mobile device fundamentals - niap-ccevs

MobileDeviceFundamentals

Version:3.22021-04-15

NationalInformationAssurancePartnership

RevisionHistory

Version Date Comment

1.0 2013-10-21

InitialRelease

1.1 2014-01-12

Typographicalchangesandadditionalclarificationsinapplicationnotes.RemovedassignmentfromFCS_TLS_EXT.1andlimitedtestingtothoseciphersuitesinbothFCS_TLS_EXT.1andFCS_TLS_EXT.2.

2.0 2015-09-14

IncludedchangesbasedonTechnicalRapidResponseTeamDecisions.Clarifiedmanyrequirementsandassuranceactivities.Mandatedobjectiverequirements:

ApplicationAccessControl(FDP_ACF_EXT.1.2)VPNInformationFlowControl(FDP_IFC_EXT.1)

Addednewobjectiverequirements:SuiteBcryptographyforIEEE802.11CertificateenrollmentProtectionofadditionalkeymaterialtypesHeapoverflowprotectionBluetoothrequirementsCryptographicoperationservicesforapplicationsRemoteAttestation(FPT_NOT_EXT.1)

Addedtransitiondatesforsomeobjectiverequirements.Includedhardware-isolatedREKandkeystorageselections.AllowedkeyderivationbyREK.ClarifiedFTP_ITC_EXT.1andaddedFDP_UPC_EXT.1.MandatedHTTPSandTLSforapplicationuse.(FDP_UPC_EXT.1)RemovedDual_EC_DRBGasanapprovedDRBG.AdoptednewTLSrequirements.MandatedTSFWipeuponauthenticationfailurelimitandrequirednumberofauthenticationfailuresbemaintainedacrossreboot.ClarifiedManagementClass.Includedmoredomainisolationdiscussionandtests.UpdatedAuditrequirementsandaddedAuditableEventstable.AddedSFRCategoryMappingTable.UpdatedUseCaseTemplates.MovedGlossarytoIntroduction.

3.0 2015-09-17

IncludedchangesbasedonTechnicalRapidResponseTeamDecisions.Clarifiedmanyrequirementsandassuranceactivities.Mandatedobjectiverequirements:

GenerationofAuditRecords(FAU_GEN.1)AuditStorageProtection(FAU_STG.1)AuditStorageOverwrite(FAU_STG.4)LockScreenDAR(FDP_DAR_EXT.2)DiscardBluetoothConnectionAttemptsfromBluetoothAddresseswithExistingConnection(FIA_BLT_EXT.3)JTAGDisablement(FPT_JTA)

Addednewobjectiverequirements:ApplicationBackupBiometricAuthenticationFactorAccessControlUserAuthenticationBluetoothEncryption

WLANclientrequirementsmovedtoExtendedPackageforWLANClient.AddedSFRstosupportBYODUseCaseBYODUseCaseUpdatedkeydestructionSFR

3.1 2017-04-05

IncludedchangesbasedonTechnicalRapidResponseTeamDecisionsandincorporatedTechnicalDecisions.Modifiedbiometricrequirements:

FIA_UAU.5-Addediris,face,voiceandveinassupportedmodalities,inadditiontofingerprint(allowedinversion3)FIA_BMG_EXT.1.1-ClarifiedAAtospecifythatvendorevidenceisacceptableandexpectationsofevidenceprovided.FIA_BMG_EXT.1.2-SAFARwaschangedtoanassignmentofaSAFARnogreaterthan1:500.FIA_AFL_EXT.1-Updatedtoalloweachbiometricmodalitytoutilizeanindividualorsharedcounter.

FCS_TLSC_EXT.1.1-RemovedTLSciphersuitesthatutilizedSHA1andupdatedoptionalciphersuitestobeuniformedacrossPPs.FCS_STG_EXT.2.2-Modifiedtorequirelongtermtrustedchannelkeymaterialbeencryptedbyanapprovedmethod.

FIA_UAU_EXT.1.1-Modifiedtoallowthelongtermtrustedchannelkeymaterialtobeavailablepriortopasswordbeingenteredatstart-up.

3.2 2021-04-15

RemovedTLSSFRsandutilizedTLSFunctionalPackageRemovedBluetoothSFRsandutilizedBluetoothModule.BluetoothSFRmovedtoImplementationDependent.FPT_TUD_EXT.2.4renumberedtoFPT_TUD_EXT.3.1.FPT_TUD_EXT.3renumberedtoFPT_TUD_EXT.4.FPT_TUD_EXT.4.1renumberedtoFPT_TUD_EXT.5.1.FPT_TUD_EXT.4.2renumberedtoFPT_TUD_EXT.6.1.

Contents

1 Introduction1.1 ObjectivesofDocument1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms

1.3 ScopeofDocument1.4 IntendedReadership1.5 TOEOverview1.6 TOEUsage

2 ConformanceClaims3 SecurityProblemDescription3.1 Threats3.2 Assumptions3.3 OrganizationalSecurityPolicies

4 SecurityObjectives4.1 SecurityObjectivesfortheTOE4.2 SecurityObjectivesfortheOperationalEnvironment4.3 SecurityObjectivesRationale

5 SecurityRequirements5.1 SecurityFunctionalRequirements5.1.1 Class:SecurityAudit(FAU)5.1.2 Class:CryptographicSupport(FCS)5.1.3 CryptographicStorage(FCS_STG)5.1.4 Class:UserDataProtection(FDP)5.1.5 Class:IdentificationandAuthentication(FIA)5.1.6 Class:SecurityManagement(FMT)5.1.7 Class:ProtectionoftheTSF(FPT)5.1.8 Class:TOEAccess(FTA)5.1.9 Class:TrustedPath/Channels(FTP)5.1.10 TOESecurityFunctionalRequirementsRationale

5.2 SecurityAssuranceRequirements5.2.1 ClassASE:SecurityTarget5.2.2 ClassADV:Development5.2.3 ClassAGD:GuidanceDocumentation5.2.4 ClassALC:Life-cycleSupport5.2.5 ClassATE:Tests5.2.6 ClassAVA:VulnerabilityAssessment

AppendixA- OptionalRequirementsA.1 StrictlyOptionalRequirementsA.1.1 Class:IdentificationandAuthentication(FIA)

A.2 ObjectiveRequirementsA.2.1 Class:SecurityAudit(FAU)A.2.2 Class:CryptographicSupport(FCS)A.2.3 Class:UserDataProtection(FDP)A.2.4 Class:IdentificationandAuthentication(FIA)A.2.5 Class:SecurityManagement(FMT)A.2.6 Class:ProtectionoftheTSF(FPT)A.2.7 Class:TOEAccess(FTA)

A.3 Implementation-basedRequirementsA.3.1 BluetoothA.3.1.1 Class:UserDataProtection(FDP)

AppendixB- Selection-basedRequirementsB.1 Class:CryptographicSupport(FCS)B.2 Class:UserDataProtection(FDP)B.3 Class:IdentificationandAuthentication(FIA)B.4 Class:ProtectionoftheTSF(FPT)

AppendixC- ImplicitlySatisfiedRequirementsAppendixD- EntropyDocumentationAndAssessmentD.1 DesignDescriptionD.2 EntropyJustificationD.3 OperatingConditionsD.4 HealthTesting

AppendixE- UseCaseTemplatesE.1 [USECASE1]Enterprise-owneddeviceforgeneral-purposeenterpriseuse

E.2 [USECASE2]Enterprise-owneddeviceforspecialized,high-securityuseE.3 [USECASE3]Personally-owneddeviceforpersonalandenterpriseuseE.4 [USECASE4]Personally-owneddeviceforpersonalandlimitedenterpriseuse

AppendixF- InitializationVectorRequirementsforNIST-ApprovedCipherModesAppendixG- BiometricDerivationandExamplesG.1 ExperimentalSetupsAndErrorBarsInTestingFARAndFRRG.1.1 IntroductionG.1.2 TestingenvironmentthatcouldmeetFIA_BMG_EXT.1.1G.1.3 DerivingFalseAcceptRateG.1.4 DerivingFalseRejectRate

G.2 DerivationoftheRuleof3(andsimilarrules,forcompleteness)G.3 SAFARCalculationEquationsG.4 SAFARCalculationExample

AppendixH- AcknowledgementsAppendixI- AcronymsAppendixJ- Bibliography

1Introduction

1.1ObjectivesofDocumentThescopeofthisProtectionProfile(PP)istodescribethesecurityfunctionalityofmobiledevicesintermsof[CC]andtodefinefunctionalandassurancerequirementsforsuchdevices.

1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.

1.2.1CommonCriteriaTerms

Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].

BaseProtectionProfile(Base-PP)

ProtectionProfileusedasabasistobuildaPP-Configuration.

CommonCriteria(CC)

CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).

CommonCriteriaTestingLaboratory

WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.

CommonEvaluationMethodology(CEM)

CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.

DistributedTOE

ATOEcomposedofmultiplecomponentsoperatingasalogicalwhole.

OperationalEnvironment(OE)

HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.

ProtectionProfile(PP)

Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.

ProtectionProfileConfiguration(PP-Configuration)

AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.

ProtectionProfileModule(PP-Module)

Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.

SecurityAssuranceRequirement(SAR)

ArequirementtoassurethesecurityoftheTOE.

SecurityFunctionalRequirement(SFR)

ArequirementforsecurityenforcementbytheTOE.

SecurityTarget(ST)

Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.

TOESecurityFunctionality(TSF)

Thesecurityfunctionalityoftheproductunderevaluation.

TOESummarySpecification(TSS)

AdescriptionofhowaTOEsatisfiestheSFRsinanST.

TargetofEvaluation(TOE)

Theproductunderevaluation.

1.2.2TechnicalTerms

AdaptiveTemplate

Atypeofauthenticationtemplatethatevolveswitheachsamplethatisverifiedandintroducedintothebiometricsdatabaseorgallery.

AddressSpaceLayoutRandomization(ASLR)

Ananti-exploitationfeature,whichloadsmemorymappingsintounpredictablelocations.ASLRmakesitmoredifficultforanattackertoredirectcontroltocodethattheyhaveintroducedintotheaddressspaceofaprocessorthekernel.

Administrator TheAdministratorisresponsibleformanagementactivities,includingsettingthepolicythatisappliedbytheenterpriseontheMobileDevice.ThisadministratorislikelytobeactingremotelyandcouldbetheMobileDeviceManagement(MDM)AdministratoractingthroughanMDMAgent.Ifthedeviceisunenrolled,theuseristheadministrator.

AuthenticationTemplate

Adigitalrepresentationofanindividual’sdistinctcharacteristics,representinginformationextractedfromabiometricsample.Suchtemplatesareusedduringbiometricauthenticationandverificationasthebasisforcomparison.Unlikeenrollmenttemplates,thesetemplatescanbeadaptive.

AuxiliaryBootModes

Auxiliarybootmodesarestatesinwhichthedeviceprovidespowertooneormorecomponentstoprovideaninterfacethatenablesanunauthenticatedusertointeractwitheitheraspecificcomponentorseveralcomponentsthatexistoutsideofthedevice’sfullyauthenticated,operationalstate.

BiometricAuthenticationFactor(BAF)

Authenticationfactor,whichusesbiometricsample,matchedtoabiometricauthenticationtemplatetohelpestablishidentity.

BiometricData

Digitaldatacreatedduringabiometricprocess.Itencompassesrawsensorobservations,biometricsamples,models,templates,and/orsimilarityscores,amongotherdata.Thisdataisusedtodescribetheinformationcollectedduringanenrollment,verification,oridentificationprocess,butdoesnotapplytoenduserinformationsuchasusername,password(unlesstiedtothebiometricmodality),demographicinformation,andauthorizations.

BiometricSample

Informationorcomputerdataobtainedfromabiometricsensordeviceorcapturedfromanindividualtothesensor.

BiometricSystem

Multipleindividualcomponents(suchassensor,matchingalgorithm,andresultdisplay)thatcombinetomakeafullyoperationalsystemcompletelycontainedwithintheTOE.Abiometricsystemisautomatedandcapableof:

1. Capturingabiometricsamplefromanenduser2. Extractingandprocessingthebiometricdatafromthatsample3. Generatingvarioustemplatesbasedonprocessingofthatsampleduringenrollment,

or,ifadaptive,duringverificationaswell4. Storingtheextractedinformationinadatabaseonthedevice5. Comparingthebiometricdatawithdatacontainedinoneormoreauthentication

templates6. Decidinghowwelltheymatchandindicatingwhetherornotanidentificationor

verificationofidentityhasbeenachieved.

CommonApplicationDeveloper

Applicationdevelopers(orsoftwarecompanies)oftenproducemanyapplicationsunderthesamename.Mobiledevicesoftenallowsharedresourcesbysuchapplicationswhereotherwiseresourceswouldnotbeshared.

CriticalSecurity

Security-relatedinformationwhosedisclosureormodificationcancompromisethesecurityofacryptographicmoduleand/orauthenticationsystem.

Parameter(CSP)

Data Program/applicationordatafilesthatarestoredortransmittedbyaserverorMobileDevice(MD).

DataEncryptionKey(DEK)

Akeyusedtoencryptdata-at-rest.

DeveloperModes

Developermodesarestatesinwhichadditionalservicesareavailabletoauserinordertoprovideenhancedsystemaccessfordebuggingofsoftware.

EncryptedSoftwareKeys

Thesekeysarestoredinthemainfilesystemencryptedbyanotherkeyandcanbechangedandsanitized.

EnrolledState ThestateinwhichtheMobileDeviceismanagedwithactivepolicysettingsfromtheadministrator.

Enrollment(Biometrics)

Theprocessofcollectingabiometricsamplefromanenduser,convertingitintoanenrollmentand/orauthenticationtemplate,andstoringitinthebiometricsystem’sdatabase.Ifanenrollmenttemplateisgenerated,itisusedduringtheenrollmentprocessforlatercomparisontootherenrollmenttemplatesalreadystored.Iftherearemultipleenrollmenttemplates,theymaybefused,averaged,orotherwise,inordertocreateauthenticationtemplates,whichareusedforlatercomparisoninverification.

EnrollmentTemplate

Adigitalrepresentationofanindividual’sdistinctcharacteristics,representinginformationextractedfromabiometricsample.Suchtemplatesaregeneratedduringtheenrollmentprocessandutilizedinvariousways(includingaveraging,fusion,etc.)inordertogenerateanauthenticationtemplate.

EnterpriseApplications

Applicationsthatareprovidedandmanagedbytheenterprise.

EnterpriseData

Enterprisedataisanydataresidingintheenterpriseservers,ortemporarilystoredonMobileDevicestowhichtheMobileDeviceuserisallowedaccessaccordingtosecuritypolicydefinedbytheenterpriseandimplementedbytheadministrator.

EphemeralKeys

Thesekeysarestoredinvolatilememory.

FalseAcceptRate(FAR)

Astatisticusedtomeasurebiometricperformancewhenoperatinginverification,definedasthepercentageoftimesasystemproducesafalseaccept,whichoccurswhenanindividualisincorrectlymatchedtoanotherindividual’sexistingbiometric.Forexample,MalloryclaimstobeAliceandthesystemverifiestheclaim.

FalseRejectRate(FRR)

Astatisticusedtomeasurebiometricperformanceinverification,definedasthepercentageoftimesthesystemproducesafalsereject.Afalserejectoccurswhenanindividualisnotmatchedtohisorherownexistingbiometrictemplate.Forexample,JohnclaimstobeJohn,butthesystemincorrectlydeniestheclaim.

Feature(s)(Biometrics)

Distinctivemathematicalcharacteristic(s)derivedfromabiometricsample,usedtogenerateenrollmentorauthenticationtemplates.

FileEncryptionKey(FEK)

ADEKusedtoencryptafileoradirectorwhenFileEncryptionisused.FEKsareuniquetoeachencryptedfileordirectory.

Hardware-IsolatedKeys

TheOScanonlyaccessthesekeysbyreference,ifatall,duringruntime.

HybridAuthentication

AhybridauthenticationfactorisonewhereauserhastosubmitacombinationofabiometricsampleandaPINorpasswordandbothtopass.Ifeitherfactorfails,theentireattemptfails.Theusershallnotbemadeawareofwhichfactorfailed,ifeitherfails.

ImmutableHardwareKey

Thesekeysarestoredashardware-protectedrawkeyandcannotbechangedorsanitized.

KeyChaining Themethodofusingmultiplelayersofencryptionkeystoprotectdata.Atoplayerkeyencryptsalowerlayerkey,whichencryptsthedata;thismethodcanhaveanynumberoflayers.

KeyEncryptionKey(KEK)

Akeyusedtoencryptotherkeys,suchasDEKsorstoragethatcontainskeys.

LivenessDetection

Atechniqueusedtoensurethatthebiometricsamplesubmittedisfromanenduser.Alivenessdetectionmethodcanhelpprotectthesystemagainstsometypesofspoofingattacks.

LockedState Poweredonbutmostfunctionalityisunavailableforuse.Userauthenticationisrequiredtoaccessfunctionality.

MDMAgent TheMDMAgentisinstalledonaMobileDeviceasanapplicationorispartoftheMobileDevice’sOS.TheMDMAgentestablishesasecureconnectionbacktotheMDMServercontrolledbytheadministrator.

MinutiaPoint Frictionridgecharacteristicsthatareusedtoindividualizeafingerprintimage.Minutiaarethepointswherefrictionridgesbegin,terminate,orsplitintotwoormoreridges.Inmanyfingerprintsystems,theminutiapointsarecomparedforrecognitionpurposes.

MobileDevice(MD)

Adevicewhichiscomposedofahardwareplatformanditssystemsoftware.Thedevicetypicallyprovideswirelessconnectivityandmayincludesoftwareforfunctionslikesecuremessaging,email,web,VPN(VirtualPrivateNetwork)connection,andVoIP(VoiceoverIP),foraccesstotheprotectedenterprisenetwork,enterprisedataandapplications,andforcommunicatingtootherMobileDevices.

MobileDeviceManagement(MDM)

Mobiledevicemanagement(MDM)productsallowenterprisestoapplysecuritypoliciestomobiledevices.Thissystemconsistsoftwoprimarycomponents:theMDMServerandtheMDMAgent.

MobileDeviceUser(User)

TheindividualauthorizedtophysicallycontrolandoperatetheMobileDevice.Dependingontheusecase,thiscanbethedeviceowneroranindividualauthorizedbythedeviceowner.

Modality(Biometrics)

Atypeorclassofbiometricsystem,suchasfingerprintrecognition,facialrecognition,irisrecognition,voicerecognition,signature/sign,andothers.

MutableHardwareKey

Thesekeysarestoredashardware-protectedrawkeyandcanbechangedorsanitized.

NISTFingerprintImageQuality(NFIQ)

Amachine-learningalgorithmthatreflectsthepredictivepositiveornegativecontributionofanindividualsampletotheoverallperformanceofafingerprintmatchingsystem.NFIQ1.0scoresarecalculatedonascalefrom1to5,whereNFIQ=1indicateshighqualitysamplesandNFIQ=5indicatespoorqualitysamples[NFIQ1.0].NFIQ2.0scoresarecalculatedonascalefrom0to100,whereNFIQ=0indicatespoorqualitysamplesandNFIQ=100indicateshighqualitysamples[NFIQ2.0].

OperatingSystem(OS)

Softwarethatrunsatthehighestprivilegelevelandcandirectlycontrolhardwareresources.ModernMobileDevicestypicallyhaveatleasttwoprimaryoperatingsystems:one,whichrunsontheapplicationprocessorandone,whichrunsonthecellularbasebandprocessor.TheOSoftheapplicationprocessorhandlesmostuserinteractionsandprovidestheexecutionenvironmentforapps.TheOSofthecellularbasebandprocessorhandlescommunicationswiththecellularnetworkandmaycontrolotherperipherals.ThetermOS,withoutcontext,maybeassumedtorefertotheOSoftheapplicationprocessor.

PINAuthenticationFactor

APINisasetofnumericoralphabeticcharactersthatmaybeusedinadditiontoabiometricfactortoprovideahybridauthenticationfactor.Atthistimeitisnotconsideredasastand-aloneauthenticationmechanism.APINisdistinctfromapasswordinthattheallowedcharactersetandrequiredlengthofaPINistypicallysmallerthanthatofapasswordasitisdesignedtobeinputquickly.

PasswordAuthenticationFactor

Atypeofauthenticationfactorrequiringtheusertoprovideasecretsetofcharacterstogainaccess.

PoweredOffState

ThedevicehasbeenshutdownsuchthatnoTOEfunctioncanbeperformed.

PresentationAttackDetection(PAD)

Atechniqueusedtoensurethatthebiometricsamplesubmittedisfromanenduser.Apresentationattackdetectionmethodcanhelpprotectthesystemagainstsometypesofspoofingattacks.

ProtectedData(PD)

Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.

RootEncryptionKey(REK)

Akeytiedtothedeviceusedtoencryptotherkeys.

Sensitivedata SensitivedatashallbeidentifiedintheTSSsectionoftheSecurityTarget(ST)bytheSTauthor.SensitivedataisasubsetoralloftheProtecteddata.Sensitivedatamayincludealluserorenterprisedataormaybespecificapplicationdatasuchasemails,messaging,documents,calendaritems,andcontacts.Sensitivedataisprotectedwhileinthelockedstate(FDP_DAR_EXT.2).

SoftwareKeys TheOSaccesstherawbytesofthesekeysduringruntime.

TSFData DatafortheoperationoftheTSFuponwhichtheenforcementoftherequirementsrelies.

Template(Biometrics)

Adigitalrepresentationofanindividual’sdistinctcharacteristics,representinginformationextractedfromabiometricsample.ThisPPfurtherdefinesenrollmenttemplatesandauthenticationtemplates.

Threshold Ausersettingforbiometricsystemsoperatinginverification.Thresholdsarealsousedinenrollmentifenrollmenttemplatesarecreatedandcomparedtoeachother.Theacceptanceorrejectionofbiometricdatainverificationisdependentonthematchscorefallingaboveorbelowthethreshold.Thethresholdisadjustablesothatthebiometricsystemcanbemoreorlessstrict,dependingontherequirementsofanygivenbiometricapplication.

TrustAnchorDatabase

AlistoftrustedrootCertificateAuthoritycertificates.

UnenrolledState

ThestateinwhichtheMobileDeviceisnotmanaged.

UnlockedState

Poweredonanddevicefunctionalityisavailableforuse.Impliesuserauthenticationhasoccurred(whensoconfigured).

Verification(Biometrics)

Ataskwherethebiometricsystemattemptstoconfirmanindividual’sclaimedidentitybycomparingasubmittedsampletooneormorepreviouslyenrolledauthenticationtemplates.

1.3ScopeofDocumentThescopeoftheProtectionProfilewithinthedevelopmentandevaluationprocessisdescribedintheCommonCriteriaforInformationTechnologySecurityEvaluation[CC].Inparticular,aPPdefinestheITsecurityrequirementsofagenerictypeofTOEandspecifiesthefunctionalandassurancesecuritymeasurestobeofferedbythatTOEtomeetstatedrequirements[CC].

1.4IntendedReadershipThetargetaudiencesofthisPPareMobileDevicedevelopers,CCconsumers,evaluatorsandschemes.

1.5TOEOverviewThisassurancestandardspecifiesinformationsecurityrequirementsforMobileDevicesforuseinanenterprise.AMobileDeviceinthecontextofthisassurancestandardisadevice,whichiscomposedofahardwareplatformanditssystemsoftware.Thedevicetypicallyprovideswirelessconnectivityandmayincludesoftwareforfunctionslikesecuremessaging,email,web,VPNconnection,andVoIP(VoiceoverIP),foraccesstotheprotectedenterprisenetwork,enterprisedataandapplications,andforcommunicatingtootherMobileDevices.

Figure1illustratesthenetworkoperatingenvironmentoftheMobileDevice.

Figure1:MobileDeviceNetworkEnvironment

Examplesofa"MobileDevice"thatshouldclaimconformancetothisProtectionProfileincludesmartphones,tabletcomputers,andotherMobileDeviceswithsimilarcapabilities.

TheMobileDeviceprovidesessentialservices,suchascryptographicservices,data-at-restprotection,andkeystorageservicestosupportthesecureoperationofapplicationsonthedevice.Additionalsecurityfeaturessuchassecuritypolicyenforcement,applicationmandatoryaccesscontrol,anti-exploitationfeatures,userauthentication,andsoftwareintegrityprotectionareimplementedinordertoaddressthreats.

ThisassurancestandarddescribestheseessentialsecurityservicesprovidedbytheMobileDeviceandservesasafoundationforasecuremobilearchitecture.Thewirelessconnectivityshallbevalidatedagainstthe

ExtendedPackageforWLANClient.IfthemobiledevicecontainsBluetoothfunctionality(i.e.,hasBluetoothhardware),theBluetoothconnectivityshallbeevaluatedagainstthePP-ModuleforBluetooth.AsillustratedinFigure2,itisexpectedthatatypicaldeploymentwouldalsoincludeeitherthird-partyorbundledcomponents.WhetherthesecomponentsarebundledaspartoftheMobileDevicebythemanufacturerordevelopedbyathird-party,theymustbeseparatelyvalidatedagainsttherelatedassurancestandardssuchasthePP-ModuleforMDMAgent,PP-ModuleforVPNClient,andPP-ModuleforVVoIP.Itistheresponsibilityofthearchitectoftheoverallsecuremobilearchitecturetoensurevalidationofthesecomponents.Additionalapplicationsthatmaycomepre-installedontheMobileDevicethatarenotvalidatedareconsideredtobepotentiallyflawed,butnotmalicious.Examplesincludeemailclientandwebbrowser.

Figure2:OptionalAdditionalMobileDeviceComponents

1.6TOEUsageTheMobileDevicemaybeoperatedinanumberofusecases.AppendixE-UseCaseTemplatesprovidesusecasetemplatesthatlistthoseselections,assignments,andobjectiverequirementsthatbestsupporttheusecasesidentifiedbythisProtectionProfile.Inadditiontoprovidingessentialsecurityservices,theMobileDeviceincludesthenecessarysecurityfunctionalitytosupportconfigurationsforthesevarioususecases.Eachusecasemayrequireadditionalconfigurationandapplicationstoachievethedesiredsecurity.Aselectionoftheseusecasesiselaboratedbelow.

Severaloftheusecasetemplatesincludeobjectiverequirementsthatarestronglydesiredfortheindicatedusecases.Readerscanexpectthoserequirementstobemademandatoryinafuturerevisionofthisprotectionprofile,andindustryshouldaimtoincludethatsecurityfunctionalityinproductsinthenear-term.

AsofpublicationofthisversionoftheProtectionProfile,meetingtherequirementsinSection5SecurityRequirementsisnecessaryforallusecases.

[USECASE1]Enterprise-owneddeviceforgeneral-purposeenterpriseuseandlimitedpersonaluse

Anenterprise-owneddeviceforgeneral-purposebusinessuseiscommonlycalledCorporatelyOwned,PersonallyEnabled(COPE).Thisusecaseentailsasignificantdegreeofenterprisecontroloverconfigurationand,possibly,softwareinventory.TheenterpriseelectstoprovideuserswithMobileDevicesandadditionalapplications(suchasVPNoremailclients)inordertomaintaincontroloftheirEnterprisedataandsecurityoftheirnetworks.UsersmayuseInternetconnectivitytobrowsetheweboraccesscorporatemailorrunenterpriseapplications,butthisconnectivitymaybeundersignificantcontroloftheenterprise.

[USECASE2]Enterprise-owneddeviceforspecialized,high-securityuse

Anenterprise-owneddevicewithintentionallylimitednetworkconnectivity,tightlycontrolledconfiguration,andlimitedsoftwareinventoryisappropriateforspecialized,high-securityusecases.Forexample,thedevicemaynotbepermittedconnectivitytoanyexternalperipherals.ItmayonlybeabletocommunicateviaitsWi-Fiorcellularradioswiththeenterprise-runnetwork,whichmaynotevenpermitconnectivitytotheInternet.Useofthedevicemayentailcompliancewithpoliciesthataremorerestrictivethanthoseinanygeneral-purposeusecase,yetmaymitigateriskstohighlysensitiveinformation.Asinthepreviouscase,theenterprisewilllookforadditionalapplicationsprovidingenterpriseconnectivityandservicestohaveasimilarlevelofassuranceastheplatform.

[USECASE3]Personally-owneddeviceforpersonalandenterpriseuse

Apersonally-owneddevice,whichisused,forbothpersonalactivitiesandenterprisedataiscommonlycalledBringYourOwnDevice(BYOD).Thedevicemaybeprovisionedforaccesstoenterpriseresourcesaftersignificantpersonalusagehasoccurred.Unlikeintheenterprise-ownedcases,theenterpriseislimitedinwhatsecuritypoliciesitcanenforcebecausetheuserpurchasedthedeviceprimarilyforpersonaluseandisunlikelytoacceptpoliciesthatlimitthefunctionalityofthedevice.However,becausetheenterpriseallowstheuserfull(ornearlyfull)accesstotheenterprisenetwork,theenterprisewillrequiretheirownsecuritycontrolstoensurethatenterpriseresourcesareprotectedfrompotentialthreatsposedbythepersonalactivitiesonthedevice.Thesecontrolscouldpotentiallybeenforcedbyaseparationmechanismbuilt-intothedeviceitselftodistinguishbetweenenterpriseandpersonalactivities,orbyathird-partyapplicationthatprovidesaccesstoenterpriseresourcesandleveragessecuritycapabilitiesprovidedbythemobiledevice.Basedupontheoperationalenvironmentandtheacceptableriskleveloftheenterprise,thosesecurity

functionalrequirementsoutlinedinSection5SecurityRequirementsofthisPPalongwiththeselectionsintheUseCase3templatedefinedinAppendixE-UseCaseTemplatesaresufficientforthesecureimplementationofthisBYODusecase.

[USECASE4]Personally-owneddeviceforpersonalandlimitedenterpriseuse

Apersonally-owneddevice,whichisused,forbothpersonalactivitiesandenterprisedataiscommonlycalledBringYourOwnDevice(BYOD).Thisdevicemaybeprovisionedforlimitedaccesstoenterpriseresourcessuchasenterpriseemail.Becausetheuserdoesnothavefullaccesstotheenterpriseorenterprisedata,theenterprisemaynotneedtoenforceanysecuritypoliciesonthedevice.However,theenterprisemaywantsecureemailandwebbrowsingwithassurancethattheservicesbeingprovidedtothoseclientsbytheMobileDevicearenotcompromised.Basedupontheoperationalenvironmentandtheacceptableriskleveloftheenterprise,thosesecurityfunctionalrequirementsoutlinedinSection5SecurityRequirementsofthisPParesufficientforthesecureimplementationofthisBYODusecase.

2ConformanceClaimsConformanceStatement

AnSTmustclaimexactconformancetothisPP,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).ThefollowingPP-ModulesareallowedtobespecifiedinaPP-ConfigurationwiththisPP.

PP-ModuleforVPNClient,Version2.2PP-ModuleforBluetooth,Version1.0PP-ModuleforMDMAgent,Version1.0

CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(extended)ofCommonCriteriaVersion3.1,Revision5.

PPClaimThisPPdoesnotclaimconformancetoanyProtectionProfile.

PackageClaimThisPPisTLSPackageConformant.

3SecurityProblemDescription

3.1ThreatsMobiledevicesaresubjecttothethreatsoftraditionalcomputersystemsalongwiththoseentailedbytheirmobilenature.ThethreatsconsideredinthisProtectionProfilearethoseofnetworkeavesdropping,networkattacks,physicalaccess,maliciousorflawedapplications,persistentpresence,andbackupasdetailedinthefollowingsections.

T.NETWORK_EAVESDROPAnattackerispositionedonawirelesscommunicationschannelorelsewhereonthenetworkinfrastructure.AttackersmaymonitorandgainaccesstodataexchangedbetweentheMobileDeviceandotherendpoints.

T.NETWORK_ATTACKAnattackerispositionedonawirelesscommunicationschannelorelsewhereonthenetworkinfrastructure.AttackersmayinitiatecommunicationswiththeMobileDeviceoraltercommunicationsbetweentheMobileDeviceandotherendpointsinordertocompromisetheMobileDevice.Theseattacksincludemalicioussoftwareupdateofanyapplicationsorsystemsoftwareonthedevice.Theseattacksalsoincludemaliciouswebpagesoremailattachments,whichareusuallydeliveredtodevicesoverthenetwork.

T.PHYSICAL_ACCESSAnattacker,withphysicalaccess,mayattempttoaccessuserdataontheMobileDeviceincludingcredentials.Thesephysicalaccessthreatsmayinvolveattacks,whichattempttoaccessthedevicethroughexternalhardwareports,impersonatetheuserauthenticationmechanisms,throughitsuserinterface,andalsothroughdirectandpossiblydestructiveaccesstoitsstoragemedia.Note:Defendingagainstdevicere-useafterphysicalcompromiseisoutofscopeforthisProtectionProfile.

T.MALICIOUS_APPApplicationsloadedontotheMobileDevicemayincludemaliciousorexploitablecode.Thiscodecouldbeincludedintentionallyorunknowinglybythedeveloper,perhapsaspartofasoftwarelibrary.Maliciousappsmayattempttoexfiltratedatatowhichtheyhaveaccess.Theymayalsoconductattacksagainsttheplatform’ssystemsoftware,whichwillprovidethemwithadditionalprivilegesandtheabilitytoconductfurthermaliciousactivities.Maliciousapplicationsmaybeabletocontrolthedevice'ssensors(GPS,camera,microphone)togatherintelligenceabouttheuser'ssurroundingsevenwhenthoseactivitiesdonotinvolvedataresidentortransmittedfromthedevice.Flawedapplicationsmaygiveanattackeraccesstoperformnetwork-basedorphysicalattacksthatotherwisewouldhavebeenprevented

T.PERSISTENT_PRESENCEPersistentpresenceonadevicebyanattackerimpliesthatthedevicehaslostintegrityandcannotregainit.Thedevicehaslikelylostthisintegrityduetosomeotherthreatvector,yetthecontinuedaccessbyanattackerconstitutesanon-goingthreatinitself.Inthiscase,thedeviceanditsdatamaybecontrolledbyanadversaryaswellasbyitslegitimateowner.

3.2AssumptionsThespecificconditionslistedbelowareassumedtoexistintheTOE’sOperationalEnvironment.TheseincludebothpracticalrealitiesinthedevelopmentoftheTOEsecurityrequirementsandtheessentialenvironmentalconditionsontheuseoftheTOE.

A.CONFIGItisassumedthattheTOE’ssecurityfunctionsareconfiguredcorrectlyinamannertoensurethattheTOEsecuritypolicieswillbeenforcedonallapplicablenetworktrafficflowingamongtheattachednetworks.

A.NOTIFYItisassumedthatthemobileuserwillimmediatelynotifytheadministratoriftheMobileDeviceislostorstolen.

A.PRECAUTIONItisassumedthatthemobileuserexercisesprecautionstoreducetheriskoflossortheftoftheMobileDevice.

A.PROPER_USERMobileDeviceusersarenotwillfullynegligentorhostile,andusethedevicewithincomplianceofareasonableEnterprisesecuritypolicy.

3.3OrganizationalSecurityPoliciesThisdocumentdoesnotdefineanyadditionalOSPs.

4SecurityObjectives

4.1SecurityObjectivesfortheTOEO.PROTECTED_COMMS

Toaddressthenetworkeavesdropping(T.EAVESDROP)andnetworkattack(T.NETWORK)threatsdescribedinSection3.1Threats,concerningwirelesstransmissionofEnterpriseanduserdataandconfigurationdatabetweentheTOEandremotenetworkentities,conformantTOEswilluseatrustedcommunicationpath.TheTOEwillbecapableofcommunicatingusingone(ormore)ofthesestandardprotocols:IPsec,DTLS,TLS,HTTPS,orBluetooth.TheprotocolsarespecifiedbyRFCsthatofferavarietyofimplementationchoices.Requirementshavebeenimposedonsomeofthesechoices(particularlythoseforcryptographicprimitives)toprovideinteroperabilityandresistancetocryptographicattack.

WhileconformantTOEsmustsupportallofthechoicesspecifiedintheSTincludinganyoptionalSFRsdefinedinthisPP,theymaysupportadditionalalgorithmsandprotocols.Ifsuchadditionalmechanismsarenotevaluated,guidancemustbegiventotheadministratortomakeclearthefactthattheywerenotevaluated.

O.STORAGEToaddresstheissueoflossofconfidentialityofuserdataintheeventoflossofaMobileDevice(T.PHYSICAL),conformantTOEswillusedata-at-restprotection.TheTOEwillbecapableofencryptingdataandkeysstoredonthedeviceandwillpreventunauthorizedaccesstoencrypteddata.

O.CONFIGToensureaMobileDeviceprotectsuserandenterprisedatathatitmaystoreorprocess,conformantTOEswillprovidethecapabilitytoconfigureandapplysecuritypoliciesdefinedbytheuserandtheEnterpriseAdministrator.IfEnterprisesecuritypoliciesareconfiguredthesemustbeappliedinprecedenceofuserspecifiedsecuritypolicies.

O.AUTHToaddresstheissueoflossofconfidentialityofuserdataintheeventoflossofaMobileDevice(T.PHYSICAL),usersarerequiredtoenteranauthenticationfactortothedevicepriortoaccessingprotectedfunctionalityanddata.Somenon-sensitivefunctionality(e.g.,emergencycalling,textnotification)canbeaccessedpriortoenteringtheauthenticationfactor.Thedevicewillautomaticallylockfollowingaconfiguredperiodofinactivityinanattempttoensureauthorizationwillberequiredintheeventofthedevicebeinglostorstolen.

Authenticationoftheendpointsofatrustedcommunicationpathisrequiredfornetworkaccesstoensureattacksareunabletoestablishunauthorizednetworkconnectionstounderminetheintegrityofthedevice.

RepeatedattemptsbyausertoauthorizetotheTSFwillbelimitedorthrottledtoenforceadelaybetweenunsuccessfulattempts.

O.INTEGRITYToensuretheintegrityoftheMobileDeviceismaintainedconformantTOEswillperformself-teststoensuretheintegrityofcriticalfunctionality,software/firmwareanddatahasbeenmaintained.Theusershallbenotifiedofanyfailureoftheseself-tests.ThiswillprotectagainstthethreatT.PERSISTENT.

Toaddresstheissueofanapplicationcontainingmaliciousorflawedcode(T.FLAWAPP),theintegrityofdownloadedupdatestosoftware/firmwarewillbeverifiedpriortoinstallation/executionoftheobjectontheMobileDevice.Inaddition,theTOEwillrestrictapplicationstoonlyhaveaccesstothesystemservicesanddatatheyarepermittedtointeractwith.TheTOEwillfurtherprotectagainstmalicious

applicationsfromgainingaccesstodatatheyarenotauthorizedtoaccessbyrandomizingthememorylayout.

O.PRIVACYInaBYODenvironment(usecases3and4),apersonally-ownedmobiledeviceisusedforbothpersonalactivitiesandenterprisedata.Enterprisemanagementsolutionsmayhavethetechnicalcapabilitytomonitorandenforcesecuritypoliciesonthedevice.However,theprivacyofthepersonalactivitiesanddatamustbeensured.Inaddition,sincetherearelimitedcontrolsthattheenterprisecanenforceonthepersonalside,separationofpersonalandenterprisedataisneeded.ThiswillprotectagainsttheT.FLAWAPPandT.PERSISTENTthreats.

4.2SecurityObjectivesfortheOperationalEnvironmentThefollowingsecurityobjectivesfortheoperationalenvironmentassisttheOSincorrectlyprovidingitssecurityfunctionality.Thesetrackwiththeassumptionsabouttheenvironment.

OE.CONFIGTOEadministratorswillconfiguretheMobileDevicesecurityfunctionscorrectlytocreatetheintendedsecuritypolicy

OE.NOTIFYTheMobileUserwillimmediatelynotifytheadministratoriftheMobileDeviceislostorstolen.

OE.PRECAUTIONThemobiledeviceuserexercisesprecautionstoreducetheriskoflossortheftoftheMobileDevice.

OE.DATA_PROPER_USERAdministratorstakemeasurestoensurethatmobiledeviceusersareadequatelyvettedagainstmaliciousintentandaremadeawareoftheexpectationsforappropriateuseofthedevice.

4.3SecurityObjectivesRationaleThissectiondescribeshowtheassumptions,threats,andorganizationsecuritypoliciesmaptothesecurityobjectives.

Table1:SecurityObjectivesRationaleThreat,Assumption,orOSP

SecurityObjectives Rationale

T.NETWORK_EAVESDROP O.PROTECTED_COMMS ThethreatT.NETWORK_EAVESDROPiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingone(ormore)standardprotocolsasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.

O.CONFIG ThethreatT.NETWORK_EAVESDROPiscounteredbyO.CONFIGasthisprovidesasecureconfigurationofthemobiledevicetoprotectdatathatitprocesses.

O.AUTH ThethreatT.NETWORK_EAVESDROPiscounteredbyO.AUTHasthisprovidesauthenticationoftheendpointsofatrustedcommunicationpath.

T.NETWORK_ATTACK O.PROTECTED_COMMS ThethreatT.NETWORK_ATTACKiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingone(ormore)standardprotocolsasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.

O.CONFIG ThethreatT.NETWORK_ATTACKiscounteredbyO.CONFIGasthisprovidesasecureconfigurationofthemobiledevicetoprotectdatathatitprocesses.

O.AUTH ThethreatT.NETWORK_ATTACKiscounteredbyO.AUTHasthisprovidesauthenticationoftheendpointsofatrustedcommunicationpath.

T.PHYSICAL_ACCESS O.STORAGE ThethreatT.PHYSICAL_ACCESSiscounteredbyO.STORAGEasthisprovidesthecapabilitytoencryptalluserandenterprisedataandauthenticationkeystoensuretheconfidentialityofdatathatitstores.

O.AUTH ThethreatT.PHYSICAL_ACCESSiscounteredbyO.AUTHasthisprovidesthecapabilityto

authenticatetheuserpriortoaccessingprotectedfunctionalityanddata.

T.MALICIOUS_APP O.PROTECTED_COMMS ThethreatT.MALICIOUS_APPiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingone(ormore)standardprotocolsasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.

O.CONFIG ThethreatT.MALICIOUS_APPiscounteredbyO.CONFIGasthisprovidesthecapabilitytoconfigureandapplysecuritypoliciestoensuretheMobileDevicecanprotectuserandenterprisedatathatitmaystoreorprocess.

O.AUTH ThethreatT.MALICIOUS_APPiscounteredbyO.AUTHasthisprovidesthecapabilitytoauthenticatetheuserandendpointsofatrustedpathtoensuretheyarecommunicatingwithanauthorizedentitywithappropriateprivileges.

O.INTEGRITY ThethreatT.MALICIOUS_APPiscounteredbyO.INTEGRITYasthisprovidesthecapabilitytoperformself-teststoensuretheintegrityofcriticalfunctionality,software/firmwareanddatahasbeenmaintained.

O.PRIVACY ThethreatT.MALICIOUS_APPiscounteredbyO.PRIVACYasthisprovidesseparationandprivacybetweenuseractivities.

T.PERSISTENT_PRESENCE O.INTEGRITY ThethreatT.PERSISTENT_PRESENCEiscounteredbyO.INTEGRITYasthisprovidesthecapabilitytoperformself-teststoensuretheintegrityofcriticalfunctionality,software/firmwareanddatahasbeenmaintained.

O.PRIVACY ThethreatT.PERSISTENT_PRESENCEiscounteredbyO.PRIVACYasthisprovidesseparationandprivacybetweenuseractivities.

A.CONFIG OE.CONFIG TheoperationalenvironmentobjectiveOE.CONFIGisrealizedthroughA.CONFIG.

A.NOTIFY OE.NOTIFY TheoperationalenvironmentobjectiveOE.NOTIFYisrealizedthroughA.NOTIFY.

A.PRECAUTION OE.PRECAUTION TheoperationalenvironmentobjectiveOE.PRECAUTIONisrealizedthroughA.PRECAUTION.

A.PROPER_USER OE.DATA_PROPER_USER TheoperationalenvironmentobjectiveOE.DATA_PROPER_USERisrealizedthroughA.PROPER_USER.

5SecurityRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2andassurancecomponentsfromPart3of[CC].Thefollowingconventionsareusedforthecompletionofoperations:

Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."

5.1SecurityFunctionalRequirements

5.1.1Class:SecurityAudit(FAU)

FAU_GEN.1AuditDataGenerationFAU_GEN.1.1

TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:

1. Start-upandshutdownoftheauditfunctions2. Allauditableeventsforthe[notselected]levelofaudit3. Alladministrativeactions4. Start-upandshutdownoftheOS5. Insertionorremovalofremovablemedia6. SpecificallydefinedauditableeventsinTable27. [selection:Auditrecordsreaching[assignment:integervaluelessthan100]percentageofauditcapacity,SpecificallydefinedauditableeventsinTable3,[assignment:otherauditableeventsderivedfromthisProtectionProfile],[assignment:noadditionalauditableevents]]

Requirement AuditableEvents AdditionalAuditRecordContents

FAU_GEN.1 None.

FAU_STG.1 None.

FAU_STG.4 None.

FCS_CKM_EXT.1 [selection:generationofaREK,None].

Noadditionalinformation.

FCS_CKM_EXT.2 None.

FCS_CKM_EXT.3 None.

FCS_CKM_EXT.4 None.

FCS_CKM_EXT.5 [selection:Failureofthewipe,None].


FCS_CKM_EXT.6 None.

FCS_CKM.1 [selection:Failureofkeygenerationactivityforauthenticationkeys,None].


FCS_CKM.2/UNLOCKED None.

FCS_CKM.2/LOCKED None.

FCS_COP.1/ENCRYPT None.

FCS_COP.1/HASH None.

FCS_COP.1/SIGN None.

FCS_COP.1/KEYHMAC None.

FCS_COP.1/CONDITION None.

FCS_IV_EXT.1 None.

FCS_SRV_EXT.1 None.

FCS_STG_EXT.1 Importordestructionofkey.

Identityofkey.Roleandidentityofrequestor.

[selection:Exceptionstouseanddestructionrules,Nootherevents]

FCS_STG_EXT.2 None.

FCS_STG_EXT.3 Failuretoverifyintegrityofstoredkey.

Identityofkeybeingverified.

FDP_DAR_EXT.1 [selection:Failuretoencrypt/decryptdata,None].


FDP_DAR_EXT.2 Failuretoencrypt/decryptdata.


FDP_IFC_EXT.1 None.

FDP_STG_EXT.1 AdditionorremovalofcertificatefromTrustAnchorDatabase.

Subjectnameofcertificate.

FIA_PMG_EXT.1 None.

FIA_TRT_EXT.1 None.

FIA_UAU_EXT.1 None.

FIA_UAU.5 None.

FIA_UAU.7 None.

FIA_X509_EXT.1 FailuretovalidateX.509v3certificate.

Reasonforfailureofvalidation.

FMT_MOF_EXT.1 None.

FPT_AEX_EXT.1 None.

FPT_AEX_EXT.2 None.

FPT_AEX_EXT.3 None.

FPT_JTA_EXT.1 None.

FPT_KST_EXT.1 None.

FPT_KST_EXT.2 None.

FPT_KST_EXT.3 None.

FPT_NOT_EXT.1 [selection:MeasurementofTSFsoftware,None].

[selection:Integrityverificationvalue,Noadditionalinformation].

FPT_STM.1 None.

FPT_TST_EXT.1 Initiationofself-test.

[selection:Algorithmthatcausedthefailure,none]

Failureofself-test.

FPT_TST_EXT.2/PREKERNEL Start-upofTOE. Noadditionalinformation.

[selection:Detectedintegrityviolation,none]

[selection:TheTSFcodefilethatcausedtheintegrityviolation,Noadditionalinformation]

FPT_TUD_EXT.1 None.

FTA_SSL_EXT.1 None.

Table2:MandatoryAuditableEvents

Requirement AuditableEvents AdditionalAuditRecordContents

FAU_SAR.1 None.

FAU_SEL.1 Allmodificationstotheauditconfigurationthatoccurwhiletheauditcollectionfunctionsareoperating.


FCS_CKM_EXT.7 None.

FCS_DTLS_EXT.1(TLSPackage)

Failureofthecertificatevaliditycheck.

IssuerNameandSubjectNameofcertificate.

FCS_HTTPS_EXT.1 Failureofthecertificatevaliditycheck.

IssuerNameandSubjectNameofcertificate.[selection:User’sauthorizationdecision,Noadditionalinformation].

FCS_RBG_EXT.1 Failureoftherandomizationprocess.


FCS_RBG_EXT.2 None.

FCS_RBG_EXT.3 None.

FCS_SRV_EXT.2 None.

FCS_TLSC_EXT.1(TLSPackage)

Establishment/terminationofaTLSsession.

Non-TOEendpointofconnection.

FailuretoestablishaTLSsession.

Reasonforfailure.

Failuretoverifypresentedidentifier.

Presentedidentifierandreferenceidentifier.


None.


None.

FDP_ACF_EXT.1 None.

FDP_ACF_EXT.2 None.

FDP_ACF_EXT.3 None.

FDP_BCK_EXT.1 None.

FDP_PBA_EXT.1 None.

FDP_UPC_EXT.1/APPS Applicationinitiationoftrustedchannel.

Nameofapplication.Trustedchannelprotocol.Non-TOEendpointofconnection.

FDP_UPC_EXT.1/BLUETOOTH Applicationinitiationoftrustedchannel.

Nameofapplication.Trustedchannelprotocol.Non-TOEendpointofconnection.

FIA_AFL_EXT.1 Excessofauthenticationfailurelimit.

Authenticationfactorused.

FIA_BMG_EXT.1 None.

FIA_BMG_EXT.2 None.

FIA_BMG_EXT.3 None.

FIA_BMG_EXT.4 None.

FIA_BMG_EXT.5 None.

FIA_BMG_EXT.6 None.

FIA_UAU_EXT.2 Actionperformedbeforeauthentication.


FIA_UAU.6 UserchangesPasswordAuthenticationFactor.


FIA_UAU_EXT.4 None.

FIA_X509_EXT.2 Failuretoestablishconnectiontodeterminerevocationstatus.


FIA_X509_EXT.3 None.

FIA_X509_EXT.4 GenerationofCertificateEnrollmentRequest.

IssuerandSubjectnameofESTServer.Methodofauthentication.IssuerandSubjectnameofcertificateusedtoauthenticate.ContentofCertificateRequestMessage.

Successorfailureofenrollment.

IssuerandSubjectnameofaddedcertificateorreasonforfailure.

UpdateofESTTrustAnchorDatabase

SubjectnameofaddedRootCA.

FIA_X509_EXT.5 None.

FMT_SMF_EXT.1 [selection:Initiationofpolicyupdate,none].

[selection:Policyname,none].

[selection:Changeofsettings,none]

[selection:Roleofuserthatchangedsetting,Valueofnewsetting,none].

[selection:Successorfailureoffunction,none]

[selection:Roleofuserthatperformedfunction,Functionperformed,Reasonforfailure,none].

Initiationofsoftwareupdate.

Versionofupdate.

Initiationofapplicationinstallationorupdate.

Nameandversionofapplication.

FMT_SMF_EXT.2 [selection:Unenrollment,Initiationofunenrollment,none]

[selection:IdentityofadministratorRemediationactionperformed,failureofacceptingcommandtounenroll,none]

FMT_SMF_EXT.3 None.

FPT_AEX_EXT.4 None.

FPT_AEX_EXT.5 None.

FPT_AEX_EXT.6 None.

FPT_AEX_EXT.7 None.

FPT_BBD_EXT.1 None.

FPT_BLT_EXT.1 None.

FPT_NOT_EXT.2 None.

FPT_TST_EXT.2/POSTKERNEL [selection:Detectedintegrityviolation,none]

[selection:TheTSFcodefilethatcausedtheintegrityviolation,Noadditionalinformation]

FPT_TST_EXT.3 None.

FPT_TUD_EXT.2 Successorfailureofsignatureverificationforsoftwareupdates.


FPT_TUD_EXT.3 Successorfailureofsignatureverificationforapplications.


FPT_TUD_EXT.4 None.

FPT_TUD_EXT.5 None.

FPT_TUD_EXT.6 None.

FTA_TAB.1 None.

FTP_ITC_EXT.1 Initiationandterminationoftrustedchannel.

Trustedchannelprotocol.Non-TOEendpointofconnection.

Table3:AdditionalAuditableEvents

ApplicationNote:AdministratoractionsaredefinedasfunctionslabeledasmandatoryforFMT_MOF_EXT.1.2(i.e.‘M-MM’inTable7).IftheTSFdoesnotsupportremovablemedia,number4isimplicitlymet.

TheTSFmustgenerateanauditrecordforalleventscontainedinTable2.GeneratingauditrecordsforeventsinTable3iscurrentlyobjective.ItisacceptabletoincludeindividualSFRsfromTable3intheST,withoutincludingtheentiretyofTable3.

Table2ApplicationNote:FPT_TST_EXT.1–Auditofself-testsisrequiredonlyatinitialstart-up.SincetheTOE"transitionstonon-operationalmode"uponfailureofaself-test,perFPT_NOT_EXT.1,thisisconsideredequivalentevidencetoanauditrecordforthefailureofaself-test.

FDP_DAR_EXT.1-"None"mustbeselected,iftheTOEutilizeswholevolumeencryptionforprotectedmemory,sinceitisnotfeasibletoauditwhentheencryption/decryptionfails.IftheTOEutilizesfile-basedencryptionforprotecteddataandauditswhenthisencryption/decryptionfails,thenthatauditableeventshallbeselected.

Table3ApplicationNote:IftheauditeventforFMT_SMF_EXT.1isincludedintheST,itisacceptablefortheinitiationofthesoftwareupdatetobeauditedwithoutindicatingtheoutcome(successorfailure)oftheupdate.

FAU_GEN.1.2TheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:

1. Dateandtimeoftheevent2. Typeofevent3. Subjectidentity4. Theoutcome(successorfailure)oftheevent5. AdditionalinformationinTable26. [selection:AdditionalinformationinTable3,noadditionalinformation]

ApplicationNote:Thesubjectidentityisusuallytheprocessname/ID.Theeventtypeisoftenindicatedbyaseveritylevel,forexample,‘info’,‘warning’,or‘error’.

If"noadditionalauditableevents"isselectedinthesecondselectionofFAU_GEN.1.1,then"noadditionalinformation"mustbeselected.

ForeachauditeventselectedfromTable3inFAU_GEN.1.1ifadditionalinformationisrequiredtoberecordedwithintheauditrecord,itshouldbeincludedinthisselection.

EvaluationActivities

FAU_GEN.1:TSSTheevaluatorshallchecktheTSSandensurethatitlistsalloftheauditableeventsandprovidesaformatforauditrecords.Eachauditrecordformattypemustbecovered,alongwithabriefdescriptionofeachfield.TheevaluatorshallchecktomakesurethateveryauditeventtypemandatedbythePPisdescribedandthatthedescriptionofthefieldscontainstheinformationrequiredinFAU_GEN.1.2.

GuidanceTheevaluatorshallalsomakeadeterminationoftheadministrativeactionsthatarerelevantinthecontextofthisPPincludingthoselistedintheManagementsection.Theevaluatorshallexaminetheadministrativeguideandmakeadeterminationofwhichadministrativecommandsarerelatedtotheconfiguration(includingenablingordisabling)ofthemechanismsimplementedintheTOEthatarenecessarytoenforcetherequirementsspecifiedinthePP.TheevaluatorshalldocumentthemethodologyorapproachtakenwhiledeterminingwhichactionsintheadministrativeguidearesecurityrelevantwithrespecttothisPP.TheevaluatormayperformthisactivityaspartoftheactivitiesassociatedwithensuringtheAGD_OPEguidancesatisfiestherequirements.

TestsTheevaluatorshalltesttheTOE’sabilitytocorrectlygenerateauditrecordsbyhavingtheTOEgenerateauditrecordsfortheeventslistedintheprovidedtableandadministrativeactions.Thisshouldincludeallinstancesofanevent.TheevaluatorshalltestthatauditrecordsaregeneratedfortheestablishmentandterminationofachannelforeachofthecryptographicprotocolscontainedintheST.Foradministrativeactions,theevaluatorshalltestthateachactiondeterminedbytheevaluatorabovetobesecurityrelevantinthecontextofthisPPisauditable.Whenverifyingthetestresults,theevaluatorshallensuretheauditrecordsgeneratedduringtestingmatchtheformatspecifiedintheadministrativeguide,andthatthefieldsspecifiedinFAU_GEN.1.2arecontainedineachauditrecord.

Notethatthetestingherecanbeaccomplishedinconjunctionwiththetestingofthesecuritymechanismsdirectly.Forexample,testingperformedtoensurethattheadministrativeguidanceprovidediscorrectverifiesthatAGD_OPE.1issatisfiedandshouldaddresstheinvocationoftheadministrativeactionsthatareneededtoverifytheauditrecordsaregeneratedasexpected.

FAU_STG.1AuditStorageProtectionFAU_STG.1.1

TheTSFshallprotectthestoredauditrecordsintheaudittrailfromunauthorizeddeletion.

FAU_STG.1.2TheTSFshallbeabletopreventunauthorizedmodificationstothestoredauditrecordsintheaudittrail.


FAU_STG.1:TSSTheevaluatorshallensurethattheTSSliststhelocationofalllogsandtheaccesscontrolsofthosefilessuchthatunauthorizedmodificationanddeletionareprevented.

GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.

Tests

Test1:Theevaluatorshallattempttodeletetheaudittrailinamannerthattheaccesscontrolsshouldprevent(asanunauthorizeduser)andshallverifythattheattemptfails.Test2:Theevaluatorshallattempttomodifytheaudittrailinamannerthattheaccesscontrolsshouldprevent(asanunauthorizedapplication)andshallverifythattheattemptfails.

FAU_STG.4PreventionofAuditDataLossFAU_STG.4.1

TheTSFshalloverwritetheoldeststoredauditrecordsiftheaudittrailisfull.


FAU_STG.4:TSSTheevaluatorshallexaminetheTSStoensurethatitdescribesthesizelimitsontheauditrecords,thedetectionofafullaudittrail,andtheaction(s)takenbytheTSFwhentheaudittrailisfull.Theevaluatorshallensurethattheaction(s)resultsinthedeletionoroverwriteoftheoldeststoredrecord.


TestsTherearenotestevaluationactivitiesforthiscomponent.

