TD0702: DIT Technical Decision for Additional Workload Options in FCS_COP.1/PBKDF
Publication Date
2022.12.19
Protection Profiles
CPP_DSC_V1.0
Other References
FCS_COP.1/PBKDF, SD
Issue Description
The FCS_COP.1/PBKDF requirement provides only a single method for ensuring the workload necessary to by requiring at least 1000 iterations of a PBKDF function. There are additional methods for ensuring a sufficient workload equivalent to the 1000 PBKDF iterations that should be allowed. Resolution
FCS_COP.1/PBKDF in cPP_DSC_v1.0 is modified as follows (yellow highlights for additions, strikethrough for deletions): FCS_COP.1.1/PBKDF The TSF shall perform [password-based key derivation functions] in accordance with a specified cryptographic algorithm [HMAC-[selection: SHA-256, SHA-384, SHA-512] ], with [selection: [assignment: integer number greater than or equal to 1000 iterations], at least 1 iteration followed by a function equivalent to the workload of at least 1000 ] iterations], and output cryptographic key sizes [selection: 128, 192, 256] bits that meet the following standard: [NIST SP 800-132].
Section 4.1.3.1 of cPP_DSC_v1.0-SD is updated as follows (yellow highlights for additions, strikethrough for deletions): 4.1.3.1.1 TSS The evaluator shall review the TSS to verify that it contains a description of the PBKDF. The evaluator shall also confirm the ST TSF supports the selected hash function itself. The evaluator shall confirm that the TSS contains a description of how the TOE ensures that the output of the PBKDF is at least the same length as that specified in FCS_CKM.1/SK and for the KeyDrv4, KeyDrv5, or KeyDrv6 in FCS_CKM_EXT.5. If the ST claims iterations less than 1000 iterations, the evaluator shall verify the TSS contains a description of the workload function used to claim equivalence to at least 1000 iterations of PBKDF. If the ST TSF performs additional conditioning, whitening, or manipulation of the password or passphrase before applying the PBKDF, or to the output of the PBKDF, the evaluator shall ensure that the TSS describes the actions and provides assurance that the TSF does not negatively impact the entropy of the PBKDF output. If any manipulation of the key is performed in forming the submask that will be used to form the KEK, that process shall be described in the TSS. 4.1.3.1.2 AGD There are no AGD evaluation activities for this component. 4.1.3.1.3 Test No explicit testing of the formation of the submask from the input password is required. For the NIST SP 800-132-based conditioning of the passphrase, the required evaluation activities will be performed when doing the evaluation activities for the appropriate requirements (FCS_COP.1/HMAC). The evaluator shall verify that the iteration count for PBKDFs performed by the TOE comply with NIST SP 800-132 by ensuring that the TSS contains a description of the estimated time required to derive key material from passwords and how the TOE increases the computation time for password-based key derivation (including but not limited to increasing the iteration count). 4.1.3.1.4 KMD There are no KMD evaluation activities for this component. If the ST claims less than 1000 PBKDF iterations, the evaluator shall verify the KMD contains a description of the process for increasing the workload. The description shall provide a flow diagram of the operations involved including the keys used in the operations. The evaluator shall also confirm that the TSF supports any algorithms in use for this sequence of operations. The KMD shall include an equivalency argument comparing the workload (time to completion) using at least 1000 PBKDF iterations vs the workload of the alternative process. For more information, please see the DIT technical decision here: https://dsc-itc.github.io/TD/DSC0001.html
Justification
The FCS_COP.1/PBKDF requirement mandates a specific implementation to thwart brute force attacks on the DSC. As there are many different approaches that can be used to thwart such attacks, the cPP and SD can be updated to be less prescriptive in the implementation details while providing equivalent strength in terms of the workload required. |