Welcome to the Acumen Security Blog

Updates to the OSPP

In the beginning of March an updated version of the Protection Profile for General Purpose Operating Systems was released. This brings the OSPP up to version 4.1, with version 4.0 now having a sunset date of September 9, 2016. The changes to this version of the PP are relatively modest and all of them affect cryptographic support (FCS) SFRs.

The first change to the PP is that the use of FFC schemes for asymmetric cryptographic key generation and cryptographic key establishment is now permitted. The affected SFRs are FCS_CKM.1(1) and FCS_CKM.2(1). Version 4.0 of the OSPP had only allowed the use of RSA and ECC schemes for key generation and RSA-based schemes for key establishment. These options are retained in version 4.1, but FFC schemes that meet FIPS 186-4 Appendix B.1 (for key generation) NIST SP 800-56A (for key establishment) are now selectable options as well.

The second change to the updated PP is the removal of AES-CCMP from the required list of algorithms for data encryption/decryption in FCS_COP.1(1). CCMP remains an optional selection and becomes mandatory if the WLAN Client Extended Package is included in an ST. Since CCMP is designed for WLAN use its inclusion only makes sense for a TOE that has WLAN client functionality. This change reflects the move towards more modular PPs with optional extended packages.

The final change that has been made is the removal of X9.31 DRBGs as an option from FCS_RBG_EXT.1.1. These types of DRBGs were deprecated in 2015 and this change brings the OSPP up to current standards.

Speak Your Mind