5.1 TOE Security Functional Requirements
5.1.2 Cryptographic Support (FCS)
5.1.2.1 Cryptographic key generation (SSL: Symmetric algorithms) (FCS_CKM.1(1))
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm as defined in the SSL v3 standard and specified cryptographic key sizes 128 bit (RC4), 168 bit (TDES), 128 bit (AES), 256 bit (AES) that meet the following: generation and exchange of session keys as defined in the SSL v3 standard with the cipher suites defined in FCS_COP.1(2).
Application Note: Generation of symmetric keys is defined in section 6.2 in the SSL v3 standard. The OpenSSL library used by the TOE also supports SSL v2, but this is seen as being not part of the evaluated configuration. The evaluation will assess that the keys are generated in accordance with the requirements defined in the SSL v3 standard. With respect to the strength of function, no assessment of the strength of the cryptographic algorithm itself and no analysis for potential weaknesses of keys with respect to the algorithm is performed. The key generation process will only be analysed and rated with respect to the entropy of the input to the key generation process and with respect to the fact that any postprocessing of this input will maintain the entropy.
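The following added example (not part of the Security Target or of OpenSSL) sketches the SSL v3 symmetric key derivation, following the construction published in RFC 6101, and partitions the key block for the cipher suites listed in FCS_COP.1(2). The function names and the constructed sample inputs are assumptions made for illustration; the only secret input is the pre-master secret, which is why the entropy of that input is what the key generation analysis rests on.

```python
import hashlib

# Bytes of (MAC secret, cipher key, IV) per direction for the cipher suites
# named in FCS_COP.1(2); a 3DES key is 24 bytes carrying 168 key bits.
SUITES = {
    "SSL_RSA_WITH_RC4_128_SHA":      (20, 16, 0),
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": (20, 24, 8),
    "TLS_RSA_WITH_AES_128_CBC_SHA":  (20, 16, 16),
    "TLS_RSA_WITH_AES_256_CBC_SHA":  (20, 32, 16),
}

def ssl3_expand(secret, seed, length):
    """SSL v3 expansion: MD5(secret + SHA1(label + secret + seed)) per block."""
    out = b""
    for i in range(1, 27):                      # labels 'A', 'BB', 'CCC', ...
        if len(out) >= length:
            break
        label = bytes([ord("A") + i - 1]) * i
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out[:length]

def master_secret(pre_master, client_random, server_random):
    # 48-byte master secret; seed order is ClientHello.random + ServerHello.random
    return ssl3_expand(pre_master, client_random + server_random, 48)

def session_keys(master, client_random, server_random, suite):
    mac_len, key_len, iv_len = SUITES[suite]
    # Key block seed order is reversed: ServerHello.random + ClientHello.random
    block = ssl3_expand(master, server_random + client_random,
                        2 * (mac_len + key_len + iv_len))
    keys, pos = {}, 0
    for name, size in (("client_write_MAC_secret", mac_len),
                       ("server_write_MAC_secret", mac_len),
                       ("client_write_key", key_len),
                       ("server_write_key", key_len),
                       ("client_write_IV", iv_len),
                       ("server_write_IV", iv_len)):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

if __name__ == "__main__":
    # Constructed inputs: fixed bytes stand in for the 48-byte pre-master
    # secret and the two 32-byte hello randoms.
    pre, cr, sr = b"\x03\x00" + b"\x11" * 46, b"\xc1" * 32, b"\x5e" * 32
    ms = master_secret(pre, cr, sr)
    for suite in SUITES:
        print(suite, {n: len(v) for n, v in session_keys(ms, cr, sr, suite).items()})
```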
5.1.2.2 Cryptographic key generation (SSH: Symmetric algorithms) (FCS_CKM.1(2))
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm as defined in the SSH v2 standard [SSH-TRANS] and specified cryptographic key sizes 168 bit (TDES) that meet the following: generation and exchange of session keys as defined in the SSHv2 standard using the Diffie-Hellman key negotiation protocol.
Application Note: For details of the key generation / key negotiation process see section 4.5, chapter 5 and chapter 6 of the SSH Transport Layer Protocol specification [SSH-TRANS] as published by the Secure Shell Charter of the Internet Engineering Task Force (IETF). The evaluation will assess that the keys are generated in accordance with the requirements defined in the SSH v2 standard. The key generation process will only be analysed and rated with respect to the entropy of the input to the key generation process and with respect to the fact that any postprocessing of this input will maintain the entropy.
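The following added example (not part of the Security Target or of OpenSSH) shows how the SSH transport layer turns the Diffie-Hellman shared secret into 3des-cbc session keys, using the derivation published in RFC 4253, section 7.2, with SHA-1 as used by diffie-hellman-group1-sha1. The function names and the constructed values for K, H and the session identifier are assumptions; in a real exchange they come from the key negotiation.

```python
import hashlib

def mpint(n):
    """SSH mpint encoding of a non-negative integer: 4-byte length, then
    big-endian two's complement (a leading zero byte if the top bit is set)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw

def derive(K, H, letter, session_id, length):
    """K1 = SHA1(K || H || letter || session_id); Kn = SHA1(K || H || K1..Kn-1)."""
    k = mpint(K)
    out = hashlib.sha1(k + H + letter + session_id).digest()
    while len(out) < length:
        # 3des-cbc needs 24 key bytes but SHA-1 yields 20, so the extension
        # step runs: the extra bytes are a function of K, H and the bytes
        # already derived, not of any new secret input.
        out += hashlib.sha1(k + H + out).digest()
    return out[:length]

def session_keys_3des(K, H, session_id):
    """IVs (8 bytes) and encryption keys (24 bytes) for both directions."""
    return {
        "iv_c2s":  derive(K, H, b"A", session_id, 8),
        "iv_s2c":  derive(K, H, b"B", session_id, 8),
        "key_c2s": derive(K, H, b"C", session_id, 24),
        "key_s2c": derive(K, H, b"D", session_id, 24),
    }

if __name__ == "__main__":
    # Constructed values: K stands in for the DH shared secret, H for the
    # exchange hash; on the first key exchange session_id equals H.
    K = int.from_bytes(b"\x9a" * 128, "big")
    H = hashlib.sha1(b"constructed exchange hash input").digest()
    for name, value in session_keys_3des(K, H, H).items():
        print(name, len(value), value.hex())
```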
5.1.2.3 Cryptographic key generation (SSL: RSA) (FCS_CKM.1(3))
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm product specific and specified cryptographic key sizes 1024 bit that meet the following: not specified
Application Note: The SSL v3 specification does not define how the RSA key pair is generated. This is up to the implementation. Almost all implementations of the SSL v3 standard have their own algorithm for RSA key pair generation (if they support cipher suites that use RSA). Therefore the key generation algorithm and the standard to follow are not defined here. Only the required key size is specified. The evaluation will assess that the keys generated form a correct RSA key pair. The key generation process will only be analysed and rated with respect to the entropy of the input to the key generation process and with respect to the primality tests and the probability of the numbers chosen to be prime.
5.1.2.4 Cryptographic key distribution (SSL: RSA public keys) (FCS_CKM.2(1))
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method digital certificates for public RSA keys that meets the following: certificate format as defined in the standard X.509 Version 3.
Application Note: This requirement addresses the exchange of public RSA keys as part of the SSL client and server authentication.
5.1.2.5 Cryptographic key distribution (SSH: Diffie-Hellman key negotiation) (FCS_CKM.2(2))
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method diffie-hellman-group1-sha1 that meets the following: Specification in [SSH-TRANS].
Application Note: The Diffie-Hellman protocol can be seen as a combined way to generate and distribute a shared session key between two communicating parties. The Diffie-Hellman algorithm used by SSH is therefore mentioned in both the key generation and the key distribution security functional requirements.
5.1.2.6 Cryptographic key distribution (SSH: DSS public keys) (FCS_CKM.2(3))
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method digital certificates for public DSS keys that meets the following: ssh-dss key format as defined in: [SSH-TRANS].
5.1.2.7 Cryptographic key distribution (SSL: Symmetric keys) (FCS_CKM.2(4))
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method Secure Socket Layer handshake using RSA encrypted exchange of session keys that meets the following: SSL Version 3 [SSLv3].
Application Note: This requirement addresses the exchange of SSL session keys as part of the SSL handshake protocol.
5.1.2.8 Cryptographic operation (SSL: RSA) (FCS_COP.1(1))
FCS_COP.1.1 The TSF shall perform digital signature generation and digital signature verification in accordance with a specified cryptographic algorithm RSA and cryptographic key sizes 1024 bit that meet the following: [SSLv3].
Application Note: This requirement addresses the RSA digital signature generation and verification operations using the RSA algorithm as required by the SSL session establishment protocol (provided a cipher suite including RSA is used). Note that the details of the signature format such as the use of the PKCS#1 block type 1 and block type 2 are defined in the SSL Version 3 standard.
5.1.2.9 Cryptographic operation (SSL: Symmetric operations) (FCS_COP.1(2))
FCS_COP.1.1 The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm RC4, TDES and AES and cryptographic key sizes 128 bit (RC4), 168 bit (TDES), 128 bit (AES) and 256 bit (AES) that meet the following: SSL Version 3 [SSLv3] and the following cipher suites:
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, as defined in the SSL v3 standard and TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA as defined in [TLS-AES].
5.1.2.10 Cryptographic operation (SSH: Symmetric operations) (FCS_COP.1(3))
FCS_COP.1.1 The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm TDES and cryptographic key sizes 168 bit (TDES) that meet the following: SSH Transport Layer Protocol [SSH-TRANS] and the following cipher suite: 3des-cbc as defined in [SSH-TRANS].