NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0355:  FCS_CKM.1/VPN for IKE authentication

Publication Date
2018.09.20

Protection Profiles
MOD_VPN_CLI_V2.1

Other References
FCS_CKM.1/VPN

Issue Description

In Section 5.3 (App PP Security Functional Requirements Direction), FCS_CKM.1.1 does not allow a selection operation to permit the TOE or TOE Platform to meet the requirement.  It also is not refined to “IKE peer authentication”.

Resolution

The following SFR is added to Section 5.3.3:

FCS_CKM.1/VPN Cryptographic Key Generation (IKE)

FCS_CKM.1.1/VPN The application shall [selection: invoke platform-provided functionality, implement functionality] to generate asymmetric cryptographic keys used for IKE peer authentication in accordance with: [selection:

  • FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3 for RSA schemes;
  • FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4 for ECDSA schemes and implementing “NIST curves”, P-256, P-384 and [selection: P-521, no other curves]]

and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.

Application Note: The keys that are required to be generated by the TOE through this requirement are intended to be used for the authentication of the VPN entities during the IKE (either v1 or v2) key exchange. While it is required that the public key be associated with an identity in an X509v3 certificate, this association is not required to be performed by the TOE, and instead is expected to be performed by a Certificate Authority in the Operational Environment.

As indicated in FCS_IPSEC_EXT.1, the TOE is required to implement support for RSA or ECDSA (or both) for authentication.

See NIST Special Publication 800-57, “Recommendation for Key Management” for information about equivalent key strengths.

 

In addition, the following assurance activities are added to Section 2.3.4 of PP-Module for Virtual Private Network (VPN Clients) Supporting Document:

2.3.4.1.2 FCS_CKM.1/VPN Cryptographic Key Generation (IKE)

TSS

The evaluator shall examine the TSS to verify that it describes how the key generation functionality is invoked.

Operational Guidance

There are no AGD Assurance Activities for this requirement.

Test

Refer to the Assurance Activity for FCS_CKM.1(1) in the App PP.

Justification

The same construct is used for the GPOS and MDF base PPs in the PP-Module.

 
 
Site Map              Contact Us              Home