TD0659: Change to Required NIST Curves for FCS_CKM.1/AK
In FCS_CKM.1.1/AK in the App PP, the "[ECC schemes]" selection currently mandates both P-256 and P-384, with P-521 being optional. However, FCS_TLSC_EXT.5.1 in the TLS Package is open-ended with respect to the values that may be claimed in the Supported Groups Extension when ECDHE schemes are supported.
The following change is made to FCS_CKM.1/AK in Section B.1 in Appendix B in PP_APP_V1.4, with strikethrough denoting deletion and underline denoting addition:
FCS_CKM.1.1/AK The application shall [selection:
- invoke platform-provided functionality,
- implement functionality
] to generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:
[RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following FIPS PUB 186-4, "Digital Signature Standard (DSS), Appendix B.3",
[ECC schemes] using [“NIST curves” P-256, P-384 and [selection: P-256, P-521 , no other curves ] ] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4],
[FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1],
[FFC Schemes] using Diffie-Hellman group 14 that meet the following: RFC 3526, Section 3,
[FFC Schemes] using “safe-prime” groups that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and [selection: RFC 3526, RFC 7919]
Support for 384 is required by the current CNSA RFC for TLS (RFC 9151), but 256 is sometimes still useful for interoperability.