NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0209:  Additional DH Group added as selection for IKE Protocols

Publication Date
2017.06.09

Protection Profiles
EP_VPN_GW_V2.1

Other References
FCS_IPSEC_EXT.1.11

Issue Description

FCS_CKM.1.1 allows for RSA schemes using cryptographic key sizes of 2048-bit or greater, but the corresponding cryptographic protocol requirement, FCS_IPSEC_EXT.1.11, does not provide a selection for 3072-bit MODP.

Resolution

FCS_IPSEC_EXT.1.11 is replaced as follows:

FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), 19 (256-bit Random ECP), 20 (384-bit Random ECP), and [selection: 5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS), 15 (3072-bit MODP), no other DH groups].


Application Note: This SFR element has been modified from its definition in the NDcPP by mandating DH groups 19 and 20, both of which are selectable in the original definition of the element. In addition, DH Group 15 has been added as a selection to allow for 3072-bit cryptographic key sizes for RSA schemes in FCS_CKM.1.1.
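
As an added illustration (not part of the Technical Decision or of any NIAP tooling), the following sketch checks a gateway's IKE proposals against the replaced element: groups 14, 19 and 20 must be offered, and any further group must be one of the selections claimed. It assumes strongSwan-style proposal keywords and that the claimed selections are supplied by the caller from the Security Target; the function names and sample proposals are constructed for the example.

```python
# Added example. Group numbers come from FCS_IPSEC_EXT.1.11 as replaced by TD0209.
MANDATORY = {14, 19, 20}
SELECTABLE = {5, 24, 15}

# Assumption: strongSwan-style proposal keywords for key-exchange groups.
KEYWORD_TO_GROUP = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21,
    "modp2048s256": 24,
}

def offered_groups(proposals):
    """Return (group numbers, unrecognised key-exchange keywords) found in the proposals."""
    groups, unknown = set(), set()
    for proposal in proposals:
        for token in proposal.lower().rstrip("!").split("-"):
            if token in KEYWORD_TO_GROUP:
                groups.add(KEYWORD_TO_GROUP[token])
            elif token.startswith(("modp", "ecp", "curve")):
                unknown.add(token)  # looks like a DH group but is not in the map
    return groups, unknown

def check_td0209(proposals, claimed_selections):
    """List deviations from the SFR; an empty list means the offer matches the claim."""
    claimed = set(claimed_selections)
    groups, unknown = offered_groups(proposals)
    findings = [f"claimed group {g} is not a selection in the SFR"
                for g in sorted(claimed - SELECTABLE)]
    findings += [f"mandatory group {g} not offered" for g in sorted(MANDATORY - groups)]
    findings += [f"claimed group {g} not offered"
                 for g in sorted((claimed & SELECTABLE) - groups)]
    for g in sorted(groups - MANDATORY - claimed):
        if g in SELECTABLE:
            findings.append(f"selectable group {g} offered but not claimed")
        else:
            findings.append(f"group {g} is not permitted by the SFR")
    findings += [f"unrecognised key-exchange keyword {kw!r}" for kw in sorted(unknown)]
    return findings

# Constructed sample inputs, not taken from any real gateway.
GOOD = ["aes256-sha384-ecp384-ecp256-modp3072-modp2048"]
BAD = ["aes256-sha256-modp1024-modp2048", "aes256-sha384-ecp384"]

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_td0209(cfg, claimed_selections={15}) or "conformant")
```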

Justification

Allows for greater than 2048-bit cryptographic key sizes.
