NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0708:  Formatting corrections for VPN Client V2.3

Publication Date
2022.12.29

Protection Profiles
MOD_VPNC_V2.3

Other References
FCS_CKM.1, FCS_CKM.1(1), FCS_CKM.2.1/UNLOCKED, FCS_COP.1(1), FCS_IPSEC_EXT.1.5, FCS_IPSEC_EXT.1.11, FDP_RIP.2, FIA_PSK_EXT.1.3, FTP_ITC.1, FTP_TRP.1(1), Appendix C

Issue Description

MOD_VPNC_v2.3 has several formatting inconsistencies with CC Part 2.

Resolution

PP-Module for VPN Client v2.3 is modified as follows, with yellow highlights indicating additions and red highlights indicating deletions:

FCS_COP.1.1(1) in Section 5.1.1.3 is modified to mark completed selections as follows:

FCS_COP.1.1(1)               The OS shall perform [encryption/decryption services for data] in accordance with a specified cryptographic algorithm

·       AES-CBC (as defined in NIST SP 800-38A);

·       AES-GCM (as defined in NIST SP 800-38D); and

[selection:

·       AES-XTS (as defined in NIST SP 800-38E);

·       AES-CCMP (as defined in FIPS PUB 197, NIST SP 800-38C, and IEEE 802.11-2012);

·       AES Key Wrap (KW) (as defined in NIST SP 800-38F);

·       AES Key Wrap with Padding (KWP) (as defined in NIST SP 800-38F);

·       AES-CCM (as defined in NIST SP 800-38C);

·       AES-CCMP-256 (as defined in NIST SP 800-38C and IEEE 802.11ac-2013);

·       AES-GCMP-256 (as defined in NIST SP 800-38D and IEEE 802.11ac-2013);

·       No other modes]

and cryptographic key sizes [128-bit, 256-bit].

 

FTP_ITC.1 in Section 5.1.2.3 is modified to mark refinements as follows:

FTP_ITC.1.1                      The [selection: VPN client, OS] shall use IPsec to provide a trusted communication channel between itself and [selection: a remote VPN gateway, a remote VPN client, a remote IPsec-capable network device] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

FTP_ITC.1.2                      The [selection: VPN client, OS] shall permit [the TSF] to initiate communication via the trusted channel.

FTP_ITC.1.3                      The [selection: VPN client, OS] shall initiate communication via the trusted channel [for all traffic traversing that connection].

 

FCS_CKM.1.1 in Section 5.2.1.1 is modified to mark refinements as follows:

FCS_CKM.1.1                   The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm

·       ECC schemes using “NIST curves” [selection: P-256, P-384] and [selection: P-521, no other curves] that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4;

[selection:

·       FFC schemes using [selection:

o   cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS),” Appendix B.1,

o   Diffie-Hellman group 14 that meet the following: RFC 3526,

o   “safe-prime” groups that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”],

·       RSA schemes using cryptographic key sizes of 2048-bit or greater that meet FIPS PUB 186-4, “Digital Signature Standard (DSS),” Appendix B.3,

·       ECC schemes using Curve25519 schemes that meet the following: RFC 7748,

·       no other key generation methods].

FCS_CKM.2.1/UNLOCKED in Section 5.2.1.2 is modified to mark refinements as follows:

FCS_CKM.2.1/UNLOCKED           The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method:

·       Elliptic curve-based key establishment schemes that meets the following: NIST Special Publication 800-56A revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,

[selection:

·       Finite field-based key establishment schemes that meets the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,

·       Key establishment schemes using Diffie-Hellman group 14 that meets the following: RFC 3526

·       RSA-based key establishment schemes that meet the following: [selection:

o   NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”,

o   RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.2”]

·       no other key establishment schemes].

 

FCS_CKM.1.1(1) in Section 5.3.1.1 is modified to mark refinements, remove incorrect italics from the first refinement, remove bolding from the first three selections incorrectly marked as refinements (not highlighted), and to modify incorrect brackets:

FCS_CKM.1.1(1)              The application shall [selection: invoke platform-provided functionality, implement functionality] to generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm

·       [ECC schemes] using [“NIST curves” P-256, P-384 and [selection: P-521, no other curves]] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS),” Appendix B.4]; and,

[selection:

·       [FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS),” Appendix B.1];

·       [FFC schemes] using Diffie-Hellman group 14 that meet the following: [RFC 3526, Section 3]];

·       [FFC Schemes] using “safe-prime” groups] that meet the following: ‘NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and [selection: RFC 3526, RFC 7919];

·       [RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS),” Appendix B.3];

·       no other key generation methods].

FCS_CKM.2.1 in section 5.3.2.1 is modified to mark refinements:

FCS_CKM.2.1                   The application shall [selection: invoke platform-provided functionality, implement functionality] to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method:

·       [Elliptic curve-based key establishment schemes] that meets the following: [NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”]; and

[selection:

·       [Finite field-based key establishment schemes] that meets the following: [NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”];

·       Key establishment scheme using Diffie-Hellman group 14 that meets the following: RFC 3526, Section 3];

·       [FFC Schemes using “safe-prime” groups] that meet the following: ‘NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and [selection: RFC 3526, RFC 7919];

·       [RSA-based key establishment schemes] that meets the following: RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.2”;

·       [RSA-based key establishment schemes] that meets the following: [NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”];

·       No other schemes].

