NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0335:  NIT Technical Decision for FCS_DTLS Mandatory Cipher Suites

Publication Date
2018.08.01

Protection Profiles
CPP_FW_V2.0E, CPP_ND_V2.0E

Other References
FCS_DTLSC_EXT.1.1, FCS_DTLSC_EXT.2.1, FCS_DTLSS_EXT.1.1, FCS_DTLSS_EXT.2.1, FCS_TLSC_EXT.1.1, FCS_TLSC_EXT.2.1, FCS_TLSS_EXT.1.1, FCS_TLSS_EXT.2.1

Issue Description

The NIT has issued a technical decision for FCS_DTLS Mandatory Cipher Suites.

Resolution

Updated 08/14/2018 to add missing details related to TLSC/TLSS.

The first paragraph of the application notes for FCS_DTLSC_EXT.1.1, FCS_DTLSS_EXT.1.1 and FCS_DTLSS_EXT.2.1 shall therefore be replaced  as follows:

"The ciphersuites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the ciphersuites that are supported. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment. Even though RFC 5246 and RFC 6347 mandate implementation of specific ciphers, there is no requirement to implement TLS_RSA_WITH_AES_128_CBC_SHA in order to claim conformance to this cPP. "

The first paragraph of the application note for FCS_DTLSC_EXT.2.1 shall be replaced as follows:

"The ciphersuites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the ciphersuites that are supported. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment. Even though RFC 5246 and RFC 6347 mandate implementation of specific ciphers, there is no requirement to  implement TLS_RSA_WITH_AES_128_CBC_SHA  in  order to claim conformance to this cPP. "

The first paragraph of the application notes for FCS_TLSC_EXT.1.1, FCS_TLSC_EXT.2.1, FCS_TLSS_EXT.1.1 and FCS_TLSS_EXT.2.1 shall therefore be replaced as follows:

"The ciphersuites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the ciphersuites that are supported. It is necessary to limit the ciphersuites that can be used in an evaluated configuration administratively on the server in the test environment. Even though RFC 5246 mandates implementation of specific ciphers, there is no requirement to implement TLS_RSA_WITH_AES_128_CBC_SHA in order to claim conformance to this cPP. "

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201809.pdf

Justification

RFC 6347 Section 4 states "instead of presenting DTLS as a new protocol, we present it as a series of deltas from TLS 1.2 [TLS12].  Where we do not explicitly call out differences, DTLS is the same as in [TLS12]." Given that text, RFC 6347 inherits the mandatory-to-implement ciphersuite text from TLS 1.2.

However, the RFC's declaration of the ciphersuite as mandatory-to-implement is irrelevant to the PP's declaration of what ciphersuites can be used in the operational configuration. "Claiming compliance" with RFC 5246 or RFC 6347 in the sense of NDcPP/FWcPP does not require enabling TLS_RSA_WITH_AES_128_CBC_SHA in the operational configuration.

 
 
Site Map              Contact Us              Home