Guía de Seguridad de las TIC

CCN-STIC 2100-Anexo B

Cryptographic Mechanisms
Evaluation Vendor Questionnaire - Lite

Noviembre de 2024
 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

cpage.mpr.gob.es
Catálogo de Publicaciones de la Administración General del Estado
https://cpage.mpr.gob.es

Edita:
CENTRO CRIPTOLOGICO
NACIONAL
cn=CENTRO CRIPTOLOGICO
NACIONAL, 2.5.4.97=VATES-
Pº de la Castellana 109, 28046 Madrid S2800155J, ou=CENTRO
 Centro Criptológico Nacional, 2024 CRIPTOLOGICO NACIONAL,
o=CENTRO CRIPTOLOGICO
Fecha de Edición: noviembre de 2024 NACIONAL, c=ES
NIPO: 083-25-057-3. 2025.05.27 10:02:39 +02'00'

LIMITACIÓN DE RESPONSABILIDAD
El presente documento se proporciona de acuerdo con los términos en él recogidos, rechazando
expresamente cualquier tipo de garantía implícita que se pueda encontrar relacionada. En ningún caso, el
Centro Criptológico Nacional puede ser considerado responsable del daño directo, indirecto, fortuito o
extraordinario derivado de la utilización de la información y software que se indican incluso cuando se
advierta de tal posibilidad.

AVISO LEGAL
Quedan rigurosamente prohibidas, sin la autorización escrita del Centro Criptológico Nacional, bajo las
sanciones establecidas en las leyes, la reproducción parcial o total de este documento por cualquier medio
o procedimiento, comprendidos la reprografía y el tratamiento informático, y la distribución de
ejemplares del mismo mediante alquiler o préstamo públicos.

Centro Criptológico Nacional 2

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

TABLE OF CONTENTS
2
1 INTRODUCTION.................................................................................................... 5
1.1 OBJECTIVE ................................................................................................................5
1.2 STRUCTURE OF THE DOCUMENT .............................................................................5
2 TOE DEFINITION ................................................................................................... 7
3 CRYPTOGRAPHIC MECHANISMS IMPLEMENTATION ............................................. 9
3.1 SYMMETRIC ELEMENTARY PRIMITIVES ...................................................................9
3.1.1 BLOCK CIPHER......................................................................................................9
3.1.2 STREAM CIPHER...................................................................................................9
3.1.3 HASH FUNCTIONS ..............................................................................................10
3.1.4 SECRET SHARING ...............................................................................................11
3.1.5 EXTENDABLE-OUTPUT FUNCTIONS (XOF) .........................................................11
3.2 SYMMETRIC CONSTRUCTIONS ...............................................................................13
3.2.1 SYMMETRIC ENCRYPTION (CONFIDENTIALITY ONLY) .......................................13
3.2.2 DISK ENCRYPTION..............................................................................................14
3.2.3 INTEGRITY MODES: MESSAGE AUTHENTICATION CODE ..................................14
3.2.4 SYMMETRIC ENTITY AUTHENTICATION SCHEMES ............................................17
3.2.5 AUTHENTICATED ENCRYPTION (AE) ..................................................................17
3.2.6 KEY PROTECTION ...............................................................................................18
3.2.7 KEY DERIVATION FUNCTIONS (KDF) ..................................................................19
3.2.8 PASSWORD PROTECTION/HASHING MECHANISMS .........................................24
3.3 ASYMMETRIC ELEMENTARY PRIMITIVES ...............................................................27
3.3.1 RSA/INTEGER FACTORIZATION..........................................................................27
3.3.2 MULTIPLICATIVE DISCRETE LOGARITHM PROBLEM (FFDLOG) .........................28
3.3.3 ADDITIVE DISCRETE LOGARITHM PROBLEM (ECDLOG) ....................................29
3.4 ASYMMETRIC CONSTRUCTIONS.............................................................................33
3.4.1 ASYMMETRIC ENCRYPTION SCHEMES ..............................................................33
3.4.2 DIGITAL SIGNATURE ..........................................................................................34
3.4.3 KEY ESTABLISHMENT .........................................................................................40
3.5 RANDOM NUMBER GENERATORS .........................................................................43
3.5.1 DETERMINISTIC RANDOM NUMBER GENERATOR CONSTRUCTION .................43
3.5.2 DRNG INITIALIZATION .......................................................................................44
3.5.3 DRNG RESEEDING CONFIGURATION .................................................................44
4 CRYPTOGRAPHIC PROTOCOLS IMPLEMENTATION .............................................. 45
4.1 TRANSPORT LAYER SECURITY PROTOCOL (TLS) .....................................................46
4.1.1 TLS V1.3 .............................................................................................................46
4.1.2 TLS V1.2 .............................................................................................................48
4.2 SECURE SHELL (SSH) ...............................................................................................52
4.3 INTERNET PROTOCOL SECURITY (IPSEC) WITH IKEV2 ............................................54
5 REFERENCES....................................................................................................... 56
6 ACRONYMS ........................................................................................................ 57

Centro Criptológico Nacional 3

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Note:
This document is an official reference document
as part of the [CCN-MEMeC] methodology, so the
vendor shall complete the vendor-specific
version of this document.

Centro Criptológico Nacional 4

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

1 INTRODUCTION

1.1 OBJECTIVE
1. This document is a vendor questionnaire that aims to gather the required
information related to a cryptographic module implementation in order to
comply with the Certification Level 1 (CL1) of the CCN Cryptographic
Mechanisms Evaluation Methodology [CCN-MEMeC].
2. On the one hand, this document will help vendors provide information about
their cryptographic implementation with guided questions regarding the
cryptographic mechanisms implemented by the TOE. On the other hand, this
document also will help the tester to gather all the needed information about
the TOE cryptographic implementation by reducing the evaluation effort and
time of reviewing.
3. Taking into account that this document contains the main topics related to the
cryptographic mechanism implementation according to the [CCN-MEMeC]
methodology, it will be useful for vendors to avoid inconsistencies or forget to
include relevant information.

1.2 STRUCTURE OF THE DOCUMENT

4. The document is composed of a set of tables including the necessary questions
to help the vendor specify the information that will be required by the lab in
order to carry out the CL1 of the CCN Cryptographic Mechanisms Evaluation.
5. The document is organized with a structure similar to the main sections of the
[CCN-MEMeC] methodology and includes a table of questions for each type of
cryptographic mechanism (usually associated with a cryptographic test).
Therefore, this will help the tester to associate the vendor information with the
specific evaluation tasks.
6. The specific structure is as detailed below:
- The name of the question tables will be the same as their associated section
identifier, followed by the vendor questionnaire identifier, represented in the
following format: SectionID-VQ.
- Each table contains one or several questions related to vendor requirements
and evaluation tests that will be identified with the same number as the
question number indicated under the column name Q-ID.
7. The format of the table is as detailed below:

Centro Criptológico Nacional 5

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID SectionID-VQ

Description of Question 1
1
Row for vendor Answer 1

Description of Question 2
2
Row for vendor Answer 2

…
…
…

Description of Question N
N
Row for vendor Answer N

Centro Criptológico Nacional 6

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

2 TOE DEFINITION
8. This section contains information related to the Target of Evaluation (TOE). The
vendor shall provide the hardware, firmware, and/or software versions of the
TOE and a brief description of its functionality from the cryptographic operation
point of view.

Q-ID TOE Description

TOE Name

1 The vendor shall provide the name/model of the TOE under evaluation.

MEMEC Certification Level

2 The vendor shall indicate the certification level (CL1, CL2, or CL3).

Certification Level 1 (CL1)

TOE Versioning Information

The vendor shall provide the version of the TOE under evaluation.
Note: Indicate (N/A) if hardware, firmware, or software versions do not apply.

TOE Version
3
Hardware Version

Firmware Version

Software Version

TOE Description
The vendor shall provide a general description specifying the cryptographic
capabilities of the TOE.
This general description shall include at least the following information:
- Description of the TOE, indicating its main cryptographic functionalities.
- Descriptive figure of the TOE, indicating the cryptographic boundary that
will be subject to evaluation.
4 - List of all the cryptographic mechanisms included in each cryptographic
implementation of the TOE.
The purpose of each cryptographic mechanism implemented in the TOE shall be
detailed in the tables associated with each of them.

