TD0728: Corrections to MACSec PP-Module SD
The supporting document for the newly published PP-Module for MACsec Ethernet Encryption for requirement FCS_COP.1/MACSEC notes “messages and keys” in the test EA at Test 4 for the KW-AD Test. TD0466 had updated this test in the MACSec EP to reference “ciphertext values and keys” instead of “messages”. While “messages” applies to Test 3, it appears it perhaps should be “ciphertext values” for Test 4.
Also, Test 30 in FPT_RPL_EXT.1 makes reference to “rerun Test 1” but it appears “Test 1” has been renumbered to Test 29.
Test 4 for FCS_COP.1/MACSEC in Section 2.2.2 of the MOD_MACSEC_V1.0 Supporting Document is modified as follows, with strikethrough in red highlighting denoting deletion and underlines in green highlighting denoting addition:
Test 4: KW-AD Test: To test the authenticated decryption capability of AES KW, the evaluator shall
provide five sets of 100 messages ciphertext values and keys to the TOE for each key length supported by the TSF. Each
set of ciphertexts and keys shall correspond to one of five plaintext message lengths (detailed below).
For each set of 100 ciphertext values, 20 shall not be authentic (i.e., fail authentication). The evaluator
shall have the TSF decrypt the ciphertext messages with the associated key. The evaluator shall then
verify the correct plaintext was generated or the failure to authenticate was correctly detected.
The messages in each set for both tests shall be the following lengths:
- two that are non-zero multiples of 128 bits (two semiblock lengths)
- two that are odd multiples of the semiblock length (64 bits)
- the largest supported plaintext length less than or equal to 4096 bits
Test 30 for FPT_RPL_EXT.1 in Section 2.3.2 of the MOD_MACSEC_V1.0 Supporting Document is modified as follows, with strikethrough in red highlighting denoting deletion and underlines in green highlighting denoting addition:
Test 30: If both ciphersuites were selected, then the evaluator shall reconfigure the TOE using the
second ciphersuite and rerun Test 1 29 to demonstrate support for both ciphersuites.
See issue description.