NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0224:  NIT Technical Decision Making DH Group 14 optional in FCS_IPSEC_EXT.1.11

Publication Date
2017.07.27

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References
CPP_ND_V1.0, FCS_IPSEC_EXT.1.11

Issue Description

The NIT has issued a Technical Decision making DH Group 14 optional and removing DH Group 5 in FCS_IPSEC_EXT.1.11.

Resolution

To align with NIT interpretation # 201702a, FCS_IPSEC_EXT.1.11 is modified as follows:

"FCS_IPSEC_EXT.1.11 The TSF shall ensure that IKE protocols implement DH Group(s) [selection: 14 (2048-bit MODP), 19 (256-bit Random ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP)]."

The application note related to FCS_IPSEC_EXT.1.11 shall be modified as follows:

"The selection is used to specify DH groups supported. This applies to IKEv1 and IKEv2 exchanges."

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201702arev2.pdf.

This TD supersedes NIAP TD 0195.

Justification

DH group 5 has been removed as a selectable option from FCS_IPSEC_EXT.1.11 due to its insufficient security strength as well as its incompatibility with NIST SP800-56Arev2.

 
 