mobile device fundamentals - niap-ccevs
TRANSCRIPT
MobileDeviceFundamentals
Version:3.22021-04-15
NationalInformationAssurancePartnership
RevisionHistory
Version Date Comment
1.0 2013-10-21
InitialRelease
1.1 2014-01-12
Typographicalchangesandadditionalclarificationsinapplicationnotes.RemovedassignmentfromFCS_TLS_EXT.1andlimitedtestingtothoseciphersuitesinbothFCS_TLS_EXT.1andFCS_TLS_EXT.2.
2.0 2015-09-14
IncludedchangesbasedonTechnicalRapidResponseTeamDecisions.Clarifiedmanyrequirementsandassuranceactivities.Mandatedobjectiverequirements:
ApplicationAccessControl(FDP_ACF_EXT.1.2)VPNInformationFlowControl(FDP_IFC_EXT.1)
Addednewobjectiverequirements:SuiteBcryptographyforIEEE802.11CertificateenrollmentProtectionofadditionalkeymaterialtypesHeapoverflowprotectionBluetoothrequirementsCryptographicoperationservicesforapplicationsRemoteAttestation(FPT_NOT_EXT.1)
Addedtransitiondatesforsomeobjectiverequirements.Includedhardware-isolatedREKandkeystorageselections.AllowedkeyderivationbyREK.ClarifiedFTP_ITC_EXT.1andaddedFDP_UPC_EXT.1.MandatedHTTPSandTLSforapplicationuse.(FDP_UPC_EXT.1)RemovedDual_EC_DRBGasanapprovedDRBG.AdoptednewTLSrequirements.MandatedTSFWipeuponauthenticationfailurelimitandrequirednumberofauthenticationfailuresbemaintainedacrossreboot.ClarifiedManagementClass.Includedmoredomainisolationdiscussionandtests.UpdatedAuditrequirementsandaddedAuditableEventstable.AddedSFRCategoryMappingTable.UpdatedUseCaseTemplates.MovedGlossarytoIntroduction.
3.0 2015-09-17
IncludedchangesbasedonTechnicalRapidResponseTeamDecisions.Clarifiedmanyrequirementsandassuranceactivities.Mandatedobjectiverequirements:
GenerationofAuditRecords(FAU_GEN.1)AuditStorageProtection(FAU_STG.1)AuditStorageOverwrite(FAU_STG.4)LockScreenDAR(FDP_DAR_EXT.2)DiscardBluetoothConnectionAttemptsfromBluetoothAddresseswithExistingConnection(FIA_BLT_EXT.3)JTAGDisablement(FPT_JTA)
Addednewobjectiverequirements:ApplicationBackupBiometricAuthenticationFactorAccessControlUserAuthenticationBluetoothEncryption
WLANclientrequirementsmovedtoExtendedPackageforWLANClient.AddedSFRstosupportBYODUseCaseBYODUseCaseUpdatedkeydestructionSFR
3.1 2017-04-05
IncludedchangesbasedonTechnicalRapidResponseTeamDecisionsandincorporatedTechnicalDecisions.Modifiedbiometricrequirements:
FIA_UAU.5-Addediris,face,voiceandveinassupportedmodalities,inadditiontofingerprint(allowedinversion3)FIA_BMG_EXT.1.1-ClarifiedAAtospecifythatvendorevidenceisacceptableandexpectationsofevidenceprovided.FIA_BMG_EXT.1.2-SAFARwaschangedtoanassignmentofaSAFARnogreaterthan1:500.FIA_AFL_EXT.1-Updatedtoalloweachbiometricmodalitytoutilizeanindividualorsharedcounter.
FCS_TLSC_EXT.1.1-RemovedTLSciphersuitesthatutilizedSHA1andupdatedoptionalciphersuitestobeuniformedacrossPPs.FCS_STG_EXT.2.2-Modifiedtorequirelongtermtrustedchannelkeymaterialbeencryptedbyanapprovedmethod.
FIA_UAU_EXT.1.1-Modifiedtoallowthelongtermtrustedchannelkeymaterialtobeavailablepriortopasswordbeingenteredatstart-up.
3.2 2021-04-15
RemovedTLSSFRsandutilizedTLSFunctionalPackageRemovedBluetoothSFRsandutilizedBluetoothModule.BluetoothSFRmovedtoImplementationDependent.FPT_TUD_EXT.2.4renumberedtoFPT_TUD_EXT.3.1.FPT_TUD_EXT.3renumberedtoFPT_TUD_EXT.4.FPT_TUD_EXT.4.1renumberedtoFPT_TUD_EXT.5.1.FPT_TUD_EXT.4.2renumberedtoFPT_TUD_EXT.6.1.
Contents
1 Introduction1.1 ObjectivesofDocument1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms
1.3 ScopeofDocument1.4 IntendedReadership1.5 TOEOverview1.6 TOEUsage
2 ConformanceClaims3 SecurityProblemDescription3.1 Threats3.2 Assumptions3.3 OrganizationalSecurityPolicies
4 SecurityObjectives4.1 SecurityObjectivesfortheTOE4.2 SecurityObjectivesfortheOperationalEnvironment4.3 SecurityObjectivesRationale
5 SecurityRequirements5.1 SecurityFunctionalRequirements5.1.1 Class:SecurityAudit(FAU)5.1.2 Class:CryptographicSupport(FCS)5.1.3 CryptographicStorage(FCS_STG)5.1.4 Class:UserDataProtection(FDP)5.1.5 Class:IdentificationandAuthentication(FIA)5.1.6 Class:SecurityManagement(FMT)5.1.7 Class:ProtectionoftheTSF(FPT)5.1.8 Class:TOEAccess(FTA)5.1.9 Class:TrustedPath/Channels(FTP)5.1.10 TOESecurityFunctionalRequirementsRationale
5.2 SecurityAssuranceRequirements5.2.1 ClassASE:SecurityTarget5.2.2 ClassADV:Development5.2.3 ClassAGD:GuidanceDocumentation5.2.4 ClassALC:Life-cycleSupport5.2.5 ClassATE:Tests5.2.6 ClassAVA:VulnerabilityAssessment
AppendixA- OptionalRequirementsA.1 StrictlyOptionalRequirementsA.1.1 Class:IdentificationandAuthentication(FIA)
A.2 ObjectiveRequirementsA.2.1 Class:SecurityAudit(FAU)A.2.2 Class:CryptographicSupport(FCS)A.2.3 Class:UserDataProtection(FDP)A.2.4 Class:IdentificationandAuthentication(FIA)A.2.5 Class:SecurityManagement(FMT)A.2.6 Class:ProtectionoftheTSF(FPT)A.2.7 Class:TOEAccess(FTA)
A.3 Implementation-basedRequirementsA.3.1 BluetoothA.3.1.1 Class:UserDataProtection(FDP)
AppendixB- Selection-basedRequirementsB.1 Class:CryptographicSupport(FCS)B.2 Class:UserDataProtection(FDP)B.3 Class:IdentificationandAuthentication(FIA)B.4 Class:ProtectionoftheTSF(FPT)
AppendixC- ImplicitlySatisfiedRequirementsAppendixD- EntropyDocumentationAndAssessmentD.1 DesignDescriptionD.2 EntropyJustificationD.3 OperatingConditionsD.4 HealthTesting
AppendixE- UseCaseTemplatesE.1 [USECASE1]Enterprise-owneddeviceforgeneral-purposeenterpriseuse
E.2 [USECASE2]Enterprise-owneddeviceforspecialized,high-securityuseE.3 [USECASE3]Personally-owneddeviceforpersonalandenterpriseuseE.4 [USECASE4]Personally-owneddeviceforpersonalandlimitedenterpriseuse
AppendixF- InitializationVectorRequirementsforNIST-ApprovedCipherModesAppendixG- BiometricDerivationandExamplesG.1 ExperimentalSetupsAndErrorBarsInTestingFARAndFRRG.1.1 IntroductionG.1.2 TestingenvironmentthatcouldmeetFIA_BMG_EXT.1.1G.1.3 DerivingFalseAcceptRateG.1.4 DerivingFalseRejectRate
G.2 DerivationoftheRuleof3(andsimilarrules,forcompleteness)G.3 SAFARCalculationEquationsG.4 SAFARCalculationExample
AppendixH- AcknowledgementsAppendixI- AcronymsAppendixJ- Bibliography
1Introduction
1.1ObjectivesofDocumentThescopeofthisProtectionProfile(PP)istodescribethesecurityfunctionalityofmobiledevicesintermsof[CC]andtodefinefunctionalandassurancerequirementsforsuchdevices.
