NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0320:  TLS ciphers in ESM PPs

Publication Date
2018.05.03

Protection Profiles
PP_ESM_AC_V2.1, PP_ESM_ICM_V2.1, PP_ESM_PM_V2.1

Other References
FCS_TLS_EXT.1.1

Issue Description

In the ESM PPs, FCS_TLS_EXT.1.1 mandates the support for the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite. This cipher suite is no longer mandated.

Resolution

FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following ciphersuites: [selection:

 

·         TLS_RSA_WITH_AES_128_CBC_SHA

·         TLS_RSA_WITH_AES_256_CBC_SHA

·         TLS_DHE_RSA_WITH_AES_128_CBC_SHA

·         TLS_DHE_RSA_WITH_AES_256_CBC_SHA

·         TLS_RSA_WITH_AES_128_CBC_SHA256

·         TLS_RSA_WITH_AES_256_CBC_SHA256

·         TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

·         TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

·         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

·         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

·         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

·         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

].

 

Application Note:  The ST author must make the appropriate selections and assignments to reflect the TLS implementation. The ST author must provide enough detail to determine how the implementation is complying with the standard(s) identified; this can be done either by adding elements to this component, or by additional detail in the TSS.

 

The ciphersuites to be tested in the evaluated configuration are limited by this requirement; however, this requirement does not restrict the TOE's ability to propose (in its Client Hello) additional ciphersuites beyond the ones listed in this requirement. Put simply, the TOE may propose any ciphersuite; however, the evaluation will only test the ciphersuties in the above list. The ST author should select the ciphersuites that are supported. If administrative steps need to be taken so that the suites negotiated by the implementation are limited to those in this requirement, the appropriate instructions need to be contained in the guidance called for by AGD_OPE. The Suite B algorithms (RFC 5430) listed above are the preferred algorithms for implementation. It is recognized that TLS_RSA_WITH_AES_128_CBC_SHA is mandatory in RFC 5246, but it is not mandated for this Protection Profile.

 

These requirements will be revisited as new TLS versions are standardized by the IETF.

 

Justification

Consistency across PP's.

 
 
Site Map              Contact Us              Home