[TOE Description]
[TOE Figure]
[List of all the cryptographic mechanisms for each implementation]

Centro Criptológico Nacional 7

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID TOE Description

Cryptographic Mechanism Implementation

Centro Criptológico Nacional 8

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3 CRYPTOGRAPHIC MECHANISMS IMPLEMENTATION

9. This section contains the questions associated with the cryptographic
mechanisms implemented in the TOE. It aims to provide the tester with all the
needed information to demonstrate that the implementation of the
cryptographic primitives and cryptographic constructions complies with the
requirements from Section 3 “CCN Agreed Cryptographic Mechanisms” of the
[CCN-MEMeC] methodology.

3.1 SYMMETRIC ELEMENTARY PRIMITIVES

3.1.1 BLOCK CIPHER

Q-ID BlockCipher-VQ

Does the TOE implement Block Cipher cryptographic primitives?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Block Cipher cryptographic primitives implemented in the TOE?

2 ☐ AES-128 ☐ AES-192 ☐ AES-256

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Block

Cipher cryptographic primitive with its associated key length. If there is more
than one implementation for the same primitive, please provide the purpose
of each of them (on different rows).
6
(e.g., AES-128 is implemented in the TOE as a primitive of the AES-128-GCM
cryptographic mechanism of the cipher suites utilized by TLS v1.3)

3.1.2 STREAM CIPHER

Q-ID StreamCipher-VQ

Does the TOE implement Stream Cipher cryptographic primitives?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Stream Cipher cryptographic primitives implemented in the TOE?

Centro Criptológico Nacional 9

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID StreamCipher-VQ

☐ ChaCha20
2
☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Stream

Cipher cryptographic primitive. If there is more than one implementation for
the same primitive, please provide the purpose of each of them (on different
rows).
5
(e.g., Chacha20 is implemented in the TOE as a primitive of the ChaCha20-
Poly1305 cryptographic mechanism of the cipher suites utilized by TLS v1.3)

3.1.3 HASH FUNCTIONS

Q-ID Hash-VQ

Does the TOE implement Hash cryptographic primitives?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Hash cryptographic primitives implemented in the TOE?

☐ SHA2-256 ☐ SHA2-384 ☐ SHA2-512 ☐ SHA2-512/256

2
☐ SHA3-256 ☐ SHA3-384 ☐ SHA3-512 ☐ BLAKE2b

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Hash

cryptographic primitive. If there is more than one implementation for the
same primitive, please provide the purpose of each of them (on different
4 rows).
(e.g., All the CSPs stored in the TOE are encrypted with AES-256-KeyWrapping,
moreover, their SHA-256 digests are also stored in order to protect their
integrity)

Centro Criptológico Nacional 10

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID Hash-VQ

3.1.4 SECRET SHARING

Q-ID SecretSharing-VQ

Does the TOE implement the Secret Sharing (Shamir) cryptographic primitive?
Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

Please provide a brief description of the purpose of each implemented Secret

Sharing cryptographic primitive. If there is more than one implementation for
the same primitive, please provide the purpose of each of them (on different
rows).
3
(e.g., Secret sharing is utilized by the TOE to securely distribute a secret among
a group of users)

3.1.5 EXTENDABLE-OUTPUT FUNCTIONS (XOF)

Q-ID XOF-VQ

Does the TOE implement XOF cryptographic primitives?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the XOF cryptographic primitives implemented in the TOE?

☐ SHAKE128 ☐ SHAKE256
2
☐ cSHAKE128 ☐ cSHAKE256

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented XOF

cryptographic primitive. If there is more than one implementation for the
4 same primitive, please provide the purpose of each of them (on different
rows).
(e.g., cSHAKE is used by the TOE as an underlying primitive to KMAC)

Centro Criptológico Nacional 11

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID XOF-VQ

Centro Criptológico Nacional 12

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3.2 SYMMETRIC CONSTRUCTIONS

3.2.1 SYMMETRIC ENCRYPTION (CONFIDENTIALITY ONLY)

Q-ID SymEncryption-VQ

Does the TOE implement Symmetric Encryption (Confidentiality Only)

cryptographic constructions?

1 Note: If the response is “No”, the following questions in this table shall not be
answered.

☐ Yes ☐ No

What are the Symmetric Encryption (Confidentiality Only) cryptographic

constructions implemented in the TOE?

☐ No-Padding

☐ AES-CBC-128 ☐ PKCS#7

☐ ISO 7816

☐ No-Padding

☐ AES-CBC-192 ☐ PKCS#7

☐ ISO 7816

2 ☐ No-Padding

☐ AES-CBC -256 ☐ PKCS#7

☐ ISO 7816

☐ AES-CBC-CS-128 ☐ AES-CBC-CS-192 ☐ AES-CBC-CS-256

☐ AES-CFB-128 ☐ AES-CFB-192 ☐ AES-CFB-256

☐ AES-CTR-128 ☐ AES-CTR -192 ☐ AES-CTR -256

☐ AES-OFB-128 ☐ AES-OFB-192 ☐ AES-OFB-256

☐ Other(s) - Please indicate which one(s)

Please indicate whether the implemented symmetric constructions are

employed in conjunction with a cryptographic mechanism to provide data
3 integrity and authentication.
Note: Justify the answer either in the affirmative or negative case.

Centro Criptológico Nacional 13

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID SymEncryption-VQ

Please provide a brief description of the purpose of each implemented

Symmetric Encryption cryptographic construction with its associated key
length. If there is more than one implementation for the same construction,
please provide the purpose of each of them (on different rows).
7
(e.g., The AES-CBC-256 No-Padding construction is used to encrypt the data
received from the input interface)

3.2.2 DISK ENCRYPTION

Q-ID DiskEncryption-VQ

Does the TOE implement Disk Encryption cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Disk Encryption cryptographic constructions implemented in the

TOE?

2 ☐ AES-XTS-256 ☐ AES-XTS-512

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Disk

Encryption cryptographic construction with its associated key length. If there
is more than one implementation for the same construction, please provide
7 the purpose of each of them (on different rows).
(e.g., The AES-XTS-256 mode is used to perform disk encryption)

3.2.3 INTEGRITY MODES: MESSAGE AUTHENTICATION CODE

Q-ID MAC-VQ

Does the TOE implement Message Authentication Code cryptographic

constructions?
1
Note: If the response is “No”, the following questions in this table shall not be
answered.

Centro Criptológico Nacional 14

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID MAC-VQ

☐ Yes ☐ No

What are the Message Authentication Code cryptographic constructions

implemented in the TOE?

☐ AES-CMAC-128 ☐ AES-CMAC-192 ☐ AES-CMAC-256

☐ AES-CBC-MAC-128 ☐ AES-CBC-MAC-192 ☐ AES-CBC-MAC-256

☐ HMAC-SHA-1 ☐ HMAC-SHA2-256 ☐ HMAC-SHA2-384

☐ HMAC-SHA2-512 ☐ HMAC-SHA2-512/256 ☐ HMAC-SHA3-256

2
☐ HMAC-SHA3-384 ☐ HMAC-SHA3-512

☐ AES-GMAC-128 ☐ AES-GMAC-192 ☐ AES-GMAC-256

☐ KMAC-128 ☐ KMAC-256

☐ Poly1305

☐ Other(s) - Please indicate which one(s)

In the case of implementing the HMAC cryptographic construction, please

provide the size of the HMAC keys used.

3 Note: Please, provide evidence for each HMAC implementation (e.g., a pointer
to the source code, a piece of source code, etc.).

In the case of implementing the CMAC, CBC-MAC, or HMAC cryptographic

construction, does the TOE implement MAC truncation? What is the output bit
length of the truncation?
Note: In affirmative case, please, describe how it is implemented and provide
evidence of the implementation for each message authentication code
cryptographic construction (e.g., a pointer to the source code, a piece of source
4 code, etc.).
Note: In the case of performing MAC truncation to 64 bits, please also provide
evidence that the maximal number of MAC verifications performed for a given
key over its lifetime can be bounded by 220.

Centro Criptológico Nacional 15

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID MAC-VQ

In the case of implementing the GMAC cryptographic construction, does the

TOE comply with the following requirements related to IV management?
a. The IV length is equal to 96 bits.
b. The IV is constructed according to the deterministic IV construction
method [SP800-38D] section 8.2.1.
5
Note: In affirmative case, please, describe how each requirement is
implemented and provide evidence of the implementation for each GMAC
cryptographic construction (e.g., a pointer to the source code, a piece of source
code, etc.).

In the case of implementing the GMAC cryptographic construction, what is the

output bit length of the MAC?

6 Note: Please, provide evidence for each GMAC implementation (e.g., a pointer
to the source code, a piece of source code, etc.).