5.1.2Class:CryptographicSupport(FCS)Thissectiondescribeshowkeysaregenerated,derived,combined,releasedanddestroyed.Therearetwomajortypesofkeys:DEKsandKEKs.(AREKisconsideredaKEK.)DEKsareusedtoprotectdata(asintheDARprotectiondescribedinFDP_DAR_EXT.1andFDP_DAR_EXT.2).KEKsareusedtoprotectotherkeys–DEKs,otherKEKs,andothertypesofkeysstoredbytheuserorapplications.Thefollowingdiagramshowsanexamplekeyhierarchytoillustratetheconceptsofthisprofile.Thisexampleisnotmeantasanapproveddesign,butSTauthorswillbeexpectedtoprovideadiagramillustratingtheirkeyhierarchyinordertodemonstratethattheymeettherequirementsofthisprofile.PleasenoteifaBAFisselectedinFIA_UAU.5.1,theBAFshallbeillustratedinthekeyhierarchydiagram,toincludeadescriptionofwhenandhowtheBAFisusedtoreleasekeys.If"hybrid"isselectedinFIA_UAU.5.1,meaningthataPINorpasswordmustbeusedinconjunctionwiththeBAFthisinteractionshallbeincluded.

Figure3:AnIllustrativeKeyHierarchy

FCS_CKM.1CryptographicKeyGenerationFCS_CKM.1.1

TheTSFshallgenerateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithm[selection:

RSAschemesusingcryptographickeysizesof2048-bitorgreaterthatmeetFIPSPUB186-4,"DigitalSignatureStandard(DSS)",Appendix

B.3,ECCschemesusing[selection:

"NISTcurves"P-384and[selection:P-256,P-521,noothercurves]thatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",AppendixB.4,Curve25519schemesthatmeetthefollowing:RFC7748

],FFCschemesusing[selection:

cryptographickeysizesof2048-bitorgreaterthatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",AppendixB.1,Diffie-Hellmangroup14thatmeetthefollowing:RFC3526,"safe-prime"groupsthatmeetthefollowing:'NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography"'

]].

ApplicationNote:TheSTauthormustselectallkeygenerationschemesusedforkeyestablishmentandentityauthentication.Whenkeygenerationisusedforkeyestablishment,theschemesinFCS_CKM.2/UNLOCKEDandselectedcryptographicprotocolsmustmatchtheselection.Whenkeygenerationisusedforentityauthentication,thepublickeymaybeassociatedwithanX.509v3certificate.

IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.

Curve25519canonlybeusedforECDHandinconjunctionwithFDP_DAR_EXT.2.2.


FCS_CKM.1:TSSTheevaluatorshallensurethattheTSSidentifiesthekeysizessupportedbytheTOE.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.

GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeygenerationscheme(s)andkeysize(s)forallusesdefinedinthisPP.

TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.

KeyGenerationforFIPSPUB186-4RSASchemes

TheevaluatorshallverifytheimplementationofRSAKeyGenerationbytheTOEusingtheKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthekeycomponentsincludingthepublicverificationexponente,theprivateprimefactorspandq,thepublicmodulusnandthecalculationoftheprivatesignatureexponentd.

KeyPairgenerationspecifies5ways(ormethods)togeneratetheprimespandq.Theseinclude:

1. RandomPrimes:ProvableprimesProbableprimes

2. PrimeswithConditions:Primesp1,p2,q1,q2,pandqshallallbeprovableprimesPrimesp1,p2,q1,andq2shallbeprovableprimesandpandqshallbeprobableprimesPrimesp1,p2,q1,q2,pandqshallallbeprobableprimes

TotestthekeygenerationmethodfortheRandomProvableprimesmethodandforallthePrimeswithConditionsmethods,theevaluatormustseedtheTSFkeygenerationroutinewithsufficientdatatodeterministicallygeneratetheRSAkeypair.Thisincludestherandomseed(s),

thepublicexponentoftheRSAkey,andthedesiredkeylength.Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25keypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.

Ifpossible,theRandomProbableprimesmethodshouldalsobeverifiedagainstaknowngoodimplementationasdescribedabove.Otherwise,theevaluatorshallhavetheTSFgenerate10keyspairsforeachsupportedkeylengthnlenandverify:

n=p*qpandqareprobablyprimeaccordingtoMiller-RabintestsGCD(p-1,e)=1GCD(q-1,e)=12^16<e<2^256andeisanoddinteger|p-q|>2^(nlen/2–100)p>=squareroot(2)*(2^(nlen/2-1))q>=squareroot(2)*(2^(nlen/2-1))2^(nlen/2)<d<LCM(p-1,q-1)e*d=1modLCM(p-1,q-1)

KeyGenerationforFIPS186-4EllipticCurveCryptography(ECC)FIPS186-4ECCKeyGenerationTest

ForeachsupportedNISTcurve,i.e.P-256,P-384andP-521,theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.Theprivatekeyshallbegeneratedusinganapprovedrandombitgenerator(RBG).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.

FIPS186-4PublicKeyVerification(PKV)Test

ForeachsupportedNISTcurve,i.e.P-256,P-384andP-521,theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodifyfiveofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

KeyGenerationforCurve25519Theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.TheprivatekeyshallbegeneratedasspecifiedinRFC7748usinganapprovedrandombitgenerator(RBG)andshallbewritteninlittle-endianorder(leastsignificantbytefirst).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.

Note:AssumingthePKVfunctionofthegoodimplementationwill(usinglittle-endianorder):

a. confirmtheprivateandpublickeysare32-bytevaluesb. confirmthethreeleastsignificantbitsofthefirstbyteoftheprivatekeyarezeroc. confirmthemostsignificantbitofthelastbyteiszerod. confirmthesecondmostsignificantbitofthelastbyteisonee. calculatetheexpectedpublickeyfromtheprivatekeyandconfirmitmatchesthesupplied

publickey

Theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodify5ofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

KeyGenerationforFinite-FieldCryptography(FFC)TheevaluatorshallverifytheimplementationoftheParametersGenerationandtheKeyGenerationforFFCbytheTOEusingtheParameterGenerationandKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthefieldprimep,thecryptographicprimeq(dividingp-1),thecryptographicgroupgeneratorg,andthecalculationoftheprivatekeyxandpublickeyy.TheParametergenerationspecifies2ways(ormethods)togeneratethecryptographicprimeqandthefieldprimep:

CryptographicandFieldPrimes:

PrimesqandpshallbothbeprovableprimesPrimesqandfieldprimepshallbothbeprobableprimes

andtwowaystogeneratethecryptographicgroupgeneratorg:

CryptographicGroupGenerator:

GeneratorgconstructedthroughaverifiableprocessGeneratorgconstructedthroughanunverifiableprocess

TheKeygenerationspecifies2waystogeneratetheprivatekeyx:

PrivateKey:

len(q)bitoutputofRBGwhere1<=x<=q-1len(q)+64bitoutputofRBG,followedbyamodq-1operationwhere1<=x<=q-1

ThesecuritystrengthoftheRBGmustbeatleastthatofthesecurityofferedbytheFFCparameterset.

Totestthecryptographicandfieldprimegenerationmethodfortheprovableprimesmethodand/orthegroupgeneratorgforaverifiableprocess,theevaluatormustseedtheTSFparametergenerationroutinewithsufficientdatatodeterministicallygeneratetheparameterset.

Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25parametersetsandkeypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.Verificationmustalsoconfirm

g!=0,1qdividesp-1g^qmodp=1g^xmodp=y

foreachFFCparametersetandkeypair.Diffie-HellmanGroup14andFFCSchemesusing"safe-prime"groupsTestingforFFCSchemesusingDiffie-Hellmangroup14and/or"safe-prime"groupsisdoneaspartoftestinginFCS_CKM.2/UNLOCKED.

FCS_CKM.2/UNLOCKEDCryptographicKeyEstablishmentFCS_CKM.2.1/UNLOCKED

TheTSFshallperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod[selection:

RSA-basedkeyestablishmentschemesthatmeetthefollowing[selection:

NISTSpecialPublication800-56B,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingIntegerFactorizationCryptography”,RSAES-PKCS1-v1_5asspecifiedinSection7.2ofRFC8017,"Public-KeyCryptographyStandards(PKCS)#1:RSACryptographySpecificationsVersion2.2"

],Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography",Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography",KeyestablishmentschemesusingDiffie-Hellmangroup14thatmeetsthefollowing:RFC3526

].

ApplicationNote:TheSTauthormustselectallkeyestablishmentschemesusedfortheselectedcryptographicprotocolsandanyRSA-basedkeyestablishmentschemesthatmaybeusedtosatisfyFDP_DARorFCS_STG.Also,FCS_TLSC_EXT.1requiresciphersuitesthatuseRSA-basedkeyestablishmentschemes.

TheRSA-basedkeyestablishmentschemesaredescribedinSection9ofNISTSP800-56B;however,Section9reliesonimplementationofothersectionsinSP800-56B.IftheTOEonlyactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.

TheellipticcurvesusedforthekeyestablishmentschememustcorrelatewiththecurvesspecifiedinFCS_CKM.1.1.

Thedomainparametersusedforthefinitefield-basedkeyestablishmentschemearespecifiedbythekeygenerationaccordingtoFCS_CKM.1.1.Thefinitefield-basedkeyestablishmentschemesthatconformtoNISTSP800-56ARevision3correspondtothe"safe-prime"groupsselectioninFCS_CKM.1.1.


FCS_CKM.2/UNLOCKED:TSSTheevaluatorshallensurethatthesupportedkeyestablishmentschemescorrespondtothekeygenerationschemesidentifiedinFCS_CKM.1.1.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.

IfDiffie-Hellmangroup14isselectedfromFCS_CKM.2/UNLOCKED,theTSSshalldescribehowtheimplementationmeetsRFC3526Section3.

GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeyestablishmentscheme(s).


TheevaluatorshallverifytheimplementationofthekeyestablishmentschemessupportedbytheTOEusingtheapplicabletestsbelow.

SP800-56ARevision3KeyEstablishmentSchemesTheevaluatorshallverifyaTOE'simplementationofSP800-56ARevision3keyaestablishmentschemesusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecificationsintheRecommendation.ThesecomponentsincludethecalculationoftheDLCprimitives(thesharedsecretvalueZ)andthecalculationofthederivedkeyingmaterial(DKM)viatheKeyDerivationFunction(KDF).Ifkeyconfirmationissupported,theevaluatorshallalsoverifythatthecomponentsofkeyconfirmationhavebeenimplementedcorrectly,usingthetestproceduresdescribedbelow.ThisincludestheparsingoftheDKM,thegenerationofMACdataandthecalculationofMACtag.

FunctionTest

TheFunctiontestverifiestheabilityoftheTOEtoimplementthekeyagreementschemescorrectly.ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementscheme-keyagreementrolecombination,KDFtype,and,ifsupported,keyconfirmationrole-keyconfirmationtypecombination,thetestershallgenerate10setsoftestvectors.Thedatasetconsistsofonesetofdomainparametervalues(FFC)ortheNISTapprovedcurve(ECC)per10setsofpublickeys.Thesekeysarestatic,ephemeralorbothdependingontheschemebeingtested.

TheevaluatorshallobtaintheDKM,thecorrespondingTOE’spublickeys(staticand/orephemeral),theMACtag(s),andanyinputsusedintheKDF,suchastheOtherInformationfieldOIandTOEidfields.

IftheTOEdoesnotuseaKDFdefinedinSP800-56ARevision3,theevaluatorshallobtainonlythepublickeysandthehashedvalueofthesharedsecret.

TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalue,derivethekeyingmaterialDKM,andcomparehashesorMACtagsgeneratedfromthesevalues.

Ifkeyconfirmationissupported,theTSFshallperformtheaboveforeachimplementedapprovedMACalgorithm.

ValidityTest

TheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresultswithorwithoutkeyconfirmation.Toconductthistest,theevaluatorshallobtainalistofthesupportingcryptographicfunctionsincludedintheSP800-56ARevision3keyagreementimplementationtodeterminewhicherrorstheTOEshouldbeabletorecognize.Theevaluatorgeneratesasetof24(FFC)or30(ECC)testvectorsconsistingofdatasetsincludingdomainparametervaluesorNISTapprovedcurves,theevaluator’spublickeys,theTOE’spublic/privatekeypairs,MACTag,andanyinputsusedintheKDF,suchastheotherinfoandTOEidfields.

TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueZ,theDKM,theotherinformationfieldOI,thedatatobeMACed,orthegeneratedMACTag.IftheTOEcontainsthefullorpartial(onlyECC)publickeyvalidation,theevaluator

willalsoindividuallyinjecterrorsinbothparties’staticpublickeys,bothparties’ephemeralpublickeysandtheTOE’sstaticprivatekeytoassuretheTOEdetectserrorsinthepublickeyvalidationfunctionand/orthepartialkeyvalidationfunction(inECConly).Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).

TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.

SP800-56BKeyEstablishmentSchemesTheevaluatorshallverifythattheTSSdescribeswhethertheTOEactsasasender,arecipient,orbothforRSA-basedkeyestablishmentschemes.

IftheTOEactsasasender,thefollowingevaluationactivityshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withorwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSApublickey,theplaintextkeyingmaterial,anyadditionalinputparametersifapplicable,theMacKeyandMacTagifkeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformakeyestablishmentencryptionoperationontheTOEwiththesameinputs(incaseswherekeyconfirmationisincorporated,thetestshallusetheMacKeyfromthetestvectorinsteadoftherandomlygeneratedMacKeyusedinnormaloperation)andensurethattheoutputtedciphertextisequivalenttotheciphertextinthetestvector.

IftheTOEactsasareceiver,thefollowingevaluationactivitiesshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsFCS_CKM.2.1/LOCKEDfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withourwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSAprivatekey,theplaintextkeyingmaterial(KeyData),anyadditionalinputparametersifapplicable,theMacTagincaseswherekeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformthekeyestablishmentdecryptionoperationontheTOEandensurethattheoutputtedplaintextkeyingmaterial(KeyData)isequivalenttotheplaintextkeyingmaterialinthetestvector.Incaseswherekeyconfirmationisincorporated,theevaluatorshallperformthekeyconfirmationstepsandensurethattheoutputtedMacTagisequivalenttotheMacTaginthetestvector.

TheevaluatorshallensurethattheTSSdescribeshowtheTOEhandlesdecryptionerrors.InaccordancewithNISTSpecialPublication800-56B,theTOEmustnotrevealtheparticularerrorthatoccurred,eitherthroughthecontentsofanyoutputtedorloggederrormessageorthroughtimingvariations.IfKTS-OAEPissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.2.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.IfKTS-KEMKWSissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.3.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.

RSAES-PKCS1-v1_5KeyEstablishmentSchemesTheevaluatorshallverifythecorrectnessoftheTSF'simplementationofRSAES-PKCS1-v1_5byusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatusesRSAES-PKCS1-v1_5.

Diffie-HellmanGroup14TheevaluatorshallverifythecorrectnessoftheTSF'simplementationofDiffie-Hellmangroup14byusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatusesDiffie-HellmanGroup14.

FFCSchemesusing"safe-prime"groupsTheevaluatorshallverifythecorrectnessoftheTSF'simplementationof"safe-prime"groupsbyusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatuses"safe-prime"groups.Thistestmustbeperformedforeach"safe-prime"groupthateachprotocoluses.

FCS_CKM.2/LOCKEDCryptographicKeyEstablishmentFCS_CKM.2.1/LOCKED

TheTSFshallperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod:[selection:

RSA-basedkeyestablishmentschemesthatmeetthefollowing:NISTSpecialPublication800-56B,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingIntegerFactorizationCryptography”,Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:[selection:

NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography",RFC7748,"EllipticCurvesforSecurity"

],Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography"

]forthepurposesofencryptingsensitivedatareceivedwhilethedeviceislocked.

ApplicationNote:TheRSA-basedkeyestablishmentschemesaredescribedinSection9ofNISTSP800-56B;however,Section9reliesonimplementationofothersectionsinSP800-56B.IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.

TheellipticcurvesusedforthekeyestablishmentschememustcorrelatewiththecurvesspecifiedinFCS_CKM.1.1.

Thedomainparametersusedforthefinitefield-basedkeyestablishmentschemearespecifiedbythekeygenerationaccordingtoFCS_CKM.1.1.


FCS_CKM.2/LOCKED:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsThetestforSP800-56ARevision3andSP800-56BkeyestablishmentschemesisperformedinassociationwithFCS_CKM.2/UNLOCKED.

Curve25519KeyEstablishmentSchemes

TheevaluatorshallverifyaTOE'simplementationofthekeyagreementschemeusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecification.ThesecomponentsincludethecalculationofthesharedsecretKandthehashofK.

FunctionTest

TheFunctiontestverifiestheabilityoftheTOEtoimplementthekeyagreementschemescorrectly.ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementroleandhashfunctioncombination,thetestershallgenerate10setsofpublickeys.Thesekeysarestatic,ephemeralorbothdependingontheschemebeingtested.

TheevaluatorshallobtainthesharedsecretvalueK,andthehashofK.

TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalueKandcomparethehashgeneratedfromthisvalue.

ValidityTest

TheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresults.Toconductthistest,theevaluatorgeneratesasetof30testvectorsconsistingofdatasetsincludingtheevaluator’spublickeysandtheTOE’spublic/privatekey

pairs.

TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueKorthehashofK.Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).

TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.

FCS_CKM_EXT.1CryptographicKeySupportFCS_CKM_EXT.1.1

TheTSFshallsupport[selection:immutablehardware,mutablehardware]REK(s)witha[selection:symmetric,asymmetric]keyofstrength[selection:112bits,128bits,192bits,256bits].

FCS_CKM_EXT.1.2EachREKshallbehardware-isolatedfromtheOSontheTSFinruntime.

FCS_CKM_EXT.1.3EachREKshallbegeneratedbyaRBGinaccordancewithFCS_RBG_EXT.1.

ApplicationNote:Eitherasymmetricorsymmetrickeysareallowed;theSTauthormakestheselectionappropriateforthedevice.Symmetrickeysmustbeofsize128or256bitsinordertocorrespondwithFCS_COP.1/ENCRYPT.AsymmetrickeysmaybeofanystrengthcorrespondingtoFCS_CKM.1.

Therawkeymaterialof"immutablehardware"REK(s)iscomputationallyprocessedbyhardwareandsoftwarecannotaccesstherawkeymaterial.Thusif"immutable-hardware"isselectedinFCS_CKM_EXT.1.1itimplicitlymeetsFCS_CKM_EXT.7.If"mutable-hardware"isselectedinFCS_CKM_EXT.1.1,FCS_CKM_EXT.7mustbeincludedintheST.

Thelackofapublic/documentedAPIforimportingorexportingtheREK,whenaprivate/undocumentedAPIexists,isnotsufficienttomeetthisrequirement.

TheRBGusedtogenerateaREKmaybeaRBGnativetothehardwarekeycontainerormaybeanoff-deviceRBG.Ifperformedbyanoff-deviceRBG,thedevicemanufacturermustnotbeabletoaccessaREKafterthemanufacturingprocesshasbeencompleted.TheEvaluationActivitiesforthesetwocasesdiffer.


FCS_CKM_EXT.1:TSSTheevaluatorshallreviewtheTSStodeterminethataREKissupportedbytheTOE,thattheTSSincludesadescriptionoftheprotectionprovidedbytheTOEforaREK,andthattheTSSincludesadescriptionofthemethodofgenerationofaREK.

TheevaluatorshallverifythatthedescriptionoftheprotectionofaREKdescribeshowanyreading,import,andexportofthatREKisprevented.(Forexample,ifthehardwareprotectingtheREKisremovable,thedescriptionshouldincludehowotherdevicesarepreventedfromreadingtheREK.)TheevaluatorshallverifythattheTSSdescribeshowencryption/decryption/derivationactionsareisolatedsoastopreventapplicationsandsystem-levelprocessesfromreadingtheREKwhileallowingencryption/decryption/derivationbythekey.

TheevaluatorshallverifythatthedescriptionincludeshowtheOSispreventedfromaccessingthememorycontainingREKkeymaterial,whichsoftwareisallowedaccesstotheREK,howanyothersoftwareintheexecutionenvironmentispreventedfromreadingthatkeymaterial,andwhatothermechanismspreventtheREKkeymaterialfrombeingwrittentosharedmemorylocationsbetweentheOSandtheseparateexecutionenvironment.

IfkeyderivationisperformedusingaREK,theevaluatorshallensurethattheTSSdescriptionincludesadescriptionofthekeyderivationfunctionandshallverifythekeyderivationusesanapprovedderivationmodeandkeyexpansionalgorithmaccordingtoFCS_CKM_EXT.3.2.

TheevaluatorshallverifythatthegenerationofaREKmeetstheFCS_RBG_EXT.1.1andFCS_RBG_EXT.1.2requirements:

IfREK(s)is/aregeneratedon-device,theTSSshallincludeadescriptionofthegenerationmechanismincludingwhattriggersageneration,howthefunctionalitydescribedbyFCS_RBG_EXT.1isinvoked,andwhetheraseparateinstanceoftheRBGisusedforREK(s).

IfREK(s)is/aregeneratedoff-device,theTSSshallincludeevidencethattheRBGmeetsFCS_RBG_EXT.1.ThiswilllikelynecessitateasecondsetofRBGdocumentationequivalenttothedocumentationprovidedfortheRBGEvaluationActivities.Inaddition,theTSSshalldescribethemanufacturingprocessthatpreventsthedevicemanufacturerfromaccessinganyREK(s).



FCS_CKM_EXT.2CryptographicKeyRandomGenerationFCS_CKM_EXT.2.1

AllDEKsshallbe[selection:randomlygenerated,fromthecombinationofarandomlygeneratedDEKwithanotherDEKorsaltinawaythatpreservestheeffectiveentropyofeachfactorby[selection:usinganXORoperation,concatenatingthekeysandusingaKDF(asdescribedinSP800-108),concatenatingthekeysandusingaKDF(asdescribedinSP800-56C)]

]withentropycorrespondingtothesecuritystrengthofAESkeysizesof[selection:128,256]bits.

ApplicationNote:TheintentofthisrequirementistoensurethattheDEKcannotberecoveredwithlessworkthanafullexhaustofthekeyspaceforAES.ThekeygenerationcapabilityoftheTOEusesaRBGimplementedontheTOEdevice(FCS_RBG_EXT.1).Either128-bitor256-bit(orboth)areallowed;theSTauthormakestheselectionappropriateforthedevice.ADEKisusedinadditiontotheKEKsothatauthenticationfactorscanbechangedwithouthavingtore-encryptalloftheuserdataonthedevice.

TheSTauthorselectsallapplicableDEKgenerationtypesimplementedbytheTOE.

SP800-56Cspecifiesatwo-stepkeyderivationprocedurethatemploysanextraction-then-expansiontechniqueforderivingkeyingmaterialfromasharedsecretgeneratedduringakeyestablishmentscheme.TheRandomnessExtractionstepasdescribedinSection5ofSP800-56CisfollowedbyKeyExpansionusingthekeyderivationfunctionsdefinedinSP800-108(asdescribedinSection6ofSP800-56C).


FCS_CKM_EXT.2:TSSTheevaluatorshallensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.

TheevaluatorshallalsoexaminethekeyhierarchysectionoftheTSStoensurethattheformationofallDEKsisdescribedandthatthekeysizesmatchthatdescribedbytheSTauthor.TheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethateachDEKisgeneratedorcombinedfromkeysofequalorgreatersecuritystrengthusingoneoftheselectedmethods.

IfthesymmetricDEKisgeneratedbyanRBG,theevaluatorshallreviewtheTSStodeterminethatitdescribeshowthefunctionalitydescribedbyFCS_RBG_EXT.1isinvoked.TheevaluatorusesthedescriptionoftheRBGfunctionalityinFCS_RBG_EXT.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeysizebeingrequestedisgreaterthanorequaltothekeysizeandmodetobeusedfortheencryption/decryptionofthedata.IftheDEKisformedfromacombination,theevaluatorshallverifythattheTSSdescribesthemethodofcombinationandthatthismethodiseitheranXORoraKDFtojustifythattheeffectiveentropyofeachfactorispreserved.TheevaluatorshallalsoverifythateachcombinedvaluewasoriginallygeneratedfromanApprovedDRBGdescribedinFCS_RBG_EXT.1.If“concatenatingthekeysandusingaKDF(asdescribedin(SP800-56C)”isselected,theevaluatorshallensuretheTSSincludesadescriptionoftherandomnessextractionstep.

ThedescriptionmustincludehowanapproveduntruncatedMACfunctionisbeingusedforthe

randomnessextractionstepandtheevaluatormustverifytheTSSdescribesthattheoutputlength(inbits)oftheMACfunctionisatleastaslargeasthetargetedsecuritystrength(inbits)oftheparametersetemployedbythekeyestablishmentscheme(seeTables1-3ofSP800-56C).

ThedescriptionmustincludehowtheMACfunctionbeingusedfortherandomnessextractionstepisrelatedtothePRFusedinthekeyexpansionandverifytheTSSdescriptionincludesthecorrectMACfunction:

IfanHMAC-hashisusedintherandomnessextractionstep,thenthesameHMAC-hash(withthesamehashfunctionhash)isusedasthePRFinthekeyexpansionstep.IfanAES-CMAC(withkeylength128,192,or256bits)isusedintherandomnessextractionstep,thenAES-CMACwitha128-bitkeyisusedasthePRFinthekeyexpansionstep.ThedescriptionmustincludethelengthsofthesaltvaluesbeingusedintherandomnessextractionstepandtheevaluatorshallverifytheTSSdescriptionincludescorrectsaltlengths:IfanHMAC-hashisbeingusedastheMAC,thesaltlengthcanbeanyvalueuptothemaximumbitlengthpermittedforinputtothehashfunctionhash.IfanAES-CMACisbeingusedastheMAC,thesaltlengthshallbethesamelengthastheAESkey(i.e.128,192,or256bits).

(conditional)IfaKDFisused,theevaluatorshallensurethattheTSSincludesadescriptionofthekeyderivationfunctionandshallverifythekeyderivationusesanapprovedderivationmodeandkeyexpansionalgorithmaccordingtoSP800-108orSP800-56C.

GuidanceTheevaluatorusesthedescriptionoftheRBGfunctionalityinFCS_RBG_EXT.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeysizebeinggeneratedorcombinedisidenticaltothekeysizeandmodetobeusedfortheencryption/decryptionofthedata.

TestsIfaKDFisused,theevaluatorshallperformoneormoreofthefollowingteststoverifythecorrectnessofthekeyderivationfunction,dependingonthemode(s)thataresupported.Table4mapsthedatafieldstothenotationsusedinSP800-108andSP800-56C.

Table4:NotationsusedinSP800-108andSP800-56C

DataFields Notations

SP800-108 SP800-56C

Pseudorandomfunction PRF PRF

Counterlength r r

LengthofoutputofPRF h h

Lengthofderivedkeyingmaterial L L

Lengthofinputvalues llength llength

PseudorandominputvaluesI K1(keyderivationkey) Z(sharedsecret)

Pseudorandomsaltvalues n/a s

RandomnessextractionMAC n/a MAC

CounterModeTests:

Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.

Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueof

stringinputaftercounter.Thelength(I_length)oftheinputvaluesI.

ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation,valueofr,andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.

Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

FeedbackModeTests:

Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotzero-lengthIVsaresupported.Whetherornotacounterisused,andifso:

Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.

Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueofstringinputaftercounter.

Thelength(I_length)oftheinputvaluesI.ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesIandpseudorandomsaltvalues.IftheKDFsupportszero-lengthIVs,fiveofthesetestvectorswillbeaccompaniedbypseudorandomIVsandtheotherfivewillusezero-lengthIVs.Ifzero-lengthIVsarenotsupported,eachtestvectorwillbeaccompaniedbyanpseudorandomIV.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.

Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.

DoublePipelineIterationModeTests:

Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotacounterisused,andifso:



Thelength(I_length)oftheinputvaluesI.ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.


FCS_CKM_EXT.3CryptographicKeyGenerationFCS_CKM_EXT.3.1

TheTSFshalluse[selection:asymmetricKEKsof[assignment:securitystrengthgreaterthanorequalto112bits]securitystrength,symmetricKEKsof[selection:128-bit,256-bit]securitystrengthcorrespondingtoatleastthesecuritystrengthofthekeysencryptedbytheKEK

].

ApplicationNote:TheSTauthorselectsallapplicableKEKtypesimplementedbytheTOE.

FCS_CKM_EXT.3.2TheTSFshallgenerateallKEKsusingoneofthefollowingmethods:

DerivetheKEKfromaPasswordAuthenticationFactoraccordingtoFCS_COP.1.1/CONDITIONand

[selection:GeneratetheKEKusinganRBGthatmeetsthisprofile(asspecifiedinFCS_RBG_EXT.1),GeneratetheKEKusingakeygenerationschemethatmeetsthisprofile(asspecifiedinFCS_CKM.1),CombinetheKEKfromotherKEKsinawaythatpreservestheeffectiveentropyofeachfactorby[selection:usinganXORoperation,concatenatingthekeysandusingaKDF(asdescribedinSP800-108),concatenatingthekeysandusingaKDF(asdescribedinSP800-56C),encryptingonekeywithanother]

].

ApplicationNote:TheconditioningofpasswordsisperformedinaccordancewithFCS_COP.1/CONDITION.

Itisexpectedthatkeygenerationderivedfromconditioning,usinganRBGorgenerationscheme,andthroughcombination,willeachbenecessarytomeettherequirementssetoutinthisdocument.Inparticular,Figure3hasKEKsofeachtype:KEK_3isgenerated,KEK_1isderivedfromaPasswordAuthenticationFactor,andKEK_2iscombinedfromtwoKEKs.InFigure3,KEK_3mayeitherbeasymmetrickeygeneratedfromanRBGoranasymmetrickeygeneratedusingakeygenerationschemeaccordingtoFCS_CKM.1.

Ifcombined,theSTauthorshalldescribewhichmethodofcombinationisusedinordertojustifythattheeffectiveentropyofeachfactorispreserved.

SP800-56Cspecifiesatwo-stepkeyderivationprocedurethatemploysanextraction-then-expansiontechniqueforderivingkeyingmaterialfromasharedsecretgeneratedduringakeyestablishmentscheme.TheRandomnessExtractionstepasdescribedinSection5ofSP800-56CisfollowedbyKeyExpansionusingthekeyderivationfunctionsdefinedinSP800-108(asdescribedinSection6ofSP800-56C).


FCS_CKM_EXT.3:TSSTheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethattheformationofallKEKsaredescribedandthatthekeysizesmatchthatdescribedbytheSTauthor.TheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethateachkey(DEKs,software-basedkeystorage,andKEKs)isencryptedbykeysofequalorgreatersecuritystrengthusingoneoftheselectedmethods.

TheevaluatorshallreviewtheTSStoverifythatitcontainsadescriptionoftheconditioningusedtoderiveKEKs.Thisdescriptionmustincludethesizeandstoragelocationofsalts.ThisactivitymaybeperformedincombinationwiththatforFCS_COP.1/CONDITION.

(conditional)IfthesymmetricKEKisgeneratedbyanRBG,theevaluatorshallreviewtheTSStodeterminethatitdescribeshowthefunctionalitydescribedbyFCS_RBG_EXT.1isinvoked.TheevaluatorusesthedescriptionoftheRBGfunctionalityinFCS_RBG_EXT.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeysizebeingrequestedisgreaterthanorequaltothekeysizeandmodetobeusedfortheencryption/decryptionofthedata.

(conditional)IftheKEKisgeneratedaccordingtoanasymmetrickeyscheme,theevaluatorshallreviewtheTSStodeterminethatitdescribeshowthefunctionalitydescribedbyFCS_CKM.1isinvoked.TheevaluatorusesthedescriptionofthekeygenerationfunctionalityinFCS_CKM.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeystrengthbeingrequestedisgreaterthanorequalto112bits.

(conditional)IftheKEKisformedfromacombination,theevaluatorshallverifythattheTSSdescribesthemethodofcombinationandthatthismethodiseitheranXOR,aKDF,orencryption.

(conditional)IfaKDFisused,theevaluatorshallensurethattheTSSincludesadescriptionofthekeyderivationfunctionandshallverifythekeyderivationusesanapprovedderivationmodeandkeyexpansionalgorithmaccordingtoSP800-108.

(conditional)If"concatenatingthekeysandusingaKDF(asdescribedin(SP800-56C)"isselected,theevaluatorshallensuretheTSSincludesadescriptionoftherandomnessextractionstep.Thedescriptionmustinclude

HowanapproveduntruncatedMACfunctionisbeingusedfortherandomnessextractionstepandtheevaluatormustverifytheTSSdescribesthattheoutputlength(inbits)oftheMACfunctionisatleastaslargeasthetargetedsecuritystrength(inbits)oftheparametersetemployedbythekeyestablishmentscheme(seeTables1-3ofSP800-56C).HowtheMACfunctionbeingusedfortherandomnessextractionstepisrelatedtothePRFusedinthekeyexpansionandverifytheTSSdescriptionincludesthecorrectMACfunction:

IfanHMAC-hashisusedintherandomnessextractionstep,thenthesameHMAC-hash(withthesamehashfunctionhash)isusedasthePRFinthekeyexpansionstep.IfanAES-CMAC(withkeylength128,192,or256bits)isusedintherandomnessextractionstep,thenAES-CMACwitha128-bitkeyisusedasthePRFinthekeyexpansionstep.

ThelengthsofthesaltvaluesbeingusedintherandomnessextractionstepandtheevaluatorshallverifytheTSSdescriptionincludescorrectsaltlengths:

IfanHMAC-hashisbeingusedastheMAC,thesaltlengthcanbeanyvalueuptothemaximumbitlengthpermittedforinputtothehashfunctionhash.IfanAES-CMACisbeingusedastheMAC,thesaltlengthshallbethesamelengthastheAESkey(i.e.128,192,or256bits).

Theevaluatorshallalsoensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.


TestsIfaKDFisused,theevaluatorshallperformoneormoreofthefollowingteststoverifythecorrectnessofthekeyderivationfunction,dependingonthemode(s)thataresupported.Table5mapsthedatafieldstothenotationsusedinSP800-108andSP800-56C.

Table5:NotationsusedinSP800-108andSP800-56C

DataFields Notations

SP800-108 SP800-56C

Pseudorandomfunction PRF PRF

Counterlength r r

LengthofoutputofPRF h h

Lengthofderivedkeyingmaterial L L

Lengthofinputvalues I_length I_length

PseudorandominputvaluesI Z(sharedsecret)

K1(keyderivationkey)

Pseudorandomsaltvalues n/a s

RandomnessextractionMAC n/a MAC

CounterModeTests:

Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.


Thelength(I_length)oftheinputvaluesI.

ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation,valueofr,andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.


FeedbackModeTests:Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:

Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotzero-lengthIVsaresupported.Whetherornotacounterisused,andifso:




ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesIandpseudorandomsaltvalues.IftheKDFsupportszero-lengthIVs,fiveofthesetestvectorswillbeaccompaniedbypseudorandomIVsandtheotherfivewillusezero-lengthIVs.Ifzero-lengthIVsarenotsupported,eachtestvectorwillbeaccompaniedbyanpseudorandomIV.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.


DoublePipelineIterationModeTests:Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:

Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotacounterisused,andifso:




ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.


FCS_CKM_EXT.4KeyDestructionFCS_CKM_EXT.4.1

TheTSFshalldestroycryptographickeysinaccordancewiththespecifiedcryptographickeydestructionmethods:

byclearingtheKEKencryptingthetargetkeyinaccordancewiththefollowingrules

Forvolatilememory,thedestructionshallbeexecutedbyasingledirectoverwrite[selection:consistingofapseudo-randompatternusingtheTSF’sRBG,consistingofzeroes].Fornon-volatileEEPROM,thedestructionshallbeexecutedbyasingledirectoverwriteconsistingofapseudorandompatternusingtheTSF’sRBG(asspecifiedinFCS_RBG_EXT.1),followedbyaread-verify.Fornon-volatileflashmemory,thatisnotwear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzerosfollowedbyaread-verify,byablockerasethaterasesthereferencetomemorythatstoresdataaswellasthedataitself].Fornon-volatileflashmemory,thatiswear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzeros,byablockerase].Fornon-volatilememoryotherthanEEPROMandflash,thedestructionshallbeexecutedbyasingledirectoverwritewitharandompatternthatischangedbeforeeachwrite.

ApplicationNote:Theclearingindicatedaboveappliestoeachintermediatestorageareaforplaintextkey/cryptographiccriticalsecurityparameter(i.e.anystorage,suchasmemorybuffers,thatisincludedinthepathofsuchdata)uponthetransferofthekey/cryptographiccriticalsecurityparametertoanotherlocation.

Becauseplaintextkeymaterialisnotallowedtobewrittentonon-volatilememory(FPT_KST_EXT.1),thesecondselectiononlyappliestokeymaterialwrittentovolatilememory.

FCS_CKM_EXT.4.2TheTSFshalldestroyallplaintextkeyingmaterialandcriticalsecurityparameterswhennolongerneeded.

ApplicationNote:Forthepurposesofthisrequirement,plaintextkeyingmaterialreferstoauthenticationdata,passwords,secret/privatesymmetrickeys,privateasymmetrickeys,datausedtoderivekeys,valuesderivedfrompasswords,etc.IfaBAFisselectedinFIA_UAU.5.1theenrollmentorauthenticationtemplatesarenotsubjecttothisrequirement,sincetemplatesarenotsuitableforderivingkeyingmaterial.However,sourcebiometricdata(i.e.

fingerprintimageorfrictionridgepattern),thefeaturesanalgorithmusestoperformbiometricauthenticationforenrollmentorverification(e.g.locationofminutia),thresholdvaluesusedinmakingthematchadjudication,intermediatevaluescalculatedwhilebuildinganenrollmentorauthenticationtemplate(i.e.directionmaps,minutiacounts,binarizedandskeletonizedrepresentationsoffrictionridgepatterns,etc.),andfinalmatchscoresareexamplesofcriticalsecurityparametersthatmustbedestroyedwhennolongerneeded.

KeydestructionproceduresareperformedinaccordancewithFCS_CKM_EXT.4.1.

Therearemultiplesituationsinwhichplaintextkeyingmaterialisnolongernecessary,includingwhentheTOEispoweredoff,whenthewipefunctionisperformed,whentrustedchannelsaredisconnected,whenkeyingmaterialisnolongerneededbythetrustedchannelpertheprotocol,andwhentransitioningtothelockedstate(forthosevaluesderivedfromthePasswordAuthenticationFactororthatkeymaterialwhichisprotectedbythepassword-derivedorbiometric-unlockedKEKaccordingtoFCS_STG_EXT.2–seeFigure3).Forkeys(orkeymaterialusedtoderivethosekeys)protectingsensitivedatareceivedinthelockedstate,"nolongerneeded"includes"whileinthelockedstate."

TrustedchannelsmayincludeTLS,HTTPS,DTLS,IPsecVPNs,BluetoothBR/EDR,andBluetoothLE.Theplaintextkeyingmaterialforthesechannelsincludes(butisnotlimitedto)mastersecrets,andSecurityAssociations(SAs).

IfREK(s)areprocessedinaseparateexecutionenvironmentonthesameApplicationProcessorastheOS,REKkeymaterialmustbeclearedfromRAMimmediatelyafteruse,andatleast,mustbewipedwhenthedeviceislocked,astheREKispartofthekeyhierarchyprotectingsensitivedata.


FCS_CKM_EXT.4:TSSTheevaluatorshallchecktoensuretheTSSlistseachtypeofplaintextkeymaterial(DEKs,software-basedkeystorage,KEKs,trustedchannelkeys,passwords,etc.)anditsgenerationandstoragelocation.

TheevaluatorshallverifythattheTSSdescribeswheneachtypeofkeymaterialiscleared(forexample,onsystempoweroff,onwipefunction,ondisconnectionoftrustedchannels,whennolongerneededbythetrustedchannelpertheprotocol,whentransitioningtothelockedstate,andpossiblyincludingimmediatelyafteruse,whileinthelockedstate,etc.).

Theevaluatorshallalsoverifythat,foreachtypeofkey,thetypeofclearingprocedurethatisperformed(cryptographicerase,overwritewithzeros,overwritewithrandompattern,orblockerase)islisted.Ifdifferenttypesofmemoryareusedtostorethematerialstobeprotected,theevaluatorshallchecktoensurethattheTSSdescribestheclearingprocedureintermsofthememoryinwhichthedataarestored.



Foreachsoftwareandfirmwarekeyclearingsituation(includingonsystempoweroff,onwipefunction,ondisconnectionoftrustedchannels,whennolongerneededbythetrustedchannelpertheprotocol,whentransitioningtothelockedstate,andpossiblyincludingimmediatelyafteruse,whileinthelockedstate)theevaluatorshallrepeatthefollowingtests.

Fortheseteststheevaluatorshallutilizeappropriatedevelopmentenvironment(e.g.aVirtualMachine)anddevelopmenttools(debuggers,simulators,etc.)totestthatkeysarecleared,includingallcopiesofthekeythatmayhavebeencreatedinternallybytheTOEduringnormalcryptographicprocessingwiththatkey.

Test1:AppliedtoeachkeyheldasplaintextinvolatilememoryandsubjecttodestructionbyoverwritebytheTOE(whetherornottheplaintextvalueissubsequentlyencryptedforstorageinvolatileornon-volatilememory).Inthecasewheretheonlyselectionmadeforthedestructionmethodkeywasremovalofpower,thenthistestisunnecessary.Theevaluatorshall:1. RecordthevalueofthekeyintheTOEsubjecttoclearing.2. CausetheTOEtoperformanormalcryptographicprocessingwiththekeyfromStep

#1.

3. CausetheTOEtoclearthekey.4. CausetheTOEtostoptheexecutionbutnotexit.5. CausetheTOEtodumptheentirememoryoftheTOEintoabinaryfile.6. SearchthecontentofthebinaryfilecreatedinStep#5forinstancesoftheknownkey

valuefromStep#1.7. BreakthekeyvaluefromStep#1into3similarsizedpiecesandperformasearch

usingeachpiece.

Steps1-6ensurethatthecompletekeydoesnotexistanywhereinvolatilememory.Ifacopyisfound,thenthetestfails.

Step7ensuresthatpartialkeyfragmentsdonotremaininmemory.Ifafragmentisfound,thereisaminusculechancethatitisnotwithinthecontextofakey(e.g.,somerandombitsthathappentomatch).IfthisisthecasethetestshouldberepeatedwithadifferentkeyinStep#1.Ifafragmentisfoundthetestfails.

Test2:Appliedtoeachkeyheldinnon-volatilememoryandsubjecttodestructionbyoverwritebytheTOE.Theevaluatorshallusespecialtools(asneeded),providedbytheTOEdeveloperifnecessary,toviewthekeystoragelocation:1. RecordthevalueofthekeyintheTOEsubjecttoclearing.2. CausetheTOEtoperformanormalcryptographicprocessingwiththekeyfromStep

#1.3. CausetheTOEtoclearthekey.4. Searchthenon-volatilememorythekeywasstoredinforinstancesoftheknownkey

valuefromStep#1.Ifacopyisfound,thenthetestfails.5. BreakthekeyvaluefromStep#1into3similarsizedpiecesandperformasearch

usingeachpiece.Ifafragmentisfoundthenthetestisrepeated(asdescribedfortest1above),andifafragmentisfoundintherepeatedtestthenthetestfails.

Test3:Appliedtoeachkeyheldasnon-volatilememoryandsubjecttodestructionbyoverwritebytheTOE.Theevaluatorshallusespecialtools(asneeded),providedbytheTOEdeveloperifnecessary,toviewthekeystoragelocation:1. RecordthestoragelocationofthekeyintheTOEsubjecttoclearing.2. CausetheTOEtoperformanormalcryptographicprocessingwiththekeyfromStep

#1.3. CausetheTOEtoclearthekey.4. ReadthestoragelocationinStep#1ofnon-volatilememorytoensuretheappropriate

patternisutilized.

Thetestsucceedsifcorrectpatternisusedtooverwritethekeyinthememorylocation.Ifthepatternisnotfoundthetestfails.

FCS_CKM_EXT.5TSFWipeFCS_CKM_EXT.5.1

TheTSFshallwipeallprotecteddataby[selection:CryptographicallyerasingtheencryptedDEKsand/ortheKEKsinnon-volatilememorybyfollowingtherequirementsinFCS_CKM_EXT.4.1,OverwritingallPDaccordingtothefollowingrules:

ForEEPROM,thedestructionshallbeexecutedbyasingledirectoverwriteconsistingofapseudorandompatternusingtheTSF’sRBG(asspecifiedinFCS_RBG_EXT.1,followedbyaread-verify.Forflashmemory,thatisnotwear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzerosfollowedbyaread-verify,byablockerasethaterasesthereferencetomemorythatstoresdataaswellasthedataitself].Forflashmemory,thatiswear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzeros,byablockerase].Fornon-volatilememoryotherthanEEPROMandflash,thedestructionshallbeexecutedbyasingledirectoverwritewitharandompatternthatischangedbeforeeachwrite.

].

ApplicationNote:Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.

FCS_CKM_EXT.5.2TheTSFshallperformapowercycleonconclusionofthewipeprocedure.


FCS_CKM_EXT.5:TSSTheevaluatorshallchecktoensuretheTSSdescribeshowthedeviceiswiped,thetypeofclearingprocedurethatisperformed(cryptographiceraseoroverwrite)and,ifoverwriteisperformed,theoverwriteprocedure(overwritewithzeros,overwritethreeormoretimesbyadifferentalternatingpattern,overwritewithrandompattern,orblockerase).

Ifdifferenttypesofmemoryareusedtostorethedatatobeprotected,theevaluatorshallchecktoensurethattheTSSdescribestheclearingprocedureintermsofthememoryinwhichthedataarestored(forexample,datastoredonflashareclearedbyoverwritingoncewithzeros,whiledatastoredontheinternalpersistentstoragedeviceareclearedbyoverwritingthreetimeswitharandompatternthatischangedbeforeeachwrite).

GuidanceTheevaluatorshallverifythattheAGDguidancedescribeshowtoenableencryption,ifitisnotenabledbydefault.AdditionallytheevaluatorshallverifythattheAGDguidancedescribeshowtoinitiatethewipecommand.

TestsEvaluationActivityNote:ThefollowingtestmayrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Test1:Theevaluatorshallperformoneofthefollowingtests.Thetestbeforeandafterthewipecommandshallbeidentical.Thistestshallberepeatedforeachtypeofmemoryusedtostorethedatatobeprotected.

Test1.1:ForFile-basedMethods:TheevaluatorshallenableencryptionaccordingtotheAGDguidance.Theevaluatorshallcreateauserdata(protecteddataorsensitivedata)file,forexample,byusinganapplication.Theevaluatorshalluseatoolprovidedbythedevelopertoexaminethisdatastoredinmemory(forexample,byexaminingadecryptedfiles).TheevaluatorshallinitiatethewipecommandaccordingtotheAGDguidanceprovidedforFMT_SMF_EXT.1.TheevaluatorshalluseatoolprovidedbythedevelopertoexaminethesamedatalocationinmemorytoverifythatthedatahasbeenwipedaccordingtothemethoddescribedintheTSS(forexample,thefilesarestillencryptedandcannotbeaccessed).Test1.2:ForVolume-basedMethods:TheevaluatorshallenableencryptionaccordingtotheAGDguidance.Theevaluatorshallcreateauniquedatastring,forexample,byusinganapplication.Theevaluatorshalluseatoolprovidedbythedevelopertosearchdecrypteddatafortheuniquestring.TheevaluatorshallinitiatethewipecommandaccordingtotheAGDguidanceprovidedforFMT_SMF_EXT.1.TheevaluatorshalluseatoolprovidedbythedevelopertosearchforthesameuniquestringindecryptedmemorytoverifythatthedatahasbeenwipedaccordingtothemethoddescribedintheTSS(forexample,thefilesarestillencryptedandcannotbeaccessed).

Test2:Theevaluatorshallcausethedevicetowipeandverifythatthewipeconcludeswithapowercycle.

FCS_CKM_EXT.6SaltGenerationFCS_CKM_EXT.6.1

TheTSFshallgenerateallsaltsusingaRBGthatmeetsFCS_RBG_EXT.1.

ApplicationNote:Thisrequirementrefersonlytosaltgeneration.Intheexamplesgiven,asaltmaybeusedaspartofthescheme/algorithm.Requirementsonnoncesand/orephemeralkeysareprovidedelsewhere,ifneeded.Thelistbelowisprovidedforclarity,inordertogiveexamplesofwheretheTSFmaybegeneratingcryptographicsalts;itisnotexhaustivenorisitintendedtomandateimplementationofalloftheseschemes/algorithms.Cryptographicsaltsaregeneratedforvarioususesincluding:

RSASSA-PSSsignaturegenerationDSAsignaturegenerationECDSAsignaturegenerationDHstatickeyagreementschemePBKDFKeyAgreementSchemeinNISTSP800-56BAESGCM


FCS_CKM_EXT.6:TSSTheevaluatorshallverifythattheTSScontainsadescriptionregardingthesaltgeneration,includingwhichalgorithmsontheTOErequiresalts.TheevaluatorshallconfirmthatthesaltisgeneratedusinganRBGdescribedinFCS_RBG_EXT.1.ForPBKDFderivationofKEKs,thisevaluationactivitymaybeperformedinconjunctionwithFCS_CKM_EXT.3.2.



FCS_COP.1/ENCRYPTCryptographicOperationFCS_COP.1.1/ENCRYPT

TheTSFshallperformencryption/decryptioninaccordancewithaspecifiedcryptographicalgorithm:

AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)modeAES-CCMP(asdefinedinFIPSPUB197,NISTSP800-38CandIEEE802.11-2012),and[selection:

AESKeyWrap(KW)(asdefinedinNISTSP800-38F),AESKeyWrapwithPadding(KWP)(asdefinedinNISTSP800-38F),AES-GCM(asdefinedinNISTSP800-38D),AES-CCM(asdefinedinNISTSP800-38C),AES-XTS(asdefinedinNISTSP800-38E)mode,AES-CCMP-256(asdefinedinNISTSP800-38CandIEEE802.11ac-2013),AES-GCMP-256(asdefinedinNISTSP800-38DandIEEE802.11ac-2013),noothermodes

]andcryptographickeysizes128-bitkeysizesand[selection:256-bitkeysizes,nootherkeysizes].

ApplicationNote:Forthefirstselection,theSTauthorshouldchoosethemodeormodesinwhichAESoperates.Forthesecondselection,theSTauthorshouldchoosethekeysizesthataresupportedbythisfunctionality.128-bitCBCandCCMParerequiredinordertocomplywithWLANClientExtendedPackage.

NotethattocomplywiththeWLANClientEP,AESCCMP(whichusesAESinCCMasspecifiedinSP800-38C)withcryptographickeysizeof128bitsmustbeimplemented.IfCCMisonlyimplementedtosupportCCMPforWLAN,AES-CCMdoesnotneedbeselected.Optionally,AES-CCMP-256orAES-GCMP-256withcryptographickeysizeof256bitsmaybeimplemented.


FCS_COP.1/ENCRYPT:TSSTherearenoTSSevaluationactivitiesforthiscomponent.



AES-CBCTestsTest1:AES-CBCKnownAnswerTests

TherearefourKnownAnswerTests(KATs),describedbelow.InallKATs,theplaintext,ciphertext,andIVvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngood

implementation.

Test1.1:KAT-1.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitall-zeroskey,andtheotherfiveshallbeencryptedwitha256-bitall-zeroskey.

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinputandAES-CBCdecryption.

Test1.2:KAT-2.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeysshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usinganall-zerociphertextvalueasinputandAES-CBCdecryption.

Test1.3:KAT-3.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluethatresultsfromAESencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondsetshallhave256256-bitkeys.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromAES-CBCdecryptionofthegivenciphertextusingthegivenkeyandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitkey/ciphertextpairs.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanall-zerosplaintextwhendecryptedwithitscorrespondingkey.

Test1.4:KAT-4.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromAES-CBCencryptionofthegivenplaintextusinga128-bitkeyvalueofallzeroswithanIVofallzerosandusinga256-bitkeyvalueofallzeroswithanIVofallzeros,respectively.Plaintextvalueiineachsetshallhavetheleftmostibitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].

TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinputandAES-CBCdecryption.

Test2:AES-CBCMulti-BlockMessageTest

Theevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1<i<=10.Theevaluatorshallchooseakey,anIVandplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.

Theevaluatorshallalsotestthedecryptfunctionalityforeachmodebydecryptingani-blockmessagewhere1<i<=10.Theevaluatorshallchooseakey,anIVandaciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyandIVusingaknowngoodimplementation.

Test3:AES-CBCMonteCarloTests

Theevaluatorshalltesttheencryptfunctionalityusingasetof200plaintext,IV,andkey3-tuples.100oftheseshalluse128bitkeys,and100shalluse256bitkeys.TheplaintextandIVvaluesshallbe128-bitblocks.Foreach3-tuple,1000iterationsshallberunasfollows:

#Input:PT,IV,Keyfori=1to1000:ifi==1:CT[1]=AES-CBC-Encrypt(Key,IV,PT)PT=IVelse:CT[i]=AES-CBC-Encrypt(Key,PT)PT=CT[i-1]

Theciphertextcomputedinthe1000thiteration(i.e.CT[1000])istheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.

Theevaluatorshalltestthedecryptfunctionalityusingthesametestasforencrypt,exchangingCTandPTandreplacingAES-CBC-EncryptwithAES-CBC-Decrypt.

AES-CCMTestsTest1:Theevaluatorshalltestthegeneration-encryptionanddecryption-verificationfunctionalityofAES-CCMforthefollowinginputparameterandtaglengths:

128bitand256bitkeys

Twopayloadlengths.Onepayloadlengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Theotherpayloadlengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).

Twoorthreeassociateddatalengths.Oneassociateddatalengthshallbe0,ifsupported.Oneassociateddatalengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Oneassociateddatalengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).Iftheimplementationsupportsanassociateddatalengthof216bytes,anassociateddatalengthof216bytesshallbetested.

Noncelengths.Allsupportednoncelengthsbetween7and13bytes,inclusive,shallbetested.

Taglengths.Allsupportedtaglengthsof4,6,8,10,12,14and16bytesshallbetested.

Totestthegeneration-encryptionfunctionalityofAES-CCM,theevaluatorshallperformthefollowingfourtests:

Test1.1:ForEACHsupportedkeyandassociateddatalengthandANYsupportedpayload,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.

Test1.2:ForEACHsupportedkeyandpayloadlengthandANYsupportedassociateddata,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.

Test1.3:ForEACHsupportedkeyandnoncelengthandANYsupportedassociateddata,payloadandtaglength,theevaluatorshallsupplyonekeyvalueand10associateddata,payloadandnoncevalue3-tuplesandobtaintheresultingciphertext.

Test1.4:ForEACHsupportedkeyandtaglengthandANYsupportedassociateddata,payloadandnoncelength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.

Todeterminecorrectnessineachoftheabovetests,theevaluatorshallcomparetheciphertextwiththeresultofgeneration-encryptionofthesameinputswithaknowngoodimplementation.

Totestthedecryption-verificationfunctionalityofAES-CCM,forEACHcombinationofsupportedassociateddatalength,payloadlength,noncelengthandtaglength,theevaluatorshallsupplyakeyvalueand15nonce,associateddataandciphertext3-tuplesandobtaineitheraFAILresultoraPASSresultwiththedecryptedpayload.Theevaluatorshallsupply10tuplesthatshouldFAILand5thatshouldPASSpersetof15.

AES-GCMTestTheevaluatorshalltesttheauthenticatedencryptfunctionalityofAES-GCMforeachcombinationofthefollowinginputparameterlengths:

128bitand256bitkeys

Twoplaintextlengths.Oneoftheplaintextlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Theotherplaintextlengthshallnotbeanintegermultipleof128bits,ifsupported.

ThreeAADlengths.OneAADlengthshallbe0,ifsupported.OneAADlengthshallbeanon-zerointegermultipleof128bits,ifsupported.OneAADlengthshallnotbeanintegermultipleof128bits,ifsupported.

TwoIVlengths.If96bitIVissupported,96bitsshallbeoneofthetwoIVlengthstested.

Test1:Theevaluatorshalltesttheencryptfunctionalityusingasetof10key,plaintext,AAD,andIVtuplesforeachcombinationofparameterlengthsaboveandobtaintheciphertextvalueandtagthatresultsfromAES-GCMauthenticatedencrypt.Eachsupportedtaglengthshallbetestedatleastoncepersetof10.TheIVvaluemaybesuppliedbytheevaluatorortheimplementationbeingtested,aslongasitisknown.

Test2:Theevaluatorshalltestthedecryptfunctionalityusingasetof10key,ciphertext,

tag,AAD,andIV5-tuplesforeachcombinationofparameterlengthsaboveandobtainaPass/FailresultonauthenticationandthedecryptedplaintextifPass.ThesetshallincludefivetuplesthatPassandfivethatFail.


XTS-AESTestTest1:TheevaluatorshalltesttheencryptfunctionalityofXTS-AESforeachcombinationofthefollowinginputparameterlengths:

256bit(forAES-128)and512bit(forAES-256)keys

Threedataunit(i.e.plaintext)lengths.Oneofthedataunitlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Oneofthedataunitlengthsshallbeanintegermultipleof128bits,ifsupported.Thethirddataunitlengthshallbeeitherthelongestsupporteddataunitlengthor216bits,whicheverissmaller.

usingasetof100(key,plaintextand128-bitrandomtweakvalue)3-tuplesandobtaintheciphertextthatresultsfromXTS-AESencrypt.

Theevaluatormaysupplyadataunitsequencenumberinsteadofthetweakvalueiftheimplementationsupportsit.Thedataunitsequencenumberisabase-10numberrangingbetween0and255thatimplementationsconverttoatweakvalueinternally.

Test2:TheevaluatorshalltestthedecryptfunctionalityofXTS-AESusingthesametestasforencrypt,replacingplaintextvalueswithciphertextvaluesandXTS-AESencryptwithXTS-AESdecrypt.

AESKeyWrap(AES-KW)andKeyWrapwithPadding(AES-KWP)TestTest1:TheevaluatorshalltesttheauthenticatedencryptionfunctionalityofAES-KWforEACHcombinationofthefollowinginputparameterlengths:

128and256bitkeyencryptionkeys(KEKs)

Threeplaintextlengths.Oneoftheplaintextlengthsshallbetwosemi-blocks(128bits).Oneoftheplaintextlengthsshallbethreesemi-blocks(192bits).Thethirddataunitlengthshallbethelongestsupportedplaintextlengthlessthanorequalto64semi-blocks(4096bits).

usingasetof100keyandplaintextpairsandobtaintheciphertextthatresultsfromAES-KWauthenticatedencryption.Todeterminecorrectness,theevaluatorshallusetheAES-KWauthenticated-encryptionfunctionofaknowngoodimplementation.

