Archived
TD0283: Cipher Suites for TLS in SWApp v1.2
Publication Date
2018.01.26
Protection Profiles
PP_APP_v1.2
Other References
FCS_TLSC_EXT.1; FCS_TLSS_EXT.1
Issue Description
In PP_APP_v1.2 , FCS_TLSC_EXT.1.1 and FCS_TLSS_EXT.1.1 mandates the support for the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite. This cipher suite is being removed as mandatory and will become an optional cipher suite selection. Resolution
FCS_TLSC_EXT.1.1 The mandatory cipher suite selections will be removed from the PP, and TLS_RSA_WITH_AES_128_CBC_SHA will be moved as a cipher suite selection. FCS_TLSC_EXT.1.1 ο TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
Application Note: When "invoke platform-provided TLS 1.2" is selected, it may be the case that the application is being claimed to run on more than one platform, and the underlying platforms support different sets of ciphersuites that are subsets of the ciphersuites listed in the selection for the SFR. In this case, it is expected that the ST author iterate this requirement for each platform or set of platfroms; each iteration would have the set of ciphersuites implemented by the platform(s). Note this is only necessary if the application wants to make a distinction; otherwise, the least common set of ciphersuites can be specified in the single SFR. Also note that the testing requirements would be applied to each iteration (meaning application/platform combination) during the evaluation. ------
FCS_TLSS_EXT.1.1
ο TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246 This requirement depends upon selection in FTP_DIT_EXT.1.1. Application Note: The cipher suites to be tested in the evaluated configuration are limited by this requirement. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment. The Suite B algorithms listed above (RFC 6460) are the preferred algorithms for implementation. TLS_RSA_WITH_AES_128_CBC_SHA is mandatory in RFC 5246, but has been moved to the selection based ciphersuites for this Protection Profile. These requirements will be revisited as new TLS versions are standardized by the IETF. If any cipher suites are selected using ECDHE, then FCS_TLSC_EXT.4 is required. If implement TLS 1.2 (RFC 5246) is selected, then FCS_CKM.2.1, FCS_COP.1.1(1), FCS_COP.1.1(2), FCS_COP.1.1(3), and FCS_COP.1.1(4) are required. When "invoke platform-provided TLS 1.2" is selected, it may be the case that the application is being claimed to run on more than one platform, and the underlying platforms support different sets of ciphersuites that are subsets of the ciphersuites listed in the selection for the SFR. In this case, it is expected that the ST author iterate this requirement for each platform or set of platfroms; each iteration would have the set of ciphersuites implemented by the platform(s). Note this is only necessary if the application wants to make a distinction; otherwise, the least common set of ciphersuites can be specified in the single SFR. Also note that the testing requirements would be applied to each iteration (meaning application/platform combination) during the evaluation.
Justification
See Issue Description. |