Archived
TD0075: Revisions to FCS_CKM.1, FCS_CKM.2, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4) in OSPPv4
Publication Date
2015.12.16
Protection Profiles
PP_OS_v4.0
Other References
PP_OS_v4.0
Issue Description
Revisions to FCS_CKM.1, FCS_CKM.2, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4) requirements in OS PP V4.0 are needed to meet the intent of the Protection Profile. Resolution
The following requirements have been revised to read:
FCS_CKM.1 Cryptographic Key Generation (Refined) The OS shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection: RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: [selection: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3], ECC schemes using “NIST curves” P-256, P-384 and [selection: P-521, no other curves] that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4]. and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
FCS_CKM.2 Cryptographic Key Establishment (Refined) The OS shall implement functionality to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: [RSA-based key establishment schemes] that meets the following: [NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”] and [selection: Elliptic curve-based key establishment schemes that meets the following: NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”, No other schemes ] that meets the following: [assignment: list of standards].
FCS_COP.1(1) Cryptographic Operation - Encryption/Decryption (Refined) The OS shall perform [encryption/decryption services for data] in accordance with a specified cryptographic algorithm [
[selection: AES-CCMP (as defined in FIPS PUB 197, NIST SP 800-38C, and IEEE 802.11-2012, AES Key Wrap (KW) (as defined in NIST SP 800-38F), AES Key Wrap with Padding (KWP) (as defined in NIST SP 800-38F), AES-GCM (as defined in NIST SP 800-38D), AES-CCM (as defined in NIST SP 800-38C), AES-CCMP-256 (as defined in NIST SP800-38C and IEEE 802.11ac-2013), AES-GCMP-256 (as defined in NIST SP800-38D and IEEE 802.11ac-2013), no other modes ]] and cryptographic key sizes [128-bit, 256-bit] that meet the following: [assignment: list of standards].
FCS_COP.1(2) Cryptographic Operation – Hashing (Refined) The OS shall perform [cryptographic hashing services] in accordance with a specified cryptographic algorithm [SHA-1 and [selection: SHA-256, SHA-384, SHA-512, no other algorithms ]] and message digest sizes [160 bits, [selection: 256 bits, 384 bits, 512 bits, no other sizes ]] that meet the following: [FIPS Pub 180-4].
FCS_COP.1(3) Cryptographic Operation – Signing (Refined) The OS shall perform [cryptographic signature services (generation and verification)] in accordance with a specified cryptographic algorithm [selection: RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS2v1_5, ECDSA schemes using “NIST curves” P-256, P-384 and [selection: P-521, no other curves] that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D] and cryptographic key sizes [assignment: cryptographic algorithm] that meet the following: [assignment: list of standards].
FCS_COP.1(4) Cryptographic Operation - Keyed-Hash Message Authentication (Refined) The OS shall perform [keyed-hash message authentication services] in accordance with a specified cryptographic algorithm [selection: SHA-1, SHA-256, SHA-384, SHA-512, ] with key sizes [assignment: key size (in bits) used in HMAC] and message digest sizes [selection: 160 bits, 256 bits, 384 bits, 512 bits] that meet the following: [FIPS Pub 198-1 The Keyed-Hash Message Authentication Code and FIPS Pub 180-4 Secure Hash Standard]. Justification
Revision of requirements needed |