NIAP: View Technical Decision Details
NIAP/CCEVS
TD0642:  FCS_CKM.1(a) Requirement; P-384 keysize moved to selection

Publication Date
2022.06.17

Protection Profiles
PP_HCD_V1.0

Other References
FCS_CKM.1.1(a), FCS_COP.1.1(b)

Issue Description

The Security Functional Requirement for FCS_CKM.1(a) should be considered an optional requirement in the HCD PP v1.0.

FCS_CKM.1.1(a) and FCS_COP.1.1(b) both make P-256 and P-384 required, and P-521 optional for elliptic curve-based key establishment:

NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for elliptic curve-based key establishment schemes and implementing “NIST curves” P-256, P-384 and [selection: P-521, no other curves] (as defined in FIPS PUB 186-4, “Digital Signature Standard”)

Other NIAP-approved Protection Profiles (https://www.niap-ccevs.org/MMO/PP/CPP_ND_V2.2E.pdf, https://www.niap-ccevs.org/MMO/PP/CPP_FDE_AA_V2.0E.pdf) allow all of the key sizes as a selection.

Resolution

FCS_CKM.1.1(a): TD0074 is archived and replaced with the following for PP_HCD_V1.0-Err:

The SFR and associated Tests in the Assurance Activity are moved to “Appendix C Optional Requirements.”

Pages 38 to 40, Section 4.5.1 FCS_CKM.1(a) currently reads:

Section 4.5.1 FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)

(for O.COMMS_PROTECTION)

Hierarchical to: No other components.

Dependencies: [FCS_CKM.2 Cryptographic key distribution, or

FCS_COP.1(b) Cryptographic Operation (for signature generation/ verification)]

FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction

FCS_CKM.1.1(a) Refinement: The TSF shall generate asymmetric cryptographic keys used for key establishment in accordance with [selection:

• NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for finite field-based key establishment schemes;

• NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for elliptic curve-based key establishment schemes and implementing “NIST curves” [selection: P-256, P-384, P-521] (as defined in FIPS PUB 186-4, “Digital Signature Standard”)

• NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography” for RSA-based key establishment schemes

¶ 190 ] and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.

¶ 191 Application Note:

¶ 192 The ST author selects the key generation scheme used for key establishment and device authentication. If multiple schemes are supported, then the ST author should iterate this component to capture this capability. When key generation is used for device authentication, the public key is expected to be associated with an X.509v3 certificate. If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.

¶ 193 Since the domain parameters to be used are specified by the requirements of the protocol in this PP, it is not expected that the TOE will generate domain parameters, and therefore there is no additional domain parameter validation needed when the TOE complies with the protocols specified in this PP.

¶ 194 SP 800-56B references (but does not mandate) key generation according to FIPS 186-3. For purposes of compliance in this version of the HCD PP, RSA key pair generation according to FIPS 186-4 is allowed in order for the TOE to claim conformance to SP 800-56B.

¶ 195 The generated key strength of 2048-bit DSA and rDSA keys needs to be equivalent to, or greater than, a symmetric key strength of 112 bits. See NIST Special Publication 800-57, “Recommendation for Key Management” for information about equivalent key strengths.

¶ 196 Assurance Activity:

¶ 197 TSS:

¶ 198 The evaluator shall ensure that the TSS contains a description of how the TSF complies with 800-56A and/or 800-56B, depending on the selections made. This description shall indicate the sections in 800-56A and/or 800-56B that are implemented by the TSF, and the evaluator shall ensure that key establishment is among those sections that the TSF claims to implement.

¶ 199 Any TOE-specific extensions, processing that is not included in the documents, or alternative implementations allowed by the documents that may impact the security requirements the TOE is to enforce shall be described in the TSS.

¶ 200 The TSS may refer to the Key Management Description (KMD), described in Appendix F, which may not be made available to the public.

¶ 201 Test:

¶ 202 The evaluator shall use the key pair generation portions of "The FIPS 186-4 Digital Signature Algorithm Validation System (DSA2VS)", "The FIPS 186-4 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)", and “The 186-4 RSA Validation System (RSA2VS)” as a guide in testing the requirement above, depending on the selection performed by the ST author. This will require that the evaluator have a trusted reference implementation of the algorithms that can produce test vectors that are verifiable during the test.
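The test in ¶ 202 expects the evaluator to hold a trusted reference implementation against which a TOE's generated key pairs can be checked. The following Python is an added illustration, not NIAP or PP text, of the two checks such a reference performs for the P-256 curve named in the selection: the claimed public key Q is a point on the curve, and Q equals d·G for the claimed private scalar d. Curve constants are the FIPS 186-4 P-256 parameters; the sample private scalar is a constructed value.

```python
# NIST P-256 domain parameters (FIPS 186-4, Appendix D.1.2.3): prime p, coefficients a, b,
# group order n and base point G. A point is an (x, y) tuple; None is the point at infinity.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(q):
    """Public-key validation: Q is a finite point with y^2 == x^3 + a*x + b (mod p)."""
    if q is None:
        return False
    x, y = q
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition, with doubling when both inputs are the same point."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1, so the sum is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, q):
    """Double-and-add computation of k*Q; k is reduced modulo the group order n."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = add(result, q)
        q = add(q, q)
        k >>= 1
    return result

def keypair_is_valid(d, q):
    """Key pair check in the spirit of ECDSA2VS: d in [1, n-1], Q on the curve, Q == d*G."""
    return 1 <= d < N and on_curve(q) and scalar_mult(d, G) == q

# Constructed sample scalar (any value in [1, n-1]); Q is derived from it and then validated.
SAMPLE_D = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
SAMPLE_Q = scalar_mult(SAMPLE_D, G)
```

A TOE-supplied pair would be substituted for SAMPLE_D and SAMPLE_Q; a mismatched scalar, an out-of-range scalar, or a public key that is not on the curve all fail the check.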

FCS_COP.1.1(b): The SFR in Section 3.1.1 of PP_HCD_v1.0-ERR (June 2017) is updated as follows; the original marks deletions with bold strikethrough and additions with bold underline, rendered here as [-deleted text-] and {+added text+}:

FCS_COP.1(b) Cryptographic Operation (for signature generation/verification)

(for O.UPDATE_VERIFICATION, O.COMMS_PROTECTION)

Hierarchical to: No other components.

Dependencies: [FDP_ITC.1 Import of user data without security attributes, or

FDP_ITC.2 Import of user data with security attributes, or

FCS_CKM.1 Cryptographic key generation

FCS_CKM.1(a) Cryptographic Key Generation (for asymmetric keys)]

FCS_CKM_EXT.4 Extended: Cryptographic Key Material Destruction

FCS_COP.1.1(b) Refinement: The TSF shall perform cryptographic signature services in accordance with a [selection:

• Digital Signature Algorithm (DSA) with key sizes (modulus) of [assignment: 2048 bits or greater],

• RSA Digital Signature Algorithm (rDSA) with key sizes (modulus) of [assignment: 2048 bits or greater], or

• Elliptic Curve Digital Signature Algorithm (ECDSA) with key sizes of [assignment: 256 bits or greater]]

that meets the following [selection:

Case: Digital Signature Algorithm

• FIPS PUB 186-4, “Digital Signature Standard”

Case: RSA Digital Signature Algorithm

• FIPS PUB 186-4, “Digital Signature Standard”

Case: Elliptic Curve Digital Signature Algorithm

• FIPS PUB 186-4, “Digital Signature Standard”

• The TSF shall implement “NIST curves” P-256, P-384 and [selection: P-521, no other curves] (as defined in FIPS PUB 186-4, “Digital Signature Standard”).

Case: Digital Signature Algorithm

• FIPS PUB 186-4, “Digital Signature Standard”

Case: RSA Digital Signature Algorithm

• FIPS PUB 186-4, “Digital Signature Standard”

Case: Elliptic Curve Digital Signature Algorithm

• FIPS PUB 186-4, “Digital Signature Standard”

• The TSF shall implement “NIST curves” [-P-256, P-384 and-] [selection: {+P-256, P-384,+} P-521, no other curves] (as defined in FIPS PUB 186-4, “Digital Signature Standard”).

].

Justification

The FCS_CKM.1(a) SFR and its Assurance Activity are an optional requirement in HCD PP v1.0.

All of the key sizes should be selectable; making some required is inconsistent with other PPs.
