Archived
TD0134: AES Data Encryption/Decryption in NDcPP MACsec EP v1.2
Publication Date
2016.12.21
Protection Profiles
PP_NDCPP_MACSEC_EP_V1.2
Other References
FCS_COP.1
Issue Description
FCS_COP.1(1) replaces the SFR from NDcPP. This SFR only allows the use of ASE KW and ASE GCM modes, so none of the trusted path SFRs can be implemented when restricted to these options. It appears that MACsec is the only trusted channel SFR that can be implemented with these algorithm restrictions. Resolution
This TD has been superseded by TD 0466 and is archived as of 11-15-2019. FCS_COP.1(1) will be updated to indicate a different iteration that focuses on the MACsec trusted channel SFR. The original FCS_COP.1(1) will be inherited (with no change) from the NDcPP. Remove section 4.2.1.2 “FCS_COP.1(1) Cryptographic Operation (AES Data Encryption/Decryption)” from the EP. Add a section (4.2.2.11) “FCS_COP.1(5) Cryptographic Operation (MACsec AES Data Encryption/Decryption)” FCS_COP.1.1(5) Refinement: The TSF shall perform encryption/decryption in accordance with a specified cryptographic algorithm AES used in AES Key Wrap, GCM and cryptographic key sizes 128 bits, 256 bits that meet the following: AES as specified in ISO 18033-3, AES Key Wrap in CMAC mode as specified in NIST SP 800-38F, GCM as specified in ISO 19772.
Application Note: This EP mandates the use of GCM for MACsec and AES Key Wrap for key distribution so this SFR has been further refined from the NDcPP.
Application Note: AES-CMAC is a keyed hash function that is used as part of the key derivation function (KDF) that is used for key generation.
Justification
To meet all SFRs, FCS_COP.1(1) from the NDcPP must be met. |