Test2:Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWusingthesametestasforauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWauthenticated-encryptionwithAES-KWauthenticated-decryption.

Test3:Theevaluatorshalltesttheauthenticated-encryptionfunctionalityofAES-KWPusingthesametestasforAES-KWauthenticated-encryptionwiththefollowingchangeinthethreeplaintextlengths:

Oneplaintextlengthshallbeoneoctet.Oneplaintextlengthshallbe20octets(160bits).

Oneplaintextlengthshallbethelongestsupportedplaintextlengthlessthanorequalto512octets(4096bits).

Test4:Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWPusingthesametestasforAES-KWPauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWPauthenticated-encryptionwithAES-KWPauthenticated-decryption.

FCS_COP.1/HASHCryptographicOperationFCS_COP.1.1/HASH

TheTSFshallperformcryptographichashinginaccordancewithaspecifiedcryptographicalgorithmSHA-1and[selection:SHA-256,SHA-384,SHA-512,nootheralgorithms]andmessagedigestsizes160and[selection:256,384,512bits,noothermessagedigestsizes]thatmeetthefollowing:FIPSPub180-4.

ApplicationNote:PerNISTSP800-131A,SHA-1forgeneratingdigital

signaturesisnolongerallowed,andSHA-1forverificationofdigitalsignaturesisstronglydiscouragedastheremayberiskinacceptingthesesignatures.ItisexpectedthatvendorswillimplementSHA-2algorithmsinaccordancewithSP800-131A.

SHA-1iscurrentlyrequiredinordertocomplywiththeWLANClientExtendedPackage.VendorsarestronglyencouragedtoimplementupdatedprotocolsthatsupporttheSHA-2family;untilupdatedprotocolsaresupported,thisPPallowssupportforSHA-1implementationsincompliancewithSP800-131A.

Theintentofthisrequirementistospecifythehashingfunction.Thehashselectionmustsupportthemessagedigestsizeselection.Thehashselectionshouldbeconsistentwiththeoverallstrengthofthealgorithmused(forexample,SHA256for128-bitkeys).

TheTSFhashingfunctionscanbeimplementedinoneoftwomodes.Thefirstmodeisthebyteorientedmode.InthismodetheTSFonlyhashesmessagesthatareanintegralnumberofbytesinlength;i.e.thelength(inbits)ofthemessagetobehashedisdivisibleby8.Thesecondmodeisthebitorientedmode.InthismodetheTSFhashesmessagesofarbitrarylength.TheTSFmayimplementeitherbit-orientedorbyte-oriented;bothimplementationsarenotrequired.


FCS_COP.1/HASH:TSSTheevaluatorshallcheckthattheassociationofthehashfunctionwithotherTSFcryptographicfunctions(forexample,thedigitalsignatureverificationfunction)isdocumentedintheTSS.TheevalutatorshallcheckthattheTSSindicatesifthehashingfunctionisimplementedinbit-orientedand/orbyte-orientedmode.

GuidanceTheevaluatorcheckstheAGDdocumentstodeterminethatanyconfigurationthatisrequiredtobedonetoconfigurethefunctionalityfortherequiredhashsizesispresent.


TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.Astherearedifferenttestsforeachmode,anindicationisgiveninthefollowingsectionsforthebitorientedvs.thebyteorientedtestmacs.

Test1:ShortMessagesTest:Bit-orientedModeTheevaluatorsdeviseaninputsetconsistingofm+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangessequentiallyfrom0tombits.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

Test2:ShortMessagesTest:Byte-orientedModeTheevaluatorsdeviseaninputsetconsistingofm/8+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tom/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

Test3:SelectedLongMessagesTest:Bit-orientedModeTheevaluatorsdeviseaninputsetconsistingofmmessages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+99*i,where1≤i≤m.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

Test4:SelectedLongMessagesTest:Byte-orientedModeTheevaluatorsdeviseaninputsetconsistingofm/8messages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+8*99*i,where1≤i≤m/8.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

Test5:PseudorandomlyGeneratedMessagesTest:Byte-orientedModeThistestisforbyteorientedimplementationsonly.Theevaluatorsrandomlygenerateaseedthatisnbitslong,wherenisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Theevaluatorsthenformulateasetof100messagesandassociateddigestsbyfollowingthealgorithmprovidedinFigure1ofSHAVS.TheevaluatorsthenensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.

FCS_COP.1/SIGNCryptographicOperationFCS_COP.1.1/SIGN

TheTSFshallperformcryptographicsignatureservices(generationandverification)inaccordancewithaspecifiedcryptographicalgorithm[selection:

RSAschemesusingcryptographickeysizesof2048-bitorgreaterthatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",Section4,ECDSAschemesusing"NISTcurves"P-384and[selection:P-256,P-521,noothercurves]thatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",Section5

].

ApplicationNote:TheSTauthorshouldchoosethealgorithmimplementedtoperformdigitalsignatures;ifmorethanonealgorithmisavailable,thisrequirementshouldbeiteratedtospecifythefunctionality.Forthealgorithmchosen,theSTauthorshouldmaketheappropriateassignments/selectionstospecifytheparametersthatareimplementedforthatalgorithm.


FCS_COP.1/SIGN:TSSTherearenoTSSevaluationactivitiesforthiscomponent.



Test1:[conditional]If"ECDSAschemes..."isselectedinFCS_COP.1.1/SIGNTest1.1:ECDSAFIPS186-4SignatureGenerationTestForeachsupportedNISTcurve(i.e.P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerate101024-bitlongmessagesandobtainforeachmessageapublickeyandtheresultingsignaturevaluesRandS.Todeterminecorrectness,theevaluatorshallusethesignatureverificationfunctionofaknowngoodimplementation.

Test1.2:ECDSAFIPS186-4SignatureVerificationTestForeachsupportedNISTcurve(i.e.P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerateasetof101024-bitmessage,publickeyandsignaturetuplesandmodifyoneofthevalues(message,publickeyorsignature)infiveofthe10tuples.Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.

Test2:[conditional]If"RSAschemes..."isselectedinFCS_COP.1.1/SIGNTest2.1:SignatureGenerationTestTheevaluatorshallverifytheimplementationofRSASignatureGenerationbytheTOEusingtheSignatureGenerationTest.Toconductthistesttheevaluatormustgenerateorobtain10messagesfromatrustedreferenceimplementationforeachmodulussize/SHAcombinationsupportedbytheTSF.TheevaluatorshallhavetheTOEusetheirprivatekeyandmodulusvaluetosignthesemessages.

TheevaluatorshallverifythecorrectnessoftheTSF’ssignatureusingaknowngoodimplementationandtheassociatedpublickeystoverifythesignatures.

Test2.2:SignatureVerificationTestTheevaluatorshallperformtheSignatureVerificationtesttoverifytheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidsignatures.TheevaluatorshallinjecterrorsintothetestvectorsproducedduringtheSignatureVerificationTestbyintroducingerrorsinsomeofthepublickeyse,messages,IRformat,and/orsignatures.TheTOEattemptstoverifythesignaturesandreturnssuccessorfailure.

TheevaluatorshallusethesetestvectorstoemulatethesignatureverificationtestusingthecorrespondingparametersandverifythattheTOEdetectstheseerrors.

FCS_COP.1/KEYHMACCryptographicOperationFCS_COP.1.1/KEYHMAC

TheTSFshallperformkeyed-hashmessageauthenticationinaccordancewithaspecifiedcryptographicalgorithmHMAC-SHA-1and[selection:HMAC-SHA-256,HMAC-SHA-384,HMAC-SHA-512,nootheralgorithms]andcryptographickeysizes[assignment:keysize(inbits)usedinHMAC]andmessagedigestsizes160and[selection:256,384,512,noother]bitsthatmeetthefollowing:FIPSPub198-1,"TheKeyed-HashMessageAuthenticationCode",andFIPSPub180-4,"SecureHashStandard".

ApplicationNote:Theselectioninthisrequirementmustbeconsistentwiththekeysizespecifiedforthesizeofthekeysusedinconjunctionwiththekeyed-hashmessageauthentication.HMAC-SHA-1iscurrentlyrequiredinordertocomplywiththeWLANClientEP.


FCS_COP.1/KEYHMAC:TSSTheevaluatorshallexaminetheTSStoensurethatitspecifiesthefollowingvaluesusedbytheHMACfunction:keylength,hashfunctionused,blocksize,andoutputMAClengthused.



Foreachofthesupportedparametersets,theevaluatorshallcompose15setsoftestdata.Eachsetshallconsistofakeyandmessagedata.TheevaluatorshallhavetheTSFgenerateHMACtagsforthesesetsoftestdata.TheresultingMACtagsshallbecomparedtotheresultofgeneratingHMACtagswiththesamekeyandIVusingaknowngoodimplementation.

FCS_COP.1/CONDITIONCryptographicOperationFCS_COP.1.1/CONDITION

TheTSFshallperformconditioninginaccordancewithaspecifiedcryptographicalgorithmHMAC-[selection:SHA-256,SHA-384,SHA-512]usingasalt,and[selection:PBKDF2with[assignment:numberofiterations]iterations,[assignment:keystretchingfuntion],nootherfunction]andoutputcryptographickeysizes[selection:128,256]thatmeetthefollowing:[selection:NISTSP800-132,nostandard].

ApplicationNote:ThekeycryptographickeysizesinthethirdselectionshouldbemadetocorrespondtotheKEKkeysizesselectedinFCS_CKM_EXT.3.

ThispasswordmustbeconditionedintoastringofbitsthatformsthesubmasktobeusedasinputintotheKEK.Conditioningcanbeperformedusingoneoftheidentifiedhashfunctionsandmayincludeakeystretchingfunction;themethodusedisselectedbytheSTauthor.Ifselected,NISTSP800-132requirestheuseofapseudo-randomfunction(PRF)consistingofHMACwithanapprovedhashfunction.TheSTauthorselectsthehashfunctionused,alsoincludestheappropriaterequirementsforHMACandthehashfunction.

AppendixAofNISTSP800-132recommendssettingtheiterationcountinordertoincreasethecomputationneededtoderiveakeyfromapasswordand,therefore,increasetheworkloadofperformingadictionaryattack.


FCS_COP.1/CONDITION:TSSTheevaluatorshallcheckthattheTSSdescribesthemethodbywhichthepasswordisfirstencodedandthenfedtotheSHAalgorithmandverifytheSHAalgorithmmatchesthefirst

selection.

Ifakeystretchingfunction,suchasPBKDF2,isselectedthesettingsforthealgorithm(padding,blocking,etc.)shallbedescribed.TheevaluatorshallverifythattheTSScontainsadescriptionofhowtheoutputofthehashfunctionorkeystretchingfunctionisusedtoformthesubmaskthatwillbeinputintothefunctionandisthesamelengthastheKEKasspecifiedinFCS_CKM_EXT.3.

IfanymanipulationofthekeyisperformedinformingthesubmaskthatwillbeusedtoformtheKEK,thatprocessshallbedescribedintheTSS.


TestsTherearenotestevaluationactivitiesforthiscomponent.Noexplicittestingoftheformationofthesubmaskfromtheinputpasswordisrequired.

FCS_HTTPS_EXT.1HTTPSProtocolFCS_HTTPS_EXT.1.1

TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.

FCS_HTTPS_EXT.1.2TheTSFshallimplementHTTPSusingTLSasdefinedinthePackageforTransportLayerSecurity.

ApplicationNote:ThePackageforTransportLayerSecuritymustbeincludedintheST,withthefollowingselectionsmade:

FCS_TLS_EXT.1:TLSmustbeselectedClientmustbeselected

FCS_HTTPS_EXT.1.3TheTSFshallnotifytheapplicationand[selection:notestablishtheconnection,requestapplicationauthorizationtoestablishtheconnection,nootheraction]ifthepeercertificateisdeemedinvalid.

ApplicationNote:Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.

If"notestablishtheconnection"isselectedthen"withnoexceptions"mustbeselectedforFCS_TLSC_EXT.1.3inthePackageforTransportLayerSecurity.If"requestapplicationauthorizationtoestablishtheconnection"isselectedthen"exceptwhenoverrideisauthorized"mustbeselectedforFCS_TLSC_EXT.1.3inthePackageforTransportLayerSecurity.If"nootheraction"isselectedeitherselectioncanbemadeinFCS_TLSC_EXT.1.3.

FMT_SMF_EXT.1Function23configureswhethertoallow/disallowtheestablishmentofatrustedchannelifthepeercertificateisdeemedinvalid.


FCS_HTTPS_EXT.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsTest1:TheevaluatorshallattempttoestablishanHTTPSconnectionwithawebserver,observethetrafficwithapacketanalyzer,andverifythattheconnectionsucceedsandthatthetrafficisidentifiedasTLSorHTTPS.

OthertestsareperformedinconjunctionwithtestinginthePackageforTransportLayerSecurity.

CertificatevalidityshallbetestedinaccordancewithtestingperformedforFIA_X509_EXT.1,andtheevaluatorshallperformthefollowingtest:

Test2:Theevaluatorshalldemonstratethatusingacertificatewithoutavalidcertification

pathresultsinanapplicationnotification.Usingtheadministrativeguidance,theevaluatorshallthenloadacertificateorcertificatestotheTrustAnchorDatabaseneededtovalidatethecertificatetobeusedinthefunction,anddemonstratethatthefunctionsucceeds.Theevaluatorthenshalldeleteoneofthecertificates,andshowthattheapplicationisnotifiedofthevalidationfailure.

FCS_IV_EXT.1InitializationVectorGenerationFCS_IV_EXT.1.1

TheTSFshallgenerateIVsinaccordancewithTable13:ReferencesandIVRequirementsforNIST-approvedCipherModes.

ApplicationNote:Table13liststherequirementsforcompositionofIVsaccordingtotheNISTSpecialPublicationsforeachciphermode.ThecompositionofIVsgeneratedforencryptionaccordingtoacryptographicprotocolisaddressedbytheprotocol.Thus,thisrequirementaddressesonlyIVsgeneratedforkeystorageanddatastorageencryption.


FCS_IV_EXT.1:TSSTheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethattheencryptionofallkeysisdescribedandtheformationoftheIVsforeachkeyencryptedbythesameKEKmeetsFCS_IV_EXT.1.



FCS_RBG_EXT.1RandomBitGenerationFCS_RBG_EXT.1.1

TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)].

FCS_RBG_EXT.1.2ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,TSF-hardware-basednoisesource]withaminimumof[selection:128bits,256bits]ofentropyatleastequaltothegreatestsecuritystrength(accordingtoNISTSP800-57)ofthekeysandhashesthatitwillgenerate.

FCS_RBG_EXT.1.3TheTSFshallbecapableofprovidingoutputoftheRBGtoapplicationsrunningontheTSFthatrequestrandombits.

ApplicationNote:SP800-90Acontainsthreedifferentmethodsofgeneratingrandomnumbers;eachofthese,inturn,dependsonunderlyingcryptographicprimitives(hashfunctions/ciphers).TheSTauthorwillselectthefunctionused,andincludethespecificunderlyingcryptographicprimitivesusedintherequirementorintheTSS.Whileanyoftheidentifiedhashfunctions(SHA-224,SHA-256,SHA-384,SHA-512)areallowedforHash_DRBGorHMAC_DRBG,onlyAES-basedimplementationsforCTR_DRBGareallowed.

TheSTauthormustalsoensurethatanyunderlyingfunctionsareincludedinthebaselinerequirementsfortheTOE.

HealthtestingoftheDRBGsisperformedinconjunctionwiththeself-testsrequiredinFPT_TST_EXT.1.1.

FortheselectioninFCS_RBG_EXT.1.2,theSTauthorselectstheappropriatenumberofbitsofentropythatcorrespondstothegreatestsecuritystrengthofthealgorithmsincludedintheST.SecuritystrengthisdefinedinTables2and3ofNISTSP800-57A.Forexample,iftheimplementationincludes2048-bitRSA(securitystrengthof112bits),AES128(securitystrength128bits),andHMAC-SHA-256(securitystrength256bits),thentheSTauthorwouldselect256bits.

TheSTauthormayselecteithersoftwareorhardwarenoisesources.Ahardware

noisesourceisacomponentthatproducesdatathatcannotbeexplainedbyadeterministicrule,duetoitsphysicalnature.Inotherwords,ahardwarebasednoisesourcegeneratessequencesofrandomnumbersfromaphysicalprocessthatcannotbepredicted.Forexample,asampledringoscillatorconsistsofanoddnumberofinvertergateschainedintoaloop,withanelectricalpulsetravelingfrominvertertoinverteraroundtheloop.Theinvertersarenotclocked,sotheprecisetimerequiredforacompletecircuitaroundtheloopvariesslightlyasvariousphysicaleffectsmodifythesmalldelaytimeateachinverteronthelinetothenextinverter.Thisvarianceresultsinanapproximatenaturalfrequencythatcontainsdriftandjitterovertime.Theoutputoftheringoscillatorconsistsoftheoscillatingbinaryvaluesampledataconstantratefromoneoftheinverters–aratethatissignificantlyslowerthantheoscillator’snaturalfrequency.


FCS_RBG_EXT.1:DocumentationshallbeproducedandtheevaluatorshallperformtheactivitiesinaccordancewithAppendixD-EntropyDocumentationAndAssessment,the"ClarificationtotheEntropyDocumentationandAssessment".

TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Development,includesthesecurityfunctionsdescribedinFCS_RBG_EXT.1.3.

TSSTherearenoTSSevaluationactivitiesforthiscomponent.

GuidanceTheevaluatorshallalsoconfirmthattheoperationalguidancecontainsappropriateinstructionsforconfiguringtheRNGfunctionality.


Theevaluatorshallperform15trialsfortheRNGimplementation.IftheRNGisconfigurable,theevaluatorshallperform15trialsforeachconfiguration.

IftheRNGhaspredictionresistanceenabled,eachtrialconsistsof(1)instantiateDRBG,(2)generatethefirstblockofrandombits(3)generateasecondblockofrandombits(4)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thenexttwoareadditionalinputandentropyinputforthefirstcalltogenerate.Thefinaltwoareadditionalinputandentropyinputforthesecondcalltogenerate.Thesevaluesarerandomlygenerated."generateoneblockofrandombits"meanstogeneraterandombitswithnumberofreturnedbitsequaltotheOutputBlockLength(asdefinedinNISTSP800-90A).

IftheRNGdoesnothavepredictionresistance,eachtrialconsistsof(1)instantiateDRBG,(2)generatethefirstblockofrandombits(3)reseed,(4)generateasecondblockofrandombits(5)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thefifthvalueisadditionalinputtothefirstcalltogenerate.Thesixthandseventhareadditionalinputandentropyinputtothecalltoreseed.Thefinalvalueisadditionalinputtothesecondgeneratecall.

Thefollowingparagraphscontainmoreinformationonsomeoftheinputvaluestobegenerated/selectedbytheevaluator.

Entropyinput:thelengthoftheentropyinputvaluemustequaltheseedlength.Nonce:Ifanonceissupported(CTR_DRBGwithnoDerivationFunctiondoesnotuseanonce),thenoncebitlengthisone-halftheseedlength.Personalizationstring:Thelengthofthepersonalizationstringmustbe�seedlength.Iftheimplementationonlysupportsonepersonalizationstringlength,thenthesamelengthcanbeusedforbothvalues.Ifmorethanonestringlengthissupport,theevaluatorshallusepersonalizationstringsoftwodifferentlengths.Iftheimplementationdoesnotuseapersonalizationstring,novalueneedstobesupplied.Additionalinput:theadditionalinputbitlengthshavethesamedefaultsandrestrictionsasthepersonalizationstringlengths.

FCS_SRV_EXT.1CryptographicAlgorithmServicesFCS_SRV_EXT.1.1

TheTSFshallprovideamechanismforapplicationstorequesttheTSFtoperformthefollowingcryptographicoperations:

Allmandatoryand[selection:selectedalgorithms,selectedalgorithmswiththeexceptionofECCovercurve25519-basedalgorithms]inFCS_CKM.2/LOCKEDThefollowingalgorithmsinFCS_COP.1/ENCRYPT:AES-CBC,[selection:AESKeyWrap,AESKeyWrapwithPadding,AES-GCM,AES-CCM,noothermodes]AllselectedalgorithmsinFCS_COP.1/SIGNAllmandatoryandselectedalgorithmsinFCS_COP.1/HASHAllmandatoryandselectedalgorithmsinFCS_COP.1/KEYHMAC[selection:

Allmandatoryand[selection:selectedalgorithms,selectedalgorithmswiththeexceptionofECCovercurve25519-basedalgorithms]inFCS_CKM.1,TheselectedalgorithmsinFCS_COP.1/CONDITION,Noothercryptographicoperations

]

ApplicationNote:ForeachofthelistedFCScomponentsinthebulletedlist,theintentisthattheTOEwillmakeavailableallalgorithmsspecifiedforthatcomponentintheST.Forexample,ifforFCS_COP.1/HASHtheSTauthorselectsSHA-256,thentheTOEwouldhavetomakeavailableaninterfacetoperformSHA-1(the"mandatory"portionofFCS_COP.1/HASH)andSHA-256(the"selected"portionofFCS_COP.1/HASH).

TheexceptionisforFCS_COP.1/ENCRYPT.TheTOEisnotrequiredtomakeavailableAES_CCMP,AES_XTS,AES_GCMP-256,orAES_CCMP_256eventhoughtheymaybeimplementedtoperformTSF-relatedfunctions.ItisacceptablefortheplatformtonotprovideAESKeyWrap(KW)andAESKeyWrapwithPadding(KWP)toapplicationsevenifselectedinFCS_COP.1/ENCRYPT.However,theSTauthorisexpectedtoselectAES-GCMand/orAES-CCMifitisselectedintheSTfortheFCS_COP.1/ENCRYPTcomponent.


FCS_SRV_EXT.1:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(cryptographicalgorithms)describedintheserequirements.



TestsTheevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestscryptographicoperationsbytheTSF.TheevaluatorshallverifythattheresultsfromtheoperationmatchtheexpectedresultsaccordingtotheAPIdocumentation.ThisapplicationmaybeusedtoassistinverifyingthecryptographicoperationEvaluationActivitiesfortheotheralgorithmservicesrequirements.

5.1.3CryptographicStorage(FCS_STG)Thefollowingrequirementsdescribehowkeysareprotected.AllkeysmustultimatelybeprotectedbyaREK,andmayoptionallybeprotectedbytheuser’sauthenticationfactor.Eachkey’sconfidentialityandintegritymustbeprotected.ThissectionalsodescribesthesecurekeystorageservicestobeprovidedbytheMobileDeviceforusebyapplicationsandusers,applyingthesamelevelofprotectionforthesekeysaskeysinternaltotheOS.

FCS_STG_EXT.1CryptographicKeyStorageFCS_STG_EXT.1.1

TheTSFshallprovide[selection:mutablehardware,software-based]securekeystorageforasymmetricprivatekeysand[selection:symmetrickeys,persistentsecrets,nootherkeys].

ApplicationNote:AhardwarekeystorecanbeexposedtotheTSFthrougha

varietyofinterfaces,includingembeddedonthemotherboard,USB,microSD,andBluetooth.

Immutablehardwareisconsideredoutsideofthisrequirementandwillbecoveredelsewhere.

IfthesecurekeystorageisimplementedinsoftwarethatisprotectedasrequiredbyFCS_STG_EXT.2,theSTauthormustselect"software-based."If"software-based"isselected,theSTauthormustselect"allsoftware-basedkeystorage"inFCS_STG_EXT.2.

Supportforsecurekeystorageforallsymmetrickeysandpersistentsecretswillberequiredinfuturerevisions.

FCS_STG_EXT.1.2TheTSFshallbecapableofimportingkeys/secretsintothesecurekeystorageuponrequestof[selection:theuser,theadministrator]and[selection:applicationsrunningontheTSF,noothersubjects].

ApplicationNote:IftheSTauthorselectsonlyuser,theSTauthormustselectfunction9inFMT_MOF_EXT.1.1.

FCS_STG_EXT.1.3TheTSFshallbecapableofdestroyingkeys/secretsinthesecurekeystorageuponrequestof[selection:theuser,theadministrator].

ApplicationNote:IftheSTauthorselectsonlyuser,theSTauthormustselectfunction10inFMT_MOF_EXT.1.1.

FCS_STG_EXT.1.4TheTSFshallhavethecapabilitytoallowonlytheapplicationthatimportedthekey/secrettheuseofthekey/secret.Exceptionsmayonlybeexplicitlyauthorizedby[selection:theuser,theadministrator,acommonapplicationdeveloper].

ApplicationNote:IftheSTauthorselectsuseroradministrator,theSTauthormustalsoselectfunction34inFMT_SMF_EXT.1.1.IftheSTAuthorselectsonlyuser,theSTauthormustselectfunction34inFMT_MOF_EXT.1.1.

FCS_STG_EXT.1.5TheTSFshallallowonlytheapplicationthatimportedthekey/secrettorequestthatthekey/secretbedestroyed.Exceptionsmayonlybeexplicitlyauthorizedby[selection:theuser,theadministrator,acommonapplicationdeveloper].

ApplicationNote:IftheSTauthorselectsuseroradministrator,theSTauthormustalsoselectfunction35inFMT_SMF_EXT.1.1.IftheSTauthorselectsonlyuser,theSTauthormustselectfunction35inFMT_MOF_EXT.1.1.


FCS_STG_EXT.1:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(import,use,anddestruction)describedintheserequirements.TheAPIdocumentationshallincludethemethodbywhichapplicationsrestrictaccesstotheirkeys/secretsinordertomeetFCS_STG_EXT.1.4".

TSSTheevaluatorshallreviewtheTSStodeterminethattheTOEimplementstherequiredsecurekeystorage.TheevaluatorshallensurethattheTSScontainsadescriptionofthekeystoragemechanismthatjustifiestheselectionof"mutablehardware"or"software-based".

GuidanceTheevaluatorshallreviewtheAGDguidancetodeterminethatitdescribesthestepsneededtoimportordestroykeys/secrets.

TestsTheevaluatorshalltestthefunctionalityofeachsecurityfunction:

Test1:Theevaluatorshallimportkeys/secretsofeachsupportedtypeaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatgeneratesakey/secretofeachsupportedtypeandcallstheimportfunctions.Theevaluatorshallverifythatnoerrorsoccurduringimport.

Test2:Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatusesanimportedkey/secret:

ForRSA,thesecretshallbeusedtosigndata.ForECDSA,thesecretshallbeusedtosigndata

Inthefutureadditionaltypeswillberequiredtobetested:Forsymmetricalgorithms,thesecretshallbeusedtoencryptdata.Forpersistentsecrets,thesecretshallbecomparedtotheimportedsecret.

Theevaluatorshallrepeatthistestwiththeapplication-importedkeys/secretsandadifferentapplication’simportedkeys/secrets.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtousethekey/secretimportedbytheuserorbyadifferentapplication:

Theevaluatorshalldenytheapprovalstoverifythattheapplicationisnotabletousethekey/secretasdescribed.Theevaluatorshallrepeatthetest,allowingtheapprovalstoverifythattheapplicationisabletousethekey/secretasdescribed.

IftheSTauthorhasselected"commonapplicationdeveloper",thistestisperformedbyeitherusingapplicationsfromdifferentdevelopersorappropriately(accordingtoAPIdocumentation)notauthorizingsharing.

Test3:Theevaluatorshalldestroykeys/secretsofeachsupportedtypeaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatdestroysanimportedkey/secret.

Theevaluatorshallrepeatthistestwiththeapplication-importedkeys/secretsandadifferentapplication’simportedkeys/secrets.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtodestroythekey/secretimportedbytheadministratororbyadifferentapplication:

Theevaluatorshalldenytheapprovalsandverifythattheapplicationisstillabletousethekey/secretasdescribed.Theevaluatorshallrepeatthetest,allowingtheapprovalsandverifyingthattheapplicationisnolongerabletousethekey/secretasdescribed.

IftheSTauthorhasselected"commonapplicationdeveloper",thistestisperformedbyeitherusingapplicationsfromdifferentdevelopersorappropriately(accordingtoAPIdocumentation)notauthorizingsharing.

FCS_STG_EXT.2EncryptedCryptographicKeyStorageFCS_STG_EXT.2.1

TheTSFshallencryptallDEKs,KEKs,[assignment:anylong-termtrustedchannelkeymaterial]and[selection:allsoftware-basedkeystorage,nootherkeys]byKEKsthatare[selection:

ProtectedbytheREKwith[selection:encryptionbyaREK,encryptionbyaKEKchainingfromaREK,encryptionbyaKEKthatisderivedfromaREK

],ProtectedbytheREKandthepasswordwith[selection:

encryptionbyaREKandthepassword-derivedKEK,encryptionbyaKEKchainingtoaREKandthepassword-derivedorbiometric-unlockedKEK,encryptionbyaKEKthatisderivedfromaREKandthepassword-derivedorbiometric-unlockedKEK

]].

ApplicationNote:TheSTauthormustselect"allsoftware-basedkeystorage"if"software-based"isselectedinFCS_STG_EXT.1.1.IftheSTauthorselects"mutablehardware"inFCS_STG_EXT.1.1,thesecurekeystorageisnotsubjecttothisrequirement.REKsarenotsubjecttothisrequirement.

AREKandthepassword-derivedKEKmaybecombinedtoformacombinedKEK(asdescribedinFCS_CKM_EXT.3)inordertomeetthisrequirement.

Software-basedkeystoragemustbeprotectedbythepasswordorbiometricandREK.

AllkeysmustultimatelybeprotectedbyaREK.Inparticular,Figure3hasKEKsprotectedaccordingtotheserequirements:DEK_1meetsthe"encryptionbyaREKandthepassword-derivedKEK"caseandwouldbeappropriateforsensitivedata,DEK_2meetsthe"encryptionbyaKEKchainingfromaREK"caseandwouldnotbeappropriateforsensitivedata,K_1meetsthe"encryptionbya

REK"caseandisnotconsideredasensitivekey,andK_2meetsthe"encryptionbyaKEKchainingtoaREKandthepassword-derivedorbiometric-unlockedKEK"caseandisconsideredasensitivekey.

Long-termtrustedchannelkeymaterialincludesWi-Fi(PSKs),IPsec(PSKsandclientcertificates)andBluetoothkeys.Thesekeysmustnotbeprotectedbythepassword,astheymaybenecessaryinthelockedstate.Forclarity,theSTauthormustassignanyLong-termtrustedchannelkeymaterialsupportedbytheTOE.Ataminimum,aTOEmustsupportatleastWi-FiandBluetoothkeys.

FCS_STG_EXT.2.2DEKs,KEKs,[assignment:anylong-termtrustedchannelkeymaterial]and[selection:allsoftware-basedkeystorage,nootherkeys]shallbeencryptedusingoneofthefollowingmethods:[selection:

usingaSP800-56Bkeyestablishmentscheme,usingAESinthe[selection:KeyWrap(KW)mode,KeyWrapwithPadding(KWP)mode,GCM,CCM,CBCmode]

].

ApplicationNote:TheSTauthorselectswhichkeyencryptionschemesareusedbytheTOE.ThisrequirementrefersonlytoKEKsasdefinedthisPPanddoesnotrefertothoseKEKsspecifiedinotherstandards.TheSTauthormustassignthesameLong-termtrustedchannelkeymaterialassignedinFCS_STG_EXT.2.1.


FCS_STG_EXT.2:TSSTheevaluatorshallreviewtheTSStodeterminethattheTSSincludeskeyhierarchydescriptionoftheprotectionofeachDEKfordata-at-rest,ofsoftware-basedkeystorage,oflong-termtrustedchannelkeys,andofKEKrelatedtotheprotectionoftheDEKs,long-termtrustedchannelkeys,andsoftware-basedkeystorage.ThisdescriptionmustincludeadiagramillustratingthekeyhierarchyimplementedbytheTOEinordertodemonstratethattheimplementationmeetsFCS_STG_EXT.2.ThedescriptionshallindicatehowthefunctionalitydescribedbyFCS_RBG_EXT.1isinvokedtogenerateDEKs(FCS_CKM_EXT.2),thekeysize(FCS_CKM_EXT.2andFCS_CKM_EXT.3)foreachkey,howeachKEKisformed(generated,derived,orcombinedaccordingtoFCS_CKM_EXT.3),theintegrityprotectionmethodforeachencryptedkey(FCS_STG_EXT.3),andtheIVgenerationforeachkeyencryptedbythesameKEK(FCS_IV_EXT.1).Moredetailforeachtaskfollowsthecorrespondingrequirement.


GuidanceTherearenoguidanceevaluationactivitiesforthiselement.

TestsTherearenotestevaluationactivitiesforthiselement.TSSTheevaluatorshallexaminethekeyhierarchydescriptionintheTSSsectiontoverifythateachDEKandsoftware-storedkeyisencryptedaccordingtoFCS_STG_EXT.2.


TestsTherearenotestevaluationactivitiesforthiselement.

FCS_STG_EXT.3IntegrityofEncryptedKeyStorageFCS_STG_EXT.3.1

TheTSFshallprotecttheintegrityofanyencryptedDEKsandKEKsand[selection:long-termtrustedchannelkeymaterial,allsoftware-basedkeystorage,nootherkeys]by[selection:

[selection:GCM,CCM,KeyWrap,KeyWrapwithPadding]ciphermodeforencryptionaccordingtoFCS_STG_EXT.2,

ahash(FCS_COP.1/HASH)ofthestoredkeythatisencryptedbyakeyprotectedbyFCS_STG_EXT.2,akeyedhash(FCS_COP.1/KEYHMAC)usingakeyprotectedbyakeyprotectedbyFCS_STG_EXT.2,adigitalsignatureofthestoredkeyusinganasymmetrickeyprotectedaccordingtoFCS_STG_EXT.2,animmediateapplicationofthekeyfordecryptingtheprotecteddatafollowedbyasuccessfulverificationofthedecrypteddatawithpreviouslyknowninformation

].

ApplicationNote:TheSTauthormustassignthesameLong-termtrustedchannelkeymaterialassignedinFCS_STG_EXT.2.1.

FCS_STG_EXT.3.2TheTSFshallverifytheintegrityofthe[selection:hash,digitalsignature,MAC]ofthestoredkeypriortouseofthekey.

ApplicationNote:Thisrequirementisnotapplicabletoderivedkeysthatarenotstored.Itisnotexpectedthatasinglekeywillbeprotectedfromcorruptionbymultipleofthesemethods;however,aproductmayuseoneintegrity-protectionmethodforonetypeofkeyandadifferentmethodforothertypesofkeys.TheexplicitEvaluationActivitiesforeachoftheoptionswillbeaddressedineachoftherequirements(FCS_COP.1.1/HASH,FCS_COP.1.1/KEYHMAC).

KeyWrappingmustbeimplementedperSP800-38F.


FCS_STG_EXT.3:TSSTheevaluatorshallexaminethekeyhierarchydescriptionintheTSSsectiontoverifythateachencryptedkeyisintegrityprotectedaccordingtooneoftheoptionsinFCS_STG_EXT.3.




5.1.4Class:UserDataProtection(FDP)AsubsetoftheUserDataProtectionfocusesonprotectingData-At-Rest,namelyFDP_DAR_EXT.1andFDP_DAR_EXT.2.Threelevelsofdata-at-restprotectionareaddressed:TSFdata,ProtectedData(andkeys),andsensitivedata.Table6addressesthelevelofprotectionrequiredforeachlevelofdata-at-rest.

Table6:ProtectionofDataLevels

DataLevel ProtectionRequired

TSFData TSFdatadoesnotrequireconfidentiality,butdoesrequireintegrityprotection.(FPT_TST_EXT.2/PREKERNEL)

ProtectedData

Protecteddataisencryptedwhilepoweredoff.(FDP_DAR_EXT.1)

SensitiveData

Sensitivedataisencryptedwhileinthelockedstate,inadditiontowhilepoweredoff.(FDP_DAR_EXT.2)

Allkeys,protecteddata,andsensitivedatamustultimatelybeprotectedbytheREK.SensitivedatamustbeprotectedbythepasswordinadditiontotheREK.Inparticular,Figure3hasKEKsprotectedaccordingtotheserequirements:DEK_1wouldbeappropriateforsensitivedata,DEK_2wouldnotbeappropriateforsensitivedata,K_1isnotconsideredasensitivekey,andK_2isconsideredasensitivekey.

Theserequirementsincludeacapabilityforencryptingsensitivedatareceivedwhileinthelockedstate,whichmaybeconsideredaseparatesub-categoryofsensitivedata.Thiscapabilitymaybemetbyakey

transportscheme(RSA)byusingapublickeytoencrypttheDEKwhileprotectingthecorrespondingprivatekeywithapassword-derivedorbiometric-unlockedKEK.

Thiscapabilitymayalsobemetbyakeyagreementscheme.Todoso,thedevicegeneratesadevice-widesensitivedataasymmetricpair(theprivatekeyofwhichisprotectedbyapassword-derivedorbiometric-unlockedKEK)andanasymmetricpairforthereceivedsensitivedatatobestored.Inordertostorethesensitivedata,thedevice-widepublickeyanddataprivatekeyareusedtogenerateasharedsecret,whichcanbeusedasaKEKoraDEK.Thedataprivatekeyandsharedsecretareclearedafterthedataisencryptedandthedatapublickeystored.Thus,nokeymaterialisavailableinthelockedstatetodecryptthenewlystoreddata.Uponunlock,thedevice-wideprivatekeyisdecryptedandisusedwitheachdatapublickeytoregeneratethesharedsecretanddecryptthestoreddata.Figure4,below,illustratesthisscheme.

Figure4:KeyAgreementSchemeforEncryptingReceivedSensitiveDataintheLockedState

FDP_ACF_EXT.1AccessControlforSystemServicesFDP_ACF_EXT.1.1

TheTSFshallprovideamechanismtorestrictthesystemservicesthatareaccessibletoanapplication.

ApplicationNote:Examplesofsystemservicestowhichthisrequirementappliesinclude:

obtaindatafromcameraandmicrophoneinputdevicesobtaincurrentdevicelocationretrievecredentialsfromsystem-widecredentialstoreretrievecontactslist/addressbookretrievestoredpicturesretrievetextmessagesretrieveemailsretrievedeviceidentifierinformationobtainnetworkaccess

FDP_ACF_EXT.1.2TheTSFshallprovideanaccesscontrolpolicythatprevents[selection:application,groupsofapplications]fromaccessing[selection:all,private]datastoredbyother[selection:application,groupsofapplications].Exceptionsmayonlybeexplicitlyauthorizedforsuchsharingby[selection:theuser,theadministrator,acommonapplicationdeveloper,noone].

ApplicationNote:ApplicationgroupsmaybedesignatedEnterpriseorPersonal.ApplicationsinstalledbytheuserdefaulttobeinginthePersonalapplicationgroupunlessotherwisedesignatedbytheadministratorinfunction43ofFMT_SMF_EXT.1.1.ApplicationsinstalledbytheadministratordefaulttobeingintheEnterpriseapplicationgroup(thiscategoryincludesapplications

thattheuserrequeststheadministratorinstall,forinstancebyselectingtheapplicationforinstallationthroughanenterpriseapplicationcatalog)unlessotherwisedesignatedbytheadministratorinfunction43ofFMT_SMF_EXT.1.1.Itisacceptableforthesameapplicationtohavemultipleinstancesinstalled,eachindifferentapplicationgroups.Privatedataisdefinedasdatathatisaccessibleonlybytheapplicationthatwroteit.Privatedataisdistinguishedfromdatathatanapplicationmay,bydesign,writetosharedstorageareas.

If"groupsofapplications"isselected,FDP_ACF_EXT.2mustbeincludedintheST.


FDP_ACF_EXT.1:TSSTheevaluatorshallensuretheTSSlistsallsystemservicesavailableforusebyanapplication.TheevaluatorshallalsoensurethattheTSSdescribeshowapplicationsinterfacewiththesesystemservices,andmeansbywhichthesesystemservicesareprotectedbytheTSF.

TheTSSshalldescribewhichofthefollowingcategorieseachsystemservicefallsin:

1. Noapplicationsareallowedaccess2. Privilegedapplicationsareallowedaccess3. Applicationsareallowedaccessbyuserauthorization4. Allapplicationsareallowedaccess

PrivilegedapplicationsincludeanyapplicationsdevelopedbytheTSFdeveloper.TheTSSshalldescribehowprivilegesaregrantedtothird-partyapplications.Forbothtypesofprivilegedapplications,theTSSshalldescribehowandwhentheprivilegesareverifiedandhowtheTSFpreventsunprivilegedapplicationsfromaccessingthoseservices.

Foranyservicesforwhichtheusermaygrantaccess,theevaluatorshallensurethattheTSSidentifieswhethertheuserispromptedforauthorizationwhentheapplicationisinstalled,orduringruntime.Theevaluatorshallensurethattheoperationaluserguidancecontainsinstructionsforrestrictingapplicationaccesstosystemservices.


TestsEvaluationActivityNote:ThefollowingtestsrequirethevendortoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Theevaluatorshallwrite,orthedevelopershallprovide,applicationsforthepurposesofthefollowingtests.

Test1:Foreachsystemservicetowhichnoapplicationsareallowedaccess,theevaluatorshallattempttoaccessthesystemservicewithatestapplicationandverifythattheapplicationisnotabletoaccessthatsystemservice.Test2:Foreachsystemservicetowhichonlyprivilegedapplicationsareallowedaccess,theevaluatorshallattempttoaccessthesystemservicewithanunprivilegedapplicationandverifythattheapplicationisnotabletoaccessthatsystemservice.Theevaluatorshallattempttoaccessthesystemservicewithaprivilegedapplicationandverifythattheapplicationcanaccesstheservice.Test3:Foreachsystemservicetowhichtheusermaygrantaccess,theevaluatorshallattempttoaccessthesystemservicewithatestapplication.Theevaluatorshallensurethateitherthesystemblockssuchaccessesorpromptsforuserauthorization.Thepromptforuserauthorizationmayoccuratruntimeoratinstallationtime,andshouldbeconsistentwiththebehaviordescribedintheTSS.Test4:ForeachsystemservicelistedintheTSSthatisaccessiblebyallapplications,theevaluatorshalltestthatanapplicationcanaccessthatsystemservice.

TSSTheevaluatorshallexaminetheTSStoverifythatitdescribeswhichdatasharingispermittedbetweenapplications,whichdatasharingisnotpermitted,andhowdisallowedsharingisprevented.Itispossibletoselectboth"applications"and"groupsofapplications",inwhichcasetheTSSisexpectedtodescribethedatasharingpoliciesthatwouldbeappliedineachcase.


TestsTest1:Theevaluatorshallwrite,orthedevelopershallprovide,twoapplications,onethatsavesdatacontainingauniquestringandtheother,whichattemptstoaccessthatdata.If"groupsofapplications"isselected,theapplicationsshallbeplacedintodifferentgroups.If"application"isselected,theevaluatorshallinstallthetwoapplications.If"privatedata"isselected,theapplicationshallnotwritetoadesignatedsharedstoragearea.Theevaluatorshallverifythatthesecondapplicationisunabletoaccessthestoreduniquestring.

If"theuser"isselected,theevaluatorshallgrantaccessastheuserandverifythatthesecondapplicationisabletoaccessthestoreduniquestring.

If"theadministrator"isselected,theevaluatorshallgrantaccessastheadministratorandverifythatthesecondapplicationisabletoaccessthestoreduniquestring.

If"acommonapplicationdeveloper"isselected,theevaluatorshallgrantaccesstoan,applicationwithacommonapplicationdevelopertothefirst,andverifythattheapplicationisabletoaccessthestoreduniquestring.

FDP_DAR_EXT.1ProtectedDataEncryptionFDP_DAR_EXT.1.1

Encryptionshallcoverallprotecteddata.

ApplicationNote:Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.

FDP_DAR_EXT.1.2EncryptionshallbeperformedusingDEKswithAESinthe[selection:XTS,CBC,GCM]modewithkeysize[selection:128,256]bits.

ApplicationNote:IVsmustbegeneratedinaccordancewithFCS_IV_EXT.1.1.


FDP_DAR_EXT.1:TSSTheevaluatorshallverifythattheTSSsectionoftheSTindicateswhichdataisprotectedbytheDARimplementationandwhatdataisconsideredTSFdata.Theevaluatorshallensurethatthisdataincludesallprotecteddata.

GuidanceTheevaluatorshallreviewtheAGDguidancetodeterminethatthedescriptionoftheconfigurationanduseoftheDARprotectiondoesnotrequiretheusertoperformanyactionsbeyondconfigurationandprovidingtheauthenticationcredential.TheevaluatorshallalsoreviewtheAGDguidancetodeterminethattheconfigurationdoesnotrequiretheusertoidentifyencryptiononaper-filebasis.

TestsEvaluationActivityNote:ThefollowingtestrequiresthedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Test1:TheevaluatorshallenableencryptionaccordingtotheAGDguidance.Theevaluatorshallcreateuserdata(non-system)eitherbycreatingafileorbyusinganapplication.Theevaluatorshalluseatoolprovidedbythedevelopertoverifythatthisdataisencryptedwhentheproductispoweredoff,inconjunctionwithTest1forFIA_UAU_EXT.1.

FDP_DAR_EXT.2SensitiveDataEncryptionFDP_DAR_EXT.2.1

TheTSFshallprovideamechanismforapplicationstomarkdataandkeysassensitive.

ApplicationNote:Dataandkeysthathavebeenmarkedassensitivewillbesubjecttocertainrestrictions(throughotherrequirements)inboththelockedandunlockedstatesoftheMobileDevice.Thismechanismallowsanapplicationtochoosethosedataandkeysunderitscontroltobesubjecttothoserequirements.

Inthefuture,thisPPmayrequirethatalldataandkeycreatedbyapplicationswilldefaulttothe"sensitive"marking,requiringanexplicit"non-sensitive"markingratherthananexplicit"sensitive"marking.

FDP_DAR_EXT.2.2TheTSFshalluseanasymmetrickeyschemetoencryptandstoresensitivedatareceivedwhiletheproductislocked.

ApplicationNote:SensitivedataisencryptedaccordingtoFDP_DAR_EXT.1.2.TheasymmetrickeyschememustbeperformedinaccordancewithFCS_CKM.2/LOCKED.

Theintentofthisrequirementistoallowthedevicetoreceivesensitivedatawhilelockedandtostorethereceiveddatainsuchawayastopreventunauthorizedpartiesfromdecryptingitwhileinthelockedstate.Ifonlyasubsetofsensitivedatamaybereceivedinthelockedstate,thissubsetmustbedescribedintheTSS.

KeymaterialmustbeclearedwhennolongerneededaccordingtoFCS_CKM_EXT.4.Forkeys(orkeymaterialusedtoderivethosekeys)protectingsensitivedatareceivedinthelockedstate,"nolongerneeded"includes"whileinthelockedstate."Forexample,inthefirstkeyscheme,thisincludestheDEKprotectingthereceiveddataassoonasthedataisencrypted.Inthesecondkeyschemethisincludestheprivatekeyforthedataasymmetricpair,thegeneratedsharedsecret,andanygeneratedDEKs.Ofcourse,bothschemesrequirethataprivatekeyofanasymmetricpair(theRSAprivatekeyandthedevice-wideprivatekey,respectively)beclearedwhentransitioningtothelockedstate.

FDP_DAR_EXT.2.3TheTSFshallencryptanystoredsymmetrickeyandanystoredprivatekeyoftheasymmetrickey(s)usedfortheprotectionofsensitivedataaccordingtoFCS_STG_EXT.2.1selection2.

ApplicationNote:SymmetrickeysusedtoencryptsensitivedatawhiletheTSFisintheunlockedstatemustbeencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.Astoredprivatekeyoftheasymmetrickeyschemeforencryptingdatainthelockedstatemustbeencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.

FDP_DAR_EXT.2.4TheTSFshalldecryptthesensitivedatathatwasreceivedwhileinthelockedstateupontransitioningtotheunlockedstateusingtheasymmetrickeyschemeandshallre-encryptthatsensitivedatausingthesymmetrickeyscheme.


FDP_DAR_EXT.2:TSSTheevaluatorshallverifythattheTSSincludesadescriptionofwhichdatastoredbytheTSF(suchasbynativeapplications)istreatedassensitive.Thisdatamayincludeallorsomeuserorenterprisedataandmustbespecificregardingthelevelofprotectionofemail,contacts,calendarappointments,messages,anddocuments.

TheevaluatorshallexaminetheTSStodeterminethatitdescribesthemechanismthatisprovidedforapplicationstousetomarkdataandkeysassensitive.Thisdescriptionshallalsocontaininformationreflectinghowdataandkeysmarkedinthismanneraredistinguishedfromdataandkeysthatarenot(forinstance,tagging,segregationina"special"areaofmemoryorcontainer,etc.).


TestsTest1:TheevaluatorshallenableencryptionofsensitivedataandrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshalltrytoaccessandcreatesensitivedata(asdefinedintheSTandeitherbycreatingafileorusinganapplicationtogeneratesensitivedata)inordertoverifythatnootheruserinteractionisrequired.

TSSTheevaluatorshallreviewtheTSSsectionoftheSTtodeterminethattheTSSincludesadescriptionoftheprocessofreceivingsensitivedatawhilethedeviceisinalockedstate.Theevaluatorshallalsoverifythatthedescriptionindicatesifsensitivedatathatmaybereceivedinthelockedstateistreateddifferentlythansensitivedatathatcannotbereceivedinthelocked

state.Thedescriptionshallincludethekeyschemeforencryptingandstoringthereceiveddata,whichmustinvolveanasymmetrickeyandmustpreventthesensitivedata-at-restfrombeingdecryptedbywipingallkeymaterialusedtoderiveorencryptthedata(asdescribedintheapplicationnote).Theintroductiontothissectionprovidestwodifferentschemesthatmeettherequirements,butothersolutionsmayaddressthisrequirement.


TestsTheevaluatorshallperformthetestsinFCS_CKM_EXT.4forallkeymaterialnolongerneededwhileinthelockedstateandshallensurethatkeysfortheasymmetricschemeareaddressedinthetestsperformedwhentransitioningtothelockedstate.TSSTheevaluatorshallverifythatthekeyhierarchysectionoftheTSSrequiredforFCS_STG_EXT.2.1includesthesymmetricencryptionkeys(DEKs)usedtoencryptsensitivedata.TheevaluatorshallensurethattheseDEKsareencryptedbyakeyencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.

TheevaluatorshallverifythattheTSSsectionoftheSTthatdescribestheasymmetrickeyschemeincludestheprotectionofanyprivatekeysoftheasymmetricpairs.TheevaluatorshallensurethatanyprivatekeysthatarenotwipedandarestoredbytheTSFarestoredencryptedbyakeyencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.




TSSTheevaluatorshallverifythattheTSSsectionoftheSTthatdescribestheasymmetrickeyschemeincludesadescriptionoftheactionstakenbytheTSFforthepurposesofDARupontransitioningtotheunlockedstate.Theseactionsshallminimallyincludedecryptingallreceiveddatausingtheasymmetrickeyschemeandre-encryptingwiththesymmetrickeyschemeusedtostoredatawhilethedeviceisunlocked.



FDP_IFC_EXT.1SubsetInformationFlowControlFDP_IFC_EXT.1.1

TheTSFshall[selection:provideaninterfacewhichallowsaVPNclienttoprotectallIPtrafficusingIPsec,provideaVPNclientwhichcanprotectallIPtrafficusingIPsecasdefinedinthePP-ModuleforVPNClient

]withtheexceptionofIPtrafficrequiredtoestablishtheVPNconnection.

ApplicationNote:Typically,thetrafficrequiredtoestablishtheVPNconnectionisreferredtoas"ControlPlane"traffic;whereas,theIPtrafficprotectedbytheIPsecVPNisreferredtoas"DataPlane"traffic.All"DataPlane"trafficmustflowthroughtheVPNconnectionandtheVPNmustnotsplit-tunnel.

IfnonativeIPsecclientisvalidatedorthird-partyVPNclientsmayalsoimplementtherequiredInformationFlowControl,thefirstoptionmustbeselected.Inthesecases,theTOEprovidesanAPItothird-partyVPNclientsthat

allowthemtoconfiguretheTOE’snetworkstacktoperformtherequiredInformationFlowControl.

TheSTauthormustselectthesecondoptioniftheTSFimplementsanativeVPNclient(IPsecisselectedinFTP_ITC_EXT.1).ThustheTSFmustbevalidatedagainstthePP-ModuleforVPNClientandtheSTauthormustalsoincludeFDP_IFC_EXT.1fromthePP-ModuleforVPNClient.

ItisoptionalfortheVPNclienttobeconfiguredtobealways-onperFMT_SMF_EXT.1Function45.Always-onmeanstheestablishmentofanIPsectrustedchanneltoallowanycommunicationbytheTSF.


FDP_IFC_EXT.1:TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribestheroutingofIPtrafficthroughprocessesontheTSFwhenaVPNclientisenabled.TheevaluatorshallensurethatthedescriptionindicateswhichtrafficdoesnotgothroughtheVPNandwhichtrafficdoesandthataconfigurationexistsforeachbasebandprotocolinwhichonlythetrafficidentifiedbytheSTauthorasnecessaryforestablishingtheVPNconnection(IKEtrafficandperhapsHTTPSorDNStraffic)isnotencapsulatedbytheVPNprotocol(IPsec).TheevaluatorshallverifythattheTSSsectiondescribesanydifferencesintheroutingofIPtrafficwhenusinganysupportedbasebandprotocols(e.g.Wi-Fior,LTE).

GuidanceTheevaluatorshallverifythatone(ormore)ofthefollowingoptionsisaddressedbythedocumentation:

ThedescriptionaboveindicatesthatifaVPNclientisenabled,allconfigurationsrouteallDataPlanetrafficthroughthetunnelinterfaceestablishedbytheVPNclient.TheAGDguidancedescribeshowtheuserand/oradministratorcanconfiguretheTSFtomeetthisrequirement.TheAPIdocumentationincludesasecurityfunctionthatallowsaVPNclienttospecifythisrouting.

TestsTest1:IftheSTauthoridentifiesanydifferencesintheroutingbetweenWi-Fiandcellularprotocols,theevaluatorshallrepeatthistestwithabasestationimplementingoneoftheidentifiedcellularprotocols.

Step1:TheevaluatorshallenableaWi-FiconfigurationasdescribedintheAGDguidance(asrequiredbyFTP_ITC_EXT.1).TheevaluatorshalluseapacketsniffingtoolbetweenthewirelessaccesspointandanInternet-connectednetwork.Theevaluatorshallturnonthesniffingtoolandperformactionswiththedevicesuchasnavigatingtowebsites,usingprovidedapplications,andaccessingotherInternetresources.Theevaluatorshallverifythatthesniffingtoolcapturesthetrafficgeneratedbytheseactions,turnoffthesniffingtool,andsavethesessiondata.

Step2:TheevaluatorshallconfigureanIPsecVPNclientthatsupportstheroutingspecifiedinthisrequirement,andifnecessary,configurethedevicetoperformtheroutingspecifiedasdescribedintheAGDguidance.Theevaluatorshallturnonthesniffingtool,establishtheVPNconnection,andperformthesameactionswiththedeviceasperformedinthefirststep.Theevaluatorshallverifythatthesniffingtoolcapturestrafficgeneratedbytheseactions,turnoffthesniffingtool,andsavethesessiondata.

Step3:TheevaluatorshallexaminethetrafficfrombothsteponeandsteptwotoverifythatallDataPlanetrafficisencapsulatedbyIPsec.TheevaluatorshallexaminetheSecurityParameterIndex(SPI)valuepresentintheencapsulatedpacketscapturedinSteptwofromtheTOEtotheGatewayandshallverifythisvalueisthesameforallactionsusedtogeneratetrafficthroughtheVPN.NotethatitisexpectedthattheSPIvalueforpacketsfromtheGatewaytotheTOEisdifferentthantheSPIvalueforpacketsfromtheTOEtotheGateway.TheevaluatorshallbeawarethatIPtrafficonthecellularbasebandoutsideoftheIPsectunnelmaybeemanatingfromthebasebandprocessorandshallverifywiththemanufacturerthatanyidentifiedtrafficisnotemanatingfromtheapplicationprocessor.

Step4:TheevaluatorshallperformanICMPechofromtheTOEtotheIPaddressofanotherdeviceonthelocalwirelessnetworkandshallverifythatnopacketsaresentusingthesniffingtool.TheevaluatorshallattempttosendpacketstotheTOEoutsidetheVPNtunnel(i.e.notthroughtheVPNgateway),includingfromthelocalwirelessnetwork,andshallverifythattheTOEdiscardsthem.

FDP_STG_EXT.1UserDataStorageFDP_STG_EXT.1.1

TheTSFshallprovideprotectedstoragefortheTrustAnchorDatabase.


FDP_STG_EXT.1:TSSTheevaluatorshallensuretheTSSdescribestheTrustAnchorDatabaseimplementedthatcontaincertificatesusedtomeettherequirementsofthisPP.Thisdescriptionshallcontaininformationpertainingtohowcertificatesareloadedintothestore,andhowthestoreisprotectedfromunauthorizedaccess(forexample,UNIXpermissions)inaccordancewiththepermissionsestablishedinFMT_SMF_EXT.1andFMT_MOF_EXT.1.1.



FDP_UPC_EXT.1/APPSInter-TSFUserDataTransferProtection(Applications)FDP_UPC_EXT.1.1/APPS

TheTSFshallprovideameansfornon-TSFapplicationsexecutingontheTOEtouse

mutuallyauthenticatedTLSasdefinedinthePackageforTransportLayerSecurity,HTTPS,

and[selection:mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity,IPsecasdefinedinthePP-ModuleforVPNClient,nootherprotocol

]toprovideaprotectedcommunicationchannelbetweenthenon-TSFapplicationandanotherITproductthatislogicallydistinctfromothercommunicationchannels,providesassuredidentificationofitsendpoints,protectschanneldatafromdisclosure,anddetectsmodificationofthechanneldata.

ApplicationNote:Theintentofthisrequirementisthatoneoftheselectedprotocolsisavailableforusebyuserapplicationsrunningonthedeviceforuseinconnectingtodistant-endservicesthatarenotnecessarilypartoftheenterpriseinfrastructure.ItshouldbenotedthattheFTP_ITC_EXT.1requiresthatallTSFcommunicationsbeprotectedusingtheprotocolsindicatedinthatrequirement,sotheprotocolsrequiredbythiscomponentride"ontopof"thoselistedinFTP_ITC_EXT.1.