1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.
1.2.1CommonCriteriaTerms
Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].
BaseProtectionProfile(Base-PP)
ProtectionProfileusedasabasistobuildaPP-Configuration.
CommonCriteria(CC)
CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).
CommonCriteriaTestingLaboratory
WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.
CommonEvaluationMethodology(CEM)
CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.
DistributedTOE
ATOEcomposedofmultiplecomponentsoperatingasalogicalwhole.
OperationalEnvironment(OE)
HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.
ProtectionProfile(PP)
Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.
ProtectionProfileConfiguration(PP-Configuration)
AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.
ProtectionProfileModule(PP-Module)
Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.
SecurityAssuranceRequirement(SAR)
ArequirementtoassurethesecurityoftheTOE.
SecurityFunctionalRequirement(SFR)
ArequirementforsecurityenforcementbytheTOE.
SecurityTarget(ST)
Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.
TOESecurityFunctionality(TSF)
Thesecurityfunctionalityoftheproductunderevaluation.
TOESummarySpecification(TSS)
AdescriptionofhowaTOEsatisfiestheSFRsinanST.
TargetofEvaluation(TOE)
Theproductunderevaluation.
1.2.2TechnicalTerms
AdaptiveTemplate
Atypeofauthenticationtemplatethatevolveswitheachsamplethatisverifiedandintroducedintothebiometricsdatabaseorgallery.
AddressSpaceLayoutRandomization(ASLR)
Ananti-exploitationfeature,whichloadsmemorymappingsintounpredictablelocations.ASLRmakesitmoredifficultforanattackertoredirectcontroltocodethattheyhaveintroducedintotheaddressspaceofaprocessorthekernel.
Administrator TheAdministratorisresponsibleformanagementactivities,includingsettingthepolicythatisappliedbytheenterpriseontheMobileDevice.ThisadministratorislikelytobeactingremotelyandcouldbetheMobileDeviceManagement(MDM)AdministratoractingthroughanMDMAgent.Ifthedeviceisunenrolled,theuseristheadministrator.
AuthenticationTemplate
Adigitalrepresentationofanindividual’sdistinctcharacteristics,representinginformationextractedfromabiometricsample.Suchtemplatesareusedduringbiometricauthenticationandverificationasthebasisforcomparison.Unlikeenrollmenttemplates,thesetemplatescanbeadaptive.
AuxiliaryBootModes
Auxiliarybootmodesarestatesinwhichthedeviceprovidespowertooneormorecomponentstoprovideaninterfacethatenablesanunauthenticatedusertointeractwitheitheraspecificcomponentorseveralcomponentsthatexistoutsideofthedevice’sfullyauthenticated,operationalstate.
BiometricAuthenticationFactor(BAF)
Authenticationfactor,whichusesbiometricsample,matchedtoabiometricauthenticationtemplatetohelpestablishidentity.
BiometricData
Digitaldatacreatedduringabiometricprocess.Itencompassesrawsensorobservations,biometricsamples,models,templates,and/orsimilarityscores,amongotherdata.Thisdataisusedtodescribetheinformationcollectedduringanenrollment,verification,oridentificationprocess,butdoesnotapplytoenduserinformationsuchasusername,password(unlesstiedtothebiometricmodality),demographicinformation,andauthorizations.
BiometricSample
Informationorcomputerdataobtainedfromabiometricsensordeviceorcapturedfromanindividualtothesensor.
BiometricSystem
Multipleindividualcomponents(suchassensor,matchingalgorithm,andresultdisplay)thatcombinetomakeafullyoperationalsystemcompletelycontainedwithintheTOE.Abiometricsystemisautomatedandcapableof:
1. Capturingabiometricsamplefromanenduser2. Extractingandprocessingthebiometricdatafromthatsample3. Generatingvarioustemplatesbasedonprocessingofthatsampleduringenrollment,
or,ifadaptive,duringverificationaswell4. Storingtheextractedinformationinadatabaseonthedevice5. Comparingthebiometricdatawithdatacontainedinoneormoreauthentication
templates6. Decidinghowwelltheymatchandindicatingwhetherornotanidentificationor
verificationofidentityhasbeenachieved.
CommonApplicationDeveloper
Applicationdevelopers(orsoftwarecompanies)oftenproducemanyapplicationsunderthesamename.Mobiledevicesoftenallowsharedresourcesbysuchapplicationswhereotherwiseresourceswouldnotbeshared.
CriticalSecurity
Security-relatedinformationwhosedisclosureormodificationcancompromisethesecurityofacryptographicmoduleand/orauthenticationsystem.
Parameter(CSP)
Data Program/applicationordatafilesthatarestoredortransmittedbyaserverorMobileDevice(MD).
DataEncryptionKey(DEK)
Akeyusedtoencryptdata-at-rest.
DeveloperModes
Developermodesarestatesinwhichadditionalservicesareavailabletoauserinordertoprovideenhancedsystemaccessfordebuggingofsoftware.
EncryptedSoftwareKeys
Thesekeysarestoredinthemainfilesystemencryptedbyanotherkeyandcanbechangedandsanitized.
EnrolledState ThestateinwhichtheMobileDeviceismanagedwithactivepolicysettingsfromtheadministrator.
Enrollment(Biometrics)
Theprocessofcollectingabiometricsamplefromanenduser,convertingitintoanenrollmentand/orauthenticationtemplate,andstoringitinthebiometricsystem’sdatabase.Ifanenrollmenttemplateisgenerated,itisusedduringtheenrollmentprocessforlatercomparisontootherenrollmenttemplatesalreadystored.Iftherearemultipleenrollmenttemplates,theymaybefused,averaged,orotherwise,inordertocreateauthenticationtemplates,whichareusedforlatercomparisoninverification.
EnrollmentTemplate
Adigitalrepresentationofanindividual’sdistinctcharacteristics,representinginformationextractedfromabiometricsample.Suchtemplatesaregeneratedduringtheenrollmentprocessandutilizedinvariousways(includingaveraging,fusion,etc.)inordertogenerateanauthenticationtemplate.
EnterpriseApplications
Applicationsthatareprovidedandmanagedbytheenterprise.
EnterpriseData
Enterprisedataisanydataresidingintheenterpriseservers,ortemporarilystoredonMobileDevicestowhichtheMobileDeviceuserisallowedaccessaccordingtosecuritypolicydefinedbytheenterpriseandimplementedbytheadministrator.
EphemeralKeys
Thesekeysarestoredinvolatilememory.
FalseAcceptRate(FAR)
Astatisticusedtomeasurebiometricperformancewhenoperatinginverification,definedasthepercentageoftimesasystemproducesafalseaccept,whichoccurswhenanindividualisincorrectlymatchedtoanotherindividual’sexistingbiometric.Forexample,MalloryclaimstobeAliceandthesystemverifiestheclaim.
FalseRejectRate(FRR)
Astatisticusedtomeasurebiometricperformanceinverification,definedasthepercentageoftimesthesystemproducesafalsereject.Afalserejectoccurswhenanindividualisnotmatchedtohisorherownexistingbiometrictemplate.Forexample,JohnclaimstobeJohn,butthesystemincorrectlydeniestheclaim.
Feature(s)(Biometrics)
Distinctivemathematicalcharacteristic(s)derivedfromabiometricsample,usedtogenerateenrollmentorauthenticationtemplates.
FileEncryptionKey(FEK)
ADEKusedtoencryptafileoradirectorwhenFileEncryptionisused.FEKsareuniquetoeachencryptedfileordirectory.
Hardware-IsolatedKeys
TheOScanonlyaccessthesekeysbyreference,ifatall,duringruntime.
HybridAuthentication
AhybridauthenticationfactorisonewhereauserhastosubmitacombinationofabiometricsampleandaPINorpasswordandbothtopass.Ifeitherfactorfails,theentireattemptfails.Theusershallnotbemadeawareofwhichfactorfailed,ifeitherfails.
ImmutableHardwareKey
Thesekeysarestoredashardware-protectedrawkeyandcannotbechangedorsanitized.
