NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0728:  Corrections to MACSec PP-Module SD

Publication Date
2023.04.03

Protection Profiles
MOD_MACSEC_V1.0

Other References
FCS_COP.1/MACSEC, FPT_RPL_EXT.1

Issue Description

The supporting document for the newly published PP-Module for MACsec Ethernet Encryption for requirement FCS_COP.1/MACSEC notes “messages and keys” in the test EA at Test 4 for the KW-AD Test.  TD0466 had updated this test in the MACSec EP to reference “ciphertext values and keys” instead of “messages”. While “messages” applies to Test 3, it appears it perhaps should be “ciphertext values” for Test 4. 

Also, Test 30 in FPT_RPL_EXT.1 makes reference to “rerun Test 1” but it appears “Test 1” has been renumbered to Test 29.

Resolution

Test 4 for FCS_COP.1/MACSEC in Section 2.2.2 of the MOD_MACSEC_V1.0 Supporting Document is modified as follows, with strikethrough in red highlighting denoting deletion and underlines in green highlighting denoting addition:

Test 4: KW-AD Test: To test the authenticated decryption capability of AES KW, the evaluator shall

provide five sets of 100 messages ciphertext values and keys to the TOE for each key length supported by the TSF. Each

set of ciphertexts and keys shall correspond to one of five plaintext message lengths (detailed below).

For each set of 100 ciphertext values, 20 shall not be authentic (i.e., fail authentication). The evaluator

shall have the TSF decrypt the ciphertext messages  with the associated key. The evaluator shall then

verify the correct plaintext was generated or the failure to authenticate was correctly detected.

The messages in each set for both tests shall be the following lengths:

- two that are non-zero multiples of 128 bits (two semiblock lengths)

- two that are odd multiples of the semiblock length (64 bits)

- the largest supported plaintext length less than or equal to 4096 bits

Test 30 for FPT_RPL_EXT.1 in  Section 2.3.2 of the MOD_MACSEC_V1.0 Supporting Document is modified as follows, with strikethrough in red highlighting denoting deletion and underlines in green highlighting denoting addition:

Test 30: If both ciphersuites were selected, then the evaluator shall reconfigure the TOE using the

second ciphersuite and rerun Test 1 29 to demonstrate support for both ciphersuites.

Justification

See issue description.

 
 
Site Map              Contact Us              Home