · FFC Schemes using Diffie-Hellman group 14 that meet the following: RFC 3526, · FFC Schemes using safe primes that meet the following: ‘NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes, · no other key generation methods].
] used for key establishment in accordance with: [selection:
· RSA-based key establishment schemes that meet the following: RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.2;” · Elliptic curve-based key establishment schemes that meet the following: NIST Special Publication 800-56A, Revision 3 “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography;” · Finite field-based key establishment schemes that meet the following: NIST Special Publication 800-56A, Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography;” · Finite field-based key establishment scheme using Diffie-Hellman Group 14 that meets the following: RFC 3526, Section 3; · FFC Schemes using “safe-prime” groups that meet the following: ‘NIST Special Publication 800-56A , “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and [selection: groups listed in RFC 3526, groups listed in RFC 7919]]. and specified cryptographic key sizes [equivalent to, or greater than, 112 bits of security] that meet the following: [standards defined in first selection]. Application Note: This component requires that the TOE be able to generate the public/private key pairs that are used for key establishment purposes for the various cryptographic protocols used by the TOE (e.g., IPsec). If multiple schemes are supported, then the ST author must iterate this requirement to capture this capability. The elliptic curves used for the key establishment scheme correlate with the curves specified in FCS_CKM.1.1. The scheme used will be chosen by the ST author from the selection. Diffie-Hellman Group 14, or MODP-2048, is listed in RFC 3526. For TLS implementing Diffie-Hellman Group 14 select “Finite field-based key establishment scheme using Diffie-Hellman Group 14…” For TLS implementing ffdhe groups using Supported Groups extension listed in RFC 7919, select “FFC Schemes using “safe-prime” groups…” Assurance Activity: TSS The evaluator shall ensure that the TSS identifies the key sizes and key establishment schemes supported by the TOE. The evaluator shall examine the TSS to verify that it identifies the usage for each scheme. Guidance The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s) and key sizes for all uses defined in this PP. Test
SP800-56A Key Establishment Schemes
Function Test
RSA-based key establishment
FFC Schemes usingDiffie-Hellman Group 14
FFC Schemes using “safe-prime” groups
Application Note: For the assignment, the ST author must choose the additional mode or modes in which the AES operates. For the first selection, the ST author must choose the modes that are supported by this functionality. For the assignment, the ST author identifies additional key sizes supported, and for the second selection, the ST author must choose the standards that describe the modes specified in the assignment. Assurance Activity Test
*KAT-1. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 10 plaintext values and obtain the ciphertext value that results from AES-CBC encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 128-bit all-zeros key, and the other five shall be encrypted with a 256-bit all- zeros key. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using 10 ciphertext values as input and AES-CBC decryption.**KAT-2. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 10 key values and obtain the ciphertext value that results from AES-CBC encryption of an all-zeros plaintext using the given key value and an IV of all zeros. Five of the keys shall be 128-bit keys, and the other five shall be 256-bit keys. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using an all-zero ciphertext value as input and AES-CBC decryption.**KAT-3. To test the encrypt functionality of AES-CBC, the evaluator shall supply the two sets of key values described below and obtain the ciphertext value that results from AES encryption of an all-zeros plaintext using the given key value and an IV of all zeros. The first set of keys shall have 128 128-bit keys, and the second set shall have 256 256-bit keys. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1,N]. To test the decrypt functionality of AES-CBC, the evaluator shall supply the two sets of key and ciphertext value pairs described below and obtain the plaintext value that results from AES-CBC decryption of the given ciphertext using the given key and an IV of all zeros. The first set of key/ciphertext pairs shall have 128 128-bit key/ciphertext pairs, and the second set of key/ciphertext pairs shall have 256 256-bit key/ciphertext pairs. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1,N]. The ciphertext value in each pair shall be the value that results in an all-zeros plaintext when decrypted with its corresponding key.**KAT-4. To test the encrypt functionality of AES-CBC, the evaluator shall supply the set of 128 plaintext values described below and obtain the two ciphertext values that result from AES-CBC encryption of the given plaintext using a 128-bit key value of all zeros with an IV of all zeros and using a 256-bit key value of all zeros with an IV of all zeros, respectively. Plaintext value i in each set shall have the leftmost i bits be ones and the rightmost 128-i bits be zeros, for i in [1,128].*
*128 bit and 256 bit keys**Two plaintext lengths. One of the plaintext lengths shall be a non-zero integer multiple of 128 bits, if supported. The other plaintext length shall not be an integer multiple of 128 bits, if supported.Three AAD lengths. One AAD length shall be 0, if supported. One AAD length shall be a non-zero integer multiple of 128 bits, if supported. One AAD length shall not be an integer multiple of 128 bits, if supported.**Two IV lengths. If 96 bit IV is supported, 96 bits shall be one of the two IV lengths tested.*
· RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of 2048 bits or greater, · Elliptic Curve Digital Signature Algorithm (ECDSA) with a key size of 256 bits or greater,
that meets the following: [selection: o RSA Digital Signature Algorithm - FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5 using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; o Elliptic Curve Digital Signature Algorithm - FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, implementing “NIST curves” P-256, P384 and [selection: P-521, no other curves]] ]. Application Note: The ST author must choose the algorithm implemented to perform digital signatures; if more than one algorithm is available, this requirement (and the corresponding FCS_CKM.1 requirement) must be iterated to specify the functionality. For the algorithm chosen, the ST author must make the appropriate assignments/selections to specify the parameters that are implemented for that algorithm. For elliptic curve-based schemes, the key size refers to the log2 of the order of the base point. Assurance Activity:
Application Note: The selection of the hashing algorithm shall correspond to the selection of the message digest size; for example, if SHA-1 is chosen, then the only valid message digest size selection would be 160 bits. Assurance Activity: TSS
Guidance
Tests
Application Note: The selection of the hashing algorithm must correspond to the selection of the message digest size; for example, if HMAC-SHA-256 is chosen, then the only valid message digest size selection would be 256 bits. The message digest size above corresponds to the underlying hash algorithm used. Note that truncating the output of the HMAC following the hash calculation is an appropriate step in a variety of applications. This does not invalidate compliance with this requirement, however, the ST must state that truncation is performed, the size of the final output, and the standard to which this truncation complies. Assurance Activity: TSS
Guidance
Tests
Justification
Updating these SFRs, and their associated Assurance Activities, brings them in line with current standards and adds stronger, more commonly used algorithms for cryptographic protocols. |