KeyChaining Themethodofusingmultiplelayersofencryptionkeystoprotectdata.Atoplayerkeyencryptsalowerlayerkey,whichencryptsthedata;thismethodcanhaveanynumberoflayers.
KeyEncryptionKey(KEK)
Akeyusedtoencryptotherkeys,suchasDEKsorstoragethatcontainskeys.
LivenessDetection
Atechniqueusedtoensurethatthebiometricsamplesubmittedisfromanenduser.Alivenessdetectionmethodcanhelpprotectthesystemagainstsometypesofspoofingattacks.
LockedState Poweredonbutmostfunctionalityisunavailableforuse.Userauthenticationisrequiredtoaccessfunctionality.
MDMAgent TheMDMAgentisinstalledonaMobileDeviceasanapplicationorispartoftheMobileDevice’sOS.TheMDMAgentestablishesasecureconnectionbacktotheMDMServercontrolledbytheadministrator.
MinutiaPoint Frictionridgecharacteristicsthatareusedtoindividualizeafingerprintimage.Minutiaarethepointswherefrictionridgesbegin,terminate,orsplitintotwoormoreridges.Inmanyfingerprintsystems,theminutiapointsarecomparedforrecognitionpurposes.
MobileDevice(MD)
Adevicewhichiscomposedofahardwareplatformanditssystemsoftware.Thedevicetypicallyprovideswirelessconnectivityandmayincludesoftwareforfunctionslikesecuremessaging,email,web,VPN(VirtualPrivateNetwork)connection,andVoIP(VoiceoverIP),foraccesstotheprotectedenterprisenetwork,enterprisedataandapplications,andforcommunicatingtootherMobileDevices.
MobileDeviceManagement(MDM)
Mobiledevicemanagement(MDM)productsallowenterprisestoapplysecuritypoliciestomobiledevices.Thissystemconsistsoftwoprimarycomponents:theMDMServerandtheMDMAgent.
MobileDeviceUser(User)
TheindividualauthorizedtophysicallycontrolandoperatetheMobileDevice.Dependingontheusecase,thiscanbethedeviceowneroranindividualauthorizedbythedeviceowner.
Modality(Biometrics)
Atypeorclassofbiometricsystem,suchasfingerprintrecognition,facialrecognition,irisrecognition,voicerecognition,signature/sign,andothers.
MutableHardwareKey
Thesekeysarestoredashardware-protectedrawkeyandcanbechangedorsanitized.
NISTFingerprintImageQuality(NFIQ)
Amachine-learningalgorithmthatreflectsthepredictivepositiveornegativecontributionofanindividualsampletotheoverallperformanceofafingerprintmatchingsystem.NFIQ1.0scoresarecalculatedonascalefrom1to5,whereNFIQ=1indicateshighqualitysamplesandNFIQ=5indicatespoorqualitysamples[NFIQ1.0].NFIQ2.0scoresarecalculatedonascalefrom0to100,whereNFIQ=0indicatespoorqualitysamplesandNFIQ=100indicateshighqualitysamples[NFIQ2.0].
OperatingSystem(OS)
Softwarethatrunsatthehighestprivilegelevelandcandirectlycontrolhardwareresources.ModernMobileDevicestypicallyhaveatleasttwoprimaryoperatingsystems:one,whichrunsontheapplicationprocessorandone,whichrunsonthecellularbasebandprocessor.TheOSoftheapplicationprocessorhandlesmostuserinteractionsandprovidestheexecutionenvironmentforapps.TheOSofthecellularbasebandprocessorhandlescommunicationswiththecellularnetworkandmaycontrolotherperipherals.ThetermOS,withoutcontext,maybeassumedtorefertotheOSoftheapplicationprocessor.
PINAuthenticationFactor
APINisasetofnumericoralphabeticcharactersthatmaybeusedinadditiontoabiometricfactortoprovideahybridauthenticationfactor.Atthistimeitisnotconsideredasastand-aloneauthenticationmechanism.APINisdistinctfromapasswordinthattheallowedcharactersetandrequiredlengthofaPINistypicallysmallerthanthatofapasswordasitisdesignedtobeinputquickly.
PasswordAuthenticationFactor
Atypeofauthenticationfactorrequiringtheusertoprovideasecretsetofcharacterstogainaccess.
PoweredOffState
ThedevicehasbeenshutdownsuchthatnoTOEfunctioncanbeperformed.
PresentationAttackDetection(PAD)
Atechniqueusedtoensurethatthebiometricsamplesubmittedisfromanenduser.Apresentationattackdetectionmethodcanhelpprotectthesystemagainstsometypesofspoofingattacks.
ProtectedData(PD)
Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.
RootEncryptionKey(REK)
Akeytiedtothedeviceusedtoencryptotherkeys.
Sensitivedata SensitivedatashallbeidentifiedintheTSSsectionoftheSecurityTarget(ST)bytheSTauthor.SensitivedataisasubsetoralloftheProtecteddata.Sensitivedatamayincludealluserorenterprisedataormaybespecificapplicationdatasuchasemails,messaging,documents,calendaritems,andcontacts.Sensitivedataisprotectedwhileinthelockedstate(FDP_DAR_EXT.2).
SoftwareKeys TheOSaccesstherawbytesofthesekeysduringruntime.
TSFData DatafortheoperationoftheTSFuponwhichtheenforcementoftherequirementsrelies.
Template(Biometrics)
Adigitalrepresentationofanindividual’sdistinctcharacteristics,representinginformationextractedfromabiometricsample.ThisPPfurtherdefinesenrollmenttemplatesandauthenticationtemplates.
Threshold Ausersettingforbiometricsystemsoperatinginverification.Thresholdsarealsousedinenrollmentifenrollmenttemplatesarecreatedandcomparedtoeachother.Theacceptanceorrejectionofbiometricdatainverificationisdependentonthematchscorefallingaboveorbelowthethreshold.Thethresholdisadjustablesothatthebiometricsystemcanbemoreorlessstrict,dependingontherequirementsofanygivenbiometricapplication.
TrustAnchorDatabase
AlistoftrustedrootCertificateAuthoritycertificates.
UnenrolledState
ThestateinwhichtheMobileDeviceisnotmanaged.
UnlockedState
Poweredonanddevicefunctionalityisavailableforuse.Impliesuserauthenticationhasoccurred(whensoconfigured).
Verification(Biometrics)
Ataskwherethebiometricsystemattemptstoconfirmanindividual’sclaimedidentitybycomparingasubmittedsampletooneormorepreviouslyenrolledauthenticationtemplates.
1.3ScopeofDocumentThescopeoftheProtectionProfilewithinthedevelopmentandevaluationprocessisdescribedintheCommonCriteriaforInformationTechnologySecurityEvaluation[CC].Inparticular,aPPdefinestheITsecurityrequirementsofagenerictypeofTOEandspecifiesthefunctionalandassurancesecuritymeasurestobeofferedbythatTOEtomeetstatedrequirements[CC].
1.4IntendedReadershipThetargetaudiencesofthisPPareMobileDevicedevelopers,CCconsumers,evaluatorsandschemes.
1.5TOEOverviewThisassurancestandardspecifiesinformationsecurityrequirementsforMobileDevicesforuseinanenterprise.AMobileDeviceinthecontextofthisassurancestandardisadevice,whichiscomposedofahardwareplatformanditssystemsoftware.Thedevicetypicallyprovideswirelessconnectivityandmayincludesoftwareforfunctionslikesecuremessaging,email,web,VPNconnection,andVoIP(VoiceoverIP),foraccesstotheprotectedenterprisenetwork,enterprisedataandapplications,andforcommunicatingtootherMobileDevices.
Figure1illustratesthenetworkoperatingenvironmentoftheMobileDevice.
Figure1:MobileDeviceNetworkEnvironment
Examplesofa"MobileDevice"thatshouldclaimconformancetothisProtectionProfileincludesmartphones,tabletcomputers,andotherMobileDeviceswithsimilarcapabilities.
TheMobileDeviceprovidesessentialservices,suchascryptographicservices,data-at-restprotection,andkeystorageservicestosupportthesecureoperationofapplicationsonthedevice.Additionalsecurityfeaturessuchassecuritypolicyenforcement,applicationmandatoryaccesscontrol,anti-exploitationfeatures,userauthentication,andsoftwareintegrityprotectionareimplementedinordertoaddressthreats.
