3

We are working to make a product Common Criteria compliant for one of our customers. The client part of the product uses OpenSSL for TLS communication, which implies that we need to fulfill the requirement for FCS_CKM.2 Cryptographic Key Establishment.

Since we have restricted the cipher suites to RSA-based ones only, the requirement for us is that RSA-based key establishment should fulfill NIST Special Publication SP 800-56B, which is currently not claimed by OpenSSL. I would like to know what could be a NIAP-acceptable resolution for this.

OpenSSL tls1.2

peterh
  • 2
    The TLS standards do not allow keyexchange using any of the methods in SP800-56B, and OpenSSL follows the standards so it doesn't either. I don't know about NIAP, but for NIST's jurisdiction (FISMA) SP800-52r1 from 2014 currently allows the RSA keytransport specified by TLS, which is RSAES-PKCS1v1_5 applied to a premaster secret that is mostly random but with tweaks to block some downgrade attacks. A draft of r2 released last Nov. proposes to delete those and permit only [EC]DH keyagreements (including the nonephemeral variants!?); I think you can still comment if you want. – dave_thompson_085 Feb 18 '18 at 08:39

2 Answers

1

Short answer: You need to find a different approach to meeting the FCS_CKM.2 requirement.

Long answer: Until the next revision of SP 800-56B is finalized, RFC-conforming TLS is not directly compatible with SP 800-56B. The issue is establishing a common shared secret. In SP 800-56B it is defined differently from how RFC-implementing TLS operates. NIST realized this, conceded that nobody uses their method with TLS, and allowed in SP 800-56B rev.1 "application-specific" use of the SP 800-135 KDF that is compatible with how TLS operates.

Kirill Sinitski
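The key-establishment path discussed in the comments and in this answer, as an added example (not code from the original posts or from OpenSSL): the 48-byte premaster secret carrying the offered version, the server-side check on it after RSA decryption, and the RFC 5246 PRF (the TLS 1.2 KDF covered by SP 800-135) that turns it into the master secret. The RSAES-PKCS1-v1_5 step itself is left out, all function names are hypothetical, and HMAC-SHA256 is assumed as the PRF hash.

```python
import hashlib
import hmac
import os

TLS12 = b"\x03\x03"  # ClientHello.client_version for TLS 1.2

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # block i
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_hash over label || seed."""
    return p_sha256(secret, label + seed, length)

def new_premaster(offered_version: bytes = TLS12) -> bytes:
    """Client side: 2 version bytes + 46 random bytes (the 'mostly random' secret)."""
    return offered_version + os.urandom(46)

def server_premaster(decrypted, offered_version: bytes) -> bytes:
    """Server side, after RSA decryption (decrypted is None on a padding failure).

    On any failure, continue with a random substitute instead of alerting, so
    the peer cannot tell which check failed (RFC 5246 section 7.4.7.1). The
    substitute is generated up front so both paths do the same work.
    """
    fallback = offered_version + os.urandom(46)
    if decrypted is None or len(decrypted) != 48:
        return fallback
    # The embedded version must match the ClientHello: this is the rollback check.
    if not hmac.compare_digest(decrypted[:2], offered_version):
        return fallback
    return decrypted

def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", randoms)[0..47]."""
    return prf(premaster, b"master secret", client_random + server_random, 48)

if __name__ == "__main__":
    cr, sr = os.urandom(32), os.urandom(32)  # constructed hello randoms
    pm = new_premaster()
    ms = master_secret(server_premaster(pm, TLS12), cr, sr)
    print("master secret:", ms.hex())
```

With a substituted premaster the two sides derive different master secrets, so the handshake fails later at the Finished check rather than at the decryption step.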
0

See here for a reference about the OpenSSL versions supporting the requested RSAES-OAEP algorithm.

If you want FIPS-140 it looks like you have to wait like everyone else for OpenSSL FIPS 140-3, as I have not seen the requested NIST specifications in any other free crypto library such as NaCl etc.

As Mr. Thompson mentions, it is not currently defined in RFC 5246 (TLS 1.2) nor the new 1.3 draft for TLS.

jas-
  • 3
    OpenSSL has supported RSA-OAEP as an algorithm for a long time -- I think soon after PKCS1v2.0 in 1998. But it can't use OAEP for keyexchange _in TLS_ because the standards (RFCs) for TLS do not allow it. – dave_thompson_085 Feb 18 '18 at 08:30