NIAP: View Technical Decision Details
TD0209:  Additional DH Group added as selection for IKE Protocols

Publication Date

Protection Profiles

Other References

Issue Description

FCS_CKM.1.1 allows for RSA schemes using cryptographic key sizes of 2048-bit or greater, but the corresponding cryptographic protocol requirement FCS_IPSEC_EXT.1.11 does not provide a selection for 3072-bit MODP.


FCS_IPSEC_EXT.1.11 is replaced as follows:

FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), 19 (256-bit Random ECP), 20 (384-bit Random ECP), and [selection: 5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS), 15 (3072-bit MODP), no other DH groups].

Application Note: This SFR element has been modified from its definition in the NDcPP by mandating DH groups 19 and 20, both of which are selectable in the original definition of the element. In addition, DH Group 15 has been added as a selection to allow for 3072-bit cryptographic key sizes for RSA schemes in FCS_CKM.1.1.


Allows for greater than 2048-bit cryptographic key sizes.
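
The following is an added example, not part of the Technical Decision or of any NIAP tooling: a check of the DH groups offered in IKE proposal strings against the revised FCS_IPSEC_EXT.1.11 and against the selection claimed in a Security Target. The strongSwan-style keyword names, the function names and the sample proposal string are assumptions made for illustration.

```python
import re

# IANA IKE DH group numbers listed in the revised FCS_IPSEC_EXT.1.11.
MANDATORY = {14, 19, 20}
SELECTABLE = {5, 24, 15}

# Assumption: strongSwan-style DH keywords (the page names no product).
KEYWORD_TO_GROUP = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21,
    "modp2048s256": 24,
}
DH_TOKEN = re.compile(r"(modp|ecp)\d+(s\d+)?")


def groups_in_proposals(proposals):
    """Return (group numbers offered, DH-looking keywords with no mapping)."""
    offered, unmapped = set(), set()
    for proposal in proposals.split(","):
        for token in proposal.strip().rstrip("!").lower().split("-"):
            if token in KEYWORD_TO_GROUP:
                offered.add(KEYWORD_TO_GROUP[token])
            elif DH_TOKEN.fullmatch(token):
                unmapped.add(token)  # never silently ignore a DH group
    return offered, unmapped


def check_dh_groups(proposals, st_selection):
    """Compare offered DH groups with the element and the ST's selection."""
    claimed = set(st_selection)  # empty set means "no other DH groups"
    if not claimed <= SELECTABLE:
        raise ValueError(f"not selectable: {sorted(claimed - SELECTABLE)}")
    offered, unmapped = groups_in_proposals(proposals)
    return {
        "missing_mandatory": sorted(MANDATORY - offered),
        "claimed_not_offered": sorted(claimed - offered),
        "offered_not_claimed": sorted((offered & SELECTABLE) - claimed),
        "not_in_element": sorted(offered - MANDATORY - SELECTABLE),
        "unmapped_keywords": sorted(unmapped),
    }


# Constructed sample: group 19 is absent and 1024-bit MODP is still offered.
SAMPLE = "aes256-sha256-modp2048,aes256gcm16-prfsha384-ecp384,aes128-sha1-modp1024"

if __name__ == "__main__":
    for finding, values in check_dh_groups(SAMPLE, {15}).items():
        print(f"{finding}: {values}")
```

A configuration matches the element and the claimed selection only when every list in the result is empty.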
