NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0659:  Change to Required NIST Curves for FCS_CKM.1/AK

Publication Date
2022.07.13

Protection Profiles
PP_APP_v1.4

Other References
FCS_CKM.1/AK

Issue Description

In FCS_CKM.1.1/AK in the App PP,  the "[ECC schemes]" selection currently mandates both P-256 and P-384, with P-521 being optional. However, FCS_TLSC_EXT.5.1 in the TLS Package is open-ended with respect to the values that may be claimed in the Supported Groups Extension when ECDHE schemes are supported.

Resolution

The following change is made to FCS_CKM.1/AK in Section B.1 in Appendix B in PP_APP_V1.4, with strikethrough denoting deletion and underline denoting addition:

FCS_CKM.1.1/AK The application shall [selection:

- invoke platform-provided functionality,

- implement functionality

to generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:

[RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following FIPS PUB 186-4, "Digital Signature Standard (DSS), Appendix B.3",

[ECC schemes] using [“NIST curves” P-256, P-384 and [selection: P-256, P-521 , no other curves ] ] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4],

[FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1],

[FFC Schemes] using Diffie-Hellman group 14 that meet the following: RFC 3526, Section 3,

[FFC Schemes] using “safe-prime” groups that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and [selection: RFC 3526, RFC 7919]

].

 

Justification

Support for 384 is required by the current CNSA RFC for TLS (RFC 9151), but 256 is sometimes still useful for interoperability.

 
 
Site Map              Contact Us              Home