reference update

[woodbe]

This updates the references in the document to the latest iterations of the specs that are published. The catalog doesn't have some of these, but it would seem that these are the right ones to list given they are the current versions and the older ones are no longer considered up to date.

This is to close #109

[jvdsn]

Do we want to add all references from the Crypto Catalog here? If so, the reference list should be expanded quite a bit.

[jvdsn]

I added a bunch of extra references to ISO and NIST standards which are referenced throughout the FCS SFRs from the crypto catalog. Still missing are a few RFC, ANSI, IEEE, and SECG references. I don't know if #109 can be closed until those are added.

[woodbe]

So my thoughts had actually been to just ignore the ones they didn't actually have listed in large part because explicitly including all the algorithms led to questions that didn't always have a good answer (like the official spec for the Korean algorithm, for one). I'm OK adding this though, I think that it in part makes the argument that the tests are "known good answer tests" better since we are pointing to the algorithm and mode in question.

[jvdsn]

So right now the following items are explicitly referenced in the cPP body text (i.e., as "[XXXX]"):

• [CC] (Section 1.2)
• [CC1] (Section 1.2, 3, Appendix G)
• [CC2] (Section 3, 6.1, Appendix C)
• [CC3] (Section 3)
• [CC4] (Section 3)
• [CC5] (Section 3)
• [CEM] (Section 3)
• [CC-E&I] (Section 3)
• [DSC SD] (Section 1.1, 3, 6, 7)
• [ISO-TR] (Section 6.6.4)
• [GP_ROT] (Section 6.6.6, Table 27)
• [SA] (Table 27)
• [GD] (Table 27)
• [NIST-ROTM] (Table 27)

Table 1 contains a list of "related documents", which contains:

• [CC1]
• [CC2]
• [CC3]
• [CC4]
• [CC5]
• [CEM]
• [CC-E&I]
• [DSC-SD]

Prior to this pull request, the References section contains:

• [FIPS-HMAC]
• [FIPS-SHA]
• [GD]
• [GP_ROT]
• [ISO-CIPH]
• [ISO-CMAC]
• [ISO-HASH]
• [ISO-HMAC]
• [ISO-RBG]
• [ISO-TR]
• [NIST-CMAC]
• [NIST-KDRV]
• [NIST-KDV]
• [NIST-ROTM]
• [SA]

Rather than adding more references, maybe we should remove the ones that are not explicitly used in the body text?

[woodbe]

Honestly I was being lazy on not adding all the algorithm references. I think it makes the document better if we capture all the "standards" we list in the document where feasible.

What may be useful instead would be to break things out into "Standards" and "References" at the end. So basically the crypto standards are listed on their own, and then other references would be listed separately. So things like the GD, GP_ROT, NIST_ROTM and SA, which are all useful (even if only the GP_ROT is explicitly referenced in the doc) would be listed separately and so it would be clear what the references are targeting.

I think this would literally be just breaking these into two subsections in this appendix, and probably only those 4 would be moved.

So call the appendix "References & Standards" and then have subsections for each and be done.

WDYT?

[slpotte]

👍

[woodbe]

@jvdsn will finish adding the other references as mentioned in https://github.com/DSC-iTC/cPP/pull/344#issuecomment-2264548363

[jvdsn]

@woodbe could you review?

[woodbe]

Application Note 45 mentions NIST SP 800-90B and AIS-31. We should add those as references even though they aren't in the SFR itself. Related for the 800-90B, should that be listed as 800-90B Rev. 1 given it is the first version still (as it is currently in a draft state for the next iteration)?

[jvdsn]

@jvdsn is this really a reference (this is the ISO-TR commit, since I thought it would link there instead of a general comment)? I get that it isn't a cryptographic algorithm or mode, but it is basically the test requirements for a FIPS module evaluation, so shouldn't it be left in the standards section? I'm not wedded either way, just not sure this one should be moved.

The only reason why I added it there is because of The TOE's protection against abnormal temperature and voltage can be considered equivalent to what is required by assertion AS07.77 of [ISO-TR]. in FPT_PHP.3 Resistance to Physical Attack.

I see your point though, maybe it does make more sense to put it under standards.

Application Note 45 mentions NIST SP 800-90B and AIS-31. We should add those as references even though they aren't in the SFR itself. Related for the 800-90B, should that be listed as 800-90B Rev. 1 given it is the first version still (as it is currently in a draft state for the next iteration)?

Oops, not sure how I missed those. I added them, though I'm not sure why you're referring to Rev.1 for 800-90B. For NIST standards, "Rev. 1" means it's the second version of the standard (the first revision).

[woodbe]

Honestly I hadn't thought about "Rev 1" basically being v2, so that was just me asking (I don't really pay attention to their versions so much). They were easy to miss though because they were specifically buried in the app note, they weren't in any SFR.

[woodbe]

I would prefer to have the TR under the standards, though I do understand what you are saying. It really can apply to both, but that is an ISO standard (I don't know if we would call a GP doc a standard, and the others are more like white papers).

[jvdsn]

I would prefer to have the TR under the standards, though I do understand what you are saying. It really can apply to both, but that is an ISO standard (I don't know if we would call a GP doc a standard, and the others are more like white papers).

I reverted the commit

[JDavid-Thompson]

Stan,

I’m not sure what your are asking. I was on github today trying to find out how to accept the changes to my pull requests and I might have inadvertently pushed some button I didn’t understand. I could find nothing that seemed to do what I think needs to be done regarding my suggestions.

Is there guidance on how the DSC iTC uses the github GUI? I found lots of CLI documentation.

Thanks.

-Dave

From: slpotte @.> Sent: Tuesday, August 27, 2024 4:38 PM To: DSC-iTC/cPP @.> Cc: J David D Thompson @.>; Review requested @.> Subject: Re: [DSC-iTC/cPP] reference update (PR #344)

@slpotte commented on this pull request.

Most of these have been added to the catalog, or were already there. What is the relevance of the first three IEEE standards?

— Reply to this email directly, view it on GitHubhttps://github.com/DSC-iTC/cPP/pull/344#pullrequestreview-2264405668, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BFSTVCKCSNVZ6G6OMGUMNJLZTTPRHAVCNFSM6AAAAABLNEH6E6VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDENRUGQYDKNRWHA. You are receiving this because your review was requested.Message ID: @.***>

[woodbe]

The closest instructions are https://itc-wgtools.github.io. These were written a few years ago, but largely walk you through it in the website or offline (if you use the GitHub desktop app). Whether it answers your specific questions though, I'm not sure (I wrote this pre-pandemic and it hasn't been updated in a long while).

[jvdsn]

Most of these have been added to the catalog, or were already there. What is the relevance of the first three IEEE standards?

CCMP and GCMP might not be part of the Crypto Catalog, in which case you can ignore them.

[slpotte]

Oh, yes. We deferred CCMP and GCMP until the next version of the catalog. Thanks!