ItshouldalsobenotedthatsomeapplicationsarepartoftheTSF,andFTP_ITC_EXT.1requiresthatTSFapplicationsbeprotectedbyatleastoneoftheprotocolsinfirstselectioninFTP_ITC_EXT.1.Itisnotrequiredtohavetwodifferentimplementationsofaprotocol,ortwodifferentprotocols,tosatisfyboththisrequirement(fornon-TSFapps)andFTP_ITC_EXT.1(forTSFapps),aslongastheservicesspecifiedareprovided.

TheSTauthormustlistwhichtrustedchannelprotocolsareimplementedbytheMobileDeviceforusebynon-TSFapps.

TheTSFmustbevalidatedagainstrequirementsfromthePackageforTransportLayerSecurity,withthefollowingselectionsmade:

FCS_TLS_EXT.1:TLSisselectedClientisselected

FCS_TLSC_EXT.1.1:TheciphersuitesselectedmustcorrespondwiththealgorithmsandhashfunctionsallowedinFCS_COP.1.Mutualauthenticationmustbeselected

FCS_TLSC_EXT.1.3Withnoexceptionsisselected.

If"mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayer

Security"isselected,theTSFmustbevalidatedagainstrequirementsfromthePackageforTransportLayerSecurity,withthefollowingselectionsmade:

FCS_TLS_EXT.1:DTLSisselectedclientisselected

FCS_DTLSC_EXT.1.1:TheciphersuitesselectedmustcorrespondwiththealgorithmsandhashfunctionsallowedinFCS_COP.1.mutualauthenticationmustbeselected

FCS_DTLSC_EXT.1.3Withnoexceptionsisselected.

IftheSTauthorselectsIPsec,theTSFmustbevalidatedagainstthePP-ModuleforVirtualPrivateNetwork(VPN)Clients.

FDP_UPC_EXT.1.2/APPSTheTSFshallpermitthenon-TSFapplicationstoinitiatecommunicationviathetrustedchannel.


FDP_UPC_EXT.1/APPS:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(protectionchannel)describedintheserequirements,andverifythattheAPIsimplementedtosupportthisrequirementincludetheappropriatesettings/parameterssothattheapplicationcanbothprovideandobtaintheinformationneededtoassuremutualidentificationoftheendpointsofthecommunicationasrequiredbythiscomponent.

TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthatallprotocolslistedintheTSSarespecifiedandincludedintherequirementsintheST.

GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsnecessaryforconfiguringtheprotocol(s)selectedforusebytheapplications.


Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestsprotectedchannelservicesbytheTSF.TheevaluatorshallverifythattheresultsfromtheprotectedchannelmatchtheexpectedresultsaccordingtotheAPIdocumentation.ThisapplicationmaybeusedtoassistinverifyingtheprotectedchannelEvaluationActivitiesfortheprotocolrequirements.Theevaluatorshallalsoperformthefollowingtests:

Test1:TheevaluatorsshallensurethattheapplicationisabletoinitiatecommunicationswithanexternalITentityusingeachprotocolspecifiedintherequirement,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Theevaluatorshallensure,foreachcommunicationchannelwithanauthorizedITentity,thechanneldataarenotsentinplaintext.

5.1.5Class:IdentificationandAuthentication(FIA)

FIA_AFL_EXT.1AuthenticationFailureHandlingFIA_AFL_EXT.1.1

TheTSFshallconsiderpasswordand[selection:fingerprint,iris,face,voice,vein,hybrid,noother]ascriticalauthenticationmechanisms.

ApplicationNote:Acriticalauthenticationmechanismisoneinwhichcountermeasuresaretriggered(i.e.wipeofthedevice)whenthemaximumnumberofunsuccessfulauthenticationattemptsisexceeded,renderingtheotherfactorsunavailable.

IfnoadditionalauthenticationmechanismsareselectedinFIA_UAU.5.1,then‘noother’mustbeselected.IfanadditionalauthenticationmechanismisselectedinFIA_UAU.5.1,thenitmustonlybeselectedinFIA_AFL_EXT.1.1if

surpassingtheauthenticationfailurethresholdforbiometricdatacausesacountermeasuretobetriggeredregardlessofthefailurestatusoftheotherauthenticationmechanisms.

IftheTOEimplementsmultipleAuthenticationFactorinterfaces(forexample,aDARdecryptioninterface,alockscreeninterface,anauxiliarybootmodeinterface),thiscomponentappliestoallavailableinterfaces.Forexample,apasswordisacriticalauthenticationmechanismregardlessofifitisbeingenteredattheDARdecryptioninterfaceoratalockscreeninterface.

FIA_AFL_EXT.1.2TheTSFshalldetectwhenaconfigurablepositiveintegerwithin[assignment:rangeofacceptablevaluesforeachauthenticationmechanism]of[selection:unique,non-unique]unsuccessfulauthenticationattemptsoccurrelatedtolastsuccessfulauthenticationforeachauthenticationmechanism.

ApplicationNote:Thepositiveinteger(s)isconfiguredaccordingtoFMT_SMF_EXT.1.1function2.

Anuniqueauthenticationattemptisdefinedasanyattempttoverifyapasswordorbiometricsample,inwhichtheinputisdifferentfromapreviousattempt.‘Unique’mustbeselectediftheauthenticationsystemincrementsthecounteronlyforuniqueunsuccessfulauthenticationattempts.Forexample,ifthesameincorrectpasswordisattemptedtwicetheauthenticationsystemincrementsthecounteronce.‘Non-unique’mustbeselectediftheauthenticationsystemincrementsthecounterforeachunsuccessfulauthenticationattempt,regardlessofiftheinputisunique.Forexample,ifthesameincorrectpasswordisattemptedtwicetheauthenticationsystemincrementsthecountertwice.

Ifhybridauthentication(i.e.acombinationofbiometricandpin/password)issupported,afailedauthenticationattemptcanbecountedasasingleattempt,evenifboththebiometricandpin/passwordwereincorrect.

IftheTOEsupportsmultipleauthenticationmechanismsperFIA_UAU.5.1,thiscomponentappliestoallauthenticationmechanisms.Itisacceptableforeachauthenticationmechanismtoutilizeanindependentcounterorformultipleauthenticationmechanismstoutilizeasharedcounter.TheinteractionbetweentheauthenticationfactorsinregardstotheauthenticationcountermustbeinaccordancewithFIA_UAU.5.2.

IftheTOEimplementsmultipleAuthenticationFactorinterfaces(forexample,aDARdecryptioninterface,alockscreeninterface,anauxiliarybootmodeinterface),thiscomponentappliestoallavailableinterfaces.However,itisacceptableforeachAuthenticationFactorinterfacetobeconfigurablewithadifferentnumberofunsuccessfulauthenticationattempts.

FIA_AFL_EXT.1.3TheTSFshallmaintainthenumberofunsuccessfulauthenticationattemptsthathaveoccurreduponpoweroff.

ApplicationNote:TheTOEmayimplementanAuthenticationFactorinterfacethatprecedesanotherAuthenticationFactorinterfaceinthebootsequence(forexample,avolumeDARdecryptioninterfacewhichprecedesthelockscreeninterface)beforetheusercanaccessthedevice.Inthissituation,becausetheusermustsuccessfullyauthenticatetothefirstinterfacetoaccessthesecond,thenumberofunsuccessfulauthenticationattemptsneednotbemaintainedforthesecondinterface.

FIA_AFL_EXT.1.4Whenthedefinednumberofunsuccessfulauthenticationattemptshasexceededthemaximumallowedforagivenauthenticationmechanism,allfutureauthenticationattemptswillbelimitedtootheravailableauthenticationmechanisms,unlessthegivenmechanismisdesignatedasacriticalauthenticationmechanism.

ApplicationNote:InaccordancewithFIA_AFL_EXT.1.3,thisrequirementalsoappliesaftertheTOEispoweredoffandpoweredbackon.

FIA_AFL_EXT.1.5Whenthedefinednumberofunsuccessfulauthenticationattemptsforthelastavailableauthenticationmechanismorsinglecriticalauthenticationmechanismhasbeensurpassed,theTSFshallperformawipeofallprotecteddata.

ApplicationNote:WipeisperformedinaccordancewithFCS_CKM_EXT.5.Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.

IftheTOEimplementsmultipleAuthenticationFactorinterfaces(forexample,aDARdecryptioninterface,alockscreeninterface,anauxiliarybootmode

interface),thiscomponentappliestoallavailableinterfaces.

FIA_AFL_EXT.1.6TheTSFshallincrementthenumberofunsuccessfulauthenticationattemptspriortonotifyingtheuserthattheauthenticationwasunsuccessful.

ApplicationNote:Thisrequirementistoensurethatifpoweriscuttothedevicedirectlyafteranauthenticationattempt,thecounterwillbeincrementedtoreflectthatattempt.


FIA_AFL_EXT.1:TSSTheevaluatorshallensurethattheTSSdescribesthatavaluecorrespondingtothenumberofunsuccessfulauthenticationattemptssincethelastsuccessfulauthenticationiskeptforeachAuthenticationFactorinterface.TheevaluatorshallensurethatthisdescriptionalsoincludesifandhowthisvalueismaintainedwhentheTOElosespower,eitherthroughagracefulpoweredofforanungracefullossofpower.Theevaluatorshallensurethatifthevalueisnotmaintained,theinterfaceisafteranotherinterfaceinthebootsequenceforwhichthevalueismaintained.

IftheTOEsupportsmultipleauthenticationmechanisms,theevaluatorshallensurethatthisdescriptionalsoincludeshowtheunsuccessfulauthenticationattemptsforeachmechanismselectedinFIA_UAU.5.1ishandled.TheevaluatorshallverifythattheTSSdescribesifeachauthenticationmechanismutilizesitsowncounterorifmultipleauthenticationmechanismsutilizeasharedcounter.Ifmultipleauthenticationmechanismsutilizeasharedcounter,theevaluatorshallverifythattheTSSdescribesthisinteraction.

TheevaluatorshallconfirmthattheTSSdescribeshowtheprocessusedtodetermineiftheauthenticationattemptwassuccessful.TheevaluatorshallensurethatthecounterwouldbeupdatedevenifpowertothedeviceiscutimmediatelyfollowingnotifyingtheTOEuseriftheauthenticationattemptwassuccessfulornot.

GuidanceTheevaluatorshallverifythattheAGDguidancedescribeshowtheadministratorconfiguresthemaximumnumberofuniqueunsuccessfulauthenticationattempts.

TestsTest1:TheevaluatorshallconfigurethedevicewithallauthenticationmechanismsselectedinFIA_UAU.5.1.Theevaluatorshallperformthefollowingtestsforeachavailableauthenticationinterface:

Test1a:TheevaluatorshallconfiguretheTOE,accordingtotheAGDguidance,withamaximumnumberofunsuccessfulauthenticationattempts.Theevaluatorshallenterthelockedstateandenterincorrectpasswordsuntilthewipeoccurs.Theevaluatorshallverifythatthenumberofpasswordentriescorrespondstotheconfiguredmaximumandthatthewipeisimplemented.

Test1b:[conditional]IftheTOEsupportsmultipleauthenticationmechanismstheprevioustestshallberepeatedusingacombinationofauthenticationmechanismsconfirmingthatthecriticalauthenticationmechanismswillcausethedevicetowipeandthatwhenthemaximumnumberofunsuccessfulauthenticationattemptsforanon-criticalauthenticationmechanismisexceeded,thedevicelimitsauthenticationattemptstootheravailableauthenticationmechanisms.Ifmultipleauthenticationmechanismsutilizeasharedcounter,thentheevaluatorshallverifythatthemaximumnumberofunsuccessfulauthenticationattemptscanbereachedbyusingeachindividualauthenticationmechanismandacombinationofallauthenticationmechanismsthatsharethecounter.

Test2:Theevaluatorshallrepeattestone,butshallpoweroff(byremovingthebattery,ifpossible)theTOEbetweenunsuccessfulauthenticationattempts.Theevaluatorshallverifythatthetotalnumberofunsuccessfulauthenticationattemptsforeachauthenticationmechanismcorrespondstotheconfiguredmaximumandthatthecriticalauthenticationmechanismscausethedevicetowipe.Alternatively,ifthenumberofauthenticationfailuresisnotmaintainedfortheinterfaceundertest,theevaluatorshallverifythatuponbootingtheTOEbetweenunsuccessfulauthenticationattemptsanotherauthenticationfactorinterfaceispresentedbeforetheinterfaceundertest.

FIA_PMG_EXT.1PasswordManagementFIA_PMG_EXT.1.1

TheTSFshallsupportthefollowingforthePasswordAuthenticationFactor:

1. Passwordsshallbeabletobecomposedofanycombinationof[selection:upperandlowercaseletters,[assignment:acharactersetofatleast52characters]],numbers,andspecialcharacters:[selection:"!","@","#","$","%","^","&","*","(",")",[assignment:othercharacters]];

2. Passwordlengthupto[assignment:anintegergreaterthanorequalto14]charactersshallbesupported.

ApplicationNote:Whilesomecorporatepoliciesrequirepasswordsof14charactersorbetter,theuseofaREKforDARprotectionandkeystorageprotectionandtheanti-hammerrequirement(FIA_TRT_EXT.1)addressesthethreatofattackerswithphysicalaccessusingmuchsmallerandlesscomplexpasswords.

TheSTauthorselectsthecharacterset:eithertheupperandlowercaseBasicLatinlettersoranotherassignedcharactersetcontainingatleast52characters.Theassignedcharactersetmustbewelldefined:eitheraccordingtoaninternationalencodingstandard(suchasUnicode)ordefinedintheassignmentbytheSTauthor.TheSTauthoralsoselectsthespecialcharactersthataresupportedbyTOE;theymayoptionallylistadditionalspecialcharacterssupportedusingtheassignment.


FIA_PMG_EXT.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.

GuidanceTheevaluatorshallexaminetheoperationalguidancetodeterminethatitprovidesguidancetosecurityadministratorsonthecompositionofstrongpasswords,andthatitprovidesinstructionsonsettingtheminimumpasswordlength.Theevaluatorshallalsoperformthefollowingtests.Notethatoneormoreofthesetestscanbeperformedwithasingletestcase.

TestsTest1:Theevaluatorshallcomposepasswordsthateithermeettherequirements,orfailtomeettherequirements,insomeway.Foreachpassword,theevaluatorshallverifythattheTOEsupportsthepassword.Whiletheevaluatorisnotrequired(norisitfeasible)totestallpossiblecompositionsofpasswords,theevaluatorshallensurethatallcharacters,rulecharacteristics,andaminimumlengthlistedintherequirementaresupported,andjustifythesubsetofthosecharacterschosenfortesting.

FIA_TRT_EXT.1AuthenticationThrottlingFIA_TRT_EXT.1.1

TheTSFshalllimitautomateduserauthenticationattemptsby[selection:preventingauthenticationviaanexternalport,enforcingadelaybetweenincorrectauthenticationattempts]forallauthenticationmechanismsselectedinFIA_UAU.5.1.Theminimumdelayshallbesuchthatnomorethan10attemptscanbeattemptedper500milliseconds.

ApplicationNote:TheauthenticationthrottlingappliestoallauthenticationmechanismsselectedinFIA_UAU.5.1.TheuserauthenticationattemptsinthisrequirementareattemptstoguesstheAuthenticationFactor.Thedevelopercanimplementthetimingofthedelaysintherequirementsusingunequalorequaltimingofdelays.Theminimumdelayspecifiedinthisrequirementprovidesdefenseagainstbruteforcing.


FIA_TRT_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesthemethodbywhichauthenticationattemptsarenotabletobeautomated.TheevaluatorshallensurethattheTSSdescribeseitherhowtheTSFdisablesauthenticationviaexternalinterfaces(otherthantheordinaryuserinterface)orhowauthenticationattemptsaredelayedinordertoslowautomatedentryandshallensurethatthisdelaytotalsatleast500millisecondsover10attemptsforallauthenticationmechanismsselectedinFIA_UAU.5.1.



FIA_UAU.5MultipleAuthenticationMechanismsFIA_UAU.5.1

TheTSFshallprovidepasswordand[selection:fingerprint,iris,face,voice,vein,hybrid,noothermechanism]tosupportuserauthentication.

ApplicationNote:TheTSFmustsupportaPasswordAuthenticationFactorandmayoptionallyimplementaBAF,intheformofafingerprint,iris,face,voiceand(finger/palm)vein.AhybridauthenticationfactoriswhereauserhastosubmitacombinationofPIN/passwordandbiometricsamplewherebothhavetopassandifeitherfailstheuserisnotmadeawareofwhichfactorfailed.

If"hybrid"isselected,abiometricmodalitydoesnotneedtobeselected,butshouldbeselectedifthebiometricauthenticationcanbeusedindependentofthehybridauthentication,i.e.withouthavingtoenteraPIN/password.

Ifabiometricmodalityor"hybrid"isselected,thenFIA_BMG_EXT.1andFDP_PBA_EXT.1mustbeincludedintheST.

If"usingaPINasanadditionalfactor"or"usingapasswordasanadditionalfactor"isselectedinFDP_PBA_EXT.1.1,then"hybrid"mustbeselected.

ThePasswordAuthenticationFactorisconfiguredaccordingtoFIA_PMG_EXT.1.

FIA_UAU.5.2TheTSFshallauthenticateanyuser'sclaimedidentityaccordingtothe[assignment:rulesdescribinghoweachauthenticationmechanismselectedinFIA_UAU.5.1providesauthentication].

ApplicationNote:RulesregardinghowtheauthenticationfactorsinteractintermsofunsuccessfulauthenticationarecoveredinFIA_AFL_EXT.1.


FIA_UAU.5:TSSTheevaluatorshallensurethattheTSSdescribeseachmechanismprovidedtosupportuserauthenticationandtherulesdescribinghowtheauthenticationmechanism(s)provideauthentication.

Specifically,forallauthenticationmechanismsspecifiedinFIA_UAU.5.1,theevaluatorshallensurethattheTSSdescribestherulesastohoweachauthenticationmechanismisused.Examplerulesarehowtheauthenticationmechanismauthenticatestheuser(i.e.howdoestheTSFverifythatthecorrectpasswordorbiometricsamplewasentered),theresultofasuccessfulauthentication(i.e.istheuserinputusedtoderiveorunlockakey)andwhichauthenticationmechanismcanbeusedatwhichauthenticationfactorinterfaces(i.e.iftherearetimes,forexample,afterareboot,thatonlyspecificauthenticationmechanismscanbeused).IfmultipleBAFsaresupportedperFIA_UAU.5.1,theinteractionbetweentheBAFsmustbedescribed.Forexample,whetherthemultipleBAFscanbeenabledatthesametime.

GuidanceTheevaluatorshallverifythatconfigurationguidanceforeachauthenticationmechanismisaddressedintheAGDguidance.

TestsTest1:ForeachauthenticationmechanismselectedinFIA_UAU.5.1,theevaluatorshallenablethatmechanismandverifythatitcanbeusedtoauthenticatetheuseratthespecifiedauthenticationfactorinterfaces.Test2:Foreachauthenticationmechanismrule,theevaluatorshallensurethattheauthenticationmechanism(s)behaveaccordingly.

FIA_UAU.6Re-AuthenticationFIA_UAU.6.1

TheTSFshallre-authenticatetheuserviathePasswordAuthenticationFactorundertheconditionsattemptedchangetoanysupportedauthenticationmechanisms.

ApplicationNote:Thepasswordauthenticationfactormustbeenteredbeforeeitherthepasswordorbiometricauthenticationfactor,ifselectedinFIA_UAU.5.1,canbechanged.

FIA_UAU.6.2TheTSFshallre-authenticatetheuserviaanauthenticationfactordefinedinFIA_UAU.5.1undertheconditionsTSF-initiatedlock,user-initiatedlock,[assignment:otherconditions].

ApplicationNote:DependingontheselectionsmadeinFIA_UAU.5.1,eitherthepassword(ataminimum),biometricauthenticationorhybridauthenticationmechanismscanbeusedtounlockthedevice.TSF-anduser-initiatedlockingisdescribedinFTA_SSL_EXT.1.


FIA_UAU.6:TSSTherearenoTSSevaluationactivitiesforthiselement.


TestsTest1:TheevaluatorshallconfiguretheTSFtousethePasswordAuthenticationFactoraccordingtotheAGDguidance.TheevaluatorshallchangePasswordAuthenticationFactoraccordingtotheAGDguidanceandverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforeallowingthefactortobechanged.Test2:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallconfiguretheTSFtousetheBAF,whichincludesconfiguringthePasswordAuthenticationFactor,accordingtotheAGDguidance.TheevaluatorshallchangetheBAFaccordingtotheAGDguidanceandverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforeallowingtheBAFtobechanged.Test3:[conditional]If"hybrid"isselectedinFIA_UAU.5.1,theevaluatorshallconfiguretheTSFtousetheBAFandPINorpassword,whichincludesconfiguringthePasswordAuthenticationFactor,accordingtotheAGDguidance.TheevaluatorshallchangetheBAFandPINaccordingtotheAGDguidanceandverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforeallowingthefactortobechanged.

TSSTherearenoTSSevaluationactivitiesforthiselement.


TestsTest1:TheevaluatorshallconfiguretheTSFtotransitiontothelockedstateafteratimeofinactivity(FMT_SMF_EXT.1)accordingtotheAGDguidance.TheevaluatorshallwaituntiltheTSFlocksandthenverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforetransitioningtotheunlockedstate.Test2:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest1verifyingthattheTSFrequirestheentryoftheBAFbeforetransitioningtotheunlockedstate.Test3:[conditional]If"hybrid"isselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest1verifyingthattheTSFrequirestheentryoftheBAFandPIN/passwordbeforetransitioningtotheunlockedstate.Test4:Theevaluatorshallconfigureuser-initiatedlockingaccordingtotheAGDguidance.TheevaluatorshalllocktheTSFandthenverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforetransitioningtotheunlockedstate.Test5:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest4verifyingthattheTSFrequirestheentryoftheBAFbeforetransitioningtotheunlockedstate.Test6:[conditional]If"hybrid"isselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest4verifyingthattheTSFrequirestheentryoftheBAFandPIN/passwordbeforetransitioningtotheunlockedstate.

FIA_UAU.7ProtectedAuthenticationFeedbackFIA_UAU.7.1

TheTSFshallprovideonlyobscuredfeedbacktothedevice’sdisplaytotheuserwhiletheauthenticationisinprogress.

ApplicationNote:ThisappliestoallauthenticationmethodsspecifiedinFIA_UAU.5.1.TheTSFmaybriefly(1secondorless)displayeachcharacterorprovideanoptiontoallowtheusertounmaskthepassword;however,thepasswordmustbeobscuredbydefault.

IfaBAFisselectedinFIA_UAU.5.1,theTSFmustnotdisplaysensitiveinformationregardingthebiometricthatcouldaidanadversaryinidentifyingand/orspoofingtherespectivebiometriccharacteristicsofagivenhumanuser.Whileitistruethatbiometricsamples,bythemselves,arenotsecret,theanalysisperformedbytherespectivebiometricalgorithms,aswellasoutputdatafromthesebiometricalgorithms,isconsideredsensitiveandmustbekeptsecret.Whereapplicable,theTSFmustnotrevealormakepublicthereason(s)forauthenticationfailure.


FIA_UAU.7:TSSTheevaluatorshallensurethattheTSSdescribesthemeansofobscuringtheauthenticationentry,forallauthenticationmethodsspecifiedinFIA_UAU.5.1.

GuidanceTheevaluatorshallverifythatanyconfigurationofthisrequirementisaddressedintheAGDguidanceandthatthepasswordisobscuredbydefault.

TestsTest1:Theevaluatorshallenterpasswordsonthedevice,includingatleastthePasswordAuthenticationFactoratlockscreen,andverifythatthepasswordisnotdisplayedonthedevice.Test2:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallauthenticatebyproducingabiometricsampleatlockscreen.Asthebiometricalgorithmsareperformed,theevaluatorshallverifythatsensitiveimages,audio,orotherinformationidentifyingtheuserarekeptsecretandarenotrevealedtotheuser.Additionally,theevaluatorshallproduceabiometricsamplethatfailstoauthenticateandverifythatthereason(s)forauthenticationfailure(usermismatch,lowsamplequality,etc.)arenotrevealedtotheuser.ItisacceptablefortheBAFtostatethatitwasunabletophysicallyreadthebiometricsample,forexample,ifthesensorisuncleanorthebiometricsamplewasremovedtooquickly.However,specificsregardingwhythepresentedbiometricsamplefailedauthenticationshallnotberevealedtotheuser.

FIA_UAU_EXT.1AuthenticationforCryptographicOperationFIA_UAU_EXT.1.1

TheTSFshallrequiretheusertopresentthePasswordAuthenticationFactorpriortodecryptionofprotecteddataandencryptedDEKs,KEKsand[selection:long-termtrustedchannelkeymaterial,allsoftware-basedkeystorage,nootherkeys]atstartup.

ApplicationNote:TheintentofthisrequirementistopreventdecryptionofprotecteddatabeforetheuserhasauthorizedtothedeviceusingthePasswordAuthenticationFactor.ThePasswordAuthenticationFactorisalsorequiredinorderderivethekeyusedtodecryptsensitivedata,whichincludessoftware-basedsecurekeystorage.


FIA_UAU_EXT.1:TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribestheprocessfordecryptingprotecteddataandkeys.TheevaluatorshallensurethatthisprocessrequirestheusertoenteraPasswordAuthenticationFactorand,inaccordancewithFCS_CKM_EXT.3,derivesaKEK,whichisusedtoprotectthesoftware-basedsecurekeystorageand(optionally)DEK(s)forsensitivedata,inaccordancewithFCS_STG_EXT.2.


TestsThefollowingtestsmaybeperformedinconjunctionwithFDP_DAR_EXT.1andFDP_DAR_EXT.2.

EvaluationActivityNote:ThefollowingtestrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Test1:TheevaluatorshallenableencryptionofprotecteddataandrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatincludesauniquestringtreatedasprotecteddata.

Theevaluatorshallrebootthedevice,useatoolprovidedbydevelopertosearchfortheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcannotbefound.TheevaluatorshallenterthePasswordAuthenticationFactortoaccessfulldevicefunctionality,useatoolprovidedbythedevelopertoaccesstheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcanbefound.

Test2:[conditional]TheevaluatorshallrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshallstoreakeyinthesoftware-basedsecurekeystorage.

Theevaluatorshalllockthedevice,useatoolprovidedbydevelopertoaccessthekeyamongstthestoreddata,andverifythatthekeycannotberetrievedoraccessed.TheevaluatorshallenterthePasswordAuthenticationFactortoaccessfulldevicefunctionality,useatoolprovidedbydevelopertoaccessthekey,andverifythatthekeycanberetrievedoraccessed.

Test3:[conditional]TheevaluatorshallenableencryptionofsensitivedataandrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatincludesauniquestringtreatedassensitivedata.

Theevaluatorshalllockthedevice,useatoolprovidedbydevelopertoattempttoaccesstheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcannotbefound.TheevaluatorshallenterthePasswordAuthenticationFactortoaccessfulldevicefunctionality,useatoolprovidedbydevelopertoaccesstheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcanberetrieved.

FIA_UAU_EXT.2TimingofAuthenticationFIA_UAU_EXT.2.1

TheTSFshallallow[selection:[assignment:listofactions],noactions]onbehalfoftheusertobeperformedbeforetheuserisauthenticated.

FIA_UAU_EXT.2.2TheTSFshallrequireeachusertobesuccessfullyauthenticatedbeforeallowinganyotherTSF-mediatedactionsonbehalfofthatuser.

ApplicationNote:Thesecurityrelevantactionsallowedbyunauthorizedusersinlockedstatemustbelisted.AtaminimumtheactionsthatcorrespondtothefunctionsavailabletotheuserinFMT_SMF_EXT.1andareallowedbyunauthorizedusersinlockedstateshouldbelisted.Forexample,iftheusercanenable/disablethecameraperfunction5ofFMT_SMF_EXT.1andunauthorizeduserscantakeapicturewhenthedeviceisinlockedstate,thisactionmustbelisted.


FIA_UAU_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribestheactionsallowedbyunauthorizedusersinthelockedstate.


TestsTheevaluatorshallattempttoperformsomeactionsnotlistedintheselectionwhilethedeviceisinthelockedstateandverifythatthoseactionsdonotsucceed.

FIA_X509_EXT.1X.509ValidationofCertificatesFIA_X509_EXT.1.1

TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:RFC5280certificatevalidationandcertificatepathvalidation.ThecertificatepathmustterminatewithacertificateintheTrustAnchorDatabase.TheTSFshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidatetherevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,CRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:

CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1withOID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ServercertificatespresentedforESTshallhavetheCMCRegistrationAuthority(RA)purpose(id-kp-cmcRAwithOID1.3.6.1.5.5.7.3.28)intheEKUfield.[conditional]ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningpurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.[conditional]

ApplicationNote:FIA_X509_EXT.1.1liststherulesforvalidatingcertificates.TheSTauthormustselectwhetherrevocationstatusisverifiedusingOCSPorCRLs.OCSPstaplingandOCSPmulti-staplingonlysupportTLSservercertificatevalidation.Ifothercertificatetypesarevalidated,eitherOCSPorCRLshouldbeclaimed.TheWLANClientEPtowhichaMDFTOEmustalsoconformrequiresthatcertificatesareusedforEAP-TLS;thisuserequiresthattheextendedKeyUsagerulesareverified.Certificatesmayoptionallybeusedfortrustedupdatesofsystemsoftwareandapplications(FPT_TUD_EXT.2)andforintegrityverification(FPT_TST_EXT.2(1))and,ifimplemented,mustbevalidatedtocontaintheCodeSigningpurposeextendedKeyUsage.

WhileFIA_X509_EXT.1.1requiresthattheTOEperformcertainchecksonthecertificatepresentedbyaTLSserver,therearecorrespondingchecksthattheauthenticationserverwillhavetoperformonthecertificatepresentedbytheclient;namelythattheextendedKeyUsagefieldoftheclientcertificateincludes“ClientAuthentication”andthatthekeyagreementbit(fortheDiffie-Hellmanciphersuites)orthekeyenciphermentbit(forRSAciphersuites)beset.CertificatesobtainedforusebytheTOEwillhavetoconformtotheserequirementsinordertobeusedintheenterprise.ThischeckisrequiredtosupportEAP-TLSfortheWLANClientEP.

FIA_X509_EXT.1.2TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.

ApplicationNote:ThisrequirementappliestocertificatesthatareusedandprocessedbytheTSFandrestrictsthecertificatesthatmaybeaddedtotheTrustAnchorDatabase.


FIA_X509_EXT.1:TSSTheevaluatorshallensuretheTSSdescribeswherethecheckofvalidityofthecertificatestakesplace.TheevaluatorensurestheTSSalsoprovidesadescriptionofthecertificatepathvalidationalgorithm.


TestsThetestsdescribedmustbeperformedinconjunctionwiththeotherCertificateServicesevaluationactivities,includingtheusecasesinFIA_X509_EXT.2.1andFIA_X509_EXT.3.ThetestsfortheextendedKeyUsagerulesareperformedinconjunctionwiththeusesthatrequirethoserules.Theevaluatorshallcreateachainofatleastfourcertificates:thenodecertificatetobetested,twoIntermediateCAs,andtheself-signedRootCA.

Test1:Theevaluatorshalldemonstratethatvalidatingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing,foreachofthefollowingreasons,inturn:

byestablishingacertificatepathinwhichoneoftheissuingcertificatesisnotaCAcertificate,byomittingthebasicConstraintsfieldinoneoftheissuingcertificates,bysettingthebasicConstraintsfieldinanissuingcertificatetohaveCA=False,byomittingtheCAsigningbitofthekeyusagefieldinanissuingcertificate,andbysettingthepathlengthfieldofavalidCAfieldtoavaluestrictlylessthanthecertificatepath.

TheevaluatorshallthenestablishavalidcertificatepathconsistingofvalidCAcertificates,anddemonstratethatthefunctionsucceeds.TheevaluatorshallthenremovetrustinoneoftheCAcertificates,andshowthatthefunctionfails.

Test2:Theevaluatorshalldemonstratethatvalidatinganexpiredcertificateresultsinthefunctionfailing.

Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates-conditionalonwhetherCRL,OCSP,OSCPstapling,orOCSPmulti-staplingisselected;ifmultiplemethodsareselected,thenthefollowingtestsshallbeperformedforeachmethod:

Theevaluatorshalltestrevocationofthenodecertificate.

TheevaluatorshallalsotestrevocationoftheintermediateCAcertificate(i.e.theintermediateCAcertificateshouldberevokedbytherootCA).ForthetestoftheWLANusecase,onlypre-storedCRLsareused.IfOCSPstaplingperRFC6066istheonlysupportedrevocationmethod,thistestisomitted.

Theevaluatorshallensurethatavalidcertificateisused,andthatthevalidationfunctionsucceeds.Theevaluatorthenattemptsthetestwithacertificatethathasbeenrevoked(foreachmethodchosenintheselection)toensurewhenthecertificateisnolongervalidthatthevalidationfunctionfails.

Test4:IfanyOCSPoptionisselected,theevaluatorshallconfiguretheOCSPserveroruseaman-in-the-middletooltopresentacertificatethatdoesnothavetheOCSPsigningpurposeandverifythatvalidationoftheOCSPresponsefails.IfCRLisselected,theevaluatorshallconfiguretheCAtosignaCRLwithacertificatethatdoesnothavethecRLsignkeyusagebitset,andverifythatvalidationoftheCRLfails.

Test5:Theevaluatorshallmodifyanybyteinthefirsteightbytesofthecertificateanddemonstratethatthecertificatefailstovalidate(thecertificatewillfailtoparsecorrectly).

Test6:Theevaluatorshallmodifyanybitinthelastbyteofthesignaturealgorithmofthecertificateanddemonstratethatthecertificatefailstovalidate(thesignatureonthecertificatewillnotvalidate).

Test7:Theevaluatorshallmodifyanybyteinthepublickeyofthecertificateanddemonstratethatthecertificatefailstovalidate(thesignatureonthecertificatewillnotvalidate).

Test8:Test8.1:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1(3)).Theevaluatorshallestablishavalid,trustedcertificatechainconsistingofanECleafcertificate,anECIntermediateCAcertificatenotdesignatedasatrustanchor,andanECcertificatedesignatedasatrustedanchor,wheretheellipticcurveparametersarespecifiedasanamedcurve.TheevaluatorshallconfirmthattheTOEvalidatesthecertificatechain.

Test8.2:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1(3)).TheevaluatorshallreplacetheintermediatecertificateinthecertificatechainforTest8awithamodifiedcertificate,wherethemodifiedintermediateCAhasapublickeyinformationfieldwheretheECparametersusesanexplicitformatversionoftheEllipticCurveparametersinthepublickeyinformationfieldoftheintermediateCAcertificatefromTest8a,andthemodifiedIntermediateCAcertificateissignedbythetrustedECrootCA,buthavingnootherchanges.TheevaluatorshallconfirmtheTOEtreatsthecertificateasinvalid.

FIA_X509_EXT.2X.509CertificateAuthentication

FIA_X509_EXT.2.1TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationformutuallyauthenticatedTLSasdefinedinthePackageforTransportLayerSecurity,HTTPS[selection:IPsecinaccordancewiththePP-ModuleforVPNClient,mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity],and[selection:codesigningforsystemsoftwareupdates,codesigningformobileapplications,codesigningforintegrityverification,[assignment:otheruses],noadditionaluses].

ApplicationNote:TheSTauthor’sfirstselectionmustmatchtheselectionofFDP_UPC_EXT.1.1/APPSandFTP_ITC_EXT.1.1.

Certificatesmayoptionallybeusedfortrustedupdatesofsystemsoftware(FPT_TUD_EXT.2.3)andmobileapplications(FPT_TUD_EXT.5.1)andforintegrityverification(FPT_TST_EXT.2/PREKERNEL).If"codesigningforsystemsoftwareupdates"or"codesigningformobileapplications"isselectedFPT_TUD_EXT.4.1mustbeincludedintheST.

IfFPT_TUD_EXT.5.1isincludedintheST,"codesigningformobileapplications"mustbeincludedintheselection.

FIA_X509_EXT.2.2WhentheTSFcannotestablishaconnectiontodeterminetherevocationstatusofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,allowtheusertochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].

ApplicationNote:TheTOEmustnotacceptthecertificateifitfailsanyoftheothervalidationrulesinFIA_X509_EXT.1.However,oftenaconnectionmustbeestablishedtoperformaverificationoftherevocationstatusofacertificate-eithertodownloadaCRLortoperformOCSP.Theselectionisusedtodescribethebehaviorintheeventthatsuchaconnectioncannotbeestablished(forexample,duetoanetworkerror).IftheTOEhasdeterminedthecertificateisvalidaccordingtoallotherrulesinFIA_X509_EXT.1,thebehaviorindicatedintheselectionmustdeterminethevalidity.Iftheadministrator-configuredoruser-configuredoptionisselected,theSTauthormustalsoselectfunction30inFMT_SMF_EXT.1.

TheTOEmaybehavedifferentlydependingonthetrustedchannel;forexample,inthecaseofWLANwhereconnectionsareunlikelytobeestablished,theTOEmayacceptthecertificateeventhoughcertificatesarenotacceptedforotherchannels.TheSTauthorshouldselectallapplicablebehaviors.


FIA_X509_EXT.2:TSSTheevaluatorshallchecktheTSStoensurethatitdescribeshowtheTOEchooseswhichcertificatestouse,andanynecessaryinstructionsintheadministrativeguidanceforconfiguringtheoperatingenvironmentsothattheTOEcanusethecertificates.

TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Theevaluatorshallverifythatanydistinctionsbetweentrustedchannelsaredescribed.

GuidanceIftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.

TestsTheevaluatorshallperformthefollowingtestforeachtrustedchannel:

Test1:Theevaluatorshalldemonstratethatusingavalidcertificatethatrequirescertificatevalidationcheckingtobeperformedinatleastsomepartbycommunicatingwithanon-TOEITentity.TheevaluatorshallthenmanipulatetheenvironmentsothattheTOEisunabletoverifythevalidityofthecertificate,andobservethattheactionselectedinFIA_X509_EXT.2.2isperformed.Iftheselectedactionisadministrator-configurable,thentheevaluatorshallfollowtheoperationalguidancetodeterminethatallsupportedadministrator-configurableoptionsbehaveintheirdocumentedmanner.

FIA_X509_EXT.3RequestValidationofCertificatesFIA_X509_EXT.3.1

TheTSFshallprovideacertificatevalidationservicetoapplications.

FIA_X509_EXT.3.2TheTSFshallrespondtotherequestingapplicationwiththesuccessorfailureofthevalidation.

ApplicationNote:InordertocomplywithalloftherulesinFIA_X509_EXT.1,multipleAPIcallsmayberequired;allofthesecallsshouldbeclearlydocumented


FIA_X509_EXT.3:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunction(certificatevalidation)describedinthisrequirement.Thisdocumentationshallbeclearastowhichresultsindicatesuccessandfailure.



TestsTheevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestscertificatevalidationbytheTSF.TheevaluatorshallverifythattheresultsfromthevalidationmatchtheexpectedresultsaccordingtotheAPIdocumentation.Thisapplicationmaybeusedtoverifythatimport,removal,modification,andvalidationareperformedcorrectlyaccordingtothetestsrequiredbyFDP_STG_EXT.1,FTP_ITC_EXT.1,FMT_SMF_EXT.1,andFIA_X509_EXT.1.

5.1.6Class:SecurityManagement(FMT)BoththeuserandtheadministratormaymanagetheTOE.ThisadministratorislikelytobeactingremotelyandcouldbetheMobileDeviceManagement(MDM)AdministratoractingthroughanMDMAgent.

TheAdministratorisresponsibleformanagementactivities,includingsettingthepolicythatisappliedbytheenterpriseontheMobileDevice.Thesemanagementfunctionsarelikelytobeadifferentsetthanthosemanagementfunctionsprovidedtotheuser.ManagementfunctionsthatareprovidedtotheuserandnottheadministratorarelistedinFMT_MOF_EXT.1.1.ManagementfunctionsforwhichtheadministratormayadoptapolicythatrestrictstheuserfromperformingthatfunctionarelistedinFMT_MOF_EXT.1.2.

Table7comparesthemanagementfunctionsrequiredbythisProtectionProfileinthefollowingthreerequirements(FMT_MOF_EXT.1.1,FMT_MOF_EXT.1.2,andFMT_SMF_EXT.1).

FMT_MOF_EXT.1ManagementofSecurityFunctionsBehaviorFMT_MOF_EXT.1.1

TheTSFshallrestricttheabilitytoperformthefunctionsincolumn3ofTable7totheuser.

ApplicationNote:Thefunctionsthathavean"M"inthethirdcolumnaremandatoryforthiscomponent,thusarerestrictedtotheuser,meaningthattheadministratorcannotmanagethosefunctions.Thefunctionsthathavean"O"inthethirdcolumnareoptionalandmaybeselected;andthosefunctionswitha"-"inthethirdarenotapplicableandmaynotbeselected.TheSTauthorshouldselectthosesecuritymanagementfunctionsthatonlytheusermayperform(i.e.theonestheadministratormaynotperform).

TheSTauthormaynotselectthesamefunctioninbothFMT_MOF_EXT.1.1andFMT_MOF_EXT.1.2.Afunctioncannotcontainan"M"inbothcolumn3andcolumn5.

TheSTauthormayuseatableintheST,indicatingwithcleardemarcations(tobeaccompaniedbyanindex)thosefunctionsthatarerestrictedtotheuser(column3).TheSTauthorshoulditeratearowtoindicateanyvariationsintheselectablesub-functionsorassignedvalueswithrespecttothevaluesinthecolumns.

Forfunctionsthataremandatory,anysub-functionsnotinaselectionarealsomandatoryandanyassignmentsmustcontainatleastoneassignedvalue.Fornon-selectablesub-functionsinanoptionalfunction,allsub-functionsoutsideaselectionmustbeimplementedinorderforthefunctiontobelisted.

FMT_MOF_EXT.1.2TheTSFshallrestricttheabilitytoperformthefunctionsincolumn5ofTable7totheadministratorwhenthedeviceisenrolledandaccordingtotheadministrator-configuredpolicy.

ApplicationNote:Aslongasthedeviceisenrolledinmanagement,theadministrator(oftheenterprise)mustbeguaranteedthatminimumsecurityfunctionsoftheenterprisepolicyareenforced.Furtherrestrictivepoliciescanbeappliedatanytimebytheuseronbehalfoftheuserorotheradministrators.

Thefunctionsthathavean"M"inthefifthcolumnaremandatoryforthiscomponent;thefunctionsthathavean"O"inthefifthcolumnareoptionalandmaybeselected;andthosefunctionswitha"-"inthefiftharenotapplicableandmaynotbeselected.

TheSTauthormaynotselectthesamefunctioninbothFMT_MOF_EXT.1.1andFMT_MOF_EXT.1.2.

TheSTauthorshouldselectthosesecuritymanagementfunctionsthattheadministratormayrestrict.TheSTauthormayuseatableintheST,indicatingwithcleardemarcations(tobeaccompaniedbyanindex)thosefunctionsthatareandarenotimplementedwithAPIsfortheadministrator(asincolumn4).Additionally,theSTauthorshoulddemarcatewhichfunctionstheuserispreventedfromaccessingorperforming(asincolumn5).TheSTauthorshoulditeratearowtoindicateanyvariationsintheselectablesub-functionsorassignedvalueswithrespecttothevaluesinthecolumns.

Forfunctionsthataremandatory,anysub-functionsnotinaselectionarealsomandatoryandanyassignmentsmustcontainatleastoneassignedvalue.Fornon-selectablesub-functionsinanoptionalfunction,allsub-functionsoutsidetheselectionmustbeimplementedinorderforthefunctiontobelisted.


FMT_MOF_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesthosemanagementfunctionsthatmayonlybeperformedbytheuserandconfirmthattheTSSdoesnotincludeanAdministratorAPIforanyofthesemanagementfunctions.ThisactivitywillbeperformedinconjunctionwithFMT_SMF_EXT.1.


TestsTherearenotestevaluationactivitiesforthiscomponent.TSSTheevaluatorshallverifythattheTSSdescribesthosemanagementfunctionsthatmaybeperformedbytheAdministrator,toincludehowtheuserispreventedfromaccessing,performing,orrelaxingthefunction(ifapplicable),andhowapplications/APIsarepreventedfrommodifyingtheAdministratorconfiguration.TheTSSalsodescribesanyfunctionalitythatisaffectedbyadministrator-configuredpolicyandhow.ThisactivitywillbeperformedinconjunctionwithFMT_SMF_EXT.1.


TestsTest1:TheevaluatorshallusethetestenvironmenttodeploypoliciestoMobileDevices.

Test2:Theevaluatorshallcreatepolicieswhichcollectivelyincludeallmanagementfunctionswhicharecontrolledbythe(enterprise)administratorandcannotbeoverridden/relaxedbytheuserasdefinedinFMT_MOF_EXT.1.2.Theevaluatorshallapplythesepoliciestodevices,attempttooverride/relaxeachsettingbothastheuser(ifasettingisavailable)andasanapplication(ifanAPIisavailable),andensurethattheTSFdoesnotpermitit.Notethattheusermaystillapplyamorerestrictivepolicythanthatoftheadministrator.

Test3:AdditionaltestingoffunctionsprovidedtotheadministratorareperformedinconjunctionwiththetestingactivitiesforFMT_SMF_EXT.1.1.

FMT_SMF_EXT.1SpecificationofManagementFunctionsFMT_SMF_EXT.1.1

TheTSFshallbecapableofperformingthefollowingmanagementfunctions:

Table7:ManagementFunctions

StatusMarkers:M-MandatoryO-Optional/Objective

# ManagementFunction Impl. UserOnly

Admin AdminOnly

1 1.configurepasswordpolicy:

a. minimumpasswordlengthb. minimumpasswordcomplexityc. maximumpasswordlifetime

2 2.configuresessionlockingpolicy:

a. screen-lockenabled/disabledb. screenlocktimeoutc. numberofauthenticationfailures

3 3.enable/disabletheVPNprotection:

a. acrossdevice

[selection:b.onaper-appbasis,

c.onaper-groupofapplicationsprocessesbasis,

d.noothermethod]

4 4.enable/disable[assignment:listofallradios]

5 5.enable/disable[assignment:listofaudioorvisualcollectiondevices]:

a. acrossdevice



d.noothermethod]

6 6.transitiontothelockedstate

7 7.TSFwipeofprotecteddata

8 8.configureapplicationinstallationpolicyby[selection:

a.restrictingthesourcesofapplications,

b.specifyingasetofallowedapplicationsbasedon

[assignment:applicationcharacteristics](anapplication

allowlist),c.denyinginstallationof

applications]

9 9.importkeys/secretsintothesecurekeystorage

10 10.destroyimportedkeys/secretsand[selection:nootherkeys/secrets,

[assignment:listofothercategoriesof

M - M M

M - M M

M O O O

M O O O

M O O O

M - M -

M - M -

M - M M

M O O -

M O O -

keys/secrets]]inthesecurekeystorage

11 11.importX.509v3certificatesintotheTrustAnchorDatabase

12 12.removeimportedX.509v3certificatesand[selection:nootherX.509v3

certificates,[assignment:listofothercategoriesofX.509v3certificates]]inthe

TrustAnchorDatabase

13 13.enrolltheTOEinmanagement

14 14.removeapplications

15 15.updatesystemsoftware

16 16.installapplications

17 17.removeEnterpriseapplications

18 18.enable/disabledisplaynotificationinthelockedstateof:[selection:

a.emailnotifications,b.calendarappointments,

c.contactassociatedwithphonecallnotification,

d.textmessagenotification,e.otherapplication-based

notifications,f.allnotifications

]

19 19.enabledata-atrestprotection

20 20.enableremovablemedia’sdata-at-restprotection

21 21.enable/disablelocationservices:

a. acrossdevice



d.noothermethod]

22 22.enable/disabletheuseof[selection:BiometricAuthenticationFactor,Hybrid

AuthenticationFactor]

23 23.configurewhethertoallow/disallowestablishmentofatrustedchannelifthepeer/servercertificateisdeemedinvalid.

24 24.enable/disablealldatasignalingover[assignment:listofexternallyaccessible

hardwareports]

25 25.enable/disable[assignment:listofprotocolswherethedeviceactsasa

server]

26 26.enable/disabledevelopermodes

27 27.enable/disablebypassoflocaluserauthentication

28 28.wipeEnterprisedata

29 29.approve[selection:import,removal]byapplicationsofX.509v3certificatesin

theTrustAnchorDatabase

30 30.configurewhethertoallow/disallowestablishmentofatrustedchanneliftheTSFcannotestablishaconnectionto

M - M O

M O O -

M O O O

M - M O

M - M O

M - M O

M - M -

M O O O

M O O O

M O O O

M O O O

M O O O

M O O O

O O O O

O O O O

O O O O

O O O O

O O O -

O O O O

O O O O

determinethevalidityofacertificate

31 31.enable/disablethecellularprotocolsusedtoconnecttocellularnetworkbase

stations

32 32.readauditlogskeptbytheTSF

33 33.configure[selection:certificate,public-key]usedtovalidatedigital

signatureonapplications

34 34.approveexceptionsforshareduseofkeys/secretsbymultipleapplications

35 35.approveexceptionsfordestructionofkeys/secretsbyapplicationsthatdidnot

importthekey/secret

36 36.configuretheunlockbanner

37 37.configuretheauditableitems

38 38.retrieveTSF-softwareintegrityverificationvalues

39 39.enable/disable[selection:USBmassstoragemode,

USBdatatransferwithoutuserauthentication,

USBdatatransferwithoutauthenticationoftheconnecting

system]

40 40.enable/disablebackupof[selection:allapplications,selectedapplications,

selectedgroupsofapplications,configurationdata]to[selection:locally

connectedsystem,remotesystem]

41 41.enable/disable[selection:Hotspotfunctionalityauthenticatedby[selection:pre-sharedkey,passcode,noauthentication],USBtetheringauthenticatedby[selection:pre-sharedkey,passcode,noauthentication]

]

42 42.approveexceptionsforsharingdatabetween[selection:applications,groups

ofapplications]

43 43.placeapplicationsintoapplicationgroupsbasedon[assignment:enterpriseconfigurationsettings]

44 44.unenrolltheTOEfrommanagement

45 45.enable/disabletheAlwaysOnVPNprotection:

a. acrossdevice



d.noothermethod]

46 46.revokeBiometrictemplate

47 47.[assignment:listofothermanagementfunctionstobeprovidedby

theTSF]

O O O O

O O O -

O O O O

O O O O

O O O O

O - O O

O - O O

O O O O

O O O O

O O O O

O O O O

O O O O

O O O O

O O O O

O O O O

O O O O

O O O O

ApplicationNote:Table7comparesthemanagementfunctionsrequiredbythisProtectionProfile.

ThefirstcolumnliststhemanagementfunctionsidentifiedinthePP.

Inthefollowingcolumns:‘M’meansMandatory‘O’meansOptional/Objective'-'meansthatnovalue(MorO)canbeassigned

Thesecondcolumn(FMT_SMF_EXT.1)indicateswhetherthefunctionistobeimplemented.TheSTauthorshouldselectwhichOptionalfunctionsareimplemented.

Thethirdcolumn(FMT_MOF_EXT.1.1)indicatesfunctionsthataretoberestrictedtotheuser(i.e.notavailabletotheadministrator).

Thefourthcolumn(Administrator)indicatesfunctionsthatareavailabletotheadministrator.Thefunctionsrestrictedtotheuser(column3)cannotalsobeavailabletotheadministrator.Functionsavailabletotheadministratorcanstillbeavailabletotheuser,aslongasthefunctionisnotrestrictedtotheadministrator(column5).Thus,iftheTOEmustofferthesefunctionstotheadministratortoperformthefourthcolumnmustbeselected.

Thefifthcolumn(FMT_MOF_EXT.1.2)indicateswhetherthefunctionistoberestrictedtotheadministratorwhenthedeviceisenrolledandtheadministratorappliestheindicatedpolicy.Ifthefunctionisrestrictedtotheadministratorthefunctionisnotavailabletotheuser.Thisdoesnotpreventtheuserfrommodifyingasettingtomakethefunctionstricter,buttheusercannotundotheconfigurationenforcedbytheadministrator.

TheSTauthormayuseatableintheST,listingonlythosefunctionsthatareimplemented.Forfunctionsthataremandatory,anysub-functionsnotinaselectionarealsomandatoryandanyassignmentsmustcontainatleastoneassignedvalue.Forfunctionsthatareoptionalandcontainanassignmentorselection,atleastonevaluemustbeassigned/selectedtobeincludedintheST.Fornon-selectablesub-functionsinanoptionalfunction,allsub-functionsmustbeimplementedinorderforthefunctiontobeincluded.Forfunctionswitha"per-appbasis"subfunctionandanassignment,theSTauthormustindicatewhichassignedfeaturesaremanageableonaper-appbasisandwhicharenotbyiteratingtherow.

Function-specificApplicationNotes:

Forfunctions3,5and21,thefunctionmustbeimplementedonadevice-widebasisbutmayalsobeimplementedonaper-appbasisoronaper-groupofapplicationsbasisinwhichtheconfigurationincludesthelistofapplicationsorgroupsofapplicationstowhichtheenable/disableapplies.

Function3addressesenablinganddisablingtheIPsecVPNonly.TheconfigurationoftheVPNClientitself(withinformationsuchasVPNGateway,certificates,andalgorithms)isaddressedbythePP-ModuleforVPNClient.Theadministratoroptionsshouldonlybelistediftheadministratorcanremotelyenable/disabletheVPNconnection.

Function3optionallyallowstheVPNtobeconfiguredper-apporper-groupsofapps.Ifthisconfigurationisselected,itdoesnotvoidFDP_IFC_EXT.1.InsteadFDP_IFC_EXT.1isappliedtotheapplicationorgroupofapplicationstheVPNisappliedto.Inotherwords,alltrafficdestinedfortheVPN-enabledapplicationorgroupofapplications,musttravelthroughtheVPN,buttrafficnotdestinedforthatapplicationorgroupofapplicationscantraveloutsidetheVPN.WhentheVPNisconfiguredacrossthedeviceFDP_IFC_EXT.1appliestoalltrafficandtheVPNmustnotsplittunnel.

Theassignmentinfunction4consistsofallradiospresentontheTSF,suchasWi-Fi,cellular,NFC,BluetoothBR/EDR,andBluetoothLE,whichcanbeenabledanddisabled.Inthefuture,ifbothBluetoothBR/EDRandBluetoothLEaresupported,theywillberequiredtobeenabledanddisabledseparately.Disablementofthecellularradiodoesnotimplythattheradiomaynotbeenabledinordertoplaceemergencyphonecalls;however,itisnotexpectedthatadevicein"airplanemode",whereallradiosaredisabled,willautomatically(withoutauthorization)turnonthecellularradiotoplaceemergencycalls.

Theassignmentinfunction5consistsofatleastoneaudioand/orvisualdevice,suchascameraandmicrophone,whichcanbeenabledanddisabledbyeithertheuseroradministrator.Disablementofthemicrophonedoesnotimplythat

themicrophonemaynotbeenabledinordertoplaceemergencyphonecalls.Ifcertaindevicesareabletoberestrictedtotheenterprise(eitherdevice-wide,per-apporper-groupofapplications)andothersareabletoberestrictedtousers,thenthisfunctionshouldbeiteratedinthetablewiththeappropriatetableentries.

Regardingfunctions4and5,disablementofaparticularradiooraudio/visualdevicemustbeeffectiveassoonastheTOEhaspower.DisablementmustalsoapplywhentheTOEisbootedintoauxiliarybootmodes,forexample,associatedwithupdatesorbackup.IftheTOEsupportsstatesinwhichsecuritymanagementpolicyisinaccessible,forexample,duetodata-at-restprotection,itisacceptabletomeetthisrequirementbyensuringthatthesedevicesaredisabledbydefaultwhileinthesestates.Thatthesedevicesaredisabledduringauxiliarybootmodesdoesnotimplythatthedevice(particularlythecellularradio)maynotbeenabledinordertoperformemergencyphonecalls.

WipeoftheTSF(function7)isperformedaccordingtoFCS_CKM_EXT.5.Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.

Theselectioninfunction8allowstheSTauthortoselectwhichmechanismsareavailabletotheadministratorthroughtheMDMAgenttorestricttheapplicationswhichtheusermayinstall.TheSTauthormuststateifapplicationallowlistisapplieddevice-wideorifitcanbespecifiedtoapplytoeithertheEnterpriseand/orPersonalapplications.

Iftheadministratorcanrestrictthesourcesfromwhichapplicationscanbeinstalled,theSTauthorselectsoptiona.Iftheadministratorcanspecifyaallowlistofallowedapplications,theSTauthorselectsoptionb.TheSTauthorshouldlistanyapplicationcharacteristics(e.g.name,version,ordeveloper)basedonwhichtheallowlistcanbeformed.Iftheadministratorcanpreventtheuserfrominstallingadditionalapplications,theSTauthorselectsc.

Inthefuture,function12mayrequiredestructionordisablingofanydefaulttrustedCAcertificates,exceptingthoseCAcertificatesnecessaryforcontinuedoperationoftheTSF,suchasthedeveloper’scertificate.Atthistime,theSTauthormustindicateintheassignmentwhetherpre-installedoranyothercategoryofX.509v3certificatesmayberemovedfromtheTrustAnchorDatabase.

Forfunction13,theenrollmentfunctionmaybeinstallinganMDMagentandincludesthepoliciestobeappliedtothedevice.Itisacceptablefortheuserapprovalnoticetorequiretheusertointentionallyopttoviewthepolicies(forexample,by"tapping"ona"View"icon)ratherthanlistingthepoliciesinfullinthenotice.

Forfunction15,theadministratorcapabilitytoupdatethesystemsoftwaremaybelimitedtocausingaprompttotheusertoupdateratherthantheabilitytoinitiatetheupdateitself.Astheadministratorislikelytobeactingremotely,he/shewouldbeunawareofinopportunesituations,suchaslowpower,whichmaycausetheupdatetofailandthedevicetobecomeinoperable.Theusercanrefusetoaccepttheupdateinsuchsituations.Itisexpectedthatsystemarchitectswillbecognizantofthislimitationandwillenforcenetworkaccesscontrolsinordertoenforceenterprise-criticalupdates.

Function16addressesbothinstallationandupdate.Thisprotectionprofiledoesnotdistinguishbetweeninstallationandupdateofapplicationsbecausemobiledevicestypicallycompletelyoverwritethepreviousinstallationwithanewinstallationduringanapplicationupdate.

Forfunction17,"Enterpriseapplications"arethoseapplicationsthatbelongtotheEnterpriseapplicationgroup.Applicationsinstalledbytheenterpriseadministrator(includingautomaticinstallationbytheadministratorafterbeingrequestedbytheuserfromacatalogofenterpriseapplications)arebydefaultplacedintheEnterpriseapplicationgroupunlessanexceptionhasbeenmadeinfunction43ofFMT_SMF_EXT.1.1.

