TD0366: Flexibility in Password Conditioning in FCS_COP.1(5)
Publication Date
2018.10.12
Protection Profiles
PP_MD_V3.1
Other References
FCS_COP.1.1(5), FCS_CKM_EXT.3.2
Issue Description
There are ways to afford flexibility in mechanisms to prevent dictionary attacks.
Resolution
and [selection: PBKDF2 with [assignment: number of iterations] iterations, [assignment: key stretching function], no other functions] and output cryptographic key sizes [selection: 128, 256] that meet the following: NIST [selection: SP 800-132, no standard].
- Derive the KEK from a Password Authentication Factor using according to FCS_COP.1.1(5) and
[
  - *Generate the KEK using an RBG that meets this profile (as specified in **FCS_RBG_EXT.1**)*,
  - *Generate the KEK using a key generation scheme that meets this profile (as specified in **FCS_CKM.1**)*,
  - *Combine the KEK from other KEKs in a way that preserves the effective entropy of each factor by [**selection**: using an XOR operation, concatenating the keys and using a KDF (as described in SP 800-108), concatenating the keys and using a KDF (as described in SP 800-56C), encrypting one key with another]*
].
*The evaluator shall review the TSS to verify that it contains a description of the conditioning used to derive KEKs. This description must include the size and storage location of salts. This activity may be performed in combination with that for **FCS_COP.1(5)**.*

*If the symmetric KEK is generated by an RBG, the evaluator shall review the TSS to determine that it describes how the functionality described by **FCS_RBG_EXT.1** is invoked. The evaluator uses the description of the RBG functionality in **FCS_RBG_EXT.1** or documentation available for the operational environment to determine that the key size being requested is greater than or equal to the key size and mode to be used for the encryption/decryption of the data.*

*If the KEK is generated according to an asymmetric key scheme, the evaluator shall review the TSS to determine that it describes how the functionality described by **FCS_CKM.1** is invoked. The evaluator uses the description of the key generation functionality in **FCS_CKM.1** or documentation available for the operational environment to determine that the key strength being requested is greater than or equal to 112 bits.*

*If the KEK is formed from a combination, the evaluator shall verify that the TSS describes the method of combination and that this method is either an XOR, a KDF, or encryption.*
- *The description must include how an approved untruncated MAC function is being used for the randomness extraction step and the evaluator must verify the TSS describes that the output length (in bits) of the MAC function is at least as large as the targeted security strength (in bits) of the parameter set employed by the key establishment scheme (see Tables 1-3 of SP 800-56C).*
- *The description must include how the MAC function being used for the randomness extraction step is related to the PRF used in the key expansion and verify the TSS description includes the correct MAC function:*
  - *If an HMAC-hash is used in the randomness extraction step, then the same HMAC-hash (with the same hash function hash) is used as the PRF in the key expansion step.*
  - *If an AES-CMAC (with key length 128, 192, or 256 bits) is used in the randomness extraction step, then AES-CMAC with a 128-bit key is used as the PRF in the key expansion step.*
- *The description must include the lengths of the salt values being used in the randomness extraction step and the evaluator shall verify the TSS description includes correct salt lengths:*
  - *If an HMAC-hash is being used as the MAC, the salt length can be any value up to the maximum bit length permitted for input to the hash function hash.*
  - *If an AES-CMAC is being used as the MAC, the salt length shall be the same length as the AES key (i.e. 128, 192, or 256 bits).*
Table 3: Notations used in SP 800-108 and SP 800-56C
- *One or more pseudorandom functions that are supported by the implementation (PRF).*
- *One or more of the values {8, 16, 24, 32} that equal the length of the binary representation of the counter (r).*
- *The length (in bits) of the output of the PRF (h).*
- *Minimum and maximum values for the length (in bits) of the derived keying material (L). These values can be equal if only one value of L is supported. These must be evenly divisible by h.*
- *Up to two values of L that are NOT evenly divisible by h.*
- *Location of the counter relative to fixed input data: before, after, or in the middle.*
  - *Counter before fixed input data: fixed input data string length (in bytes), fixed input data string value.*
  - *Counter after fixed input data: fixed input data string length (in bytes), fixed input data string value.*
  - *Counter in the middle of fixed input data: length of data before counter (in bytes), length of data after counter (in bytes), value of string input before counter, value of string input after counter.*
- *The length (I_length) of the input values I.*

- *One or more pseudorandom functions that are supported by the implementation (PRF).*
- *The length (in bits) of the output of the PRF (h).*
- *Minimum and maximum values for the length (in bits) of the derived keying material (L). These values can be equal if only one value of L is supported. These must be evenly divisible by h.*
- *Up to two values of L that are NOT evenly divisible by h.*
- *Whether or not zero-length IVs are supported.*
- *Whether or not a counter is used, and if so:*
  - *One or more of the values {8, 16, 24, 32} that equal the length of the binary representation of the counter (r).*
  - *Location of the counter relative to fixed input data: before, after, or in the middle.*
    - *Counter before fixed input data: fixed input data string length (in bytes), fixed input data string value.*
    - *Counter after fixed input data: fixed input data string length (in bytes), fixed input data string value.*
    - *Counter in the middle of fixed input data: length of data before counter (in bytes), length of data after counter (in bytes), value of string input before counter, value of string input after counter.*
- *The length (I_length) of the input values I.*

- *One or more pseudorandom functions that are supported by the implementation (PRF).*
- *The length (in bits) of the output of the PRF (h).*
- *Minimum and maximum values for the length (in bits) of the derived keying material (L). These values can be equal if only one value of L is supported. These must be evenly divisible by h.*
- *Up to two values of L that are NOT evenly divisible by h.*
- *Whether or not a counter is used, and if so:*
  - *One or more of the values {8, 16, 24, 32} that equal the length of the binary representation of the counter (r).*
  - *Location of the counter relative to fixed input data: before, after, or in the middle.*
    - *Counter before fixed input data: fixed input data string length (in bytes), fixed input data string value.*
    - *Counter after fixed input data: fixed input data string length (in bytes), fixed input data string value.*
    - *Counter in the middle of fixed input data: length of data before counter (in bytes), length of data after counter (in bytes), value of string input before counter, value of string input after counter.*
- *The length (I_length) of the input values I.*
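
The following added example (not part of the TD or the Protection Profile) implements a counter-mode KDF in the style of SP 800-108 with HMAC as the PRF, driven by the parameters listed above (PRF, r, h, L, counter location, fixed input data), together with the HMAC extract-then-expand pairing required for SP 800-56C. The function names, the `split` parameter and the sample values are assumptions made for illustration; only HMAC-hash and whole-byte values of L are handled.

```python
import hashlib
import hmac

# Constructed sample inputs (not test vectors from any standard).
SAMPLE_KEY = bytes(range(32))
SAMPLE_FIXED = b"constructed-label\x00constructed-context"

def kdf_counter(key_in, fixed, L_bits, r=32, location="before", split=0,
                hash_name="sha256"):
    """Counter-mode KDF, HMAC as PRF; `fixed` is the opaque fixed input data.

    Names and the `split` offset (bytes of fixed data before the counter)
    are assumptions of this example.
    """
    if r not in (8, 16, 24, 32):
        raise ValueError("r must be one of 8, 16, 24, 32")
    if location not in ("before", "after", "middle"):
        raise ValueError("location must be before, after or middle")
    if L_bits <= 0 or L_bits % 8:
        raise ValueError("this example handles whole-byte L only")
    h_bytes = hashlib.new(hash_name).digest_size   # h, in bytes
    L_bytes = L_bits // 8
    n = -(-L_bytes // h_bytes)                      # ceil(L / h) PRF calls
    if n > 2 ** r - 1:
        raise ValueError("L needs more PRF calls than an r-bit counter allows")
    out = b""
    for i in range(1, n + 1):
        ctr = i.to_bytes(r // 8, "big")             # [i] as an r-bit string
        if location == "before":
            msg = ctr + fixed
        elif location == "after":
            msg = fixed + ctr
        else:
            msg = fixed[:split] + ctr + fixed[split:]
        out += hmac.new(key_in, msg, hash_name).digest()
    return out[:L_bytes]   # leftmost L bits, so L need not be a multiple of h

def two_step_kdf(shared_secret, salt, fixed, L_bits, hash_name="sha256"):
    """Extraction keyed by the salt, then expansion with the same HMAC-hash."""
    k_dk = hmac.new(salt, shared_secret, hash_name).digest()
    return kdf_counter(k_dk, fixed, L_bits, hash_name=hash_name)
```

With an 8-bit counter and SHA-256, any L above 255 × 256 bits is rejected, which is the boundary an evaluator would probe when r and the maximum L are both claimed.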
Justification
See issue description.