NIAP/CCEVS
TD0163:  Update to FCS_TLSC_EXT.1.1 Test 5.4 and FCS_TLSS_EXT.1.1 Test
Publication Date
  04/05/2017
References
PP_APP_v1.2, PP_OS_V4.1, PP_MDM_V3.0, PP_CA_v2.0, PP_VOIP_V1.3, FCS_TLSC_EXT.1.1, FCS_TLSS_EXT.1.1
Issue Description

The below tests for FCS_TLSC_EXT.1.1 and FCS_TLSS_EXT.1.1 can only be performed for ciphersuites that utilize Diffie-Hellman. These tests should be conditional and only required when a ciphersuite that utilizes Diffie-Hellman is claimed by a Security Target.

“Modify the signature block in the Server’s KeyExchange handshake message, and verify that the client rejects the connection after receiving the Server KeyExchange.”

“Modify the signature block in the Client’s Key Exchange handshake message, and verify that the server rejects the client's Certificate Verify handshake message (if using mutual authentication) or that the server denies the client's Finished handshake message.” 
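Why the server-side test is conditional, as an added example that is not part of the Technical Decision or of any PP: in TLS 1.2 only certificate-authenticated DHE and ECDHE suites send a signed ServerKeyExchange, so only they have a signature block to locate. The code assumes the RFC 5246 / RFC 4492 message layouts and IANA ciphersuite names; the function names and the sample message are constructed for illustration.

```python
import struct

# Assumption: TLS 1.2 layouts (RFC 5246 section 7.4.3, RFC 4492 section 5.4).
SIGNED_KEX = {"TLS_ECDHE_RSA": "ECDHE", "TLS_ECDHE_ECDSA": "ECDHE",
              "TLS_DHE_RSA": "DHE", "TLS_DHE_DSS": "DHE"}

def kex_of(suite: str) -> str:
    """Map an IANA ciphersuite name to 'ECDHE', 'DHE' or 'NONE'.
    'NONE' means no signed ServerKeyExchange (e.g. TLS_RSA_WITH_*)."""
    return SIGNED_KEX.get(suite.split("_WITH_")[0], "NONE")

def conditional_tests_apply(claimed_suites) -> bool:
    """True if any suite claimed in the Security Target is DHE or ECDHE."""
    return any(kex_of(s) != "NONE" for s in claimed_suites)

def signature_span(body: bytes, kex: str):
    """Locate the signature block in a ServerKeyExchange body
    (4-byte handshake header already stripped).
    Returns (offset, length) of the raw signature bytes."""
    off = 0
    if kex == "ECDHE":
        if body[0] != 3:
            raise ValueError("only curve_type named_curve (3) is handled")
        off = 3                      # curve_type(1) + named_curve(2)
        off += 1 + body[off]         # ECPoint: 1-byte length + point
    elif kex == "DHE":
        for _ in range(3):           # dh_p, dh_g, dh_Ys: 2-byte length + value
            (n,) = struct.unpack_from(">H", body, off)
            off += 2 + n
    else:
        raise ValueError("this key exchange has no signed ServerKeyExchange")
    off += 2                         # SignatureAndHashAlgorithm (hash, sig)
    (sig_len,) = struct.unpack_from(">H", body, off)
    off += 2
    if off + sig_len != len(body):
        raise ValueError("signature length does not match message length")
    return off, sig_len

# Constructed sample: secp256r1 (0x0017), 65-byte point, sha256+rsa, 256-byte signature.
SAMPLE_ECDHE = (b"\x03\x00\x17" + bytes([65]) + b"\x04" + bytes(64)
                + b"\x04\x01" + struct.pack(">H", 256) + bytes(256))

if __name__ == "__main__":
    print(signature_span(SAMPLE_ECDHE, "ECDHE"))
```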

Resolution

The below PPs are updated as follows:

PP_APP_v1.2

Test 5.4 for FCS_TLSC_EXT.1.1 is updated as follows:

“Test 5.4 (conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Server’s Key Exchange handshake message, and verify that the client rejects the connection after receiving the Server Key Exchange message.”

Test 4.3 for FCS_TLSS_EXT.1.1 is updated as follows:

“Test 4.3 (conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Client’s Key Exchange handshake message, and verify that the server rejects the client's Certificate Verify handshake message (if using mutual authentication) or that the server denies the client's Finished handshake message.”

PP_OS_V4.1

Test 5.4 for FCS_TLSC_EXT.1.1 is updated as follows:

“Test 5.4 (conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Server’s Key Exchange handshake message, and verify that the client rejects the connection after receiving the Server Key Exchange message.”

PP_MDM_V3.0

Test 5, bullet 4 for FCS_TLSC_EXT.1.1 is updated as follows:

“(conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Server’s Key Exchange handshake message, and verify that the client rejects the connection after receiving the Server Key Exchange message.”

Test 4 bullet 2 for FCS_TLSS_EXT.1.1 is updated as follows:

“(conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the client’s Certificate Verify handshake message, and verify that the server rejects the client’s Certificate Verify handshake message and verify that the server denies the client’s Finished handshake message.”

PP_CA_v2.0

Test 5d for FCS_TLSC_EXT.1.1 is updated as follows:

“(conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Server’s Key Exchange handshake message, and verify that the client rejects the connection after receiving the Server Key Exchange message.”

Test 4b for FCS_TLSS_EXT.1.1 is updated as follows:

“(conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Client’s Key Exchange handshake message, and verify that the server rejects the client’s Certificate Verify handshake message (if using mutual authentication) or that the server denies the client’s Finished handshake message.”

PP_VOIP_V1.3

Test 5, bullet 3 for FCS_TLS_EXT.1 is updated as follows:

“(conditional): If an ECDHE or DHE ciphersuite is selected, modify the signature block in the Server’s KeyExchange handshake message, and verify that the client rejects the connection after receiving the Server KeyExchange.”

Justification

See issue description.