NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0174:  Optional Ciphersuites for TLS

Publication Date
2017.04.10

Protection Profiles
PP_APP_v1.2, PP_MD_v3.0, PP_NDCPP_APP_AUTHSVR_EP_V1.0

Other References
FCS_TLSC_EXT.1.1, FCS_EAP-TLS_EXT.1.1

Issue Description

05/03/2017: Updating TD as it now also applies to the Authentication Server EP.

The list of ciphersuites included in the TLS requirement in the SW App PP does not match the list in the MDFPP. This could result in conflict when “invoke platform-provided TLS 1.2” is selected.

Resolution

The following replaces the Optional Ciphersuites in the FCS_TLSC_EXT.1.1 SFR in PP_MD_v3.0 and PP_APP_v1.2 and the FCS_EAP-TLS_EXT.1.1 SFR in PP_NDCPP_APP_AUTHSVR_EP_V1.0:

• Optional Ciphersuites: [selection:
    ο TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
    ο TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
    ο TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
    ο TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
    ο TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
    ο TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288
    ο TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
    ο TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
    ο TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
    ο TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
    ο TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
    ο TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
    ο TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
    ο TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
    ο no other ciphersuite.]

Justification

This change removes the inconsistency between the MDF and App Protection Profiles.

 
 