
Protection Profile for Application Software

Version: 1.1
2014-11-05
National Information Assurance Partnership

Revision History

Version   Date         Comment
v1.1      2014-11-05   Addition to TLS cipher suite selections
v1.0      2014-10-20   Initial release

Contents
1. Introduction
1.1. Overview
1.2. Terms
1.2.1. Common Criteria Terms
1.2.2. Technology Terms
1.3. Compliant Targets of Evaluation
1.3.1. TOE Boundary
1.4. Use Cases
2. Conformance Claims
3. Security Problem Definition
3.1. Threats
3.2. Assumptions
3.3. Organizational Security Policies
4. Security Objectives
4.1. Security Objectives for the TOE
4.2. Security Objectives for the Operational Environment
4.3. Security Objectives Rationale
5. Security Requirements
5.1. Security Functional Requirements
5.1.1. Cryptographic Support (FCS)
5.1.2. User Data Protection (FDP)
5.1.3. Identification and Authentication (FIA)
5.1.4. Security Management (FMT)
5.1.5. Protection of the TSF (FPT)
5.1.6. Trusted Path/Channel (FTP)
5.2. Security Assurance Requirements
5.2.1. Class ASE: Security Target
5.2.2. Class ADV: Development
5.2.3. Class AGD: Guidance Documentation
5.2.4. Class ALC: Life-cycle Support
5.2.5. Class ATE: Tests
5.2.6. Class AVA: Vulnerability Assessment
Appendix A: Optional Requirements
Appendix B: Selection-Based Requirements
Appendix C: Objective Requirements
Appendix D: Entropy Documentation and Assessment
Appendix E: References
Appendix F: Acronyms

1. Introduction

1.1 Overview
The scope of this Protection Profile (PP) is to describe the security functionality of application software in terms of [CC] and to define functional and assurance requirements for such software. In recent years, software attacks have shifted from targeting operating systems to targeting applications. This has been the natural response to improvements in operating system security and development processes. As a result, it is paramount that the security of applications be improved to reduce the risk of compromise.

1.2 Terms
The following sections provide both Common Criteria and technology terms used in this Protection Profile.

1.2.1 Common Criteria Terms

Common Criteria (CC)
    Common Criteria for Information Technology Security Evaluation.

Common Evaluation Methodology (CEM)
    Common Evaluation Methodology for Information Technology Security Evaluation.

Protection Profile (PP)
    An implementation-independent set of security requirements for a category of products.

Security Target (ST)
    A set of implementation-dependent security requirements for a specific product.

Target of Evaluation (TOE)
    The product under evaluation. In this case, application software and its supporting documentation.

TOE Security Functionality (TSF)
    The security functionality of the product under evaluation.

TOE Summary Specification (TSS)
    A description of how a TOE satisfies the SFRs in a ST.

Security Functional Requirement (SFR)
    A requirement for security enforcement by the TOE.

Security Assurance Requirement (SAR)
    A requirement to assure the security of the TOE.

1.2.2 Technology Terms

Address Space Layout Randomization (ASLR)
    An anti-exploitation feature which loads memory mappings into unpredictable locations. ASLR makes it more difficult for an attacker to redirect control to code that they have introduced into the address space of an application process.

Application (app)
    Software that runs on a platform and performs tasks on behalf of the user or owner of the platform, as well as its supporting documentation. The terms TOE and application are interchangeable in this document.

Application Programming Interface (API)
    A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.

Credential
    Data that establishes the identity of a user, e.g. a cryptographic key or password.

Data Execution Prevention (DEP)
    An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-execute permission on pages of memory. DEP prevents pages of memory from containing both data and instructions, which makes it more difficult for an attacker to introduce and execute code.

Developer
    An entity that writes application software. For the purposes of this document, vendors and developers are the same.

Mobile Code
    Software transmitted from a remote system for execution within a limited execution environment on the local system. Typically, there is no persistent installation and execution begins without the user's consent or even notification. Examples of mobile code technologies include JavaScript, Java applets, Adobe Flash, and Microsoft Silverlight.

Operating System (OS)
    Software that manages hardware resources and provides services for applications.

Personally Identifiable Information (PII)
    Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. [OMB]

Platform
    The environment in which application software runs. The platform can be an operating system, an execution environment which runs atop an operating system, or some combination of these.

Sensitive Data
    Sensitive data may include all user or enterprise data or may be specific application data such as emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include PII, credentials, and keys. Sensitive data shall be identified in the application's TSS by the ST author.

Stack Cookie
    An anti-exploitation feature that places a value on the stack at the start of a function call, and checks that the value is the same at the end of the function call. This is also referred to as Stack Guard, or Stack Canaries.

Vendor
    An entity that sells application software. For purposes of this document, vendors and developers are the same. Vendors are responsible for maintaining and updating application software.

1.3 Compliant Targets of Evaluation
The requirements in this document apply to application software which runs on mobile devices ("apps"), as well as on desktop and server platforms. Some application types are covered by more specific PPs, which may be expressed as Extended Packages of this PP. Such applications are subject to the requirements of both this PP and the Extended Package that addresses their special functionality. PPs for some particularly specialized applications may not be expressed as EPs at this time, though the requirements in this document should be seen as objectives for those highly specialized applications.

Although the requirements in this document apply to a wide range of application software, consult guidance from the relevant national schemes to determine when formal Common Criteria evaluation is expected for a particular type of application. This may vary depending upon the nature of the security functionality of the application.

1.3.1 TOE Boundary
An application is defined as software that runs on a platform and performs tasks on behalf of the user or owner of the system. The application consists of the software provided by its vendor and which is installed onto the file system provided by the operating system. It executes on the platform, which may be an operating system (Figure 1), an execution environment, or some combination of these (Figure 2). Some assurance activities are specific to the particular platform on which the application runs, in order to provide precision and repeatability. Test activities are actively sought from platform vendors so that coverage across platforms is as complete and accurate as possible. This will also enable certification of applications on those platforms.

Applications include a diverse range of software such as office suites, thin clients, PDF readers, and downloadable smartphone apps. The TOE includes any software in the application installation package, even those pieces that may extend the functionality of the underlying platform, such as kernel drivers. Many platforms come bundled with applications such as web browsers, email clients and media players and these too should be considered subject to the requirements defined in this document although the expectation of formal Common Criteria evaluation depends upon the national scheme. BIOS and other firmware, the operating system kernel, and other systems software (and drivers) provided as part of the platform are outside the scope of this document.

Figure 1: TOE as an Application and Kernel Module Running on an Operating System

Figure 2: TOE as an Application Running in an Execution Environment Plus Native Code

1.4 Use Cases
Requirements in this Protection Profile are designed to address the security problem in the following use cases. These use cases are intentionally very broad, as many specific use cases exist for application software. Many applications may be used in combinations of these broad use cases, and evaluation against Extended Packages of this PP, when available, may be most appropriate for some application types.

[USE CASE 1] Content Creation
    The application allows a user to create content, saving it to either local or remote storage. Example content includes text documents, presentations, and images.

[USE CASE 2] Content Consumption
    The application allows a user to consume content, retrieving it from either local or remote storage. Example content includes web pages and video.

[USE CASE 3] Communication
    The application allows for communication interactively or non-interactively with other users or applications over a communications channel. Example communications include instant messages, email, and voice.

2. Conformance Claims

Conformance Statement
    To be conformant to this PP, a ST must demonstrate Exact Conformance, a subset of Strict Conformance as defined in [CC] Part 1 (ASE_CCL). The ST must include all components in this PP that are:
        unconditional (which are always required)
        selection-based (which are required when certain selections are chosen in the unconditional requirements)
    and may include components that are
        optional or
        objective.
    Unconditional requirements are found in the main body of the document, while appendices contain the selection-based, optional, and objective requirements. The ST may iterate any of these components, but it must not include any additional component (e.g. from CC Part 2 or 3 or a PP not conformant with this one, or extended by the ST) not defined in this PP or a PP conformant to this one. See Section 1.3 regarding more specific PPs that may extend this one.

CC Conformance Claims
    This PP is conformant to Parts 2 (extended) and 3 (extended) of Common Criteria Version 3.1, Revision 4. [CC].

PP Claim
    This PP does not claim conformance to any other Protection Profile.

Package Claim
    This PP does not claim conformance to any packages.

3. Security Problem Definition

The security problem is described in terms of the threats that the TOE is expected to address, assumptions about the operational environment, and any organizational security policies that the TOE is expected to enforce.

3.1 Threats

T.NETWORK_ATTACK
    An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.

T.NETWORK_EAVESDROP
    An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.

T.LOCAL_ATTACK
    An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.

T.PHYSICAL_ACCESS
    An attacker may try to access sensitive data at rest.

3.2 Assumptions

A.PLATFORM
    The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying platform and whatever runtime environment it provides to the TOE.

A.PROPER_USER
    The user of the application software is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy.

A.PROPER_ADMIN
    The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

3.3 Organizational Security Policies
There are no OSPs for the application.

4. Security Objectives

4.1 Security Objectives for the TOE

O.INTEGRITY
    Conformant TOEs ensure the integrity of their installation and update packages, and also leverage execution environment-based mitigations. Software is seldom if ever shipped without errors, and the ability to deploy patches and updates to fielded software with integrity is critical to enterprise network security. Processor manufacturers, compiler developers, execution environment vendors, and operating system vendors have developed execution environment-based mitigations that increase the cost to attackers by adding complexity to the task of compromising systems. Application software can often take advantage of these mechanisms by using APIs provided by the runtime environment or by enabling the mechanism through compiler or linker options.
    Addressed by: FDP_DEC_EXT.1, FMT_CFG_EXT.1, FPT_AEX_EXT.1, FPT_TUD_EXT.1

O.QUALITY
    To ensure quality of implementation, conformant TOEs leverage services and APIs provided by the runtime environment rather than implementing their own versions of these services and APIs. This is especially important for cryptographic services and other complex operations such as file and media parsing. Leveraging this platform behavior relies upon using only documented and supported APIs.
    Addressed by: FMT_MEC_EXT.1, FPT_API_EXT.1, FPT_LIB_EXT.1

O.MANAGEMENT
    To facilitate management by users and the enterprise, conformant TOEs provide consistent and supported interfaces for their security-relevant configuration and maintenance. This includes the deployment of applications and application updates through the use of platform-supported deployment mechanisms and formats, as well as providing mechanisms for configuration.
    Addressed by: FMT_SMF.1, FPT_IDV_EXT.1, FPT_TUD_EXT.1.5

O.PROTECTED_STORAGE
    To address the issue of loss of confidentiality of user data in the event of loss of physical control of the storage medium, conformant TOEs will use data-at-rest protection. This involves encrypting data and keys stored by the TOE in order to prevent unauthorized access to this data.
    Addressed by: FDP_DAR_EXT.1, FCS_STO_EXT.1, FCS_RBG_EXT.1

O.PROTECTED_COMMS
    To address both passive (eavesdropping) and active (packet modification) network attack threats, conformant TOEs will use a trusted channel for sensitive data. Sensitive data includes cryptographic keys, passwords, and any other data specific to the application that should not be exposed outside of the application.
    Addressed by: FTP_DIT_EXT.1, FCS_TLSC_EXT.1, FCS_DTLS_EXT.1, FCS_RBG_EXT.1

4.2 Security Objectives for the Operational Environment
The following security objectives for the operational environment assist the TOE in correctly providing its security functionality. These track with the assumptions about the environment.

OE.PLATFORM
    The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying operating system and any discrete execution environment provided to the TOE.

OE.PROPER_USER
    The user of the application software is not willfully negligent or hostile, and uses the software within compliance of the applied enterprise security policy.

OE.PROPER_ADMIN
    The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

4.3 Security Objectives Rationale
This section describes how the assumptions, threats, and organizational security policies map to the security objectives. Each entry below gives the threat, assumption, or OSP, followed by its security objectives and the rationale.

T.NETWORK_ATTACK
    Security Objectives: O.PROTECTED_COMMS, O.INTEGRITY, O.MANAGEMENT
    Rationale:
        The threat T.NETWORK_ATTACK is countered by O.PROTECTED_COMMS as this provides for integrity of transmitted data.
        The threat T.NETWORK_ATTACK is countered by O.INTEGRITY as this provides for integrity of software that is installed onto the system from the network.
        The threat T.NETWORK_ATTACK is countered by O.MANAGEMENT as this provides for the ability to configure the application to defend against network attack.

T.NETWORK_EAVESDROP
    Security Objectives: O.PROTECTED_COMMS, O.QUALITY, O.MANAGEMENT
    Rationale:
        The threat T.NETWORK_EAVESDROP is countered by O.PROTECTED_COMMS as this provides for confidentiality of transmitted data.
        The objective O.QUALITY ensures use of mechanisms that provide protection against network-based attack.
        The threat T.NETWORK_EAVESDROP is countered by O.MANAGEMENT as this provides for the ability to configure the application to protect the confidentiality of its transmitted data.

T.LOCAL_ATTACK
    Security Objectives: O.QUALITY
    Rationale:
        The objective O.QUALITY protects against the use of mechanisms that weaken the TOE with regard to attack by other software on the platform.

T.PHYSICAL_ACCESS
    Security Objectives: O.PROTECTED_STORAGE
    Rationale:
        The objective O.PROTECTED_STORAGE protects against unauthorized attempts to access physical storage used by the TOE.

A.PLATFORM
    Security Objectives: OE.PLATFORM
    Rationale:
        The operational environment objective OE.PLATFORM is realized through A.PLATFORM.

A.PROPER_USER
    Security Objectives: OE.PROPER_USER
    Rationale:
        The operational environment objective OE.PROPER_USER is realized through A.PROPER_USER.

A.PROPER_ADMIN
    Security Objectives: OE.PROPER_ADMIN
    Rationale:
        The operational environment objective OE.PROPER_ADMIN is realized through A.PROPER_ADMIN.

5. Security Requirements
This chapter describes the security requirements which have to be fulfilled by the TOE. Those requirements comprise functional components from Part 2 and assurance components from Part 3 of [CC]. The following notations are used:
    Refinement operation (denoted by bold text): is used to add details to a requirement, and thus further restricts a requirement.
    Selection (denoted by italicized text): is used to select one or more options provided by the [CC] in stating a requirement.
    Assignment operation (denoted by italicized text): is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
    Iteration operation: is identified with a number inside parentheses (e.g. "(1)").

5.1 Security Functional Requirements
The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, with additional extended functional components.

5.1.1 Cryptographic Support (FCS)

FCS_RBG_EXT.1 Random Bit Generation Services

FCS_RBG_EXT.1.1
The application shall [selection:
    use no DRBG functionality,
    invoke platform-provided DRBG functionality,
    implement DRBG functionality
] for its cryptographic operations.

Application Note: If implement DRBG functionality is chosen, then additional FCS_RBG_EXT.2 elements shall be included in the ST. In this requirement, cryptographic operations include all cryptographic key generation/derivation/agreement, IVs (for certain modes), as well as protocol-specific random values.

Assurance Activity
If use no DRBG functionality is selected, the evaluator shall inspect the application and its developer documentation and verify that the application needs no random bit generation services.
If implement DRBG functionality is selected, the evaluator shall ensure that additional FCS_RBG_EXT.2 elements are included in the ST.
If invoke platform-provided DRBG functionality is selected, the evaluation activities will be performed as stated in the following requirements. The evaluator shall verify that the TSS identifies the calls used in acquiring random from each instantiation of the RBG used for the application's cryptographic functionality. The evaluator shall ensure that random bits are acquired properly from the platform. This varies on a per-platform basis:
    For BlackBerry: The evaluator shall verify that the application invokes Security Builder Crypto GSE.
    For Android: The evaluator shall verify that the application uses at least one of javax.crypto.KeyGenerator class or the java.security.SecureRandom class or /dev/random or /dev/urandom.
    For Windows: The evaluator shall verify that BCryptGenRandom or CryptGenRandom API is used for classic desktop applications. The evaluator shall verify that the System.Random API is used for Windows Store Applications. In future versions of this document, CryptGenRandom may be removed as an option as it is no longer the preferred API per vendor documentation.
    For iOS: The evaluator shall verify that the application invokes SecRandomCopyBytes or uses /dev/random directly to acquire random.
    For Linux: The evaluator shall verify that the application collects random from /dev/random or /dev/urandom.
    For Solaris: The evaluator shall verify that the application collects random from /dev/random.
    For Mac OS X: The evaluator shall verify that the application uses /dev/random to acquire random.
If invocation of platform-provided functionality is achieved in another way, the evaluator shall ensure the TSS describes how this is carried out, and how it is equivalent to the methods listed here (e.g. higher-level API invokes identical low-level API).

FCS_STO_EXT.1 Storage of Secrets

FCS_STO_EXT.1.1
The application shall [selection:
    not store any credentials,
    invoke the functionality provided by the platform to securely store [assignment: list of credentials],
    implement functionality to securely store [assignment: list of credentials]
] to non-volatile memory.

Application Note: This requirement ensures that persistent credentials (secret keys, PKI private keys, or passwords) are stored securely when not in use. If implement functionality to securely store credentials is selected, then the following requirements must be included in the ST: FCS_COP.1(1). If other cryptographic operations are used to implement the secure storage of credentials, the corresponding requirements must be included in the ST.

Assurance Activity
The evaluator shall check the TSS to ensure that it lists all persistent credentials (secret keys, PKI private keys, or passwords) needed to meet the requirements in the ST. For each of these items, the evaluator shall confirm that the TSS lists for what purpose it is used, and how it is stored.
For all credentials for which the application invokes platform-provided functionality, the evaluator shall perform the following actions which vary per platform.
    For BlackBerry: The evaluator shall verify that the application uses the BlackBerry KeyStore and Security Builder APIs to store credentials.
    For Android: The evaluator shall verify that the application uses the Android KeyStore to store certificates.
    For Windows: The evaluator shall verify that all certificates are stored in the Windows Certificate Store. The evaluator shall verify that other secrets, like passwords, are stored in the Windows Credential Manager or stored using the Data Protection API (DPAPI). For Windows Store Apps, the evaluator shall verify that the application is using the ProtectData class and storing credentials in IsolatedStorage.
    For iOS: The evaluator shall verify that all credentials are stored within a Keychain.
    For Linux: The evaluator shall verify that all keys are stored using Linux keyrings.
    For Solaris: The evaluator shall verify that all keys are stored using Solaris Key Management Framework (KMF).
    For Mac OS X: The evaluator shall verify that all credentials are stored within Keychain.

5.1.2 User Data Protection (FDP)

FDP_DEC_EXT.1 Access to Platform Resources

FDP_DEC_EXT.1.1
The application shall provide user awareness of its intent to access [selection:
    no hardware resources,
    network connectivity,
    camera,
    microphone,
    location services,
    NFC,
    USB,
    Bluetooth,
    [assignment: list of additional hardware resources]
].

Application Note: The evaluator should ensure that the selection captures all platform hardware resources which the application intends to access. The requirement is worded in this way due to the diversity of methods by which user awareness can be achieved, which varies per platform. Selections should be expressed in a manner consistent with how the application expresses its access needs to the underlying platform. For example, the platform may provide location services which implies the potential use of a variety of hardware resources (e.g. satellite receivers, WiFi, cellular radio) yet location services is the proper selection. This is because use of these resources can be inferred, but also because the actual usage may vary based on the particular platform. Resources that do not need to be explicitly identified are those which are ordinarily used by any application such as central processing units, main memory, displays, input devices (e.g. keyboards, mice), and persistent storage devices provided by the platform.

Assurance Activity
The evaluator shall install and run the application and inspect its user documentation to verify that the user is informed of any need to access hardware resources. The method of doing so varies per platform.
    For BlackBerry: The evaluator shall install the application and run it for the first time. The evaluator shall verify that the application displays all platform resources it would like to access. Note: If the user goes to: App permissions > Settings > Security and Privacy > Application Permissions > Select application in question, it will list which platform resources are approved/denied and can be changed.
    For Android: The evaluator shall install the application and verify that the application displays the platform resources it would like to access. This includes permissions such as ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, BLUETOOTH, CAMERA, INTERNET, NFC, READ_EXTERNAL_STORAGE, RECORD_AUDIO. A complete list of Android permissions can be found at:
        http://developer.android.com/reference/android/Manifest.permission.html
        http://developer.android.com/reference/android/Manifest.permission_group.html
    For Windows: For Windows Store Apps the evaluator shall check the WMAppManifest.xml file for a list of required hardware capabilities. The evaluator shall verify that the user is made aware of the required hardware capabilities when the application is first installed. This includes permissions such as ID_CAP_ISV_CAMERA, ID_CAP_LOCATION, ID_CAP_NETWORKING, ID_CAP_MICROPHONE, ID_CAP_PROXIMITY and so on. A complete list of Windows App permissions can be found at:
        http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx
    For Windows Desktop Applications the evaluator shall verify that either the application or the documentation provides the user with a list of the required hardware resources.
    For iOS: The evaluator shall verify that either the application or the documentation provides the user with a list of the required hardware resources.
    For Linux: The evaluator shall verify that either the application software or its documentation provides the user with a list of the required hardware resources.
    For Solaris: The evaluator shall verify that either the application software or its documentation provides the user with a list of the required hardware resources.
    For Mac OS X: The evaluator shall verify that either the application software or its documentation provides the user with a list of the required hardware resources.

FDP_DEC_EXT.1.2
The application shall provide user awareness of its intent to access [selection:
    no sensitive information repositories,
    address book,
    calendar,
    call lists,
    system logs,
    [assignment: list of additional sensitive information repositories]
].

Application Note: Sensitive information repositories are defined as those collections of sensitive data that could be expected to be shared among some applications, users, or user roles, but to which not all of these would ordinarily require access. The intent is for the evaluator to ensure that the selection captures all sensitive information repositories which the application is intended to access. The requirement is worded in this way due to the diversity of methods by which user awareness can be achieved, which varies per platform.

Assurance Activity
The evaluator shall ensure that the selection captures all sensitive information repositories which the application is intended to access. The evaluator shall install and run the application software and inspect its user documentation to verify that the user is informed of any need to access these repositories. The method of doing so varies per platform.
    For BlackBerry: The evaluator shall install the application and run it for the first time. The evaluator shall verify that the application displays all platform resources it would like to access.
    For Android: The evaluator shall install the application and verify that the application displays the permissions used to access system-wide repositories. This includes permissions such as READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS, READ_EXTERNAL_STORAGE, READ_LOGS. A complete list of Android permissions can be found at:
        http://developer.android.com/reference/android/Manifest.permission.html
        http://developer.android.com/reference/android/Manifest.permission_group.html
    For Windows: For Windows Store Apps the evaluator shall check the WMAppManifest.xml file for a list of required capabilities. The evaluator shall verify that the user is made aware of the required information repositories when the application is first installed. This includes permissions such as ID_CAP_CONTACTS, ID_CAP_APPOINTMENTS, ID_CAP_MEDIALIB and so on. A complete list of Windows App permissions can be found at:
        http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx
    For Windows Desktop Applications the evaluator shall verify that either the application software or its documentation provides the user with a list of the required sensitive information repositories.
    For iOS: The evaluator shall verify that either the application software or its documentation provides the user with a list of the required sensitive information repositories.
    For Linux: The evaluator shall verify that either the application software or its documentation provides the user with a list of required sensitive information repositories.
    For Solaris: The evaluator shall verify that either the application software or its documentation provides the user with a list of required sensitive information repositories.
    For Mac OS X: The evaluator shall verify that either the application software or its documentation provides the user with a list of required sensitive information repositories.
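
The Android assurance activities for FDP_DEC_EXT.1.1 and FDP_DEC_EXT.1.2 can be supported by a cross-check of the manifest against the ST selections. The following is an added example, not part of the Protection Profile: the permission-to-selection mapping, the sample manifest and the function names are assumptions, and the manifest is assumed to be already decoded from the APK's binary form to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed mapping from the permissions named in the assurance activities
# to the selection items of FDP_DEC_EXT.1.1 (hardware resources) ...
HARDWARE = {
    "ACCESS_COARSE_LOCATION": "location services",
    "ACCESS_FINE_LOCATION": "location services",
    "BLUETOOTH": "Bluetooth",
    "CAMERA": "camera",
    "INTERNET": "network connectivity",
    "NFC": "NFC",
    "RECORD_AUDIO": "microphone",
}
# ... and of FDP_DEC_EXT.1.2 (sensitive information repositories).
REPOSITORIES = {
    "READ_CALENDAR": "calendar",
    "READ_CALL_LOG": "call lists",
    "READ_CONTACTS": "address book",
    "READ_LOGS": "system logs",
}

# Constructed sample manifest (text form), not taken from a real application.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests.

    Platform permissions are shortened (android.permission.CAMERA -> CAMERA);
    custom permissions keep their full name so they never alias a platform one.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                name = name[len(PREFIX):]
            if name:
                names.add(name)
    return names


def review(manifest_xml, st_hardware, st_repositories):
    """Compare what the manifest requests with what the ST selections claim."""
    perms = requested_permissions(manifest_xml)
    hardware = {HARDWARE[p] for p in perms if p in HARDWARE}
    repos = {REPOSITORIES[p] for p in perms if p in REPOSITORIES}
    claimed = set(st_hardware) | set(st_repositories)
    return {
        # Requested by the app but missing from the ST selection.
        "undeclared_hardware": sorted(hardware - set(st_hardware)),
        "undeclared_repositories": sorted(repos - set(st_repositories)),
        # Claimed in the ST but not backed by any requested permission.
        "claimed_but_not_requested": sorted(claimed - hardware - repos),
        # Permissions with no mapping: the evaluator decides whether they
        # need an [assignment: ...] entry in either selection.
        "unmapped": sorted(p for p in perms
                           if p not in HARDWARE and p not in REPOSITORIES),
    }


if __name__ == "__main__":
    report = review(SAMPLE_MANIFEST,
                    st_hardware=["network connectivity"],
                    st_repositories=["address book", "calendar"])
    for key, values in report.items():
        print(key, values)
```

The report only covers what the manifest declares; the evaluator still has to confirm on the device that the user is shown these resources, as the assurance activity requires.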

FDP_DEC_EXT.1.3
The application shall only seek access to those resources for which it has provided a justification to access.

Assurance Activity
The evaluator shall review documentation provided by the application developer and for each resource which it requests access to, identify the justification as to why access is required.

FDP_DEC_EXT.1.4
The application shall restrict network communication to [selection:
    no network communication,
    user-initiated communication for [assignment: list of functions for which the user can initiate network communication],
    respond to [assignment: list of remotely initiated communication],
    [assignment: list of application-initiated network communication]
].

Application Note: This requirement is intended to restrict both inbound and outbound network communications to only those required, or to network communications that are user-initiated. It does not apply to network communications in which the application may generically access the file system which may result in the platform accessing remotely-mounted drives/shares.

Assurance Activity
The evaluator shall perform the following tests:
    Test 1: The evaluator shall run the application. While the application is running, the evaluator shall sniff network traffic ignoring all non-application associated traffic and verify that any network communications witnessed are documented in the TSS or are user-initiated.
    Test 2: The evaluator shall run the application. After the application initializes, the evaluator shall run network port scans to verify that any ports opened by the application have been captured in the ST for the third selection and its assignment. This includes connection-based protocols (e.g. TCP, DCCP) as well as connectionless protocols (e.g. UDP).
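
The comparison step of Test 2 can be scripted once the open ports have been collected. The following is an added example, not part of the Protection Profile: it assumes a Linux test host where the evaluator captured the listening sockets with `ss -H -lntup` as a local complement to the port scan, and the process names, PIDs and ports in the sample are constructed.

```python
import re

# Matches one entry of the ss process column: users:(("name",pid=123,fd=4))
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),')

# Constructed sample of `ss -H -lntup` output; "notesd" stands for the TOE.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:8443       0.0.0.0:*    users:(("notesd",pid=4242,fd=7))
tcp   LISTEN 0      128        127.0.0.1:9229       0.0.0.0:*    users:(("notesd",pid=4242,fd=11))
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("notesd",pid=4242,fd=9))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=801,fd=4))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (proto, port, process, pid) tuples for each listening socket.

    Sockets for which ss printed no process information (it was run without
    sufficient privilege, or the owner is the kernel) get process "?" and
    pid 0 so that they are reported rather than silently dropped.
    """
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        port = fields[4].rsplit(":", 1)[-1]   # handles 0.0.0.0:80 and [::]:80
        if not port.isdigit():
            continue
        owners = PROC_RE.findall(line) or [("?", "0")]
        for name, pid in owners:
            rows.append((fields[0], int(port), name, int(pid)))
    return rows


def undocumented_ports(ss_output, app_pids, st_declared):
    """Ports held open by the application's processes that the ST omits.

    st_declared is the set of (proto, port) pairs taken from the assignment
    of the "respond to" selection in FDP_DEC_EXT.1.4.
    """
    opened = {(proto, port)
              for proto, port, _name, pid in parse_listeners(ss_output)
              if pid in app_pids}
    return sorted(opened - set(st_declared))


def unattributed_listeners(ss_output):
    """Listening sockets with no owner shown; these need manual follow-up."""
    return sorted((proto, port)
                  for proto, port, _name, pid in parse_listeners(ss_output)
                  if pid == 0)


if __name__ == "__main__":
    print(undocumented_ports(SAMPLE_SS, {4242}, {("tcp", 8443)}))
    print(unattributed_listeners(SAMPLE_SS))
```

A loopback-only listener such as the 127.0.0.1 entry is still a port opened by the application and is reported; whether it belongs in the ST is the evaluator's call.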

FDP_DEC_EXT.1.5
The application shall [selection:
    not transmit PII over a network,
    require user approval before executing [assignment: list of functions that transmit PII over a network]
].

Application Note: This requirement only applies to PII that is specifically requested by the application; it does not apply if the user volunteers PII without prompting from the application into a general (or inappropriate) data field. A dialog box that declares intent to send PII presented to the user at the time the application is started is sufficient to meet this requirement.

Assurance Activity
The evaluator shall inspect the TSS documentation to identify functionality in the application where PII can be transmitted, and perform the following tests.
    Test 1: The evaluator shall run the application and exercise the functionality responsible for transmitting PII and verify that user approval is required before transmission of the PII.

FDP_DAR_EXT.1 Encryption Of Sensitive Application Data

FDP_DAR_EXT.1.1
The application shall [selection:
    leverage platform-provided functionality to encrypt sensitive data,
    implement functionality to encrypt sensitive data,
    not store any sensitive data
] in non-volatile memory.

Application Note: If implement functionality to encrypt sensitive data is selected, then evaluation is required against the Application Software Protection Profile Extended Package: File Encryption.
Any file that may potentially contain sensitive data (to include temporary files) shall be protected. The only exception is if the user intentionally exports the sensitive data to non-protected files.

Assurance Activity
The evaluator shall inventory the file system locations where the application may write data. The evaluator shall run the application and attempt to store sensitive data. The evaluator shall then inspect those areas of the file system to note where data was stored (if any), and determine whether it has been encrypted.
If not store any sensitive data is selected, the evaluator shall inspect the TSS and ensure that it describes how sensitive data cannot be written to non-volatile memory. The evaluator shall also ensure that this is consistent with the file system test above.
If implement functionality to encrypt sensitive data is selected, then evaluation is required against the Application Software Protection Profile Extended Package: File Encryption. The evaluator shall ensure that such evaluation is underway.
If leverage platform-provided functionality is selected, the evaluation activities will be performed as stated in the following requirements, which vary on a per-platform basis:
    For BlackBerry: The evaluator shall inspect the TSS and ensure that it describes how the application uses the Advanced Data at Rest Protection API and how the application uses the appropriate domain to store and protect each data file.
    For Android: The evaluator shall inspect the TSS and verify that it describes how files containing sensitive data are stored with the MODE_PRIVATE flag set.
    For Windows: The Windows platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The evaluator shall verify that the Operational User Guidance makes the need to activate platform encryption, such as BitLocker or Encrypting File System (EFS), clear to the end user.
    For iOS: The evaluator shall inspect the TSS and ensure that it describes how the application uses the Complete Protection, Protected Unless Open, or Protected Until First User Authentication Data Protection Class for each data file stored locally.
    For Linux: The Linux platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The evaluator shall verify that the Operational User Guidance makes the need to activate platform encryption clear to the end user.
    For Solaris: The Solaris platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The evaluator shall verify that the Operational User Guidance makes the need to activate platform encryption clear to the end user.
    For Mac OS X: The Mac OS X platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The evaluator shall verify that the Operational User Guidance makes the need to activate platform encryption clear to the end user.

5.1.3 Identification and Authentication (FIA)
5.1.4 Security Management (FMT)
FMT_MEC_EXT.1 Supported Configuration Mechanism
FMT_MEC_EXT.1.1

The application shall invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Application Note: Configuration options that are stored remotely are not subject to this requirement.
Assurance Activity
The evaluator shall review the TSS to identify the application's configuration options (e.g. settings) and determine whether these are stored and set using the mechanisms supported by the platform. The method of doing so varies per platform.
For BlackBerry: The evaluator shall run the application and make security-related changes to its configuration. The evaluator shall check that at least one file in the app folder of the application working directory was modified to reflect the change made.
For Android: The evaluator shall run the application and make security-related changes to its configuration. The evaluator shall check that at least one XML file at location /data/data/package/shared_prefs/ reflects the changes made to the configuration to verify that the application used SharedPreferences and/or PreferenceActivity classes for storing configuration data, where package is the Java package of the application.
For Windows: The evaluator shall determine and verify that Windows Store App applications use either the Windows.UI.ApplicationSettings namespace or the IsolatedStorageSettings namespace for storing application-specific settings. For Classic Desktop applications, the evaluator shall run the application while monitoring it with the SysInternal tool ProcMon and make changes to its configuration. The evaluator shall verify that ProcMon logs show corresponding changes to the Windows Registry.
For iOS: The evaluator shall verify that the app uses the user defaults system or key-value store for storing all settings.
For Linux: The evaluator shall run the application while monitoring it with the utility strace. The evaluator shall make security-related changes to its configuration. The evaluator shall verify that strace logs corresponding changes to configuration files that reside in /etc (for system-specific configuration) or in the user's home directory (for user-specific configuration).
For Solaris: The evaluator shall run the application while monitoring it with the utility dtrace. The evaluator shall make security-related changes to its configuration. The evaluator shall verify that dtrace logs corresponding changes to configuration files that reside in /etc (for system-specific configuration) or in the user's home directory (for user-specific configuration).
For Mac OS X: The evaluator shall verify that the application stores and retrieves settings using the NSUserDefaults class.
FMT_CFG_EXT.1 Secure by Default Configuration
FMT_CFG_EXT.1.1

The application shall only provide enough functionality to set new credentials when configured with default credentials or no credentials.
Application Note: Default credentials are credentials (e.g., passwords, keys) that are automatically (without user interaction) loaded onto the platform during application installation. Credentials that are generated during installation using requirements laid out in FCS_RBG_EXT.1 are not by definition default credentials.
Assurance Activity
The evaluator shall check the TSS to determine if the application requires any type of credentials and if the application installs with default credentials. If the application uses any default credentials the evaluator shall run the following tests.
Test 1: The evaluator shall install and run the application without generating or loading new credentials and verify that only the minimal application functionality required to set new credentials is available.
Test 2: The evaluator shall attempt to clear all credentials and verify that only the minimal application functionality required to set new credentials is available.
Test 3: The evaluator shall run the application, establish new credentials and verify that the original default credentials no longer provide access to the application.

FMT_CFG_EXT.1.2

The application shall be configured by default with file permissions which protect it and its data from unauthorized access.
Application Note: The precise expectations for file permissions vary per platform but the general intention is that a trust boundary protects the application and its data.
Assurance Activity
The evaluator shall install and run the application. The evaluator shall inspect the filesystem of the platform (to the extent possible) for any files created by the application and ensure that their permissions are adequate to protect them. The method of doing so varies per platform.
For BlackBerry: The evaluator shall run ls -alR | grep -E '^.......(r|-w|--x)' inside the application's data directories to ensure that all files are not world-accessible (either read, write, or execute). The command should not print any files. The evaluator shall also verify that no sensitive data is written to external storage which could be read/modified by any other application.
For Android: The evaluator shall run ls -alR | grep -E '^.......(r|-w|--x)' inside the application's data directories to ensure that all files are not world-accessible (either read, write, or execute). The command should not print any files. The evaluator shall also verify that no sensitive data is written to external storage as this data can be read/modified by any application containing the READ_EXTERNAL_STORAGE and/or WRITE_EXTERNAL_STORAGE permissions.
For Windows: The evaluator shall run the SysInternals tools, Process Monitor and Access Check (or tools of equivalent capability, like icacls.exe) for Classic Desktop applications to verify that files written to disk during an application's installation have the correct file permissions, such that a standard user cannot modify the application or its data files. For Windows Store Apps the evaluator shall consider the requirement met because of the AppContainer sandbox.
For iOS: The evaluator shall determine whether the application leverages the appropriate Data Protection Class for each data file stored locally.
For Linux: The evaluator shall run the command find . -perm /007 inside the application's data directories to ensure that all files are not world-accessible (either read, write, or execute). The command should not print any files.
For Solaris: The evaluator shall run the command find . \( -perm -001 -o -perm -002 -o -perm -004 \) inside the application's data directories to ensure that all files are not world-accessible (either read, write, or execute). The command should not print any files.
For Mac OS X: The evaluator shall run the command find . -perm +007 inside the application's data directories to ensure that all files are not world-accessible (either read, write, or execute). The command should not print any files.
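The permission check above can be scripted so that it behaves the same on every Unix-like platform. The following is an added example, not part of the Protection Profile: it uses the three-test find form given for Solaris (which any POSIX find accepts), skips symbolic links because their own mode bits always read as world-accessible, and runs against a constructed directory tree whose file names are hypothetical.

```shell
#!/bin/sh
# Added example for the FMT_CFG_EXT.1.2 assurance activity (not PP text).

# world_accessible DIR
# Print every file or directory under DIR whose "other" permission bits grant
# read, write or execute. The three -perm tests are the portable spelling of
# GNU "-perm /007" and BSD "-perm +007". Symbolic links are excluded: their
# own mode is lrwxrwxrwx and says nothing about the file they point to.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print |
        LC_ALL=C sort
}

# audit DIR
# Return 0 when nothing under DIR is world-accessible, 1 otherwise. This is
# the scripted form of "the command should not print any files".
audit() {
    hits=$(world_accessible "$1")
    if [ -n "$hits" ]; then
        printf 'FAIL: world-accessible entries:\n%s\n' "$hits" >&2
        return 1
    fi
    printf 'PASS: nothing world-accessible under %s\n' "$1" >&2
    return 0
}

# build_sample_tree
# Create a constructed application data directory (hypothetical names) with
# one entry per case, and print the path of its parent temp directory.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/data" "$root/data/shared"
    : > "$root/data/settings.xml"
    : > "$root/data/cache.db"
    : > "$root/data/export.log"
    : > "$root/data/inbox.tmp"
    : > "$root/data/helper.sh"
    chmod 700 "$root/data"
    chmod 600 "$root/data/settings.xml"   # owner only: acceptable
    chmod 640 "$root/data/cache.db"       # owner and group: acceptable
    chmod 644 "$root/data/export.log"     # world-readable
    chmod 602 "$root/data/inbox.tmp"      # world-writable
    chmod 701 "$root/data/helper.sh"      # world-executable
    chmod 755 "$root/data/shared"         # world-listable directory
    ln -s settings.xml "$root/data/latest"  # symlink: must not be reported
    printf '%s\n' "$root"
}

# When called with a directory argument, audit it.
[ $# -eq 0 ] || audit "$@"
```

On the constructed tree the audit reports export.log, helper.sh, inbox.tmp and the shared directory, and leaves settings.xml, cache.db and the symlink out.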
FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1

The TSF shall be capable of performing the following management functions [selection:
no management functions,
enable/disable the transmission of any information describing the system's hardware, software, or configuration,
enable/disable the transmission of any PII,
enable/disable transmission of any application state (e.g. crashdump) information,
enable/disable network backup functionality to [assignment: list of enterprise or commercial cloud backup systems],
[assignment: list of other management functions to be provided by the TSF]
].
Application Note: This requirement stipulates that an application needs to provide the ability to enable/disable only those functions that it actually implements. The application is not responsible for controlling the behavior of the platform or other applications.
Assurance Activity
The evaluator shall verify that every management function mandated by the PP is described in the operational guidance and that the description contains the information required to perform the management duties associated with the management function. The evaluator shall test the application's ability to provide the management functions by configuring the application and testing each option selected from above. The evaluator is expected to test these functions in all the ways in which the ST and guidance documentation state the configuration can be managed.

5.1.5 Protection of the TSF (FPT)
FPT_API_EXT.1 Use of Supported Services and APIs
FPT_API_EXT.1.1

The application shall only use supported platform APIs.
Application Note: The definition of supported may vary depending upon whether the application is provided by a third party (who relies upon documented platform APIs) or by a platform vendor who may be able to guarantee support for platform APIs which are not externally documented.
Assurance Activity
The evaluator shall verify that the TSS lists the platform APIs used in the application. The evaluator shall then compare the list with the supported APIs (available through e.g. developer accounts, platform developer groups) and ensure that all APIs listed in the TSS are supported.

FPT_AEX_EXT.1 Anti-Exploitation Capabilities
FPT_AEX_EXT.1.1

The application shall not request to map memory at an explicit address except for [assignment: list of explicit exceptions].
Application Note: Requesting a memory mapping at an explicit address subverts address space layout randomization (ASLR).
Assurance Activity
The evaluator shall ensure that the TSS describes the compiler flags used to enable ASLR when the application is compiled. The evaluator shall perform either a static or dynamic analysis to determine that no memory mappings are placed at an explicit and consistent address. The method of doing so varies per platform.
For BlackBerry: The evaluator shall run the same application on two different BlackBerry systems and run a tool that will list all memory-mapped addresses for the application. The evaluator shall then verify the two different instances share no mapping locations.
For Android: The evaluator shall run the same application on two different Android systems. Connect via ADB and inspect /proc/PID/maps. Ensure the two different instances share no mapping locations.
For Windows: The evaluator shall run the same application on two different Windows systems and run a tool that will list all memory-mapped addresses for the application. The evaluator shall then verify the two different instances share no mapping locations. The Microsoft sysinternals tool, VMMap, could be used to view memory addresses of a running application. The evaluator shall use a tool such as Microsoft's BinScope Binary Analyzer to confirm that the application has ASLR enabled.
For iOS: The evaluator shall perform a static analysis to search for any mmap calls (or API calls that call mmap), and ensure that no arguments are provided that request a mapping at a fixed address.
For Linux: The evaluator shall run the same application on two different Linux systems. The evaluator shall then compare their memory maps using pmap -x PID to ensure the two different instances share no mapping locations.
For Solaris: The evaluator shall run the same application on two different Solaris systems. The evaluator shall then compare their memory maps using pmap -x PID to ensure the two different instances share no mapping locations.
For Mac OS X: The evaluator shall run the same application on two different Mac OS X systems. The evaluator shall then compare their memory maps using vmmap PID to ensure the two different instances share no mapping locations.
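The two-instance comparison can be automated over saved copies of /proc/PID/maps, the file named in the Android activity. The following is an added example, not part of the Protection Profile: the two captures are constructed, /opt/example/app is a hypothetical application, and the script sets aside the [vsyscall] page because on x86-64 Linux the kernel places it at a fixed address regardless of what the application requests (that exclusion is this example's choice, and it is reported rather than hidden).

```shell
#!/bin/sh
# Added example for the FPT_AEX_EXT.1.1 assurance activity (not PP text).

# shared_mappings MAPS1 MAPS2
# Print "start-address name" for every mapping start address present in both
# captures. Each line of a maps file is:
#   start-end perms offset dev inode [pathname]
# Anonymous mappings have no pathname and are shown as [anon].
shared_mappings() {
    awk '
        { split($1, r, "-"); start = r[1]; name = (NF >= 6) ? $6 : "[anon]" }
        name == "[vsyscall]" { next }        # kernel-fixed page, not app-requested
        FILENAME == ARGV[1] { seen[start] = name; next }
        (start in seen) && !(start in reported) {
            print start, seen[start]
            reported[start] = 1
        }
    ' "$1" "$2"
}

# aslr_check MAPS1 MAPS2
# Return 0 when the two instances share no mapping location, 1 otherwise.
aslr_check() {
    hits=$(shared_mappings "$1" "$2")
    if [ -n "$hits" ]; then
        printf 'FAIL: mappings at the same address in both runs:\n%s\n' "$hits" >&2
        return 1
    fi
    printf 'PASS: no shared mapping locations\n' >&2
    return 0
}

# write_sample_maps DIR
# Write two constructed captures. Both contain an anonymous mapping at
# 0x20000000, as a fixed-address mmap request would produce; everything
# else is randomized between the runs.
write_sample_maps() {
cat > "$1/run1.maps" <<'EOF'
20000000-20010000 rw-p 00000000 00:00 0
5581a3c00000-5581a3c21000 r-xp 00000000 08:01 131090 /opt/example/app
5581a4e3f000-5581a4e60000 rw-p 00000000 00:00 0 [heap]
7f3b5c200000-7f3b5c3bd000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/libc.so.6
7ffd1a2b4000-7ffd1a2d5000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
EOF
cat > "$1/run2.maps" <<'EOF'
20000000-20010000 rw-p 00000000 00:00 0
55d2f7a00000-55d2f7a21000 r-xp 00000000 08:01 131090 /opt/example/app
55d2f8b1c000-55d2f8b3d000 rw-p 00000000 00:00 0 [heap]
7f91e0400000-7f91e05bd000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/libc.so.6
7ffc83a10000-7ffc83a31000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
EOF
}

# When called with two capture files, compare them.
[ $# -ne 2 ] || aslr_check "$1" "$2"
```

A binary that is not built position-independent would show up here as well, because its text segment lands at the same address in both captures.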
FPT_AEX_EXT.1.2

The application shall [selection:
not allocate any memory region with both write and execute permissions,
allocate memory regions with write and execute permissions for only [assignment: list of functions performing just-in-time compilation]
].
Application Note: Requesting a memory mapping with both write and execute permissions subverts the platform protection provided by DEP. If the application performs no just-in-time compiling, then the first selection must be chosen.
Assurance Activity
The evaluator shall verify that no memory mapping requests are made with write and execute permissions. The method of doing so varies per platform.
For BlackBerry: The evaluator shall perform static analysis on the application to verify that
mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, and
mprotect is never invoked.
For Android: The evaluator shall perform static analysis on the application to verify that
mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, and
mprotect is never invoked.
For Windows: The evaluator shall use a tool such as Microsoft's BinScope Binary Analyzer to confirm that the application passes the NXCheck. The evaluator may also ensure that the /NXCOMPAT flag was used during compilation to verify that DEP protections are enabled for the application.
For iOS: The evaluator shall perform static analysis on the application to verify that mprotect is never invoked with the PROT_EXEC permission.
For Linux: The evaluator shall perform static analysis on the application to verify that both
mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, and
mprotect is never invoked with the PROT_EXEC permission.
For Solaris: The evaluator shall perform static analysis on the application to verify that both
mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions, and
mprotect is never invoked with the PROT_EXEC permission.
For Mac OS X: The evaluator shall perform static analysis on the application to verify that mprotect is never invoked with the PROT_EXEC permission.
FPT_AEX_EXT.1.3

The application shall be compatible with security features provided by the platform vendor.
Application Note: This requirement is designed to ensure that platform security features do not need to be disabled in order for the application to run.
Assurance Activity
The evaluator shall configure the platform in the ascribed manner and carry out one of the prescribed tests:
For BlackBerry: The evaluator shall ensure that the application can successfully run on the latest version of the BlackBerry OS.
For Android: The evaluator shall ensure that the application can run with SE for Android enabled and enforcing.
For Windows: For both classic desktop and Windows Store applications, the evaluator shall configure the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to protect the application. The evaluator shall then run the application and verify that the application does not crash while protected by EMET.
For iOS: The evaluator shall ensure that the application can successfully run on the latest version of iOS.
For Linux: The evaluator shall ensure that the application can successfully run on a system with SELinux enabled and enforcing.
For Solaris: The evaluator shall ensure that the application can run with Solaris Trusted Extensions enabled and enforcing.
For Mac OS X: The evaluator shall ensure that the application can successfully run on the latest version of OS X.
FPT_AEX_EXT.1.4

The application shall not write user-modifiable files to directories that contain executable files unless explicitly directed by the user to do so.
Application Note: Executables and user-modifiable files may not share the same parent directory, but may share directories above the parent.
Assurance Activity
The evaluator shall run the application and determine where it writes its files. For files where the user does not choose the destination, the evaluator shall check whether the destination directory contains executable files. This varies per platform:
For BlackBerry: The evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox).
For Android: The evaluator shall run the program, mimicking normal usage, and note where all files are written. The evaluator shall ensure that there are no executable files stored under /data/data/package/ where package is the Java package of the application.
For Windows: For Windows Store Apps the evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). For Windows Desktop Applications the evaluator shall run the program, mimicking normal usage, and note where all files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote and no data files in the application's install directory.
For iOS: The evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox).
For Linux: The evaluator shall run the program, mimicking normal usage, and note where all files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote.
For Solaris: The evaluator shall run the program, mimicking normal usage, and note where all files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote.
For Mac OS X: The evaluator shall run the program, mimicking normal usage, and note where all files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote.
FPT_AEX_EXT.1.5

The application shall be compiled with stack-based buffer overflow protection enabled.
Assurance Activity
The evaluator shall ensure that the TSS section of the ST describes the compiler flag used to enable stack-based buffer overflow protection in the application. The evaluator shall perform a static analysis to verify that stack-based buffer overflow protection is present. The method of doing so varies per platform:
For BlackBerry: The evaluator shall ensure that the -fstack-protector-strong or -fstack-protector-all flags are used. The -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable.
For Android: Applications that are entirely Java run in the Java machine and do not need traditional stack protection. For applications using Java Native Interface (JNI), the evaluator shall ensure that the -fstack-protector-strong or -fstack-protector-all flags are used. The -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable.
For Windows: The evaluator shall review the TSS and verify that the /GS flag was used during compilation. The evaluator shall run a tool, like BinScope, that can verify the correct usage of /GS.
For iOS: If the application is compiled using GCC or Xcode, the evaluator shall ensure that the -fstack-protector-strong or -fstack-protector-all flags are used. The -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable. If the application is built using any other compiler, then the evaluator shall determine that appropriate stack protection has been used during the build process.
For Linux: If the application is compiled using GCC, the evaluator shall ensure that the -fstack-protector-strong or -fstack-protector-all flags are used. The -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable. If the application is built using clang, it must be compiled and linked with the -fsanitize=address flag. If the application is built using any other compiler, then the evaluator shall determine that appropriate stack protection has been used during the build process.
For Solaris: If the application is compiled using GCC, the evaluator shall ensure that the -fstack-protector-strong or -fstack-protector-all flags are used. The -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable. If the application is built using clang, it must be compiled and linked with the -fsanitize=address flag. If the application is built using any other compiler, then the evaluator shall determine that appropriate stack protection has been used during the build process.
For Mac OS X: If the application is compiled using GCC or Xcode, the evaluator shall ensure that the -fstack-protector-strong or -fstack-protector-all flags are used. The -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable. If the application is built using any other compiler, then the evaluator shall determine that appropriate stack protection has been used during the build process.
FPT_TUD_EXT.1 Integrity for Installation and Update
FPT_TUD_EXT.1.1

The application shall [selection: provide the ability, leverage the platform] to check for updates and patches to the application software.
Application Note: This requirement is about the ability to "check" for updates. The actual installation of any updates should be done by the platform. This requirement is intended to ensure that the application can check for updates provided by the vendor, as updates provided by another source may contain malicious code.
Assurance Activity
The evaluator shall check for an update using procedures described in the documentation and verify that the application does not issue an error. If it is updated or if it reports that no update is available this requirement is considered to be met.

FPT_TUD_EXT.1.2

The application shall be distributed using the format of the platform-supported package manager.
Assurance Activity
The evaluator shall verify that application updates are distributed in the format supported by the platform. This varies per platform:
For BlackBerry: The evaluator shall ensure that the application is packaged in the Blackberry (BAR) format.
For Android: The evaluator shall ensure that the application is packaged in the Android application package (APK) format.
For Windows: The evaluator shall ensure that the application is packaged in the Standard Windows Installer (MSI) format or the Windows App Store package (APPX) format.
For iOS: The evaluator shall ensure that the application is packaged in the IPA format.
For Linux: The evaluator shall ensure that the application is packaged in the format of the package management infrastructure of the chosen distribution. For example, applications running on Red Hat and Red Hat derivatives should be packaged in RPM format. Applications running on Debian and Debian derivatives should be packaged in deb format.
For Solaris: The evaluator shall ensure that the application is packaged in the PKG format.
For Mac OS X: The evaluator shall ensure that the application is packaged in the DMG format, the PKG format, or the MPKG format.
FPT_TUD_EXT.1.3

The application shall be packaged such that its removal results in the deletion of all traces of the application, with the exception of configuration settings, output files, and audit/log events.
Application Note: Applications bundled with the system/firmware image are not subject to this requirement if the user is unable to remove the application through means provided by the OS.
Assurance Activity
The evaluator shall record the path of every file on the entire filesystem prior to installation of the application, and then install and run the application. Afterwards, the evaluator shall then uninstall the application, and compare the resulting filesystem to the initial record to verify that no files, other than configuration, output, and audit/log files, have been added to the filesystem.

FPT_TUD_EXT.1.4

The application shall not download, modify, replace or update its own binary code.
Application Note: This requirement applies to the code of the application; it does not apply to mobile code technologies that are designed for download and execution by the application.
Assurance Activity
The evaluator shall verify that the application's executable files are not changed by the application. The evaluator shall complete the following test:
Test 1: The evaluator shall install the application and then locate all of its executable files. The evaluator shall then, for each file, save off either a hash of the file or a copy of the file itself. The evaluator shall then run the application and exercise all features of the application as described in the TSS. The evaluator shall then compare each executable file with either the saved hash or the saved copy of the files. The evaluator shall verify that these are identical.
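Test 1 reduces to taking a hash manifest of the installed executables before exercising the application and comparing it with one taken afterwards. The following is an added example, not part of the Protection Profile: it assumes a Unix-like platform, treats any regular file with an execute bit as an executable (libraries installed without that bit would need to be added by name), and uses a constructed install directory with hypothetical file names.

```shell
#!/bin/sh
# Added example for FPT_TUD_EXT.1.4 Test 1 (not PP text).

# hash_file PATH: print the SHA-256 of PATH with whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# exec_manifest DIR
# Print "hash  ./relative/path" for every regular file under DIR that has an
# execute bit set for user, group or other. Paths are relative so manifests
# taken at different times or on different hosts stay comparable.
exec_manifest() {
    ( cd "$1" &&
      find . -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
      LC_ALL=C sort |
      while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done )
}

# compare_manifests BEFORE AFTER
# Print one line per difference: CHANGED (hash differs), ADDED (executable
# that did not exist before) or REMOVED. No output means the executables are
# identical, which is what the test requires.
compare_manifests() {
    awk '
        { h = $1; p = substr($0, length($1) + 3) }   # skip hash and two spaces
        FILENAME == ARGV[1] { before[p] = h; next }
        { after[p] = 1 }
        !(p in before) { print "ADDED " p; next }
        before[p] != h { print "CHANGED " p }
        END { for (p in before) if (!(p in after)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# build_sample_install
# Create a constructed install directory: two executables and one data file.
build_sample_install() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho app\n'    > "$d/app"
    printf '#!/bin/sh\necho helper\n' > "$d/helper"
    printf 'x=1\n'                    > "$d/config.ini"
    chmod 755 "$d/app" "$d/helper"
    chmod 644 "$d/config.ini"
    printf '%s\n' "$d"
}

# When called as: script DIR BEFORE_MANIFEST, compare DIR with the saved
# manifest; exits non-zero if any executable differs.
if [ $# -eq 2 ]; then
    exec_manifest "$1" > "$2.after"
    diffs=$(compare_manifests "$2" "$2.after")
    [ -z "$diffs" ] || { printf '%s\n' "$diffs"; exit 1; }
fi
```

Changes to config.ini do not appear in the comparison because only files with an execute bit are hashed; an executable dropped into the directory while the application runs is reported as ADDED.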

FPT_TUD_EXT.1.5

The application shall [selection, at least one of: provide the ability, leverage the platform] to query the current version of the application software.
Assurance Activity
The evaluator shall query the application for the current version of the software according to the operational user guidance (AGD_OPE.1) and shall verify that the current version matches that of the documented and installed version.

FPT_TUD_EXT.1.6

The application installation package and its updates shall be digitally signed such that its platform can cryptographically verify them prior to installation.
Application Note: The specifics of the verification of installation packages and updates involves requirements on the platform (and not the application), so these are not fully specified here.
Assurance Activity
The evaluator shall verify that the TSS identifies how the application installation package and updates to it are signed by an authorized source. The definition of an authorized source must be contained in the TSS. The evaluator shall also ensure that the TSS (or the operational guidance) describes how candidate updates are obtained.

FPT_LIB_EXT.1 Use of Third Party Libraries
FPT_LIB_EXT.1.1

The application shall be packaged with only [assignment: list of third-party libraries].
Application Note: The intention of this requirement is for the evaluator to discover and document whether the application is including unnecessary or unexpected third-party libraries. This includes adware libraries which could present a privacy threat, as well as ensuring documentation of such libraries in case vulnerabilities are later discovered.
Assurance Activity
The evaluator shall install the application and survey its installation directory for dynamic libraries. The evaluator shall verify that libraries found to be packaged with or employed by the application are limited to those in the assignment.

5.1.6 Trusted Path/Channel (FTP)
FTP_DIT_EXT.1 Protection of Data in Transit
FTP_DIT_EXT.1.1

The application shall [selection:
not transmit any data,
not transmit any sensitive data,
encrypt all transmitted sensitive data with [selection, at least one of: HTTPS, TLS, DTLS],
encrypt all transmitted data with [selection, at least one of: HTTPS, TLS, DTLS]
] between itself and another trusted IT product.
Application Note: Extended packages may override this requirement to provide for other protocols. Encryption is not required for applications transmitting data that is not sensitive.
If HTTPS is selected, then evaluation of elements from FCS_TLSC_EXT.1 is required.
If TLS is selected, then evaluation of elements from FCS_HTTPS_EXT.1 is required.
If DTLS is selected, then evaluation of elements from FCS_DTLS_EXT.1 is required.
Assurance Activity
The evaluator shall perform the following tests.
Test 1: The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall verify from the packet capture that the traffic is encrypted with HTTPS, TLS or DTLS in accordance with the selection in the ST.
Test 2: The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall review the packet capture and verify that no sensitive data is transmitted in the clear.
Test 3: The evaluator shall inspect the TSS to determine if user credentials are transmitted. If credentials are transmitted the evaluator shall set the credential to a known value. The evaluator shall capture packets from the application while causing credentials to be transmitted as described in the TSS. The evaluator shall perform a string search of the captured network packets and verify that the plaintext credential previously set by the evaluator is not found.

5.2 Security Assurance Requirements
The Security Objectives for the TOE in Section 5 were constructed to address threats identified in Section 3.1. The Security Functional Requirements (SFRs) in Section 5.1 are a formal instantiation of the Security Objectives. The PP identifies the Security Assurance Requirements (SARs) to frame the extent to which the evaluator assesses the documentation applicable for the evaluation and performs independent testing.
This section lists the set of SARs from CC part 3 that are required in evaluations against this PP. Individual Assurance Activities (AAs) to be performed are specified both in Section 5 as well as in this section.
The general model for evaluation of TOEs against STs written to conform to this PP is as follows:
After the ST has been approved for evaluation, the Information Technology Security Evaluation Facility (ITSEF) will obtain the TOE, supporting environmental IT, and the administrative/user guides for the TOE. The ITSEF is expected to perform actions mandated by the Common Evaluation Methodology (CEM) for the ASE and ALC SARs. The ITSEF also performs the Assurance Activities contained within Section 5, which are intended to be an interpretation of the other CEM assurance requirements as they apply to the specific technology instantiated in the TOE. The Assurance Activities that are captured in Section 5 also provide clarification as to what the developer needs to provide to demonstrate the TOE is compliant with the PP.

5.2.1 Class ASE: Security Target
As per ASE activities defined in [CEM].

5.2.2 Class ADV: Development
The information about the TOE is contained in the guidance documentation available to the end user as well as the TSS portion of the ST. The TOE developer must concur with the description of the product that is contained in the TSS as it relates to the functional requirements. The Assurance Activities contained in Section 5.1 should provide the ST authors with sufficient information to determine the appropriate content for the TSS section.
ADV_FSP.1 Basic Functional Specification (ADV_FSP.1)
ADV_FSP.1.1D
The developer shall provide a functional specification.

ADV_FSP.1.2D
The developer shall provide a tracing from the functional specification to the SFRs.
Application Note: As indicated in the introduction to this section, the functional specification is comprised of the information contained in the AGD_OPE and AGD_PRE documentation. The developer may reference a website accessible to application developers and the evaluator. The assurance activities in the functional requirements point to evidence that should exist in the documentation and TSS section; since these are directly associated with the SFRs, the tracing in element ADV_FSP.1.2D is implicitly already done and no additional documentation is necessary.

ADV_FSP.1.1C
The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI.

ADV_FSP.1.2C
The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI.

ADV_FSP.1.3C
The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering.

ADV_FSP.1.4C
The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.

ADV_FSP.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADV_FSP.1.2E
The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.

5.2.3 Class AGD: Guidance Documentation
The guidance documents will be provided with the ST. Guidance must include a description of how the IT personnel verifies that the Operational Environment can fulfill its role for the security functionality. The documentation should be in an informal style and readable by the IT personnel. Guidance must be provided for every operational environment that the product supports as claimed in the ST. This guidance includes instructions to successfully install the TSF in that environment and instructions to manage the security of the TSF as a product and as a component of the larger operational environment. Guidance pertaining to particular security functionality is also provided; requirements on such guidance are contained in the assurance activities specified with each requirement.
AGD_OPE.1 Operational User Guidance (AGD_OPE.1)
AGD_OPE.1.1D
The developer shall provide operational user guidance.
Application Note: The operational user guidance does not have to be contained in a single document. Guidance to users, administrators and application developers can be spread among documents or web pages. Where appropriate, the guidance documentation is expressed in the eXtensible Configuration Checklist Description Format (XCCDF) to support security automation. Rather than repeat information here, the developer should review the assurance activities for this component to ascertain the specifics of the guidance that the evaluator will be checking for. This will provide the necessary information for the preparation of acceptable guidance.

AGD_OPE.1.1C
The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
Application Note: User and administrator are to be considered in the definition of user role.

AGD_OPE.1.2C
The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.

AGD_OPE.1.3C
The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.

AGD_OPE.1.4C
The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.

AGD_OPE.1.5C
The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences, and implications for maintaining secure operation.

AGD_OPE.1.6C
The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.

AGD_OPE.1.7C
The operational user guidance shall be clear and reasonable.

AGD_OPE.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Assurance Activity
Some of the contents of the operational guidance will be verified by the assurance activities in Section 5.1 and evaluation of the TOE according to the [CEM]. The following additional information is also required. If cryptographic functions are provided by the TOE, the operational guidance shall contain instructions for configuring the cryptographic engine associated with the evaluated configuration of the TOE. It shall provide a warning to the administrator that use of other cryptographic engines was not evaluated nor tested during the CC evaluation of the TOE. The documentation must describe the process for verifying updates to the TOE by verifying a digital signature; this may be done by the TOE or the underlying platform. The evaluator shall verify that this process includes the following steps:
Instructions for obtaining the update itself. This should include instructions for making the update accessible to the TOE (e.g., placement in a specific directory).
Instructions for initiating the update process, as well as discerning whether the process was successful or unsuccessful. This includes generation of the hash/digital signature.
The TOE will likely contain security functionality that does not fall in the scope of evaluation under this PP. The operational guidance shall make it clear to an administrator which security functionality is covered by the evaluation activities.

AGD_PRE.1 Preparative Procedures (AGD_PRE.1)

AGD_PRE.1.1D
The developer shall provide the TOE, including its preparative procedures.
Application Note: As with the operational guidance, the developer should look to the assurance activities to determine the required content with respect to preparative procedures.

AGD_PRE.1.1C
The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.

AGD_PRE.1.2C
The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.

AGD_PRE.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AGD_PRE.1.2E
The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation.

Assurance Activity
As indicated in the introduction above, there are significant expectations with respect to the documentation, especially when configuring the operational environment to support TOE functional requirements. The evaluator shall check to ensure that the guidance provided for the TOE adequately addresses all platforms claimed for the TOE in the ST.

5.2.4 Class ALC: Life-cycle Support
At the assurance level provided for TOEs conformant to this PP, life-cycle support is limited to end-user-visible aspects of the life-cycle, rather than an examination of the TOE vendor's development and configuration management process. This is not meant to diminish the critical role that a developer's practices play in contributing to the overall trustworthiness of a product; rather, it is a reflection on the information to be made available for evaluation at this assurance level.
ALC_CMC.1 Labeling of the TOE (ALC_CMC.1)

ALC_CMC.1.1D
The developer shall provide the TOE and a reference for the TOE.

ALC_CMC.1.1C
The TOE shall be labeled with a unique reference.
Application Note: Unique reference information includes:
Application Name
Application Version
Application Description
Platform on which Application Runs
Software Identification (SWID) tags, if available

ALC_CMC.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Assurance Activity
The evaluator shall check the ST to ensure that it contains an identifier (such as a product name/version number) that specifically identifies the version that meets the requirements of the ST. Further, the evaluator shall check the AGD guidance and TOE samples received for testing to ensure that the version number is consistent with that in the ST. If the vendor maintains a web site advertising the TOE, the evaluator shall examine the information on the web site to ensure that the information in the ST is sufficient to distinguish the product.
ALC_CMS.1 TOE CM Coverage (ALC_CMS.1)

ALC_CMS.1.1D
The developer shall provide a configuration list for the TOE.

ALC_CMS.1.1C
The configuration list shall include the following: the TOE itself and the evaluation evidence required by the SARs.

ALC_CMS.1.2C
The configuration list shall uniquely identify the configuration items.

ALC_CMS.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Assurance Activity
The "evaluation evidence required by the SARs" in this PP is limited to the information in the ST coupled with the guidance provided to administrators and users under the AGD requirements. By ensuring that the TOE is specifically identified and that this identification is consistent in the ST and in the AGD guidance (as done in the assurance activity for ALC_CMC.1), the evaluator implicitly confirms the information required by this component.
Life-cycle support targets aspects of the developer's life-cycle and instructions to providers of applications for the developer's devices, rather than an in-depth examination of the TSF manufacturer's development and configuration management process. This is not meant to diminish the critical role that a developer's practices play in contributing to the overall trustworthiness of a product; rather, it's a reflection on the information to be made available for evaluation.
The evaluator shall ensure that the developer has identified (in guidance documentation for application developers concerning the targeted platform) one or more development environments appropriate for use in developing applications for the developer's platform. For each of these development environments, the developer shall provide information on how to configure the environment to ensure that buffer overflow protection mechanisms in the environment(s) are invoked (e.g., compiler flags). The evaluator shall ensure that this documentation also includes an indication of whether such protections are on by default, or have to be specifically enabled.
The evaluator shall ensure that the TSF is uniquely identified (with respect to other products from the TSF vendor), and that documentation provided by the developer in association with the requirements in the ST is associated with the TSF using this unique identification.

ALC_TSU_EXT.1 Timely Security Updates

ALC_TSU_EXT.1.1D
The developer shall provide a description in the TSS of how timely security updates are made to the TOE. Application developers must support updates to their products for purposes of fixing security vulnerabilities.

ALC_TSU_EXT.1.2D
The developer shall provide a description in the TSS of how users are notified when updates change security properties or the configuration of the product.

ALC_TSU_EXT.1.1C
The description shall include the process for creating and deploying security updates for the TOE software.

ALC_TSU_EXT.1.2C
The description shall express the time window as the length of time, in days, between public disclosure of a vulnerability and the public availability of security updates to the TOE.

ALC_TSU_EXT.1.3C
The description shall include the mechanisms publicly available for reporting security issues pertaining to the TOE. The reporting mechanism could include web sites, email addresses, as well as a means to protect the sensitive nature of the report (e.g., public keys that could be used to encrypt the details of a proof-of-concept exploit).

ALC_TSU_EXT.2.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

Assurance Activity
The evaluator shall verify that the TSS contains a description of the timely security update process used by the developer to create and deploy security updates. The evaluator shall verify that this description addresses the entire application. The evaluator shall also verify that, in addition to the TOE developer's process, any third-party processes are also addressed in the description. The evaluator shall also verify that each mechanism for deployment of security updates is described.
The evaluator shall verify that, for each deployment mechanism described for the update process, the TSS lists a time between public disclosure of a vulnerability and public availability of the security update to the TOE patching this vulnerability, to include any third-party or carrier delays in deployment. The evaluator shall verify that this time is expressed in a number or range of days.
The evaluator shall verify that this description includes the publicly available mechanisms (including either an email address or web site) for reporting security issues related to the TOE. The evaluator shall verify that the description of this mechanism includes a method for protecting the report either using a public key for encrypting email or a trusted channel for a web site.

5.2.5 Class ATE: Tests
Testing is specified for functional aspects of the system as well as aspects that take advantage of design or implementation weaknesses. The former is done through the ATE_IND family, while the latter is through the AVA_VAN family. At the assurance level specified in this PP, testing is based on advertised functionality and interfaces with dependency on the availability of design information. One of the primary outputs of the evaluation process is the test report as specified in the following requirements.

ATE_IND.1 Independent Testing - Conformance (ATE_IND.1)

ATE_IND.1.1D
The developer shall provide the TOE for testing.

ATE_IND.1.1C
The TOE shall be suitable for testing.

ATE_IND.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_IND.1.2E
The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified.
Application Note: The evaluator shall test the application on the most current fully patched version of the platform.

Assurance Activity
The evaluator shall prepare a test plan and report documenting the testing aspects of the system, including any application crashes during testing. The evaluator shall determine the root cause of any application crashes and include that information in the report. The test plan covers all of the testing actions contained in the [CEM] and the body of this PP's Assurance Activities.
While it is not necessary to have one test case per test listed in an Assurance Activity, the evaluator must document in the test plan that each applicable testing requirement in the ST is covered. The test plan identifies the platforms to be tested, and for those platforms not included in the test plan but included in the ST, the test plan provides a justification for not testing the platforms. This justification must address the differences between the tested platforms and the untested platforms, and make an argument that the differences do not affect the testing to be performed. It is not sufficient to merely assert that the differences have no effect; rationale must be provided. If all platforms claimed in the ST are tested, then no rationale is necessary.
The test plan describes the composition of each platform to be tested, and any setup that is necessary beyond what is contained in the AGD documentation. It should be noted that the evaluator is expected to follow the AGD documentation for installation and setup of each platform either as part of a test or as a standard pre-test condition. This may include special test drivers or tools. For each driver or tool, an argument (not just an assertion) should be provided that the driver or tool will not adversely affect the performance of the functionality by the TOE and its platform.
This also includes the configuration of the cryptographic engine to be used. The cryptographic algorithms implemented by this engine are those specified by this PP and used by the cryptographic protocols being evaluated (IPsec, TLS, SSH). The test plan identifies high-level test objectives as well as the test procedures to be followed to achieve those objectives. These procedures include expected results.
The test report (which could just be an annotated version of the test plan) details the activities that took place when the test procedures were executed, and includes the actual results of the tests. This shall be a cumulative account, so if there was a test run that resulted in a failure, a fix installed, and then a successful re-run of the test, the report would show a "fail" and "pass" result (and the supporting details), and not just the "pass" result.

5.2.6 Class AVA: Vulnerability Assessment
For the first generation of this protection profile, the evaluation lab is expected to survey open sources to discover what vulnerabilities have been discovered in these types of products. In most cases, these vulnerabilities will require sophistication beyond that of a basic attacker. Until penetration tools are created and uniformly distributed to the evaluation labs, the evaluator will not be expected to test for these vulnerabilities in the TOE. The labs will be expected to comment on the likelihood of these vulnerabilities given the documentation provided by the vendor. This information will be used in the development of penetration testing tools and for the development of future protection profiles.

AVA_VAN.1 Vulnerability Survey (AVA_VAN.1)

AVA_VAN.1.1D
The developer shall provide the TOE for testing.

AVA_VAN.1.1C
The TOE shall be suitable for testing.
Application Note: Suitability for testing means not being obfuscated or packaged in such a way as to disrupt either static or dynamic analysis by the evaluator.

AVA_VAN.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AVA_VAN.1.2E
The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
Application Note: Public domain sources include the Common Vulnerabilities and Exposures (CVE) dictionary for publicly known vulnerabilities. Public domain sources also include sites which provide free checking of files for viruses.

AVA_VAN.1.3E
The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.

Assurance Activity
The evaluator shall generate a report to document their findings with respect to this requirement. This report could physically be part of the overall test report mentioned in ATE_IND, or a separate document. The evaluator performs a search of public information to find vulnerabilities that have been found in similar applications with a particular focus on network protocols the application uses and document formats it parses. The evaluator shall also run a virus scanner with the most current virus definitions against the application files and verify that no files are flagged as malicious. The evaluator documents the sources consulted and the vulnerabilities found in the report.
For each vulnerability found, the evaluator either provides a rationale with respect to its non-applicability, or the evaluator formulates a test (using the guidelines provided in ATE_IND) to confirm the vulnerability, if suitable. Suitability is determined by assessing the attack vector needed to take advantage of the vulnerability. If exploiting the vulnerability requires expert skills and an electron microscope, for instance, then a test would not be suitable and an appropriate justification would be formulated.

A. Optional Requirements
As indicated in Section 2, the baseline requirements (those that must be performed by the TOE) are contained in the body of this PP. Additionally, there are three other types of requirements specified in Appendix A, Appendix B, and Appendix C. The first type (in this Appendix) are requirements that can be included in the ST, but are not required in order for a TOE to claim conformance to this PP. The second type (in Appendix B) are requirements based on selections in the body of the PP: if certain selections are made, then additional requirements in that appendix must be included. The third type (in Appendix C) are components that are not required in order to conform to this PP, but will be included in the baseline requirements in future versions of this PP, so adoption by vendors is encouraged. Note that the ST author is responsible for ensuring that requirements that may be associated with those in Appendix A, Appendix B, and Appendix C but are not listed (e.g., FMT-type requirements) are also included in the ST.

FCS_TLSC_EXT.1 TLS Client Protocol

FCS_TLSC_EXT.1.4
The application shall support mutual authentication using X.509v3 certificates.
Application Note: The use of X.509v3 certificates for TLS is addressed in FIA_X509_EXT.2.1. This requirement adds that a client must be capable of presenting a certificate to a TLS server for TLS mutual authentication.

Assurance Activity
The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication.
The evaluator shall verify that the AGD guidance required per FIA_X509_EXT.2.1 includes instructions for configuring the client-side certificates for TLS mutual authentication.
The evaluator shall also perform the following test:
Test 1: The evaluator shall perform the following modification to the traffic:
Configure the server to require mutual authentication and then modify a byte in a CA field in the Server's Certificate Request handshake message. The modified CA field must not be the CA used to sign the client's certificate. The evaluator shall verify the connection is unsuccessful.

B. Selection-Based Requirements
As indicated in the introduction to this PP, the baseline requirements (those that must be performed by the TOE or its underlying platform) are contained in the body of this PP. There are additional requirements based on selections in the body of the PP: if certain selections are made, then additional requirements below will need to be included.

FCS_RBG_EXT.2 Random Bit Generation from Application

FCS_RBG_EXT.2.1
The application shall perform all deterministic random bit generation (DRBG) services in accordance with [selection, at least one of:
NIST Special Publication 800-90A using [selection: Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)],
FIPS Pub 140-2 Annex C: X9.31 Appendix 2.4 using AES
].
This requirement depends upon selection in FCS_RBG_EXT.1.1.
Application Note: This requirement shall be included in STs in which "implement DRBG functionality" is chosen in FCS_RBG_EXT.1.1. The ST author should select the standard to which the RBG services comply (either SP 800-90A or FIPS 140-2 Annex C).
SP 800-90A contains three different methods of generating random numbers; each of these, in turn, depends on underlying cryptographic primitives (hash functions/ciphers). The ST author will select the function used (if SP 800-90A is selected), and include the specific underlying cryptographic primitives used in the requirement or in the TSS. While any of the identified hash functions (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) are allowed for Hash_DRBG or HMAC_DRBG, only AES-based implementations for CTR_DRBG are allowed.
Note that for FIPS Pub 140-2 Annex C, currently only the method described in NIST-Recommended Random Number Generator Based on ANSI X9.31 Appendix A.2.4, Section 3 is valid. Use of this DRBG is disallowed after 2015 per NIST SP 800-131A. The PP will be updated to reflect this; however, developers should begin transitioning from this DRBG as soon as possible.

Assurance Activity
The evaluator shall perform the following tests, depending on the standard to which the RBG conforms.

Implementations Conforming to FIPS 140-2 Annex C.
The reference for the tests contained in this section is The Random Number Generator Validation System (RNGVS). The evaluators shall conduct the following two tests. Note that the "expected values" are produced by a reference implementation of the algorithm that is known to be correct. Proof of correctness is left to each Scheme.
Test 1: The evaluators shall perform a Variable Seed Test. The evaluators shall provide a set of 128 (Seed, DT) pairs to the TSF RBG function, each 128 bits. The evaluators shall also provide a key (of the length appropriate to the AES algorithm) that is constant for all 128 (Seed, DT) pairs. The DT value is incremented by 1 for each set. The seed values shall have no repeats within the set. The evaluators ensure that the values returned by the TSF match the expected values.
Test 2: The evaluators shall perform a Monte Carlo Test. For this test, they supply an initial Seed and DT value to the TSF RBG function; each of these is 128 bits. The evaluators shall also provide a key (of the length appropriate to the AES algorithm) that is constant throughout the test. The evaluators then invoke the TSF RBG 10,000 times, with the DT value being incremented by 1 on each iteration, and the new seed for the subsequent iteration produced as specified in NIST-Recommended Random Number Generator Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES Algorithms, Section 3. The evaluators ensure that the 10,000th value produced matches the expected value.
Implementations Conforming to NIST Special Publication 800-90A
Test 1: The evaluator shall perform 15 trials for the RNG implementation. If the RNG is configurable, the evaluator shall perform 15 trials for each configuration. The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RNG functionality.
If the RNG has prediction resistance enabled, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) generate a second block of random bits, (4) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0-14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The next two are additional input and entropy input for the first call to generate. The final two are additional input and entropy input for the second call to generate. These values are randomly generated. "Generate one block of random bits" means to generate random bits with number of returned bits equal to the Output Block Length (as defined in NIST SP 800-90A).
If the RNG does not have prediction resistance, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) reseed, (4) generate a second block of random bits, (5) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0-14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The fifth value is additional input to the first call to generate. The sixth and seventh are additional input and entropy input to the call to reseed. The final value is additional input to the second generate call.
The following paragraphs contain more information on some of the input values to be generated/selected by the evaluator.
Entropy input: the length of the entropy input value must equal the seed length.
Nonce: If a nonce is supported (CTR_DRBG with no Derivation Function does not use a nonce), the nonce bit length is one-half the seed length.
Personalization string: The length of the personalization string must be less than or equal to seed length. If the implementation only supports one personalization string length, then the same length can be used for both values. If more than one string length is supported, the evaluator shall use personalization strings of two different lengths. If the implementation does not use a personalization string, no value needs to be supplied.
Additional input: the additional input bit lengths have the same defaults and restrictions as the personalization string lengths.
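
The no-prediction-resistance trial described above (instantiate, generate, reseed, generate, uninstantiate, compare the second block), as an added Python example that is not part of this Protection Profile. It assumes HMAC_DRBG with SHA-256, a 256-bit entropy input and a 128-bit nonce; the class and function names and the deliberately faulty `NoReseedDrbg` are hypothetical, the eight input values per trial are constructed deterministically so the run is reproducible, and the reference implementation is simply the added `HmacDrbg` class itself.

```python
import hashlib
import hmac

OUTLEN = 32  # SHA-256 output block length in bytes (256 bits)


class HmacDrbg:
    """HMAC_DRBG (SHA-256) following the SP 800-90A update/instantiate/reseed/generate steps."""

    def __init__(self, entropy, nonce, personalization=b""):
        self.key = b"\x00" * OUTLEN
        self.v = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)

    def _mac(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided=b""):
        self.key = self._mac(self.v + b"\x00" + provided)
        self.v = self._mac(self.v)
        if provided:  # second pass only when there is provided data
            self.key = self._mac(self.v + b"\x01" + provided)
            self.v = self._mac(self.v)

    def reseed(self, entropy, additional=b""):
        self._update(entropy + additional)

    def generate(self, nbytes, additional=b""):
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.v = self._mac(self.v)
            out += self.v
        self._update(additional)
        return out[:nbytes]

    def uninstantiate(self):
        self.key = self.v = None  # drop the internal state


class NoReseedDrbg(HmacDrbg):
    """Constructed faulty implementation under test: silently ignores reseed."""

    def reseed(self, entropy, additional=b""):
        pass


def make_trials(n=15):
    """Eight input values per trial (count 0-14). An evaluator generates these
    randomly; here they are derived from labels so the sample is reproducible."""
    def field(count, label, nbytes):
        return hashlib.sha256(f"constructed:{count}:{label}".encode()).digest()[:nbytes]

    return [{
        "count": c,
        "entropy": field(c, "entropy", 32),
        "nonce": field(c, "nonce", 16),
        "pers": field(c, "pers", 32),
        "add1": field(c, "add1", 32),
        "add_reseed": field(c, "add_reseed", 32),
        "entropy_reseed": field(c, "entropy_reseed", 32),
        "add2": field(c, "add2", 32),
    } for c in range(n)]


def run_trial(drbg_cls, t):
    """One trial; only the second block is compared against the expected value."""
    drbg = drbg_cls(t["entropy"], t["nonce"], t["pers"])
    drbg.generate(OUTLEN, t["add1"])                    # (2) first block
    drbg.reseed(t["entropy_reseed"], t["add_reseed"])   # (3) reseed
    second = drbg.generate(OUTLEN, t["add2"])           # (4) second block
    drbg.uninstantiate()                                # (5) uninstantiate
    return second


def evaluate(iut_cls, reference_cls=HmacDrbg):
    """Return (count, passed) for each of the 15 trials."""
    return [(t["count"], run_trial(iut_cls, t) == run_trial(reference_cls, t))
            for t in make_trials()]


if __name__ == "__main__":
    for name, cls in (("HmacDrbg", HmacDrbg), ("NoReseedDrbg", NoReseedDrbg)):
        passed = sum(ok for _, ok in evaluate(cls))
        print(f"{name}: {passed}/15 trials match the expected second block")
```

Because the second block is generated after the reseed, an implementation that skips or mishandles reseeding diverges from the expected value even though its first block is correct.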

FCS_RBG_EXT.2.2
The deterministic RBG shall be seeded by an entropy source that accumulates entropy from a platform-based DRBG and [selection:
a software-based noise source,
no other noise source
] with a minimum of [selection:
128 bits,
256 bits
] of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
This requirement depends upon selection in FCS_RBG_EXT.1.1.
Application Note: This requirement shall be included in STs in which "implement DRBG functionality" is chosen in FCS_RBG_EXT.1.1. For the first selection in this requirement, the ST author selects 'software-based noise source' if any additional noise sources are used as input to the application's DRBG. Note that the application must use the platform's DRBG to seed its DRBG.
In the second selection in this requirement, the ST author selects the appropriate number of bits of entropy that corresponds to the greatest security strength of the algorithms included in the ST. Security strength is defined in Tables 2 and 3 of NIST SP 800-57A. For example, if the implementation includes 2048-bit RSA (security strength of 112 bits), AES-128 (security strength 128 bits), and HMAC-SHA-256 (security strength 256 bits), then the ST author would select 256 bits.

Assurance Activity
Documentation shall be produced and the evaluator shall perform the activities in accordance with Appendix D and the Clarification to the Entropy Documentation and Assessment Annex.
In the future, specific statistical testing (in line with NIST SP 800-90B) will be required to verify the entropy estimates.
FCS_CKM_EXT.1 Cryptographic Key Generation Services

FCS_CKM_EXT.1.1
The application shall [selection:
generate no asymmetric cryptographic keys,
invoke platform-provided functionality for asymmetric key generation,
implement asymmetric key generation
].
This requirement depends upon selection in FCS_TLSC_EXT.1.
Application Note: If "implement asymmetric key generation" or "invoke platform-provided functionality for asymmetric key generation" is chosen, then additional FCS_CKM.1 elements shall be included in the ST.

Assurance Activity
The evaluator shall inspect the application and its developer documentation to determine if the application needs asymmetric key generation services. If not, the evaluator shall verify the "generate no asymmetric cryptographic keys" selection is present in the ST. Otherwise, the evaluation activities shall be performed as stated in the selection-based requirements.

FCS_CKM.1 Cryptographic Key Generation

FCS_CKM.1.1
The application shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:
[RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [selection:
FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.3,
ANSI X9.31-1998, Section 4.1
],
[ECC schemes] using ["NIST curves" P-256, P-384 and [selection: P-521, no other curves]] that meet the following: [FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.4],
[FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.1]
].
This requirement depends upon selection in FCS_CKM_EXT.1.
Application Note: The ST author shall select all key generation schemes used for key establishment and entity authentication. When key generation is used for key establishment, the schemes in FCS_CKM.2.1 and selected cryptographic protocols must match the selection. When key generation is used for entity authentication, the public key is expected to be associated with an X.509v3 certificate.
If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.
The ANSI X9.31-1998 option will be removed from the selection in a future publication of this document. Presently, the selection is not exclusively limited to the FIPS PUB 186-4 options in order to allow industry some further time to complete the transition to the modern FIPS PUB 186-4 standard.
ECC schemes will be required for products entering evaluation after July 1, 2015.

Assurance Activity
The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.
The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key generation scheme(s) and key size(s) for all uses defined in this PP.
If the application "invokes platform-provided functionality for asymmetric key generation", then the evaluator shall examine the TSS to verify that it describes how the key generation functionality is invoked.
If the application "implements asymmetric key generation", then the following test activities shall be carried out.
Assurance Activity Note: The following tests may require the developer to provide access to a developer environment that provides the evaluator with tools that are typically available to end-users of the application.
Key Generation for FIPS PUB 186-4 RSA Schemes
The evaluator shall verify the implementation of RSA Key Generation by the TOE using the Key Generation test. This test verifies the ability of the TSF to correctly produce values for the key components including the public verification exponent e, the private prime factors p and q, the public modulus n and the calculation of the private signature exponent d. Key Pair generation specifies 5 ways (or methods) to generate the primes p and q. These include:
1. Random Primes:
Provable primes
Probable primes
2. Primes with Conditions:
Primes p1, p2, q1, q2, p and q shall all be provable primes
Primes p1, p2, q1, and q2 shall be provable primes and p and q shall be probable primes
Primes p1, p2, q1, q2, p and q shall all be probable primes
To test the key generation method for the Random Provable primes method and for all the Primes with Conditions methods, the evaluator must seed the TSF key generation routine with sufficient data to deterministically generate the RSA key pair. This includes the random seed(s), the public exponent of the RSA key, and the desired key length. For each key length supported, the evaluator shall have the TSF generate 25 key pairs. The evaluator shall verify the correctness of the TSF's implementation by comparing values generated by the TSF with those generated from a known good implementation.
If possible, the Random Probable primes method should also be verified against a known good implementation as described above. Otherwise, the evaluator shall have the TSF generate 10 key pairs for each supported key length nlen and verify:
n = p*q,
p and q are probably prime according to Miller-Rabin tests,
GCD(p-1, e) = 1,
GCD(q-1, e) = 1,
2^16 <= e <= 2^256 and e is an odd integer,
|p-q| > 2^(nlen/2 - 100),
p >= squareroot(2)*(2^(nlen/2 - 1)),
q >= squareroot(2)*(2^(nlen/2 - 1)),
2^(nlen/2) < d < LCM(p-1, q-1),
e*d = 1 mod LCM(p-1, q-1).
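
The per-key checks listed above for the Random Probable primes fallback, as an added Python example that is not part of this Protection Profile. Function names, the 40-round Miller-Rabin setting and the sample key are assumptions of the example; the sample key pair is constructed from a seeded `random.Random` purely so the run is reproducible, which is not an approved RBG.

```python
import math
import random


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin with random bases; 40 rounds is an assumption of this example."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n composite
    return True


def check_rsa_key(nlen, n, e, p, q, d, rng):
    """Evaluate every condition in the list as a named boolean."""
    half = nlen // 2
    # LCM(p-1, q-1); 0 marks degenerate factors so the d checks fail cleanly
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1) if p > 1 and q > 1 else 0
    return {
        "n = p*q": n == p * q,
        "p probably prime": is_probable_prime(p, rng),
        "q probably prime": is_probable_prime(q, rng),
        "GCD(p-1,e) = 1": math.gcd(p - 1, e) == 1,
        "GCD(q-1,e) = 1": math.gcd(q - 1, e) == 1,
        "2^16 <= e <= 2^256, e odd": 2**16 <= e <= 2**256 and e % 2 == 1,
        # |p-q| > 2^(nlen/2-100), scaled by 2^100 to stay in integers
        "|p-q| > 2^(nlen/2-100)": abs(p - q) << 100 > 2**half,
        # p >= sqrt(2)*2^(nlen/2-1) is equivalent to p^2 >= 2^(nlen-1)
        "p >= sqrt(2)*2^(nlen/2-1)": p * p >= 2 ** (nlen - 1),
        "q >= sqrt(2)*2^(nlen/2-1)": q * q >= 2 ** (nlen - 1),
        "2^(nlen/2) < d < LCM(p-1,q-1)": lam > 0 and 2**half < d < lam,
        "e*d = 1 mod LCM(p-1,q-1)": lam > 0 and (e * d) % lam == 1,
    }


def make_sample_key(nlen=2048, e=65537, seed=1):
    """Constructed sample key pair (seeded PRNG: reproducible, not an approved RBG)."""
    rng = random.Random(seed)
    half = nlen // 2

    def prime():
        while True:
            # top two bits set keeps the candidate above sqrt(2)*2^(half-1)
            c = rng.getrandbits(half) | (0b11 << (half - 2)) | 1
            if math.gcd(c - 1, e) == 1 and is_probable_prime(c, rng):
                return c

    p, q = prime(), prime()
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return {"nlen": nlen, "n": p * q, "e": e, "p": p, "q": q, "d": pow(e, -1, lam)}


def failed_checks(key):
    """Names of the conditions a key pair does not satisfy (empty list = pass)."""
    report = check_rsa_key(rng=random.Random(0), **key)
    return [name for name, ok in report.items() if not ok]


if __name__ == "__main__":
    key = make_sample_key()
    print("sample key:", failed_checks(key) or "all checks pass")
    print("modulus off by 2:", failed_checks(dict(key, n=key["n"] + 2)))
    print("e = 3:", failed_checks(dict(key, e=3)))
```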
Key Generation for ANSI X9.31-1998 RSA Schemes
If the TSF implements the ANSI X9.31-1998 scheme, the evaluator shall check to ensure that the TSS describes how the key pairs are generated. In order to show that the TSF implementation complies with ANSI X9.31-1998, the evaluator shall ensure that the TSS contains the following information:
The TSS shall list all sections of the standard to which the TOE complies
For each applicable section listed in the TSS, for all statements that are not "shall" (that is, "shall not", "should", and "should not"), if the TOE implements such options it shall be described in the TSS. If the included functionality is indicated as "shall not" or "should not" in the standard, the TSS shall provide a rationale for why this will not adversely affect the security policy implemented by the TOE
For each applicable section of Appendix B, any omission of functionality related to "shall" or "should" statements shall be described.
Key Generation for Elliptic Curve Cryptography (ECC)
FIPS 186-4 ECC Key Generation Test
For each supported NIST curve, i.e., P-256, P-384 and P-521, the evaluator shall require the implementation under test (IUT) to generate 10 private/public key pairs. The private key shall be generated using an approved random bit generator (RBG). To determine correctness, the evaluator shall submit the generated key pairs to the public key verification (PKV) function of a known good implementation.
FIPS 186-4 Public Key Verification (PKV) Test
For each supported NIST curve, i.e., P-256, P-384 and P-521, the evaluator shall generate 10 private/public key pairs using the key generation function of a known good implementation and modify five of the public key values so that they are incorrect, leaving five values unchanged (i.e., correct). The evaluator shall obtain in response a set of 10 PASS/FAIL values.
Key Generation for Finite-Field Cryptography (FFC)
The evaluator shall verify the implementation of the Parameters Generation and the Key Generation for FFC by the TOE using the Parameter Generation and Key Generation test. This test verifies the ability of the TSF to correctly produce values for the field prime p, the cryptographic prime q (dividing p-1), the cryptographic group generator g, and the calculation of the private key x and public key y.
The Parameter generation specifies 2 ways (or methods) to generate the cryptographic prime q and the field prime p:
Cryptographic and Field Primes:
Primes q and p shall both be provable primes
Primes q and field prime p shall both be probable primes
and two ways to generate the cryptographic group generator g:
Cryptographic Group Generator:
Generator g constructed through a verifiable process
Generator g constructed through an unverifiable process.
The Key generation specifies 2 ways to generate the private key x:
Private Key:
len(q) bit output of RBG where 1 <= x <= q-1
len(q) + 64 bit output of RBG, followed by a mod q-1 operation where 1 <= x <= q-1.
The security strength of the RBG must be at least that of the security offered by the FFC parameter set. To test the cryptographic and field prime generation method for the provable primes method and/or the group generator g for a verifiable process, the evaluator must seed the TSF parameter generation routine with sufficient data to deterministically generate the parameter set. For each key length supported, the evaluator shall have the TSF generate 25 parameter sets and key pairs. The evaluator shall verify the correctness of the TSF's implementation by comparing values generated by the TSF with those generated from a known good implementation.
Verification must also confirm
g != 0,1
q divides p-1
g^q mod p = 1
g^x mod p = y
for each FFC parameter set and key pair.
FCS_CKM.2 Cryptographic Key Establishment

FCS_CKM.2.1
The application shall [selection: invoke platform-provided functionality, implement functionality] to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method:
[RSA-based key establishment schemes] that meets the following: [NIST Special Publication 800-56B, "Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography"]
and [selection:
[Elliptic curve-based key establishment schemes] that meets the following: [NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"],
[Finite field-based key establishment schemes] that meets the following: [NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"],
No other schemes
].
This requirement depends upon selection in FCS_TLSC_EXT.1.1.
Application Note: The ST author shall select all key establishment schemes used for the selected cryptographic protocols. FCS_TLSC_EXT.1 requires ciphersuites that use RSA-based key establishment schemes.
The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; however, Section 9 relies on implementation of other sections in SP 800-56B. If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.
The elliptic curves used for the key establishment scheme shall correlate with the curves specified in FCS_CKM.1.1. Elliptic curve-based schemes will be required for products entering evaluation after July 1, 2015.
The domain parameters used for the finite field-based key establishment scheme are specified by the key generation according to FCS_CKM.1.1.

Assurance Activity
The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.
The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s).
AssuranceActivityNote:Thefollowingtestsrequirethedeveloperto
provideaccesstoatestplatformthatprovidestheevaluatorwith
toolsthataretypicallynotfoundonfactoryproducts.
KeyEstablishmentSchemes
Theevaluatorshallverifytheimplementationofthekey
establishmentschemessupportedbytheTOEusingtheapplicable
testsbelow.
SP80056AKeyEstablishmentSchemes
TheevaluatorshallverifyaTOE'simplementationofSP80056Akey
agreementschemesusingthefollowingFunctionandValiditytests.
Thesevalidationtestsforeachkeyagreementschemeverifythata
TOEhasimplementedthecomponentsofthekeyagreementscheme
accordingtothespecificationsintheRecommendation.These
componentsincludethecalculationoftheDLCprimitives(theshared
secretvalueZ)andthecalculationofthederivedkeyingmaterial
(DKM)viatheKeyDerivationFunction(KDF).Ifkeyconfirmationis
supported,theevaluatorshallalsoverifythatthecomponentsofkey
confirmationhavebeenimplementedcorrectly,usingthetest
proceduresdescribedbelow.ThisincludestheparsingoftheDKM,
thegenerationofMACdataandthecalculationofMACtag.
FunctionTest
TheFunctiontestverifiestheabilityoftheTOEtoimplement
thekeyagreementschemescorrectly.Toconductthistestthe
evaluatorshallgenerateorobtaintestvectorsfromaknown
goodimplementationoftheTOEsupportedschemes.Foreach
supportedkeyagreementschemekeyagreementrole
combination,KDFtype,and,ifsupported,keyconfirmation
rolekeyconfirmationtypecombination,thetestershall
generate10setsoftestvectors.Thedatasetconsistsofoneset
ofdomainparametervalues(FFC)ortheNISTapprovedcurve
(ECC)per10setsofpublickeys.Thesekeysarestatic,
ephemeralorbothdependingontheschemebeingtested.
TheevaluatorshallobtaintheDKM,thecorrespondingTOEs
publickeys(staticand/orephemeral),theMACtag(s),andany
inputsusedintheKDF,suchastheOtherInformationfieldOI
andTOEidfields.
IftheTOEdoesnotuseaKDFdefinedinSP80056A,the
evaluatorshallobtainonlythepublickeysandthehashedvalue
ofthesharedsecret.
TheevaluatorshallverifythecorrectnessoftheTSFs
implementationofagivenschemebyusingaknowngood
implementationtocalculatethesharedsecretvalue,derivethe
keyingmaterialDKM,andcomparehashesorMACtags
generatedfromthesevalues.

Ifkeyconfirmationissupported,theTSFshallperformthe
aboveforeachimplementedapprovedMACalgorithm.

Validity Test
The Validity test verifies the ability of the TOE to recognize
another party's valid and invalid key agreement results with or
without key confirmation. To conduct this test, the evaluator
shall obtain a list of the supporting cryptographic functions
included in the SP 800-56A key agreement implementation to
determine which errors the TOE should be able to recognize.
The evaluator generates a set of 24 (FFC) or 30 (ECC) test
vectors consisting of data sets including domain parameter
values or NIST approved curves, the evaluator's public keys, the
TOE's public/private key pairs, MACTag, and any inputs used in
the KDF, such as the other info and TOE id fields.
The evaluator shall inject an error in some of the test vectors to
test that the TOE recognizes invalid key agreement results
caused by the following fields being incorrect: the shared secret
value Z, the DKM, the other information field OI, the data to be
MACed, or the generated MACTag. If the TOE contains the full
or partial (only ECC) public key validation, the evaluator will
also individually inject errors in both parties' static public keys,
both parties' ephemeral public keys and the TOE's static private
key to assure the TOE detects errors in the public key validation
function and/or the partial key validation function (in ECC
only). At least two of the test vectors shall remain unmodified
and therefore should result in valid key agreement results (they
should pass).
The TOE shall use these modified test vectors to emulate the key
agreement scheme using the corresponding parameters. The
evaluator shall compare the TOE's results with the results using
a known good implementation verifying that the TOE detects
these errors.

SP 800-56B Key Establishment Schemes
The evaluator shall verify that the TSS describes whether the TOE
acts as a sender, a recipient, or both for RSA-based key establishment
schemes.

If the TOE acts as a sender, the following assurance activity shall be
performed to ensure the proper operation of every TOE-supported
combination of RSA-based key establishment scheme:
To conduct this test the evaluator shall generate or obtain test
vectors from a known good implementation of the TOE-supported
schemes. For each combination of supported key
establishment scheme and its options (with or without key
confirmation if supported, for each supported key confirmation
MAC function if key confirmation is supported, and for each
supported mask generation function if KTS-OAEP is supported),
the tester shall generate 10 sets of test vectors. Each test vector
shall include the RSA public key, the plaintext keying material,
any additional input parameters if applicable, the MacKey and
MacTag if key confirmation is incorporated, and the outputted
ciphertext. For each test vector, the evaluator shall perform a
key establishment encryption operation on the TOE with the
same inputs (in cases where key confirmation is incorporated,
the test shall use the MacKey from the test vector instead of the
randomly generated MacKey used in normal operation) and
ensure that the outputted ciphertext is equivalent to the
ciphertext in the test vector.

If the TOE acts as a receiver, the following assurance activities shall
be performed to ensure the proper operation of every TOE-supported
combination of RSA-based key establishment scheme:
To conduct this test the evaluator shall generate or obtain test
vectors from a known good implementation of the TOE-supported
schemes. For each combination of supported key
establishment scheme and its options (with or without key
confirmation if supported, for each supported key confirmation
MAC function if key confirmation is supported, and for each
supported mask generation function if KTS-OAEP is supported),
the tester shall generate 10 sets of test vectors. Each test vector
shall include the RSA private key, the plaintext keying material
(KeyData), any additional input parameters if applicable, the
MacTag in cases where key confirmation is incorporated, and
the outputted ciphertext. For each test vector, the evaluator
shall perform the key establishment decryption operation on the
TOE and ensure that the outputted plaintext keying material
(KeyData) is equivalent to the plaintext keying material in the
test vector. In cases where key confirmation is incorporated, the
evaluator shall perform the key confirmation steps and ensure
that the outputted MacTag is equivalent to the MacTag in the
test vector.

The evaluator shall ensure that the TSS describes how the TOE
handles decryption errors. In accordance with NIST Special
Publication 800-56B, the TOE must not reveal the particular error
that occurred, either through the contents of any outputted or logged
error message or through timing variations. If KTS-OAEP is
supported, the evaluator shall create separate contrived ciphertext
values that trigger each of the three decryption error checks
described in NIST Special Publication 800-56B section 7.2.2.3, ensure
that each decryption attempt results in an error, and ensure that any
outputted or logged error message is identical for each. If KTS-KEM-KWS
is supported, the evaluator shall create separate contrived
ciphertext values that trigger each of the three decryption error
checks described in NIST Special Publication 800-56B section 7.2.3.3,
ensure that each decryption attempt results in an error, and ensure
that any outputted or logged error message is identical for each.

FCS_COP.1(1) Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(1)

The application shall perform encryption/decryption in accordance with a
specified cryptographic algorithm
  AES-CBC (as defined in NIST SP 800-38A) mode
and [selection:
  AES-GCM (as defined in NIST SP 800-38D),
  no other modes
] and cryptographic key sizes 128-bit key sizes and [selection: 256-bit key
sizes, no other key sizes].
This requirement depends upon selection in FDP_TLSC_EXT.1.1.

Application Note: For the first selection, the ST author should choose the
mode or modes in which AES operates. For the second selection, the ST author
should choose the key sizes that are supported by this functionality. 128-bit key
size is required in order to comply with FCS_TLSC_EXT.1 and
FCS_CKM.1(1), if those are selected.
Support for 256-bit key sizes will be required for products entering evaluation
after Quarter 3, 2015.

Assurance Activity
The evaluator checks the AGD documents to determine that any
configuration that is required to be done to configure the
functionality for the required modes and key sizes is present. The
evaluator shall perform all of the following tests for each algorithm
implemented by the TSF and used to satisfy the requirements of this
PP:

AES-CBC Known Answer Tests
There are four Known Answer Tests (KATs), described below. In all
KATs, the plaintext, ciphertext, and IV values shall be 128-bit blocks.
The results from each test may either be obtained by the evaluator
directly or by supplying the inputs to the implementer and receiving
the results in response. To determine correctness, the evaluator shall
compare the resulting values to those obtained by submitting the
same inputs to a known good implementation.

KAT-1. To test the encrypt functionality of AES-CBC, the
evaluator shall supply a set of 10 plaintext values and obtain
the ciphertext value that results from AES-CBC encryption of
the given plaintext using a key value of all zeros and an IV of
all zeros. Five plaintext values shall be encrypted with a 128-bit
all-zeros key, and the other five shall be encrypted with a
256-bit all-zeros key. To test the decrypt functionality of AES-CBC,
the evaluator shall perform the same test as for encrypt,
using 10 ciphertext values as input and AES-CBC decryption.

KAT-2. To test the encrypt functionality of AES-CBC, the
evaluator shall supply a set of 10 key values and obtain the
ciphertext value that results from AES-CBC encryption of an
all-zeros plaintext using the given key value and an IV of all
zeros. Five of the keys shall be 128-bit keys, and the other five
shall be 256-bit keys. To test the decrypt functionality of AES-CBC,
the evaluator shall perform the same test as for encrypt,
using an all-zero ciphertext value as input and AES-CBC
decryption.

KAT-3. To test the encrypt functionality of AES-CBC, the
evaluator shall supply the two sets of key values described
below and obtain the ciphertext value that results from AES
encryption of an all-zeros plaintext using the given key value
and an IV of all zeros. The first set of keys shall have 128 128-bit
keys, and the second set shall have 256 256-bit keys. Key i
in each set shall have the leftmost i bits be ones and the
rightmost N-i bits be zeros, for i in [1,N]. To test the decrypt
functionality of AES-CBC, the evaluator shall supply the two
sets of key and ciphertext value pairs described below and
obtain the plaintext value that results from AES-CBC
decryption of the given ciphertext using the given key and an
IV of all zeros. The first set of key/ciphertext pairs shall have
128 128-bit key/ciphertext pairs, and the second set of
key/ciphertext pairs shall have 256 256-bit key/ciphertext
pairs. Key i in each set shall have the leftmost i bits be ones
and the rightmost N-i bits be zeros, for i in [1,N]. The
ciphertext value in each pair shall be the value that results in
an all-zeros plaintext when decrypted with its corresponding
key.

KAT-4. To test the encrypt functionality of AES-CBC, the
evaluator shall supply the set of 128 plaintext values described
below and obtain the two ciphertext values that result from
AES-CBC encryption of the given plaintext using a 128-bit key
value of all zeros with an IV of all zeros and using a 256-bit key
value of all zeros with an IV of all zeros, respectively. Plaintext
value i in each set shall have the leftmost i bits be ones and the
rightmost 128-i bits be zeros, for i in [1,128].
To test the decrypt functionality of AES-CBC, the evaluator shall
perform the same test as for encrypt, using ciphertext values of the
same form as the plaintext in the encrypt test as input and AES-CBC
decryption.

AES-CBC Multi-Block Message Test
The evaluator shall test the encrypt functionality by encrypting an
i-block message where 1 < i <= 10. The evaluator shall choose a key,
an IV and plaintext message of length i blocks and encrypt the
message, using the mode to be tested, with the chosen key and IV.
The ciphertext shall be compared to the result of encrypting the same
plaintext message with the same key and IV using a known good
implementation. The evaluator shall also test the decrypt
functionality for each mode by decrypting an i-block message where
1 < i <= 10. The evaluator shall choose a key, an IV and a ciphertext
message of length i blocks and decrypt the message, using the mode
to be tested, with the chosen key and IV. The plaintext shall be
compared to the result of decrypting the same ciphertext message
with the same key and IV using a known good implementation.

AES-CBC Monte Carlo Tests
The evaluator shall test the encrypt
functionality using a set of 200 plaintext, IV, and key 3-tuples. 100 of
these shall use 128-bit keys, and 100 shall use 256-bit keys. The
plaintext and IV values shall be 128-bit blocks. For each 3-tuple,
1000 iterations shall be run as follows:

    # Input: PT, IV, Key
    for i = 1 to 1000:
        if i == 1:
            CT[1] = AES-CBC-Encrypt(Key, IV, PT)
            PT = IV
        else:
            CT[i] = AES-CBC-Encrypt(Key, PT)
            PT = CT[i-1]

The ciphertext computed in the 1000th iteration (i.e., CT[1000]) is
the result for that trial. This result shall be compared to the result of
running 1000 iterations with the same values using a known good
implementation.
The evaluator shall test the decrypt functionality using the same test
as for encrypt, exchanging CT and PT and replacing AES-CBC-Encrypt
with AES-CBC-Decrypt.

AES-GCM Monte Carlo Tests
The evaluator shall test the authenticated encrypt functionality of
AES-GCM for each combination of the following input parameter
lengths:
  128-bit and 256-bit keys
  Two plaintext lengths. One of the plaintext lengths shall be a
  non-zero integer multiple of 128 bits, if supported. The other
  plaintext length shall not be an integer multiple of 128 bits, if
  supported.
  Three AAD lengths. One AAD length shall be 0, if supported.
  One AAD length shall be a non-zero integer multiple of 128
  bits, if supported. One AAD length shall not be an integer
  multiple of 128 bits, if supported.
  Two IV lengths. If 96-bit IV is supported, 96 bits shall be one of
  the two IV lengths tested.
The evaluator shall test the encrypt functionality using a set of 10
key, plaintext, AAD, and IV tuples for each combination of parameter
lengths above and obtain the ciphertext value and tag that results
from AES-GCM authenticated encrypt. Each supported tag length
shall be tested at least once per set of 10. The IV value may be
supplied by the evaluator or the implementation being tested, as long
as it is known.
The evaluator shall test the decrypt functionality using a set of 10
key, ciphertext, tag, AAD, and IV 5-tuples for each combination of
parameter lengths above and obtain a Pass/Fail result on
authentication and the decrypted plaintext if Pass. The set shall
include five tuples that Pass and five that Fail.
The results from each test may either be obtained by the evaluator
directly or by supplying the inputs to the implementer and receiving
the results in response. To determine correctness, the evaluator shall
compare the resulting values to those obtained by submitting the
same inputs to a known good implementation.

FCS_COP.1(2) Cryptographic Operation - Hashing
FCS_COP.1.1(2)

The application shall perform cryptographic hashing services in accordance with
a specified cryptographic algorithm SHA-1 and [selection:
  SHA-256,
  SHA-384,
  SHA-512,
  no other algorithms
] and message digest sizes 160 and [selection:
  256,
  384,
  512,
  no other message digest sizes
] bits that meet the following: FIPS Pub 180-4.
This requirement depends upon selection in FCS_TLSC_EXT.1.1.

Application Note: Per NIST SP 800-131A, SHA-1 for generating digital
signatures is no longer allowed, and SHA-1 for verification of digital signatures is
strongly discouraged as there may be risk in accepting these signatures.
SHA-1 is currently required in order to comply with FCS_TLSC_EXT.1.
Vendors are strongly encouraged to implement updated protocols that support
the SHA-2 family; until updated protocols are supported, this PP allows support
for SHA-1 implementations in compliance with SP 800-131A.
The intent of this requirement is to specify the hashing function. The hash
selection must support the message digest size selection. The hash selection
should be consistent with the overall strength of the algorithm used (for example,
SHA-256 for 128-bit keys).

Assurance Activity
The evaluator shall check that the association of the hash function
with other application cryptographic functions (for example, the
digital signature verification function) is documented in the TSS.
The TSF hashing functions can be implemented in one of two modes.
The first mode is the byte-oriented mode. In this mode the TSF only
hashes messages that are an integral number of bytes in length; i.e.,
the length (in bits) of the message to be hashed is divisible by 8. The
second mode is the bit-oriented mode. In this mode the TSF hashes
messages of arbitrary length. As there are different tests for each
mode, an indication is given in the following sections for the bit-oriented
vs. the byte-oriented testmacs. The evaluator shall perform
all of the following tests for each hash algorithm implemented by the
TSF and used to satisfy the requirements of this PP.
The following tests require the developer to provide access to a test
application that provides the evaluator with tools that are typically
not found in the production application.
Test 1: Short Messages Test - Bit-oriented Mode. The evaluators
devise an input set consisting of m+1 messages, where m is the
block length of the hash algorithm. The length of the messages
range sequentially from 0 to m bits. The message text shall be
pseudorandomly generated. The evaluators compute the
message digest for each of the messages and ensure that the
correct result is produced when the messages are provided to
the TSF.

Test 2: Short Messages Test - Byte-oriented Mode. The
evaluators devise an input set consisting of m/8+1 messages,
where m is the block length of the hash algorithm. The length
of the messages range sequentially from 0 to m/8 bytes, with
each message being an integral number of bytes. The message
text shall be pseudorandomly generated. The evaluators
compute the message digest for each of the messages and
ensure that the correct result is produced when the messages
are provided to the TSF.

Test 3: Selected Long Messages Test - Bit-oriented Mode. The
evaluators devise an input set consisting of m messages, where
m is the block length of the hash algorithm. The length of the
ith message is 512 + 99*i, where 1 ≤ i ≤ m. The message text
shall be pseudorandomly generated. The evaluators compute
the message digest for each of the messages and ensure that
the correct result is produced when the messages are provided
to the TSF.

Test 4: Selected Long Messages Test - Byte-oriented Mode. The
evaluators devise an input set consisting of m/8 messages,
where m is the block length of the hash algorithm. The length
of the ith message is 512 + 8*99*i, where 1 ≤ i ≤ m/8. The
message text shall be pseudorandomly generated. The
evaluators compute the message digest for each of the
messages and ensure that the correct result is produced when
the messages are provided to the TSF.

Test 5: Pseudorandomly Generated Messages Test. This test is
for byte-oriented implementations only. The evaluators
randomly generate a seed that is n bits long, where n is the
length of the message digest produced by the hash function to
be tested. The evaluators then formulate a set of 100 messages
and associated digests by following the algorithm provided in
Figure 1 of [SHAVS]. The evaluators then ensure that the
correct result is produced when the messages are provided to
the TSF.
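
The byte-oriented tests above (Tests 2, 4 and 5) as a small harness; this is an added example, not part of the Protection Profile. It assumes Python's hashlib as the known good implementation; the function names, the tsf_hash callable and the deliberately faulty TSF are constructed for illustration, and the Test 5 loop is this example's reading of the Monte Carlo procedure in [SHAVS] Figure 1.

```python
import hashlib
import os


def reference_hash(name, message):
    """Known good implementation (assumption of this example): hashlib."""
    return hashlib.new(name, message).digest()


def short_messages(name, rng=os.urandom):
    """Test 2: m/8 + 1 pseudorandom messages, 0..m/8 bytes long."""
    block_bytes = hashlib.new(name).block_size          # m/8
    return [rng(n) for n in range(block_bytes + 1)]


def long_messages(name, rng=os.urandom):
    """Test 4: m/8 messages; message i is 512 + 8*99*i bits long."""
    block_bytes = hashlib.new(name).block_size
    return [rng((512 + 8 * 99 * i) // 8) for i in range(1, block_bytes + 1)]


def monte_carlo(name, seed):
    """Test 5: 100 (message, digest) checkpoints chained from an n-bit seed."""
    checkpoints = []
    for _ in range(100):
        md = [seed, seed, seed]                         # MD0 = MD1 = MD2 = Seed
        for _ in range(1000):                           # i = 3 .. 1002
            message = md[0] + md[1] + md[2]
            md = [md[1], md[2], reference_hash(name, message)]
        seed = md[2]                                    # MD1002 seeds the next round
        checkpoints.append((message, seed))
    return checkpoints


def run_byte_oriented_tests(tsf_hash, name, seed=None):
    """Feed every message to the TSF; return (test, message length) per mismatch."""
    failures = []
    for label, messages in (("Test 2", short_messages(name)),
                            ("Test 4", long_messages(name))):
        for message in messages:
            if tsf_hash(message) != reference_hash(name, message):
                failures.append((label, len(message)))
    digest_size = hashlib.new(name).digest_size         # n/8
    for message, digest in monte_carlo(name, seed or os.urandom(digest_size)):
        if tsf_hash(message) != digest:
            failures.append(("Test 5", len(message)))
    return failures


def faulty_sha256(message):
    """Constructed faulty TSF: wrong only when the length is 56 mod 64 bytes,
    the first length at which SHA-256 padding spills into an extra block."""
    if len(message) % 64 == 56:
        message = message[:-1]
    return hashlib.sha256(message).digest()


if __name__ == "__main__":
    print(run_byte_oriented_tests(faulty_sha256, "sha256"))
```

The sequential lengths in Test 2 are what catch the faulty implementation: a sample of a few arbitrary lengths would most likely miss the single padding boundary where it goes wrong.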

FCS_COP.1(3) Cryptographic Operation - Signing
FCS_COP.1.1(3)

The application shall perform cryptographic signature services (generation and
verification) in accordance with a specified cryptographic algorithm [selection:
  RSA schemes using cryptographic key sizes of 2048-bit or greater
  that meet the following: FIPS PUB 186-4, "Digital Signature
  Standard (DSS)", Section 4,
  ECDSA schemes using "NIST curves" P-256, P-384 and [selection:
  P-521, no other curves] that meet the following: FIPS PUB 186-4,
  "Digital Signature Standard (DSS)", Section 5
].
This requirement depends upon selection in FCS_COP_EXT.2.1.

Application Note: The ST Author should choose the algorithm implemented to
perform digital signatures; if more than one algorithm is available, this
requirement should be iterated to specify the functionality. For the algorithm
chosen, the ST author should make the appropriate assignments/selections to
specify the parameters that are implemented for that algorithm. RSA signature
generation and verification is currently required in order to comply with
FCS_TLSC_EXT.1.

Assurance Activity
The evaluator shall perform the following activities based on the
selections in the ST.
The following tests require the developer to provide access to a test
application that provides the evaluator with tools that are typically
not found in the production application.

ECDSA Algorithm Tests
Test 1: ECDSA FIPS 186-4 Signature Generation Test. For
each supported NIST curve (i.e., P-256, P-384 and P-521) and
SHA function pair, the evaluator shall generate 10 1024-bit
long messages and obtain for each message a public key and
the resulting signature values R and S. To determine
correctness, the evaluator shall use the signature verification
function of a known good implementation.
Test 2: ECDSA FIPS 186-4 Signature Verification Test. For
each supported NIST curve (i.e., P-256, P-384 and P-521) and
SHA function pair, the evaluator shall generate a set of 10
1024-bit message, public key and signature tuples and modify
one of the values (message, public key or signature) in five of
the 10 tuples. The evaluator shall obtain in response a set of 10
PASS/FAIL values.

RSA Signature Algorithm Tests
Test 1: Signature Generation Test. The evaluator shall verify
the implementation of RSA Signature Generation by the TOE
using the Signature Generation Test. To conduct this test the
evaluator must generate or obtain 10 messages from a trusted
reference implementation for each modulus size/SHA
combination supported by the TSF. The evaluator shall have
the TOE use their private key and modulus value to sign these
messages. The evaluator shall verify the correctness of the
TSF's signature using a known good implementation and the
associated public keys to verify the signatures.
Test 2: Signature Verification Test. The evaluator shall
perform the Signature Verification test to verify the ability of
the TOE to recognize another party's valid and invalid
signatures. The evaluator shall inject errors into the test
vectors produced during the Signature Verification Test by
introducing errors in some of the public keys, e, messages, IR
format, and/or signatures. The TOE attempts to verify the
signatures and returns success or failure.

FCS_COP.1(4) Cryptographic Operation - Keyed-Hash Message Authentication
FCS_COP.1.1(4)

The application shall perform keyed-hash message authentication in accordance
with a specified cryptographic algorithm
  HMAC-SHA-256
and [selection:
  SHA-1,
  SHA-384,
  SHA-512,
  no other algorithms
] with key sizes [assignment: key size (in bits) used in HMAC] and message
digest sizes 256 and [selection: 160, 384, 512, no other size] bits that meet the
following: FIPS Pub 198-1 "The Keyed-Hash Message Authentication Code"
and FIPS Pub 180-4 "Secure Hash Standard".
This requirement depends upon selection in FCS_TLSC_EXT.1.1.

Application Note: The intent of this requirement is to specify the keyed-hash
message authentication function used for key establishment purposes for the
various cryptographic protocols used by the application (e.g., trusted channel).
The hash selection must support the message digest size selection. The hash
selection should be consistent with the overall strength of the algorithm used for
FCS_COP.1(1). HMAC-SHA-256 is required in order to comply with the
required ciphersuites in FCS_TLSC_EXT.1.

Assurance Activity
The evaluator shall perform the following activities based on the
selections in the ST.
For each of the supported parameter sets, the evaluator shall
compose 15 sets of test data. Each set shall consist of a key and
message data. The evaluator shall have the TSF generate HMAC
tags for these sets of test data. The resulting MAC tags shall be
compared to the result of generating HMAC tags with the same key
and IV using a known good implementation.

FCS_TLSC_EXT.1 TLS Client Protocol
FCS_TLSC_EXT.1.1

The application shall [selection: invoke platform-provided TLS 1.2,
implement TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
Mandatory Ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA as defined
in RFC 5246
Optional Ciphersuites: [selection:
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492,
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492,
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492,
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492,
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
  TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
  TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
  TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
  no other ciphersuite
].
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Application Note: The ciphersuites to be tested in the evaluated configuration
are limited by this requirement. The ST author should select the optional
ciphersuites that are supported; if there are no ciphersuites supported other than
the mandatory suites, then "None" should be selected. It is necessary to limit the
ciphersuites that can be used in an evaluated configuration administratively on the
server in the test environment. The Suite B algorithms listed above (RFC 6460)
are the preferred algorithms for implementation.
TLS_RSA_WITH_AES_128_CBC_SHA is required in order to ensure
compliance with RFC 5246.
These requirements will be revisited as new TLS versions are standardized by
the IETF.
If any ciphersuites are selected using ECDHE, then FCS_TLSC_EXT.1.5 is
required.
If "implement TLS 1.2 (RFC 5246)" is selected, then FCS_CKM.2.1,
FCS_COP.1.1(1), FCS_COP.1.1(2), FCS_COP.1.1(3), and FCS_COP.1.1(4)
are required.

Assurance Activity
The evaluator shall check the description of the implementation of
this protocol in the TSS to ensure that the ciphersuites supported are
specified. The evaluator shall check the TSS to ensure that the
ciphersuites specified include those listed for this component. The
evaluator shall also check the operational guidance to ensure that it
contains instructions on configuring the TOE so that TLS conforms to
the description in the TSS. The evaluator shall also perform the
following tests:

Test 1: The evaluator shall establish a TLS connection using
each of the ciphersuites specified by the requirement. This
connection may be established as part of the establishment of a
higher-level protocol, e.g., as part of an EAP session. It is
sufficient to observe the successful negotiation of a ciphersuite
to satisfy the intent of the test; it is not necessary to examine
the characteristics of the encrypted traffic in an attempt to
discern the ciphersuite being used (for example, that the
cryptographic algorithm is 128-bit AES and not 256-bit AES).

Test 2: The evaluator shall attempt to establish the connection
using a server with a server certificate that contains the Server
Authentication purpose in the extendedKeyUsage field and
verify that a connection is established. The evaluator will then
verify that the client rejects an otherwise valid server
certificate that lacks the Server Authentication purpose in the
extendedKeyUsage field and a connection is not established.
Ideally, the two certificates should be identical except for the
extendedKeyUsage field.

Test 3: The evaluator shall send a server certificate in the TLS
connection that does not match the server-selected ciphersuite
(for example, send an ECDSA certificate while using the
TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite or send an
RSA certificate while using one of the ECDSA ciphersuites.)
The evaluator shall verify that the TOE disconnects after
receiving the server's Certificate handshake message.

Test 4: The evaluator shall configure the server to select the
TLS_NULL_WITH_NULL_NULL ciphersuite and verify that
the client denies the connection.

Test 5: The evaluator shall perform the following modifications
to the traffic:
  Test 5.1: Change the TLS version selected by the server
  in the ServerHello to a non-supported TLS version (for
  example 1.3 represented by the two bytes 03 04) and
  verify that the client rejects the connection.
  Test 5.2: Modify at least one byte in the server's nonce in
  the ServerHello handshake message, and verify that the
  client rejects the ServerKeyExchange handshake
  message (if using a DHE or ECDHE ciphersuite) or that
  the server denies the client's Finished handshake
  message.
  Test 5.3: Modify the server's selected ciphersuite in the
  ServerHello handshake message to be a ciphersuite not
  presented in the ClientHello handshake message. The
  evaluator shall verify that the client rejects the
  connection after receiving the ServerHello.
  Test 5.4: Modify the signature block in the Server's Key
  Exchange handshake message, and verify that the client
  rejects the connection after receiving the Server Key
  Exchange message.
  Test 5.5: Modify a byte in the Server Finished handshake
  message, and verify that the client sends a fatal alert
  upon receipt and does not send any application data.
  Test 5.6: Send a garbled message from the Server after
  the Server has issued the ChangeCipherSpec message
  and verify that the client denies the connection.
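
The client-side checks that Tests 4, 5.1 and 5.3 exercise, written as a ServerHello parser and validator; this is an added example, not part of the Protection Profile. The message layout and code points are those of RFC 5246; the function names, the exception class and the sample messages built by build_server_hello are constructed for illustration.

```python
TLS_1_2 = 0x0303
TLS_NULL_WITH_NULL_NULL = 0x0000
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F      # mandatory suite of this requirement
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035


class ServerHelloRejected(Exception):
    """Raised when the client must abort the handshake."""


def build_server_hello(version, suite, random=bytes(32), session_id=b""):
    """Construct a sample ServerHello handshake message (test input only)."""
    body = (version.to_bytes(2, "big") + random
            + bytes([len(session_id)]) + session_id
            + suite.to_bytes(2, "big") + b"\x00")       # null compression
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(message):
    """Parse handshake type 2; every length is checked before it is used."""
    if len(message) < 4 or message[0] != 2:
        raise ServerHelloRejected("not a ServerHello handshake message")
    length = int.from_bytes(message[1:4], "big")
    body = message[4:]
    # version(2) + random(32) + session_id length(1) + suite(2) + compression(1)
    if len(body) != length or length < 38:
        raise ServerHelloRejected("malformed ServerHello length")
    session_id_len = body[34]
    end = 35 + session_id_len
    if session_id_len > 32 or length < end + 3:
        raise ServerHelloRejected("malformed session_id")
    return {
        "version": int.from_bytes(body[0:2], "big"),
        "random": body[2:34],
        "session_id": body[35:end],
        "cipher_suite": int.from_bytes(body[end:end + 2], "big"),
        "compression": body[end + 2],
    }


def check_server_hello(message, offered_suites):
    """Apply the checks behind Tests 5.1, 4 and 5.3, in that order."""
    hello = parse_server_hello(message)
    if hello["version"] != TLS_1_2:
        raise ServerHelloRejected("unsupported version %04x" % hello["version"])
    if hello["cipher_suite"] == TLS_NULL_WITH_NULL_NULL:
        raise ServerHelloRejected("NULL ciphersuite selected")
    if hello["cipher_suite"] not in offered_suites:
        raise ServerHelloRejected("ciphersuite not offered in ClientHello")
    return hello


def rejection_reason(message, offered_suites):
    """Return None when the ServerHello is acceptable, else the reason."""
    try:
        check_server_hello(message, offered_suites)
    except ServerHelloRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    offered = {TLS_RSA_WITH_AES_128_CBC_SHA}
    for version, suite in ((0x0303, 0x002F), (0x0304, 0x002F),
                           (0x0303, 0x0000), (0x0303, 0x0035)):
        print(hex(version), hex(suite),
              rejection_reason(build_server_hello(version, suite), offered))
```

Test 5.2 is not covered here: a modified server nonce only becomes visible when the ServerKeyExchange signature or the Finished verify data is checked later in the handshake.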

FCS_TLSC_EXT.1.2

The application shall verify that the presented identifier matches the reference
identifier according to RFC 6125.
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Application Note: The rules for verification of identity are described in Section
6 of RFC 6125. The reference identifier is established by the user (e.g. entering
a URL into a web browser or clicking a link), by configuration (e.g. configuring
the name of a mail server or authentication server), or by an application (e.g. a
parameter of an API) depending on the application service. Based on a singular
reference identifier's source domain and application service type (e.g. HTTP,
SIP, LDAP), the client establishes all reference identifiers which are acceptable,
such as a Common Name for the Subject Name field of the certificate and a
(case-insensitive) DNS name, URI name, and Service Name for the Subject
Alternative Name field. The client then compares this list of all acceptable
reference identifiers to the presented identifiers in the TLS server's certificate.
The preferred method for verification is the Subject Alternative Name using
DNS names, URI names, or Service Names. Verification using the Common
Name is required for the purposes of backwards compatibility. Additionally,
support for use of IP addresses in the Subject Name or Subject Alternative
name is discouraged as against best practices but may be implemented. Finally,
the client should avoid constructing reference identifiers using wildcards.
However, if the presented identifiers include wildcards, the client must follow the
best practices regarding matching; these best practices are captured in the
assurance activity.

Assurance Activity
The evaluator shall ensure that the TSS describes the client's method
of establishing all reference identifiers from the application-configured
reference identifier, including which types of reference
identifiers are supported (e.g. Common Name, DNS Name, URI
Name, Service Name, or other application-specific Subject
Alternative Names) and whether IP addresses and wildcards are
supported. The evaluator shall ensure that this description identifies
whether and the manner in which certificate pinning is supported or
used by the TOE.
The evaluator shall verify that the AGD guidance includes
instructions for setting the reference identifier to be used for the
purposes of certificate validation in TLS.
The evaluator shall configure the reference identifier according to the
AGD guidance and perform the following tests during a TLS
connection:

Test 1: The evaluator shall present a server certificate that
does not contain an identifier in either the Subject Alternative
Name (SAN) or Common Name (CN) that matches the
reference identifier. The evaluator shall verify that the
connection fails.

Test 2: The evaluator shall present a server certificate that
contains a CN that matches the reference identifier, contains
the SAN extension, but does not contain an identifier in the
SAN that matches the reference identifier. The evaluator shall
verify that the connection fails. The evaluator shall repeat this
test for each supported SAN type.

Test 3: The evaluator shall present a server certificate that
contains a CN that matches the reference identifier and does
not contain the SAN extension. The evaluator shall verify that
the connection succeeds.

Test 4: The evaluator shall present a server certificate that
contains a CN that does not match the reference identifier but
does contain an identifier in the SAN that matches. The
evaluator shall verify that the connection succeeds.

Test 5: The evaluator shall perform the following wildcard
tests with each supported type of reference identifier:
  Test 5.1: The evaluator shall present a server certificate
  containing a wildcard that is not in the left-most label of
  the presented identifier (e.g. foo.*.example.com) and
  verify that the connection fails.
  Test 5.2: The evaluator shall present a server certificate
  containing a wildcard in the left-most label but not
  preceding the public suffix (e.g. *.example.com). The
  evaluator shall configure the reference identifier with a
  single left-most label (e.g. foo.example.com) and verify
  that the connection succeeds. The evaluator shall
  configure the reference identifier without a left-most
  label as in the certificate (e.g. example.com) and verify
  that the connection fails. The evaluator shall configure
  the reference identifier with two left-most labels (e.g.
  bar.foo.example.com) and verify that the connection
  fails.
  Test 5.3: The evaluator shall present a server certificate
  containing a wildcard in the left-most label immediately
  preceding the public suffix (e.g. *.com). The evaluator
  shall configure the reference identifier with a single left-most
  label (e.g. foo.com) and verify that the connection
  fails. The evaluator shall configure the reference
  identifier with two left-most labels (e.g. bar.foo.com) and
  verify that the connection fails.

Test 6: [conditional] If URI or Service name reference
identifiers are supported, the evaluator shall configure the DNS
name and the service identifier. The evaluator shall present a
server certificate containing the correct DNS name and service
identifier in the URIName or SRVName fields of the SAN and
verify that the connection succeeds. The evaluator shall repeat
this test with the wrong service identifier (but correct DNS
name) and verify that the connection fails.

Test 7: [conditional] If pinned certificates are supported the
evaluator shall present a certificate that does not match the
pinned certificate and verify that the connection fails.
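
A matcher that produces the outcomes Tests 1 through 5.3 expect for DNS names; this is an added example, not part of the Protection Profile. The certificate is modelled as a dict with hypothetical keys "cn" and "san_dns" (None meaning the SAN extension is absent), PUBLIC_SUFFIXES is a small constructed stand-in for a real public suffix list, and rejecting partial-label wildcards such as f*.example.com is a conservative choice of this example.

```python
# Constructed stand-in: a real client would consult a maintained public suffix list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def _labels(name):
    """Lower-case (DNS names compare case-insensitively) and split into labels."""
    return name.lower().rstrip(".").split(".")


def dns_id_matches(presented, reference):
    """Compare one presented DNS identifier with the reference identifier."""
    if "*" in reference:
        return False                      # reference identifiers carry no wildcards
    p, r = _labels(presented), _labels(reference)
    if "" in p or "" in r:
        return False                      # empty label: malformed name
    if "*" not in presented:
        return p == r
    # The wildcard must be the whole left-most label and appear nowhere else.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                      # Test 5.1: foo.*.example.com
    # The wildcard must not sit immediately before the public suffix.
    if len(p) < 2 or ".".join(p[1:]) in PUBLIC_SUFFIXES:
        return False                      # Test 5.3: *.com
    # The wildcard stands for exactly one label (Test 5.2).
    return len(r) == len(p) and r[1:] == p[1:]


def verify_server_identity(cert, reference):
    """Use the SAN when the extension is present; fall back to the CN only
    when the certificate has no SAN extension at all (Tests 2 and 3)."""
    san = cert.get("san_dns")
    if san is not None:
        return any(dns_id_matches(name, reference) for name in san)
    cn = cert.get("cn")
    return cn is not None and dns_id_matches(cn, reference)


if __name__ == "__main__":
    constructed_cases = [
        ("Test 1", {"cn": "other.example.com", "san_dns": None}, "foo.example.com"),
        ("Test 2", {"cn": "foo.example.com", "san_dns": ["other.example.com"]}, "foo.example.com"),
        ("Test 3", {"cn": "foo.example.com", "san_dns": None}, "foo.example.com"),
        ("Test 4", {"cn": "other.example.com", "san_dns": ["foo.example.com"]}, "foo.example.com"),
        ("Test 5.1", {"cn": None, "san_dns": ["foo.*.example.com"]}, "foo.bar.example.com"),
        ("Test 5.2", {"cn": None, "san_dns": ["*.example.com"]}, "foo.example.com"),
        ("Test 5.3", {"cn": None, "san_dns": ["*.com"]}, "foo.com"),
    ]
    for label, cert, reference in constructed_cases:
        print(label, "connect" if verify_server_identity(cert, reference) else "fail")
```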

FCS_TLSC_EXT.1.3

The application shall only establish a trusted channel if the peer certificate is valid.
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Application Note: Validity is determined by the identifier verification, certificate path, the expiration date, and the revocation status in accordance with RFC 5280. Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1.
For TLS connections, this channel shall not be established if the peer certificate is invalid. The HTTPS protocol (FCS_HTTPS_EXT.1) requires different behavior, though HTTPS is implemented over TLS. This element addresses non-HTTPS TLS connections.
Assurance Activity
The evaluator shall use TLS as a function to verify that the validation rules in FIA_X509_EXT.1.1 are adhered to and shall perform the following additional test:
Test 1: The evaluator shall demonstrate that a peer using a certificate without a valid certification path results in an authenticate failure. Using the administrative guidance, the evaluator shall then load the trusted CA certificate(s) needed to validate the peer's certificate, and demonstrate that the connection succeeds. The evaluator then shall delete one of the CA certificates, and show that the connection fails.

FCS_TLSC_EXT.1.5

The application shall present the supported Elliptic Curves Extension in the Client Hello with the following NIST curves: [selection: secp256r1, secp384r1, secp521r1] and no other curves.
This requirement depends upon selection in FCS_TLSC_EXT.1.1.
Application Note: This requirement limits the elliptic curves allowed for authentication and key agreement to the NIST curves from FCS_COP.1(3) and FCS_CKM.1 and FCS_CKM.2. This extension is required for clients supporting Elliptic Curve cipher suites.
Assurance Activity
The evaluator shall verify that TSS describes the supported Elliptic Curves Extension and whether the required behavior is performed by default or may be configured. If the TSS indicates that the supported Elliptic Curves Extension must be configured to meet the requirement, the evaluator shall verify that AGD guidance includes configuration of the supported Elliptic Curves Extension.
The evaluator shall also perform the following tests:
Test 1: The evaluator shall configure the server to perform an ECDHE key exchange message in the TLS connection using a non-supported ECDHE curve (for example, P-192) and shall verify that the TOE disconnects after receiving the server's Key Exchange handshake message.

FCS_DTLS_EXT.1 DTLS Implementation
FCS_DTLS_EXT.1.1

The application shall implement the DTLS protocol in accordance with DTLS 1.2 (RFC 6347).
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Assurance Activity
Test 1: The evaluator shall attempt to establish a connection with a DTLS server, observe the traffic with a packet analyzer, and verify that the connection succeeds and that the traffic is identified as DTLS.
Other tests are performed in conjunction with the Assurance Activity listed for FCS_TLSC_EXT.1.

FCS_DTLS_EXT.1.2

The application shall implement the requirements in TLS (FCS_TLSC_EXT.1) for the DTLS implementation, except where variations are allowed according to DTLS 1.2 (RFC 6347).
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Differences between DTLS 1.2 and TLS 1.2 are outlined in RFC 6347; otherwise the protocols are the same. In particular, for the applicable security characteristics defined for the TSF, the two protocols do not differ. Therefore, all application notes and assurance activities that are listed for TLS apply to the DTLS implementation.
Assurance Activity
The evaluator shall perform the assurance activities listed for FCS_TLSC_EXT.1.

FCS_DTLS_EXT.1.3

The application shall not establish a trusted communication channel if the peer certificate is deemed invalid.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280.
Assurance Activity
Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1, and the evaluator shall perform the following test.
Test 1: The evaluator shall demonstrate that using a certificate without a valid certification path results in the function failing. Using the administrative guidance, the evaluator shall then load a certificate or certificates to the Trust Anchor Database needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the function fails.

FCS_HTTPS_EXT.1 HTTPS Protocol
FCS_HTTPS_EXT.1.1

The application shall implement the HTTPS protocol that complies with RFC 2818.
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Assurance Activity
The evaluator shall attempt to establish an HTTPS connection with a webserver, observe the traffic with a packet analyzer, and verify that the connection succeeds and that the traffic is identified as TLS or HTTPS.

FCS_HTTPS_EXT.1.2

The application shall implement HTTPS using TLS (FCS_TLSC_EXT.1).
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Assurance Activity
Other tests are performed in conjunction with FCS_TLSC_EXT.1.

FCS_HTTPS_EXT.1.3

The application shall notify the user and [selection: not establish the connection, request application authorization to establish the connection, no other action] if the peer certificate is deemed invalid.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280.

Assurance Activity
Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1, and the evaluator shall perform the following test:
Test 1: The evaluator shall demonstrate that using a certificate without a valid certification path results in an application notification. Using the administrative guidance, the evaluator shall then load a certificate or certificates to the Trust Anchor Database needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the application is notified of the validation failure.

FIA_X509_EXT.1 X.509 Certificate Validation
FIA_X509_EXT.1.1

The application shall [selection: invoke platform-provided functionality, implement functionality] to validate certificates in accordance with the following rules:
  RFC 5280 certificate validation and certificate path validation.
  The certificate path must terminate with a trusted CA certificate.
  The application shall validate a certificate path by ensuring the presence of the basicConstraints extension and that the CA flag is set to TRUE for all CA certificates.
  The application shall validate the revocation status of the certificate using [selection: the Online Certificate Status Protocol (OCSP) as specified in RFC 2560, a Certificate Revocation List (CRL) as specified in RFC 5759].
  The application shall validate the extendedKeyUsage field according to the following rules:
    Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.
    Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.
    Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the extendedKeyUsage field.
    S/MIME certificates presented for email encryption and signature shall have the Email Protection purpose (id-kp 4 with OID 1.3.6.1.5.5.7.3.4) in the extendedKeyUsage field.
    OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field.
    Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID 1.3.6.1.5.5.7.3.28) in the extendedKeyUsage field.
This requirement depends upon selection in FTP_DIT_EXT.1.1.

Application Note: FIA_X509_EXT.1.1 lists the rules for validating certificates. The ST author shall select whether revocation status is verified using OCSP or CRLs. FIA_X509_EXT.2 requires that certificates are used for HTTPS, TLS and DTLS; this use requires that the extendedKeyUsage rules are verified.
Regardless of the selection of implement functionality or invoke platform-provided functionality, the validation is expected to end in a trusted root CA certificate in a root store managed by the platform.
Assurance Activity
The evaluator shall ensure the TSS describes where the check of validity of the certificates takes place. The evaluator ensures the TSS also provides a description of the certificate path validation algorithm.
The tests described must be performed in conjunction with the other certificate services assurance activities, including the functions in FIA_X509_EXT.2.1. The tests for the extendedKeyUsage rules are performed in conjunction with the uses that require those rules. The evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA.
Test 1: The evaluator shall demonstrate that validating a certificate without a valid certification path results in the function failing. The evaluator shall then load a certificate or certificates as trusted CAs needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator shall then delete one of the certificates, and show that the function fails.
Test 2: The evaluator shall demonstrate that validating an expired certificate results in the function failing.
Test 3: The evaluator shall test that the TOE can properly handle revoked certificates conditional on whether CRL or OCSP is selected; if both are selected, then a test shall be performed for each method. The evaluator shall test revocation of the node certificate and revocation of the intermediate CA certificate (i.e. the intermediate CA certificate should be revoked by the root CA). The evaluator shall ensure that a valid certificate is used, and that the validation function succeeds. The evaluator then attempts the test with a certificate that has been revoked (for each method chosen in the selection) to ensure when the certificate is no longer valid that the validation function fails.
Test 4: If OCSP is selected, the evaluator shall configure the OCSP server or use a man-in-the-middle tool to present a certificate that does not have the OCSP signing purpose and verify that validation of the OCSP response fails. If CRL is selected, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLsign key usage bit set, and verify that validation of the CRL fails.
Test 5: The evaluator shall modify any byte in the first eight bytes of the certificate and demonstrate that the certificate fails to validate. (The certificate will fail to parse correctly.)
Test 6: The evaluator shall modify any byte in the last byte of the certificate and demonstrate that the certificate fails to validate. (The signature on the certificate will not validate.)
Test 7: The evaluator shall modify any byte in the public key of the certificate and demonstrate that the certificate fails to validate. (The signature on the certificate will not validate.)

FIA_X509_EXT.1.2

The application shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: This requirement applies to certificates that are used and processed by the TSF and restricts the certificates that may be added as trusted CA certificates.
Assurance Activity
The tests described must be performed in conjunction with the other certificate services assurance activities, including the functions in FIA_X509_EXT.2.1. The evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA.
Test 1: The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate does not contain the basicConstraints extension. The validation of the certificate path fails.
Test 2: The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate has the CA flag in the basicConstraints extension not set. The validation of the certificate path fails.
Test 3: The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate has the CA flag in the basicConstraints extension set to TRUE. The validation of the certificate path succeeds.

FIA_X509_EXT.2 X.509 Certificate Authentication
FIA_X509_EXT.2.1

The application shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection: HTTPS, TLS, DTLS].
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: The ST author's selection shall match the selection in FTP_DIT_EXT.1.1.

FIA_X509_EXT.2.2

When the application cannot establish a connection to determine the validity of a certificate, the application shall [selection: allow the administrator to choose whether to accept the certificate in these cases, accept the certificate, not accept the certificate].

This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Often a connection must be established to perform a verification of the revocation status of a certificate, either to download a CRL or to perform OCSP. The selection is used to describe the behavior in the event that such a connection cannot be established (for example, due to a network error). If the TOE has determined the certificate valid according to all other rules in FIA_X509_EXT.1, the behavior indicated in the selection shall determine the validity. The TOE must not accept the certificate if it fails any of the other validation rules in FIA_X509_EXT.1.
Assurance Activity
The evaluator shall check the TSS to ensure that it describes how the TOE chooses which certificates to use, and any necessary instructions in the administrative guidance for configuring the operating environment so that the TOE can use the certificates.
The evaluator shall examine the TSS to confirm that it describes the behavior of the TOE when a connection cannot be established during the validity check of a certificate used in establishing a trusted channel. The evaluator shall verify that any distinctions between trusted channels are described. If the requirement is that the administrator is able to specify the default action, then the evaluator shall ensure that the operational guidance contains instructions on how this configuration action is performed.
The evaluator shall perform the following test for each trusted channel:
Test 1: The evaluator shall demonstrate that using a valid certificate that requires certificate validation checking to be performed in at least some part by communicating with a non-TOE IT entity. The evaluator shall then manipulate the environment so that the TOE is unable to verify the validity of the certificate, and observe that the action selected in FIA_X509_EXT.2.2 is performed. If the selected action is administrator-configurable, then the evaluator shall follow the operational guidance to determine that all supported administrator-configurable options behave in their documented manner.
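
The ordering that FIA_X509_EXT.1.1, FIA_X509_EXT.1.2 and FIA_X509_EXT.2.2 impose (every other rule first, the unreachable-revocation choice last) is sketched below over the four-certificate chain used in the assurance activities. This is an added model, not code from the Protection Profile: the Cert record, the certificate names and the dates are constructed, and parsing, signature verification and the remaining RFC 5280 checks are assumed to have been done already.

```python
from dataclasses import dataclass
from datetime import datetime

EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp 1, listed in FIA_X509_EXT.1.1
NOW = datetime(2025, 1, 1)             # constructed evaluation time


@dataclass
class Cert:
    """Constructed stand-in for an already parsed, signature-checked certificate."""
    subject: str
    issuer: str
    not_after: datetime
    ca_flag: object = None      # None: basicConstraints absent; else the CA flag
    eku: tuple = ()
    revocation: str = "good"    # "good", "revoked" or "unreachable"


def validate_path(path, anchors, now, eku, on_unreachable="reject"):
    """path[0] is the node certificate; path[i + 1] issued path[i]."""
    if not path:
        return False, "empty path"
    if eku not in path[0].eku:
        return False, "node certificate lacks the required extendedKeyUsage"
    for i, cert in enumerate(path):
        if cert.not_after < now:
            return False, f"{cert.subject} is expired"
        if i > 0 and cert.ca_flag is not True:
            return False, f"{cert.subject} is not a CA per basicConstraints"
        if i + 1 < len(path) and cert.issuer != path[i + 1].subject:
            return False, f"{cert.subject} was not issued by the next certificate"
    if path[-1].subject not in anchors:
        return False, "path does not terminate in a trusted CA certificate"
    # Every other rule has passed; only now may the FIA_X509_EXT.2.2 choice apply.
    statuses = [cert.revocation for cert in path[:-1]]
    if "revoked" in statuses:
        return False, "a certificate in the path is revoked"
    if "unreachable" in statuses and on_unreachable != "accept":
        return False, "revocation status could not be determined"
    return True, "valid"


def sample_chain(issuing_ca_flag=True, **node_overrides):
    """Node certificate, two intermediate CAs and a self-signed root (constructed)."""
    end = datetime(2030, 1, 1)
    node = dict(subject="node", issuer="ica2", not_after=end, eku=(EKU_SERVER_AUTH,))
    node.update(node_overrides)
    return [
        Cert(**node),
        Cert("ica2", "ica1", end, ca_flag=issuing_ca_flag),
        Cert("ica1", "root", end, ca_flag=True),
        Cert("root", "root", end, ca_flag=True),
    ]
```

Passing `on_unreachable="accept"` never rescues a certificate that is expired, mis-issued or missing its extendedKeyUsage purpose, which is the constraint the Application Note places on the selection.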

C. Objective Requirements
This Annex includes requirements that specify security functionality which also addresses threats. The requirements are not currently mandated in the body of this PP as they describe security functionality not yet widely available in commercial technology. However, these requirements may be included in the ST such that the TOE is still conformant to this PP, and it is expected that they be included as soon as possible.

FCS_TLSC_EXT.1 TLS Client Protocol

FCS_TLSC_EXT.1.6

The application shall present the signature_algorithms extension in the Client Hello with the supported_signature_algorithms value containing the following hash algorithms: [selection: SHA256, SHA384, SHA512] and no other hash algorithms.
Application Note: This requirement limits the hashing algorithms supported for the purpose of digital signature verification by the client and limits the server to the supported hashes for the purpose of digital signature generation by the server. The signature_algorithm extension is only supported by TLS 1.2.
Assurance Activity
The evaluator shall verify that TSS describes the signature_algorithm extension and whether the required behavior is performed by default or may be configured. If the TSS indicates that the signature_algorithm extension must be configured to meet the requirement, the evaluator shall verify that AGD guidance includes configuration of the signature_algorithm extension.
The evaluator shall also perform the following test:
Test 1: The evaluator shall configure the server to send a certificate in the TLS connection that is not supported according to the Client's HashAlgorithm enumeration within the signature_algorithms extension (for example, send a certificate with a SHA-1 signature). The evaluator shall verify that the TOE disconnects after receiving the server's Certificate handshake message.
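
What a client offers under FCS_TLSC_EXT.1.5 and FCS_TLSC_EXT.1.6 can be checked from a captured ClientHello. The parser below is an added example, not code from the Protection Profile; it uses the TLS 1.2 wire values for the curves and hash algorithms named in the two selections, runs on a ClientHello constructed inline, and assumes the client offers Elliptic Curve cipher suites, so a missing extension is reported.

```python
import struct

# Full selection lists from FCS_TLSC_EXT.1.5 and 1.6; an ST may choose a subset.
ALLOWED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
ALLOWED_HASHES = {4: "SHA256", 5: "SHA384", 6: "SHA512"}
EXT_ELLIPTIC_CURVES, EXT_SIGNATURE_ALGORITHMS = 10, 13


def build_client_hello(curves, sig_algs):
    """Build a minimal TLS 1.2 ClientHello handshake message (constructed input)."""
    def ext(ext_type, data):
        return struct.pack("!HH", ext_type, len(data)) + data

    curve_list = b"".join(struct.pack("!H", c) for c in curves)
    sig_list = b"".join(bytes(pair) for pair in sig_algs)  # (hash, signature)
    exts = ext(EXT_ELLIPTIC_CURVES, struct.pack("!H", len(curve_list)) + curve_list)
    exts += ext(EXT_SIGNATURE_ALGORITHMS, struct.pack("!H", len(sig_list)) + sig_list)
    body = b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session_id
    body += b"\x00\x02\xc0\x2b" + b"\x01\x00"    # one sample cipher suite, null compression
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_extensions(msg):
    """Return {extension_type: extension_data} from a ClientHello handshake message."""
    try:
        if msg[0] != 1:
            raise ValueError("not a ClientHello")
        body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
        pos = 2 + 32                                         # version + random
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    exts = {}
    if pos >= len(body):
        return exts                                          # no extensions block
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        raise ValueError("truncated extensions block")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def check_client_hello(msg):
    """Return findings; an empty list means both extensions stay within the lists."""
    exts, findings = parse_extensions(msg), []
    curves = exts.get(EXT_ELLIPTIC_CURVES)
    if curves is None:
        findings.append("supported Elliptic Curves extension missing")
    else:
        n = int.from_bytes(curves[:2], "big")
        ids = [int.from_bytes(curves[i:i + 2], "big") for i in range(2, 2 + n, 2)]
        findings += [f"curve {c} offered but not allowed" for c in ids
                     if c not in ALLOWED_CURVES]
    sigs = exts.get(EXT_SIGNATURE_ALGORITHMS)
    if sigs is None:
        findings.append("signature_algorithms extension missing")
    else:
        n = int.from_bytes(sigs[:2], "big")
        hashes = sorted(set(sigs[2:2 + n:2]))    # first byte of each pair is the hash
        findings += [f"hash {h} offered but not allowed" for h in hashes
                     if h not in ALLOWED_HASHES]
    return findings
```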

FPT_API_EXT.1 Use of Supported Services and APIs
FPT_API_EXT.1.2

The application [selection: shall use platform-provided libraries, does not implement functionality] for parsing [assignment: list of formats parsed that are included in the IANA MIME media types].
Application Note: The IANA MIME types are listed at http://www.iana.org/assignments/mediatypes and include many image, audio, video, and content file formats. This requirement does not apply if providing parsing services is the purpose of the application.
Assurance Activity
The evaluator shall verify that the TSS lists the IANA MIME media types (as described by http://www.iana.org/assignments/mediatypes) for all formats the application processes and that it maps those formats to parsing services provided by the platform.

FPT_IDV_EXT.1 Software Identification and Versions
FPT_IDV_EXT.1.1

The application shall include SWID tags that comply with the minimum requirements for SWID tag from ISO/IEC 19770-2:2009 standard.

This requirement is scheduled to be mandatory for applications entering evaluations after July 1, 2015.
Application Note: Valid SWID tags must contain a SoftwareIdentity element and an Entity element as defined in the ISO/IEC 19770-2:2009 standard. SWID tags must be stored with a .swidtag file extension as defined in the ISO/IEC 19770-2:2009.
Assurance Activity
The evaluator shall install the application, then check for the existence of SWID tags in a .swidtag file. The evaluator shall open the file and verify that it contains at least a SoftwareIdentity element and an Entity element.

D. Entropy Documentation and Assessment
This appendix describes the required supplementary information for the entropy source used by the TOE.
The documentation of the entropy source should be detailed enough that, after reading, the evaluator will thoroughly understand the entropy source and why it can be relied upon to provide sufficient entropy. This documentation should include multiple detailed sections: design description, entropy justification, operating conditions, and health testing. This documentation is not required to be part of the TSS.

D.1 Design Description
Documentation shall include the design of the entropy source as a whole, including the interaction of all entropy source components. Any information that can be shared regarding the design should also be included for any third-party entropy sources that are included in the product.
The documentation will describe the operation of the entropy source to include, how entropy is produced, and how unprocessed (raw) data can be obtained from within the entropy source for testing purposes. The documentation should walk through the entropy source design indicating where the entropy comes from, where the entropy output is passed next, any post-processing of the raw outputs (hash, XOR, etc.), if/where it is stored, and finally, how it is output from the entropy source. Any conditions placed on the process (e.g., blocking) should also be described in the entropy source design. Diagrams and examples are encouraged.
This design must also include a description of the content of the security boundary of the entropy source and a description of how the security boundary ensures that an adversary outside the boundary cannot affect the entropy rate.
If implemented, the design description shall include a description of how third-party applications can add entropy to the RBG. A description of any RBG state saving between power-off and power-on shall be included.

D.2 Entropy Justification
There should be a technical argument for where the unpredictability in the source comes from and why there is confidence in the entropy source delivering sufficient entropy for the uses made of the RBG output (by this particular TOE). This argument will include a description of the expected min-entropy rate (i.e. the minimum entropy (in bits) per bit or byte of source data) and explain that sufficient entropy is going into the TOE randomizer seeding process. This discussion will be part of a justification for why the entropy source can be relied upon to produce bits with entropy.
The amount of information necessary to justify the expected min-entropy rate depends on the type of entropy source included in the product.
For developer-provided entropy sources, in order to justify the min-entropy rate, it is expected that a large number of raw source bits will be collected, statistical tests will be performed, and the min-entropy rate determined from the statistical tests. While no particular statistical tests are required at this time, it is expected that some testing is necessary in order to determine the amount of min-entropy in each output.
For third-party provided entropy sources, in which the TOE vendor has limited access to the design and raw entropy data of the source, the documentation will indicate an estimate of the amount of min-entropy obtained from this third-party source. It is acceptable for the vendor to assume an amount of min-entropy, however, this assumption must be clearly stated in the documentation provided. In particular, the min-entropy estimate must be specified and the assumption included in the ST.
Regardless of type of entropy source, the justification will also include how the DRBG is initialized with the entropy stated in the ST, for example by verifying that the min-entropy rate is multiplied by the amount of source data used to seed the DRBG or that the rate of entropy expected based on the amount of source data is explicitly stated and compared to the statistical rate. If the amount of source data used to seed the DRBG is not clear or the calculated rate is not explicitly related to the seed, the documentation will not be considered complete.
The entropy justification shall not include any data added from any third-party application or from any state saving between restarts.
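
The seed calculation that D.2 asks the justification to make explicit (min-entropy rate multiplied by the amount of source data used to seed the DRBG) is worked through below. This is an added example, not part of the Protection Profile, which requires no particular statistical test; it swaps in a most-common-value estimate in the style of NIST SP 800-90B, and the raw samples and the 256-bit seed requirement are constructed assumptions.

```python
import math
from collections import Counter

# Constructed raw source output: a byte source that emits 0x00 about half the time.
RAW_SAMPLES = [0] * 5000 + [i % 256 for i in range(5000)]


def mcv_min_entropy_per_sample(samples):
    """Min-entropy (bits per sample) from the most common value.

    Uses the upper end of a 99% confidence interval on the observed
    probability of the most common value, so the estimate errs low.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two raw samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return abs(math.log2(p_upper))   # abs() turns -0.0 into 0.0 for a stuck source


def seed_entropy_bits(rate_per_sample, samples_per_seed):
    """Min-entropy rate multiplied by the amount of source data in one seed."""
    return rate_per_sample * samples_per_seed


def min_samples_for_seed(rate_per_sample, required_bits):
    """Smallest number of raw samples whose combined min-entropy meets the target."""
    if rate_per_sample <= 0:
        raise ValueError("source provides no measurable min-entropy")
    return math.ceil(required_bits / rate_per_sample)


def seed_is_sufficient(samples, samples_per_seed, required_bits):
    """True if a seed of samples_per_seed raw samples carries required_bits."""
    rate = mcv_min_entropy_per_sample(samples)
    return seed_entropy_bits(rate, samples_per_seed) >= required_bits


if __name__ == "__main__":
    rate = mcv_min_entropy_per_sample(RAW_SAMPLES)
    print(f"min-entropy rate: {rate:.3f} bits per byte")
    print(f"bytes needed for a 256-bit seed: {min_samples_for_seed(rate, 256)}")
```

With this biased source a 64-byte seed falls well short of 256 bits even though it contains 512 bits of raw data, which is why the amount of source data and the rate must be stated together.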

D.3 Operating Conditions
The entropy rate may be affected by conditions outside the control of the entropy source itself. For example, voltage, frequency, temperature, and elapsed time after power-on are just a few of the factors that may affect the operation of the entropy source. As such, documentation will also include the range of operating conditions under which the entropy source is expected to generate random data. It will clearly describe the measures that have been taken in the system design to ensure the entropy source continues to operate under those conditions. Similarly, documentation shall describe the conditions under which the entropy source is known to malfunction or become inconsistent. Methods used to detect failure or degradation of the source shall be included.

D.4 Health Testing
More specifically, all entropy source health tests and their rationale will be documented. This will include a description of the health tests, the rate and conditions under which each health test is performed (e.g., at startup, continuously, or on-demand), the expected results for each health test, and rationale indicating why each test is believed to be appropriate for detecting one or more failures in the entropy source.

E. References
Identifier  Title
[CC]        Common Criteria for Information Technology Security Evaluation
            Part 1: Introduction and General Model, CCMB-2012-09-001, Version 3.1 Revision 4, September 2012.
            Part 2: Security Functional Components, CCMB-2012-09-002, Version 3.1 Revision 4, September 2012.
            Part 3: Security Assurance Components, CCMB-2012-09-003, Version 3.1 Revision 4, September 2012.
[CEM]       Common Evaluation Methodology for Information Technology Security Evaluation
            Methodology, CCMB-2012-09-004, Version 3.1, Revision 4, September 2012.
[CESG]      CESG End User Devices Security and Configuration Guidance
[CSA]       Computer Security Act of 1987, H.R. 145, June 11, 1987.
[OMB]       Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, OMB M-06-19, July 12, 2006.

F. Acronyms
Acronym  Meaning
ADB      Android Debug Bridge
AES      Advanced Encryption Standard
ANSI     American National Standards Institute
API      Application Programming Interface
APK      Android Application Package
APPX     Windows Store Application Package
API      Application Programming Interface
ASLR     Address Space Layout Randomization
BAR      Blackberry Application Package
BIOS     Basic Input/Output System
CDSA     Common Data Security Architecture
CESG     Communications Electronics Security Group
CMC      Certificate Management over CMS
CMS      Cryptographic Message Syntax
CN       Common Names
CRL      Certificate Revocation List
CSA      Computer Security Act
DEP      Data Execution Prevention
DES      Data Encryption Standard
DHE      Diffie-Hellman Ephemeral
DMG      Apple Disk Image
DNS      Domain Name System
DPAPI    Data Protection Application Programming Interface
DRBG     Deterministic Random Bit Generator
DSS      Digital Signature Standard
DT       Date/Time Vector
DTLS     Datagram Transport Layer Security
EAP      Extensible Authentication Protocol
ECDHE    Elliptic Curve Diffie-Hellman Ephemeral
ECDSA    Elliptic Curve Digital Signature Algorithm
EMET     Enhanced Mitigation Experience Toolkit
EST      Enrollment over Secure Transport
FIPS     Federal Information Processing Standards
DSS      Digital Signature Standard
GPS      Global Positioning System
HMAC     Hash-based Message Authentication Code
HTTP     Hypertext Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
DSS      Digital Signature Standard
IANA     Internet Assigned Number Authority
IEC      International Electrotechnical Commission
IETF     Internet Engineering Task Force
IP       Internet Protocol
IPA      iOS Package archive
IR       Intermediate Integer
ISO      International Organization for Standardization
IT       Information Technology
ITSEF    Information Technology Security Evaluation Facility
JNI      Java Native Interface
LDAP     Lightweight Directory Access Protocol
MIME     Multi-purpose Internet Mail Extensions
MPKG     Meta Package
MSI      Microsoft Installer
NFC      Near Field Communication
NIAP     National Information Assurance Partnership
NIST     National Institute of Standards and Technology
OCSP     Online Certificate Status Protocol
OID      Object Identifier
OMB      Office of Management and Budget
OS       Operating System
PDF      Portable Document Format
PID      Process Identifier
PII      Personally Identifiable Information
PKG      Package file
PKI      Public Key Infrastructure
PP       Protection Profile
IT       Information Technology
RBG      Random Bit Generator
RFC      Request for Comment
RNG      Random Number Generator
RNGVS    Random Number Generator Validation System
SAN      Subject Alternative Name
SAR      Security Assurance Requirement
SE       Security Enhancements
SFR      Security Functional Requirement
SHA      Secure Hash Algorithm
S/MIME   Secure/Multi-purpose Internet Mail Extensions
SIP      Session Initiation Protocol
SP       Special Publication
SSH      Secure Shell
SWID     Software Identification
TLS      Transport Layer Security
UI       User Interface
URI      Uniform Resource Identifier
URL      Uniform Resource Locator
USB      Universal Serial Bus
XCCDF    eXtensible Configuration Checklist Description Format
XOR      Exclusive Or
