Archived
TD0209: Additional DH Group added as selection for IKE Protocols
Publication Date
2017.06.09
Protection Profiles
EP_VPN_GW_V2.1
Other References
FCS_IPSEC_EXT.1.11
Issue Description
FCS_CKM.1.1 allows for RSA schemes using cryptographic key sizes of 2048 bits or greater, but the corresponding cryptographic protocol requirement FCS_IPSEC_EXT.1.11 does not provide a selection for 3072-bit MODP.
Resolution
FCS_IPSEC_EXT.1.11 is replaced as follows:
FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), 19 (256-bit Random ECP), 20 (384-bit Random ECP), and [selection: 5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS), 15 (3072-bit MODP), no other DH groups].
Justification
Allows for greater than 2048-bit cryptographic key sizes.
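The revised SFR splits the DH groups into a mandatory set (14, 19, 20) and a selection set (5, 24, 15, or none). An evaluator or product engineer comparing a device's configured IKE DH groups against that wording can express the rule directly. The following is an added example written for this page; it is not NIAP text or any vendor's code. The mandatory and selectable group numbers come from the TD above; the labels for groups 1, 2 and 16 are taken from the IANA IKEv2 DH group registry and are included only so the report can name groups the SFR does not cover. The sample configurations are constructed.

```python
"""Compare a list of IKE DH group numbers with the revised FCS_IPSEC_EXT.1.11."""

# Groups every conforming TOE must implement (from the TD's replacement text).
MANDATORY_GROUPS = {14, 19, 20}
# Groups the ST author may claim via the [selection: ...] clause.
SELECTABLE_GROUPS = {5, 24, 15}

# Labels for reporting. 5, 14, 15, 19, 20 and 24 are named in the TD;
# 1, 2 and 16 are added here from the IANA IKEv2 Transform Type 4 registry.
GROUP_NAMES = {
    1: "768-bit MODP",
    2: "1024-bit MODP",
    5: "1536-bit MODP",
    14: "2048-bit MODP",
    15: "3072-bit MODP",
    16: "4096-bit MODP",
    19: "256-bit Random ECP",
    20: "384-bit Random ECP",
    24: "2048-bit MODP with 256-bit POS",
}


def check_dh_groups(configured):
    """Return (compliant, missing, outside_selection).

    missing           - mandatory groups the configuration does not offer
    outside_selection - configured groups the SFR wording cannot claim
                        (neither mandatory nor in the selection list)
    """
    offered = set(configured)
    missing = sorted(MANDATORY_GROUPS - offered)
    outside = sorted(offered - MANDATORY_GROUPS - SELECTABLE_GROUPS)
    return (not missing and not outside, missing, outside)


def describe(groups):
    """Render group numbers with their labels for a human-readable report."""
    return ", ".join(f"{g} ({GROUP_NAMES.get(g, 'unregistered here')})" for g in groups)


def report(label, configured):
    """Build one report line for a named configuration."""
    ok, missing, outside = check_dh_groups(configured)
    parts = [f"{label}: {'PASS' if ok else 'FAIL'}"]
    if missing:
        parts.append(f"missing mandatory {describe(missing)}")
    if outside:
        parts.append(f"not claimable under FCS_IPSEC_EXT.1.11: {describe(outside)}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real device.
    samples = {
        "mandatory only": [14, 19, 20],
        "adds 3072-bit MODP": [14, 15, 19, 20],
        "legacy group still offered": [2, 14, 19, 20],
        "ECP only": [19, 20],
    }
    for name, groups in samples.items():
        print(report(name, groups))
```

The third sample shows the case an evaluator most often cares about: a device that offers group 2 (1024-bit MODP) alongside the mandatory groups still fails, because the selection clause ends in "no other DH groups" and a 1024-bit group is weaker than the 2048-bit minimum the issue description is built around.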