Ifthedisplayofnotificationsinthelockedstateissupported,theconfigurationofthesenotifications(function18)mustbeincludedintheselection.

Function19mustbeincludedintheselectionifdata-at-restprotectionisnotnativelyenabled.

Function20isimplicitlymetiftheTSFdoesnotsupportremovablemedia.

Forfunction21,locationservicesincludelocationinformationgatheredfrom

GPS,cellular,andWi-Fi.

Function22isimplicitlymetiftheTOEdoesnotcontainaBAF.ThisselectionmustcorrespondwiththeselectionmadeinFIA_UAU.5.1.IfaBAFisselectedinFIA_UAU.5.1,"BiometricAuthenticationFactor"mustbeselectedandtheuseroradminmusthavetheoptiontodisabletheuseofit.IfmultipleBAFsareselectedinFIA_UAU.5.1,thisappliestoalldifferentmodalities.If"hybrid"isselectedinFIA_UAU.5.1itmustbeselectedandtheuseroradminmusthavetheoptiontodisabletheuseofit.

Forfunction23,theconfigurationcanbedifferentdependingonthespecifictrustedchannel.

Theassignmentinfunction24consistsofallexternallyaccessiblehardwareports,suchasUSB,theSDcard,andHDMI,whosedatatransfercapabilitiescanbeenabledanddisabledbyeithertheuseroradministrator.Disablementofdatatransferoveranexternalportmustbeeffectiveduringandafterbootintothenormaloperativemodeofthedevice.IftheTOEsupportsstatesinwhichconfiguredsecuritymanagementpolicyisinaccessible,forexample,duetodata-at-restprotection,itisacceptabletomeetthisrequirementbyensuringthatdatatransferisdisabledbydefaultwhileinthesestates.Eachoftheportsmaybeenabledordisabledseparately.Theconfigurationpolicyneednotdisableallportstogether.InthecaseofUSB,chagriningisstillallowedifdatatransfercapabilitieshavebeendisabled.

Theassignmentinfunction25consistsofallprotocolswheretheTSFactsasaserver,whichcanbeenabledanddisabledbyeithertheuseroradministrator.

Function26mustbeincludedintheselectionifdevelopermodesaresupportedbytheTSF.

Function27mustbeincludedintheselectionifbypassoflocaluserauthentication,suchasa"ForgotPassword",passwordhint,orremoteauthenticationfeature,issupported.

Function29mustbeincludedintheselectioniftheTSFallowsapplications,otherthantheMDMAgents,toimportorremoveX.509v3certificatesfromtheTrustAnchorDatabase.TheMDMAgentisconsideredtheadministrator.Thisfunctiondoesnotapplytoapplicationstrustingacertificateforitsownvalidations.Thefunctiononlyappliestosituationswheretheapplicationmodifiesthedevice-wideTrustAnchorDatabase,affectingthevalidationsperformedbytheTSFforotherapplications.Theuseroradministratormaybeprovidedtheabilitytogloballyallowordenyanyapplicationrequestsinordertomeetthisrequirement.

Function30mustbeincludedintheSTif"administrator-configuredoption"isselectioninFIA_X509_EXT.2.2.

Function33shouldbeincludedintheselectionifFPT_TUD_EXT.5.1isincludedintheSTandtheconfigurableoptionisselected.

Function34shouldbeincludedintheselectionifuseroradministratorisselectedinFCS_STG_EXT.1.4.

Function35shouldbeincludedintheselectionifuseroradministratorisselectedinFCS_STG_EXT.1.5.

Function36mustbeincludedintheselectionifFTA_TAB.1isincludedintheST.

Function37mustbeincludedintheselectionifFAU_SEL.1isincludedintheST.

Forfunction41,hotspotfunctionalityreferstotheconditioninwhichthemobiledeviceisservingasanaccesspointtootherdevices,nottheconnectionoftheTOEtoexternalhotspots.

Functions42and43correspondtoFDP_ACF_EXT.1.2.

Forfunction44,FMT_SMF_EXT.2.1specifiesactionstobeperformedwhentheTOEisunenrolledfrommanagement.

Forfunction45,mustbeincludedintheSTifIPsecisselectedinFTP_ITC_EXT.1andthenativeIPsecVPNclientcanbeconfiguredtobeAlways-On.Always-OnisdefinedaswhentheTOEhasanetworkconnectiontheVPNattemptstoconnect,alldataleavingthedeviceusestheVPNwhentheVPNisconnectedandnodataleavesthatdevicewhentheVPNisdisconnected.TheconfigurationoftheVPNClientitself(withinformationsuchasVPNGateway,certificates,andalgorithms)isaddressedbythePP-ModuleforVPNClient.


FMT_SMF_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesallmanagementfunctions,whatrole(s)canperformeachfunction,andhowthesefunctionsare(orcanbe)restrictedtotherolesidentifiedbyFMT_MOF_EXT.1.

Thefollowingactivitiesareorganizedaccordingtothefunctionnumberinthetable.TheseactivitiesincludeTSSEvaluationActivities,AGDEvaluationActivities,andtestactivities.

TestactivitiesspecifiedbelowshalltakeplaceinthetestenvironmentdescribedintheevaluationactivityforFPT_TUD_EXT.1.

GuidanceTheevaluatorshallconsulttheAGDguidancetoperformeachofthespecifiedtests,iteratingeachtestasnecessaryifboththeuserandadministratormayperformthefunction.TheevaluatorshallverifythattheAGDguidancedescribeshowtoperformeachmanagementfunction,includinganyconfigurationdetails.Foreachspecifiedmanagementfunctiontested,theevaluatorshallconfirmthattheunderlyingmechanismexhibitstheconfiguredsetting.

TestsFunction1TheevaluatorshallverifytheTSSdefinestheallowablepolicyoptions:therangeofvaluesforbothpasswordlengthandlifetime,andadescriptionofcomplexitytoincludecharactersetandcomplexitypolicies(e.g.,configurationandenforcementofnumberofuppercase,lowercase,andspecialcharactersperpassword).

Test1:TheevaluatorshallexercisetheTSFconfigurationastheadministratorandperformpositiveandnegativetests,withatleasttwovaluessetforeachvariablesetting,foreachofthefollowing:

minimumpasswordlengthminimumpasswordcomplexitymaximumpasswordlifetime

Function2TheevaluatorshallverifytheTSSdefinestherangeofvaluesforbothtimeoutperiodandnumberofauthenticationfailuresforallsupportedauthenticationmechanisms.

Test2:TheevaluatorshallexercisetheTSFconfigurationastheadministrator.Theevaluatorshallperformpositiveandnegativetests,withatleasttwovaluessetforeachvariablesetting,foreachofthefollowing:

screen-lockenabled/disabledscreenlocktimeoutnumberofauthenticationfailures(maybecombinedwithtestforFIA_AFL_EXT.1)

Function3Test3:Theevaluatorshallperformthefollowingtests:a. TheevaluatorshallexercisetheTSFconfigurationtoenabletheVPNprotection.These

configurationactionsmustbeusedforthetestingoftheFDP_IFC_EXT.1.1requirement.

b. [conditional]If"per-appbasis"isselected,theevaluatorshallcreatetwoapplicationsandenableonetousetheVPNandtheothertonotusetheVPN.Theevaluatorshallexerciseeachapplication(attemptingtoaccessnetworkresources;forexample,bybrowsingdifferentwebsites)individuallywhilecapturingpacketsfromtheTOE.TheevaluatorshallverifyfromthepacketcapturethatthetrafficfromtheVPN-enabledapplicationisencapsulatedinIPsecandthatthetrafficfromtheVPN-disabledapplicationisnotencapsulatedinIPsec.

c. [conditional]If"per-groupsofapplicationbasis"isselected,theevaluatorshallcreatetwoapplicationsandtheapplicationsshallbeplacedintodifferentgroups.EnableoneapplicationgrouptousetheVPNandtheothertonotusetheVPN.Theevaluatorshallexerciseeachapplication(attemptingtoaccessnetworkresources;forexample,bybrowsingdifferentwebsites)individuallywhilecapturingpacketsfromtheTOE.TheevaluatorshallverifyfromthepacketcapturethatthetrafficfromtheapplicationintheVPN-enabledgroupisencapsulatedinIPsecandthatthetrafficfromtheapplicationintheVPN-disabledgroupisnotencapsulatedinIPsec.

Function4TheevaluatorshallverifythattheTSSincludesadescriptionofeachradioandanindicationofiftheradiocanbeenabled/disabledalongwithwhatrolecandoso.InadditiontheevaluatorshallverifythatthefrequencyrangesatwhicheachradiooperatesisincludedintheTSS.TheevaluatorshallverifythattheTSSincludesatwhatpointinthebootsequencetheradiosarepoweredonandindicatesiftheradiosareusedaspartofthe

initializationofthedevice.TheevaluatorshallconfirmthattheAGDguidancedescribeshowtoperformtheenable/disablefunctionforeachradio.

TheevaluatorshallensurethatminimalsignalleakageenterstheRFshieldedenclosure(i.e.Faradaybag,Faradaybox,RFshieldedroom)byperformingthefollowingsteps:

Step1:PlacetheantennaofthespectrumanalyzerinsidetheRFshieldedenclosure.

Step2:Enable"MaxHold"onthespectrumanalyzerandperformaspectrumsweepofthefrequencyrangebetween300MHz–6000MHz,inIKHzsteps(thisrangeshouldencompass802.11,802.15,GSM,UMTS,andLTE).ThisrangewillnotaddressNFC13.56MHz,anothertestshouldbesetupwithsimilarconstraintstoaddressNFC.

Ifpowerabove-90dBmisobserved,theFaradayboxhastoogreatofsignalleakageandshallnotbeusedtocompletethetestforFunction4.

Test4:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenableanddisablethestateofeachradio(e.g.Wi-Fi,cellular,NFC,Bluetooth).Additionally,theevaluatorshallrepeatthestepsbelow,bootingintoanyauxiliarybootmodesupportedbythedevice.Foreachradio,theevaluatorshall:

Step1:PlacetheantennaofthespectrumanalyzerinsidetheRFshieldedenclosure.Configurethespectrumanalyzertosweepdesiredfrequencyrangefortheradiotobetested(basedonrangeprovidedintheTSS)).Theambientnoisefloorshallbesetto-110dBm.PlacetheTOEintotheRFshieldedenclosuretoisolatethemfromallotherRFtraffic.

Step2:TheevaluatorshallcreateabaselineoftheexpectedbehaviorofRFsignals.Theevaluatorshallpoweronthedevice,ensuretheradioinquestionisenabled,poweroffthedevice,enable"MaxHold"onthespectrumanalyzerandpoweronthedevice.Theevaluatorshallwait2minutesateachAuthenticationFactorinterfacepriortoenteringthenecessarypasswordtocompletethebootprocess,waiting5minutesafterthedeviceisfullybooted.TheevaluatorshallobservethatRFspikesarepresentattheexpecteduplinkchannelfrequency.Theevaluatorshallclearthe"MaxHold"onthespectrumanalyzer.

Step3:TheevaluatorshallverifytheabsenceofRFactivityfortheuplinkchannelwhentheradioinquestionisdisabled.Theevaluatorshallcompletethefollowingtestfivetimes.Theevaluatorshallpoweronthedevice,ensuretheradioinquestionisdisabled,poweroffthedevice,enable"MaxHold"onthespectrumanalyzerandpoweronthedevice.Theevaluatorshallwait2minutesateachAuthenticationFactorinterfacepriortoenteringthenecessarypasswordtocompletethebootprocess,waiting5minutesafterthedeviceisfullybooted.Theevaluatorshallclearthe"MaxHold"onthespectrumanalyzer.Iftheradiosareusedfordeviceinitialization,thenaspikeofRFactivityfortheuplinkchannelcanbeobservedinitiallyatdeviceboot.However,ifaspikeofRFactivityfortheuplinkchannelofthespecificradiofrequencybandisobservedafterthedeviceisfullybootedoratanAuthenticationFactorinterfaceitisdeemedthattheradioisenabled.

Function5TheevaluatorshallverifythattheTSSincludesadescriptionofeachcollectiondeviceandanindicationofifitcanbeenabled/disabledalongwithwhatrolecandoso.TheevaluatorshallconfirmthattheAGDguidancedescribeshowtoperformtheenable/disablefunction.

Test5:Theevaluatorshallperformthefollowingtest(s):a. TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnot

restrictedtotheadministrator,theuser,toenableanddisablethestateofeachaudioorvisualcollectiondevices(e.g.camera,microphone)listedbytheSTauthor.Foreachcollectiondevice,theevaluatorshalldisablethedeviceandthenattempttouseitsfunctionality.TheevaluatorshallreboottheTOEandverifythatdisabledcollectiondevicesmaynotbeusedduringorearlyinthebootprocess.Additionally,theevaluatorshallbootthedeviceintoeachavailableauxiliarybootmodeandverifythatthecollectiondevicecannotbeused.

b. [conditional]If"per-appbasis"isselected,theevaluatorshallcreatetwoapplicationsandenableonetouseaccesstheA/VdeviceandtheothertonotaccesstheA/Vdevice.TheevaluatorshallexerciseeachapplicationattemptingtoaccesstheA/Vdeviceindividually.TheevaluatorshallverifythattheenabledapplicationisabletoaccesstheA/VdeviceandthedisabledapplicationisnotabletoaccesstheA/Vdevice.

c. [conditional]If"per-groupsofapplicationbasis"isselected,theevaluatorshallcreatetwoapplicationsandtheapplicationsshallbeplacedintodifferentgroups.EnableonegrouptoaccesstheA/VdeviceandtheothertonotaccesstheA/Vdevice.TheevaluatorshallexerciseeachapplicationattemptingtoaccesstheA/Vdeviceindividually.TheevaluatorshallverifythattheapplicationintheenabledgroupisabletoaccesstheA/VdeviceandtheapplicationinthedisabledgroupisnotabletoaccesstheA/Vdevice.

Function6Test6:TheevaluatorshallusethetestenvironmenttoinstructtheTSF,bothasauserandastheadministrator,tocommandthedevicetotransitiontoalockedstate,andverifythat

thedevicetransitionstothelockedstateuponcommand.

Function7Test7:TheevaluatorshallusethetestenvironmenttoinstructtheTSF,bothasauserandastheadministrator,tocommandthedevicetoperformawipeofprotecteddata.TheevaluatormustensurethatthismanagementsetupisusedwhenconductingtheEvaluationActivitiesinFCS_CKM_EXT.5.

Function8TheevaluatorshallverifytheTSSdescribestheallowableapplicationinstallationpolicyoptionsbasedontheselectionincludedintheST.Iftheapplicationallowlistisselected,theevaluatorshallverifythattheTSSincludesadescriptionofeachapplicationcharacteristicuponwhichtheallowlistmaybebased.

Test8:TheevaluatorshallexercisetheTSFconfigurationastheadministratortorestrictparticularapplications,sourcesofapplications,orapplicationinstallationaccordingtotheAGDguidance.Theevaluatorshallattempttoinstallunauthorizedapplicationsandensurethatthisisnotpossible.Theevaluatorshall,inconjunction,performthefollowingspecifictests:a. [conditional]Theevaluatorshallattempttoconnecttoanunauthorizedrepositoryin

ordertoinstallapplications.b. [conditional]Theevaluatorshallattempttoinstalltwoapplications(oneallowlisted,

andonenot)fromaknownallowedrepositoryandverifythattheapplicationnotontheallowlistisrejected.Theevaluatorshallalsoattempttoside-loadexecutablesorinstallationpackagesviaUSBconnectionstodeterminethatthewhitelistisstilladheredto

Function9&Function10TheevaluatorshallverifythattheTSSdescribeseachcategoryofkeys/secretsthatcanbeimportedintotheTSF’ssecurekeystorage.

Test9:ThetestofthesefunctionsisperformedinassociationwithFCS_STG_EXT.1.

Test10:ThetestofthesefunctionsisperformedinassociationwithFCS_STG_EXT.1.

Function11TheevaluatorshallreviewtheAGDguidancetodeterminethatitdescribesthestepsneededtoimport,modify,orremovecertificatesintheTrustAnchordatabase,andthattheusersthathaveauthoritytoimportthosecertificates(e.g.,onlyadministrator,orbothadministratorsandusers)areidentified.

Test11:TheevaluatorshallimportcertificatesaccordingtotheAGDguidanceastheuserand/orastheadministrator,asdeterminedbytheadministrativeguidance.Theevaluatorshallverifythatnoerrorsoccurduringimport.TheevaluatorshouldperformanactionrequiringuseoftheX.509v3certificatetoprovideassurancethatinstallationwascompletedproperly.

Function12TheevaluatorshallverifythattheTSSdescribeseachadditionalcategoryofX.509certificatesandtheirusewithintheTSF.

Test12:Theevaluatorshallremoveanadministrator-importedcertificateandanyothercategoriesofcertificatesincludedintheassignmentoffunction14fromtheTrustAnchorDatabaseaccordingtotheAGDguidanceastheuserandastheadministrator.

Function13TheevaluatorshallexaminetheTSStoensurethatitcontainsadescriptionofeachmanagementfunctionthatwillbeenforcedbytheenterpriseoncethedeviceisenrolled.TheevaluatorshallexaminetheAGDguidancetodeterminethatthissameinformationispresent.

Test13:Theevaluatorshallverifythatuserapprovalisrequiredtoenrollthedeviceintomanagement.

Function14TheevaluatorshallverifythattheTSSincludesanindicationofwhatapplications(e.g.,user-installedapplications,Administrator-installedapplications,orEnterpriseapplications)canberemovedalongwithwhatrolecandoso.TheevaluatorshallexaminetheAGDguidancetodeterminethatitdetails,foreachtypeofapplicationthatcanberemoved,theproceduresnecessarytoremovethoseapplicationsandtheirassociateddata.ForthepurposesofthisEvaluationActivity,"associateddata"referstodatathatarecreatedbytheappduringitsoperationthatdonotexistindependentoftheapp'sexistence,forinstance,configurationdata,ore-mailinformationthat’spartofane-mailclient.Itdoesnot,ontheotherhand,refertodatasuchaswordprocessingdocuments(forawordprocessingapp)orphotos(foraphotoorcameraapp).

Test14:TheevaluatorshallattempttoremoveapplicationsaccordingtotheAGDguidance

andverifythattheTOEnolongerpermitsuserstoaccessthoseapplicationsortheirassociateddata.

Function15Test15:TheevaluatorshallattempttoupdatetheTSFsystemsoftwarefollowingtheproceduresintheAGDguidanceandverifythatupdatescorrectlyinstallandthattheversionnumbersofthesystemsoftwareincrease.

Function16Test16:TheevaluatorshallattempttoinstallanapplicationfollowingtheproceduresintheAGDguidanceandverifythattheapplicationisinstalledandavailableontheTOE.

Function17Test17:TheevaluatorshallattempttoremoveanyEnterpriseapplicationsfromthedevicebyfollowingtheadministratorguidance.TheevaluatorshallverifythattheTOEnolongerpermitsuserstoaccessthoseapplicationsortheirassociateddata.

Function18TheevaluatorshallexaminetheAGDGuidancetodeterminethatitspecifies,foratleasteachcategoryofinformationselectedforFunction18,howtoenableanddisabledisplayinformationforthattypeofinformationinthelockedstate.

Test18:ForeachcategoryofinformationlistedintheAGDguidance,theevaluatorshallverifythatwhenthatTSFisconfiguredtolimittheinformationaccordingtotheAGD,theinformationisnolongerdisplayedinthelockedstate.

Function19Test19:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenablesystem-widedata-at-restprotectionaccordingtotheAGDguidance.TheevaluatorshallensurethatallEvaluationActivitiesforDAR(FDP_DAR)areconductedwiththedeviceinthisconfiguration.

Function20Test20:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenableremovablemedia’sdata-at-restprotectionaccordingtotheAGDguidance.TheevaluatorshallensurethatallEvaluationActivitiesforDAR(FDP_DAR)areconductedwiththedeviceinthisconfiguration.

Function21Test21:Theevaluatorshallperformthefollowingtests.a. Theevaluatorshallenablelocationservicesdevice-wideandshallverifythatan

application(suchasamappingapplication)isabletoaccesstheTOE’slocationinformation.Theevaluatorshalldisablelocationservicesdevice-wideandshallverifythatanapplication(suchasamappingapplication)isunabletoaccesstheTOE’slocationinformation.

b. [conditional]If"per-appbasis"isselected,theevaluatorshallcreatetwoapplicationsandenableonetouseaccessthelocationservicesandtheothertonotaccessthelocationservices.Theevaluatorshallexerciseeachapplicationattemptingtoaccesslocationservicesindividually.Theevaluatorshallverifythattheenabledapplicationisabletoaccessthelocationservicesandthedisabledapplicationisnotabletoaccessthelocationservices.

Function22Test22:TheevaluatorshallverifythattheTSSstatesiftheTOEsupportsaBAFand/orhybridauthentication.IftheTOEdoesnotincludeaBAFand/orhybridauthenticationthistestisimplicitlymet.a. [conditional]IfaBAFisselectedtheevaluatorshallverifythattheTSSdescribesthe

proceduretoenable/disabletheBAF.IftheTOEincludesmultipleBAFs,theevaluatorshallverifythattheTSSdescribeshowtoenable/disableeachBAF,specificallyifthedifferentmodalitiescanbeindividuallyenabled/disabled.TheevaluatorshallconfiguretheTOEtoalloweachsupportedBAFtoauthenticateandverifythatsuccessfulauthenticationcanbeachievedusingtheBAF.TheevaluatorshallconfiguretheTOEtodisabletheuseofeachsupportedBAFforauthenticationandconfirmthattheBAFcannotbeusedtoauthenticate.

b. [conditional]If"Hybrid"isselectedtheevaluatorshallverifythattheTSSdescribestheproceduretoenable/disablethehybrid(biometriccredentialandPIN/password)authentication.TheevaluatorshallconfiguretheTOEtoallowhybridauthenticationtoauthenticateandconfirmthatsuccessfulauthenticationcanbeachievedusingthehybridauthentication.TheevaluatorshallconfiguretheTOEtodisabletheuseofhybridauthenticationandconfirmthatthehybridauthenticationcannotbeusedtoauthenticate.

EvaluationActivityNote:Itshouldbenotedthatthefollowingfunctionsareoptionalcapabilities,ifthefunctionisimplemented,thenthefollowingEvaluationActivitiesshallbeperformed.Thenotationof"[conditional]besidethefunctionnumberindicatesthatifthefunctionisnotincludedintheST,thenthereisnoexpectationthattheevaluationactivity

beperformed.

Function23[conditional]Test23:ThetestofthisfunctionisperformedinconjunctionwithFIA_X509_EXT.2.2,FCS_TLSC_EXT.1.3inthePackageforTransportLayerSecurity.

Function24[conditional]TheevaluatorshallverifythattheTSSincludesalistofeachexternallyaccessiblehardwareportandanindicationofifdatatransferoverthatportcanbeenabled/disabled.AGDguidancewilldescribehowtoperformtheenable/disablefunction.

Test24:TheevaluatorshallexercisetheTSFconfigurationtoenableanddisabledatatransfercapabilitiesovereachexternallyaccessiblehardwareports(e.g.USB,SDcard,HDMI)listedbytheSTauthor.Theevaluatorshallusetestequipmentfortheparticularinterfacetoensurethatnolow-levelsignalingisoccurringonallpinsusedfordatatransferwhentheyaredisabled.Foreachdisableddatatransfercapability,theevaluatorshallrepeatthistestbyrebootingthedeviceintothenormaloperationalmodeandverifyingthatthecapabilityisdisabledthroughoutthebootandearlyexecutionstageofthedevice.

Function25[conditional]TheevaluatorshallverifythattheTSSdescribeshowtheTSFactsasaserverineachoftheprotocolslistedintheST,andthereasonforactingasaserver.

Test25:Theevaluatorshallattempttodisableeachlistedprotocolintheassignment.TheevaluatorshallverifythatremotedevicescannolongeraccesstheTOEorTOEresourcesusinganydisabledprotocols.

Function26[conditional]Test26:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenableanddisableanydevelopermode.Theevaluatorshalltestthatdevelopermodeaccessisnotavailablewhenitsconfigurationisdisabled.Theevaluatorshallverifythedevelopermoderemainsdisabledduringdevicereboot.

Function27[conditional]TheevaluatorshallexaminetheAGDguidancetodeterminethatitdescribeshowtoenableanddisableany"ForgotPassword",passwordhint,orremoteauthentication(tobypasslocalauthenticationmechanisms)capability.

Test27:ForeachmechanismlistedintheAGDguidancethatprovidesa"ForgotPassword"featureorothermeanswherethelocalauthenticationprocesscanbebypassed,theevaluatorshalldisablethefeatureandensurethattheyarenotabletobypassthelocalauthenticationprocess.

Function28[conditional]Test28:TheevaluatorshallattempttowipeEnterprisedataresidentonthedeviceaccordingtotheadministratorguidance.Theevaluatorshallverifythatthedataisnolongeraccessiblebytheuser.

Function29[conditional]TheevaluatorshallverifythattheTSSdescribeshowapprovalforanapplicationtoperformtheselectedaction(import,removal)withrespecttocertificatesintheTrustAnchorDatabaseisaccomplished(e.g.,apop-up,policysetting,etc.).

TheevaluatorshallalsoverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesanysecurityfunctions(import,modification,ordestructionoftheTrustAnchorDatabase)allowedbyapplications.

Test29:Theevaluatorshallperformoneofthefollowingtests:a. [conditional]IfapplicationsmayimportcertificatestotheTrustAnchorDatabase,the

evaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatimportsacertificateintotheTrustAnchorDatabase.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtoimportthecertificate:

Theevaluatorshalldenytheapprovalstoverifythattheapplicationisnotabletoimportthecertificate.Failureofimportshallbetestedbyattemptingtovalidateacertificatethatchainstothecertificatewhoseimportwasattempted(asdescribedintheevaluationactivityforFIA_X509_EXT.1).Theevaluatorshallrepeatthetest,allowingtheapprovaltoverifythattheapplicationisabletoimportthecertificateandthatvalidationoccurs.

b. [conditional]IfapplicationsmayremovecertificatesintheTrustAnchorDatabase,theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatremovescertificatesfromtheTrustAnchorDatabase.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtoremovethecertificate:

Theevaluatorshalldenytheapprovalstoverifythattheapplicationisnotabletoremovethecertificate.Failureofremovalshallbetestedbyattemptingtovalidateacertificatethatchainstothecertificatewhoseremovalwasattempted

(asdescribedintheevaluationactivityforFIA_X509_EXT.1).Theevaluatorshallrepeatthetest,allowingtheapprovaltoverifythattheapplicationisabletoremove/modifythecertificateandthatvalidationnolongeroccurs.

Function30[conditional]Test30:ThetestofthisfunctionisperformedinconjunctionwithFIA_X509_EXT.2.2.

Function31[conditional]TheevaluatorshallensurethattheTSSdescribeswhichcellularprotocolscanbedisabled.TheevaluatorshallconfirmthattheAGDguidancedescribestheprocedurefordisablingeachcellularprotocolidentifiedintheTSS.

Test31:Theevaluatorshallattempttodisableeachcellularprotocolaccordingtotheadministratorguidance.Theevaluatorshallattempttoconnectthedevicetoacellularnetworkand,usingnetworkanalysistools,verifythatthedevicedoesnotallownegotiationofthedisabledprotocols.

Function32[conditional]Test32:Theevaluatorshallattempttoreadanydeviceauditlogsaccordingtotheadministratorguidanceandverifythatthelogsmayberead.ThistestmaybeperformedinconjunctionwiththeevaluationactivityofFAU_GEN.1.

Function33[conditional]Test33:ThetestofthisfunctionisperformedinconjunctionwithFPT_TUD_EXT.5.1.

Function34[conditional]TheevaluatorshallverifythattheTSSdescribeshowtheapprovalforexceptionsforshareduseofkeys/secretsbymultipleapplicationsisaccomplished(e.g.,apop-up,policysetting,etc.).

Test34:ThetestofthisfunctionisperformedinconjunctionwithFCS_STG_EXT.1.

Function35[conditional]TheevaluatorshallverifythattheTSSdescribeshowtheapprovalforexceptionsfordestructionofkeys/secretsbyapplicationsthatdidnotimportthekey/secretisaccomplished(e.g.,apop-up,policysetting,etc.).

Test35:ThetestofthisfunctionisperformedinconjunctionwithFCS_STG_EXT.1.

Function36[conditional]TheevaluatorshallverifythattheTSSdescribesanyrestrictionsinbannersettings(e.g.,characterlimitations).

Test36:ThetestofthisfunctionisperformedinconjunctionwithFTA_TAB.1.

Function37[conditional]Test37:ThetestofthisfunctionisperformedinconjunctionwithFAU_SEL.1.

Function38[conditional]Test38:ThetestofthisfunctionisperformedinconjunctionwithFPT_NOT_EXT.2.1.

Function39[conditional]TheevaluatorshallverifythattheTSSincludesadescriptionofhowdatatransferscanbemanagedoverUSB.

Test39:Theevaluatorshallperformthefollowingtestsbasedontheselectionsmadeinthetable:a. [conditional]TheevaluatorshalldisableUSBmassstoragemode,attachthedeviceto

acomputer,andverifythatthecomputercannotmounttheTOEasadrive.TheevaluatorshallreboottheTOEandrepeatthistestwithothersupportedauxiliarybootmodes.

b. [conditional]TheevaluatorshalldisableUSBdatatransferwithoutuserauthentication,attachthedevicetoacomputer,andverifythattheTOErequiresuserauthenticationbeforethecomputercanaccessTOEdata.TheevaluatorshallreboottheTOEandrepeatthistestwithothersupportedauxiliarybootmodes.

c. [conditional]TheevaluatorshalldisableUSBdatatransferwithoutconnectingsystemauthentication,attachthedevicetoacomputer,andverifythattheTOErequiresconnectingsystemauthenticationbeforethecomputercanaccessTOEdata.TheevaluatorshallthenconnecttheTOEtoanothercomputerandverifythatthecomputercannotaccessTOEdata.TheevaluatorshallthenconnecttheTOEtotheoriginalcomputerandverifythatthecomputercanaccessTOEdata.

Function40[conditional]TheevaluatorshallverifythattheTSSincludesadescriptionofavailablebackupmethodsthatcanbeenabled/disabled.If"selectedapplicationsorselectedgroupsofapplicationsareselectedtheTSSshallincludewhichapplicationsofgroupsofapplicationsbackupcanbe

enabled/disabled.

Test40:If"allapplications"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythattheTOEcannotcompleteabackup.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifythattheTOEcanperformabackup.

If"selectedapplications"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythatfortheselectedapplicationtheTOEpreventsbackupfromoccurring.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifythatfortheselectedapplicationtheTOEcanperformabackup.

If"selectedgroupsofapplications"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythatforagroupofapplicationstheTOEpreventsthebackupfromoccurring.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifyforthegroupofapplicationtheTOEcanperformabackup.

If"configurationdata"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythattheTOEpreventsthebackupofconfigurationdatafromoccurring.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifythattheTOEcanperformabackupofconfigurationdata.

Function41[conditional]TheevaluatorshallverifythattheTSSincludesadescriptionofHotspotfunctionalityandUSBtetheringtoincludeanyauthenticationforthese.

Test41:TheevaluatorshallperformthefollowingtestsbasedontheselectionsinFunction41.a. [conditional]Theevaluatorshallenablehotspotfunctionalitywitheachoftheofthe

supportauthenticationmethods.Theevaluatorshallconnecttothehotspotwithanotherdeviceandverifythatthehotspotfunctionalityrequirestheconfiguredauthenticationmethod.

b. [conditional]TheevaluatorshallenableUSBtetheringfunctionalitywitheachoftheofthesupportauthenticationmethods.TheevaluatorshallconnecttotheTOEoverUSBwithanotherdeviceandverifythatthetetheringfunctionalityrequirestheconfiguredauthenticationmethod.

Function42[conditional]Test42:ThetestofthisfunctionisperformedinconjunctionwithFDP_ACF_EXT.1.2.

Function43[conditional]Test43:Theevaluatorshallsetapolicytocauseadesignatedapplicationtobeplacedintoaparticularapplicationgroup.Theevaluatorshalltheninstallthedesignatedapplicationandverifythatitwasplacedintothecorrectgroup.

Function44[conditional]Test44:TheevaluatorshallattempttounenrollthedevicefrommanagementandverifythatthestepsdescribedinFMT_SMF_EXT.2.1areperformed.ThistestshouldbeperformedinconjunctionwiththeFMT_SMF_EXT.2.1evaluationactivity.

Function45[conditional]Test45:TheevaluatorshallverifythattheTSScontainsguidancetoconfiguretheVPNasAlways-On.TheevaluatorshallconfiguretheVPNasAlways-Onandperformthefollowingtest.a. TheevaluatorshallverifythatwhentheVPNisconnectedalltrafficisroutedthrough

theVPN.ThistestisperformedinconjunctionwithFDP_IFC_EXT.1.1.b. TheevaluatorshallverifythatwhentheVPNisnotestablished,thatnotrafficleaves

thedevice.TheevaluatorshallensurethattheTOEhasnetworkconnectivityandthattheVPNisestablished.TheevaluatorshalluseapacketsniffingtooltocapturethetrafficleavingtheTOE.TheevaluatorshalldisabletheVPNconnectionontheserverside.Theevaluatorshallperformactionswiththedevicesuchasnavigatingtowebsites,usingprovidedapplications,andaccessingotherInternetresourcesandverifythatnotrafficleavesthedevice.

c. TheevaluatorshallverifythattheTOEhasnetworkconnectivityandthattheVPNisestablished.Theevaluatorshalldisablenetworkconnectivity(i.e.AirplaneMode)andverifythattheVPNdisconnects.Theevaluatorshallre-establishnetworkconnectivityandverifythattheVPNautomaticallyreconnects.

Function46[conditional]Test46:TheevaluatorshallverifythattheTSSdescribestheproceduretorevokeabiometriccredentialstoredontheTOE.TheevaluatorshallconfiguretheTOEtouseBAFandconfirmthatthebiometriccanbeusedtoauthenticatetothedevice.Theevaluatorshallrevokethebiometriccredential’sabilitytoauthenticatetotheTOEandconfirmthatthesameBAFcannotbeusedtoauthenticatetothedevice.

Function47TheevaluatorshallverifythattheTSSdescribesallassignedsecuritymanagementfunctionsandtheirintendedbehavior.

Test47:TheevaluatorshalldesignandperformteststodemonstratethatthefunctionmaybeconfiguredandthattheintendedbehaviorofthefunctionisenactedbytheTOE.

FMT_SMF_EXT.2SpecificationofRemediationActionsFMT_SMF_EXT.2.1

TheTSFshalloffer[selection:wipeofprotecteddata,wipeofsensitivedata,removeEnterpriseapplications,removealldevice-storedEnterpriseresourcedata,removeEnterprisesecondaryauthenticationdata,[assignment:listotheravailableremediationactions]]uponun-enrollmentand[selection:[assignment:otheradministrator-configuredtriggers],noothertriggers].

ApplicationNote:Un-enrollmentmayconsistofremovingtheMDMagentorremovingtheadministrator’spolicies.ThefunctionsintheselectionareremediationactionsthatTOEmayprovide(perhapsviaAPIs)totheadministrator(perhapsviaanMDMagent)thatmaybeperformeduponun-enrollment."Enterpriseapplications"referstoapplicationsthatareintheEnterpriseapplicationgroup."Enterpriseresourcedata"referstoallstoredEnterprisedataandtheseparateresourcesthatareavailabletotheEnterpriseapplicationgroup,perFDP_ACF_EXT.2.1.IfFDP_ACF_EXT.2.1isincludedintheST,then"removealldevice-storedEnterpriseresourcedata"mustbeselected,andisdefinedtobeallresourcesselectedinFDP_ACF_EXT.2.1.IfFIA_UAU_EXT.4.1isincludedintheST,then"removeEnterprisesecondaryauthenticationdata"mustbeselected.IfFIA_UAU_EXT.4.1isnotincludedintheST,then"removeEnterprisesecondaryauthenticationdata"cannotbeselected.EnterprisesecondaryauthenticationdataonlyreferstoanydatastoredontheTOEthatisspecificallyusedaspartofasecondaryauthenticationmechanismtoauthenticateaccesstoEnterpriseapplicationsandsharedresources.MaterialthatisusedfortheTOE’sprimaryauthenticationmechanismorotherpurposesnotrelatedtoauthenticationtoorprotectionofEnterpriseapplicationsorsharedresourcesshouldnotberemoved.

Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.If"wipeofprotecteddata"isselecteditisassumedthatthesensitivedataiswipedaswell.However,if"wipeofsensitivedata"isselected,itdoesnotimplythatallnon-TSFdata(protecteddata)iswiped.If"wipeofprotecteddata"or"wipeofsensitivedata"isselectedthewipemustbeinaccordancewithFCS_CKM_EXT.5.1.Thuscryptographicallywipingthedeviceisanacceptableremediationaction.


FMT_SMF_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribesallavailableremediationactions,whentheyareavailableforuse,andanyotheradministrator-configuredtriggers.TheevaluatorshallverifythattheTSSdescribeshowtheremediationactionsareprovidedtotheadministrator.


TestsTheevaluatorshallusethetestenvironmenttoiterativelyconfigurethedevicetoperformeachremediationactionintheselection.TheevaluatorshallconfiguretheremediationactionperhowtheTSSstatesitisprovidedtotheadministrator.ThetestenvironmentcouldbeaMDMagentapplication,butcanalsobeanapplicationwithadministratoraccess.

5.1.7Class:ProtectionoftheTSF(FPT)

FPT_AEX_EXT.1ApplicationAddressSpaceLayoutRandomizationFPT_AEX_EXT.1.1

TheTSFshallprovideaddressspacelayoutrandomizationASLRtoapplications.

FPT_AEX_EXT.1.2Thebaseaddressofanyuser-spacememorymappingwillconsistofatleast8unpredictablebits.

ApplicationNote:The8unpredictablebitsmaybeprovidedbytheTSFRBG(asspecifiedinFCS_RBG_EXT.1)butisnotrequired.


FPT_AEX_EXT.1:TSSTheevaluatorshallensurethattheTSSsectionoftheSTdescribeshowthe8bitsaregeneratedandprovidesajustificationastowhythosebitsareunpredictable.


TestsEvaluationActivityNote:ThefollowingtestrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Test1:Theevaluatormustselect3appsincludedwiththeTSF.ThesemustincludeanywebbrowserormailclientincludedwiththeTSF.Foreachoftheseapps,theevaluatorshalllaunchthesameappontwoseparateMobileDevicesofthesametypeandcompareallmemorymappinglocations.Theevaluatormustensurethatnomemorymappingsareplacedinthesamelocationonbothdevices.

Iftherare(atmost1/256)chanceoccursthattwomappingsarethesameforasingleappandnotthesamefortheothertwoapps,theevaluatorshallrepeatthetestwiththatapptoverifythatinthesecondtestthemappingsaredifferent.

FPT_AEX_EXT.2MemoryPagePermissionsFPT_AEX_EXT.2.1

TheTSFshallbeabletoenforceread,write,andexecutepermissionsoneverypageofphysicalmemory.


FPT_AEX_EXT.2:TSSTheevaluatorshallensurethattheTSSdescribesofthememorymanagementunit(MMU),andensuresthatthisdescriptiondocumentstheabilityoftheMMUtoenforceread,write,andexecutepermissionsonallpagesofvirtualmemory.



FPT_AEX_EXT.3StackOverflowProtectionFPT_AEX_EXT.3.1

TSFprocessesthatexecuteinanon-privilegedexecutiondomainontheapplicationprocessorshallimplementstack-basedbufferoverflowprotection.

ApplicationNote:A"non-privilegedexecutiondomain"referstotheusermode(asopposedtokernelmode,forinstance)oftheprocessor.WhilenotallTSFprocessesmustimplementsuchprotection,itisexpectedthatmostoftheprocesses(toincludelibrariesusedbyTSFprocesses)doimplementbufferoverflowprotections.


FPT_AEX_EXT.3:TSSTheevaluatorshalldeterminethattheTSScontainsadescriptionofstack-basedbufferoverflowprotectionsimplementedintheTSFsoftwarewhichrunsinthenon-privilegedexecutionmodeoftheapplicationprocessor.Theexactimplementationofstack-basedbufferoverflowprotectionwillvarybyplatform.Exampleimplementationsmaybeactivatedthroughcompileroptionssuchas"-fstack-protector-all","-fstack-protector",and"/GS"flags.TheevaluatorshallensurethattheTSScontainsaninventoryofTSFbinariesandlibraries,indicatingthosethatimplementstack-basedbufferoverflowprotectionsaswellasthosethatdonot.TheTSSmustprovidearationale

forthosebinariesandlibrariesthatarenotprotectedinthismanner.



FPT_AEX_EXT.4DomainIsolationFPT_AEX_EXT.4.1

TheTSFshallprotectitselffrommodificationbyuntrustedsubjects.

FPT_AEX_EXT.4.2TheTSFshallenforceisolationofaddressspacebetweenapplications.

ApplicationNote:InadditiontotheTSFsoftware(e.g.,kernelimage,devicedrivers,trustedapplications)thatresidesinstorage,theexecutioncontext(e.g.,addressspace,processorregisters,per-processenvironmentvariables)ofthesoftwareoperatinginaprivilegedmodeoftheprocessor(e.g.,kernel),aswellasthecontextofthetrustedapplicationsistobeprotected.Inadditiontothesoftware,anyconfigurationinformationthatcontrolsorinfluencesthebehavioroftheTSFisalsotobeprotectedfrommodificationbyuntrustedsubjects.

Configurationinformationincludes,butisnotlimitedto,userandadministrativemanagementfunctionsettings,WLANprofiles,andBluetoothdatasuchastheservice-levelsecurityrequirementsdatabase.

Untrustedsubjectsincludeuntrustedapplications;unauthorizeduserswhohaveaccesstothedevicewhilepoweredoff,inascreen-lockedstate,orwhenbootedintoauxiliarybootmodes;and,unauthorizedusersoruntrustedsoftwareorhardwarewhichmayhaveaccesstothedeviceoverawiredinterface,eitherwhenthedeviceisinascreen-lockedstateorbootedintoauxiliarybootmodes.


FPT_AEX_EXT.4:TSSTheevaluatorshallensurethattheTSSdescribesthemechanismsthatareinplacethatpreventsnon-TSFsoftwarefrommodifyingtheTSFsoftwareorTSFdatathatgovernsthebehavioroftheTSF.Thesemechanismscouldrangefromhardware-basedmeans(e.g."executionrings"andmemorymanagementfunctionality);tosoftware-basedmeans(e.g.boundarycheckingofinputstoAPIs).TheevaluatordeterminesthatthedescribedmechanismsappearreasonabletoprotecttheTSFfrommodification.

TheevaluatorshallensuretheTSSdescribeshowtheTSFensuresthattheaddressspacesofapplicationsarekeptseparatefromoneanother.

TheevaluatorshallensuretheTSSdetailstheUSSDandMMIcodesavailablefromthedialeratthelockedstateorduringauxiliarybootmodesthatmayalterthebehavioroftheTSF.Theevaluatorshallensurethatthisdescriptionincludesthecode,theactionperformedbytheTSF,andajustificationthattheactionsperformeddonotmodifyuserorTSFdata.IfnoUSSDorMMIcodesareavailable,theevaluatorshallensurethattheTSSprovidesadescriptionofthemethodbywhichactionsprescribedbythesecodesareprevented.

TheevaluatorshallensuretheTSSdocumentsanyTSFdata(includingsoftware,executioncontext,configurationinformation,andauditlogs)whichmaybeaccessedandmodifiedoverawiredinterfaceinauxiliarybootmodes.Theevaluatorshallensurethatthedescriptionincludesdata,whichismodifiedinsupportofupdateorrestoreofthedevice.Theevaluatorshallensurethatthisdocumentationincludestheauxiliarybootmodesinwhichthedatamaybemodified,themethodsforenteringtheauxiliarybootmodes,thelocationofthedata,themannerinwhichdatamaybemodified,thedataformatandpackagingnecessarytosupportmodification,andsoftwareand/orhardwaretools,ifany,whicharenecessaryformodifyingthedata.

TheevaluatorshallensurethattheTSSprovidesadescriptionofthemeansbywhichunauthorizedandundetectedmodification(thatis,excludingcryptographicallyverifiedupdatesperFPT_TUD_EXT.2)oftheTSFdataoverthewiredinterfaceinauxiliarybootsmodesisprevented.Thelackofpubliclyavailabletoolsisnotsufficientjustification.Examplesofsufficientjustificationincludeauditingofchanges,cryptographicverificationintheformofadigitalsignatureorhash,disablingtheauxiliarybootmodes,andaccesscontrolmechanismsthatpreventwritingtofilesorflashingpartitions.

Guidance

Therearenoguidanceevaluationactivitiesforthiscomponent.

TestsEvaluationActivityNote:ThefollowingtestsrequirethevendortoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.Inaddition,thevendorprovidesalistoffiles(e.g.,systemfiles,libraries,configurationfiles,auditlogs)thatmakeuptheTSFdata.Thislistcouldbeorganizedbyfolders/directories(e.g.,/usr/sbin,/etc),aswellasindividualfilesthatmayexistoutsideoftheidentifieddirectories.

Test1:TheevaluatorshallcreateandloadanappontotheMobileDevice.Thisappshallattempttotraverseoverallfilesystemsandreportanylocationstowhichdatacanbewrittenoroverwritten.TheevaluatormustensurethatnoneoftheselocationsarepartoftheOSsoftware,devicedrivers,systemandsecurityconfigurationfiles,keymaterial,oranotheruntrustedapplication’simage/data.Forexample,itisacceptableforatrustedphotoeditorapptohaveaccesstothedatacreatedbythecameraapp,butacalculatorapplicationshallnothaveaccesstothepictures.

Test2:Foreachavailableauxiliarybootmode,theevaluatorshallattempttomodifyaTSFfileoftheirchoosingusingthesoftwareand/orhardwaretoolsdescribedintheTSS.Theevaluatorshallverifythatthemodificationfails.

FPT_JTA_EXT.1JTAGDisablementFPT_JTA_EXT.1.1

TheTSFshall[selection:disableaccessthroughhardware,controlaccessbyasigningkey]toJTAG.

ApplicationNote:ThisrequirementmeansthataccesstoJTAGmustbedisabledeitherthroughhardwareand/orrestrictedthroughtheuseofasigningkey.


FPT_JTA_EXT.1:TSSIf"disableaccessthroughhardware"isselected:TheevaluatorshallexaminetheTSStodeterminethelocationoftheJTAGportsontheTSF,toincludetheorderoftheports(i.e.DataIn,DataOut,Clock,etc.).

If"controlaccessbyasigningkey"isselected:TheevaluatorshallexaminetheTSStodeterminehowaccesstotheJTAGiscontrolledbyasigningkey.TheevaluatorshallexaminetheTSStodeterminewhentheJTAGcanbeaccessed,i.e.whathastheaccesstothesigningkey.


TestsEvaluationActivityNote:Thefollowingtestrequiresthedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithchiplevelaccess.

If"disableaccessthroughhardware"isselected:TheevaluatorshallconnectapacketanalyzertotheJTAGports.TheevaluatorshallquerytheJTAGportforitsdeviceIDandconfirmthatthedeviceIDcannotberetrieved.

FPT_KST_EXT.1KeyStorageFPT_KST_EXT.1.1

TheTSFshallnotstoreanyplaintextkeymaterialinreadablenon-volatilememory.

ApplicationNote:TheintentionofthisrequirementisthattheTOEwillnotwriteplaintextkeyingmaterialtopersistentstorage.Forthepurposesofthisrequirement,keyingmaterialreferstoauthenticationdata,passwords,secret/privatesymmetrickeys,privateasymmetrickeys,datausedtoderivekeys,etc.Thesevaluesmustbestoredencrypted.

Thisrequirementalsoappliestoanyvaluederivedfrompasswords.Thus,the

TOEcannotstoreplaintextpasswordhashesforcomparisonpurposesbeforeprotecteddataisdecrypted,andtheTOEshouldusekeyderivationanddecryptiontoverifythePasswordAuthenticationFactor.

IfaBAFisselectedinFIA_UAU.5.1,keyingmaterialalsoreferstosourcebiometricdata(i.e.fingerprint),enrollmentandauthenticationtemplates,thefeaturesanalgorithmusestoperformbiometricauthenticationforenrollmentorverification(i.e.locationofminutia),thresholdvaluesusedinmakingthematchadjudication,intermediatecalculationsgeneratedwhilebuildinganenrollmentorauthenticationtemplate(i.e.directionmaps,minutiacounts,binarizedandskeletonizedrepresentationsoffrictionridgepatterns,etc.),andfinalmatchscores.Anyimagesormetadataidentifyingtheuserforauthenticationshallbestoredencrypted.

If"hybrid"isselectedinFIA_UAU.5.1,inadditiontothekeyingmaterialincludedfortheBAF,mentionedinthepreviousparagraph,keyingmaterialalsoreferstothePIN/passwordusedaspartofthehybridauthentication.


FPT_KST_EXT.1:TSSTheevaluatorshallconsulttheTSSsectionoftheSTinperformingtheEvaluationActivitiesforthisrequirement.

Inperformingtheirreview,theevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenonpower-upandpasswordauthenticationrelatingtothedecryptionofDEKs,storedkeys,anddata.

TheevaluatorshallensurethatthedescriptionalsocovershowthecryptographicfunctionsintheFCSrequirementsarebeingusedtoperformtheencryptionfunctions,includinghowtheKEKs,DEKs,andstoredkeysareunwrapped,saved,andusedbytheTOEsoastopreventplaintextfrombeingwrittentonon-volatilestorage.TheevaluatorshallensurethattheTSSdescribes,foreachpower-downscenariohowtheTOEensuresthatallkeysinnon-volatilestoragearenotstoredinplaintext.

TheevaluatorshallensurethattheTSSdescribeshowotherfunctionsavailableinthesystem(e.g.,regenerationofthekeys)ensurethatnounencryptedkeymaterialispresentinpersistentstorage.

TheevaluatorshallreviewtheTSStodeterminethatitmakesacasethatkeymaterialisnotwrittenunencryptedtothepersistentstorage.

ForeachBAFselectedinFIA_UAU.5.1:

TheevaluatorshalldeterminethattheTSSalsocontainsadescriptionoftheactivitiesthathappenonbiometricauthentication,relatingtothedecryptionofDEKs,storedkeys,anddata.Inadditionhowthesystemensuresthatthebiometrickeyingmaterialisnotstoredunencryptedinpersistentstorage.



FPT_KST_EXT.2NoKeyTransmissionFPT_KST_EXT.2.1

TheTSFshallnottransmitanyplaintextkeymaterialoutsidethesecurityboundaryoftheTOE.

ApplicationNote:Theintentionofthisrequirementistopreventtheloggingofplaintextkeyinformationtoaservicethattransmitstheinformationoff-device.Forthepurposesofthisrequirement,keymaterialreferstokeys,passwords,andothermaterialthatisusedtoderivekeys.

IfaBAFisselectedinFIA_UAU.5.1,keyingmaterialalsoreferstosourcebiometricdata(i.e.fingerprint),enrollmentandauthenticationtemplates,thefeaturesanalgorithmusestoperformbiometricauthenticationforenrollmentorverification(i.e.locationofminutia),thresholdvaluesusedinmakingthematchadjudication,intermediatecalculationsgeneratedwhilebuildinganenrollmentorauthenticationtemplate(i.e.directionmaps,minutiacounts,binarizedandskeletonizedrepresentationsoffrictionridgepatterns),andfinalmatchscores.

If"hybrid"isselectedinFIA_UAU.5.1,inadditiontothekeyingmaterialincludedfortheBAF,mentionedinthepreviousparagraph,keyingmaterialalsoreferstothePIN/passwordusedaspartofthehybridauthentication.

Inthefuture,thisrequirementwillapplytosymmetricandasymmetricprivatekeysstoredintheTOEsecurekeystoragewhereapplicationsareoutsidetheboundaryoftheTOE.Thus,theTSFwillberequiredtoprovidecryptographickeyoperations(signature,encryption,anddecryption)onbehalfofapplications(FCS_SRV_EXT.2.1)thathaveaccesstothosekeys.


FPT_KST_EXT.2:TSSTheevaluatorshallconsulttheTSSsectionoftheSTinperformingtheEvaluationActivitiesforthisrequirement.TheevaluatorshallensurethattheTSSdescribestheTOEsecurityboundary.Thecryptographicmodulemayverywellbeaparticularkernelmodule,theOperatingSystem,theApplicationProcessor,oruptotheentireMobileDevice.

Inperformingtheirreview,theevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenonpower-upandpasswordauthenticationrelatingtothedecryptionofDEKs,storedkeys,anddata.

TheevaluatorshallensurethattheTSSdescribeshowotherfunctionsavailableinthesystem(e.g.,regenerationofthekeys)ensurethatnounencryptedkeymaterialistransmittedoutsidethesecurityboundaryoftheTOE.

TheevaluatorshallreviewtheTSStodeterminethatitmakesacasethatkeymaterialisnottransmittedoutsidethesecurityboundaryoftheTOE.

ForeachBAFselectedinFIA_UAU.5.1:

Inperformingtheirreview,theevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenonbiometricauthentication,includinghowanyplaintextmaterial,includingcriticalsecurityparametersandresultsofbiometricalgorithms,areprotectedandaccessed.

TheevaluatorshallensurethattheTSSdescribeshowfunctionsavailableinthebiometricalgorithmsensurethatnounencryptedplaintextmaterial,includingcriticalsecurityparametersandintermediateresults,istransmittedoutsidethesecurityboundaryoftheTOEortootherfunctionsorsystemsthattransmitinformationoutsidethesecurityboundaryoftheTOE.



FPT_KST_EXT.3NoPlaintextKeyExportFPT_KST_EXT.3.1

TheTSFshallensureitisnotpossiblefortheTOEuser(s)toexportplaintextkeys.

ApplicationNote:PlaintextkeysincludeDEKs,KEKs,andallkeysstoredinthesecurekeystorage(FCS_STG_EXT.1).TheintentofthisrequirementistopreventtheplaintextkeysfrombeingexportedduringabackupauthorizedbytheTOEuseroradministrator.


FPT_KST_EXT.3:TSSTheSTauthorwillprovideastatementoftheirpolicyforhandlingandprotectingkeys.TheevaluatorshallchecktoensuretheTSSdescribesapolicyinlinewithnotexportingeitherplaintextDEKs,KEKs,orkeysstoredinthesecurekeystorage.



FPT_NOT_EXT.1Self-TestNotificationFPT_NOT_EXT.1.1

TheTSFshalltransitiontonon-operationalmodeand[selection:logfailuresintheauditrecord,notifytheadministrator,[assignment:otheractions],nootheractions]whenthefollowingtypesoffailuresoccur:

failuresoftheself-test(s)TSFsoftwareintegrityverificationfailures[selection:nootherfailures,[assignment:otherfailures]]


FPT_NOT_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribescriticalfailuresthatmayoccurandtheactionstobetakenuponthesecriticalfailures.



Test1:Theevaluatorshalluseatoolprovidedbythedevelopertomodifyfilesandprocessesinthesystemthatcorrespondtocriticalfailuresspecifiedinthesecondlist.Theevaluatorshallverifythatcreatingthesecriticalfailurescausesthedevicetotaketheremediationactionsspecifiedinthefirstlist.

FPT_STM.1ReliableTimeStampsFPT_STM.1.1

TheTSFshallbeabletoprovidereliabletimestampsforitsownuse.


FPT_STM.1:TSSTheevaluatorshallexaminetheTSStoensurethatitlistseachsecurityfunctionthatmakesuseoftime.TheTSSprovidesadescriptionofhowthetimeismaintainedandconsideredreliableinthecontextofeachofthetimerelatedfunctions.ThisdocumentationmustidentifywhethertheTSFusesaNTPserverorthecarrier’snetworktimeastheprimarytimesources.

GuidanceTheevaluatorexaminestheoperationalguidancetoensureitdescribeshowtosetthetime.

TestsTest1:Theevaluatorusestheoperationalguidetosetthetime.Theevaluatorshallthenuseanavailableinterfacetoobservethatthetimewassetcorrectly.

FPT_TST_EXT.1TSFCryptographicFunctionalityTestingFPT_TST_EXT.1.1

TheTSFshallrunasuiteofself-testsduringinitialstart-up(onpoweron)todemonstratethecorrectoperationofallcryptographicfunctionality.

ApplicationNote:Thisrequirementmaybemetbyperformingknownanswertestsand/orpair-wiseconsistencytests.Theself-testsmustbeperformedbeforethecryptographicfunctionalityisexercised(forexample,duringtheinitializationofaprocessthatutilizesthefunctionality).

Thecryptographicfunctionalityincludesthecryptographicoperationsin

FCS_COP,thekeygenerationfunctionsinFCS_CKM,andtherandombitgenerationinFCS_RBG_EXT.


FPT_TST_EXT.1:TSSTheevaluatorshallexaminetheTSStoensurethatitspecifiestheself-teststhatareperformedatstart-up.ThisdescriptionmustincludeanoutlineofthetestproceduresconductedbytheTSF(e.g.,ratherthansaying"memoryistested",adescriptionsimilarto"memoryistestedbywritingavaluetoeachmemorylocationandreadingitbacktoensureitisidenticaltowhatwaswritten"shallbeused).TheTSSmustincludeanyerrorstatesthattheyTSFmayenterwhenself-testsfail,andtheconditionsandactionsnecessarytoexittheerrorstatesandresumenormaloperation.TheevaluatorshallverifythattheTSSindicatestheseself-testsarerunatstart-upautomatically,anddonotinvolveanyinputsfromoractionsbytheuseroroperator.

Theevaluatorshallinspectthelistofself-testsintheTSSandverifythatitincludesalgorithmself-tests.Thealgorithmself-testswilltypicallybeconductedusingknownanswertests.



FPT_TST_EXT.2/PREKERNELTSFIntegrityChecking(Pre-Kernel)FPT_TST_EXT.2.1/PREKERNEL

TheTSFshallverifytheintegrityofthebootchainupthroughtheApplicationProcessorOSkernelstoredinmutablemediapriortoitsexecutionthroughtheuseof[selection:adigitalsignatureusinganimmutablehardwareasymmetrickey,animmutablehardwarehashofanasymmetrickey,animmutablehardwarehash,adigitalsignatureusingahardware-protectedasymmetrickey].