In the case of implementing the KMAC cryptographic construction, please

provide the following information:
a. The size of the KMAC keys used.
b. Is KMAC used in XOF mode?
c. What is the output bit length of the MAC?
7
d. Does the bit length of the MAC output correspond to the direct output
of the algorithm or truncation is applied?
Note: Please, provide evidence for each KMAC implementation (e.g., a pointer
to the source code, a piece of source code, etc.).

Please provide a brief description of the purpose of each implemented

Message Authentication Code cryptographic construction with its associated
key length, underlying mechanism, etc. If there is more than one
implementation for the same construction, please provide the purpose of each
10 of them (on different rows).
(e.g., The HMAC-SHA-256 algorithm is used to check the integrity and
authenticity of a firmware update before installing it)

Centro Criptológico Nacional 16

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3.2.4 SYMMETRIC ENTITY AUTHENTICATION SCHEMES

Q-ID EntityAuth-VQ

Does the TOE implement Symmetric Entity Authentication (challenge-

response) cryptographic constructions?

1 Note: If the response is “No”, the following questions in this table shall not be
answered.

☐ Yes ☐ No

What are the length ranges used in the Symmetric Entity Authentication
cryptographic constructions implemented in the TOE?

2 ☐ len ≥ 125 ☐ 96 ≤ len < 125

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented

Symmetric Entity Authentication cryptographic construction. If there is more
than one implementation for the same construction, please provide the
purpose of each of them (on different rows).
5
(e.g., A challenge-response authentication method, based on a zero-knowledge
proof, is used as the initial step of communication)

3.2.5 AUTHENTICATED ENCRYPTION (AE)

Q-ID AuthEncryption-VQ

Does the TOE implement Authenticated Encryption cryptographic

constructions?

1 Note: If the response is “No”, the following questions in this table shall not be
answered.

☐ Yes ☐ No

What are the Authenticated Encryption cryptographic constructions

implemented in the TOE?

☐ Encrypt-then-MAC - Please indicate the encryption and MAC mechanism

2 ☐ AES-CCM-128 ☐ AES-CCM-192 ☐ AES-CCM-256

☐ AES-GCM-128 ☐ AES-GCM-192 ☐ AES-GCM-256

☐ AES-EAX-128 ☐ AES-EAX-192 ☐ AES-EAX-256

Centro Criptológico Nacional 17

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID AuthEncryption-VQ

☐ ChaCha20-Poly1305

☐ Other(s) - Please indicate which one(s)

In the case of implementing the GCM cryptographic construction, does the TOE
comply with the following requirements related to IV management?
a. The IV length is equal to 96 bits.
b. The IV is constructed according to the deterministic IV construction
3 method [SP800-38D] section 8.2.1.
Note: In affirmative case, please, describe how each is implemented and provide
evidence of the implementation for each GCM cryptographic construction (e.g.,
a pointer to the source code, a piece of source code, etc.).

In the case of implementing any authenticated encryption cryptographic

construction, what is the output bit length of the MAC (or tag)?
Note: Please, provide evidence for each authenticated encryption construction
4 and implementation (e.g., a pointer to the source code, a piece of source code,
etc.).

Please provide a brief description of the purpose of each implemented

Authenticated Encryption cryptographic construction with its associated key
length. If there is more than one implementation for the same construction,
please provide the purpose of each of them (on different rows).
10
(e.g., The data sent through the communication channel is encrypted with AES-
GCM-256, providing confidentiality, integrity, and authentication to the data)

3.2.6 KEY PROTECTION

Q-ID KeyProtection-VQ

Does the TOE implement Key Protection cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Key Protection cryptographic constructions implemented in the

TOE?
2
☐ AES-SIV-256 ☐ AES-SIV-384 ☐ AES-SIV-512

Centro Criptológico Nacional 18

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyProtection-VQ

☐ AES-KW-128 ☐ AES-KW-192 ☐ AES-KW-256

☐ AES-KWP-128 ☐ AES-KWP-192 ☐ AES-KWP-256

☐ Authenticated Encryption Construction(s) - Please indicate which one(s)

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Key

Protection cryptographic construction with its associated key length. If there
is more than one implementation for the same construction, please provide
8 the purpose of each of them (on different rows).
(e.g., The SSPs are entered into the TOE encrypted with AES-KWP-256)

3.2.7 KEY DERIVATION FUNCTIONS (KDF)

Q-ID KeyDerivation-VQ

Does the TOE implement Key Derivation cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Key Derivation cryptographic constructions implemented in the

TOE?

☐ NIST SP800-56A/B/C One-Step KDF

☐ NIST SP800-56A/B/C Two-Step KDF

☐ NIST SP800-108 KDF in Counter Mode

☐ NIST SP800-108 KDF in Feedback Mode

2
☐ NIST SP800-108 KDF in Double-Pipeline Mode

☐ NIST SP800-108 KDF using KMAC

☐ ANSI-X9.63 KDF

☐ PBKDF2

☐ HKDF (RFC 5869)

Centro Criptológico Nacional 19

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyDerivation-VQ

☐ Other(s) - Please indicate which one(s)

In the case of implementing the NIST SP800-56A/B/C One-Step KDF

cryptographic construction, please indicate its parameterization.

☐ SHA2-256 ☐ SHA2-384 ☐ SHA2-512

☐ SHA2-512/256 ☐ SHA3-256 ☐ SHA3-384

☐ SHA3-512

3 ☐ HMAC SHA1 ☐ HMAC SHA2-256 ☐ HMAC SHA2-384

☐ HMAC SHA2-512 ☐ HMAC SHA2-512/256 ☐ HMAC SHA3-256

☐ HMAC SHA3-384 ☐ HMAC SHA3-512

☐ KMAC-128 ☐ KMAC-256

☐ Other(s) - Please indicate which one(s)

In the case of implementing the NIST SP800-56A/B/C Two-Step KDF

cryptographic construction, please indicate its parameterization.

Extraction Step

☐ HMAC SHA1 ☐ HMAC SHA2-256

☐ HMAC SHA2-384 ☐ HMAC SHA2-512

☐ HMAC SHA2-512/256 ☐ HMAC SHA3-256

☐ HMAC SHA3-384 ☐ HMAC SHA3-512

☐ AES-128-CMAC ☐ AES-192-CMAC
4
☐ AES-256-CMAC

☐ Other(s) - Please indicate which one(s)

Expansion Step

☐ NIST SP800-108 KDF

Please indicate which one(s) and the complete parameterization.
It is necessary to complete the associated questions (Q-5 to Q-8) for the
implemented NIST SP800-108 KDFs.

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 20

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyDerivation-VQ

In the case of implementing the NIST SP800-108 KDF in Counter Mode

cryptographic construction, please indicate its parameterization.

Underlying Mechanisms

☐ HMAC SHA1 ☐ HMAC SHA2-256

☐ HMAC SHA2-384 ☐ HMAC SHA2-512

☐ HMAC SHA2-512/256 ☐ HMAC SHA3-256

☐ HMAC SHA3-384 ☐ HMAC SHA3-512

☐ AES-128-CMAC ☐ AES-192-CMAC

☐ AES-256-CMAC

5 ☐ KMAC-128 ☐ KMAC-256

☐ Other(s) - Please indicate which one(s)

Supported Parameterization

Counter i: XXX bits ☐ Big-endian ☐ Little-endian

Requested length L: XXX bits ☐ Big-endian ☐ Little-endian

Label: ☐ Yes ☐ No

Context: ☐ Yes ☐ No

All-zero octet (z): ☐ Yes ☐ No

The pattern for the input to the underlying PRF:

(For example, i || Label || 0x00 || Context || L )

In the case of implementing the NIST SP800-108 KDF in Feedback Mode

cryptographic construction, please indicate its parameterization.

Underlying Mechanisms

☐ HMAC SHA1 ☐ HMAC SHA2-256

6
☐ HMAC SHA2-384 ☐ HMAC SHA2-512

☐ HMAC SHA2-512/256 ☐ HMAC SHA3-256

☐ HMAC SHA3-384 ☐ HMAC SHA3-512

Centro Criptológico Nacional 21

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyDerivation-VQ

☐ AES-128-CMAC ☐ AES-192-CMAC

☐ AES-256-CMAC

☐ KMAC-128 ☐ KMAC-256

☐ Other(s) - Please indicate which one(s)

Supported Parameterization

Counter i: XXX bits ☐ Big-endian ☐ Little-endian

Requested length L: XXX bits ☐ Big-endian ☐ Little-endian

IV: ☐ Yes ☐ No

Label: ☐ Yes ☐ No

Context: ☐ Yes ☐ No

All-zero octet (z): ☐ Yes ☐ No

The pattern for the input to the underlying PRF:

(For example, IV || i || Label || 0x00 || Context || L )

In the case of implementing the NIST SP800-108 KDF in Double-Pipeline Mode

cryptographic construction, please indicate its parameterization.

