PD 0145: Enabling/Disabling of Verification of Cryptographic Key Testing in WLAN PP
- Subject: PD 0145: Enabling/Disabling of Verification of Cryptographic Key Testing in WLAN PP
- From: "Observation Decisions Review Board" <faigin@aero.org>
- Date: Fri, 12 Sep 2008 14:29:17 -0700
During its July 2008 meeting, the ODRB reviewed recent ODs and developed the
following Precedent Decision. Comments on this decision are welcome and will be
considered at the next ODRB meeting:
PD 0145:
TITLE
Enabling/Disabling of Verification of Cryptographic Key Testing in WLAN PP
ISSUE
The WLAN PP requires that the TOE include a FIPS-140-2 validated module
(FCS_BCM_EXP.1). The TOE's cryptographic module must run the suite of FIPS
140-2 self-tests after the generation of a key (FPT_TST_EXP.2.2).
The WLAN PP additionally requires that the TOE be able to enable/disable
verification of cryptographic key testing in the following requirement
(FMT_SMF.1.1(3)):
FMT_SMF.1.1(3) The TSF shall be capable of performing the
following security management functions: [set, modify, and
delete the cryptographic keys and key data in support of the
Wireless Client Policy and enable/disable verification of
cryptographic key testing].
The FMT_SMF.1.1(3) requirement includes the capability to
"enable/disable verification of cryptographic key testing". However, the
meaning of this functionality is not clear; specifically, it is unclear
what is meant by verification of testing. It is not clear if the
required functionality is the same as mandating that the TSF be able to
allow for the enabling and disabling of key testing.
If the intent was to refer to enabling/disabling of key testing, this
appears to violate the self-test requirements of FIPS 140-2, which
mandate that key testing be performed after the generation of keys. In
particular, there should be no capability required to disable key
testing.
RESOLUTION
In the US Government Protection Profile Wireless Local Area Network
(WLAN) Client for Basic Robustness Environments, Version 1.1
(pp_wlan_cli_br_v1.1) and the US Government Wireless Local Area Network
(WLAN) Access System for Basic Robustness Environments, Version 1.1
(pp_wlan_as_br_v1.1), as well as the prior versions of these profiles
that have been sunsetted, the SFR FMT_SMF.1.1(3) is modified to delete
the phrase "and enable/disable verification of cryptographic key
testing" from the completion of the assignment, giving:
FMT_SMF.1.1(3) The TSF shall be capable of performing the following
security management functions: [set, modify, and delete the
cryptographic keys and key data in support of the Wireless Client
Policy].
Note that products must still provide the ability to test keys after
generation, as this is required per FIPS 140-2. The TSF, however, is not
required to provide a capability to enable or disable this testing
capability.
RATIONALE
FIPS 140-2 mandates that keys be tested after generation. In order to be
FIPS compliant, this capability must never be disabled, and the PP
requires FIPS compliance. Thus, requiring the ability to disable the
capability is pointless. If there is no way to disable the capability,
and FIPS requires the capability to be present (and thus enabled), there
is no need to provide the ability to enable the capability once the
system is operational.