ApplicationNote:ThebootchainoftheTSFisthesequenceoffirmwareandsoftware,includingROM,bootloader(s),andkernel,whichultimatelyresultinloadingthekernelontheApplicationProcessor,regardlessofwhichprocessorexecutesthatcode.ExecutablecodethatwouldbeloadedafterthekerneliscoveredinFPT_TST_EXT.2/POSTKERNEL.

Inordertomeetthisrequirement,thehardwareprotectionmaybetransitiveinnature:ahardware-protectedpublickey,hashofanasymmetrickey,orhashmaybeusedtoverifythemutablebootloadercodewhichcontainsakeyorhashusedbythebootloadertoverifythemutableOSkernelcode,whichcontainsakeyorhashtoverifythenextlayerofexecutablecode,andsoon.

Thecryptographicmechanismusedtoverifythe(initial)mutableexecutablecodemustbeprotected,suchasbeingimplementedinhardwareorinread-onlymemory(ROM).


FPT_TST_EXT.2/PREKERNEL:TSSTheevaluatorshallverifythattheTSSsectionoftheSTincludesadescriptionofthebootprocedures,includingadescriptionoftheentirebootchain,ofthesoftwarefortheTSF’sApplicationProcessor.Theevaluatorshallensurethatbeforeloadingthebootloader(s)fortheoperatingsystemandthekernel,allbootloadersandthekernelsoftwareitselfiscryptographicallyverified.Foreachadditionalcategoryofexecutablecodeverifiedbeforeexecution,theevaluatorshallverifythatthedescriptionintheTSSdescribeshowthatsoftwareiscryptographicallyverified.

TheevaluatorshallverifythattheTSScontainsajustificationfortheprotectionofthecryptographickeyorhash,preventingitfrombeingmodifiedbyunverifiedorunauthenticatedsoftware.TheevaluatorshallverifythattheTSScontainsadescriptionoftheprotectionaffordedtothemechanismperformingthecryptographicverification.

TheevaluatorshallverifythattheTSSdescribeseachauxiliarybootmodeavailableontheTOEduringthebootprocedures.Theevaluatorshallverifythat,foreachauxiliarybootmode,adescriptionofthecryptographicintegrityoftheexecutedcodethroughthekernelisverifiedbeforeeachexecution.


TestsEvaluationActivityNote:ThefollowingtestsrequirethevendortoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Theevaluatorshallperformthefollowingtests:Test1:TheevaluatorshallperformactionstocauseTSFsoftwaretoloadandobservethattheintegritymechanismdoesnotflaganyexecutablesascontainingintegrityerrorsandthattheTOEproperlyboots.

Test2:TheevaluatorshallmodifyaTSFexecutablethatisintegrityprotectedandcausethatexecutabletobesuccessfullyloadedbytheTSF.TheevaluatorobservesthatanintegrityviolationistriggeredandtheTOEdoesnotboot.(Caremustbetakensothattheintegrityviolationisdeterminedtobethecauseofthefailuretoloadthemodule,andnotthefactthatthemodulewasmodifiedsothatitwasrenderedunabletorunbecauseitsformatwascorrupt).

Test3:[conditional]IftheSTauthorindicatesthattheintegrityverificationisperformedusingapublickey,theevaluatorshallverifythattheupdatemechanismincludesacertificatevalidationaccordingtoFIA_X509_EXT.1.TheevaluatorshalldigitallysigntheTSFexecutablewithacertificatethatdoesnothavetheCodeSigningpurposeintheextendedKeyUsagefieldandverifythatanintegrityviolationistriggered.TheevaluatorshallrepeatthetestusingacertificatethatcontainstheCodeSigningpurposeandverifythattheintegrityverificationsucceeds.Ideally,thetwocertificatesshouldbeidenticalexceptfortheextendedKeyUsagefield.

FPT_TUD_EXT.1TrustedUpdate:TSFVersionQueryFPT_TUD_EXT.1.1

TheTSFshallprovideauthorizeduserstheabilitytoquerythecurrentversionoftheTOEfirmware/software.

FPT_TUD_EXT.1.2TheTSFshallprovideauthorizeduserstheabilitytoquerythecurrentversionofthehardwaremodelofthedevice.

ApplicationNote:Thecurrentversionofthehardwaremodelofthedeviceisanidentifierthatissufficienttoindicate(intandemwithmanufacturerdocumentation)thehardwarewhichcomprisesthedevice.

FPT_TUD_EXT.1.3TheTSFshallprovideauthorizeduserstheabilitytoquerythecurrentversionofinstalledmobileapplications.

ApplicationNote:Thecurrentversionofmobileapplicationsisthenameandpublishedversionnumberofeachinstalledmobileapplication.


FPT_TUD_EXT.1:TheevaluatorshallestablishatestenvironmentconsistingoftheMobileDeviceandanysupportingsoftwarethatdemonstratesusageofthemanagementfunctions.Thiscanbetestsoftwarefromthedeveloper,areferenceimplementationofmanagementsoftwarefromthedeveloper,orothercommerciallyavailablesoftware.TheevaluatorshallsetuptheMobileDeviceandtheothersoftwaretoexercisethemanagementfunctionsaccordingtotheprovidedguidancedocumentation.



TestsTest1:UsingtheAGDguidanceprovided,theevaluatorshalltestthattheadministratorandusercanquery:

thecurrentversionoftheTSFoperatingsystemandanyfirmwarethatcanbeupdatedseparately

thehardwaremodeloftheTSFthecurrentversionofallinstalledmobileapplications

Theevaluatormustreviewmanufacturerdocumentationtoensurethatthehardwaremodelidentifierissufficienttoidentifythehardwarewhichcomprisesthedevice.

FPT_TUD_EXT.2TSFUpdateVerificationFPT_TUD_EXT.2.1

TheTSFshallverifysoftwareupdatestotheApplicationProcessorsystemsoftwareand[selection:[assignment:otherprocessorsystemsoftware],nootherprocessorsystemsoftware]usingadigitalsignatureverifiedbythemanufacturertrustedkeypriortoinstallingthoseupdates

ApplicationNote:ThedigitalsignaturemechanismisimplementedinaccordancewithFCS_COP.1.1/SIGN.

Atthistime,thisrequirementdoesnotrequireverificationofsoftwareupdatestothesoftwareoperatingoutsidetheApplicationProcessor.

Anychange,viaasupportedmechanism,tosoftwareresidinginnon-volatilestorageisdeemedasoftwareupdate.Thus,thisrequirementappliestoTSFsoftwareupdatesregardlessofhowthesoftwarearrivesorisdeliveredtothedevice.Thisincludesover-the-air(OTA)updatesaswellaspartitionimagescontainingsoftwarewhichmaybedeliveredtothedeviceoverawiredinterface.

FPT_TUD_EXT.2.2TheTSFshall[selection:neverupdate,updateonlybyverifiedsoftware]theTSFbootintegrity[selection:key,hash].

ApplicationNote:ThekeyorhashupdatedviathisrequirementisusedforverifyingsoftwarebeforeexecutioninFPT_TST_EXT.2/PREKERNEL.Thekeyorhashisverifiedasapartofthedigitalsignatureonanupdate,andthesoftwarewhichperformstheupdateofthekeyorhashisverifiedbyFPT_TST_EXT.2/PREKERNEL.

FPT_TUD_EXT.2.3TheTSFshallverifythatthedigitalsignatureverificationkeyusedforTSFupdates[selection:isvalidatedtoapublickeyintheTrustAnchorDatabase,matchesanimmutablehardwarepublickey].

ApplicationNote:TheSTauthormustindicatethemethodbywhichthesigningkeyforsystemsoftwareupdatesislimitedand,ifselectedinFPT_TUD_EXT.2.3,mustindicatehowthissigningkeyisprotectedbythehardware.

Ifcertificatesareused,certificatesarevalidatedforthepurposeofsoftwareupdatesinaccordancewithFIA_X509_EXT.1andshouldbeselectedinFIA_X509_EXT.2.1.Additionally,FPT_TUD_EXT.4.1mustbeincludedintheST.


FPT_TUD_EXT.2:TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribesallTSFsoftwareupdatemechanismsforupdatingthesystemsoftware.Theevaluatorshallverifythatthedescriptionincludesadigitalsignatureverificationofthesoftwarebeforeinstallationandthatinstallationfailsiftheverificationfails.TheevaluatorshallverifythatallsoftwareandfirmwareinvolvedinupdatingtheTSFisdescribedand,ifmultiplestagesandsoftwareareindicated,thatthesoftware/firmwareresponsibleforeachstageisindicatedandthatthestage(s)whichperformsignatureverificationoftheupdateareidentified.

TheevaluatorshallverifythattheTSSdescribesthemethodbywhichthedigitalsignatureisverifiedandthatthepublickeyusedtoverifythesignatureiseitherhardware-protectedorisvalidatedtochaintoapublickeyintheTrustAnchorDatabase.Ifhardware-protectionisselected,theevaluatorshallverifythatthemethodofhardware-protectionisdescribedandthattheSTauthorhasjustifiedwhythepublickeymaynotbemodifiedbyunauthorizedparties.

[conditional]IftheSTauthorindicatesthatsoftwareupdatestosystemsoftwarerunningonotherprocessorsisverified,theevaluatorshallverifythattheseotherprocessorsarelistedintheTSSandthatthedescriptionincludesthesoftwareupdatemechanismfortheseprocessors,ifdifferentthantheupdatemechanismforthesoftwareexecutingontheApplicationProcessor.

[conditional]IftheSTauthorindicatesthatthepublickeyisusedforsoftwareupdatedigitalsignatureverification,theevaluatorshallverifythattheupdatemechanismincludesacertificatevalidationaccordingtoFIA_X509_EXT.1andacheckfortheCodeSigningpurposeintheextendedKeyUsage.


TestsTheevaluatorshallverifythatthedeveloperhasprovidedevidencethatthefollowingtestswereperformedforeachavailableupdatemechanism:

Test1:Thetestershalltrytoinstallanupdatewithoutthedigitalsignatureandshallverifythatinstallationfails.Thetestershallattempttoinstallanupdatewithdigitalsignature,andverifythatinstallationsucceeds.Test2:Thetestershalldigitallysigntheupdatewithakeydisallowedbythedeviceandverifythatinstallationfails.Thetestershallattempttoinstallanupdatesignedwiththeallowedkeyandverifythatinstallationsucceeds.Test3:[conditional]Thetestershalldigitallysigntheupdatewithaninvalidcertificateandverifythatupdateinstallationfails.Thetesterattempttoinstallanupdatethatwasdigitallysignedusingavalidcertificateandacertificatethatcontainsthepurposeandverifythattheupdateinstallationsucceeds.Test4:[conditional]Thetestershallrepeatthesetestforthesoftwareexecutingoneachprocessorlistedinthefirstselection.Thetestershallattempttoinstallanupdatewithoutthedigitalsignatureandshallverifythatinstallationfails.Thetestershallattempttoinstallanupdatewithdigitalsignature,andverifythatinstallationsucceeds.

FPT_TUD_EXT.3ApplicationSigningFPT_TUD_EXT.3.1

TheTSFshallverifymobileapplicationsoftwareusingadigitalsignaturemechanismpriortoinstallation.

ApplicationNote:ThisrequirementdoesnotnecessitateanX.509v3certificateorcertificatevalidation.X.509v3certificatesandcertificatevalidationareaddressedinFPT_TUD_EXT.5.1.


FPT_TUD_EXT.3:TSSTheevaluatorshallverifythattheTSSdescribeshowmobileapplicationsoftwareisverifiedatinstallation.Theevaluatorshallensurethatthismethodusesadigitalsignature.


TestsEvaluationActivityNote:Thefollowingtestdoesnothavetobetestedusingthecommercialapplicationstore.

Test1:Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplication.Theevaluatorshalltrytoinstallthisapplicationwithoutadigitallysignatureandshallverifythatinstallationfails.Theevaluatorshallattempttoinstalladigitallysignedapplication,andverifythatinstallationsucceeds.

5.1.8Class:TOEAccess(FTA)

FTA_SSL_EXT.1TSF-andUser-initiatedLockedStateFTA_SSL_EXT.1.1

TheTSFshalltransitiontoalockedstateafteratimeintervalofinactivity.

FTA_SSL_EXT.1.2TheTSFshalltransitiontoalockedstateafterinitiationbyeithertheuserortheadministrator.

FTA_SSL_EXT.1.3TheTSFshall,upontransitioningtothelockedstate,performthefollowingoperations:

a. clearingoroverwritingdisplaydevices,obscuringthepreviouscontents;b. [assignment:otheractionsperformedupontransitioningtothelocked

state].

ApplicationNote:ThetimeintervalofinactivityisconfiguredusingFMT_SMF_EXT.1function2.Theuser/administrator-initiatedlockisspecifiedinFMT_SMF_EXT.1function6.


FTA_SSL_EXT.1:TSSTheevaluatorshallverifytheTSSdescribestheactionsperformedupontransitioningtothelockedstate.

GuidanceTheevaluationshallverifythattheAGDguidancedescribesthemethodofsettingtheinactivityintervalandofcommandingalock.TheevaluatorshallverifythattheTSSdescribestheinformationallowedtobedisplayedtounauthorizedusers.

TestsTest1:TheevaluatorshallconfiguretheTSFtotransitiontothelockedstateafteratimeofinactivity(FMT_SMF_EXT.1)accordingtotheAGDguidance.TheevaluatorshallwaituntiltheTSFlocksandverifythatthedisplayisclearedoroverwrittenandthattheonlyactionsallowedinthelockedstateareunlockingthesessionandthoseactionsspecifiedinFIA_UAU_EXT.2.

Test2:TheevaluatorshallcommandtheTSFtotransitiontothelockedstateaccordingtotheAGDguidanceasboththeuserandtheadministrator.TheevaluatorshallwaituntiltheTSFlocksandverifythatthedisplayisclearedoroverwrittenandthattheonlyactionsallowedinthelockedstateareunlockingthesessionandthoseactionsspecifiedinFIA_UAU_EXT.2.

5.1.9Class:TrustedPath/Channels(FTP)

FTP_ITC_EXT.1TrustedChannelCommunicationFTP_ITC_EXT.1.1

TheTSFshalluse802.11-2012inaccordancewiththeExtendedPackageforWLANClients,802.1XinaccordancewiththeExtendedPackageforWLANClients,EAP-TLSinaccordancewiththeExtendedPackageforWLANClients,mutuallyauthenticatedTLSasdefinedinthePackageforTransportLayerSecurity

and[selection:IPsecinaccordancewiththePP-ModuleforVPNClient,mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity,HTTPS

]protocolstoprovideacommunicationchannelbetweenitselfandanothertrustedITproductthatislogicallydistinctfromothercommunicationchannels,providesassuredidentificationofitsendpoints,protectschanneldatafromdisclosure,anddetectsmodificationofthechanneldata.

ApplicationNote:TheintentofthemandatoryportionoftheaboverequirementistousethecryptographicprotocolsidentifiedintherequirementtoestablishandmaintainatrustedchannelbetweentheTOEandanaccesspoint,VPNGateway,orothertrustedITproduct.

TheSTauthormustlistwhichtrustedchannelprotocolsareimplementedbytheMobileDevice.

TheTSFmustbevalidatedagainsttheExtendedPackageforWLANClientstosatisfythemandatorytrustedchannelsof802.11-2012,802.1X,andEAP-TLS.

TosatisfythemandatorytrustedchannelofTLSandif"mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity"isselected,theTSFmustbevalidatedagainsttheTLSFunctionalPackage,withthefollowingselectionsmade:

FCS_TLS_EXT.1:eitherTLSorDTLSisselectedasappropriateclientisselected

FCS_TLSC_EXT.1.1orFCS_DTLSC_EXT.1.1(asappropriate):TheciphersuitesselectedmustcorrespondwiththealgorithmsandhashfunctionsallowedinFCS_COP.1.Mutualauthenticationmustbeselected

FCS_TLSC_EXT.1.3orFCS_DTLSC_EXT.1.3(asappropriate):Withnoexceptionsisselected.

IftheSTauthorselectsIPsec,theTSFmustbevalidatedagainstthePP-ModuleforVPNClient.

AppendixB-Selection-BasedRequirementscontainstherequirementsforimplementingeachoftheotheroptionaltrustedchannelprotocols.TheSTauthormustincludethesecurityfunctionalrequirementsforthetrustedchannelprotocolselectedinFTP_ITC_EXT.1inthemainbodyoftheST.

Assuredidentificationofendpointsisperformedaccordingtotheauthenticationmechanismsusedbythelistedtrustedchannelprotocols.

FTP_ITC_EXT.1.2TheTSFshallpermittheTSFtoinitiatecommunicationviathetrustedchannel.

FTP_ITC_EXT.1.3TheTSFshallinitiatecommunicationviathetrustedchannelforwirelessaccesspointconnections,administrativecommunication,configuredenterpriseconnections,and[selection:OTAupdates,nootherconnections].


FTP_ITC_EXT.1:TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthedetailsoftheTOEconnectingtoaccesspoints,VPNGateways,andothertrustedITproductsintermsofthecryptographicprotocolsspecifiedintherequirement,alongwithTOE-specificoptionsorproceduresthatmightnotbereflectedinthespecifications.TheevaluatorshallalsoconfirmthatallprotocolslistedintheTSSarespecifiedandincludedintherequirementsintheST.

IfOTAupdatesareselected,theTSSshalldescribewhichtrustedchannelprotocolisinitiatedbytheTOEandisusedforupdates.

GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsforestablishingtheconnectiontoaccesspoints,VPNGateways,andothertrustedITproducts.

TestsTheevaluatorshallalsoperformthefollowingtestsforeachprotocollisted:

Test1:Theevaluatorshallensure,foreachcommunicationchannelwithanauthorizedITentity,thechanneldataarenotsentinplaintextandthataprotocolanalyzeridentifiesthetrafficastheprotocolundertesting.

Test2:[conditional]IfIPsecisselected,theevaluatorshallensurethattheTOEisabletoinitiatecommunicationswithaVPNGateway,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.

Test3:[conditional]IfOTAupdatesareselected,theevaluatorshalltriggeranupdaterequestaccordingtotheoperationalguidanceandshallensurethatthecommunicationissuccessful.

Test4:Foranyotherselectedprotocol(nottestedinTest1,2,or3),theevaluatorshallensurethattheTOEisabletoinitiatecommunicationswithatrustedITproductusingtheprotocol,settinguptheconnectionasdescribedintheoperationalguidanceandensuringthatthecommunicationissuccessful.

5.1.10TOESecurityFunctionalRequirementsRationaleThefollowingrationaleprovidesjustificationforeachsecurityobjectivefortheTOE,showingthattheSFRsaresuitabletomeetandachievethesecurityobjectives:

Table8:SFRRationaleOBJECTIVE ADDRESSEDBY RATIONALE

O.PROTECTED_COMMS FCS_CKM.1,FCS_CKM.2/UNLOCKED, FCS_CKM.1supportsthe

FCS_CKM_EXT.8(BluetoothModule),FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_DTLSC_EXT.1(TLSPackage),FCS_DTLSC_EXT.2(TLSPackage),FCS_HTTPS_EXT.1,FCS_RBG_EXT.1,FCS_RBG_EXT.2(Objective),FCS_RBG_EXT.3(Objective),FCS_SRV_EXT.1,FCS_SRV_EXT.2(Objective),FCS_TLSC_EXT.1(TLSPackage),FCS_TLSC_EXT.2(TLSPackage),FCS_TLSC_EXT.3(TLSPackage),FDP_BLT_EXT.1,FDP_IFC_EXT.1,FDP_STG_EXT.1,FDP_UPC_EXT.1/APPS,FDP_UPC_EXT.1/BLUETOOTH,FIA_BLT_EXT.1(BluetoothModule),FIA_BLT_EXT.2(BluetoothModule),FIA_BLT_EXT.3(BluetoothModule),FIA_BLT_EXT.4(BluetoothModule),FIA_BLT_EXT.5(BluetoothModule),FIA_BLT_EXT.6(BluetoothModule),FIA_BLT_EXT.7(BluetoothModule),FIA_X509_EXT.1,FIA_X509_EXT.2,FIA_X509_EXT.3,FIA_X509_EXT.4(Objective),FIA_X509_EXT.5(Objective),FPT_BLT_EXT.1(Objective),FTP_BLT_EXT.1(BluetoothModule),FTP_BLT_EXT.2(BluetoothModule),FTP_BLT_EXT.3/BR(BluetoothModule),FTP_BLT_EXT.3/LE(BluetoothModule),FTP_ITC_EXT.1

objectivebydefiningthekeygenerationalgorithmsthatareusedforprotectedcommunications.FCS_CKM.2/UNLOCKEDsupportstheobjectivebydefiningthekeyestablishmentalgorithmsthatareusedforprotectedcommunications.FCS_CKM_EXT.8supportstheobjectivebyrequiringtheTSFtoperformkeyrotationforBluetoothtolimitthewindowofopportunityforanattackertodeterminethekeyvalue.FCS_COP.1/ENCRYPTsupportstheobjectivebyrequiringtheTSFtoimplementsymmetricencryptionalgorithmsthatareusedinsupportofprotectedcommunications.FCS_COP.1/HASHsupportstheobjectivebyrequiringtheTSFtoimplementhashalgorithmsthatareusedinsupportofprotectedcommunications.FCS_COP.1/SIGNsupportstheobjectivebyrequiringtheTSFtoimplementdigitalsignaturealgorithmsthatareusedinsupportofprotectedcommunications.FCS_COP.1/KEYHMACsupportstheobjectivebyrequiringtheTSFtoimplementHMACalgorithmsthatareusedinsupportofprotectedcommunications.FCS_DTLSC_EXT.1supportstheobjectivebydefiningtheTOE'simplementationofDTLSasaclientifthisprotocolisusedforprotectedcommunications.FCS_DTLSC_EXT.2supportstheobjectivebydefiningtheTOE'simplementationofmutually-authenticatedDTLSasaclientifthisprotocolisusedforprotectedcommunications.FCS_HTTPS_EXT.1supportstheobjectivebydefiningtheTOE'simplementationofHTTPSifthisprotocolisusedforprotectedcommunications.FCS_RBG_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementdetermininsticrandombitgenerationalgorithmsthatareusedinsupportofprotectedcommunications.FCS_RBG_EXT.2supportstheobjectivebyrequiringtheTSFtosavetheDRBGstatebetweenrebootstoensureavailablityofthisservice.FCS_RBG_EXT.3supportstheobjectivebydefiningtheTSF's

implementationoftheSP800-90APersonalizationStringforapplicationsthatrequirethis.FCS_SRV_EXT.1supportstheobjectivebydefiningthecryptographicservicesthattheTSFmustmakeavailabletothird-partyapplications,whichincludesthosethatcansupportprotectedcommunications.FCS_SRV_EXT.2supportstheobjectivebyrequiringtheTSFtomakekeysinitssecurekeystorageavilableforuseinencryptionandsigningoperations.FCS_TLSC_EXT.1supportstheobjectivebydefiningtheTOE'simplementationofTLSasaclientforprotectedcommunications.FCS_TLSC_EXT.2supportstheobjectivebydefiningtheTOE'simplementationofmutually-authenticatedTLSasaclientforprotectedcommunications.FCS_TLSC_EXT.3supportstheobjectivebyrequiringtheTSFtosupporttheTLSsignaturealgorithmsextensionaspartofestablishingTLSprotectedcommunications.FDP_BLT_EXT.1supportstheobjectivebylimitingtheapplicationsthatareauthorizedtousetheBluetoothinterface,whichmayincludeatrustedchannel.FDP_IFC_EXT.1supportstheobjectivebyrequiringtheTSFtohaveeitheritsownIPsecVPNclientorinterfacethatallowsathird-partyVPNclienttobedeployedonit.FDP_STG_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementaprotectedkeystoragethatcanbeusedtoprotectpersistentkeysusedforprotectedcommunicationsfromdisclosure.FDP_UPC_EXT.1/APPSsupportstheobjectivebydefiningtheprotectedcommunicationschannelsthatitallowsthird-partyapplicationstoinvoke.FDP_UPC_EXT.1/BLUETOOTHsupportstheobjectivebydefiningtheBluetoothinterfacesthatitallowsthird-partyapplicationstoinvoke.FIA_BLT_EXT.1supportstheobjectivebyensuringthatBluetoothcommunicationsarenotinitiatedwithoutuserapproval.FIA_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtoimplementBluetooth

mutualauthenticaiton.FIA_BLT_EXT.3supportstheobjectivebypreventingBluetoothspoofingbyrejectingconnectionswithduplicatedeviceaddresses.FIA_BLT_EXT.4supportstheobjectivebydefiningtheTSF'simplementationofBluetoothSecureSimplePairing.FIA_BLT_EXT.5supportstheobjectivebyrequiringtheTSFtosupportSecureConnectionsOnlymodeforthesupportedBluetoothcommunicationchannels.FIA_BLT_EXT.6supportstheobjectivebyrequiringtheTSFtospecifytheBluetoothprofilesthatitrequiresexplicituserauthorizationtograntaccesstofortrusteddevices.FIA_BLT_EXT.7supportstheobjectivebyrequiringtheTSFtospecifytheBluetoothprofilesthatitrequiresexplicituserauthorizationtograntaccesstoforuntrusteddevices.FIA_X509_EXT.1supportstheobjectivebydefiningtherulestheTSFusestodetermineifapresentedX.509certificateisvalid.FIA_X509_EXT.2supportstheobjectivebyrequiringtheTSFtoenumerateitsusesofX.509certificates(includingprotectedcommunications)anditsbehaviorwhenacertificate'srevocationstatusisundetermined.FIA_X509_EXT.3supportstheobjectivebyrequiringtheTSFtoprovideacertificatevalidationservicetothird-partyapplications.FIA_X509_EXT.4supportstheobjectivebydefiningtheimplementationofESTasamethodbywhichtheTSFcanobtainanX.509certificateforitsownuse.FIA_X509_EXT.5supportstheobjectivebydefiningtheimplementationofCertificateRequestMessagesasamethodbywhichtheTSFcanobtainanX.509certificateforitsownuse.FPT_BLT_EXT.1supportstheobjectivebyrequiringtheTSFtodisablecertainBluetoothprofileswhentheyareinactivesuchthatexplicituserauthorizationisrequiredtore-enablethem.FTP_BLT_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementencryptiontoprotectBluetooth

communicationsFTP_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtopreventdatatransmissionoverBluetoothifthepaireddeviceisnotusingencryption.FTP_BLT_EXT.3/BRsupportstheobjectivebydefiningtheminimumkeysizeforBluetoothBR/EDRcommunications.FTP_BLT_EXT.3/LEsupportstheobjectivebydefiningtheminimumkeysizeforBluetoothLEcommunications.FTP_ITC_EXT.1supportstheobjectivebydefiningtheprotectedcommunicationsprotocolsthattheTSFimplements.

O.STORAGE FCS_CKM.2/LOCKED,FCS_CKM_EXT.1,FCS_CKM_EXT.2,FCS_CKM_EXT.3,FCS_CKM_EXT.4,FCS_CKM_EXT.5,FCS_CKM_EXT.6,FCS_CKM_EXT.7(Sel-Based),FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_COP.1/CONDITION,FCS_IV_EXT.1,FCS_RBG_EXT.1,FCS_STG_EXT.1,FCS_STG_EXT.2,FCS_STG_EXT.3,FDP_ACF_EXT.3(Objective),FDP_DAR_EXT.1,FDP_DAR_EXT.2,FIA_UAU_EXT.1,FPT_KST_EXT.1,FPT_KST_EXT.2,FPT_KST_EXT.3,FPT_JTA_EXT.1

FCS_CKM_EXT.1supportstheobjectivebydefiningtheTOE'srootencryptionkeythatisusedtoprotectdataatrest.FCS_CKM_EXT.2supportstheobjectivebydefininghowtheTSFcreatesdataencryptionkeysthatareusedtoprotectdataatrest.FCS_CKM_EXT.3supportstheobjectivebydefiningthekeyencryptionkeystheTOEusestoprotectdataatrestandhowtheyarecreated.FCS_CKM_EXT.4supportstheobjectivebyrequiringtheTSFtodestroykeysandkeymaterialthatcouldotherwisebeusedtocompromisedataatrest.FCS_CKM_EXT.5supportstheobjectivebydefiningthemechanismtheTSFusestoperformawipeoperationthatsecurelydestroysdataatrest.FCS_CKM_EXT.6supportstheobjectivebyrequiringtheTSFtousesecuresaltswhenperformingcryptographicoperationsthatrequirethem.FCS_CKM_EXT.7supportstheobjectivebyensuringthattheTOE'srootencryptionkeycannotbedisclosed.FCS_COP.1/ENCRYPTsupportstheobjectivebydefiningasymmetricencryption/decryptionfunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/HASHsupportstheobjectivebydefiningahashfunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/SIGNsupportstheobjectivebydefiningadigitalsignaturefunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/KEYHMACsupportstheobjectiveby

defininganHMACfunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/CONDITIONsupportstheobjectivebydefiningakeyderivationfunctionthatcanbeusedtoprotectdataatrest.FCS_IV_EXT.1supportstheobjectivebyensuringthatanyIVstheTSFgeneratesforAESkeysaregeneratedinanappropriatemannerbasedontherelevantstandards.FCS_RBG_EXT.1supportstheobjectivebydefiningrandombitgenerationfunctionthatcanbeusedtoprotectdataatrest.FCS_STG_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementahardwareorsoftwarekeystoretoprotectkeydataatrest.FCS_STG_EXT.2supportstheobjectivebydefiningtheconfidentialitymechanismusedtoprotectstoredkeydatafromunauthorizeddisclosure.FCS_STG_EXT.3supportstheobjectivebydefiningtheintegritymechanismusedtoprotectstoredkeydatafromunauthorizedmodification.FDP_ACF_EXT.3supportstheobjectivebyensuringthattheTSFdoesnotpermitwriteandexecutepermissionsonstoreddatatobegrantedsimultaneously.FDP_DAR_EXT.1supportstheobjectivebyrequiringtheTSFtoencryptallsensitivedatausingdataencryptionkeys.FDP_DAR_EXT.2supportstheobjectivebyrequiringtheTSFtoprovideamechanismtomarkdataassensitivesothatitcansubjecttoencryption.FIA_UAU_EXT.1supportstheobjectivebyrequiringthepresentationofavalidauthorizationfactorinordertodecryptsensitivedataatrest.FPT_KST_EXT.1supportstheobjectivebyrequiringtheTSFtopreventthestorageofplaintextkeydatainreadablenon-volatilememory.FPT_KST_EXT.2supportstheobjectivebyrequiringtheTSFtopreventanytransmissionofplaintextkeymaterialoutsideoftheTOEboundary.FPT_KST_EXT.3supportstheobjectivebyrequiringtheTSFtopreventexportofanystoredplaintextkeys.FPT_JTA_EXT.1supportsthe

objectivebyrequiringtheTSFtoenforceaccesscontrolsagainstJTAGsothatthisinterfacecannotbeusedtodisclosedataatrest.

O.CONFIG FMT_MOF_EXT.1,FMT_SMF_EXT.1,FMT_SMF_EXT.2,FTA_TAB.1(Objective)

FMT_MOF_EXT.1supportstheobjectivebyspecifyingtheTSFmanagementfunctionsthatanenduserisauthorizedtoperform.FMT_SMF_EXT.1supportstheobjectivebydefiningtheTSFmanagementfunctionsandtheusersorrolesthatareauthorizedtoinvokethem.FMT_SMF_EXT.2supportstheobjectivebydefiningtheconfigurationactionsthattheTSFperformsautomaticallyuponunenrollmentfrommobiledevicemanagement.FTA_TAB.1supportstheobjectivebyrequiringtheTSFtodisplayawarningbannertousersthatgovernsauthorizedusageoftheTOE.

O.AUTH FDP_PBA_EXT.1(Sel-Based),FIA_AFL_EXT.1,FIA_BLT_EXT.1(BluetoothModule),FIA_BLT_EXT.2(BluetoothModule),FIA_BMG_EXT.1(Sel-Based)FIA_BMG_EXT.2(Objective),FIA_BMG_EXT.3(Objective),FIA_BMG_EXT.4(Objective),FIA_BMG_EXT.5(Objective),FIA_BMG_EXT.6(Objective),FIA_PMG_EXT.1,FIA_TRT_EXT.1,FIA_UAU_EXT.1,FIA_UAU_EXT.2,FIA_UAU_EXT.4(Optional),FIA_UAU.5,FIA_UAU.6,FIA_UAU.7,FIA_X509_EXT.2,FTA_SSL_EXT.1

FDP_PBA_EXT.1supportstheobjectivebydefiningthemechanismthattheTSFusestoprotectstoredbiometrictemplates.FIA_AFL_EXT.1supportstheobjectivebydefiningtheauthenticationmechanismsthataresubjecttolockoutbehaviorandhowtheTSFhandlesrepeatedfailedauthenticationattempts.FIA_BLT_EXT.1supportstheobjectivebyrequiringausertoauthorizeallBlueoothpairings.FIA_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtoenforcemutualauthenticationforBluetooth.FIA_BMG_EXT.1supportstheobjectivebydefiningtheminimumaccuracyofbiometricauthenticationmethodsthattheTSFmustsupport.FIA_BMG_EXT.2supportstheobjectivebyrequiringtheTSFtoenforceaminimumqualitystandardonthebiometricdatausedforenrollment.FIA_BMG_EXT.3supportstheobjectivebydefiningthequalitymetricsusedbytheTSFtoenforceminimumqualityforbiometricdata.FIA_BMG_EXT.4supportstheobjectivebyrequiringtheTSFtogenerateenrollmentandauthenticationtemplatesusingdatathatexceedsaminimumqualitythreshold.FIA_BMG_EXT.5supportstheobjectivebydefininghowthe

TSFhandlesbiometricdatathatdoesnotmatchexpectedparameters.FIA_BMG_EXT.6supportstheobjectivebyrequiringtheTSFtodetectspoofedbiometricdata.FIA_PMG_EXT.1supportstheobjectivebydefiningtheminimumqualitythresholdforpasswordsthattheTSFmustenforce.FIA_TRT_EXT.1supportstheobjectivebyenforcinganauthenticationthrottlingmechanismthatlimitstherateatwhichauthenticationattemptscanbemadetotheTOE.FIA_UAU_EXT.1supportstheobjectivebyrequiringtheTSFtobeprovidedwithavalidpasswordbeforeaccesstoprotecteddataisgranted.FIA_UAU_EXT.2supportstheobjectivebydefiningtheTOEfunctionsthatcanbeaccessedwithoutauthenticationsuchthatallotherservicesrequireauthentication.FIA_UAU_EXT.4supportstheobjectivebydefiningasecondaryauthenticationmechanismforEnterpriseresources.FIA_UAU.5supportstheobjectivebydefiningallauthenticationfactorstheTSFsupportsandrulesforhowtheseauthenticationfactorsareusedtogainaccesstotheTSF.FIA_UAU.6supportstheobjectivebyrequiringtheTSFtore-authenticateuserswiththeirpasswordpriortoallowingthemtochangeanyotherauthenticationdata.FIA_UAU.7supportstheobjectivebyensuringthatTSFdoesnotdiscloseuserauthenticationdataasitisbeinginputtotheTOE.FIA_X509_EXT.2supportstheobjectivebydefiningthefunctionsforwhichtheTSFusesX.509certificatesasanauthenticationmechanism.FTA_SSL_EXT.1supportstheobjectivebyrequiringtheTSFtoensurethatanidleusersessionisterminatedafteragivenperiodoftime.

O.INTEGRITY FAU_GEN.1,FAU_SAR.1(Objective),FAU_SEL.1(Objective),FAU_STG.1,FAU_STG.4,FCS_COP.1/HASH,FCS_COP.1/SIGN,FDP_ACF_EXT.1,FDP_ACF_EXT.3(Objective),FPT_AEX_EXT.1,FPT_AEX_EXT.2,FPT_AEX_EXT.3,FPT_AEX_EXT.4,FPT_AEX_EXT.5(Objective),FPT_AEX_EXT.6(Objective),FPT_AEX_EXT.7

FAU_GEN.1supportstheobjectivebyrequiringtheTSFtorecordactionsperformedagainstittoestablisharecordofpotentialmaliciousactivity.FAU_SAR.1supportstheobjectivebyrequiringtheTSFtoprovideamechanismto

(Objective),FPT_BBD_EXT.1(Objective),FPT_NOT_EXT.1,FPT_NOT_EXT.2(Objective),FPT_STM.1,FPT_TST_EXT.1,FPT_TST_EXT.2/PREKERNEL,FPT_TST_EXT.2/POSTKERNEL,FPT_TST_EXT.3(Sel-Based),FPT_TUD_EXT.1,FPT_TUD_EXT.2,FPT_TUD_EXT.3,FPT_TUD_EXT.4(Sel-Based),FPT_TUD_EXT.5(Objective),FPT_TUD_EXT.6(Objective)

reviewthestoredauditdatasoadministratorscandiagnosetherootcauseofmalicioususage.FAU_SEL.1supportstheobjectivebyallowingtheTSFtorestricttheauditrecordsthataregeneratedsothatrecordsunrelatedtopotentialmalicioususagecanbesuppressed.FAU_STG.1supportstheobjectivebyensuringthatamalicioususercannottamperwithauditrecordsbymodifyingordeletingthem.FAU_STG.4supportstheobjectivebyensuringtheavailabilityofauditrecords.FCS_COP.1/HASHsupportstheobjectivebyrequiringtheTSFtoimplementhashalgorithmsthatcanbeusedtoassertandverifyintegrity.FCS_COP.1/SIGNsupportstheobjectivebyrequiringtheTSFtoimplementdigitalsignaturealgorithmsthatcanbeusedtoassertandverifyintegrity.FDP_ACF_EXT.1supportstheobjectivebyrequiringtheTSFtomaintaintheintegrityofitssystemservicesbylimitingtheentitiesthatcanaccessthem.FDP_ACF_EXT.3supportstheobjectivebyrequiringtheTSFtoensurethatwritablefilescannotbeexecutedandviceversa,suchthatarbitrarycodeorscriptscannotbeexecutedtocompromisetheintegrityoftheTOE.FPT_AEX_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementASLRtopreventacompromiseoftheTSF.FPT_AEX_EXT.2supportstheobjectivebyrequiringtheTSFtoenforcepermissionsagainstmemorypagestopreventacompromiseoftheTSF.FPT_AEX_EXT.3supportstheobjectivebyrequiringtheTSFtoimplementstackoverflowprotectiontopreventacompromiseoftheTSF.FPT_AEX_EXT.4supportstheobjectivebyrequiringtheTSFtoenforceaddressspaceseparationtopreventacompromiseoftheTSF.FPT_AEX_EXT.5supportstheobjectivebyrequiringtheTSFtoimplementASLRtopreventacompromiseoftheTSF.FPT_AEX_EXT.6supportstheobjectivebyrequiringtheTSFtoensurethatwritablefilescannotbeexecutedandviceversa,suchthatarbitrarycodeorscriptscannotbeexecuted

tocompromisetheintegrityoftheTOE.FPT_AEX_EXT.7supportstheobjectivebyrequiringtheTSFtoimplementheapoverflowprotectiontopreventacompromiseoftheTSF.FPT_BBD_EXT.1supportstheobjectivebyensuringthatisolationbetweentheTOE'sbasebandprocessorandapplictaionprocessorisenforcedsothataccesstothebasebandprocessorisstrictlycontrolled.FPT_NOT_EXT.1supportstheobjectivebyrequiringtheTSFtotakesomeactiontopreventitsintegrityintheeventofvariousfailureconditions.FPT_NOT_EXT.2supportstheobjectivebyrequiringtheTSFtomakeitsintegrityverificationvaluesavailableforthepurposeofremoteattestation.FPT_STM.1supportstheobjectivebyensuringaccuratesystemtimedataisappliedtoauditlogs.FPT_TST_EXT.1supportstheobjectivebydefiningtheself-teststhattheTSFperformstovalidateitsownintegrity.FPT_TST_EXT.2/PREKERNELsupportstheobjectivebyrequiringtheTSFtoverifytheintegrityofitsbootchainpriortokernelload.FPT_TST_EXT.2/POSTKERNELsupportstheobjectivebyrequiringtheTSFtoverifytheintegrityofstoredexecutablecodepriortoitsexecution.FPT_TST_EXT.3supportstheobjectivebyrequiringtheTSFtoblockcodeexecutionifitscodesigningcertificateisinvalid.FPT_TUD_EXT.1supportstheobjectivebyallowinguserstodeterminetheversionoftheTOE'shardware,software/firmware,andinstalledapplications.FPT_TUD_EXT.2supportstheobjectivebyrequiringtheTSFtovalidatetheintegrityofsoftwareupdatespriortoinstallingthem.FPT_TUD_EXT.3supportstheobjectivebyrequiringtheTSFtovalidatetheintegrityofthird-partyapplicationspriortoinstallingthem.FPT_TUD_EXT.4supportstheobjectivebyrequiringtheTSFtoblockinstallationofcodeifitsassociatedcodesigningcertificateisinvalid.FPT_TUD_EXT.5supportsthe

objectivebyspecifyingtheX.509certificatethattheTSFusestoverifyapplicationspriortotheirinstallation.FPT_TUD_EXT.6supportstheobjectivebypreventingtheTSFfrombeingrolledbacktoanearlierversionthatmayhaveknownvulnerabilitiesthatweresubsequentlypatched.

O.PRIVACY FDP_ACF_EXT.1,FDP_ACF_EXT.2(Sel-Based),FDP_BCK_EXT.1(Objective),FMT_SMF_EXT.1,FMT_SMF_EXT.3(Objective)

FDP_ACF_EXT.1supportstheobjectivebyenforcingrestrictionsonservicesthatcouldcompromiseuserprivacyifaccessedinappropriately.FDP_ACF_EXT.2supportstheobjectivebyrequiringtheTSFtoprovideseparateuserdatastoresforapplicationgroupssothattheprivacyofthatdatacanbemaintained.FDP_BCK_EXT.1supportstheobjectivebyallowingdatatobeexcludedfrombackupoperationsthatcouldcompromiseuserprivacyifdisclosed.FMT_SMF_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementmanagementfunctionsthatcontroltheextenttowhichuserdataiscollectedanddisseminated.FMT_SMF_EXT.3supportstheobjectivebyrequiringtheTSFtoidentifyitsauthorizedadministratorssothatauserknowstheextenttowhichvariousadministratorshaveaccesstothedevice.

5.2SecurityAssuranceRequirementsTheSecurityObjectivesinSection4SecurityObjectiveswereconstructedtoaddressthreatsidentifiedinSection3SecurityProblemDescription.TheSecurityFunctionalRequirements(SFRs)inSection5.1SecurityFunctionalRequirementsareaformalinstantiationoftheSecurityObjectives.ThePPidentifiestheSecurityAssuranceRequirements(SARs)toframetheextenttowhichtheevaluatorassessesthedocumentationapplicablefortheevaluationandperformsindependenttesting.

ThissectionliststhesetofSARsfromCCpart3thatarerequiredinevaluationsagainstthisPP.IndividualEvaluationActivitiestobeperformedarespecifiedbothinSection5.1SecurityFunctionalRequirementsaswellasinthissection.

ThegeneralmodelforevaluationofTOEsagainstSTswrittentoconformtothisPPisasfollows:

AftertheSThasbeenapprovedforevaluation,theITSEFwillobtaintheTOE,supportingenvironmentalIT,andtheadministrative/userguidesfortheTOE.TheITSEFisexpectedtoperformactionsmandatedbytheCommonEvaluationMethodology(CEM)fortheASEandALCSARs.TheITSEFalsoperformstheEvaluationActivitiescontainedwithinSection5.1SecurityFunctionalRequirements,whichareintendedtobeaninterpretationoftheotherCEMevaluationrequirementsastheyapplytothespecifictechnologyinstantiatedintheTOE.TheEvaluationActivitiesthatarecapturedinSection5.1SecurityFunctionalRequirementsalsoprovideclarificationastowhatthedeveloperneedstoprovidetodemonstratetheTOEiscompliantwiththePP.

TheTOESecurityAssuranceRequirementsareidentifiedinTable9.

Table9:SecurityAssuranceRequirements

AssuranceClass AssuranceComponents

SecurityTarget(ASE) ConformanceClaims(ASE_CCL.1)

ExtendedComponentsDefinition(ASE_ECD.1)

STIntroduction(ASE_INT.1)

SecurityObjectivesfortheOperationalEnvironment(ASE_OBJ.1)

StatedSecurityRequirements(ASE_REQ.1)

SecurityProblemDefinition(ASE_SPD.1)

TOESummarySpecification(ASE_TSS.1)

Development(ADV) BasicFunctionalSpecification(ADV_FSP.1)

GuidanceDocuments(AGD) OperationalUserGuidance(AGD_OPE.1)

PreparativeProcedures(AGD_PRE.1)

LifeCycleSupport(ALC) LabelingoftheTOE(ALC_CMC.1)

TOECMCoverage(ALC_CMS.1)

TimelySecurityUpdates(ALC_TSU_EXT)

Tests(ATE) IndependentTesting–Sample(ATE_IND.1)

VulnerabilityAssessment(AVA) VulnerabilitySurvey(AVA_VAN.1)

5.2.1ClassASE:SecurityTargetTheSTisevaluatedasperASEactivitiesdefinedintheCEMforASE_CCL.1,ASE_ECD.1,ASE_INT.1,ASE_OBJ.2,ASE_REQ.2,ASE_SPD.1,andASE_TSS.1.Inaddition,theremaybeEvaluationActivitiesspecifiedwithinSection5.1SecurityFunctionalRequirementsthatcallfornecessarydescriptionstobeincludedintheTSSthatarespecifictotheTOEtechnologytype.

5.2.2ClassADV:DevelopmentThedesigninformationabouttheTOEiscontainedintheguidancedocumentationavailabletotheenduseraswellastheTSSportionoftheST,andanyadditionalinformationrequiredbythisPPthatisnottobemadepublic.

ADV_FSP.1BasicFunctionalSpecificationThefunctionalspecificationdescribestheTOESecurityFunctionsInterface(TSFIs).Itisnotnecessarytohaveaformalorcompletespecificationoftheseinterfaces.Additionally,becauseTOEsconformingtothisPPwillnecessarilyhaveinterfacestotheOperationalEnvironmentthatarenotdirectlyinvokablebyTOEusers,thereislittlepointspecifyingthatsuchinterfacesbedescribedinandofthemselvessinceonlyindirecttestingofsuchinterfacesmaybepossible.ForthisPP,theactivitiesforthisfamilyshouldfocusonunderstandingtheinterfacespresentedintheTSSinresponsetothefunctionalrequirementsandtheinterfacespresentedintheAGDdocumentation.Noadditional"functionalspecification"documentationisnecessarytosatisfytheevaluationactivitiesspecified.

Theinterfacesthatneedtobeevaluatedarecharacterizedthroughtheinformationneededtoperformtheevaluationactivitieslisted,ratherthanasanindependent,abstractlist.

Developeractionelements:ADV_FSP.1.1D

Thedevelopershallprovideafunctionalspecification.

ADV_FSP.1.2DThedevelopershallprovideatracingfromthefunctionalspecificationtotheSFRs.

ApplicationNote:Asindicatedintheintroductiontothissection,thefunctionalspecificationiscomprisedoftheinformationcontainedintheAGD_OPE,AGD_PRE,andtheAPIinformationthatisprovidedtoapplicationdevelopers,includingtheAPIsthatrequireprivilegetoinvoke.

Thedevelopermayreferenceawebsiteaccessibletoapplicationdevelopersandtheevaluator.TheAPIdocumentationmustincludethoseinterfacesrequiredinthisprofile.TheAPIdocumentationmustclearlyindicatetowhichproductsandversionseachavailablefunctionapplies.

TheevaluationactivitiesinthefunctionalrequirementspointtoevidencethatshouldexistinthedocumentationandTSSsection;sincethesearedirectlyassociatedwiththeSFRs,thetracinginelementADV_FSP.1.2Disimplicitlyalreadydoneandnoadditionaldocumentationisnecessary.

Contentandpresentationelements:ADV_FSP.1.3C

ThefunctionalspecificationshalldescribethepurposeandmethodofuseforeachSFR-enforcingandSFR-supportingTSFI.

ADV_FSP.1.4CThefunctionalspecificationshallidentifyallparametersassociatedwitheachSFR-enforcingandSFR-supportingTSFI.

ADV_FSP.1.5CThefunctionalspecificationshallproviderationalefortheimplicitcategorizationofinterfacesasSFR-non-interfering.

ADV_FSP.1.6CThetracingshalldemonstratethattheSFRstracetoTSFIsinthefunctionalspecification.

Evaluatoractionelements:ADV_FSP.1.7E

Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.

ADV_FSP.1.8ETheevaluatorshalldeterminethatthefunctionalspecificationisanaccurateandcompleteinstantiationoftheSFRs.


ADV_FSP.1:TherearenospecificevaluationactivitiesassociatedwiththeseSARs,exceptensuringtheinformationisprovided.ThefunctionalspecificationdocumentationisprovidedtosupporttheevaluationactivitiesdescribedinSection5.1SecurityFunctionalRequirements,andotheractivitiesdescribedforAGD,ATE,andAVASARs.Therequirementsonthecontentofthefunctionalspecificationinformationisimplicitlyassessedbyvirtueoftheotherevaluationactivitiesbeingperformed;iftheevaluatorisunabletoperformanactivitybecausethereisinsufficientinterfaceinformation,thenanadequatefunctionalspecificationhasnotbeenprovided.

5.2.3ClassAGD:GuidanceDocumentationTheguidancedocumentswillbeprovidedwiththeST.GuidancemustincludeadescriptionofhowtheITpersonnelverifiesthattheOperationalEnvironmentcanfulfillitsroleforthesecurityfunctionality.ThedocumentationshouldbeinaninformalstyleandreadablebytheITpersonnel.

GuidancemustbeprovidedforeveryoperationalenvironmentthattheproductsupportsasclaimedintheST.Thisguidanceincludes:

instructionstosuccessfullyinstalltheTSFinthatenvironmentinstructionstomanagethesecurityoftheTSFasaproductandasacomponentofthelargeroperationalenvironmentinstructionstoprovideaprotectedadministrativecapability

Guidancepertainingtoparticularsecurityfunctionalityisalsoprovided;requirementsonsuchguidancearecontainedintheevaluationactivitiesspecifiedwitheachrequirement.

AGD_OPE.1OperationalUserGuidance

Developeractionelements:AGD_OPE.1.1D

Thedevelopershallprovideoperationaluserguidance.

ApplicationNote:Theoperationaluserguidancedoesnothavetobecontainedinasingledocument.Guidancetousers,administratorsandapplicationdeveloperscanbespreadamongdocumentsorwebpages.Whereappropriate,theguidancedocumentationisexpressedintheeXtensibleConfigurationChecklistDescriptionFormat(XCCDF)tosupportsecurityautomation.

Ratherthanrepeatinformationhere,thedevelopershouldreviewtheevaluationactivitiesforthiscomponenttoascertainthespecificsoftheguidancethattheevaluatorwillbecheckingfor.Thiswillprovidethenecessaryinformationforthepreparationofacceptableguidance.

Contentandpresentationelements:AGD_OPE.1.2C

Theoperationaluserguidanceshalldescribe,foreachuserrole,theuser-

accessiblefunctionsandprivilegesthatshouldbecontrolledinasecureprocessingenvironment,includingappropriatewarnings.

ApplicationNote:Userandadministrator(e.g.,MDMagent),andapplicationdeveloperaretobeconsideredinthedefinitionofuserrole.

AGD_OPE.1.3CTheoperationaluserguidanceshalldescribe,foreachuserrole,howtousetheavailableinterfacesprovidedbytheTOEinasecuremanner.

AGD_OPE.1.4CTheoperationaluserguidanceshalldescribe,foreachuserrole,theavailablefunctionsandinterfaces,inparticularallsecurityparametersunderthecontroloftheuser,indicatingsecurevaluesasappropriate.

AGD_OPE.1.5CTheoperationaluserguidanceshall,foreachuserrole,clearlypresenteachtypeofsecurity-relevanteventrelativetotheuser-accessiblefunctionsthatneedtobeperformed,includingchangingthesecuritycharacteristicsofentitiesunderthecontroloftheTSF.

AGD_OPE.1.6CTheoperationaluserguidanceshallidentifyallpossiblemodesofoperationoftheOS(includingoperationfollowingfailureoroperationalerror),theirconsequences,andimplicationsformaintainingsecureoperation.

AGD_OPE.1.7CTheoperationaluserguidanceshall,foreachuserrole,describethesecuritymeasurestobefollowedinordertofulfillthesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.

AGD_OPE.1.8CTheoperationaluserguidanceshallbeclearandreasonable.

Evaluatoractionelements:AGD_OPE.1.9E



AGD_OPE.1:SomeofthecontentsoftheoperationalguidanceareverifiedbytheevaluationactivitiesinSection5.1SecurityFunctionalRequirementsandevaluationoftheTOEaccordingtothe[CEM].Thefollowingadditionalinformationisalsorequired.

Theoperationalguidanceshallcontainalistofnativelyinstalledapplicationsandanyrelevantversionnumbers.Ifanythirdpartyvendorsarepermittedtoinstallapplicationsbeforepurchasebytheenduserorenterprise,theseapplicationsshallalsobelisted.

TheoperationalguidanceshallcontaininstructionsforconfiguringthecryptographicengineassociatedwiththeevaluatedconfigurationoftheTOE.ItshallprovideawarningtotheadministratorthatuseofothercryptographicengineswasnotevaluatednortestedduringtheCCevaluationoftheTOE.

ThedocumentationmustdescribetheprocessforverifyingupdatestotheTOEbyverifyingadigitalsignature.Theevaluatorshallverifythatthisprocessincludesthefollowingsteps:

Instructionsforobtainingtheupdateitself.ThisshouldincludeinstructionsformakingtheupdateaccessibletotheTOE(e.g.,placementinaspecificdirectory).Instructionsforinitiatingtheupdateprocess,aswellasdiscerningwhethertheprocesswassuccessfulorunsuccessful.Thisincludesgenerationofthehash/digitalsignature.

TheTOEwilllikelycontainsecurityfunctionalitythatdoesnotfallinthescopeofevaluationunderthisPP.Theoperationalguidanceshallmakeitcleartoanadministratorwhichsecurityfunctionalityiscoveredbytheevaluationactivities.

AGD_PRE.1PreparativeProcedures

Developeractionelements:AGD_PRE.1.1D

ThedevelopershallprovidetheTOE,includingitspreparativeprocedures.

ApplicationNote:Aswiththeoperationalguidance,thedevelopershouldlooktotheevaluationactivitiestodeterminetherequiredcontentwithrespecttopreparativeprocedures.

Contentandpresentationelements:AGD_PRE.1.2C

ThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureacceptanceofthedeliveredTOEinaccordancewiththedeveloper'sdeliveryprocedures.

AGD_PRE.1.3CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureinstallationoftheTOEandforthesecurepreparationoftheoperationalenvironmentinaccordancewiththesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.

Evaluatoractionelements:AGD_PRE.1.4E


AGD_PRE.1.5ETheevaluatorshallapplythepreparativeprocedurestoconfirmthattheOScanbepreparedsecurelyforoperation.


AGD_PRE.1:Asindicatedintheintroductionabove,therearesignificantexpectationswithrespecttothedocumentation—especiallywhenconfiguringtheoperationalenvironmenttosupportTOEfunctionalrequirements.TheevaluatorshallchecktoensurethattheguidanceprovidedfortheTOEadequatelyaddressesallplatformsclaimedfortheTOEintheST.

5.2.4ClassALC:Life-cycleSupportAttheassurancelevelprovidedforTOEsconformanttothisPP,life-cyclesupportislimitedtoend-user-visibleaspectsofthelife-cycle,ratherthananexaminationoftheTOEvendor’sdevelopmentandconfigurationmanagementprocess.Thisisnotmeanttodiminishthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct;rather,itisareflectionontheinformationtobemadeavailableforevaluationatthisassurancelevel.

ALC_CMC.1LabelingoftheTOEThiscomponentistargetedatidentifyingtheTOEsuchthatitcanbedistinguishedfromotherproductsorversionsfromthesamevendorandcanbeeasilyspecifiedwhenbeingprocuredbyanenduser.

Developeractionelements:ALC_CMC.1.1D

ThedevelopershallprovidetheTOEandareferencefortheTOE.

Contentandpresentationelements:ALC_CMC.1.2C

TheTOEshallbelabeledwithauniquereference.

Evaluatoractionelements:ALC_CMC.1.3E



ALC_CMC.1:TheevaluatorshallchecktheSTtoensurethatitcontainsanidentifier(suchasaproductname/versionnumber)thatspecificallyidentifiestheversionthatmeetstherequirementsoftheST.Further,theevaluatorshallchecktheAGDguidanceandTOEsamplesreceivedfortestingtoensurethattheversionnumberisconsistentwiththatintheST.IfthevendormaintainsawebsiteadvertisingtheTOE,theevaluatorshallexaminetheinformationonthewebsitetoensurethattheinformationintheSTissufficienttodistinguishtheproduct.

ALC_CMS.1TOECMCoverageGiventhescopeoftheTOEanditsassociatedevaluationevidencerequirements,thiscomponent’sevaluationactivitiesarecoveredbytheevaluationactivitieslistedforALC_CMC.1.

Developeractionelements:ALC_CMS.1.1D

ThedevelopershallprovideaconfigurationlistfortheTOE.

Contentandpresentationelements:ALC_CMS.1.2C

Theconfigurationlistshallincludethefollowing:theTOEitself;andtheevaluationevidencerequiredbytheSARs.

ALC_CMS.1.3CTheconfigurationlistshalluniquelyidentifytheconfigurationitems.

Evaluatoractionelements:ALC_CMS.1.4E


ApplicationNote:The"evaluationevidencerequiredbytheSARs"inthisPPislimitedtotheinformationintheSTcoupledwiththeguidanceprovidedtoadministratorsandusersundertheAGDrequirements.ByensuringthattheTOEisspecificallyidentifiedandthatthisidentificationisconsistentintheSTandintheAGDguidance(asdoneintheevaluationactivityforALC_CMC.1),theevaluatorimplicitlyconfirmstheinformationrequiredbythiscomponent.

Life-cyclesupportistargetedaspectsofthedeveloper’slife-cycleandinstructionstoprovidersofapplicationsforthedeveloper’sdevices,ratherthananin-depthexaminationoftheTSFmanufacturer’sdevelopmentandconfigurationmanagementprocess.Thisisnotmeanttodiminishthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct;rather,it’sareflectionontheinformationtobemadeavailableforevaluation.


