NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0034:  Revision of Test 5 in FCS_TLSC_EXT.1.1 & EXT.2.1 reqs in MDF PP V2.0, MDM PP V2.0, MDM Agent PP V2.0

Publication Date
2015.02.11

Protection Profiles
PP_MD_v2.0, PP_MDM_AGENT_V2.0, PP_MDM_V2.0

Other References
PP_MDF_V2.0, MDM PP V2.0, MDM Agent PP V2.0 requirements FCS_TLSC_EXT.1.1 and FCS_TLSC_EXT.2.1

Issue Description

The last two bullets of Test 5 in FCS_TLSC_EXT.1.1 (FCS_TLS_EXT.2.1 has identical tests) state:

  • Modify a byte in the Server Finished handshake message, and verify that the client sends a fatal alert upon receipt and does not send any application data.
  • Send a garbled message from the Server after the Server has issued the ChangeCipherSpec message and verify that the client denies the connection.


Because the Server Finished message must always follow the Server ChangeCipherSpec message, the last bullet says, in effect, “Send a garbled Server Finished message”, which is redundant given the prior bullet.

Resolution

Rewrite the last bullet in Test 5 to state:

  • Send a valid Server Finished message in plaintext and verify the client sends a fatal alert upon receipt and does not send any application data. The server’s finished message shall contain valid verify_data and shall parse correctly using a network protocol analysis tool.
Justification

The revision removes a potentially redundant test and requires that the server sends a valid plaintext finished message (a violation of the TLS RFCs) with a valid verify_data field.  If implemented correctly, this altered test checks that a client TLS implementation correctly attempts decryption first (and thus will not parse a correctly formatted, plaintext Finished message).

 
 
Site Map              Contact Us              Home