TD0702: DIT Technical Decision for Additional Workload Options in FCS_COP.1/PBKDF
FCS_COP.1/PBKDF in cPP_DSC_v1.0 is modified as follows (yellow highlights for additions, strikethrough for deletions):
FCS_COP.1.1/PBKDF The TSF shall perform [password-based key derivation functions] in accordance with a specified cryptographic algorithm [HMAC-[selection: SHA-256, SHA-384, SHA-512] ], with [selection: [assignment: integer number greater than or equal to 1000 iterations], at least 1 iteration followed by a function equivalent to the workload of at least 1000 ] iterations], and output cryptographic key sizes [selection: 128, 192, 256] bits that meet the following standard: [NIST SP 800-132].
- Application Note 50
The ST TSF must condition a password into a string of bits prior to using it as input to algorithms that form SKs and KEKs. The ST TSF can perform conditioning using one of the identified hash functions or the process described in NIST SP 800-132; the ST author selects the method used. NIST SP 800-132 requires the use of a pseudo-random function (PRF) consisting of HMAC with an approved hash function.
Appendix A of NIST SP 800-132 recommends setting the iteration count in order to increase the computation needed to derive a key from a password and, therefore, increase the workload of performing a dictionary attack.
The TOE must claim this requirement if it claims FCS_CKM.1/SK and selects an algorithm in the PBK row or claims FCS_CKM_EXT.5 and selects at least one of KeyDrv4, KeyDrv5, or KeyDrv6 AND uses password-based key derivation to create at least one of the inputs.
If less than 1000 PBKDF iterations are used, the ST must specify the workload equivalence to at least 1000 PBKDF iterations.
Section 22.214.171.124 of cPP_DSC_v1.0-SD is updated as follows (yellow highlights for additions, strikethrough for deletions):
The evaluator shall review the TSS to verify that it contains a description of the PBKDF. The evaluator shall also confirm the ST TSF supports the selected hash function itself. The evaluator shall confirm that the TSS contains a description of how the TOE ensures that the output of the PBKDF is at least the same length as that specified in FCS_CKM.1/SK and for the KeyDrv4, KeyDrv5, or KeyDrv6 in FCS_CKM_EXT.5.
If the ST claims iterations less than 1000 iterations, the evaluator shall verify the TSS contains a description of the workload function used to claim equivalence to at least 1000 iterations of PBKDF.
If the ST TSF performs additional conditioning, whitening, or manipulation of the password or passphrase before applying the PBKDF, or to the output of the PBKDF, the evaluator shall ensure that the TSS describes the actions and provides assurance that the TSF does not negatively impact the entropy of the PBKDF output.
If any manipulation of the key is performed in forming the submask that will be used to form the KEK, that process shall be described in the TSS.
There are no AGD evaluation activities for this component.
No explicit testing of the formation of the submask from the input password is required.
For the NIST SP 800-132-based conditioning of the passphrase, the required evaluation activities will be performed when doing the evaluation activities for the appropriate requirements (FCS_COP.1/HMAC).
The evaluator shall verify that the iteration count for PBKDFs performed by the TOE comply with NIST SP 800-132 by ensuring that the TSS contains a description of the estimated time required to derive key material from passwords and how the TOE increases the computation time for password-based key derivation (including but not limited to increasing the iteration count).
There are no KMD evaluation activities for this component.
If the ST claims less than 1000 PBKDF iterations, the evaluator shall verify the KMD contains a description of the process for increasing the workload. The description shall provide a flow diagram of the operations involved including the keys used in the operations. The evaluator shall also confirm that the TSF supports any algorithms in use for this sequence of operations.
The KMD shall include an equivalency argument comparing the workload (time to completion) using at least 1000 PBKDF iterations vs the workload of the alternative process.
For more information, please see the DIT technical decision here: https://dsc-itc.github.io/TD/DSC0001.html
The FCS_COP.1/PBKDF requirement mandates a specific implementation to thwart brute force attacks on the DSC. As there are many different approaches that can be used to thwart such attacks, the cPP and SD can be updated to be less prescriptive in the implementation details while providing equivalent strength in terms of the workload required.