Archived
TD0225: NIT Technical Decision for Make CBC cipher suites optional in IPsec
Publication Date
2017.07.27
Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0
Other References
ND SD V1.0
Issue Description
The NIT has issued a technical decision for making CBC cipher suites optional in IPsec.
Resolution
To align with NIT interpretation # 201707, FCS_IPSEC_EXT.1.4 and FCS_IPSEC_EXT.1.6 shall therefore be modified as follows:
FCS_IPSEC_EXT.1.4 shall therefore be modified as follows:
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms [selection: AES-CBC-128 (specified by RFC 3602), AES-CBC-256 (specified by RFC 3602), AES-GCM-128 (specified in RFC 4106), AES-GCM-256 (specified in RFC 4106)] together with a Secure Hash Algorithm (SHA)-based HMAC.
FCS_IPSEC_EXT.1.6 shall be modified as follows:
FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [selection: IKEv1, IKEv2] protocol uses the cryptographic algorithms [selection: AES-CBC-128 (as specified in RFC 3602), AES-CBC-256 (as specified in RFC 3602), AES-GCM-128 (as specified in RFC 5282), AES-GCM-256 (as specified in RFC 5282)].
The TSS requirements for FCS_IPSEC_EXT.1.4 in NDSD V1.0 shall be modified as follows:
The evaluator shall examine the TSS to verify the TSS describes all cryptographic algorithms selected in FCS_IPSEC_EXT.1.4. In addition, the evaluator ensures that the SHA-based HMAC algorithm conforms to the algorithms specified in FCS_COP.1(4) Cryptographic Operations (for keyed-hash message authentication).
The TSS requirements for FCS_IPSEC_EXT.1.6 in NDSD V1.0 shall be modified as follows:
The evaluator shall ensure the TSS identifies the algorithms used for encrypting the IKEv1 and/or IKEv2 payload, and that all cryptographic algorithms selected in FCS_IPSEC_EXT.1.6 are included in the TSS discussion.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201707.pdf
Justification
The NIT acknowledges that there are some security-related concerns regarding AES-CBC mode and therefore supports making AES-128-CBC and AES-256-CBC optional for IKE and ESP.