Underlying Mechanisms

☐ HMAC SHA1 ☐ HMAC SHA2-256

☐ HMAC SHA2-384 ☐ HMAC SHA2-512

☐ HMAC SHA2-512/256 ☐ HMAC SHA3-256

7 ☐ HMAC SHA3-384 ☐ HMAC SHA3-512

☐ AES-128-CMAC ☐ AES-192-CMAC

☐ AES-256-CMAC

☐ KMAC-128 ☐ KMAC-256

☐ Other(s) - Please indicate which one(s)

Supported Parameterization

Centro Criptológico Nacional 22

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyDerivation-VQ

Counter i: XXX bits ☐ Big-endian ☐ Little-endian

Requested length L: XXX bits ☐ Big-endian ☐ Little-endian

Label: ☐ Yes ☐ No

Context: ☐ Yes ☐ No

All-zero octet (z): ☐ Yes ☐ No

The pattern for the input to the underlying PRF:

(For example, i || Label || 0x00 || Context || L )

In the case of implementing the NIST SP800-108 KDF in KMAC mode

cryptographic construction, please indicate its parameterization.

8 ☐ KMAC-128 ☐ KMAC-256

☐ Other(s) - Please indicate which one(s)

In the case of implementing the ANSI-X9.63 KDF cryptographic construction,

please indicate its parameterization.

☐ SHA2-256 ☐ SHA2-384

☐ SHA2-512 ☐ SHA2-512/256
9
☐ SHA3-256 ☐ SHA3-384

☐ SHA3-512

☐ Other(s) - Please indicate which one(s)

In the case of implementing the PBKDF2 cryptographic construction, please

indicate its parameterization.

☐ HMAC-SHA-1 ☐ HMAC-SHA2-256 ☐ HMAC-SHA2-384

10 ☐ HMAC-SHA2-512 ☐ HMAC-SHA2-512/256 ☐ HMAC-SHA3-256

☐ HMAC-SHA3-384 ☐ HMAC-SHA3-512

☐ Other(s) - Please indicate which one(s)

In the case of implementing the HKDF (RFC 5869) cryptographic construction,

please indicate its parameterization.
12
☐ HMAC-SHA-1 ☐ HMAC-SHA2-256 ☐ HMAC-SHA2-384

Centro Criptológico Nacional 23

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyDerivation-VQ

☐ HMAC-SHA2-512 ☐ HMAC-SHA2-512/256 ☐ HMAC-SHA3-256

☐ HMAC-SHA3-384 ☐ HMAC-SHA3-512

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Key

Derivation cryptographic construction with its associated underlying
mechanism, length of the derived key, etc. If there is more than one
implementation for the same construction, please provide the purpose of each
15 of them (on different rows).
(e.g., The PBKDF2-HMAC-SHA-256 derives a new key of 256 bits using the user
password)

3.2.8 PASSWORD PROTECTION/HASHING MECHANISMS

Q-ID PasswordMechanisms-VQ

Does the TOE implement Password Protection/Hashing cryptographic

constructions?

1 Note: If the response is “No”, the following questions in this table shall not be
answered.

☐ Yes ☐ No

What are the Password Protection/Hashing cryptographic constructions

implemented in the TOE?

☐ Argon2id

2 ☐ PBKDF2

☐ SCRYPT

☐ Other(s) - Please indicate which one(s)

In the case of implementing the PBKDF2 cryptographic construction, please

indicate its parameterization.

☐ HMAC-SHA-1 ☐ HMAC-SHA2-256 ☐ HMAC-SHA2-384

3
☐ HMAC-SHA2-512 ☐ HMAC-SHA2-512/256 ☐ HMAC-SHA3-256

☐ HMAC-SHA3-384 ☐ HMAC-SHA3-512

Centro Criptológico Nacional 24

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID PasswordMechanisms-VQ

☐ Other(s) - Please indicate which one(s)

In the case of implementing the SCRYPT cryptographic construction, please

indicate its parameterization.

4 ☐ PBKDF2 HMAC SHA2-256

☐ Other(s) - Please indicate which one(s)

In the case of implementing the Argon2id cryptographic construction, please

indicate the following parameterization.
Note: Please, provide evidence for each Argon2id implementation (e.g., a
pointer to the source code, a piece of source code, etc.).

The memory size (m) is: XXX

The number of passes (t) is: XXX passes

The password length (P) is XXX bytes

5
The degree of parallelism (p) is XXX lanes

The salt (S) length is: XXX bits

Is the salt unique for each password? ☐ Yes ☐ No

The tag (T) length is: XXX bits

The secret value (K) length is: XXX bytes

The associated data (X) length is: XXX bytes

In the case of implementing the PBKDF2 cryptographic construction, please

indicate the following parameterization.
Note: Please, provide evidence for each PBKDF2 implementation (e.g., a pointer
6 to the source code, a piece of source code, etc.).

The number of iterations is: XXX iterations

The salt length is: XXX bits

Please provide a brief description of the purpose of each implemented

Password Protection/Hashing cryptographic with its associated underlying
mechanism, length of the derived key, etc. If there is more than one
9 implementation for the same construction, please provide the purpose of each
of them (on different rows).
(e.g., The TOE protects the user password using PBKDF2-HMAC-SHA-256
cryptographic construction)

Centro Criptológico Nacional 25

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID PasswordMechanisms-VQ

Centro Criptológico Nacional 26

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3.3 ASYMMETRIC ELEMENTARY PRIMITIVES

3.3.1 RSA/INTEGER FACTORIZATION

Q-ID RSA-VQ

Does the TOE implement cryptographic primitives based on the integer

factorization problem (RSA)?

1 Note: If the response is “No”, the following questions in this table shall not be
answered.

☐ Yes ☐ No

What are the RSA cryptographic primitives implemented in the TOE?

2 ☐ RSA-2048 bits ☐ RSA-3072 bits ☐ RSA-4096 bits

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented

cryptographic primitive based on the integer factorization problem (RSA). If
there is more than one implementation for the same primitive, please provide
the purpose of each of them (on different rows).
3
(e.g., The TOE uses a digital signature based on RSA-2048 to perform firmware
authentication)

Q-ID RSA-IMPLEMENTATION-VQ

What are the RSA cryptographic operations implemented in the TOE?

1 Please complete a row for each of the different RSA parameterizations and/or
implementations. Add as many as necessary.

RSA Implementation – 1

☐ Modular Exponentiation operations with an RSA Public Key

☐ Modular Exponentiation operations with an RSA Public Key, where the value
of e is equal to 65537
1-1
☐ Modular Exponentiation operations with an RSA Private Key

☐ Modular Exponentiation operations with extended parameters using

recombination of the Chinese Remainder Theorem (CRT)

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 27

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

RSA Implementation – 2

☐ Modular Exponentiation operations with an RSA Public Key

☐ Modular Exponentiation operations with an RSA Public Key, where the value
of e is equal to 65537
1-2
☐ Modular Exponentiation operations with an RSA Private Key

☐ Modular Exponentiation operations with extended parameters using

recombination of the Chinese Remainder Theorem (CRT)

☐ Other(s) - Please indicate which one(s)

1-3 …

… …

3.3.2 MULTIPLICATIVE DISCRETE LOGARITHM PROBLEM (FFDLOG)

Q-ID FFDLOG-VQ

Does the TOE implement FFDLOG cryptographic primitives?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the FFDLOG cryptographic primitives implemented in the TOE?

☐ MODP-2048 bits ☐ MODP-3072 bits ☐ MODP-4096 bits

☐ MODP-6144 bits ☐ MODP-8192 bits

2
☐ FFDHE-2048 bits ☐ FFDHE-3072 bits ☐ FFDHE-4096 bits

☐ FFDHE-6144 bits ☐ FFDHE-8192 bits

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented

asymmetric cryptographic primitive based on FFDLOG. If there is more than
one implementation for the same primitive, please provide the purpose of
each of them (on different rows).
3
(e.g., The FFDHE-2048 group is used in the DH key establishment scheme of the
cipher suites utilized by TLS v1.2)

Centro Criptológico Nacional 28

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3.3.3 ADDITIVE DISCRETE LOGARITHM PROBLEM (ECDLOG)

Q-ID ECDLOG-VQ

Does the TOE implement ECDLOG cryptographic primitives?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the ECDLOG cryptographic primitives implemented in the TOE?

