The FIT has issued a technical decision for FCS_SNI_EXT.1.3 and FCS_COP.1(f).

CPP_FDE_AA_V2.0E and its Supporting Document are modified as follows, with green highlight with bold indicating addition, and red highlight with strikethrough indicating deletion:

FCS_SNI_EXT.1.3 in CPP_FDE_AA_V2.0E is modified as follows:

FCS_SNI_EXT.1.3 The TSF shall [selection: use no IVs, create IVs in the following manner [selection:

• CBC: IVs shall be non-repeating and unpredictable;

• CCM: Nonce shall be non-repeating and unpredictable;

• XTS: No IV. Tweak values shall be non-negative integers, assigned consecutively, 28 and starting at an arbitrary non-negative integer;

• GCM: IV shall be non-repeating. The number of invocations of GCM shall not exceed 30 2^32 for a given secret key]].

The TSS Evaluation Activity for FCS_SNI_EXT.1.3 in CPP_FDE_AA_V2.0E-SD is modified as follows:

TSS

If salts are used, tThe evaluator shall ensure the TSS describes how salts are generated. The evaluator shall confirm that the salt is generating using an RBG described in FCS_RBG_EXT.1 or by the Operational Environment. If external function is used for this purpose, the TSS should include the specific API that is called with inputs. If IVs or nonces are used, tThe evaluator shall ensure the TSS describes how nonces are created uniquely and how IVs and tweaks are handled (based on the AES mode). The evaluator shall confirm that the nonces are unique and the IVs and tweaks meet the stated requirements.

The Application Note for FCS_COP.1(f) in CPP_FDE_AA_V2.0E is modified as follows:

Application Note: The intent of this requirement in the context of this cPP is to provide a SFR that expresses the appropriate symmetric encryption/decryption algorithms suitable for use in the TOE. If the ST author incorporates the validation requirement (FCS_VAL_EXT.1) and chooses to select the option to decrypt a known value and perform a comparison, this is the requirement used to specify the algorithm, modes, and key sizes the ST author can choose from. Or, this requirement is used in the body of the ST if the ST author chooses to use AES encryption/decryption for protecting the keys as part of the key chaining approach that is specified in FCS_KYC_EXT.1.

When the XTS mode is selected, a cryptographic key of 256-bit or of 512-bit is allowed as specified in IEEE 1619. XTS-AES key is divided into two AES keys of equal size -for example, AES-128 is used as the underlying algorithm, when 256-bit key and XTS mode are selected. AES-256 is used when a 512-bit key and XTS mode are selected.

For further information, please see the FIT decision.