NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0143:  NIT Technical Decision for Failure testing for TLS session establishment in NDcPP and FWcPP

Publication Date
2017.01.18

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References
FCS_TLSS_EXT.1.1

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding failure testing for TLS session establishment.

Resolution

To align with the NIT interpretation #35, FCS_TLSS_EXT.1.1 Test 3 is revised as follows:

The requestor is correct in the RSA case.  If a ciphersuite requiring RSA key exchange has been selected, then the server must terminate the connection without an alert after receiving the client’s ChangeCipherSpec message or Finished message.  If a ciphersuite requiring Diffie-Hellman key agreement has been selected, then the server may send an alert or simply terminate the connection after receiving the client’s ChangeCipherSpec message or Finished message. Since the server cannot distinguish the different cases the Test Case 3 shall be changed to:

Test 3: The evaluator shall use a client to send a key exchange message in the TLS connection that does not match the server-selected ciphersuite (for example, send an ECDHE key exchange while using the TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite or send a RSA key exchange while using one of the ECDSA ciphersuites.) The evaluator shall verify that the TOE either sends an alert after receiving the client’s ChangeCipherSpec message or Finished message; or terminates the connection after receiving the client's ChangeCipherSpec message or Finished message.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI35.pdf.

Justification

See issue description.

 
 
Site Map              Contact Us              Home