[NIT Request]: FCS_TLSS_EXT.1.3 test 1ii for TLS 1.3

[mclearn]

Requesting Organization: Lightship Security

Status: [ ] On-going certification [X] Preparatory/Other

Certification Deadline Dates: N/A

SFR or Section of cPP/SD in question: FCS_TLSS_EXT.1.3 test 1ii for TLS 1.3 use case (paragraph 496 in the current SD PDF). I think this test case might also be referred to as FCS_TLSS_EXT.1.3 test 1b in the ASCII doc.

"The evaluator shall attempt a connection using a supported ECDHE ciphersuite (TLS 1.2) or group (TLS 1.3) and a single unsupported elliptic curve (e.g. secp192r1 (0x13)) specified in RFC4492, chap. 5.1.1. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established."

Issue: When using TLS 1.3, it is unclear what it means to use "...a supported ECDHE ... group (TLS 1.3) and a single unsupported elliptic curve..." In TLS 1.3 there are two portions to the Client Hello which use group information: the key_share extension and the supported_groups extension. If we set both to a supported group/curve (eg. P-256) (i.e. test 1i), then the connection works as expected. If we try to set both to an unsupported group/curve, then the client will send a Client Hello, and the TOE server will NOT return a Server Hello (which is the desired response). If we try to manipulate the Client Hello to set (for example) the key_share to a supported value and the supported_groups extension to another, then it isn't clear this is actually testing the intent of the test case (test for unsupported TLS 1.3 groups).

Proposed Resolution: I believe that the test should be modified lightly for the purposes of TLS 1.3 to get the desired outcome.

"For TLS 1.2, the evaluator shall attempt a connection using a supported ECDHE ciphersuite and a single unsupported elliptic curve (e.g. secp192r1 (0x13)) specified in RFC4492, chap. 5.1.1. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established.
For TLS 1.3, the evaluator shall attempt a connection using a supported ciphersuite and a single unsupported group. Both the key_share and supported_groups extensions must be set to the same unsupported group. The evaluator shall verify that the TOE does not send a Server Hello message and the connection is not successfully established."

Rationale: The proposed resolution covers several main things: 1) Fixes the ambiguity between a "supported group" and an "unsupported elliptic curve". 2) Decouples the idea of ciphersuites and curves/groups from the protocol versions. 3) Realizes that groups in TLS 1.3 can be FFC or EC and permits the use of either for this negative test case.

[kr15tyk]

On the TLSWG call today, the group agreed with the proposed resolution.

[kr15tyk]

Update made in Commit https://github.com/ND-iTC/Documents/commit/4d97b1a7628a9e4d871eb900a26d751a5245f89b