Archived
TD0081: Inconsistency between FCS_CKM.2.1 and FCS_TLSC_EXT.1 in OSPP
Publication Date
2016.02.24
Protection Profiles
PP_OS_v4.0
Other References
PP_OS_V4.0
Issue Description
'FCS_CKM.2.1: Cryptographic Key Establishment' in OSPP v4.0 covers Elliptic curve-based key establishment schemes as well as RSA-based key establishment schemes. FCS_TLSC_EXT.1, on the other hand, allows RSA, EC Diffie-Hellman in addition to Diffie-Hellman, which is inconsistent with FCS_CKM.2.1.
Resolution
FCS_CKM.2.1 is being revised as follows:
*****
FCS_CKM.2.1 The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method:
* RSA-based key establishment schemes that meet the following: NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography” and [selection:
Elliptic curve-based key establishment schemes that meet the following: NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,
Finite field-based key establishment schemes that meet the following: NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,
No other schemes
].
Application Note: The ST author shall select all key establishment schemes used for the selected cryptographic protocols.
FCS_TLSC_EXT.1 requires cipher suites that use RSA-based key establishment schemes.
The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; however, Section 9 relies on implementation of other sections in SP 800-56B. If the OS acts as a receiver in the RSA key establishment scheme, the OS does not need to implement RSA key generation.
The elliptic curves used for the key establishment scheme shall correlate with the curves specified in FCS_CKM.1.1.
The domain parameters used for the finite field-based key establishment scheme are specified by the key generation according to FCS_CKM.1.1(1).
*****
The assurance activities remain the same.
Additionally, FCS_CKM.1.1 should be rewritten as follows:
*****
FCS_CKM.1.1 The OS shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:
RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: [selection: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3, ANSI X9.31-1998, Section 4.1],
ECC schemes using “NIST curves” P-256, P-384 and [selection: P-521, no other curves] that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4,
FFC schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1
].
*****
The application note remains the same.
In the test section of the FCS_CKM.1 Assurance Activity, the following section should be added:
*****
Key Generation for Finite-Field Cryptography (FFC)
The evaluator shall verify the implementation of the Parameters Generation and the Key Generation for FFC by the TOE using the Parameter Generation and Key Generation test. This test verifies the ability of the TSF to correctly produce values for the field prime p, the cryptographic prime q (dividing p-1), the cryptographic group generator g, and the calculation of the private key x and public key y.
The Parameter generation specifies 2 ways (or methods) to generate the cryptographic prime q and the field prime p:
Cryptographic and Field Primes:
* Primes q and p shall both be provable primes
* Primes q and field prime p shall both be probable primes
and two ways to generate the cryptographic group generator g:
Cryptographic Group Generator:
* Generator g constructed through a verifiable process
* Generator g constructed through an unverifiable process.
The Key generation specifies 2 ways to generate the private key x:
Private Key:
* len(q) bit output of RBG where 1 <= x <= q-1
* len(q) + 64 bit output of RBG, followed by a mod q-1 operation where 1 <= x <= q-1.
The security strength of the RBG must be at least that of the security offered by the FFC parameter set.
To test the cryptographic and field prime generation method for the provable primes method and/or the group generator g for a verifiable process, the evaluator must seed the TSF parameter generation routine with sufficient data to deterministically generate the parameter set.
For each key length supported, the evaluator shall have the TSF generate 25 parameter sets and key pairs. The evaluator shall verify the correctness of the TSF’s implementation by comparing values generated by the TSF with those generated from a known good implementation. Verification must also confirm
* g != 0,1
* q divides p-1
* g^q mod p = 1
* g^x mod p = y
for each FFC parameter set and key pair.
*****
Justification
FCS_CKM should be consistent with FCS_TLSC_EXT.1 in including DH schemes, which requires the addition of FFC to the CKM key generation and key establishment requirements.
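
The four verification conditions from the FFC key generation test and the len(q) + 64 private-key method, as an added example that is not part of the Technical Decision or of any NIAP tooling. The function names and the toy parameter set (p = 23, q = 11, g = 2) are constructed for illustration and are far below the 2048-bit minimum; the +1 after the mod q-1 reduction follows FIPS 186-4 Appendix B.1.1.

```python
import secrets

# Constructed (p, q, g, x, y) tuples standing in for values reported by the
# implementation under test. Toy sizes only; real sets use 2048-bit or larger p.
SAMPLE_RECORDS = [
    (23, 11, 2, 3, 8),    # valid: 2^3 mod 23 = 8
    (23, 11, 2, 10, 12),  # valid: 2^10 mod 23 = 12
    (23, 11, 5, 3, 10),   # g = 5 does not have order q
    (23, 11, 2, 11, 1),   # x = 11 lies outside 1..q-1
]


def derive_private_key(q, rbg=secrets.randbits):
    """Second private-key method: len(q) + 64 RBG bits reduced mod q-1.

    FIPS 186-4 B.1.1 adds 1 after the reduction so that 1 <= x <= q-1.
    `rbg` is a hypothetical hook so a deterministic source can be injected.
    """
    c = rbg(q.bit_length() + 64)
    return (c % (q - 1)) + 1


def verify_ffc(p, q, g, x, y):
    """Return the names of the failed checks; an empty list means a pass."""
    checks = [
        ("g != 0,1", g not in (0, 1)),
        ("q divides p-1", (p - 1) % q == 0),
        ("g^q mod p = 1", pow(g, q, p) == 1),
        # Range requirement taken from the private-key generation methods.
        ("1 <= x <= q-1", 1 <= x <= q - 1),
        ("g^x mod p = y", pow(g, x, p) == y),
    ]
    return [name for name, ok in checks if not ok]


def verify_batch(records):
    """Map record index -> failed checks, listing only records that fail."""
    return {i: f for i, rec in enumerate(records) if (f := verify_ffc(*rec))}


if __name__ == "__main__":
    for index, failures in verify_batch(SAMPLE_RECORDS).items():
        print(f"record {index} failed: {', '.join(failures)}")
    print("example private key for q = 11:", derive_private_key(11))
```
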