ThisassurancestandarddescribestheseessentialsecurityservicesprovidedbytheMobileDeviceandservesasafoundationforasecuremobilearchitecture.Thewirelessconnectivityshallbevalidatedagainstthe
ExtendedPackageforWLANClient.IfthemobiledevicecontainsBluetoothfunctionality(i.e.,hasBluetoothhardware),theBluetoothconnectivityshallbeevaluatedagainstthePP-ModuleforBluetooth.AsillustratedinFigure2,itisexpectedthatatypicaldeploymentwouldalsoincludeeitherthird-partyorbundledcomponents.WhetherthesecomponentsarebundledaspartoftheMobileDevicebythemanufacturerordevelopedbyathird-party,theymustbeseparatelyvalidatedagainsttherelatedassurancestandardssuchasthePP-ModuleforMDMAgent,PP-ModuleforVPNClient,andPP-ModuleforVVoIP.Itistheresponsibilityofthearchitectoftheoverallsecuremobilearchitecturetoensurevalidationofthesecomponents.Additionalapplicationsthatmaycomepre-installedontheMobileDevicethatarenotvalidatedareconsideredtobepotentiallyflawed,butnotmalicious.Examplesincludeemailclientandwebbrowser.
Figure2:OptionalAdditionalMobileDeviceComponents
1.6TOEUsageTheMobileDevicemaybeoperatedinanumberofusecases.AppendixE-UseCaseTemplatesprovidesusecasetemplatesthatlistthoseselections,assignments,andobjectiverequirementsthatbestsupporttheusecasesidentifiedbythisProtectionProfile.Inadditiontoprovidingessentialsecurityservices,theMobileDeviceincludesthenecessarysecurityfunctionalitytosupportconfigurationsforthesevarioususecases.Eachusecasemayrequireadditionalconfigurationandapplicationstoachievethedesiredsecurity.Aselectionoftheseusecasesiselaboratedbelow.
Severaloftheusecasetemplatesincludeobjectiverequirementsthatarestronglydesiredfortheindicatedusecases.Readerscanexpectthoserequirementstobemademandatoryinafuturerevisionofthisprotectionprofile,andindustryshouldaimtoincludethatsecurityfunctionalityinproductsinthenear-term.
AsofpublicationofthisversionoftheProtectionProfile,meetingtherequirementsinSection5SecurityRequirementsisnecessaryforallusecases.
[USECASE1]Enterprise-owneddeviceforgeneral-purposeenterpriseuseandlimitedpersonaluse
Anenterprise-owneddeviceforgeneral-purposebusinessuseiscommonlycalledCorporatelyOwned,PersonallyEnabled(COPE).Thisusecaseentailsasignificantdegreeofenterprisecontroloverconfigurationand,possibly,softwareinventory.TheenterpriseelectstoprovideuserswithMobileDevicesandadditionalapplications(suchasVPNoremailclients)inordertomaintaincontroloftheirEnterprisedataandsecurityoftheirnetworks.UsersmayuseInternetconnectivitytobrowsetheweboraccesscorporatemailorrunenterpriseapplications,butthisconnectivitymaybeundersignificantcontroloftheenterprise.
[USECASE2]Enterprise-owneddeviceforspecialized,high-securityuse
Anenterprise-owneddevicewithintentionallylimitednetworkconnectivity,tightlycontrolledconfiguration,andlimitedsoftwareinventoryisappropriateforspecialized,high-securityusecases.Forexample,thedevicemaynotbepermittedconnectivitytoanyexternalperipherals.ItmayonlybeabletocommunicateviaitsWi-Fiorcellularradioswiththeenterprise-runnetwork,whichmaynotevenpermitconnectivitytotheInternet.Useofthedevicemayentailcompliancewithpoliciesthataremorerestrictivethanthoseinanygeneral-purposeusecase,yetmaymitigateriskstohighlysensitiveinformation.Asinthepreviouscase,theenterprisewilllookforadditionalapplicationsprovidingenterpriseconnectivityandservicestohaveasimilarlevelofassuranceastheplatform.
[USECASE3]Personally-owneddeviceforpersonalandenterpriseuse
Apersonally-owneddevice,whichisused,forbothpersonalactivitiesandenterprisedataiscommonlycalledBringYourOwnDevice(BYOD).Thedevicemaybeprovisionedforaccesstoenterpriseresourcesaftersignificantpersonalusagehasoccurred.Unlikeintheenterprise-ownedcases,theenterpriseislimitedinwhatsecuritypoliciesitcanenforcebecausetheuserpurchasedthedeviceprimarilyforpersonaluseandisunlikelytoacceptpoliciesthatlimitthefunctionalityofthedevice.However,becausetheenterpriseallowstheuserfull(ornearlyfull)accesstotheenterprisenetwork,theenterprisewillrequiretheirownsecuritycontrolstoensurethatenterpriseresourcesareprotectedfrompotentialthreatsposedbythepersonalactivitiesonthedevice.Thesecontrolscouldpotentiallybeenforcedbyaseparationmechanismbuilt-intothedeviceitselftodistinguishbetweenenterpriseandpersonalactivities,orbyathird-partyapplicationthatprovidesaccesstoenterpriseresourcesandleveragessecuritycapabilitiesprovidedbythemobiledevice.Basedupontheoperationalenvironmentandtheacceptableriskleveloftheenterprise,thosesecurity
functionalrequirementsoutlinedinSection5SecurityRequirementsofthisPPalongwiththeselectionsintheUseCase3templatedefinedinAppendixE-UseCaseTemplatesaresufficientforthesecureimplementationofthisBYODusecase.
[USECASE4]Personally-owneddeviceforpersonalandlimitedenterpriseuse
Apersonally-owneddevice,whichisused,forbothpersonalactivitiesandenterprisedataiscommonlycalledBringYourOwnDevice(BYOD).Thisdevicemaybeprovisionedforlimitedaccesstoenterpriseresourcessuchasenterpriseemail.Becausetheuserdoesnothavefullaccesstotheenterpriseorenterprisedata,theenterprisemaynotneedtoenforceanysecuritypoliciesonthedevice.However,theenterprisemaywantsecureemailandwebbrowsingwithassurancethattheservicesbeingprovidedtothoseclientsbytheMobileDevicearenotcompromised.Basedupontheoperationalenvironmentandtheacceptableriskleveloftheenterprise,thosesecurityfunctionalrequirementsoutlinedinSection5SecurityRequirementsofthisPParesufficientforthesecureimplementationofthisBYODusecase.
2ConformanceClaimsConformanceStatement
AnSTmustclaimexactconformancetothisPP,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).ThefollowingPP-ModulesareallowedtobespecifiedinaPP-ConfigurationwiththisPP.
PP-ModuleforVPNClient,Version2.2PP-ModuleforBluetooth,Version1.0PP-ModuleforMDMAgent,Version1.0
CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(extended)ofCommonCriteriaVersion3.1,Revision5.
PPClaimThisPPdoesnotclaimconformancetoanyProtectionProfile.
PackageClaimThisPPisTLSPackageConformant.
3SecurityProblemDescription
3.1ThreatsMobiledevicesaresubjecttothethreatsoftraditionalcomputersystemsalongwiththoseentailedbytheirmobilenature.ThethreatsconsideredinthisProtectionProfilearethoseofnetworkeavesdropping,networkattacks,physicalaccess,maliciousorflawedapplications,persistentpresence,andbackupasdetailedinthefollowingsections.
T.NETWORK_EAVESDROPAnattackerispositionedonawirelesscommunicationschannelorelsewhereonthenetworkinfrastructure.AttackersmaymonitorandgainaccesstodataexchangedbetweentheMobileDeviceandotherendpoints.
T.NETWORK_ATTACKAnattackerispositionedonawirelesscommunicationschannelorelsewhereonthenetworkinfrastructure.AttackersmayinitiatecommunicationswiththeMobileDeviceoraltercommunicationsbetweentheMobileDeviceandotherendpointsinordertocompromisetheMobileDevice.Theseattacksincludemalicioussoftwareupdateofanyapplicationsorsystemsoftwareonthedevice.Theseattacksalsoincludemaliciouswebpagesoremailattachments,whichareusuallydeliveredtodevicesoverthenetwork.