☐ BrainpoolP256r1 ☐ BrainpoolP384r1 ☐ BrainpoolP512r1

☐ NIST P-256 ☐ NIST P-384 ☐ NIST P-521

2
☐ FRP256v1 ☐ Curve25519 ☐ Curve448

☐ Edwards25519 ☐ Edwards448

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented

asymmetric cryptographic primitive based on ECDLOG. If there is more than
one implementation for the same primitive, please provide the purpose of
each of them (on different rows).
3
(e.g., The NIST P-256 curve is used in the ECDHE key establishment scheme of
the cipher suites utilized by TLS v1.2)

Q-ID ECDLOG-IMPLEMENTATION-VQ

What are the Elliptic Curve cryptographic operations implemented in the TOE?
Please complete a row for each of the different ECDLOG parameterizations
1 and/or implementations. Add as many as necessary.
In the case of NIST P Curves, BrainpoolP Curves, and FRP256v1 Curve:

ECDLOG Implementation – 1

☐ EC Scalar Multiplication with Fixed Basepoint

R=dxG
1-1 ☐ Key Generation
where G denotes the generator
Please indicate the
associated operation
☐ EC Scalar Multiplication
R=dxP

Centro Criptológico Nacional 29

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID ECDLOG-IMPLEMENTATION-VQ
where P is generic and G is introduced into it as
the generator

☐ Other(s) - Please indicate which one(s)

☐ EC Scalar Multiplication
☐ Signature Generation R=dxP
Please indicate the where P is a point lying on the curve
associated operation
☐ Other(s) - Please indicate which one(s)

☐ MultiScalar Multiplication
R=uxS+vxT
where S and T are points lying on the curve
S is generic and G is introduced into it as the
☐ Signature Verification generator
Please indicate the
☐ MultiScalar Multiplication with Fixed Basepoint
associated operation
R=uxG+vxT
where T is a point lying on the curve and G denotes
the generator

☐ Other(s) - Please indicate which one(s)

☐ EC Scalar Multiplication
☐ Preshared Secret
Computation R=dxP

Please indicate the where P is a point lying on the curve

associated operation
☐ Other(s) - Please indicate which one(s)

1-2 …

… …

What are the Elliptic Curve cryptographic operations implemented in the TOE?
Please complete a row for each of the different ECDLOG parameterizations
2 and/or implementations. Add as many as necessary.
In the case of Curve25519 and Curve448:

ECDLOG Implementation – 1

2-1 ☐ EC Scalar Multiplication with Fixed Basepoint

☐ Key Generation
R=dxG

Centro Criptológico Nacional 30

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID ECDLOG-IMPLEMENTATION-VQ
Please indicate the where G denotes the generator
associated operation
☐ EC Scalar Multiplication
R=dxP
where P is generic and G is introduced into it as the
generator

☐ Other(s) - Please indicate which one(s)

☐ EC Scalar Multiplication
☐ Preshared Secret
Computation R=dxP

Please indicate the where P is a point lying on the curve

associated operation
☐ Other(s) - Please indicate which one(s)

2-2 …

2-3 …

What are the Elliptic Curve cryptographic operations implemented in the TOE?
Please complete a row for each of the different ECDLOG parameterizations
3 and/or implementations. Add as many as necessary.
In the case of Edwards25519 and Edwards448 curves:

ECDLOG Implementation – 1

☐ EC Scalar Multiplication with Fixed Basepoint

R=dxG
where G denotes the generator
☐ Key Generation
☐ EC Scalar Multiplication
Please indicate the
associated operation R=dxP
where P is generic and G is introduced into it as the
3-1 generator

☐ Other(s) - Please indicate which one(s)

☐ EC Scalar Multiplication
☐ Signature Generation R=dxP
Please indicate the where P is a point lying on the curve
associated operation
☐ Other(s) - Please indicate which one(s)

☐ Signature Verification ☐ MultiScalar Multiplication

Centro Criptológico Nacional 31

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID ECDLOG-IMPLEMENTATION-VQ
Please indicate the R=uxS+vxT
associated operation
where S and T are points lying on the curve
S is generic and G is introduced into it as the
generator

☐ MultiScalar Multiplication with Fixed Basepoint

R=uxG+vxT
where T is a point lying on the curve and G denotes
the generator

☐ Other(s) - Please indicate which one(s)

3-2 …

3-3 …

Centro Criptológico Nacional 32

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3.4 ASYMMETRIC CONSTRUCTIONS

3.4.1 ASYMMETRIC ENCRYPTION SCHEMES

Q-ID AsymEncryption-VQ

Does the TOE implement Asymmetric Encryption cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Asymmetric Encryption cryptographic constructions implemented

in the TOE?

2 ☐ RSA-OAEP (PKCS#1v2.1) ☐ RSA-PKCS#1v1.5

☐ Other(s) - Please indicate which one(s)

In the case of implementing the RSA-OAEP (PKCS#1v2.1) cryptographic

construction, please indicate its parameterization.

Mod 2048-bit Mod 3072-bit Mod 4096-bit

SHA2-256 ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐
3
SHA2-512/256 ☐ ☐ ☐

SHA3-256 ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the RSA-PKCS#1v1.5 cryptographic construction,

5 please indicate its parameterization.

Centro Criptológico Nacional 33

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID AsymEncryption-VQ

☐ RSA-2048 bits ☐ RSA-3072 bits ☐ RSA-4096 bits

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented

Asymmetric Encryption cryptographic construction with its associated modulus,
hash primitive, etc. If there is more than one implementation for the same
construction, please provide the purpose of each of them (on different rows).
8
(e.g., User data are entered into the TOE encrypted with RSA-OAEP with modulus
2048 bits and SHA-256)

3.4.2 DIGITAL SIGNATURE

Q-ID DigitalSignature-VQ

Does the TOE implement Digital Signature cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Digital Signature cryptographic constructions implemented in the

TOE?

☐ RSA-PSS (PKCS#1v2.1) ☐ RSA-PKCS#1v1.5

☐ DSA ☐ KCDSA ☐ Schnorr (SDSA)

☐ EC-DSA ☐ EC-KCDSA ☐ EC-GDSA

2
☐ EC-Schnorr (EC-SDSA) ☐ EC-Schnorr (EC-FSDSA) ☐ EdDSA

☐ XMSS

☐ ML-DSA ☐ Falcon ☐ SLH-DSA

☐ Other(s) - Please indicate which one(s)

In the case of implementing the RSA-PSS (PKCS#1v2.1) cryptographic

construction, please indicate its parameterization.
3 Mod 2048-bit Mod 3072-bit Mod 4096-bit

SHA2-256 ☐ ☐ ☐

Centro Criptológico Nacional 34

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DigitalSignature-VQ

SHA2-384 ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐

SHA2-512/256 ☐ ☐ ☐

SHA3-256 ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the RSA-PKCS#1v1.5 cryptographic construction,

please indicate its parameterization.

Mod 2048-bit Mod 3072-bit Mod 4096-bit

SHA2-256 ☐ ☐ ☐

4 SHA2-384 ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐

SHA2-512/256 ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the DSA cryptographic construction, please indicate

its parameterization.

MODP MODP MODP MODP MODP

2048-bit 3072-bit 4096-bit 6144-bit 8192-bit

SHA2-256 ☐ ☐ ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐ ☐ ☐

5 SHA2-512 ☐ ☐ ☐ ☐ ☐

SHA2-512/256 ☐ ☐ ☐ ☐ ☐

SHA3-256 ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 35

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DigitalSignature-VQ

In the case of implementing the KCDSA cryptographic construction, please

indicate its parameterization.

MODP MODP MODP MODP MODP

2048-bit 3072-bit 4096-bit 6144-bit 8192-bit

SHA2-256 ☐ ☐ ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐ ☐ ☐

6 SHA2-512 ☐ ☐ ☐ ☐ ☐

SHA2-512/256 ☐ ☐ ☐ ☐ ☐

SHA3-256 ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the SDSA cryptographic construction, please

indicate its parameterization.

