Implementation specific answers to the security attestation (CON-1118)

Open PhLuReh opened this issue 10 months ago • 1 comments

For certification approval, a manufacturer has to answer security-relevant questions in the CSA_Matter_Security_Attestation_Approved.docx document. Some of them are implementation-specific and should be pre-answered by Espressif.

13.6.1.e Device shall use non-repeating initialization vectors for given session key.

What is the specific implementation? Or is it a connectedhomeip-specific thing?

13.6.3.a

Is there a CVE report for the esp-matter implementation?

PhLuReh, Apr 10 '24 08:04

@PhLuReh Here is a recommended response to 13.6.1.e (if you are using the esp-matter SDK without any change to the SDK source code):

13.6.1.e: Yes, the hardware RNG module is used for random number generation, which is truly random, so it's a non-repeating initialization vector.

Regarding 13.6.3.a: Yes, the esp-matter SDK is built on top of connectedhomeip, and we support the public vulnerability reporting flow.

Is there a CVE report for the esp-matter implementation?

We can't provide a public report for the esp-matter implementation, since it's a product-specific report, not an SDK-specific one. If you have any particular questions on the report, feel free to contact us via technical-inquiries; we can assist you with it.

chshu, May 10 '24 08:05

@PhLuReh Can you please close the issue if the questions are answered?

shubhamdp, Jun 25 '24 14:06