NIAP: View Technical Decision Details
Archived TD0330:  Curve25519 scheme moved to optional and FFC scheme using DH Group 14 added

Publication Date
2018.06.01

Protection Profiles
MOD_VPN_CLI_V2.1

Other References
FCS_CKM.1.1

Issue Description

The VPN Client Module mandates Curve25519 when the MDF PP is the base PP.  However, the MDF PP v3.1 does not mandate the Curve25519 scheme. In addition, there was no appropriate selection in FCS_CKM.1.1 to coincide with the selection for FFC Schemes using DH Group 14 in FCS_CKM.2.1.

Resolution

Section 5.2.2 FCS_CKM.1 Cryptographic Key Generation is modified as follows:

FCS_CKM.1.1 The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm

·  [ECC schemes] using [“NIST curves” P-256, P-384 and [selection: P-521, no other curves]] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4];

·  [selection:

    ·  [FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1];

    ·  [FFC Schemes] using Diffie-Hellman group 14 that meet the following: [RFC 3526, Section 3]];

·  [selection:

    ·  [RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3];

    ·  [Curve25519 schemes] that meet the following: [RFC 7748];

    ·  no other key generation methods

].

For test activities for FCS_CKM.1.1 in the SD, Section 2.2.1.1.1, the following text shall be added:

"Testing for FFC Schemes using Diffie-Hellman group 14 is done as part of testing in CKM.2.1."

No change is made to the Application Note.

 

Justification

See issue description.

 
 