ALC_CMS.1:Theevaluatorshallensurethatthedeveloperhasidentified(inpublic-facingdevelopmentguidancefortheirplatform)oneormoredevelopmentenvironmentsappropriateforuseindevelopingapplicationsforthedeveloper’splatform.Foreachofthesedevelopmentenvironments,thedevelopershallprovideinformationonhowtoconfiguretheenvironmenttoensurethatbufferoverflowprotectionmechanismsintheenvironment(s)areinvoked(e.g.,compilerandlinkerflags).Theevaluatorshallensurethatthisdocumentationalsoincludesanindicationofwhethersuchprotectionsareonbydefault,orhavetobespecificallyenabled.

TheevaluatorshallensurethattheTSFisuniquelyidentified(withrespecttootherproductsfromtheTSFvendor),andthatdocumentationprovidedbythedeveloperinassociationwiththerequirementsintheSTisassociatedwiththeTSFusingthisuniqueidentification.

ALC_TSU_EXT.1TimelySecurityUpdatesThiscomponentrequirestheTOEdeveloper,inconjunctionwithanyothernecessaryparties,toprovideinformationastohowtheend-userdevicesareupdatedtoaddresssecurityissuesinatimelymanner.Thedocumentationdescribestheprocessofprovidingupdatestothepublicfromthetimeasecurityflawisreported/discovered,tothetimeanupdateisreleased.Thisdescriptionincludesthepartiesinvolved(e.g.,thedeveloper,carriers(s))andthestepsthatareperformed(e.g.,developertesting,carriertesting),includingworst-casetimeperiods,beforeanupdateismadeavailabletothepublic.

Developeractionelements:ALC_TSU_EXT.1.1D

ThedevelopershallprovideadescriptionintheTSSofhowtimelysecurityupdatesaremadetotheTOE.

Contentandpresentationelements:ALC_TSU_EXT.1.2C

ThedescriptionshallincludetheprocessforcreatinganddeployingsecurityupdatesfortheTOEsoftware.

Note:Thesoftwaretobedescribedincludestheoperatingsystemsoftheapplicationprocessorandthebasebandprocessor,aswellasanyfirmwareandapplications.TheprocessdescriptionincludestheTOEdeveloperprocessesaswellasanythird-party(carrier)processes.Theprocessdescriptionincludeseachdeploymentmechanism(e.g.,over-the-airupdates,per-carrierupdates,downloadedupdates).

ALC_TSU_EXT.1.3CThedescriptionshallexpressthetimewindowasthelengthoftime,indays,betweenpublicdisclosureofavulnerabilityandthepublicavailabilityofsecurityupdatestotheTOE.

Note:Thetotallengthoftimemaybepresentedasasummationoftheperiodsoftimethateachparty(e.g.,TOEdeveloper,mobilecarrier)onthecriticalpathconsumes.Thetimeperioduntilpublicavailabilityperdeploymentmechanismmaydiffer;eachisdescribed.

ALC_TSU_EXT.1.4CThedescriptionshallincludethemechanismspubliclyavailableforreportingsecurityissuespertainingtotheTOE.

Note:Thereportingmechanismcouldincludewebsites,emailaddresses,aswellasameanstoprotectthesensitivenatureofthereport(e.g.,publickeysthatcouldbeusedtoencryptthedetailsofaproof-of-conceptexploit).

ALC_TSU_EXT.1.5CThedescriptionshallincludewhereuserscanseekinformationabouttheavailabilityofnewupdatesincludingdetails(e.g.CVEidentifiers)ofthespecificpublicvulnerabilitiescorrectedbyeachupdate.

Note:Thepurposeofprovidingthisinformationissothatusersandenterprisescandeterminewhichdevicesaresusceptibletopubliclyknownvulnerabilitiessothattheycanmakeappropriateriskdecisions,suchaslimitingaccesstoenterpriseresourcesuntilupdatesareinstalled.

Evaluatoractionelements:ALC_TSU_EXT.1.6E



ALC_TSU_EXT.1:TheevaluatorshallverifythattheTSScontainsadescriptionofthetimelysecurityupdateprocessusedbythedevelopertocreateanddeploysecurityupdates.TheevaluatorshallverifythatthisdescriptionaddressestheTOEOS,thefirmware,andbundledapplications,each.Theevaluatorshallalsoverifythat,inadditiontotheTOEdeveloper’sprocess,anycarrierorotherthird-partyprocessesarealsoaddressedinthedescription.Theevaluatorshallalsoverifythateachmechanismfordeploymentofsecurityupdatesisdescribed.

Theevaluatorshallverifythat,foreachdeploymentmechanismdescribedfortheupdateprocess,theTSSlistsatimebetweenpublicdisclosureofavulnerabilityandpublicavailabilityofthesecurityupdatetotheTOEpatchingthisvulnerability,toincludeanythird-partyorcarrierdelaysindeployment.Theevaluatorshallverifythatthistimeisexpressedinanumberorrangeofdays.

Theevaluatorshallverifythatthisdescriptionincludesthepubliclyavailablemechanisms(includingeitheranemailaddressorwebsite)forreportingsecurityissuesrelatedtotheTOE.Theevaluatorshallverifythatthedescriptionofthismechanismincludesamethodforprotectingthereporteitherusingapublickeyforencryptingemailoratrustedchannelforawebsite.

Theevaluatorshallverifythatthedescriptionincludeswhereuserscanseekinformationabouttheavailabilityofnewsecurityupdatesincludingdetailsofthespecificpublicvulnerabilitiescorrectedbyeachupdate.TheevaluatorshallverifythatthedescriptionincludestheminimumamountoftimethattheTOEisexpectedtobesupportedwithsecurityupdates,andtheprocessbywhichuserscanseekinformationaboutwhentheTOEisnolongerexpectedtoreceivesecurityupdates.

5.2.5ClassATE:TestsTestingisspecifiedforfunctionalaspectsofthesystemaswellasaspectsthattakeadvantageofdesignorimplementationweaknesses.TheformerisdonethroughtheATE_INDfamily,whilethelatteristhroughtheAVA_VANfamily.AttheassurancelevelspecifiedinthisPP,testingisbasedonadvertisedfunctionalityandinterfaceswithdependencyontheavailabilityofdesigninformation.Oneoftheprimaryoutputsoftheevaluationprocessisthetestreportasspecifiedinthefollowingrequirements.

SincemanyoftheAPIsarenotexposedattheuserinterface(e.g.,touchscreen),theabilitytostimulatethenecessaryinterfacesrequiresadeveloper’stestenvironment.Thistestenvironmentwillallowtheevaluator,forexample,toaccessAPIsandviewfilesysteminformationthatisnotavailableonconsumerMobileDevices.

ATE_IND.1IndependentTesting–Conformance

TestingisperformedtoconfirmthefunctionalitydescribedintheTSSaswellastheadministrative(includingconfigurationandoperational)documentationprovided.ThefocusofthetestingistoconfirmthattherequirementsspecifiedinSection5.1SecurityFunctionalRequirementsbeingmet,althoughsomeadditionaltestingisspecifiedforSARsinSection5.2SecurityAssuranceRequirements.TheEvaluationActivitiesidentifytheadditionaltestingactivitiesassociatedwiththesecomponents.Theevaluatorproducesatestreportdocumentingtheplanforandresultsoftesting,aswellascoverageargumentsfocusedontheplatform/TOEcombinationsthatareclaimingconformancetothisPP.

Developeractionelements:ATE_IND.1.1D

ThedevelopershallprovidetheTOEfortesting.

Contentandpresentationelements:ATE_IND.1.2C

TheTOEshallbesuitablefortesting.

Evaluatoractionelements:ATE_IND.1.3E


ATE_IND.1.4ETheevaluatorshalltestasubsetoftheTSFtoconfirmthattheTSFoperatesasspecified.


ATE_IND.1:Theevaluatorshallprepareatestplanandreportdocumentingthetestingaspectsofthesystem.Thetestplancoversallofthetestingactionscontainedinthe[CEM]andthebodyofthisPP’sEvaluationActivities.Whileitisnotnecessarytohaveonetestcasepertestlistedinanevaluationactivity,theevaluatormustdocumentinthetestplanthateachapplicabletestingrequirementintheSTiscovered.

Thetestplanidentifiestheplatformstobetested,andforthoseplatformsnotincludedinthetestplanbutincludedintheST,thetestplanprovidesajustificationfornottestingtheplatforms.Thisjustificationmustaddressthedifferencesbetweenthetestedplatformsandtheuntestedplatforms,andmakeanargumentthatthedifferencesdonotaffectthetestingtobeperformed.Itisnotsufficienttomerelyassertthatthedifferenceshavenoaffect;rationalemustbeprovided.IfallplatformsclaimedintheSTaretested,thennorationaleisnecessary.

Thetestplandescribesthecompositionofeachplatformtobetested,andanysetupthatisnecessarybeyondwhatiscontainedintheAGDdocumentation.ItshouldbenotedthattheevaluatorisexpectedtofollowtheAGDdocumentationforinstallationandsetupofeachplatformeitheraspartofatestorasastandardpre-testcondition.Thismayincludespecialtestdriversortools.Foreachdriverortool,anargument(notjustanassertion)shouldbeprovidedthatthedriverortoolwillnotadverselyaffecttheperformanceofthefunctionalitybytheTOEanditsplatform.Thisalsoincludestheconfigurationofthecryptographicenginetobeused.ThecryptographicalgorithmsimplementedbythisenginearethosespecifiedbythisPPandusedbythecryptographicprotocolsbeingevaluated(IPsec,TLS/HTTPS,SSH).

Thetestplanidentifieshigh-leveltestobjectivesaswellasthetestprocedurestobefollowedtoachievethoseobjectives.Theseproceduresincludeexpectedresults.Thetestreport(whichcouldjustbeanannotatedversionofthetestplan)detailstheactivitiesthattookplacewhenthetestprocedureswereexecuted,andincludestheactualresultsofthetests.Thisshallbeacumulativeaccount,soiftherewasatestrunthatresultedinafailure;afixinstalled;andthenasuccessfulre-runofthetest,thereportwouldshowa"fail"and"pass"result(andthesupportingdetails),andnotjustthe"pass"result.

5.2.6ClassAVA:VulnerabilityAssessmentForthecurrentgenerationofthisprotectionprofile,theevaluationlabisexpectedtosurveyopensourcestodiscoverwhatvulnerabilitieshavebeendiscoveredinthesetypesofproducts.Inmostcases,thesevulnerabilitieswillrequiresophisticationbeyondthatofabasicattacker.Untilpenetrationtoolsarecreatedanduniformlydistributedtotheevaluationlabs,theevaluatorwillnotbeexpectedtotestforthesevulnerabilitiesintheTOE.Thelabswillbeexpectedtocommentonthelikelihoodofthesevulnerabilitiesgiventhedocumentationprovidedbythevendor.Thisinformationwillbeusedinthedevelopmentofpenetrationtestingtoolsandforthedevelopmentoffutureprotectionprofiles.

AVA_VAN.1VulnerabilitySurvey

Developeractionelements:

AVA_VAN.1.1DThedevelopershallprovidetheTOEfortesting.

Contentandpresentationelements:AVA_VAN.1.2C

TheTOEshallbesuitablefortesting.

Evaluatoractionelements:AVA_VAN.1.3E


AVA_VAN.1.4ETheevaluatorshallperformasearchofpublicdomainsourcestoidentifypotentialvulnerabilitiesintheTOE.

ApplicationNote:PublicdomainsourcesincludetheCommonVulnerabilitiesandExposures(CVE)dictionaryforpublicly-knownvulnerabilities.

AVA_VAN.1.5ETheevaluatorshallconductpenetrationtesting,basedontheidentifiedpotentialvulnerabilities,todeterminethattheTOEisresistanttoattacksperformedbyanattackerpossessingBasicattackpotential.


AVA_VAN.1:Theevaluatorshallgenerateareporttodocumenttheirfindingswithrespecttothisrequirement.ThisreportcouldphysicallybepartoftheoveralltestreportmentionedinATE_IND,oraseparatedocument.Theevaluatorperformsasearchofpublicinformationtofindvulnerabilitiesthathavebeenfoundinmobiledevicesandtheimplementedcommunicationprotocolsingeneral,aswellasthosethatpertaintotheparticularTOE.Theevaluatordocumentsthesourcesconsultedandthevulnerabilitiesfoundinthereport.

Foreachvulnerabilityfound,theevaluatoreitherprovidesarationalewithrespecttoitsnon-applicability,ortheevaluatorformulatesatest(usingtheguidelinesprovidedinATE_IND)toconfirmthevulnerability,ifsuitable.Suitabilityisdeterminedbyassessingtheattackvectorneededtotakeadvantageofthevulnerability.Ifexploitingthevulnerabilityrequiresexpertskillsandanelectronmicroscope,forinstance,thenatestwouldnotbesuitableandanappropriatejustificationwouldbeformulated.

AppendixA-OptionalRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOE)arecontainedinthebodyofthisPP.ThisappendixcontainsthreeothertypesofoptionalrequirementsthatmaybeincludedintheST,butarenotrequiredinordertoconformtothisPP.However,appliedmodules,packagesand/orusecasesmayrefinespecificrequirementsasmandatory.

Thefirsttype(A.1StrictlyOptionalRequirements)arestrictlyoptionalrequirementsthatareindependentoftheTOEimplementinganyfunction.IftheTOEfulfillsanyoftheserequirementsorsupportsacertainfunctionality,thevendorisencouragedtoincludetheSFRsintheST,butarenotrequiredinordertoconformtothisPP.

Thesecondtype(A.2ObjectiveRequirements)areobjectiverequirementsthatdescribesecurityfunctionalitynotyetwidelyavailableincommercialtechnology.TherequirementsarenotcurrentlymandatedinthebodyofthisPP,butwillbeincludedinthebaselinerequirementsinfutureversionsofthisPP.Adoptionbyvendorsisencouragedandexpectedassoonaspossible.

Thethirdtype(A.3Implementation-basedRequirements)aredependentontheTOEimplementingaparticularfunction.IftheTOEfulfillsanyoftheserequirements,thevendormusteitheraddtherelatedSFRordisablethefunctionalityfortheevaluatedconfiguration.

A.1StrictlyOptionalRequirements

A.1.1Class:IdentificationandAuthentication(FIA)

FIA_UAU_EXT.4SecondaryUserAuthenticationFIA_UAU_EXT.4.1

TheTSFshallprovideasecondaryauthenticationmechanismforaccessingEnterpriseapplicationsandresources.ThesecondaryauthenticationmechanismshallcontrolaccesstotheEnterpriseapplicationandsharedresourcesandshallbeincorporatedintotheencryptionofprotectedandsensitivedatabelongingtoEnterpriseapplicationsandsharedresources.

ApplicationNote:FortheBYODusecase,Enterpriseapplicationsanddatamustbeprotectedusingadifferentpasswordthantheuserauthenticationtogainaccesstothepersonalapplicationsanddata,ifconfigured.

ThisrequirementmustbeincludedintheSTiftheTOEimplementsacontainersolution,inwhichthereisaseparateauthentication,toseparateuserandEnterpriseapplicationsandresources.

FIA_UAU_EXT.4.2TheTSFshallrequiretheusertopresentthesecondaryauthenticationfactorpriortodecryptionofEnterpriseapplicationdataandEnterprisesharedresourcedata.

ApplicationNote:ThisrequirementmustbeselectedifFIA_UAU_EXT.4.1isselected.TheintentofthisrequirementistopreventdecryptionofprotectedEnterpriseapplicationdataandEnterprisesharedresourcedatabeforetheuserhasauthenticatedtothedeviceusingthesecondaryauthenticationfactor.EnterprisesharedresourcedataconsistsoftheFDP_ACF_EXT.2.1selections.


FIA_UAU_EXT.4:TSSTherearenoTSSevaluationactivitiesforthiselement.


TestsTheEvaluationActivitiesforanyselectedrequirementsrelatedtodeviceauthenticationmustbeseparatelyperformedforthesecondaryauthenticationmechanism(inadditiontoactivitiesperformedfortheprimaryauthenticationmechanism).Therequirementsare:FIA_UAU.6,FIA_PMG_EXT.1,FIA_TRT_EXT.1,FIA_UAU.7,FIA_UAU_EXT.2,FTA_SSL_EXT.1,FCS_STG_EXT.2,FMT_SMF_EXT.1/FMT_MOF_EXT.1#1,#2,#8,#21,and#36.

Additionally,FIA_AFL_EXT.1mustbemet,exceptthatinFIA_AFL_EXT.1.2theseparatetestisperformedwiththetext"wipeofallprotecteddata"changedto"wipeofallEnterpriseapplicationdataandallEnterprisesharedresourcedata."

TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribestheprocessfordecryptingEnterpriseapplicationdataandsharedresourcedata.TheevaluatorshallensurethatthisprocessrequirestheusertoenteranAuthenticationFactorand,inaccordancewithFCS_CKM_EXT.3,derivesaKEKwhichisusedtoprotectthesoftware-basedsecurekeystorageand(optionally)DEK(s)forsensitivedata,inaccordancewithFCS_STG_EXT.2.



A.2ObjectiveRequirements

A.2.1Class:SecurityAudit(FAU)

FAU_SAR.1AuditReviewFAU_SAR.1.1

TheTSFshallprovidetheadministratorwiththecapabilitytoreadallauditedeventsandrecordcontentsfromtheauditrecords.

ApplicationNote:Theadministratormusthaveaccesstoreadtheauditrecord,perhapsthroughanAPIorviaanMDMAgent,whichtransfersthelocalrecordsstoredontheTOEtotheMDMServerwheretheenterpriseadministratormayviewthem.IfthisrequirementisincludedintheST,function32mustbeincludedintheselectionofFMT_SMF_EXT.1.

FAU_SAR.1.2TheTSFshallprovidetheauditrecordsinamannersuitablefortheusertointerprettheinformation.


FAU_SAR.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsTheevaluationactivityforthisrequirementisperformedinconjunctionwithtestforfunction32ofFMT_SMF_EXT.1.

FAU_SEL.1SelectiveAuditFAU_SEL.1.1

TheTSFshallbeabletoselectthesetofeventstobeauditedfromthesetofallauditableeventsbasedonthefollowingattributes[selection:

eventtype,successofauditablesecurityevents,failureofauditablesecurityevents,[assignment:otherattributes]

].

ApplicationNote:Theintentofthisrequirementistoidentifyallcriteriathatcanbeselectedtotriggeranauditevent.ThiscanbeconfiguredthroughaninterfaceontheTSFforauseroradministratortoinvoke.FortheSTauthor,theassignmentisusedtolistanyadditionalcriteriaor"none".


FAU_SEL.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.

GuidanceTheevaluatorshallreviewtheadministrativeguidancetoensurethattheguidanceitemizesalleventtypes,aswellasdescribesallattributesthataretobeselectableinaccordancewiththerequirement,toincludethoseattributeslistedintheassignment.Theadministrativeguidanceshallalsocontaininstructionsonhowtosetthepre-selectionaswellasexplainthesyntax(ifpresent)formulti-valuepre-selection.Theadministrativeguidanceshallalsoidentifythoseauditrecordsthatarealwaysrecorded,regardlessoftheselectioncriteriacurrentlybeingenforced.

TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:Foreachattributelistedintherequirement,theevaluatorshalldeviseatesttoshowthatselectingtheattributecausesonlyauditeventswiththatattribute(orthosethatarealwaysrecorded,asidentifiedintheadministrativeguidance)toberecorded.

Test2:[conditional]IftheTSFsupportsspecificationofmorecomplexauditpre-selectioncriteria(e.g.,multipleattributes,logicalexpressionsusingattributes)thentheevaluatorshalldevisetestsshowingthatthiscapabilityiscorrectlyimplemented.Theevaluatorshallalso,inthetestplan,provideashortnarrativejustifyingthesetoftestsasrepresentativeandsufficienttoexercisethecapability.

A.2.2Class:CryptographicSupport(FCS)

FCS_RBG_EXT.2RandomBitGeneratorStatePreservationFCS_RBG_EXT.2.1

TheTSFshallsavethestateofthedeterministicRBGatpower-off,andshallusethisstateasinputtothedeterministicRBGatstartup.

ApplicationNote:Thecapabilitytoaddthestatesavedatpower-offasinputtotheRBGpreventsanRBGthatisslowtogatherentropyfromproducingthesameoutputregularlyandacrossreboots.Sincethereisnoguaranteeoftheprotectionsprovidedwhenthestateisstored(orarequirementforanysuchprotection),itisassumedthatthestateis'known',andthereforecannotcontributeentropytotheRBG,butcanintroduceenoughvariationthattheinitialRBGvaluesarenotpredictableandexploitable.


FCS_RBG_EXT.2:TSSTheevaluationactivityforthisrequirementiscapturedintheRBGdocumentationforAppendixD-EntropyDocumentationAndAssessment.Theevaluatorshallverifythatthedocumentationdescribeshowthestateisgeneratedsoastobeavailableforthenextstartup,howthestateisusedasinputtotheDRBG,andanyprotectionmeasuresusedforthestatewhiletheTOEispoweredoff.



FCS_RBG_EXT.3SupportforPersonalizationStringFCS_RBG_EXT.3.1

TheTSFshallallowapplicationstoadddatatothedeterministicRBGusingthePersonalizationStringasdefinedinSP800-90A.

ApplicationNote:AsspecifiedinSP800-90A,theTSFmustnotcountdatainputfromanapplicationtowardstheentropyrequiredbyFCS_RBG_EXT.1.Thus,theTSFmustnotallowtheonlyinputtotheRBGseedtobefromanapplication.


FCS_RBG_EXT.3:TheevaluatorshallverifythatthisfunctionisincludedasaninterfacetotheRBGinthedocumentationrequiredbyAppendixD-EntropyDocumentationAndAssessmentandthatthe

behavioroftheRBGfollowingacalltothisinterfaceisdescribed.TheevaluatorshallalsoverifythatthedocumentationoftheRBGdescribestheconditionsofuseandpossiblevaluesforthePersonalizationStringinputtotheSP800-90AspecifiedDRBG.



TestsTest1:Theevaluatorshallwrite,orthedevelopershallprovide,anapplicationthataddsdatatotheRBGviathePersonalizationString.Theevaluatorshallverifythattherequestsucceeds.

FCS_SRV_EXT.2CryptographicAlgorithmServicesFCS_SRV_EXT.2.1

TheTSFshallprovideamechanismforapplicationstorequesttheTSFtoperformthefollowingcryptographicoperations:

AlgorithmsinFCS_COP.1/ENCRYPTAlgorithmsinFCS_COP.1/SIGN

bykeysstoredinthesecurekeystorage.

ApplicationNote:TheTOEwill,therefore,berequiredtoperformcryptographicoperationsonbehalfofapplicationsusingthekeysstoredintheTOE’ssecurekeystorage.


FCS_SRV_EXT.2:TheevaluatorshallverifythattheAPIdocumentationforthesecurekeystorageincludesthecryptographicoperationsbythestoredkeys.



TestsTheevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestscryptographicoperationsofstoredkeysbytheTSF.TheevaluatorshallverifythattheresultsfromtheoperationmatchtheexpectedresultsaccordingtotheAPIdocumentation.TheevaluatorshallusetheseAPIstotestthefunctionalityofthesecurekeystorageaccordingtotheEvaluationActivitiesinFCS_STG_EXT.1.

A.2.3Class:UserDataProtection(FDP)

FDP_ACF_EXT.3SecurityAttributeBasedAccessControlFDP_ACF_EXT.3.1

TheTSFshallenforceanaccesscontrolpolicythatprohibitsanapplicationfromgrantingbothwriteandexecutepermissiontoafileonthedeviceexceptfor[selection:filesstoredintheapplication'sprivatedatafolder,noexceptions].


FDP_ACF_EXT.3:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsEvaluationActivityNote:ThefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Test1:Theevaluatorshallwrite,orthedevelopershallprovide,anapplicationthatattemptstostoreafilewithbothwriteandexecutepermissions.Iftheselectionis"noexceptions",thentheevaluatorshallverifythatthisactionfailsandthatthepermissionsonthefilearenotsimultaneouslywriteandexecute.Iftheselectionis"application'sprivatedatafolder",thentheevaluatorshallensurethattheattempttostorethefileisoutsideoftheapplication'sprivatedatafolder.Test2:TheevaluatorshalltraversethefilesystemexaminingthepermissiononeachTSFfiletoverifythatnofilehasbothwriteandexecutepermissionsset.Iftheselectionis"application'sprivatedatafolder",thenonlyfilesoutsideofthisfolderneedtobeexaminedbytheevaluatorforthistest.

FDP_BCK_EXT.1ApplicationBackupFDP_BCK_EXT.1.1

TheTSFshallprovideamechanismforapplicationstomark[selection:allapplicationdata,selectedapplicationdata]tobeexcludedfromdevicebackups.

ApplicationNote:DevicebackupsincludeanymechanismbuiltintotheTOEthatallowsstoredapplicationdatatobeextractedoveraphysicalportorsentoverthenetwork,butdoesnotincludeanyfunctionalityimplementedbyaspecificapplicationitselfiftheapplicationisnotincludedintheTOE.Thelackofapublic/documentedAPIforperformingbackups,whenaprivate/undocumentedAPIexists,isnotsufficienttomeetthisrequirement.


FDP_BCK_EXT.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsIf"allapplicationdata"isselected,theevaluatorshallinstallanapplicationthathasmarkedallofitsapplicationdatatobeexcludedfrombackups.Theevaluatorshallcausedatatobeplacedintotheapplication’sstoragearea.Theevaluatorshallattempttobackuptheapplicationdataandverifythatthebackupfailsorthattheapplication’sdatawasnotincludedinthebackup.

If"selectedapplicationdata"isselected,theevaluatorshallinstallanapplicationthathasmarkedselectedapplicationdatatobeexcludedfrombackups.Theevaluatorshallcausedatacoveredby"selectedapplicationdata"tobeplacedintotheapplication’sstoragearea.Theevaluatorshallattempttobackupthatselectedapplicationdataandverifythateitherthebackupfailsorthattheselecteddataisexcludedfromthebackup.

FDP_BLT_EXT.1LimitationofBluetoothDeviceAccessFDP_BLT_EXT.1.1

TheTSFshalllimittheapplicationsthatmaycommunicatewithaparticularpairedBluetoothdevice.

ApplicationNote:NoteveryapplicationwithprivilegestouseBluetoothshouldbepermittedtocommunicatewitheverypairedBluetoothdevice.Forexample,theTSFmaychoosetorequirethatonlytheapplicationthatinitiatedthecurrentconnectionmaycommunicatewiththedevice,oritmaystrictlytiethepaireddevicetothefirstapplicationthatmakesasocketconnectiontothedevicefollowinginitialpairing.Additionally,formoreflexibility,theTSFmaychoosetoprovidetheuserwithawaytoselectwhichapplicationsonthedevicemaycommunicatewithorobservecommunicationswitheachpairedBluetoothdevice.


FDP_BLT_EXT.1:TSS

TheevaluatorshallensurethattheTSSdescribesthemechanismusedtopreventunrestrictedaccesstopairedBluetoothdevices(and/ortheircommunicationdata)byeveryapplicationwithaccesstotheBluetoothsystemserviceontheTOE.TheevaluatorshallverifythatthismethodeitherrestrictsaccesstoasingleapplicationorprovidesexplicitcontroloftheapplicationsthatmaycommunicatewiththepairedBluetoothdevice.

GuidanceTheevaluatorshallverifythattheAGDcontainsthestepstoconfigurewhichapplicationsareallowedtocommunicatewithagivenBluetoothperipheral.

TestsTheevaluatorshallestablishaBluetoothconnectionwithanyperipheral.TheevaluatorshallverifythatanapplicationthatisallowedtocommunicatewiththeBluetoothperipheralisabletoandthatanapplicationthatisnotallowedtocommunicatewiththatBluetoothperipheralisunabletocommunicatewiththeperipheral.

A.2.4Class:IdentificationandAuthentication(FIA)

FIA_BMG_EXT.2BiometricEnrollmentFIA_BMG_EXT.2.1

TheTSFshallonlyusebiometricsamplesofsufficientqualityforenrollment.Sampledatashallhave[assignment:qualitymetricscorrespondingtoeachbiometricmodality].

ApplicationNote:Differentbiometricmodalitiesutilizedifferentqualitystandards.ThequalitystandardfortheeachBAFselectedinFIA_UAU.5shouldbelistedintheassignment.Forexample,fingerprintmayutilizetheNFIQstandardwhereNFIQ1.0scoresof1,2,or3arerequiredforuseinhardwarePIV,where1isthehighestqualitystandard.NFIQ2.0isanewerversionoftheNFIQstandardthathasnotseenwidespreadadoptionasofthepublicationofthisPPbutisbeingconsideredbythescientificcommunityaswellasbyindustry.Samplesusedtocreatetheauthenticationtemplate/profileatenrollmentmustbemutuallyconsistent.Aftertheauthenticationtemplatehasbeencreated,itmustbetestedtodeterminewhetherornotitisofsufficientqualityandifnot,morequalitysamplesmustbeaddeduntilitisofsufficientquality.


FIA_BMG_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribeshowthequalityofsamplesusedtocreatetheauthenticationtemplateatenrollmentareverified.Aswellasthequalitystandardthatthevalidationmethodusestoperformtheassessment.

GuidanceTheevaluatorshallverifythattheAGDguidancedescribeshowtoenrollauserforeachbiometricmodalitysupported.

TestsTheevaluatorshallinputbiometricsamplesforenrollment.Uponinputtingbiometricsamplesafixednumberoftimesasspecifiedintheprompts,oneormoreauthenticationtemplateswillbegenerated.Theevaluatorshallverifythatthedeviceonlyacceptssamplesofsufficientqualityorrequestsadditionalsamplesiftheauthenticationtemplateisnotofsufficientquality.Forallqualitymetrics,theevaluatorshallensurethatbiometricsamplesachievingaworsequalityscorethantheprescribedthresholdarerejected.

FIA_BMG_EXT.3BiometricVerificationFIA_BMG_EXT.3.1

TheTSFshallonlyusebiometricsamplesofsufficientqualityforverification.Assuch,sampledatashallhave[assignment:qualitymetricscorrespondingtoeachbiometricmodality].

ApplicationNote:Differentbiometricmodalitiesutilizedifferentqualitystandards.ThequalitystandardfortheeachBAFselectedinFIA_UAU.5shouldbelistedintheassignment.Forexample,fingerprintmayutilizetheNFIQstandardwhereNFIQ1.0scoresof1,2,or3arerequiredforuseinhardwarePIV,where1isthehighestqualitystandard.NFIQ2.0isanewerversionoftheNFIQstandardthathasnotseenwidespreadadoptionasofthepublicationof

thisPPbutisbeingconsideredbythescientificcommunityaswellasbyindustry.


FIA_BMG_EXT.3:TSSTheevaluatorshallverifythattheTSSdescribeshowthequalityofsamplesusedtoverifyauthenticationareverified.Aswellasthequalitystandardthatthevalidationmethodusestoperformtheassessment.Theevaluatorshallenrollauserforeachbiometricmodalitysupported.Theevaluatorwilltheninputbiometricsamplesforverificationandensurethatthedeviceonlyacceptssamplesofsufficientquality.Theevaluatorshallensurethatbiometricsamplesachievingaworsequalityscorethantheprescribedthresholdarerejected.



FIA_BMG_EXT.4BiometricTemplatesFIA_BMG_EXT.4.1

TheTSFshallonlygenerateanduseenrollmenttemplatesand/orauthenticationtemplatesofsufficientqualityforanysubsequentauthenticationfunctions.

ApplicationNote:Ifthevendorneedstodevelopanauthenticationtemplateusingmultipleenrollmentsamples,theymustallbemutuallyconsistentandcorrespondtothebiometriccharacteristicsofasingleuserandsource.Forthepurposesofthisrequirement,enrollmenttemplatesaretemplatesconstructedfromsampledata,whileauthenticationtemplatesaregeneratedbasedonsampledataand/orenrollmenttemplatesandstoredformatching/biometricverificationpurposes.Oneormoretemplatescouldbegeneratedduringenrollmentwithouttheuserknowinghowmany.

Authenticationtemplatesmaynothavestandardqualitymetrics,butvendorand/orlabsstillneedtoensurethatsuchtemplateshaveasufficientfeaturesetavailabletoprovideadesiredidentityassurancelevel.Examplesincludeminimumnumberoffingerprintminutiae.


FIA_BMG_EXT.4:TSSTheevaluatorshallverifythattheTSSdescribeshowthesamplesusedtocreatetheauthenticationtemplateatenrollmentaremutuallyconsistentandhowthemutualconsistencyisvalidated,bothintermsofthemethodofvalidationaswellasthequalitystandardthatthevalidationmethodusestoperformtheassessment.

Theevaluatorshallinputbiometricsamplesforenrollment.Indoingso,theevaluatorshallverifytheenrollmenttemplatesgeneratedareofsufficientquality.Uponinputtingbiometricsamplesafixednumberoftimesasspecifiedintheprompts,theevaluatorshalladditionallyverifythatanyenrollmentandauthenticationtemplatesgeneratedareofsufficientquality.Thatis,theyshallallbemutuallyconsistentandcorrespondtothebiometriccharacteristicsofasingleuserandsource(e.g.thesamefingerfromthesameperson).



FIA_BMG_EXT.5HandlingUnusualBiometricTemplatesFIA_BMG_EXT.5.1

Thematchingalgorithmshallhandleproperlyformattedenrollmenttemplatesand/orauthenticationtemplates,especiallythosewithunusualdataproperties,appropriately.Ifsuchtemplatescontainincorrectsyntax,areoflowquality,orcontainenrollmentdataconsideredunrealisticforagivenmodality,thentheyshallberejectedbythematchingalgorithmandanerrorcodeshallbereported.

ApplicationNote:Whileitisimportanttohaveproperlyformattedenrollmentorauthenticationtemplates,itisequallyimportantforthematchingalgorithmtocorrectlyhandleenrollmentand/orauthenticationtemplatesthathaveunusualdatapropertiesorareoflowquality.Ifthematchingalgorithmdetectstemplatesthatareoflowquality,havelownumbersofbitsofcomplexity,ormaintainunusualdataproperties,itmustreturnanerrorcodeorotherindicationinordertoprotectthesystemfrompossiblespoofingordenial-of-serviceattacks.Forthepurposesofthisrequirement,enrollmenttemplatesaretemplatesconstructedfromsampledata,whileauthenticationtemplatesarestoredformatching/biometricverificationpurposes.

Examplesofunusualdatapropertiesthatmaycausefingerprintenrollmenttemplaterejectioninclude,butarenotlimitedto,minutiacountsthataretoohighortoolow,directionfieldmapsthatdonotcorrespondtorealfingerprintridgeflowmaps,alldetectedminutiacrowdedtotheextremeedgesoftheimagearea,andridgewidthsthataretoowideortoonarrow.

Accordingly,ifanenrollmenttemplateand/orauthenticationtemplatemeetsthestructuralrequirementsbutwithoutpropersyntax,thematchingalgorithmmustsimilarlyreturnanerrorcodeorotherindicationtosimilareffect.


FIA_BMG_EXT.5:TSSTheevaluatorshallverifythattheTSShowthematchingalgorithmaddressesproperlyformattedtemplateswithunusualdataproperties,incorrectsyntax,orlowquality.Theevaluatorshallensurethattheseclaimsaresoundthroughappropriatetestingbasedontestprogramsprovidedbythevendor.



FIA_BMG_EXT.6SpoofDetectionsforBiometricsFIA_BMG_EXT.6.1

TheTSFshallperformPresentationAttackDetectiontestinguptotheattackpotentialof[selection:basic,intermediate,advanced]attacks,foreachbiometricmodalitiesselectedinFIA_UAU.5.1oneachenrollmentandauthenticationattempt,rejectingdetectedspoofs.WhenanauthenticationattemptfailsduetoPADtesting,theTSFshallnotindicatetotheuserthereasonforfailuretoauthenticate.

ApplicationNote:PresentationAttackDetection(PAD)isalsoknownaslivenessdetectionorspoofdetection.IfmultiplemodalitiesareselectedinFIA_UAU.5.1,thenthisSFRmustbeiteratedforeachmodality.Foreachmodality,onlyoneattackstrengthmustbeselected.

BecausePresentationAttackDetection(PAD)isanopen-endedproblemmuchlikevulnerabilitytesting,itisneithercost-effectivenorfeasibletocreateacompletelistofattackvectorsandperformtestingonallofthemduringthetimeframeforCCevaluations.Suchalistwouldbeever-changing,andunlikecodevulnerabilities(i.e.CVEs),theequipment,skill,time,andcostrequiredtotesthighlysophisticatedattacksishighlyinfeasibleforatestinglabgiventhecurrenttimeframeforCCevaluations.Nevertheless,itisaknownriskthathasbeendocumentedbyresearchersforyears.

Therefore,vendorsareresponsibleforprovidingtheirowndocumentationspecifyingthemeasurestheTSFtakestomitigatepresentationattacksandtheappropriatepen-testing(forexample,redteamingandblueteaming)performedasproof.

Tobespecific,basicattacks(includingbasicandenhanced-basic[IBPC])refertoattacksinliteratureoflowskillthatcanbeperformedonalimitedbudget.Thisincludes,butisnotlimitedto,playbackattacksofaspokenutteranceusingadifferentmobiledeviceforvoiceauthentication,takingaphotographofafingerprintorfacialandsubmittingittothesensor,amongotherexamples.

Intermediate(ormoderate[IBPC])attackscaninclude,butarenotlimitedto,creatingafoamfingertothwartfingerprintdetectionandusingahigherqualityplaybackdevicetothwartlivenessdetection.

Advanced(includinghighandbeyondhigh[IBPC])attackscaninclude,butarenotlimitedto,creatingasynthetichandwiththegivenfingerprintusinganexpensive3D-printerandforcingsomeonetorevealone’scredentialsthroughcoercionorthreatsthatmaycauseharm(wheredetectionofduressisrequired).Manyoftheseattacktechniquesmaybesensitiveorgovernmentclassified.


FIA_BMG_EXT.6:TSSThetestingmethodologyspecifiedinISO19989Informationtechnology—Securityevaluationofpresentationattackdetectionforbiometrics[ISO19989]istobeusedtodeterminetheefficacyofthePADfortheselectedattackpotential.


TestsEvaluationActivityNote:ISO19989isindraftstatusatthetimeofpublicationofthisPP.OncetheISOstandardispublished,itshallbeusedtomeettheevaluationactivityforthisrequirement.Henniger,Scheuermann,andKniess[IBPC],provideadescriptionofattackpotentialcalculationwithexamples.UntilsuchtimeasISO19989ispublished,thevendorshallprovidetothelabadescriptionofthePADprocessingimplementedintheTSF,testproceduresusedtovalidatesuccessfuloperationofPAD,andtestdatawithresultsofthePADvalidationtesting.Thelabmayanalyzethetestproceduresanddatatovalidatevendortestresultsor,optionally,mayconductitsowntesting.

Ifthelabperformsitsowntesting,itishighlyrecommendedthatthevendorprovidesspooftestingtools,asitisnotexpectedforthelabtocreateatestprocedureformodalitiesoutsideofestablishedstandardsandeasilyimplementedprocedures.Labscanalsoexpeditethetestingprocessbypurchasingtheappropriatespoofkitsandrecipesfromspecializedbiometricstestinglabs.

FIA_X509_EXT.4X.509CertificateEnrollmentFIA_X509_EXT.4.1

TheTSFshallusetheEnrollmentoverSecureTransport(EST)protocolasspecifiedinRFC7030torequestcertificateenrollmentusingthesimpleenrollmentmethoddescribedinRFC7030Section4.2.

FIA_X509_EXT.4.2TheTSFshallbecapableofauthenticatingESTrequestsusinganexistingcertificateandcorrespondingprivatekeyasspecifiedbyRFC7030Section3.3.2.

FIA_X509_EXT.4.3TheTSFshallbecapableofauthenticatingESTrequestsusingHTTPBasicAuthenticationwithausernameandpasswordasspecifiedbyRFC7030Section3.2.3.

FIA_X509_EXT.4.4TheTSFshallperformauthenticationoftheESTserverusinganExplicitTrustAnchorfollowingtherulesdescribedinRFC7030,section3.6.1.

ApplicationNote:ESTalsousesHTTPSasspecifiedinFCS_HTTPS_EXT.1toestablishasecureconnectiontoanESTserver.TheseparateTrustAnchorDatabasededicatedtoESToperationsisdescribedasExplicitTrustAnchorsinRFC7030.

FIA_X509_EXT.4.5TheTSFshallbecapableofrequestingserver-providedprivatekeysasspecifiedinRFC7030Section4.4.

FIA_X509_EXT.4.6TheTSFshallbecapableofupdatingitsEST-specificTrustAnchorDatabaseusingthe"RootCAKeyUpdate"processdescribedinRFC7030Section4.1.3.

FIA_X509_EXT.4.7TheTSFshallgenerateaCertificateRequestMessageforESTasspecifiedinRFC2986andbeabletoprovidethefollowinginformationintherequest:publickeyand[selection:device-specificinformation,CommonName,Organization,OrganizationalUnit,Country].

ApplicationNote:Thepublickeyreferencedisthepublickeyportionofthe

public-privatekeypairgeneratedbytheTOEasspecifiedinFCS_CKM.1.

FIA_X509_EXT.4.8TheTSFshallvalidatethechainofcertificatesfromtheRootCAcertificateintheTrustAnchorDatabasetotheESTServerCAcertificateuponreceivingaCACertificatesResponse.


FIA_X509_EXT.4:TSSTherearenoTSSevaluationactivitiesforthiscomponent.

GuidanceTheevaluatorshallchecktoensurethattheoperationalguidancecontainsinstructionsonrequestingcertificatesfromanESTserver,includinggeneratingaCertificateRequestMessage.

TestsTheevaluatorshallalsoperformthefollowingtests.OthertestsareperformedinconjunctionwiththeevaluationactivitylistedinthePackageforTransportLayerSecurity.

Test1:TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestcertificateenrollmentfromanESTserverusingthesimpleenrollmentmethoddescribedinRFC7030Section4.2,authenticatingthecertificaterequesttotheserverusinganexistingcertificateandprivatekeyasdescribedbyRFC7030Section3.3.2.TheevaluatorshallconfirmthattheresultingcertificateissuccessfullyobtainedandinstalledintheTOEkeystore.

Test2:TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestcertificateenrollmentfromanESTserverusingthesimpleenrollmentmethoddescribedinRFC7030Section4.2,authenticatingthecertificaterequesttotheserverusingausernameandpasswordasdescribedbyRFC7030Section3.2.3.TheevaluatorshallconfirmthattheresultingcertificateissuccessfullyobtainedandinstalledintheTOEkeystore.

Test3:TheevaluatorshallmodifytheESTservertoreturnacertificatecontainingadifferentpublickeythanthekeyincludedintheTOE’scertificaterequest.TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestcertificateenrollmentfromanESTserver.TheevaluatorshallconfirmthattheTOEdoesnotaccepttheresultingcertificatesincethepublickeyintheissuedcertificatedoesnotmatchthepublickeyinthecertificaterequest.

Test4:TheevaluatorshallconfiguretheESTserveroruseaman-in-the-middletooltopresentaservercertificatetotheTOEthatispresentintheTOEgeneralTrustAnchorDatabasebutnotitsEST-specificTrustAnchorDatabase.TheevaluatorshallcausetheTOEtorequestcertificateenrollmentfromtheESTserver.Theevaluatorshallverifythattherequestisnotsuccessful.

Test5:TheevaluatorshallconfiguretheESTserveroruseaman-in-the-middletooltopresentaninvalidcertificate.TheevaluatorshallcausetheTOEtorequestcertificateenrollmentfromtheESTserver.TheevaluatorshallverifythattherequestisnotsuccessfulTheevaluatorshallconfiguretheESTserveroruseaman-in-the-middletooltopresentacertificatethatdoesnothavetheCMCRApurposeandverifythatrequeststotheESTserverfail.ThetestershallrepeatthetestusingavalidcertificateandacertificatethatcontainstheCMCRApurposeandverifythatthecertificateenrollmentrequestssucceed.

Test6:TheevaluatorshalluseapacketsniffingtoolbetweentheTOEandanESTserver.TheevaluatorshallturnonthesniffingtoolandcausetheTOEtorequestcertificateenrollmentfromanESTserver.TheevaluatorshallverifythattheESTprotocolinteractionoccursoveraTransportLayerSecurity(TLS)protectedconnection.TheevaluatorisnotexpectedtodecrypttheconnectionbutratherobservethatthepacketsconformtotheTLSprotocolformat.

Test7:TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestaserver-providedprivatekeyandcertificatefromanESTserver.TheevaluatorshallconfirmthattheresultingprivatekeyandcertificatearesuccessfullyobtainedandinstalledintheTOEkeystore.

Test8:TheevaluatorshallmodifytheESTserverto,inresponsetoaserver-providedprivatekeyandcertificaterequest,returnaprivatekeythatdoesnotcorrespondwiththepublickeyinthereturnedcertificate.TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestaserver-providedprivatekeyandcertificate.TheevaluatorshallconfirmthattheTOEdoesnotaccepttheresultingprivatekeyandcertificatesincetheprivatekeyandpublickeydonotcorrespond.

Test9:TheevaluatorshallconfiguretheESTservertoprovidea"RootCAKeyUpdate"as

describedinRFC7030Section4.1.3.TheevaluatorshallcausetheTOEtorequestCAcertificatesfromtheESTserverandshallconfirmthattheEST-specificTrustAnchorDatabaseisupdatedwiththenewtrustanchor.

Test10:TheevaluatorshallconfiguretheESTservertoprovidea"RootCAKeyUpdate"asdescribedinRFC7030Section4.1.3,butshallmodifypartoftheNewWithOldcertificate’sgeneratedsignature.TheevaluatorshallcausetheTOEtorequestCAcertificatesfromtheESTserverandshallconfirmthattheEST-specificTrustAnchorDatabaseisnotupdatedwiththenewtrustanchorsincethesignaturedidnotverify.

Test11:TheevaluatorshallusetheoperationalguidancetocausetheTOEtogenerateacertificaterequestmessage.TheevaluatorshallcapturethegeneratedmessageandensurethatitconformstotheformatspecifiedbyRFC2986.Theevaluatorshallconfirmthatthecertificaterequestprovidesthepublickeyandotherrequiredinformation,includinganynecessaryuser-inputinformation.

FIA_X509_EXT.5X.509CertificateRequestsFIA_X509_EXT.5.1

TheTSFshallgenerateaCertificateRequestMessageasspecifiedinRFC2986andbeabletoprovidethefollowinginformationintherequest:publickeyand[selection:device-specificinformation,CommonName,Organization,OrganizationalUnit,Country].

ApplicationNote:ThepublickeyreferencedinFIA_X509_EXT.5.1isthepublickeyportionofthepublic-privatekeypairgeneratedbytheTOEasspecifiedinFCS_CKM.1.ThetrustedchannelrequirementsdonotapplytocommunicationwiththeCAforthecertificaterequest/responsemessages.

AsEnrollmentoverSecureTransport(EST)isanewstandardthathasnotyetbeenwidelyadopted,thisrequirementisincludedasaninterimobjectiverequirementinordertoallowdeveloperstodistinguishthoseproductswhichhavedohavetheabilitytogenerateCertificateRequestMessagesbutdonotyetimplementEST.

FIA_X509_EXT.5.2TheTSFshallvalidatethechainofcertificatesfromtheRootCAuponreceivingtheCACertificateResponse.


FIA_X509_EXT.5:TSSIftheSTauthorselects"device-specificinformation",theevaluatorshallverifythattheTSScontainsadescriptionofthedevice-specificfieldsusedincertificaterequests.

GuidanceTheevaluatorshallchecktoensurethattheoperationalguidancecontainsinstructionsongeneratingaCertificateRequestMessage.IftheSTauthorselects"CommonName","Organization","OrganizationalUnit",or"Country",theevaluatorshallensurethatthisguidanceincludesinstructionsforestablishingthesefieldsbeforecreatingthecertificaterequestmessage.

TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:TheevaluatorshallusetheoperationalguidancetocausetheTOEtogenerateacertificaterequestmessage.Theevaluatorshallcapturethegeneratedmessageandensurethatitconformstotheformatspecified.Theevaluatorshallconfirmthatthecertificaterequestprovidesthepublickeyandotherrequiredinformation,includinganynecessaryuser-inputinformation.

Test2:Theevaluatorshalldemonstratethatvalidatingacertificateresponsemessagewithoutavalidcertificationpathresultsinthefunctionfailing.TheevaluatorshallthenloadacertificateorcertificatesastrustedCAsneededtovalidatethecertificateresponsemessage,anddemonstratethatthefunctionsucceeds.Theevaluatorshallthendeleteoneofthecertificates,andshowthatthefunctionfails.

A.2.5Class:SecurityManagement(FMT)

FMT_SMF_EXT.3CurrentAdministrator

FMT_SMF_EXT.3.1TheTSFshallprovideamechanismthatallowsuserstoviewalistofcurrentlyauthorizedadministratorsandthemanagementfunctionsthateachadministratorisauthorizedtoperform.


FMT_SMF_EXT.3:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsTheevaluatorshallcausetheTOEtobeenrolledintomanagement.Theevaluatorshalltheninvokethismechanismandverifytheabilitytoviewthatthedevicehasbeenenrolled,andviewthemanagementfunctionsthattheadministratorisauthorizedtoperform.

A.2.6Class:ProtectionoftheTSF(FPT)

FPT_AEX_EXT.5KernelAddressSpaceLayoutRandomizationFPT_AEX_EXT.5.1

TheTSFshallprovideaddressspacelayoutrandomization(ASLR)tothekernel.

FPT_AEX_EXT.5.2Thebaseaddressofanykernel-spacememorymappingwillconsistof[assignment:numbergreaterthanorequalto4]unpredictablebits.

ApplicationNote:TheunpredictablebitsmaybeprovidedbytheTSFRBG(asspecifiedinFCS_RBG_EXT.1).


FPT_AEX_EXT.5:TSSTheevaluatorshallensurethattheTSSsectionoftheSTdescribeshowthebitsaregeneratedandprovidesajustificationastowhythosebitsareunpredictable.



Test1:TheevaluatorshallreboottheTOEsixtimes.Foreachofthesereboots,theevaluatorshallexaminememorymappinglocationsofthekernel.Theevaluatormustensurethatforatleastfiverebootsthememorymappingsarenotplacedinthesamelocationonbothdevices.

FPT_AEX_EXT.6WriteorExecuteMemoryPagePermissionsFPT_AEX_EXT.6.1

TheTSFshallpreventwriteandexecutepermissionsfrombeingsimultaneouslygrantedtoanypageofphysicalmemory[selection:withnoexceptions,[assignment:specificexceptions]].

ApplicationNote:Memoryusedforjust-in-time(JIT)compilationisanticipatedasanexceptioninthisrequirement;ifso,theSTauthormustaddresshowthisexceptionispermitted.Itisexpectedthatthememorymanagementunitwilltransitionthesystemtoanon-operationalstateifanyviolationisdetectedinkernelmemoryspace.


FPT_AEX_EXT.6:TSSTheevaluatorshallensurethattheTSSdescribeshowtheoperatingsystemoftheapplicationprocessorpreventsallprocessesexecutinginanon-privilegedexecutiondomainfromachievingwriteandexecutepermissionsonanypageofmemory(withonlyspecifiedexceptions).TheevaluatorshallensurethattheTSSdescribeshowsuchprocessesareunabletorequestpagesofmemorywithsuchpermissions,andhowtheyareunabletochangepermissionstobothwriteandexecuteonanypagesalreadyallocatedtothem.



FPT_AEX_EXT.7HeapOverflowProtectionFPT_AEX_EXT.7.1

TheTSFshallincludeheap-basedbufferoverflowprotectionsintheruntimeenvironmentitprovidestoprocessesthatexecuteontheapplicationprocessor.

ApplicationNote:Theseheap-basedbufferoverflowprotectionsareexpectedtoensuretheintegrityofheapmetadatasuchasmemoryaddressesoroffsetsrecordedbytheheapimplementationtomanagememoryblocks.Thisincludeschunkheaders,look-asidelists,andotherdatastructuresusedtotrackthestateandlocationofmemoryblocksmanagedbytheheap.


FPT_AEX_EXT.7:TSSTheevaluatorshallverifythattheTSSenumeratestheheapimplementationsprovidedtouserspaceprocesses.TheevaluatorshallensurethattheTSSlistsalltypesofheapmetadataandidentifieshowtheintegrityofeachtypeofmetadataisensured.TheevaluatorshallensurethattheTSSidentifiesallfieldswithineachtypeofmetadataandidentifieshowtheintegrityofthesefieldsisensured.TheevaluatorshallverifythattheTSSidentifiesthemannerinwhichanerrorconditionisenteredwhenaheapoverflowisdetectedandtheresultingactionstakenbytheTSF.


TestsForeachheapimplementation,theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplication,whichallocatesmemoryfromtheheapandthenwritesarbitrarydatasignificantlybeyondtheendoftheallocatedbuffer.Theevaluatorshallattempttoexecutethisapplicationandverifythatthewriteisnotallowed.

FPT_BBD_EXT.1ApplicationProcessorMediationFPT_BBD_EXT.1.1

TheTSFshallpreventcodeexecutingonanybasebandprocessor(BP)fromaccessingapplicationprocessor(AP)resourcesexceptwhenmediatedbytheAP.

ApplicationNote:Theseresourcesinclude:Volatileandnon-volatilememoryControlofanddatafromintegratedandnon-integratedperipherals(e.g.USBcontrollers,touchscreencontrollers,LCDcontroller,codecs)Controlofanddatafromintegratedandnon-integratedI/Osensors(e.g.camera,light,microphone,GPS,accelerometers,geomagneticfieldsensors)

Mobiledevicesarebecomingincreasinglycomplexhavinganapplicationprocessorthatrunsanoperatingsystemanduserapplicationsandseparatebasebandprocessor(s)thathandlecellularandotherwirelessnetworkconnectivity.

TheapplicationprocessorwithinmostmodernMobileDevicesisasystemonachip(SoC)thatintegrates,forexample,CPU/GPUcoresandmemory

interfaceelectronicsintoasingle,power-efficientpackage.Basebandprocessorsarebecomingincreasinglycomplexthemselvesdeliveringvoiceencodingalongsidemultipleindependentradios(LTE,Wi-Fi,Bluetooth,FM,GPS)inasinglepackagecontainingmultipleCPUsandDSPs.

Thus,thebasebandprocessor(s)intheserequirementsincludesuchintegratedSoCsandincludeanyradioprocessors(integratedornot)ontheMobileDevice.

Allotherrequirementsmostly,exceptwherenoted,applytofirmware/softwareontheapplicationprocessor,butfuturerequirements(notably,allIntegrity,AccessControl,andAnti-Exploitationrequirements)willapplytoapplicationprocessorsandbasebandprocessors.


FPT_BBD_EXT.1:TSSTheevaluatorshallensurethattheTSSsectionoftheSTdescribesatahighlevelhowtheprocessorsontheMobileDeviceinteract,includingwhichbusprotocolstheyusetocommunicate,anyotherdevicesoperatingonthatbus(peripheralsandsensors),andidentificationofanysharedresources.TheevaluatorshallverifythatthedesigndescribedintheTSSdoesnotpermitanyBPsfromaccessinganyoftheperipheralsandsensorsorfromaccessingmainmemory(volatileandnon-volatile)usedbytheAP.Inparticular,theevaluatorshallensurethatthedesignpreventsmodificationofexecutablememoryoftheAPbytheBP.



FPT_BLT_EXT.1LimitationofBluetoothProfileSupportFPT_BLT_EXT.1.1

TheTSFshalldisablesupportfor[assignment:listofBluetoothprofiles]BluetoothprofileswhentheyarenotcurrentlybeingusedbyanapplicationontheMobileDevice,andshallrequireexplicituseractiontoenablethem.

ApplicationNote:SomeBluetoothservicesincurmoreseriousconsequencesifunauthorizedremotedevicesgainaccesstothem.SuchservicesshouldbeprotectedbymeasureslikedisablingsupportfortheassociatedBluetoothprofileunlessitisactivelybeingusedbyanapplicationontheMobileDevice(inordertopreventdiscoverybyaServiceDiscoveryProtocolsearch),andthenrequiringexplicituseractiontoenablethoseprofilesinordertousetheservices.Itmaybefurtherappropriatetorequireadditionaluseractionbeforegrantingaremotedeviceaccesstothatservice.

Forexample,itmaybeappropriatetodisabletheOBEXPushProfileuntilauserontheMobileDevicepushesabuttoninanapplicationindicatingreadinesstotransferanobject.Aftercompletionoftheobjecttransfer,supportfortheOBEXprofileshouldbesuspendeduntilthenexttimetheuserrequestsitsuse.


FPT_BLT_EXT.1:TSSTheevaluatorshallensurethattheTSSlistsallBluetoothprofilesthataredisabledwhilenotinusebyanapplicationandwhichneedexplicituseractioninordertobecomeenabled.


TestsTheevaluatorshallperformthefollowingtests:

Test1:WhiletheserviceisnotinactiveusebyanapplicationontheTOE,theevaluatorshallattempttodiscoveraserviceassociatedwitha"protected"Bluetoothprofile(asspecifiedbytherequirement)ontheTOEviaaServiceDiscoveryProtocolsearch.TheevaluatorshallverifythattheservicedoesnotappearintheServiceDiscoveryProtocolsearchresults.Next,theevaluatorshallattempttogainremoteaccesstotheservicefroma

devicethatdoesnotcurrentlyhaveatrusteddevicerelationshipwiththeTOE.Theevaluatorshallverifythatthisattemptfailsduetotheunavailabilityoftheserviceandprofile.

Test2:TheevaluatorshallrepeatTest1withadevicethatcurrentlyhasatrusteddevicerelationshipwiththeTOEandverifythatthesamebehaviorisexhibited.

FPT_NOT_EXT.2Self-TestNotificationFPT_NOT_EXT.2.1

TheTSFshall[selection:audit,providetheadministratorwith]TSF-softwareintegrityverificationvalues.

ApplicationNote:Thesenotificationsaretypicallycalledremoteattestationandtheseintegrityvaluesaretypicallycalledmeasurements.Theintegrityvaluesarecalculatedfromhashesofcriticalmemoryandvalues,includingexecutablecode.TheSTauthormustselectwhetherthesevaluesareloggedasapartofFAU_GEN.1.1orareprovidedtotheadministrator.

FPT_NOT_EXT.2.2TheTSFshallcryptographicallysignallintegrityverificationvalues.