MODP MODP MODP MODP MODP

2048-bit 3072-bit 4096-bit 6144-bit 8192-bit

SHA2-256 ☐ ☐ ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐ ☐ ☐

7 SHA2-512 ☐ ☐ ☐ ☐ ☐

SHA2-512/256 ☐ ☐ ☐ ☐ ☐

SHA3-256 ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the EC-DSA cryptographic construction, please

indicate its parameterization.

8 P-256 P-384 P-521

Brainpool Brainpool Brainpool
FRP256v1
P256r1 P384r1 P512r1

SHA2-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

Centro Criptológico Nacional 36

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DigitalSignature-VQ

SHA2-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512
☐ ☐ ☐ ☐ ☐ ☐ ☐
/256

SHA3-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the EC-KCDSA cryptographic construction, please

indicate its parameterization.

Brainpool Brainpool Brainpool

P-256 P-384 P-521 FRP256v1
P256r1 P384r1 P512r1

SHA2-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐
9
SHA2-512
☐ ☐ ☐ ☐ ☐ ☐ ☐
/256

SHA3-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the EC-GDSA cryptographic construction, please

indicate its parameterization.

Brainpool Brainpool Brainpool

P-256 P-384 P-521 FRP256v1
P256r1 P384r1 P512r1

SHA2-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐
10
SHA2-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512
☐ ☐ ☐ ☐ ☐ ☐ ☐
/256

Centro Criptológico Nacional 37

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DigitalSignature-VQ

SHA3-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the EC-SDSA cryptographic construction, please

indicate its parameterization.

Brainpool Brainpool Brainpool

P-256 P-384 P-521 FRP256v1
P256r1 P384r1 P512r1

SHA2-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐
11
SHA2-512
☐ ☐ ☐ ☐ ☐ ☐ ☐
/256

SHA3-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the EC-FSDSA cryptographic construction, please

indicate its parameterization.

Brainpool Brainpool Brainpool

P-256 P-384 P-521 FRP256v1
P256r1 P384r1 P512r1

SHA2-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐
12
SHA2-512
☐ ☐ ☐ ☐ ☐ ☐ ☐
/256

SHA3-256 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-384 ☐ ☐ ☐ ☐ ☐ ☐ ☐

SHA3-512 ☐ ☐ ☐ ☐ ☐ ☐ ☐

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 38

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DigitalSignature-VQ

In the case of implementing the EdDSA cryptographic construction, please

indicate its parameterization.

Ed25519 with SHA2-512 Ed448 with SHAKE256

13 PureEdDSA ☐ ☐

Pre-Hash ☐ ☐

☐ Other(s) - Please indicate which one(s)

In the case of implementing the XMSS cryptographic construction, please indicate

its parameterization.

☐ SHA2-256 ☐ SHA2-512
15
☐ SHAKE128 ☐ SHAKE256

☐ Other(s) - Please indicate which one(s)

In the case of implementing the ML-DSA cryptographic construction, please

indicate its parameterization.
16
☐ Supported Configuration(s) - Please indicate which one(s)

In the case of implementing the Falcon cryptographic construction, please

indicate its parameterization.
17
☐ Supported Configuration(s) - Please indicate which one(s)

In the case of implementing the SLH-DSA cryptographic construction, please

indicate its parameterization.
18
☐ Supported Configuration(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Digital

Signature cryptographic construction with its associated RSA modulus and
scheme, finite field group, elliptic curve, hash primitive, etc. If there is more than
23 one implementation for the same construction, please provide the purpose of
each of them (on different rows).
(e.g., Data sent through the communication channel is signed using ECDSA with P-
256 curve with SHA-256 hash primitive)

Centro Criptológico Nacional 39

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DigitalSignature-VQ

3.4.3 KEY ESTABLISHMENT

Q-ID KeyEstablishment-VQ

Does the TOE implement Key Establishment cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the Key Establishment cryptographic constructions implemented in the

TOE?

☐ Diffie-Hellman (DH) ☐ DLIES-KEM

2 ☐ Elliptic Curve Diffie-Hellman (ECDH) ☐ ECIES-KEM

☐ ML-KEM ☐ FrodoKEM

☐ Other(s) - Please indicate which one(s)

In the case of implementing the Diffie-Hellman (DH) cryptographic construction,

please indicate its parameterization.

☐ Non-Ephemeral ☐ Ephemeral

In case both apply, indicate which parameterization applies to each.

☐ MODP-2048 bits ☐ MODP-3072 bits ☐ MODP-4096 bits

☐ MODP-6144 bits ☐ MODP-8192 bits

3
☐ FFDHE-2048 bits ☐ FFDHE-3072 bits ☐ FFDHE-4096 bits

☐ FFDHE-6144 bits ☐ FFDHE-8192 bits

☐ Key Derivation Function - Please indicate which one(s)

Please, complete the information according to those provided in Section 3.2.7 “Key
Derivation Functions”

☐ Other(s) Configuration(s) - Please indicate which one(s)

In the case of implementing the DLIES-KEM cryptographic construction, please

4 indicate its parameterization.

Centro Criptológico Nacional 40

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyEstablishment-VQ

☐ Non-Ephemeral ☐ Ephemeral

In case both apply, indicate which parameterization applies to each.

☐ MODP-3072 bits ☐ MODP-4096 bits

☐ FFDHE-3072 bits ☐ FFDHE-4096 bits

Key Derivation Function:

☐ HKDF with HMAC-SHA2-256

☐ Other(s) Configuration(s) - Please indicate which one(s)

In the case of implementing the Elliptic Curve Diffie-Hellman (EC-DH)

cryptographic construction, please indicate its parameterization.

☐ Non-Ephemeral ☐ Ephemeral

In case both apply, indicate which parameterization applies to each.

☐ BrainpoolP256r1 ☐ BrainpoolP384r1 ☐ BrainpoolP512r1

5 ☐ NIST P-256 ☐ NIST P-384 ☐ NIST P-521

☐ FRP256v1 ☐ Curve25519 (x25519) ☐ Curve448 (x448)

☐ Key Derivation Function - Please indicate which one(s)

Please, complete the information according to those provided in Section 3.2.7 “Key
Derivation Functions”

☐ Other(s) Configuration(s) - Please indicate which one(s)

In the case of implementing the ECIES-KEM cryptographic construction, please

indicate its parameterization.

☐ Non-Ephemeral ☐ Ephemeral

In case both apply, indicate which parameterization applies to each.

6 ☐ BrainpoolP256r1 ☐ BrainpoolP384r1 ☐ BrainpoolP512r1

☐ NIST P-256 ☐ NIST P-384 ☐ NIST P-521

Key Derivation Function:

☐ HKDF with HMAC-SHA2-256

Centro Criptológico Nacional 41

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID KeyEstablishment-VQ

☐ Other(s) Configuration(s) - Please indicate which one(s)

In the case of implementing the FrodoKEM cryptographic construction, please

indicate its parameterization.

☐ Non-Ephemeral ☐ Ephemeral

In case both apply, indicate which parameterization applies to each.

7
☐ AES ☐ SHAKE128

☐ FrodoKEM-640 ☐ FrodoKEM-976 ☐ FrodoKEM-1344

☐ Other(s) Configuration(s) - Please indicate which one(s)

In the case of implementing the ML-KEM cryptographic construction, please

indicate its parameterization.
8
☐ Supported Configuration(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each implemented Key

Establishment cryptographic construction with its associated parameterization
(finite field group, elliptic curve, etc.). If there is more than one implementation
for the same construction, please provide the purpose of each of them (on
13 different rows).
(e.g., The TOE implements TLS 1.2 whose cipher suites rely on ECDHE with P-256
curve to perform key establishment)

Centro Criptológico Nacional 42

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

3.5 RANDOM NUMBER GENERATORS

3.5.1 DETERMINISTIC RANDOM NUMBER GENERATOR CONSTRUCTION

10. Note: In case of multiple DRNG parameterizations and/or implementations,

please complete the following tables for each of them, in order to clearly define
them. Add as many tables as necessary.

Q-ID DRNG-VQ

Does the TOE implement DRNG cryptographic constructions?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the DRNG cryptographic schemes implemented in the TOE?

