NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0285:  Test for Key Wrap using RSA-OAEP

Publication Date
2018.01.19

Protection Profiles
PP_APP_SWFE_EP_v1.0

Other References
FCS_COP.1(5)

Issue Description

FCS_COP.1(5) in the SW FE PP allows for Key Wrap using RSA-OAEP and the link provided for the test activity is no longer valid.

 

Resolution

The RSA specific Test activity for FCS_COP.1(5) is replaced as follows:

RSA

The evaluator shall check the TSS to ensure it describes the various values used for the RSA-OAEP encryption and decryption scheme described in NIST SP 800-56B, section 7.2.2 and other referenced sections. In particular, the evaluator shall verify that the TSS identifies the hash function, the mask generating function, the random bit generator, the encryption primitive and decryption primitive.

The evaluator shall perform the following tests for the KTS-OAEP scheme:

1. The evaluator shall inspect each cipher text, C, produced by the RSA-OAEP encryption operation of the TOE and make sure it is the correct length, either 256 or 384 bytes depending on RSA key size. The evaluator shall also feed into the TOE’s RSA-OEAP decryption operation some cipher texts that are the wrong length and verify that the erroneous input is detected and that the decryption operation exits with an error code.

2. The evaluator shall convert each cipher text, C, produced by the RSA-OAEP encryption operation of the TOE to the correct cipher text integer, c, and use the decryption primitive to compute em = RSADP((n,d),c) and convert em to the encoded message EM. The evaluator shall then check that the first byte of EM is 0x00. The evaluator shall also feed into the TOE’s RSA-OEAP decryption operation some cipher texts where the first byte of EM was set to a value other than 0x00, and verify that the erroneous input is detected and that the decryption operation exits with an error code.

3. The evaluator shall decrypt each cipher text, C, produced by the RSA-OAEP encryption operation of the TOE using RSADP, and perform the OAEP decoding operation (described in NIST SP 800-56B section 7.2.2.4) to recover HA’ || X. For each HA’, the evaluator shall take the corresponding A and the specified hash algorithm and verify that HA' = Hash(A). The evaluator shall[shall?] also force the TOE to perform some RSA-OAEP decryptions where the A value is passed incorrectly, and the evaluator shall[shall?] verify that an error is detected.

4. The evaluator shall check the format of the ‘X’ string recovered in OAEP.Test.3 to ensure that the format is of the form PS || 01 || K, where PS consists of zero or more consecutive 0x00 bytes and K is the transported keying material. The evaluator shall[shall?] also feed into the TOE’s RSA-OEAP decryption operation some cipher texts for which the resulting ‘X’ strings do not have the correct format (i.e., the leftmost non-zero byte is not 0x01). These incorrectly formatted ‘X’ variables shall[shall?] be detected by the RSA-OEAP decrypt function.

5. The evaluator shall trigger all detectable decryption errors and validate that the returned error codes are the same and that no information is given back to the sender on which type of error occurred. The evaluator shall also validate that no intermediate results from the TOE’s receiver-side operations are revealed to the sender.

 

Justification

Test activity for Key Wrap using RSA-OAEP is added to the EP.

 
 
Site Map              Contact Us              Home