FCS_CKM.2.1 in section 5.4.1.2 is modified to mark refinements:

FCS_CKM.2.1                   The TSF shall [selection: invoke platform-provided functionality, implement functionality] to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method

·       Elliptic curve-based key establishment schemes that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography,”

[selection:

·       RSA-based key establishment schemes that meet the following: RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.21,”

·       Finite field-based key establishment schemes that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography,”

·       FFC schemes using "safe-prime" groups that meet the following: 'NIST Special Publication 800-56A Revision 3, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"', and [selection: RFC 3526, RFC 7919],

·       Key establishment schemes using Diffie-Hellman group 14 that meet the following: RFC 3526, Section 3,

·       No other schemes].

 

FCS_COP.1.1(1) in section 5.4.1.3 is modified to mark refinements in bold and selections in italics:

FCS_COP.1.1(1)               The TSF shall [selection: invoke platform-provided functionality, implement functionality] to perform encryption/decryption in accordance with a specified cryptographic algorithm:

·       AES-CBC (as defined in FIPS PUB 197 and NIST SP 800-38A),

·       AES-GCM (as defined in NIST SP 800-38D), and

[selection:

·       AES Key Wrap (KW) (as defined in NIST SP 800-38F),

·       AES Key Wrap with Padding (KWP) (as defined in NIST SP 800-38F),

·       AES-CCM (as defined in NIST SP 800-38C),

·       No other modes]

and cryptographic key sizes [128-bit, 256-bit].

 

FTP_TRP.1(1) in section 5.4.1.7 is updated to mark refinements in bold and correctly italicize selections:

FTP_TRP.1.1(1)                The TSF shall implement functionality using IPsec as defined in the PP-Module for VPN Client, and

[selection:

·       TLS as defined in the Package for Transport Layer Security,

·       HTTPS in accordance with FCS_HTTPS_EXT.1,

·       SSH as defined in the Extended Package for Secure Shell,

·       No other protocols] and

[selection:

·       invoke platform-provided functionality to use [selection:

o   TLS,

o   HTTPS,

o   SSH],

·       not invoke any platform-provided functionality]

to provide a trusted communication path between itself as a [selection: server, peer] and remote administrators that is logically distinct from other communication paths and provides assured identification of its endpoints and protection of the communicated data from [modification, disclosure].

FTP_TRP.1.2(1)                The TSF shall implement functionality and [selection: invoke platform-provided functionality, not invoke platform-provided functionality] to permit remote administrators to initiate communication via the trusted path.

FTP_TRP.1.3(1)                The TSF shall implement functionality and [selection: invoke platform-provided functionality, not invoke platform-provided functionality] to require the use of the trusted path for [all remote administration actions].

 

FCS_IPSEC_EXT.1.2 in section 5.5.1.2 is modified to mark selections:

FCS_IPSEC_EXT.1.2         The TSF shall implement [selection: tunnel mode, transport mode].

 

FCS_IPSEC_EXT.1.11 in section 5.5.1.2 is updated to mark selections and remove an extraneous period:

FCS_IPSEC_EXT.1.11       The TSF shall ensure that all IKE protocols perform peer authentication using a [selection: RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [selection: Pre-shared Keys, no other method]..

 

FDP_RIP.2.1 in section 5.5.2.1 is updated as follows:

FDP_RIP.2.1                     The [selection: TOE, TOE platform] shall enforce ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] all objects.

 

FIA_PSK_EXT.1.3 in section B.1 is updated to mark selections:

FIA_PSK_EXT.1.3             The TSF shall condition the text-based pre-shared keys by using [selection: SHA1, SHA-256, SHA-512, [assignment: other method of conditioning text string]], [selection: and be able to [selection: accept, generate using the random bit generator specified in FCS_RBG_EXT.1] bit-based pre-shared keys, perform no other conditioning].

 

FCS_IPSEC_EXT.1.5 in section C.2 of the ECD is updated to align with the SFR.

FCS_IPSEC_EXT.1.5         The TSF shall implement the protocol: [selection:

·       IKEv1, using Main Mode for Phase I exchanges, as defined in RFCs 2407, 2408, 2409, RFC 4109, [selection: no other RFCs for extended sequence numbers, RFC 4304 for extended sequence numbers], [selection: no other RFCs for hash functions, RFC 4868 for hash functions], and [selection: support for XAUTH, no support for XAUTH];

·       IKEv2 as defined in RFCs 7296 (with mandatory support for NAT traversal as specified in section 2.23), 4307 RFC 8784, RFC 8247, and [selection: no other RFCs for hash functions, RFC 4868 for hash functions]].

 

FCS_IPSEC_EXT.1.11 in section C.2 of the ECD is updated to mark selections:

FCS_IPSEC_EXT.1.11       The TSF shall ensure that all IKE protocols perform peer authentication using a [selection: RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [selection: Pre-shared Keys, no other method].

 

FIA_PSK_EXT.1.3 in section C.2 of the ECD is updated to mark selections:

FIA_PSK_EXT.1.3             The TSF shall condition the text-based pre-shared keys by using [assignment: method of conditioning text string], [selection: and be able to [selection: accept, generate using the random bit generator specified in FCS_RBG_EXT.1] bit-based pre-shared keys, perform no other conditioning].

Justification

Formatting corrections required to complete Certification Report.

 
 