T.PHYSICAL_ACCESSAnattacker,withphysicalaccess,mayattempttoaccessuserdataontheMobileDeviceincludingcredentials.Thesephysicalaccessthreatsmayinvolveattacks,whichattempttoaccessthedevicethroughexternalhardwareports,impersonatetheuserauthenticationmechanisms,throughitsuserinterface,andalsothroughdirectandpossiblydestructiveaccesstoitsstoragemedia.Note:Defendingagainstdevicere-useafterphysicalcompromiseisoutofscopeforthisProtectionProfile.
T.MALICIOUS_APPApplicationsloadedontotheMobileDevicemayincludemaliciousorexploitablecode.Thiscodecouldbeincludedintentionallyorunknowinglybythedeveloper,perhapsaspartofasoftwarelibrary.Maliciousappsmayattempttoexfiltratedatatowhichtheyhaveaccess.Theymayalsoconductattacksagainsttheplatform’ssystemsoftware,whichwillprovidethemwithadditionalprivilegesandtheabilitytoconductfurthermaliciousactivities.Maliciousapplicationsmaybeabletocontrolthedevice'ssensors(GPS,camera,microphone)togatherintelligenceabouttheuser'ssurroundingsevenwhenthoseactivitiesdonotinvolvedataresidentortransmittedfromthedevice.Flawedapplicationsmaygiveanattackeraccesstoperformnetwork-basedorphysicalattacksthatotherwisewouldhavebeenprevented
T.PERSISTENT_PRESENCEPersistentpresenceonadevicebyanattackerimpliesthatthedevicehaslostintegrityandcannotregainit.Thedevicehaslikelylostthisintegrityduetosomeotherthreatvector,yetthecontinuedaccessbyanattackerconstitutesanon-goingthreatinitself.Inthiscase,thedeviceanditsdatamaybecontrolledbyanadversaryaswellasbyitslegitimateowner.
3.2AssumptionsThespecificconditionslistedbelowareassumedtoexistintheTOE’sOperationalEnvironment.TheseincludebothpracticalrealitiesinthedevelopmentoftheTOEsecurityrequirementsandtheessentialenvironmentalconditionsontheuseoftheTOE.
A.CONFIGItisassumedthattheTOE’ssecurityfunctionsareconfiguredcorrectlyinamannertoensurethattheTOEsecuritypolicieswillbeenforcedonallapplicablenetworktrafficflowingamongtheattachednetworks.
A.NOTIFYItisassumedthatthemobileuserwillimmediatelynotifytheadministratoriftheMobileDeviceislostorstolen.
A.PRECAUTIONItisassumedthatthemobileuserexercisesprecautionstoreducetheriskoflossortheftoftheMobileDevice.
A.PROPER_USERMobileDeviceusersarenotwillfullynegligentorhostile,andusethedevicewithincomplianceofareasonableEnterprisesecuritypolicy.
3.3OrganizationalSecurityPoliciesThisdocumentdoesnotdefineanyadditionalOSPs.
4SecurityObjectives
4.1SecurityObjectivesfortheTOEO.PROTECTED_COMMS
Toaddressthenetworkeavesdropping(T.EAVESDROP)andnetworkattack(T.NETWORK)threatsdescribedinSection3.1Threats,concerningwirelesstransmissionofEnterpriseanduserdataandconfigurationdatabetweentheTOEandremotenetworkentities,conformantTOEswilluseatrustedcommunicationpath.TheTOEwillbecapableofcommunicatingusingone(ormore)ofthesestandardprotocols:IPsec,DTLS,TLS,HTTPS,orBluetooth.TheprotocolsarespecifiedbyRFCsthatofferavarietyofimplementationchoices.Requirementshavebeenimposedonsomeofthesechoices(particularlythoseforcryptographicprimitives)toprovideinteroperabilityandresistancetocryptographicattack.
WhileconformantTOEsmustsupportallofthechoicesspecifiedintheSTincludinganyoptionalSFRsdefinedinthisPP,theymaysupportadditionalalgorithmsandprotocols.Ifsuchadditionalmechanismsarenotevaluated,guidancemustbegiventotheadministratortomakeclearthefactthattheywerenotevaluated.
O.STORAGEToaddresstheissueoflossofconfidentialityofuserdataintheeventoflossofaMobileDevice(T.PHYSICAL),conformantTOEswillusedata-at-restprotection.TheTOEwillbecapableofencryptingdataandkeysstoredonthedeviceandwillpreventunauthorizedaccesstoencrypteddata.
O.CONFIGToensureaMobileDeviceprotectsuserandenterprisedatathatitmaystoreorprocess,conformantTOEswillprovidethecapabilitytoconfigureandapplysecuritypoliciesdefinedbytheuserandtheEnterpriseAdministrator.IfEnterprisesecuritypoliciesareconfiguredthesemustbeappliedinprecedenceofuserspecifiedsecuritypolicies.
O.AUTHToaddresstheissueoflossofconfidentialityofuserdataintheeventoflossofaMobileDevice(T.PHYSICAL),usersarerequiredtoenteranauthenticationfactortothedevicepriortoaccessingprotectedfunctionalityanddata.Somenon-sensitivefunctionality(e.g.,emergencycalling,textnotification)canbeaccessedpriortoenteringtheauthenticationfactor.Thedevicewillautomaticallylockfollowingaconfiguredperiodofinactivityinanattempttoensureauthorizationwillberequiredintheeventofthedevicebeinglostorstolen.
Authenticationoftheendpointsofatrustedcommunicationpathisrequiredfornetworkaccesstoensureattacksareunabletoestablishunauthorizednetworkconnectionstounderminetheintegrityofthedevice.
RepeatedattemptsbyausertoauthorizetotheTSFwillbelimitedorthrottledtoenforceadelaybetweenunsuccessfulattempts.
O.INTEGRITYToensuretheintegrityoftheMobileDeviceismaintainedconformantTOEswillperformself-teststoensuretheintegrityofcriticalfunctionality,software/firmwareanddatahasbeenmaintained.Theusershallbenotifiedofanyfailureoftheseself-tests.ThiswillprotectagainstthethreatT.PERSISTENT.
Toaddresstheissueofanapplicationcontainingmaliciousorflawedcode(T.FLAWAPP),theintegrityofdownloadedupdatestosoftware/firmwarewillbeverifiedpriortoinstallation/executionoftheobjectontheMobileDevice.Inaddition,theTOEwillrestrictapplicationstoonlyhaveaccesstothesystemservicesanddatatheyarepermittedtointeractwith.TheTOEwillfurtherprotectagainstmalicious
applicationsfromgainingaccesstodatatheyarenotauthorizedtoaccessbyrandomizingthememorylayout.
O.PRIVACYInaBYODenvironment(usecases3and4),apersonally-ownedmobiledeviceisusedforbothpersonalactivitiesandenterprisedata.Enterprisemanagementsolutionsmayhavethetechnicalcapabilitytomonitorandenforcesecuritypoliciesonthedevice.However,theprivacyofthepersonalactivitiesanddatamustbeensured.Inaddition,sincetherearelimitedcontrolsthattheenterprisecanenforceonthepersonalside,separationofpersonalandenterprisedataisneeded.ThiswillprotectagainsttheT.FLAWAPPandT.PERSISTENTthreats.
4.2SecurityObjectivesfortheOperationalEnvironmentThefollowingsecurityobjectivesfortheoperationalenvironmentassisttheOSincorrectlyprovidingitssecurityfunctionality.Thesetrackwiththeassumptionsabouttheenvironment.
OE.CONFIGTOEadministratorswillconfiguretheMobileDevicesecurityfunctionscorrectlytocreatetheintendedsecuritypolicy
OE.NOTIFYTheMobileUserwillimmediatelynotifytheadministratoriftheMobileDeviceislostorstolen.
OE.PRECAUTIONThemobiledeviceuserexercisesprecautionstoreducetheriskoflossortheftoftheMobileDevice.
OE.DATA_PROPER_USERAdministratorstakemeasurestoensurethatmobiledeviceusersareadequatelyvettedagainstmaliciousintentandaremadeawareoftheexpectationsforappropriateuseofthedevice.
4.3SecurityObjectivesRationaleThissectiondescribeshowtheassumptions,threats,andorganizationsecuritypoliciesmaptothesecurityobjectives.
