TD0696: Removal of 160 bit selection from FCS_COP.1/HASH & FCS_COP.1/KEYHMAC
Publication Date
2022.12.15
Protection Profiles
PP_OS_V4.3
Other References
FCS_COP.1/HASH, FCS_COP.1/KEYHMAC
Issue Description
Support for SHA-1 was removed, but the 160 bit message size remained.
Resolution
OS PP v4.3 is modified as follows, with strikethroughs denoting deletions:
FCS_COP.1.1/HASH is modified as follows:
FCS_COP.1.1/HASH The OS shall perform [cryptographic hashing services] in accordance with a specified cryptographic algorithm [selection:
· SHA-256
· SHA-384
· SHA-512
] and message digest sizes [selection:
· 256 bits
· 384 bits
· 512 bits
] that meet the following: [FIPS Pub 180-4].
FCS_COP.1.1/KEYHMAC is modified as follows:
FCS_COP.1.1/KEYHMAC (Refined) The OS shall perform [keyed-hash message authentication services] in accordance with a specified cryptographic algorithm [selection: SHA-256, SHA-384, SHA-512] with key sizes [assignment: key size (in bits) used in HMAC] and message digest sizes [selection: bits] that meet the following: [FIPS Pub 198-1 The Keyed-Hash Message Authentication Code and FIPS Pub 180-4 Secure Hash Standard].
Justification
SHA-1 algorithms from TLS Functional Package v1.1 and SSH Functional Package v1.0 cannot be selected when used with OS PP v4.3. Therefore, the 160 bits selection can be removed.