NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0588:  Session Resumption Support in TLS package

Publication Date
2021.05.12

Protection Profiles
PKG_TLS_V1.1

Other References
FCS_DTLSS_EXT.1, FCS_TLSS_EXT.1

Issue Description

FCS_TLSS_EXT.1.1 Test 4.3 in the TLS Package, as written, does not account for the behavior of TOEs when session resumption/session tickets are supported or not supported.

Resolution

FCS_TLSS_EXT.1.1 is modified as follows, with underlines denoting additions:

FCS_TLSS_EXT.1 The product shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.1 (RFC 4346), no earlier TLS versions] as a server that supports the cipher suites [selection:

  • TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
  • TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
  • TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
  • TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
  • TLS_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288,
  • TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5288,
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289

 ] and also supports functionality for [selection:

  • mutual authentication,
  • session renegotiation,
  • session resumption based on session IDs according to RFC 4346 (TLS1.1) or RFC 5246 (TLS1.2),
  • session resumption based on session tickets according to RFC 5077,
  • no session resumption or session tickets,
  • none

].

Application Note: The ST author should select the cipher suites that are supported, and must select at least one cipher suite. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment. If administrative steps need to be taken so that the cipher suites negotiated by the implementation are limited to those in this requirement, then the appropriate instructions need to be contained in the guidance. GCM cipher suites are preferred over CBC cipher suites, ECDHE preferred over RSA and DHE, and SHA256 or SHA384 over SHA.

TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.

These requirements will be revisited as new TLS versions are standardized by the IETF.

If mutual authentication is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If session renegotiation is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.4. If the TOE implements session renegotiation, this selection must be made.

If the TOE does not support session resumption or session tickets, select 'no session resumption or session tickets’. If the TOE supports session resumption based on session IDs according to RFC 4346 (TLS1.1) or RFC 5246 (TLS1.2), select 'session resumption based on session IDs according to RFC 4346 (TLS1.1) or RFC 5246 (TLS1.2)'. If the TOE supports session resumption based on session tickets according to RFC 5077, select 'session resumption based on session tickets according to RFC 5077'.

FCS_TLSS_EXT.1.1 Test 4.3 is modified as follows, with underlines denoting addition and strikethroughs denoting deletion:

Test 4.3: Demonstrate that the TOE will not resume a session for which the client failed to complete the handshake (independent of TOE support for session resumption): Generate a Fatal Alert by sending a Finished message from the client before the client sends a ChangeCipherSpec message, and then send a Client Hello with the session identifier from the previous incomplete session, and verify that the server does not resume the session.

Test 4.3i [conditional]: If the TOE does not support session resumption based on session IDs according to RFC4346 (TLS1.1) or RFC5246 (TLS1.2) or session tickets according to RFC5077, the evaluator shall perform the following test:

a) The evaluator shall send a Client Hello with a zero-length session identifier and with a SessionTicket extension containing a zero-length ticket.

b) The evaluator shall verify the server does not send a NewSessionTicket handshake message (at any point in the handshake).

c) The evaluator shall verify the Server Hello message contains a zero-length session identifier or passes the following steps:

Note: The following steps are only performed if the ServerHello message contains a non-zero length SessionID.

d) The evaluator shall complete the TLS handshake and capture the SessionID from the ServerHello.

e) The evaluator shall send a ClientHello containing the SessionID captured in step d). This can be done by keeping the TLS session in step d) open or start a new TLS session using the SessionID captured in step d).

f) The evaluator shall verify the TOE (1) implicitly rejects the SessionID by sending a ServerHello containing a different SessionID and by performing a full handshake (as shown in Figure 1 of RFC 4346 or RFC 5246), or (2) terminates the connection in some way that prevents the flow of application data.

Test 4.3ii [conditional]: If the TOE supports session resumption using session IDs according to RFC4346 (TLS1.1) or RFC5246 (TLS1.2), the evaluator shall carry out the following steps (note that for each of these tests, it is not necessary to perform the test case for each supported version of TLS):

a) The evaluator shall conduct a successful handshake and capture the TOE-generated session ID in the Server Hello message. The evaluator shall then initiate a new TLS connection and send the previously captured session ID to show that the TOE resumed the previous session by responding with ServerHello containing the same SessionID immediately followed by ChangeCipherSpec and Finished messages (as shown in Figure 2 of RFC 4346 or RFC 5246).

b) The evaluator shall initiate a handshake and capture the TOE-generated session ID in the Server Hello message. The evaluator shall then, within the same handshake, generate or force an unencrypted fatal Alert message immediately before the client would otherwise send its ChangeCipherSpec message thereby disrupting the handshake. The evaluator shall then initiate a new Client Hello using the previously captured session ID, and verify that the server (1) implicitly rejects the session ID by sending a ServerHello containing a different SessionID and performing a full handshake (as shown in figure 1 of RFC 4346 or RFC 5246), or (2) terminates the connection in some way that prevents the flow of application data.

Test 4.3iii [conditional]: If the TOE supports session tickets according to RFC5077, the evaluator shall carry out the following steps (note that for each of these tests, it is not necessary to perform the test case for each supported version of TLS):

a) The evaluator shall permit a successful TLS handshake to occur in which a session ticket is exchanged with the non-TOE client. The evaluator shall then attempt to correctly reuse the previous session by sending the session ticket in the ClientHello. The evaluator shall confirm that the TOE responds with a ServerHello with an empty SessionTicket extension, NewSessionTicket, ChangeCipherSpec and Finished messages (as seen in figure 2 of RFC 5077).

b) The evaluator shall permit a successful TLS handshake to occur in which a session ticket is exchanged with the non-TOE client. The evaluator will then modify the session ticket and send it as part of a new Client Hello message. The evaluator shall confirm that the TOE either (1) implicitly rejects the session ticket by performing a full handshake (as shown in figure 3 or 4 of RFC 5077), or (2) terminates the connection in some way that prevents the flow of application data.

Justification

NDcPP 2.2E and accompanying SD were updated to account for whether or not the TOE supports session resumption; this support should be added  to the TLS Package.

 
 
Site Map              Contact Us              Home