Table1:SecurityObjectivesRationaleThreat,Assumption,orOSP
SecurityObjectives Rationale
T.NETWORK_EAVESDROP O.PROTECTED_COMMS ThethreatT.NETWORK_EAVESDROPiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingone(ormore)standardprotocolsasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.
O.CONFIG ThethreatT.NETWORK_EAVESDROPiscounteredbyO.CONFIGasthisprovidesasecureconfigurationofthemobiledevicetoprotectdatathatitprocesses.
O.AUTH ThethreatT.NETWORK_EAVESDROPiscounteredbyO.AUTHasthisprovidesauthenticationoftheendpointsofatrustedcommunicationpath.
T.NETWORK_ATTACK O.PROTECTED_COMMS ThethreatT.NETWORK_ATTACKiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingone(ormore)standardprotocolsasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.
O.CONFIG ThethreatT.NETWORK_ATTACKiscounteredbyO.CONFIGasthisprovidesasecureconfigurationofthemobiledevicetoprotectdatathatitprocesses.
O.AUTH ThethreatT.NETWORK_ATTACKiscounteredbyO.AUTHasthisprovidesauthenticationoftheendpointsofatrustedcommunicationpath.
T.PHYSICAL_ACCESS O.STORAGE ThethreatT.PHYSICAL_ACCESSiscounteredbyO.STORAGEasthisprovidesthecapabilitytoencryptalluserandenterprisedataandauthenticationkeystoensuretheconfidentialityofdatathatitstores.
O.AUTH ThethreatT.PHYSICAL_ACCESSiscounteredbyO.AUTHasthisprovidesthecapabilityto
authenticatetheuserpriortoaccessingprotectedfunctionalityanddata.
T.MALICIOUS_APP O.PROTECTED_COMMS ThethreatT.MALICIOUS_APPiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingone(ormore)standardprotocolsasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.
O.CONFIG ThethreatT.MALICIOUS_APPiscounteredbyO.CONFIGasthisprovidesthecapabilitytoconfigureandapplysecuritypoliciestoensuretheMobileDevicecanprotectuserandenterprisedatathatitmaystoreorprocess.
O.AUTH ThethreatT.MALICIOUS_APPiscounteredbyO.AUTHasthisprovidesthecapabilitytoauthenticatetheuserandendpointsofatrustedpathtoensuretheyarecommunicatingwithanauthorizedentitywithappropriateprivileges.
O.INTEGRITY ThethreatT.MALICIOUS_APPiscounteredbyO.INTEGRITYasthisprovidesthecapabilitytoperformself-teststoensuretheintegrityofcriticalfunctionality,software/firmwareanddatahasbeenmaintained.
O.PRIVACY ThethreatT.MALICIOUS_APPiscounteredbyO.PRIVACYasthisprovidesseparationandprivacybetweenuseractivities.
T.PERSISTENT_PRESENCE O.INTEGRITY ThethreatT.PERSISTENT_PRESENCEiscounteredbyO.INTEGRITYasthisprovidesthecapabilitytoperformself-teststoensuretheintegrityofcriticalfunctionality,software/firmwareanddatahasbeenmaintained.
O.PRIVACY ThethreatT.PERSISTENT_PRESENCEiscounteredbyO.PRIVACYasthisprovidesseparationandprivacybetweenuseractivities.
A.CONFIG OE.CONFIG TheoperationalenvironmentobjectiveOE.CONFIGisrealizedthroughA.CONFIG.
A.NOTIFY OE.NOTIFY TheoperationalenvironmentobjectiveOE.NOTIFYisrealizedthroughA.NOTIFY.
A.PRECAUTION OE.PRECAUTION TheoperationalenvironmentobjectiveOE.PRECAUTIONisrealizedthroughA.PRECAUTION.
A.PROPER_USER OE.DATA_PROPER_USER TheoperationalenvironmentobjectiveOE.DATA_PROPER_USERisrealizedthroughA.PROPER_USER.
5SecurityRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2andassurancecomponentsfromPart3of[CC].Thefollowingconventionsareusedforthecompletionofoperations:
Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."
5.1SecurityFunctionalRequirements
5.1.1Class:SecurityAudit(FAU)
FAU_GEN.1AuditDataGenerationFAU_GEN.1.1
TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:
1. Start-upandshutdownoftheauditfunctions2. Allauditableeventsforthe[notselected]levelofaudit3. Alladministrativeactions4. Start-upandshutdownoftheOS5. Insertionorremovalofremovablemedia6. SpecificallydefinedauditableeventsinTable27. [selection:Auditrecordsreaching[assignment:integervaluelessthan100]percentageofauditcapacity,SpecificallydefinedauditableeventsinTable3,[assignment:otherauditableeventsderivedfromthisProtectionProfile],[assignment:noadditionalauditableevents]]
Requirement AuditableEvents AdditionalAuditRecordContents
FAU_GEN.1 None.
FAU_STG.1 None.
FAU_STG.4 None.
FCS_CKM_EXT.1 [selection:generationofaREK,None].
Noadditionalinformation.
FCS_CKM_EXT.2 None.
FCS_CKM_EXT.3 None.
FCS_CKM_EXT.4 None.
FCS_CKM_EXT.5 [selection:Failureofthewipe,None].
Noadditionalinformation.
FCS_CKM_EXT.6 None.
FCS_CKM.1 [selection:Failureofkeygenerationactivityforauthenticationkeys,None].
Noadditionalinformation.
FCS_CKM.2/UNLOCKED None.
FCS_CKM.2/LOCKED None.
FCS_COP.1/ENCRYPT None.
FCS_COP.1/HASH None.
FCS_COP.1/SIGN None.
FCS_COP.1/KEYHMAC None.
FCS_COP.1/CONDITION None.
FCS_IV_EXT.1 None.
FCS_SRV_EXT.1 None.
FCS_STG_EXT.1 Importordestructionofkey.
Identityofkey.Roleandidentityofrequestor.
[selection:Exceptionstouseanddestructionrules,Nootherevents]
FCS_STG_EXT.2 None.
FCS_STG_EXT.3 Failuretoverifyintegrityofstoredkey.
Identityofkeybeingverified.
FDP_DAR_EXT.1 [selection:Failuretoencrypt/decryptdata,None].
Noadditionalinformation.
FDP_DAR_EXT.2 Failuretoencrypt/decryptdata.
Noadditionalinformation.
FDP_IFC_EXT.1 None.
FDP_STG_EXT.1 AdditionorremovalofcertificatefromTrustAnchorDatabase.
Subjectnameofcertificate.
FIA_PMG_EXT.1 None.
FIA_TRT_EXT.1 None.
FIA_UAU_EXT.1 None.
FIA_UAU.5 None.
FIA_UAU.7 None.
FIA_X509_EXT.1 FailuretovalidateX.509v3certificate.
Reasonforfailureofvalidation.
FMT_MOF_EXT.1 None.
FPT_AEX_EXT.1 None.
FPT_AEX_EXT.2 None.
FPT_AEX_EXT.3 None.
FPT_JTA_EXT.1 None.
FPT_KST_EXT.1 None.
FPT_KST_EXT.2 None.
FPT_KST_EXT.3 None.
FPT_NOT_EXT.1 [selection:MeasurementofTSFsoftware,None].
[selection:Integrityverificationvalue,Noadditionalinformation].
FPT_STM.1 None.
FPT_TST_EXT.1 Initiationofself-test.
[selection:Algorithmthatcausedthefailure,none]
Failureofself-test.
FPT_TST_EXT.2/PREKERNEL Start-upofTOE. Noadditionalinformation.
[selection:Detectedintegrityviolation,none]
[selection:TheTSFcodefilethatcausedtheintegrityviolation,Noadditionalinformation]
FPT_TUD_EXT.1 None.
FTA_SSL_EXT.1 None.
Table2:MandatoryAuditableEvents
Requirement AuditableEvents AdditionalAuditRecordContents
FAU_SAR.1 None.
FAU_SEL.1 Allmodificationstotheauditconfigurationthatoccurwhiletheauditcollectionfunctionsareoperating.
Noadditionalinformation.
FCS_CKM_EXT.7 None.
FCS_DTLS_EXT.1(TLSPackage)
Failureofthecertificatevaliditycheck.