ApplicationNote:TheintentofthisrequirementistoprovideassurancetotheadministratorthattheresponsesprovidedarefromtheTOEandhavenotbeenmodifiedorspoofedbyaman-in-the-middlesuchasanetwork-basedadversaryoramaliciousMDMAgent.


FPT_NOT_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribeswhichcriticalmemoryismeasuredfortheseintegrityvaluesandhowthemeasurementisperformed(includingwhichTOEsoftwareperformsthesegeneratesthesevalues,howthatsoftwareaccessesthecriticalmemory,andwhichalgorithmsareused).

GuidanceIftheintegrityvaluesareprovidedtotheadministrator,theevaluatorshallverifythattheAGDguidancecontainsinstructionsforretrievingthesevaluesandinformationforinterpretingthem.Forexample,ifmultiplemeasurementsaretaken,whatthosemeasurementsareandhowchangestothosevaluesrelatetochangesinthedevicestate.

TestsEvaluationActivityNote:ThefollowingtestmayrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.

Theevaluatorshallrepeatthefollowingtestforeachmeasurement:Test1:Theevaluatorshallbootthedeviceinanapprovedstateandrecordthemeasurementtaken(eitherfromthelogorbyusingtheadministrativeguidancetoretrievethevalueviaanMDMAgent).Theevaluatorshallmodifythecriticalmemoryorvaluethatismeasured.Theevaluatorshallbootthedeviceandverifythatthemeasurementchanged.

TSSTheevaluatorshallverifythattheTSSdescribeswhichkeytheTSFusestosigntheresponsestoqueriesandthecertificateusedtoproveownershipofthekey,andthemethodofassociatingthecertificatewithaparticulardevicemanufacturerandmodel.


TestsTheevaluatorshallperformthefollowingtest:

Test1:Theevaluatorshallwrite,orthedevelopershallprovide,amanagementapplicationthatquerieseithertheauditlogsorthemeasurements.TheevaluatorshallverifythattheresponsestothesequeriesaresignedandverifythesignaturesagainsttheTOE’scertificate.

FPT_TST_EXT.2/POSTKERNELTSFIntegrityChecking(Post-Kernel)FPT_TST_EXT.2.1/POSTKERNEL

TheTSFshallverifytheintegrityof[selection:allexecutablecode,[assignment:subsetofexecutablecode]]storedinmutablemediapriortoitsexecutionthroughtheuseof[selection:adigitalsignatureusinganimmutablehardwareasymmetrickey,animmutablehardwarehashofanasymmetrickey,animmutablehardwarehash,adigitalsignatureusingahardware-protectedasymmetrickey,hardware-protectedhash].

ApplicationNote:Allexecutablecodecoveredinthisrequirementisexecutedafterthekernelisloaded.

If"allexecutablecodeinmutablemedia"isverified,implementationinhardwareorinread-onlymemoryisanaturallogicalconsequence.

Atthistime,theverificationofsoftwareexecutedonotherprocessorsstoredinmutablemediaisnotrequired;however,itmaybeaddedinthefirstassignment.Ifallexecutablecode(includingbootloader(s),kernel,devicedrivers,pre-loadedapplications,user-loadedapplications,andlibraries)isverified,"allexecutablecodestoredinmutablemedia"shouldbeselected.


FPT_TST_EXT.2/POSTKERNEL:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsTheevaluationactivityshallbecompletedinconjunctionwithFPT_TST_EXT.2/PREKERNELforallexecutablecodespecified.

FPT_TUD_EXT.5ApplicationVerificationFPT_TUD_EXT.5.1

TheTSFshallbydefaultonlyinstallmobileapplicationscryptographicallyverifiedby[selection:abuilt-inX.509v3certificate,aconfiguredX.509v3certificate].

ApplicationNote:Thebuilt-incertificateisinstalledbythemanufacturereitherattimeofmanufactureorasapartofsystemupdates.TheconfiguredcertificateusedtoverifythesignatureissetaccordingtoFMT_SMF_EXT.1function33.


FPT_TUD_EXT.5:TSSTheevaluatorshallverifythattheTSSdescribeshowmobileapplicationsoftwareisverifiedatinstallation.Theevaluatorshallensurethatthismethodusesadigitalsignaturebyacodesigningcertificate.


TestsTest1:Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplication.Theevaluatorshalltrytoinstallthisapplicationwithoutadigitallysignatureandshallverifythatinstallationfails.Theevaluatorshallattempttoinstallanapplicationdigitallysignedwithanappropriatecertificate,andverifythatinstallationsucceeds.

Test2:Theevaluatorshalldigitallysigntheapplicationwithaninvalidcertificateandverifythatapplicationinstallationfails.TheevaluatorshalldigitallysigntheapplicationwithacertificatethatdoesnothavetheCodeSigningpurposeandverifythatapplicationinstallationfails.ThistestmaybeperformedinconjunctionwiththeEvaluationActivitiesforFIA_X509_EXT.1.

Test3:Ifnecessary,theevaluatorshallconfigurethedevicetolimitthepublickeysthatcansignapplicationsoftwareaccordingtotheAGDguidance.Theevaluatorshalldigitallysigntheapplicationwithacertificatedisallowedbythedeviceorconfigurationandverifythatapplicationinstallationfails.Theevaluatorshallattempttoinstallanapplicationdigitallysignedwithanauthorizedcertificateandverifythatapplicationinstallationsucceeds.

FPT_TUD_EXT.6TrustedUpdateVerificationFPT_TUD_EXT.6.1

TheTSFshallverifythatsoftwareupdatestotheTSFareacurrentorlaterversionthanthecurrentversionoftheTSF.

ApplicationNote:Alaterversionhasalargerversionnumber.Themethodfordistinguishingnewersoftwareversionsfromolderversionsisdeterminedbythemanufacturer.


FPT_TUD_EXT.6:TSSTheevaluatorshallverifythattheTSSdescribesthemechanismthatpreventstheTSFfrominstallingsoftwareupdatesthatareanolderversionthatthecurrentlyinstalledversion.


TestsTheevaluatorshallrepeatthefollowingteststocoverallallowedsoftwareupdatemechanismsasdescribedintheTSS.Forexample,iftheupdatemechanismreplacesanentirepartitioncontainingmanyseparatecodefiles,theevaluatordoesnotneedtorepeatthetestforeachindividualfile.

Test1:Theevaluatorshallattempttoinstallanearlierversionofsoftware(asdeterminedbythemanufacturer).Theevaluatorshallverifythatthisattemptfailsbycheckingtheversionidentifiersorcryptographichashesoftheprivilegedsoftwareagainstthosepreviouslyrecordedandcheckingthatthevalueshavenotchanged.

Test2:Theevaluatorshallattempttoinstallacurrentorlaterversionandshallverifythattheupdatesucceeds.

A.2.7Class:TOEAccess(FTA)

FTA_TAB.1DefaultTOEAccessBannersFTA_TAB.1.1

Beforeestablishingausersession,theTSFshalldisplayanadvisorywarningmessageregardingunauthorizeduseoftheTOE.

ApplicationNote:Thisrequirementmaybemetwiththeconfigurationofeithertextoranimagecontainingthetextofthedesiredmessage.TheTSFmustminimallydisplaythisinformationatstartup,butmayalsodisplaytheinformationateveryunlock.ThebannerisconfiguredaccordingtoFMT_SMF_EXT.1function36.


FTA_TAB.1:TSSTheTSSshalldescribewhenthebannerisdisplayed.


TestsTheevaluatorshallalsoperformthefollowingtest:

Test1:Theevaluatorfollowstheoperationalguidancetoconfigureanoticeandconsent

warningmessage.TheevaluatorshallthenstartuporunlocktheTSF.TheevaluatorshallverifythatthenoticeandconsentwarningmessageisdisplayedineachinstancedescribedintheTSS.

A.3Implementation-basedRequirements

A.3.1BluetoothIftheTOEincludesBluetoothhardware,thefollowingSFRsmustbeclaimed:IfthisisimplementedbytheTOE,thefollowingrequirementsmustbeincludedintheST:

FDP_UPC_EXT.1/BLUETOOTH

A.3.1.1Class:UserDataProtection(FDP)

FDP_UPC_EXT.1/BLUETOOTHInter-TSFUserDataTransferProtection(Bluetooth)FDP_UPC_EXT.1.1/BLUETOOTH

TheTSFshallprovideameansfornon-TSFapplicationsexecutingontheTOEtouse

BluetoothBR/EDRinaccordancewiththePP-ModuleforBluetooth,and[selection:

BluetoothLEinaccordancewiththePP-ModuleforBluetooth,nootherprotocol

]toprovideaprotectedcommunicationchannelbetweenthenon-TSFapplicationandanotherITproductthatislogicallydistinctfromothercommunicationchannels,providesassuredidentificationofitsendpoints,protectschanneldatafromdisclosure,anddetectsmodificationofthechanneldata.

ApplicationNote:IftheTOEincludesBluetoothhardware,thisrequirementmustbeincludedintheST.TheintentofthisrequirementisthatBluetoothBR/EDRandoptionallyBluetoothLEisavailableforusebyuserapplicationsrunningonthedeviceforuseinconnectingtodistant-endservicesthatarenotnecessarilypartoftheenterpriseinfrastructure.TheSTauthormustlistwhichtrustedchannelprotocolsareimplementedbytheMobileDeviceforusebynon-TSFapps.

TheTSFmustbevalidatedagainstrequirementsfromthePP-ModuleforBluetooth.ItshouldbenotedthattheFTP_ITC_EXT.1requiresthatallTSFcommunicationsbeprotectedusingtheprotocolsindicatedinthatrequirement,sotheprotocolsrequiredbythiscomponentride"ontopof"thoselistedinFTP_ITC_EXT.1.

FDP_UPC_EXT.1.2/BLUETOOTHTheTSFshallpermitthenon-TSFapplicationstoinitiatecommunicationviathetrustedchannel.


FDP_UPC_EXT.1/BLUETOOTH:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(protectionchannel)describedintheserequirements,andverifythattheAPIsimplementedtosupportthisrequirementincludetheappropriatesettings/parameterssothattheapplicationcanbothprovideandobtaintheinformationneededtoassuremutualidentificationoftheendpointsofthecommunicationasrequiredbythiscomponent.

TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthatallprotocolslistedintheTSSarespecifiedandincludedintherequirementsintheST.

GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsnecessaryforconfiguringtheprotocol(s)selectedforusebytheapplications.


Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestsprotectedchannelservicesbytheTSF.TheevaluatorshallverifythattheresultsfromtheprotectedchannelmatchtheexpectedresultsaccordingtotheAPIdocumentation.ThisapplicationmaybeusedtoassistinverifyingtheprotectedchannelEvaluationActivitiesfortheprotocolrequirements.Theevaluatorshallalsoperformthefollowingtests:

Test1:TheevaluatorsshallensurethattheapplicationisabletoinitiatecommunicationswithanexternalITentityusingeachprotocolspecifiedintherequirement,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Theevaluatorshallensure,foreachcommunicationchannelwithanauthorizedITentity,thechanneldataarenotsentinplaintext.

AppendixB-Selection-basedRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOEoritsunderlyingplatform)arecontainedinthebodyofthisPP.ThereareadditionalrequirementsbasedonselectionsinthebodyofthePP:ifcertainselectionsaremade,thenadditionalrequirementsbelowmustbeincluded.

B.1Class:CryptographicSupport(FCS)

FCS_CKM_EXT.7CryptographicKeySupport(REK)

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFCS_CKM_EXT.1.1.

FCS_CKM_EXT.7.1AREKshallnotbeabletobereadfromorexportedfromthehardware.

ApplicationNote:If"mutable-hardware"isselectedinFCS_CKM_EXT.1.1,FCS_CKM_EXT.7mustbeincludedintheST.Notethatif"immutable-hardware"isselectedinFCS_CKM_EXT.1.1itimplicitlymeetsFCS_CKM_EXT.7.

Thelackofapublic/documentedAPIforimportingorexporting,whenaprivate/undocumentedAPIexists,isnotsufficienttomeetthisrequirement.


FCS_CKM_EXT.7:TSSTheevaluationactivityforthiscomponentisperformedinconjunctionwiththeevaluationactivityforFCS_CKM_EXT.1.



B.2Class:UserDataProtection(FDP)

FDP_ACF_EXT.2AccessControlforSystemResources

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFDP_ACF_EXT.1.2.

FDP_ACF_EXT.2.1TheTSFshallprovideaseparate[selection:addressbook,calendar,keystore,accountcredentialdatabase,[assignment:listofadditionalresources]]foreachapplicationgroupandonlyallowapplicationswithinthatprocessgrouptoaccesstheresource.Exceptionsmayonlybeexplicitlyauthorizedforsuchsharingby[selection:theuser,theadministrator,noone].

ApplicationNote:If"groupsofapplications"isselectedinFDP_ACF_EXT.1.2,FDP_ACF_EXT.2mustbeincludedintheST.


FDP_ACF_EXT.2:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


Tests

Foreachselectedresource,theevaluatorshallcausedatatobeplacedintotheEnterprisegroup’sinstanceofthatsharedresource.TheevaluatorshallinstallanapplicationintothePersonalgroupthatattemptstoaccessthesharedresourceinformationandverifythatitcannotaccesstheinformation.

FDP_PBA_EXT.1StorageofCriticalBiometricParameters

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1.

FDP_PBA_EXT.1.1TheTSFshallprotecttheauthenticationtemplate[selection:usingaPINasanadditionalfactor,usingapasswordasanadditionalfactor,[assignment:othercircumstances]].

ApplicationNote:IfaBAFor"hybrid"isselectedinFIA_UAU.5.1,FDP_PBA_EXT.1.1mustbeincludedintheST.If"hybrid"isselectedinFIA_UAU.5.1,then"usingaPINasanadditionalfactor"or"usingapasswordasanadditionalfactor"mustbeselected.If"hybrid"isnotselectedinFIA_UAU.5.1,thentheauthenticationtemplatemustbesecuredbyothermeans,whichshouldbespecifiedintheassignment.Sincecompromisedauthenticationtemplatescanbeusedingeneratingpresentation/spoofattacks,itisimportanttoutilizesecuremethodsforprotectingthem.


FDP_PBA_EXT.1:TSSTheevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenduringbiometricauthentication.

TheevaluatorshallensurethattheauthenticationtemplateisprotectedeitherusingaPINorbyothersecuremeans,asspecifiedbythevendor.



B.3Class:IdentificationandAuthentication(FIA)

FIA_BMG_EXT.1AccuracyofBiometricAuthentication

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1.

FIA_BMG_EXT.1.1Theone-attemptBAFFalseAcceptRate(FAR)for[assignment:biometricmodalityselectedinFIA_UAU.5.1]shallnotexceed[assignment:claimedFARnogreaterthan1:100]withaone-attemptBAFFalseRejectRate(FRR)nottoexceed1in[assignment:claimedFRRnogreaterthan1:10].

ApplicationNote:IfaBAFor"hybrid"isselectedinFIA_UAU.5.1,FIA_BMG_EXT.1.1mustbeincludedintheST.TheassignmentmustbecompletedforeachbiometricmodalityselectedinFIA_UAU.5.1.IfmultiplebiometricmodalitiesareselectedinFIA_UAU.5.1,itisacceptableforeachmodalitytohaveadifferentFARandFRR.

TheFalseAcceptRate(FAR)isthemeasureofthelikelihoodthatthebiometricwillincorrectlyacceptanauthenticationattemptbyanunauthorizeduser.Asystem'sFARtypicallyisstatedastheproportionofverificationtransactionswithwrongfulclaimsofidentitythatareincorrectlyconfirmed.

TheFalseRejectRate(FRR)isthemeasureofthelikelihoodthatthebiometricsecuritysystemwillincorrectlyrejectanauthenticationattemptbyanauthorizeduser.Asystem'sFRRtypicallyisstatedastheproportionofverificationtransactionswithtruthfulclaimsofidentitythatareincorrectlydenied.

Pleasenotethatwithouttheuseofhybridauthentication,multipleauthenticationattemptsforaBAFthatisclaimedtohaveaone-attemptFARbetween1:100and1:500inclusivewillnotproduceanacceptableSAFARinmeetingFIA_BMG_EXT.1.2.Moregenerally,dependingonthenumberofauthenticationattemptsallowedfortheBAF,theclaimedFARmustbestrong(orequivalently,low)enoughsothattheSAFARchoseninFIA_BMG_EXT.1.2canbemetwithinthe1%marginmandated.

Generallytestingenvironmentsforabiometricsysteminamobiledevicearebasedonasinglelegitimateuserenrollingandtestsubjectsattempttoauthenticate.SinceathoroughevaluationforFARandFRRmeetingalltheconditionsofstatisticalindependenceisnotfeasibleinthetimeframeofCCevaluationsandinagreementwithISO/IEC19795,theuseofofflinetestingisacceptableevenifthiscausesthebiometricsystemtodeviateslightlyfromtheevaluatedconfiguration.Additionally,fullcross-comparison(i.e.alltestsubjectsarecomparedtonon-self)isacceptable.

Detailedexplanationscorrespondingtothetestingenvironmentsthatareacceptable,toincludethenumberoftrialsneeded,canbefoundinSectionG.1ExperimentalSetupsAndErrorBarsInTestingFARAndFRR.

FIA_BMG_EXT.1.2TheoverallSystemAuthenticationFalseAcceptRate(SAFAR)shallbenogreaterthan1in[assignment:aSAFARnogreaterthan1:500]withina1%margin.

ApplicationNote:IfaBAFor"hybrid"isselectedinFIA_UAU.5.1,FIA_BMG_EXT.1.2mustbeincludedintheST.

SystemAuthenticationFalseAcceptRate(SAFAR)isdefinedbythecombinationofindividualerrorratesforeachauthenticationfactorandattemptsusedforaccesstoasinglesessiononthedevice.

Accessingasinglesessionmayinvolveasingleauthenticationfactor,inwhichcasetheSAFARforasingleattemptwillbeequaltothefalseacceptrate(FAR)ofthatauthenticationfactorandtheSAFARfornattemptswillbe

,assumingindependence.

Accessingasinglesessiononthedevicemayinvolvetheabilitytousemultipleauthenticationfactors.Itmaybethecasethatonlyoneauthenticationfactorisneededtoaccessasinglesessiononthedevice(i.e.bothapasswordandaBAFcanbeused,butonlyoneisneeded)orthatbothauthenticationfactorsareneededtoaccessasinglesessiononthedevice(i.e.boththeBAFandaPINmustbeentered).ThefullequationsforcalculatingtheSAFARcanbefoundinSectionG.3SAFARCalculationEquations.Afullyworked-outexamplethatappliestheequationsinSectionG.3SAFARCalculationEquationsforcalculatingtheSAFARcanbefoundinSectionG.4SAFARCalculationExample.

Theworst-casescenariomustbeusedtocalculatetheSAFAR.ThustheauthenticationfactorwiththehighestFARmustbeusedforthemaximumnumberofauthenticationattemptsallowedforthatfactor.Ifanyauthenticationattemptsremain,thentheauthenticationfactorwiththesecondhighestFARisusedforthemaximumnumberofauthenticationattemptsallowedforthatfactorandsoon.Forexample,theTOEsupportsapasswordandaBAF,theFARfortheBAFishigherthantheFARforthepasswordandeachauthenticationfactorutilizesasharedcounterperFIA_AFL_EXT.1.Thentheworst-casescenarioistheBAFisutilizedforthemaximumnumberofauthenticationattemptsallowedfortheBAF.Foranyremainingauthenticationattemptsallowedthepasswordisutilized.

AnotherexampleistheTOEsupportsapasswordandtwoBAFs,wheretheBAFshavedifferentFARs,withbothFARsbeinghigherthanthepasswordFAR.Thentheworst-casescenarioisthattheBAFwiththehighestFARisusedforthemaximumnumberofauthenticationattemptsallowedforthatBAF,followedbythesecondBAFifanyauthenticationattemptsareallowedforthatBAF.Ifanyauthenticationattemptsremain,thenthepasswordisutilizedforthoseattempts.

The1%marginisincludedforcaseswhereaBAFisnotacriticalauthenticationfactorandthusbothBAFandpasswordcanbeusedinasessionwithoutexceedingthedeclaredSAFAR.


FIA_BMG_EXT.1:

TSSTheevaluatorshallverifythattheTSScontainsevidencesupportingthetestingandcalculationscompletedtodeterminetheFARandFRR.AppendixG-BiometricDerivationandExamplesprovidesguidancetohowthistestingcouldbecompletedandtowhaterrorbarsareexpectedwhentheRuleof3isapplied.TheevaluatorshallconsultAppendixG-BiometricDerivationandExamplesasareference,butshouldnottreatitasamandate.TheevaluatorshallverifythattheTSScontainsevidenceofwhetheronlineorofflinetestingwasused.Ifofflinetestingwascompleted,evidencedescribingthedifferencesbetweenthebiometricsystemusedfortestingandtheTOEintheevaluatedconfiguration,ifanymustbeincluded.

ThefollowingdocumentationisnotrequiredtobepartoftheTSS-itmaybesubmittedasaseparateproprietarydocument.Theevaluatorshallverifytheevidenceincludeshowmanyimposterswereusedfortestingandthatthetestingdescribeshowimpostersarecomparedtoenrolledusers,forexample,ifmultipledevicesforonlinetestingorfullcross-comparisonforofflinetestingwasused.AdequatedocumentationisrequiredtodemonstratethattestingwascompletedtosupporttheclaimedFARandFRR.


TestsTherearenotestevaluationactivitiesforthiselement.TSSTheevaluatorshallverifythattheTSSindicateswhichSAFARtheTOEistargetingandcontainsevidencesupportingthecalculations,perSectionG.3SAFARCalculationEquations,completedtodeterminetheSAFAR.TheevaluatorshallverifythattheTSScontainsevidenceofhowtheauthenticationfactorsinteract,perFIA_UAU.5.2andFIA_AFL_EXT.1.TheevaluatorshallverifythattheTSS,containsthecombination(s)ofauthenticationfactorsneededtomeettheSAFAR,andthenumberofattemptsforeachauthenticationfactortheTOEisconfiguredtoallow.AdequatedocumentationisrequiredtodemonstratethecalculationscompletedtosupporttheclaimedSAFAR.



B.4Class:ProtectionoftheTSF(FPT)

FPT_TST_EXT.3TSFIntegrityTesting

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1.

FPT_TST_EXT.3.1TheTSFshallnotexecutecodeifthecodesigningcertificateisdeemedinvalid.

ApplicationNote:Certificatesmayoptionallybeusedforcodesigningforintegrityverification(FPT_TST_EXT.2.1/PREKERNEL).If"codesigningforintegrityverification"isselectedinFIA_X509_EXT.2.1,FPT_TST_EXT.3.1mustbeincludedintheST.

Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.


FPT_TST_EXT.3:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsTestingforthiselementisperformedinconjunctionwiththeEvaluationActivitiesfor

FPT_TST_EXT.2.1/PREKERNEL.

FPT_TUD_EXT.4TrustedUpdateVerification

Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1,FIA_X509_EXT.2.1.

FPT_TUD_EXT.4.1TheTSFshallnotinstallcodeifthecodesigningcertificateisdeemedinvalid.

ApplicationNote:Certificatesmayoptionallybeusedforcodesigningofsystemsoftwareupdates(FPT_TUD_EXT.2.3)andofmobileapplications(FPT_TUD_EXT.5.1).ThiselementmustbeincludedintheSTifcertificatesareusedforeitherupdateelement.Ifeither"codesigningforsystemsoftwareupdates"or"codesigningformobileapplications"isselectedinFIA_X509_EXT.2.1,FPT_TUD_EXT.4.1mustbeincludedintheST.

Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.


FPT_TUD_EXT.4:TSSTherearenoTSSevaluationactivitiesforthiscomponent.


TestsTestingforthiselementisperformedinconjunctionwiththeEvaluationActivitiesforFPT_TUD_EXT.2andFPT_TUD_EXT.5.

AppendixC-ImplicitlySatisfiedRequirementsThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisProtectionProfile.However,theserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainsttheProtectionProfileprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.

Requirement RationaleforSatisfaction

FAU_SEL.1-SelectiveAudit

FAU_SEL.1hasadependencyonFMT_MTD.1sinceconfigurationofauditdataisasubsetofmanagingTSFdata.ThisdependencyismetbytheextendedSFRFMT_SMF_EXT.1,whichdefines"configuretheauditableitems"asamanagementfunctionandspecifiestherolesthatmayperformthis,consistentwithhowFMT_MTD.1wouldtypicallysatisfythedependency.

FCS_CKM.1-CryptographicKeyGeneration

FCS_CKM.1hasadependencyonFCS_CKM.4forthesubsequentdestructionofanykeysthattheTSFgenerates.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurpose.

FCS_CKM.1-CryptographicKeyGeneration

FCS_CKM.1hasadependencyonFCS_CKM.4forthesubsequentdestructionofanykeysthattheTSFgenerates.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurposeasitsCCPart2equivalent.

FCS_CKM.2-CryptographicKeyEstablishment

BothiterationsofFCS_CKM.2haveadependencyonFCS_CKM.4forthesubsequentdestructionofanykeysthattheTSFestablishes.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurposeasitsCCPart2equivalent.

FCS_COP.1-CryptographicOperation

AlliterationsofFCS_COP.1haveadependencyonFCS_CKM.4forthesubsequentdestructionofanyresidualkeymaterialtheTSFcreatesaspartoftheoperation.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurposeasitsCCPart2equivalent.

FIA_UAU.7-ProtectedAuthenticationFeedback

FIA_UAU.7hasadependencyonFIA_UAU.1sinceprotectedauthenticationfeedbackisnotpossiblewithoutanauthenticationmechanism.ThisdependencyismetbytheextendedSFRFIA_UAU_EXT.1,whichservesthesamepurposeasitsCCPart2equivalent.

AppendixD-EntropyDocumentationAndAssessmentThedocumentationoftheentropysourceshouldbedetailedenoughthat,afterreading,theevaluatorwillthoroughlyunderstandtheentropysourceandwhyitcanbereliedupontoprovideentropy.Thisdocumentationshouldincludemultipledetailedsections:designdescription,entropyjustification,operatingconditions,andhealthtesting.ThisdocumentationisnotrequiredtobepartoftheTSS.

D.1DesignDescriptionDocumentationshallincludethedesignoftheentropysourceasawhole,includingtheinteractionofallentropysourcecomponents.Itwilldescribetheoperationoftheentropysourcetoincludehowitworks,howentropyisproduced,andhowunprocessed(raw)datacanbeobtainedfromwithintheentropysourcefortestingpurposes.Thedocumentationshouldwalkthroughtheentropysourcedesignindicatingwheretherandomcomesfrom,whereitispassednext,anypost-processingoftherawoutputs(hash,XOR,etc.),if/whereitisstored,andfinally,howitisoutputfromtheentropysource.Anyconditionsplacedontheprocess(e.g.,blocking)shouldalsobedescribedintheentropysourcedesign.Diagramsandexamplesareencouraged.

Thisdesignmustalsoincludeadescriptionofthecontentofthesecurityboundaryoftheentropysourceandadescriptionofhowthesecurityboundaryensuresthatanadversaryoutsidetheboundarycannotaffecttheentropyrate.

Ifimplemented,thedesigndescriptionshallincludeadescriptionofhowthird-partyapplicationscanaddentropytotheRBG.AdescriptionofanyRBGstatesavingbetweenpower-offandpower-onshallbeincluded.

D.2EntropyJustificationThereshouldbeatechnicalargumentforwheretheunpredictabilityinthesourcecomesfromandwhythereisconfidenceintheentropysourceexhibitingprobabilisticbehavior(anexplanationoftheprobabilitydistributionandjustificationforthatdistributiongiventheparticularsourceisonewaytodescribethis).ThisargumentwillincludeadescriptionoftheexpectedentropyrateandexplainhowyouensurethatsufficiententropyisgoingintotheTOErandomizerseedingprocess.Thisdiscussionwillbepartofajustificationforwhytheentropysourcecanbereliedupontoproducebitswithentropy.

Theentropyjustificationshallnotincludeanydataaddedfromanythird-partyapplicationorfromanystatesavingbetweenrestarts.

D.3OperatingConditionsDocumentationwillalsoincludetherangeofoperatingconditionsunderwhichtheentropysourceisexpectedtogeneraterandomdata.Itwillclearlydescribethemeasuresthathavebeentakeninthesystemdesigntoensuretheentropysourcecontinuestooperateunderthoseconditions.Similarly,documentationshalldescribetheconditionsunderwhichtheentropysourceisknowntomalfunctionorbecomeinconsistent.Methodsusedtodetectfailureordegradationofthesourceshallbeincluded.

D.4HealthTestingMorespecifically,allentropysourcehealthtestsandtheirrationalewillbedocumented.Thiswillincludeadescriptionofthehealthtests,therateandconditionsunderwhicheachhealthtestisperformed(e.g.,atstartup,continuously,oron-demand),theexpectedresultsforeachhealthtest,andrationaleindicatingwhyeachtestisbelievedtobeappropriatefordetectingoneormorefailuresintheentropysource.

AppendixE-UseCaseTemplatesThefollowingusecasetemplateslistthoseselections,assignments,andobjectiverequirementsthatbestsupporttheusecasesidentifiedbythisProtectionProfile.NotethatthetemplatesassumethatallSFRslistedinSection5.1SecurityFunctionalRequirementsareincludedintheST,notjustthoselistedinthetemplates.ThesetemplatesanddeviationsfromthetemplateshouldbeidentifiedintheSecurityTargettoassistcustomerswithmakingrisk-basedpurchasingdecisions.ProductsthatdonotmeetthesetemplatesarenotprecludedfromuseinthescenariosidentifiedbythisProtectionProfile.

Severaloftheusecasestemplatesincludeobjectiverequirementsthatarestronglydesiredfortheindicatedusecases.Readerscanexpectthoserequirementstobemademandatoryinafuturerevisionofthisprotectionprofile,andindustryshouldaimtoincludethatsecurityfunctionalityinproductsinthenear-term.

Whereselectionsforaparticularrequirementarenotidentifiedinausecasetemplate,allavailableselectionsareequallyapplicabletotheusecase.

E.1[USECASE1]Enterprise-owneddeviceforgeneral-purposeenterpriseuseTable10:Enterprise-OwnedTemplate

Requirement Action

FCS_STG_EXT.1.4 Donotselect"theuser."

FMT_MOF_EXT.1.2Function21 IncludeintheST.

FMT_MOF_EXT.1.2Function25 IncludeinST.AssignpersonalHotspotconnections(iffeatureexists).

FMT_MOF_EXT.1.2Function36 IncludeinST.

FMT_MOF_EXT.1.2Function39 IncludeinST.Select"USBMassstoragemode."

FMT_MOF_EXT.1.2Function41 IncludeinST.Select"USBtethering."

FMT_SMF_EXT.1.1Function25 IncludeinST.AssignpersonalHotspotconnections(iffeatureexists).

FMT_SMF_EXT.1.1Function36 IncludeinST.

FMT_SMF_EXT.1.1Function39 IncludeinST.Select"USBMassstoragemode."

FMT_SMF_EXT.1.1Function41 IncludeinST.Selectbothoptions.

FPT_BBD_EXT.1.1 IncludeinST.

FPT_TST_EXT.2.1/POSTKERNEL IncludeinSTandSelect"allexecutablecodestoredinmutablemedia."

FPT_TUD_EXT.5.1 IncludeinST.

FTA_TAB.1.1 IncludeinST.

E.2[USECASE2]Enterprise-owneddeviceforspecialized,high-securityuseTable11:HighSecurityTemplate

Requirement Action

FCS_CKM.1.1 SelectRSAwithkeysizeof3072orselectECCschemes.

FCS_CKM.2.1/UNLOCKED SelectECCschemes,ifECCschemesareselectedinFCS_CKM.1.1.

FCS_CKM.2.1/LOCKED Select"RSAschemes"orselect"ECCschemesthatmeetNISTSP800-56ARevision3".

FCS_CKM_EXT.1.1 If"symmetric"isselectedthen"256bits"mustbeselected.If"asymmetric"isselectedandRSAschemeisselectedinFCS_CKM.1.1then"128bits"canbeselected.If"asymmetric"isselectedandECCschemeisselectedinFCS_CKM.1.1,then"192bits"canbeselected.

FCS_CKM_EXT.2.1 Select256bits.

FCS_CKM_EXT.3.1 IfasymmetricKEKsisselectedandRSAschemeisselectedinFCS_CKM.1.1thenassign128bitssecuritystrength.IfasymmetricKEKsisselectedandECCschemeisselectedinFCS_CKM.1.1thenassign192bitssecuritystrength.IfsymmetricKEKsisselected,select256bitsecuritystrength.

FCS_COP.1.1/ENCRYPT Select256bits.

FCS_COP.1.1/HASH SelectSHA-384.

FCS_COP.1.1/SIGN Assignakeysizeof3072forRSAorselectECDSAschemes.

FCS_COP.1.1/CONDITION Select256bits.

FCS_RBG_EXT.1.2 Select256bits.

FCS_TLSC_EXT.1.1(TLSPackage)

SelectTLS_RSA_WITH_AES_256_GCM_SHA384orTLS_ECDHE_ECDSA_WITHAES_256_GCM_SHA384.

FCS_TLSC_EXT.2.1(TLSPackage)

Selectsecp384r1,ifincludedinST(ifECCschemesareselectedinFCS_CKM.1.1).

FDP_DAR_EXT.1.2 Select256bits.

FIA_X509_EXT.2.2 Selecteither"allowtheadministratortochoose..."or"notacceptthecertificate".

FMT_MOF_EXT.1.2Function3

IncludeinST.


AssignallradiosonTSF.


AssignallaudioorvisualcollectiondevicesonTSF.


IncludeinST.


IncludeinST.


IncludeinST.


IncludeinST(ifIPsecisselectedinFTP_ITC_EXT.1).

FMT_SMF_EXT.1.1Function12

AssignallX.509v3certificatesintheTrustAnchorDatabase.


Select"f.allnotifications".


IncludeinST.AssignatleastUSB.


IncludeinST.AssignallprotocolswheretheTSFactsasaserver.


IncludeinST.

FMT_SMF_EXT.2.1 Select"wipeofprotecteddata"and"wipeofsensitivedata".

FAU_SAR.1.1 IncludeinST.

FAU_SAR.1.2 IncludeinST.

FAU_SEL.1.1 IncludeinST.Select"eventtype","successofauditablesecurityevents",and"failureofauditablesecurityevents".

FCS_SRV_EXT.2.1 IncludeinST.

FPT_AEX_EXT.5.1 IncludeinST.

FPT_AEX_EXT.5.2 IncludeinST.

FPT_BBD_EXT.1.1 IncludeinST.

FTA_TAB.1.1 IncludeinST.

E.3[USECASE3]Personally-owneddeviceforpersonalandenterpriseuseTable12:BYODTemplate

Requirement Action

FMT_SMF_EXT.1.1Function3 Select"b.onaper-appbasis","c.onaper-groupsofapplicationbasis"orboth

FMT_SMF_EXT.1.1Function5 Select"b.onaper-appbasis","c.onaper-groupsofapplicationbasis"orboth


IncludeinST.


IncludeinST.


IncludeinST(M-M-)

FMT_SMF_EXT.2.1 Select"RemoveEnterpriseApplications"

FDP_ACF_EXT.1.2 Select"GroupsofApplications"

FDP_ACF_EXT.2.1 IncludeinST.

E.4[USECASE4]Personally-owneddeviceforpersonalandlimitedenterpriseuseAtthistimenorequirementsorselectionsarerecommendedforthisusecase.

AppendixF-InitializationVectorRequirementsforNIST-ApprovedCipherModesTable13:ReferencesandIVRequirementsforNIST-approvedCipherModes

CipherMode Reference IVRequirements

ElectronicCodebook(ECB) SP800-38A

NoIV

Counter(CTR) SP800-38A

"InitialCounter"shallbenon-repeating.Nocountervalueshallberepeatedacrossmultiplemessageswiththesamesecretkey.

CipherBlockChaining(CBC) SP800-38A

IVsshallbeunpredictable.RepeatingIVsleakinformationaboutwhetherthefirstoneormoreblocksaresharedbetweentwomessages,soIVsshouldbenon-repeatinginsuchsituations.

OutputFeedback(OFB) SP800-38A

IVsshallbenon-repeatingandshallnotbegeneratedbyinvokingthecipheronanotherIV.

CipherFeedback(CFB) SP800-38A

IVsshouldbenon-repeatingasrepeatingIVsleakinformationaboutthefirstplaintextblockandaboutcommonsharedprefixesinmessages.

XEX(XOREncryptXOR)TweakableBlockCipherwithCiphertextStealing(XTS)

SP800-38E

NoIV.Tweakvaluesshallbenon-negativeintegers,assignedconsecutively,andstartingatanarbitrarynon-negativeinteger.

Cipher-basedMessageAuthenticationCode(CMAC)

SP800-38B

NoIV

KeyWrapandKeyWrapwithPadding

SP800-38F

NoIV

CounterwithCBC-MessageAuthenticationCode(CCM)

SP800-38C

NoIV.Noncesshallbenon-repeating.

GaloisCounterMode(GCM) SP800-38D

IVshallbenon-repeating.ThenumberofinvocationsofGCMshallnotexceed foragivensecretkeyunlessanimplementationonlyuses96-bitIVs(defaultlength).

AppendixG-BiometricDerivationandExamplesG.1ExperimentalSetupsAndErrorBarsInTestingFARAndFRR

G.1.1IntroductionForthepurposesofthisPP,FIA_BMG_EXT.1requirestestingforFAR,FRRandSAFARifaBAFisincludedintheTOE.InthisversionofthePPitisexpectedthatthevendorwillprovideevidencetotheevaluatorofthetestingcompletedtosupporttheclaimedFARandFRR.ThisAppendixprovidesaguidetohowthistestingcouldbedoneandtowhaterrorbarsareexpectedwhentheRuleof3isapplied.ThisguideshouldbetreatedasareferenceandnotasaNIAPmandate,requirement,orsetofmandatesorrequirements.

G.1.2TestingenvironmentthatcouldmeetFIA_BMG_EXT.1.1InperformingtestsforFARandFRR,ISO/IEC19795-1recommendsthatvendorsortestinglabsusethelargesttestpopulationthatcanbereasonablymanaged.Generally,testingenvironmentsformobiledevicesarebaseduponindividualdeviceswiththeirownlocalauthenticationtemplates/profileswherethesubmittedbiometricsamplesaredestroyedaftersubmission.ItisinfeasibletomeetthegiventimeframeforCCevaluationsofmobiledevicesifofflinetestingisnotsupported.Eitheronlineorofflinetestingisacceptable.ThenumberoftestsubjectsneededtosupportaclaimedFARandFRR,willdependonifonlineorofflinetestingisusedduetohowthesubjectsarecompared.

Ifonlinetestingisutilized,itisexpectedthatthetestingisconducteddirectlyontheTOE.ThelegitimateuserwillenrollontheTOEandalltestsubjectswillbecomparedtoonlythelegitimateuser.ThusifthetargetFARis1:100,atleast300independentsamplesshallbeusedcorrespondingto300usersandatleast300independenttrialsarerequiredintestingthisFAR.ItisacceptablethatmultipleTOEs,eachwithadifferentlegitimateuser,couldbeusedtoreducethenumberoftestsubjectsneededforonlinetesting.Withtheassumptionthatthetestsubjectsarecomparedagainstalllegitimateusersandnolegitimateusersarecountedastestsubjects,ifNDdevicesareused,thenumberoftestsubjectsneededcanbedividedbyND.

Ifofflinetestingisused,itisexpectedthatthebiometricsystemusedfortestingwillnotbeintheevaluatedconfigurationoftheTOEtoallowforafullcross-comparison,inwhichthebiometricsamplefromthetestsubjectsiscomparedwitheverynon-selftemplate.Itisexpected,thatthebiometricsystemusedfortestingwillcollectsamplesandgeneratetemplatesexactlythesameasthebiometricsystemintheTOE.However,eventhoughthecomparisontodetermineifavalidsampleisprovided(i.e.matchingalgorithm)shouldremainthesame,itisacceptableifthebiometricsystemismodifiedtocompleteafullcross-comparison.PerISO/IEC19795,thesecomparisonswillnotbestatisticallyindependent,butthisapproachisstatisticallyunbiased.Additionally,offlinetestingwithafullcross-comparisongreatlyreducesthenumberoftestsubjectsneeded.IfthereareNUusers,thenumberofavailableindividualindependentcomparisonswillbeNU*(NU-1)/2.ThusifthetargetFARis1:10000,only246testsubjectsareneededifofflinetestingofafullcross-comparisonisused.

G.1.3DerivingFalseAcceptRateToexpediteapprovalwhilemaintainingastatisticallyvalidresult,itisrequiredforthevendororindependentlabtoperformtestingusingthreetimesthesamplesize,ataminimum,i.e.the"Ruleof3"forthenumberoftrials.

Threetimesthesamplesizecorrespondsto90%confidenceandc=0.95(rounded,worst-case),wherecisapercentage/fractionoftheintendedfalseerrorrate(eitherFARorFRR)forwhichtheerrorbariscalculated.

TheparametersassociatedwiththeRuleof3arederivedbytreatingabiometrictest,consistingofmanycomparisons,asaseriesofBernoullitrials.

Asshowninthetablesbelow,theerrorbarmaybelargeifahigherfalseerrorrateisdeclared.

Thetablebelowassumesonlinetestingusingasingledevice,thusasinglelegitimateuser.

Table14:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneededforonlinetesting,givenRuleof3

FalseErrorRate

Falseerrorrates,90%confidence,c=0.95

Numberoferrors(rounded)

Numberoftestsubjectsneeded

1%(1:100) 1%±0.95% 3 297

0.1%(1:1000) 0.1%±0.095% 3 2995

0.01%(1:10000)

0.01%±0.0095% 3 29977

0.001%(1:100000)

0.001%±0.00095% 3 299797

0.0001% 0.0001%±0.000095% 3 2997998

(1:1000000)

ThetablebelowassumesthatNDdevicesareusedforonlinetesting.

Table15:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneededforonlinetestingwithNDdevices,givenRuleof3

FalseErrorRate




1%(1:100) 1%±0.95% 3 297/ND

0.1%(1:1000) 0.1%±0.095% 3 2995/ND

0.01%(1:10000)

0.01%±0.0095% 3 29977/ND

0.001%(1:100000)

0.001%±0.00095% 3 299797/ND

0.0001%(1:1000000)

0.0001%±0.000095% 3 2997998/ND

Thetablebelowassumesofflinetestingusingafullcross-comparison.

Table16:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneededforofflinetestingandfullcross-comparison,givenRuleof3

FalseErrorRate




1%(1:100) 1%±0.95% 3 25

0.1%(1:1000) 0.1%±0.095% 3 78

0.01%(1:10000)

0.01%±0.0095% 3 246

0.001%(1:100000)

0.001%±0.00095% 3 776

0.0001%(1:1000000)

0.0001%±0.000095% 3 2450

G.1.4DerivingFalseRejectRateAswithFalseAcceptRate,itisrequiredforthevendororlabtoperformtestingusingthreetimesthesamplesize,ataminimum,i.e.the"Ruleof3".Threetimesthesamplesizecorrespondsto90%confidenceandc=0.95(rounded,worst-case),wherecisapercentage/fractionoftheintendedfalseerrorrate(eitherFARorFRR)forwhichtheerrorbariscalculated.

Asshowninthetablebelow,theerrorbarmaybelargeifahigherfalseerrorrateisdeclared:

Table17:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneeded,givenRuleof3

FalseErrorRate




10%(1:10) 10%±9.5% 3 27

5%(1:20) 5%±4.75% 3 57

2%(1:50) 2%±1.9% 3 147

1%(1:100) 1%±0.95% 3 297

G.2DerivationoftheRuleof3(andsimilarrules,forcompleteness)AbiometrictestcanbetreatedasaseriesofBernoullitrialsforwhichabinomialdistributionofthenumber

ofsuccessesandfailuresisassumed.Whencalculatinganerrorintervalforwhichabinomialdistributionisassumed,oneconfidenceinterval(denotedIconf)thatiswidelyusedisthestandardWaldinterval,expressedinEquation(1)as:

wherep=X/nisthesampleproportionofsuccesses(orerrorinthiscase),zα/2isthe100(1–α/2)thpercentileofthestandardnormaldistribution,andnisthenumberoftrials.

AlthoughintervalssuchastheWilson,Agresti-Coull,andJeffreysintervalsarerecommendedbyBrownetal.,biometricstestinginpracticerestsonthederivationoftheRuleof30basedontheWalddistribution[BROWN].However,becauseofthelargesamplesize,numberoftestsubjects,andnumberoftrialsrequiredfortheRuleof30,thisPPmandatestheRuleof3tomaketestingmorefeasible.

Insimplerform,thisreferstoaconfidenceintervalwitherrorEexpressedas:

Rearrangingtheequationtoexpressthenumberoftrials,n,intermsoferrorE,thisexpressionbecomes:

Inpractice,Eisexpressedasaproportionoftheerrorprobabilityas:

Thus,nfinallybecomes:

Fora90%confidenceinterval,zα/2=1.6449,whilefora95%confidenceinterval,zα/2=1.96.

Thusitiseasytoseethatfora90%confidenceintervalwithc=0.95:

whichconfirmstheruleof3andcompletesourderivation.

G.3SAFARCalculationEquationsAnumberofequationscanbeusedincalculatingSAFAR.Afully-workedexamplethatappliestheequationsbelowcanbefoundinSectionG.4SAFARCalculationExample.

TheSAFARforasingleauthenticationfactoriscalculatedas .

ThusletSAFARibetheSAFARfortheithauthenticationfactorwhereniisthenumberofauthenticationattemptsallowedforthegivenfactor,treatedindividuallyasaseparateauthenticationsystem,whichcanbeexpressedas

assumingeachattemptisindependent.

Ifmultipleauthenticationfactorsarerequired(withalltopass),i.e.passwordplusbiometricfactor,theSAFARforasingleattemptwillbetheproductofeachindividualfactor’sfalseacceptrate,assumingeachattemptisindependent.

Thus,forahybridcombinationofmPIN/passwordandbiometricfactors(denotedwithindexj)withniattemptsallowed,treatedcollectivelyasanindividualauthenticationfactorinaseparateauthenticationsystem,theSAFARcanbeexpressedas:

assumingeachattemptisindependent.BecausethisiscurrentlyassociatedwithaPIN/passwordandbiometrics,m=2inthiscase.

Whenordered,letSAFAR(k)betheSAFARfortheauthenticationfactorwiththelargestSAFAR,andSAFAR(1)betheSAFARfortheauthenticationfactorwiththesmallestSAFAR,i.e.SAFAR(1)≤SAFAR(s)≤…≤SAFAR(k-1)≤SAFAR(k).

Assuch,thefollowingequationsforSAFARutilizingmultiplefactorsfollow(usingtheworstSAFARs):

Iftheuserhasachoiceofmultipleauthenticationfactorswithachoiceofonlyoneauthenticationfactorinagivensession(i.e.allauthenticationfactorsareconsideredcriticalandausercannotswitchbetweenauthenticationfactors),theoverallSAFARwillbeequaltoSAFAR(k),assumingeachattemptisindependent.

Iftheuserhasachoiceofmultipleauthenticationfactorsandcanchoosetoattemptauthenticationusingmorethanonefactorwithsuccessrequiringanyfactortopassandniattemptsallowedperfactor)foragivensession,theSAFARforkavailableauthenticationfactorswillbe

assumingeachattemptisindependent.Iftherearecriticalfactors,thehighestSAFARcorrespondingtotheworst-casesetofchoicesshallbereported.

Iftheuserhasthechoiceofanumberofauthenticationfactorsfromwhichtheusermustchoosemfactors,allofwhichmustpasswithnattemptsperfactorallowed,theSAFARforasinglecombinationofmfactorswillbe

assumingeachattemptisindependent.Ifm<kavailablefactors,theworst-caseofall combinationsoffactorsbecomestheoverallSAFAR.

G.4SAFARCalculationExamplePasswordandfingerprintauthenticationexample:

Supposetheoverallauthenticationsystemconsistsoftwoauthenticationfactors:afourcharacterpasswordfactorallowingfortenattemptsandafingerprintbiometricfactorwithanFARof1:1000allowingforfiveattempts.

Passwordsutilizetheminimumcharactersetof63characters,plusoneadditionalacceptedcharacter,makingit64.Assumeeachattemptisindependent.

a. WhatistheSAFARofeachindividualauthenticationfactor,treatedseparately?b. Iftheusercanonlyauthenticateusingasingleauthenticationfactor,assumingallauthenticationfactors

availablearecriticalandthereisnopossibilityfortheusertoswitchbetweenauthenticationfactors,whatistheoverallSAFAR?

c. Iftheusercanauthenticateusinganyauthenticationfactorinanauthenticationsession,andnoneareconsideredcriticalfactors,whatistheoverallSAFAR?

d. Iftheconditionsarethesameasinc)butpasswordisnowacriticalauthenticationfactorthatwillcauseadevicewipe,whatistheoverallSAFAR?

e. Ifthepasswordfactorandfingerprintbiometricfactorarebothrequiredwiththenumberofattemptsforfingerprintincreasedtoten,whatistheoverallSAFAR?Whatistheriskifauthenticationfeedbackisprovidedforeachmodality(i.e.fingerprintfailedorpasswordfailed)?

f. f)Ifthepassword/PINfactorandfingerprintbiometricfactorarebothcombinedintoahybridfactor(bothmustbeusedandtheonlyauthenticationfeedbackallowedisvalidloginorinvalidlogin)forentrywithtenattemptsallowedforthehybridfactor,whatistheoverallSAFAR?Whyisthisscenariomoresecurethane)?

Solution:

a. TheSAFARforafour-characterpasswordallowingfortenattempts,utilizinga64characterset,is:

TheSAFARforafingerprintbiometricfactorwithanFARof1:1000,allowingforfiveattempts,is:

$$SAFAR_{\left(fingerprint|5attempts\right)}=1-\left(1-FAR\right)^{attempts}

SAFAR_{\left(fingerprint|5attempts\right)}=1-\left(1-10^{-3}\right)^{5}=4.990*10^{-3}\left(rounded\right)$$

b. Iftheuserisonlyallowedtopickonefactor,theoverallSAFARisthatoftheweakestone,whichis

c. Iftheusercanauthenticateusinganyauthenticationfactorinanauthenticationsession,theoverallSAFARis:

d. Iftheconditionsarethesameasinc)butwithpasswordasacriticalfactor,theworst-casescenarioisthesameasinc)inthatthepasswordfactorispickedlast,thus

e. Ifpasswordandfingerprintarenowrequiredfactors,theSAFARforfingerprinthastoberecalculatedfortenattempts:

SincetheSAFARforpasswordwithtenattemptsallowedisknown,itthenfollowsthat:

Theriskofprovidingauthenticationfeedbackisthatifeitherauthenticationfactoriscompromised,thesamesamplecanthenbeusedbytheadversaryforeveryauthenticationafter,thusreducingtheSAFARforthesystemtothatoftheotherauthenticationfactor.

f. Ifpassword/PINandfingerprintarenowcombinedintoasinglehybridfactor,theSAFARisasfollows:

Thisismoresecurethane)becausenotonlyaretherelessattemptsoverallbeforethemaximumcountisexceeded(10insteadof20),theadversarywouldnotknowifasamplesubmittedforeitherfactorresultsinauthenticationunlessthepresentationofbothfactorsresultsinsuccessfulauthentication.

AppendixH-AcknowledgementsThisprotectionprofilewasdevelopedbytheMobilityTechnicalCommunitywithrepresentativesfromindustry,U.S.Governmentagencies,CommonCriteriaTestLaboratories,andinternationalCommonCriteriaschemes.TheNationalInformationAssurancePartnershipwishestoacknowledgeandthankthemembersofthisgroupwhosededicatedeffortscontributedsignificantlytothepublication.Theseorganizationsinclude:

U.S.GovernmentDefenseInformationSystemsAgency(DISA)InformationAssuranceDirectorate(IAD)NationalInformationAssurancePartnership(NIAP)NationalInstituteofStandardsandTechnology(NIST)

InternationalCommonCriteriaSchemesAustralasianInformationSecurityEvaluationProgram(AISEP)CanadianCommonCriteriaEvaluationandCertificationScheme(CSEC)Information-technologyPromotionAgency,Japan(IPA)UKITSecurityEvaluationandCertificateScheme(NCSC)

IndustryApple,Inc.BlackBerryLGElectronics,Inc.MicrosoftCorporationMotorolaSolutionsSamsungElectronicsCo.,Ltd.OtherMembersoftheMobilityTechnicalCommunity

CommonCriteriaTestLaboratoriesEWA-Canada,Ltd.GossamerSecuritySolutions

AppendixI-Acronyms

Acronym Meaning

AEAD AuthenticatedEncryptionwithAssociatedData

AES AdvancedEncryptionStandard

ANSI AmericanNationalStandardsInstitute

AP ApplicationProcessor

API ApplicationProgrammingInterface

ASLR AddressSpaceLayoutRandomization

BAF BiometricAuthenticationFactor

BP BasebandProcessor

BR/EDR (Bluetooth)BasicRate/EnhancedDataRate

Base-PP BaseProtectionProfile

CA CertificateAuthority

CBC CipherBlockChaining

CC CommonCriteria

CCM CounterwithCBC-MessageAuthenticationCode

CCMP CCMProtocol

CEM CommonEvaluationMethodology

CMC CertificateManagementoverCryptographicMessageSyntax(CMS)

CPU CentralProcessingUnit

CRL CertificateRevocationList

CSP CriticalSecurityParameter

DAR DataAtRest

DEK DataEncryptionKey

DEP DataExecutionPrevention

DH Diffie-Hellman

DNS DomainNameSystem

DSA DigitalSignatureAlgorithm

DTLS DatagramTransportLayerSecurity

EAP ExtensibleAuthenticationProtocol

EAPOL EAPOverLAN

ECDH EllipticCurveDiffieHellman

ECDSA EllipticCurveDigitalSignatureAlgorithm

EEPROM ElectricallyErasableProgrammableRead-OnlyMemory

EST EnrollmentoverSecureTransport

FAR FalseAcceptRate

FEK FileEncryptionKey

FIPS FederalInformationProcessingStandards

FM FrequencyModulation

FQDN FullyQualifiedDomainName

FRR FalseRejectRate

GCM GaloisCounterMode

GPS GlobalPositioningSystem

GPU GraphicsProcessingUnit

HDMI HighDefinitionMultimediaInterface

HMAC Keyed-HashMessageAuthenticationCode

HTTPS HyperTextTransferProtocolSecure

IEEE InstituteofElectricalandElectronicsEngineers

IP InternetProtocol

IPC Inter-ProcessCommunication

IPsec InternetProtocolSecurity

KEK KeyEncryptionKey

LE (Bluetooth)LowEnergy

LTE LongTermEvolution

MD MobileDevice

MDM MobileDeviceManagement

MMI Man-MachineInterface

MMS MultimediaMessagingService

NFC NearFieldCommunication

NFIQ NISTFingerprintImageQuality

NIST NationalInstituteofStandardsandTechnology

NX NeverExecute

OCSP OnlineCertificateStatusProtocol

OE OperationalEnvironment

OID ObjectIdentifier

OS OperatingSystem

OTA OvertheAir

PAD PresentationAttackDetection

PAE PortAccessEntity

PBKDF Password-BasedKeyDerivationFunction

PD ProtectedData

PMK PairwiseMasterKey

PP ProtectionProfile

PP-Configuration ProtectionProfileConfiguration

PP-Module ProtectionProfileModule

PTK PairwiseTemporalKey

RA RegistrationAuthority

RBG RandomBitGenerator

REK RootEncryptionKey

ROM Read-onlymemory

RSA RivestShamirAdlemanAlgorithm

SAR SecurityAssuranceRequirement

SFR SecurityFunctionalRequirement

SHA SecureHashAlgorithm

SMS ShortMessagingService

SPI SecurityParameterIndex

SSH SecureShell

SSID ServiceSetIdentifier

ST SecurityTarget

TLS TransportLayerSecurity

TOE TargetofEvaluation

TSF TOESecurityFunctionality

TSFI TSFInterface

TSS TOESummarySpecification

URI UniformResourceIdentifier

USB UniversalSerialBus

USSD UnstructuredSupplementaryServiceData

VPN VirtualPrivateNetwork

XCCDF eXtensibleConfigurationChecklistDescriptionFormat

XTS XEX(XOREncryptXOR)TweakableBlockCipherwithCiphertextStealing

AppendixJ-Bibliography

Identifier Title

[ANSI409.1]

ANSI/CITS409.1-2005.BiometricsPerformanceTestingandReporting—Part1:PrinciplesandFindings."AnnexB.ANSI/CITS,2005.

[BROWN] IntervalEstimationforaBinomialProportion.Brown,Cai,andDasGupta.

[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1Revision5,April2017.

[CEM] CommonEvaluationMethodologyforInformationTechnologySecurity-EvaluationMethodology,CCMB-2012-09-004,Version3.1,Revision5,April2017.

[IBPC] Onsecurityevaluationoffingerprintrecognitionsystems--IBPCPresentation.,Henniger,Scheuermann,andKniess.InternationalBiometricPerformanceTestingConference(IBPC),2010.RetrievedJune12,2015.

[ISO19989]

ISO/IECNP19989:EvaluationofpresentationattackdetectionforbiometricsInternationalOrganizationforStandardization(ISO),2014.

[NFIQ1.0]

NISTFingerprintImageQualityandrelationtoPIV,Tabassi,Elham.NISTInformationTechnologyLaboratory,2005.RetrievedJune13,2015.

[NFIQ2.0]

BiometricQuality:Thepushtowardszeroerrorbiometrics.,Tabassi,Elhametal.InternationalBiometricsPerformanceConference(IBPC),2016.RetrievedMay30,2016.

[NIST] TheNISTspeakerrecognitionevaluation—Overview,methodology,systems,results,perspective,Doddington,Przybocki,Martin,andReynolds.SpeechCommunication31:Elsevier,2000,RetrievedJune10,2015.

http://projecteuclid.org/download/pdf_1/euclid.ss/1009213286

http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf



http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R5.pdf

https://www.nist.gov/document/hennigerolafibpc-presentationpdf

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=66801

http://biometrics.nist.gov/cs_links/standard/archived/workshops/workshop1/presentations/Tabassi-Image-Quality.pdf

http://biometrics.nist.gov/cs_links/ibpc2016/presentations/ibpc2016_may04/13_tabassi_ibpc2016_nfiq_4May2016.pdf

http://www.isca-speech.org/archive_open/archive_papers/odyssey/pres/odys_doddington_p.pdf