☐ NR (Non-PredictionResistance and Non-Reseed)

☐ HMAC-DRBG ☐ NPR (Non-PredictionResistance but with Reseed)

☐ PR (PredictionResistance and Reseed)

☐ NR (Non-PredictionResistance and Non-Reseed)

☐ Hash-DRBG ☐ NPR (Non-PredictionResistance but with Reseed)

☐ PR (PredictionResistance and Reseed)

☐ NR with DF (Non-PredictionResistance and Non-

Reseed with Derivation Function)
2
☐ NR without DF (Non-PredictionResistance and Non-
Reseed without Derivation Function)

☐ NPR with DF (Non-PredictionResistance with Reseed

and Derivation Function)
☐ CTR-DRBG (AES)
☐ NPR without DF (Non-PredictionResistance with
Reseed but without Derivation Function)

☐ PR with DF (PredictionResistance and Reseed with

Derivation Function)

☐ PR without DF (PredictionResistance and Reseed but

without Derivation Function)

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 43

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID DRNG-VQ

Please provide a brief description of the purpose of the implemented DRNG

cryptographic construction, indicating the SSPs that can be generated using it and
the functionality class to which it belongs.
7 (e.g., the HMAC-DRBG is used to generate the AES-256 bits key that is used by the
TOE to encrypt the information entered through the data input interface)

3.5.2 DRNG INITIALIZATION

Q-ID Initialization-VQ

A DRNG secure initialization depends on the number of bits of the Input (seed),
Nonce, and Personalization String parameters.
Note: Please indicate the length in bits of each of them during the DRNG
initialization.
1
The input (seed) length is: XXX bits

The nonce length is: XXX bits

The personalization string length is: XXX bits

3.5.3 DRNG RESEEDING CONFIGURATION

Q-ID Reseeding-VQ

The DRNG reseeding depends on the number of bits used as Input Reseed and as
Additional Input in every call to generate a new CSP.
Note: Please indicate the length in bits of each of them during the reseeding.
1
The input reseed length is: XXX bits

The additional input length is: XXX bits

Centro Criptológico Nacional 44

CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

4 CRYPTOGRAPHIC PROTOCOLS IMPLEMENTATION

11. This section shall contain information related to the protocols implemented by the TOE which rely on cryptographic mechanisms.
The proprietary and/or standard (e.g., TLS, SSH, etc.) protocols and their configuration shall be described justifying the ensured
properties.
12. Note: This is the information that shall be included in each column:
- Protocol: The name of the implemented protocol.
- Configuration: The cipher suites (for TLS) or cryptographic mechanisms configuration employed to implement the protocol.
- Properties: The ensured properties with the protocol configuration. Some examples could be:
o Integrity protection of the exchanged messages
o Anti-replay protections
o Perfect forward secrecy
o Post compromise secrecy
o Quantum resistance
- Justification: Justification for each ensured property by the protocol configuration.
13. Please complete the following table with the protocols implemented by the TOE:

Protocol Configuration Properties Justification

Table 1. Cryptographic Protocols Implementation and Configuration

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

4.1 TRANSPORT LAYER SECURITY PROTOCOL (TLS)

14. This subsection contains the questions associated with the TLS cryptographic
protocol configurations implemented in the TOE. It aims to provide the tester
with all the needed information to demonstrate that the implementation of the
TLS cryptographic protocol complies with the requirements from Section 3 “CCN
Agreed Cryptographic Mechanisms” of the [CCN-MEMeC] methodology.

4.1.1 TLS V1.3

Q-ID TLS-VQ

Does the TOE implement TLS v1.3?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the TLS v1.3 Cipher Suites implemented in the TOE?

☐ TLS_AES_256_GCM_SHA384

☐ TLS_AES_128_GCM_SHA256
2
☐ TLS_AES_128_CCM_ SHA256

☐ TLS_CHACHA20_POLY1305_SHA256

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each TLSv1.3 implementation

with its associated cipher suites (on different rows).

3 (e.g., The TOE implements TLSv1.3 with the cipher suite

TLS_AES_256_GCM_SHA384 to establish secure channels with the server)

15. Note: Please complete the following table for each TLS v1.3 cipher suite
implemented, where [ID] means the cipher suite name. Add as many tables as
necessary.

Q-ID TLSv1.3 CIPHER SUITE – [ID]

Please indicate the implemented TLS v1.3 PSK modes (if supported).
1
☐ psk_ke ☐ psk_dhe_ke

Centro Criptológico Nacional 46

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID TLSv1.3 CIPHER SUITE – [ID]

☐ Other(s) - Please indicate which one(s)

In the case of implementing TLS v1.3 PSK modes, please provide evidence that
the TOE does not allow the sending of zero Round-Trip Time data or 0-RTT data.
2 (e.g., a pointer to the source code, a piece of source code, etc.)

Please indicate the implemented DH groups for TLS v1.3 Key Establishment.

☐ ffdhe2048 ☐ ffdhe3072
3
☐ ffdhe4096

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented ECDH groups for TLS v1.3 Key Establishment.

☐ BrainpoolP256r1tls13 ☐ P-256 (secp256r1)

4 ☐ BrainpoolP384r1tls13 ☐ P-384 (secp384r1)

☐ BrainpoolP512r1tls13 ☐ P-521 (secp521r1)

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented xECDH groups for TLS v1.3 Key Establishment.
5
☐ x25519 ☐ x448

Please indicate the implemented TLS v1.3 Digital Signature Schemes to perform
client-server digital signature.

☐ rsa_pss_rsae_sha256 ☐ rsa_pss_rsae_sha384

☐ rsa_pss_rsae_sha512 ☐ rsa_pss_pss_sha256

☐ rsa_pss_pss_sha384 ☐ rsa_pss_pss_sha512

6 ☐ ecdsa_brainpoolP256r1tls13_sha256 ☐ ecdsa_secp256r1_sha256

☐ ecdsa_brainpoolP384r1tls13_sha384 ☐ ecdsa_secp384r1_sha384

☐ ecdsa_brainpoolP512r1tls13_sha512 ☐ ecdsa_secp521r1_sha512

☐ Ed25519 ☐ Ed448

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 47

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID TLSv1.3 CIPHER SUITE – [ID]

Please indicate the implemented TLS v1.3 Digital Signature Schemes on

certificates.

☐ rsa_pkcs1_sha256 ☐ rsa_pkcs1_sha384

☐ rsa_pkcs1_sha512 ☐ rsa_pss_rsae_sha256

☐ rsa_pss_rsae_sha384 ☐ rsa_pss_rsae_sha512

☐ rsa_pss_pss_sha256 ☐ rsa_pss_pss_sha384

7 ☐ rsa_pss_pss_sha512

☐ ecdsa_brainpoolP256r1tls13_sha256 ☐ ecdsa_secp256r1_sha256

☐ ecdsa_brainpoolP384r1tls13_sha384 ☐ ecdsa_secp384r1_sha384

☐ ecdsa_brainpoolP512r1tls13_sha512 ☐ ecdsa_secp521r1_sha512

☐ Ed25519 ☐ Ed448

☐ Other(s) - Please indicate which one(s)

4.1.2 TLS V1.2

Q-ID TLS-VQ

Does the TOE implement TLS v1.2?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

What are the TLS v1.2 Cipher Suites implemented in the TOE?

☐ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

☐ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

2 ☐ TLS_ECDHE_ECDSA_WITH_AES_256_CCM

☐ TLS_ECDHE_ECDSA_WITH_AES_128_CCM

☐ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

☐ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Centro Criptológico Nacional 48

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID TLS-VQ

☐ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

☐ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

☐ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

☐ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

☐ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

☐ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

☐ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

☐ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

☐ TLS_DHE_RSA_WITH_AES_256_CCM

☐ TLS_DHE_RSA_WITH_AES_128_CCM

☐ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

☐ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

☐ TLS_RSA_WITH_AES_256_GCM_SHA384

☐ TLS_RSA_WITH_AES_128_GCM_SHA256

☐ TLS_RSA_WITH_AES_256_CCM

☐ TLS_RSA_WITH_AES_128_CCM

☐ TLS_RSA_WITH_AES_256_CBC_SHA256

☐ TLS_RSA_WITH_AES_128_CBC_SHA256

☐ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

☐ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

☐ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

☐ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

☐ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384

☐ TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256

Centro Criptológico Nacional 49

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID TLS-VQ

☐ TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384

☐ TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256

☐ TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256

☐ TLS_DHE_PSK_WITH_AES_128_CBC_SHA256

☐ TLS_DHE_PSK_WITH_AES_256_CBC_SHA384

☐ TLS_DHE_PSK_WITH_AES_128_GCM_SHA256

☐ TLS_DHE_PSK_WITH_AES_256_GCM_SHA384

☐ TLS_DHE_PSK_WITH_AES_128_CCM

☐ TLS_DHE_PSK_WITH_AES_256_CCM

☐ Other(s) - Please indicate which one(s)

In the case of implementing a TLS cipher suite whose encryption mechanisms are
based on CBC, please provide evidence that they are used in conjunction with the
“encrypt_then_mac” extension.
3
(e.g., a pointer to the source code, a piece of source code, etc.)