IssuerNameandSubjectNameofcertificate.
FCS_HTTPS_EXT.1 Failureofthecertificatevaliditycheck.
IssuerNameandSubjectNameofcertificate.[selection:User’sauthorizationdecision,Noadditionalinformation].
FCS_RBG_EXT.1 Failureoftherandomizationprocess.
Noadditionalinformation.
FCS_RBG_EXT.2 None.
FCS_RBG_EXT.3 None.
FCS_SRV_EXT.2 None.
FCS_TLSC_EXT.1(TLSPackage)
Establishment/terminationofaTLSsession.
Non-TOEendpointofconnection.
FailuretoestablishaTLSsession.
Reasonforfailure.
Failuretoverifypresentedidentifier.
Presentedidentifierandreferenceidentifier.
FCS_TLSC_EXT.2(TLSPackage)
None.
FCS_TLSC_EXT.3(TLSPackage)
None.
FDP_ACF_EXT.1 None.
FDP_ACF_EXT.2 None.
FDP_ACF_EXT.3 None.
FDP_BCK_EXT.1 None.
FDP_PBA_EXT.1 None.
FDP_UPC_EXT.1/APPS Applicationinitiationoftrustedchannel.
Nameofapplication.Trustedchannelprotocol.Non-TOEendpointofconnection.
FDP_UPC_EXT.1/BLUETOOTH Applicationinitiationoftrustedchannel.
Nameofapplication.Trustedchannelprotocol.Non-TOEendpointofconnection.
FIA_AFL_EXT.1 Excessofauthenticationfailurelimit.
Authenticationfactorused.
FIA_BMG_EXT.1 None.
FIA_BMG_EXT.2 None.
FIA_BMG_EXT.3 None.
FIA_BMG_EXT.4 None.
FIA_BMG_EXT.5 None.
FIA_BMG_EXT.6 None.
FIA_UAU_EXT.2 Actionperformedbeforeauthentication.
Noadditionalinformation.
FIA_UAU.6 UserchangesPasswordAuthenticationFactor.
Noadditionalinformation.
FIA_UAU_EXT.4 None.
FIA_X509_EXT.2 Failuretoestablishconnectiontodeterminerevocationstatus.
Noadditionalinformation.
FIA_X509_EXT.3 None.
FIA_X509_EXT.4 GenerationofCertificateEnrollmentRequest.
IssuerandSubjectnameofESTServer.Methodofauthentication.IssuerandSubjectnameofcertificateusedtoauthenticate.ContentofCertificateRequestMessage.
Successorfailureofenrollment.
IssuerandSubjectnameofaddedcertificateorreasonforfailure.
UpdateofESTTrustAnchorDatabase
SubjectnameofaddedRootCA.
FIA_X509_EXT.5 None.
FMT_SMF_EXT.1 [selection:Initiationofpolicyupdate,none].
[selection:Policyname,none].
[selection:Changeofsettings,none]
[selection:Roleofuserthatchangedsetting,Valueofnewsetting,none].
[selection:Successorfailureoffunction,none]
[selection:Roleofuserthatperformedfunction,Functionperformed,Reasonforfailure,none].
Initiationofsoftwareupdate.
Versionofupdate.
Initiationofapplicationinstallationorupdate.
Nameandversionofapplication.
FMT_SMF_EXT.2 [selection:Unenrollment,Initiationofunenrollment,none]
[selection:IdentityofadministratorRemediationactionperformed,failureofacceptingcommandtounenroll,none]
FMT_SMF_EXT.3 None.
FPT_AEX_EXT.4 None.
FPT_AEX_EXT.5 None.
FPT_AEX_EXT.6 None.
FPT_AEX_EXT.7 None.
FPT_BBD_EXT.1 None.
FPT_BLT_EXT.1 None.
FPT_NOT_EXT.2 None.
FPT_TST_EXT.2/POSTKERNEL [selection:Detectedintegrityviolation,none]
[selection:TheTSFcodefilethatcausedtheintegrityviolation,Noadditionalinformation]
FPT_TST_EXT.3 None.
FPT_TUD_EXT.2 Successorfailureofsignatureverificationforsoftwareupdates.
Noadditionalinformation.
FPT_TUD_EXT.3 Successorfailureofsignatureverificationforapplications.
Noadditionalinformation.
FPT_TUD_EXT.4 None.
FPT_TUD_EXT.5 None.
FPT_TUD_EXT.6 None.
FTA_TAB.1 None.
FTP_ITC_EXT.1 Initiationandterminationoftrustedchannel.
Trustedchannelprotocol.Non-TOEendpointofconnection.
Table3:AdditionalAuditableEvents
ApplicationNote:AdministratoractionsaredefinedasfunctionslabeledasmandatoryforFMT_MOF_EXT.1.2(i.e.‘M-MM’inTable7).IftheTSFdoesnotsupportremovablemedia,number4isimplicitlymet.
TheTSFmustgenerateanauditrecordforalleventscontainedinTable2.GeneratingauditrecordsforeventsinTable3iscurrentlyobjective.ItisacceptabletoincludeindividualSFRsfromTable3intheST,withoutincludingtheentiretyofTable3.
Table2ApplicationNote:FPT_TST_EXT.1–Auditofself-testsisrequiredonlyatinitialstart-up.SincetheTOE"transitionstonon-operationalmode"uponfailureofaself-test,perFPT_NOT_EXT.1,thisisconsideredequivalentevidencetoanauditrecordforthefailureofaself-test.
FDP_DAR_EXT.1-"None"mustbeselected,iftheTOEutilizeswholevolumeencryptionforprotectedmemory,sinceitisnotfeasibletoauditwhentheencryption/decryptionfails.IftheTOEutilizesfile-basedencryptionforprotecteddataandauditswhenthisencryption/decryptionfails,thenthatauditableeventshallbeselected.
Table3ApplicationNote:IftheauditeventforFMT_SMF_EXT.1isincludedintheST,itisacceptablefortheinitiationofthesoftwareupdatetobeauditedwithoutindicatingtheoutcome(successorfailure)oftheupdate.
FAU_GEN.1.2TheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:
1. Dateandtimeoftheevent2. Typeofevent3. Subjectidentity4. Theoutcome(successorfailure)oftheevent5. AdditionalinformationinTable26. [selection:AdditionalinformationinTable3,noadditionalinformation]
ApplicationNote:Thesubjectidentityisusuallytheprocessname/ID.Theeventtypeisoftenindicatedbyaseveritylevel,forexample,‘info’,‘warning’,or‘error’.
If"noadditionalauditableevents"isselectedinthesecondselectionofFAU_GEN.1.1,then"noadditionalinformation"mustbeselected.
ForeachauditeventselectedfromTable3inFAU_GEN.1.1ifadditionalinformationisrequiredtoberecordedwithintheauditrecord,itshouldbeincludedinthisselection.
EvaluationActivities
FAU_GEN.1:TSSTheevaluatorshallchecktheTSSandensurethatitlistsalloftheauditableeventsandprovidesaformatforauditrecords.Eachauditrecordformattypemustbecovered,alongwithabriefdescriptionofeachfield.TheevaluatorshallchecktomakesurethateveryauditeventtypemandatedbythePPisdescribedandthatthedescriptionofthefieldscontainstheinformationrequiredinFAU_GEN.1.2.
GuidanceTheevaluatorshallalsomakeadeterminationoftheadministrativeactionsthatarerelevantinthecontextofthisPPincludingthoselistedintheManagementsection.Theevaluatorshallexaminetheadministrativeguideandmakeadeterminationofwhichadministrativecommandsarerelatedtotheconfiguration(includingenablingordisabling)ofthemechanismsimplementedintheTOEthatarenecessarytoenforcetherequirementsspecifiedinthePP.TheevaluatorshalldocumentthemethodologyorapproachtakenwhiledeterminingwhichactionsintheadministrativeguidearesecurityrelevantwithrespecttothisPP.TheevaluatormayperformthisactivityaspartoftheactivitiesassociatedwithensuringtheAGD_OPEguidancesatisfiestherequirements.
