TD0727: Update to FCS_COP.1/SIGN for CNSA 1.0 compliance
Publication Date
2023.03.31
Protection Profiles
PP_OS_V4.3
Other References
FCS_COP.1/SIGN
Issue Description
GPOS PP 4.3 FCS_COP.1/SIGN allows support for RSA signatures of 2048-bit and greater. If the goal is for GPOS PP 4.3 to be CNSA 1.0 compliant, the RSA minimum signature key size should be 3072-bit. Resolution
FCS_COP.1/SIGN in Section 5.1.1 of PP_OS_4.3 is modified as follows, with strikethrough in red highlighting denoting deletion and underline in green highlighting denoting addition: FCS_COP.1.1/SIGN The OS shall perform [cryptographic signature services (generation and verification)] in accordance with a specified cryptographic algorithm [selection: - RSA schemes using cryptographic key sizes of 20483072-bit or greater that meet the following: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Section 4 - ECDSA schemes using "NIST curves" P-384 and [selection: P-521, no other curves ] that meet the following: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Section 5 ] and cryptographic key sizes [assignment: cryptographic algorithm] that meet the following: [assignment: list of standards]. Justification
See issue description. |