Please provide a brief description of the purpose of each TLSv1.2 implementation

with its associated cipher suites (on different rows).
(e.g., The TOE implements TLSv1.2 with the cipher suite
4 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 to establish secure channels
with the server)

16. Note: Please complete the following table for each TLS v1.2 cipher suite
implemented, where [ID] means the cipher suite name. Add as many tables as
necessary.

Q-ID TLSv1.2 CIPHER SUITE – [ID]

Please indicate the implemented DH groups for TLS v1.2 Key Establishment.

1 ☐ ffdhe2048 ☐ ffdhe3072

☐ ffdhe4096

Centro Criptológico Nacional 50

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID TLSv1.2 CIPHER SUITE – [ID]

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented ECDH groups for TLS v1.2 Key Establishment.

☐ BrainpoolP256r1tls13 ☐ P-256 (secp256r1)

2 ☐ BrainpoolP384r1tls13 ☐ P-384 (secp384r1)

☐ BrainpoolP512r1tls13 ☐ P-521 (secp521r1)

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented xECDH groups for TLS v1.2 Key Establishment.
3
☐ x25519 ☐ x448

Please indicate the implemented TLS v1.2 Digital Signature Schemes and Hash
Functions.

RSA DSA ECDSA

SHA2-256 ☐ ☐ ☐

4 SHA2-384 ☐ ☐ ☐

SHA2-512 ☐ ☐ ☐

☐ Ed25519 ☐ Ed448

☐ Other(s) - Please indicate which one(s)

Centro Criptológico Nacional 51

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

4.2 SECURE SHELL (SSH)

17. This subsection contains the questions associated with the SSH cryptographic
protocol configurations implemented in the TOE. It aims to provide the tester
with all the needed information to demonstrate that the implementation of the
SSH cryptographic protocol complies with the requirements from Section 3 “CCN
Agreed Cryptographic Mechanisms” of the [CCN-MEMeC] methodology.
18. Note: In case of multiple SSH implementations, please complete the following
table for each of them, in order to clearly define them. Add as many tables as
necessary.

Q-ID SSH-VQ

Does the TOE implement SSH-2 protocol?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

Please indicate the implemented DH groups for SSH-2 Key Establishment.

☐ DH-exchange-SHA256 ☐ DH-group15-SHA512

2 ☐ DH-group16-SHA512 ☐ DH- group17-SHA512

☐ DH- group18-SHA512

☐ Other(s) - Please indicate which one(s)

In the case of implementing the Diffie-Hellman-group-exchange-SHA256 for SSH-

2 Key Establishment, please provide the following information:

The prime p and its length in bits: XXX

3
The generator g: XXX

The prime p and its length in bits: XXX

Please indicate the implemented ECDH groups for SSH-2 Key Establishment.

☐ secp256r1_sha512 ☐ secp384r1_sha512
4
☐ secp521r1_sha512

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented SSH-2 Encryption Mechanisms.

5
☐ AEAD_AES_128_GCM ☒ AEAD_AES_256_GCM

Centro Criptológico Nacional 52

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID SSH-VQ

☐ AES128-CTR ☐ AES192-CTR

☐ AES256-CTR

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented SSH-2 Integrity and Authenticity Mechanisms.

☐ HMAC-SHA1 ☐ HMAC-SHA2-256

6 ☐ HMAC-SHA2-512

☐ AEAD_AES_128_GCM ☐ AEAD_AES_256_GCM

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented SSH-2 Server-Client Authentication

Mechanisms.

☐ ECDSA-SHA2-secp256r1 ☐ ECDSA-SHA2-secp384r1

7 ☐ ECDSA-SHA2-secp521r1 ☐ x509v3-ECDSA-SHA2-secp256r1

☐ x509v3-ECDSA-SHA2-secp384r1 ☐ x509v3-ECDSA-SHA2-secp521r1

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of the SSH-2 implementation

with its associated configurations.
9 (e.g., The TOE implements SSH-2 to allow remote access to users)

Centro Criptológico Nacional 53

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

4.3 INTERNET PROTOCOL SECURITY (IPSEC) WITH IKEV2

19. This subsection contains the questions associated with the IPsec cryptographic
protocol configurations implemented in the TOE. It aims to provide the tester
with all the needed information to demonstrate that the implementation of the
IPsec cryptographic protocol complies with the requirements from Section 3
“CCN Agreed Cryptographic Mechanisms” of the [CCN-MEMeC] methodology.
20. Note: In case of multiple IPsec implementations, please complete the following
table for each of them, in order to clearly define them. Add as many tables as
necessary.

Q-ID IPsec-VQ

Does the TOE implement IPsec protocol with IKEv2?

Note: If the response is “No”, the following questions in this table shall not be
1 answered.

☐ Yes ☐ No

Please indicate the implemented Protocol Versions.

2 ☐ IPsec ☐ IKEv2

☐ ESP

Please indicate the implemented DH groups implemented for the IKEv2 Key
Establishment.

☐ 3072-bit MODP ☐ 4096-bit MODP

4
☐ 6144-bit MODP ☐ 8192-bit MODP

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented ECDH groups implemented for the IKEv2 Key
Establishment.

☐ 256-bit random ECP ☐ 384-bit random ECP

5 ☐ 521-bit random ECP ☐ brainpoolP256r1

☐ brainpoolP384r1 ☐ brainpoolP512r1

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented xECDH groups implemented for the IKEv2 Key
Establishment.
6
☐ x25519 ☐ x448

Centro Criptológico Nacional 54

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Q-ID IPsec-VQ

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented IKEv2 and ESP Encryption Mechanisms.

7

Please indicate the implemented IKEv2 and ESP Origin Integrity and Authenticity
Mechanisms.

☐ HMAC-SHA2-256_128 ☐ HMAC-SHA2-384_192

8 ☐ HMAC-SHA2-512_256 ☐ AES-CMAC-96

☐ AES-GMAC

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented IKEv2 Pseudo-Random Functions.

☐ HMAC-SHA2-256 ☐ HMAC-SHA2-384
9
☐ HMAC-SHA2-512 ☐ AES128-CMAC

☐ Other(s) - Please indicate which one(s)

Please indicate the implemented IKEv2 Authentication Mechanisms.

☐ RSA (RSASSA-PSS) with SHA-256 ☐ RSA (RSASSA-PSS) with SHA-384

☐ RSA (RSASSA-PSS) with SHA-512 ☐ ECDSA-SHA-256 and P-256

☐ ECDSA-SHA-384 and P-384 ☐ ECDSA-SHA-512 and P-521

10
☐ ECDSA-256-BrainpoolP256r1 ☐ ECDSA-384-BrainpoolP384r1

☐ ECDSA-512-BrainpoolP512r1 ☐ ECGDSA-256-BrainpoolP256r1

☐ ECGDSA-384-BrainpoolP384r1 ☐ ECGDSA-512-BrainpoolP512r1

☐ Other(s) - Please indicate which one(s)

Please provide a brief description of the purpose of each IPsec implementation

with its associated configurations.
11 (e.g., The TOE implements IPsec to establish secure channels over a VPN)

Centro Criptológico Nacional 55

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

5 REFERENCES

[CCN-MEMeC] CCN Cryptographic Mechanisms Evaluation Methodology

v1.3.3. November 2024
[SP800-38D] NIST. Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC.
National Institute of Standards and Technology, Special
Publication SP800-38D, November 2007.

Centro Criptológico Nacional 56

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

6 ACRONYMS
AE Authenticated Encryption
CCN Centro Criptológico Nacional
CL1 Certification Level 1
CL2 Certification Level 2
CL3 Certification Level 3
DRBG Deterministic Random Bit Generator
ECDLOG Discrete Logarithm in Elliptic Curves
FFDLOG Discrete Logarithm in Finite Fields
IPsec Internet Protocol security
KDF Key Derivation Function
MAC Message Authentication Code
RNG Random Number Generator
SSH Secure Shell
TLS Transport Layer Security Protocol
TOE Target Of Evaluation
VQ Vendor Questionnaire
XOF Extendable-Output Function

Centro Criptológico Nacional 57

 CCN-STIC-2100-B Cryptographic Mechanisms Evaluation Vendor Questionnaire v1.3.3 - Lite

Centro Criptológico Nacional 58