Version: 1, Published: 2025-10-27
Impacted Documents
- CPP_HCD_V1.0e
References
CPP:
- 5.3.7. FCS_COP.1/SigGen Cryptographic Operation (Signature Generation and Verification)
Issue Description
HCDcPP v1.0e references the now-withdrawn (February 3, 2024) FIPS 186-4 Digital Signature Standard for RSA digital signatures. NIAP TD0937 (published August 5, 2025) clarifies stricter NIAP PCL requirements, making 3072-bit modulus RSA keys the minimum, and effectively the only, length available. FIPS 186-5 provides for additional key lengths to meet NIAP TD0937 requirements.
Resolution
Future revisions of the HCDcPP will replace FIPS 186-4 with FIPS 186-5. The intent of the change is to permit, rather than require, FIPS 186-5 implementations in HCDcPP v1.0e for evaluations requiring NIAP PCL listing.
- Add RFC 8017 and FIPS PUB 186-5 to the permitted standards for RSA schemes in FCS_COP.1.1/SigGen, based on the List of Standards expected in the upcoming Common Criteria Crypto Catalog.
CPP_HCD_V1.0e
- Modify FCS_COP.1.1/SigGen:
FCS_COP.1.1/SigGen
that meet the following: [selection:
Case: RSA schemes
- FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3; RFC 8017 (Section 8.2) [PKCS #1 v2.2], FIPS PUB 186-5 (Section 5.4) [RSASSA-PKCS1-v1_5].