TestsTheevaluatorshalltesttheTOE’sabilitytocorrectlygenerateauditrecordsbyhavingtheTOEgenerateauditrecordsfortheeventslistedintheprovidedtableandadministrativeactions.Thisshouldincludeallinstancesofanevent.TheevaluatorshalltestthatauditrecordsaregeneratedfortheestablishmentandterminationofachannelforeachofthecryptographicprotocolscontainedintheST.Foradministrativeactions,theevaluatorshalltestthateachactiondeterminedbytheevaluatorabovetobesecurityrelevantinthecontextofthisPPisauditable.Whenverifyingthetestresults,theevaluatorshallensuretheauditrecordsgeneratedduringtestingmatchtheformatspecifiedintheadministrativeguide,andthatthefieldsspecifiedinFAU_GEN.1.2arecontainedineachauditrecord.
Notethatthetestingherecanbeaccomplishedinconjunctionwiththetestingofthesecuritymechanismsdirectly.Forexample,testingperformedtoensurethattheadministrativeguidanceprovidediscorrectverifiesthatAGD_OPE.1issatisfiedandshouldaddresstheinvocationoftheadministrativeactionsthatareneededtoverifytheauditrecordsaregeneratedasexpected.
FAU_STG.1AuditStorageProtectionFAU_STG.1.1
TheTSFshallprotectthestoredauditrecordsintheaudittrailfromunauthorizeddeletion.
FAU_STG.1.2TheTSFshallbeabletopreventunauthorizedmodificationstothestoredauditrecordsintheaudittrail.
EvaluationActivities
FAU_STG.1:TSSTheevaluatorshallensurethattheTSSliststhelocationofalllogsandtheaccesscontrolsofthosefilessuchthatunauthorizedmodificationanddeletionareprevented.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
Tests
Test1:Theevaluatorshallattempttodeletetheaudittrailinamannerthattheaccesscontrolsshouldprevent(asanunauthorizeduser)andshallverifythattheattemptfails.Test2:Theevaluatorshallattempttomodifytheaudittrailinamannerthattheaccesscontrolsshouldprevent(asanunauthorizedapplication)andshallverifythattheattemptfails.
FAU_STG.4PreventionofAuditDataLossFAU_STG.4.1
TheTSFshalloverwritetheoldeststoredauditrecordsiftheaudittrailisfull.
EvaluationActivities
FAU_STG.4:TSSTheevaluatorshallexaminetheTSStoensurethatitdescribesthesizelimitsontheauditrecords,thedetectionofafullaudittrail,andtheaction(s)takenbytheTSFwhentheaudittrailisfull.Theevaluatorshallensurethattheaction(s)resultsinthedeletionoroverwriteoftheoldeststoredrecord.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
5.1.2Class:CryptographicSupport(FCS)Thissectiondescribeshowkeysaregenerated,derived,combined,releasedanddestroyed.Therearetwomajortypesofkeys:DEKsandKEKs.(AREKisconsideredaKEK.)DEKsareusedtoprotectdata(asintheDARprotectiondescribedinFDP_DAR_EXT.1andFDP_DAR_EXT.2).KEKsareusedtoprotectotherkeys–DEKs,otherKEKs,andothertypesofkeysstoredbytheuserorapplications.Thefollowingdiagramshowsanexamplekeyhierarchytoillustratetheconceptsofthisprofile.Thisexampleisnotmeantasanapproveddesign,butSTauthorswillbeexpectedtoprovideadiagramillustratingtheirkeyhierarchyinordertodemonstratethattheymeettherequirementsofthisprofile.PleasenoteifaBAFisselectedinFIA_UAU.5.1,theBAFshallbeillustratedinthekeyhierarchydiagram,toincludeadescriptionofwhenandhowtheBAFisusedtoreleasekeys.If"hybrid"isselectedinFIA_UAU.5.1,meaningthataPINorpasswordmustbeusedinconjunctionwiththeBAFthisinteractionshallbeincluded.
Figure3:AnIllustrativeKeyHierarchy
FCS_CKM.1CryptographicKeyGenerationFCS_CKM.1.1
TheTSFshallgenerateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithm[selection:
RSAschemesusingcryptographickeysizesof2048-bitorgreaterthatmeetFIPSPUB186-4,"DigitalSignatureStandard(DSS)",Appendix
B.3,ECCschemesusing[selection:
"NISTcurves"P-384and[selection:P-256,P-521,noothercurves]thatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",AppendixB.4,Curve25519schemesthatmeetthefollowing:RFC7748
],FFCschemesusing[selection:
cryptographickeysizesof2048-bitorgreaterthatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",AppendixB.1,Diffie-Hellmangroup14thatmeetthefollowing:RFC3526,"safe-prime"groupsthatmeetthefollowing:'NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography"'
]].
ApplicationNote:TheSTauthormustselectallkeygenerationschemesusedforkeyestablishmentandentityauthentication.Whenkeygenerationisusedforkeyestablishment,theschemesinFCS_CKM.2/UNLOCKEDandselectedcryptographicprotocolsmustmatchtheselection.Whenkeygenerationisusedforentityauthentication,thepublickeymaybeassociatedwithanX.509v3certificate.
IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.
Curve25519canonlybeusedforECDHandinconjunctionwithFDP_DAR_EXT.2.2.
EvaluationActivities
FCS_CKM.1:TSSTheevaluatorshallensurethattheTSSidentifiesthekeysizessupportedbytheTOE.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.
GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeygenerationscheme(s)andkeysize(s)forallusesdefinedinthisPP.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
KeyGenerationforFIPSPUB186-4RSASchemes
TheevaluatorshallverifytheimplementationofRSAKeyGenerationbytheTOEusingtheKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthekeycomponentsincludingthepublicverificationexponente,theprivateprimefactorspandq,thepublicmodulusnandthecalculationoftheprivatesignatureexponentd.
KeyPairgenerationspecifies5ways(ormethods)togeneratetheprimespandq.Theseinclude:
1. RandomPrimes:ProvableprimesProbableprimes
2. PrimeswithConditions:Primesp1,p2,q1,q2,pandqshallallbeprovableprimesPrimesp1,p2,q1,andq2shallbeprovableprimesandpandqshallbeprobableprimesPrimesp1,p2,q1,q2,pandqshallallbeprobableprimes
TotestthekeygenerationmethodfortheRandomProvableprimesmethodandforallthePrimeswithConditionsmethods,theevaluatormustseedtheTSFkeygenerationroutinewithsufficientdatatodeterministicallygeneratetheRSAkeypair.Thisincludestherandomseed(s),
thepublicexponentoftheRSAkey,andthedesiredkeylength.Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25keypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.
Ifpossible,theRandomProbableprimesmethodshouldalsobeverifiedagainstaknowngoodimplementationasdescribedabove.Otherwise,theevaluatorshallhavetheTSFgenerate10keyspairsforeachsupportedkeylengthnlenandverify:
n=p*qpandqareprobablyprimeaccordingtoMiller-RabintestsGCD(p-1,e)=1GCD(q-1,e)=12^16<e<2^256andeisanoddinteger|p-q|>2^(nlen/2–100)p>=squareroot(2)*(2^(nlen/2-1))q>=squareroot(2)*(2^(nlen/2-1))2^(nlen/2)<d<LCM(p-1,q-1)e*d=1modLCM(p-1,q-1)
KeyGenerationforFIPS186-4EllipticCurveCryptography(ECC)FIPS186-4ECCKeyGenerationTest
ForeachsupportedNISTcurve,i.e.P-256,P-384andP-521,theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.Theprivatekeyshallbegeneratedusinganapprovedrandombitgenerator(RBG).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.
FIPS186-4PublicKeyVerification(PKV)Test
ForeachsupportedNISTcurve,i.e.P-256,P-384andP-521,theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodifyfiveofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.
KeyGenerationforCurve25519Theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.TheprivatekeyshallbegeneratedasspecifiedinRFC7748usinganapprovedrandombitgenerator(RBG)andshallbewritteninlittle-endianorder(leastsignificantbytefirst).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.
Note:AssumingthePKVfunctionofthegoodimplementationwill(usinglittle-endianorder):
a. confirmtheprivateandpublickeysare32-bytevaluesb. confirmthethreeleastsignificantbitsofthefirstbyteoftheprivatekeyarezeroc. confirmthemostsignificantbitofthelastbyteiszerod. confirmthesecondmostsignificantbitofthelastbyteisonee. calculatetheexpectedpublickeyfromtheprivatekeyandconfirmitmatchesthesupplied
publickey
Theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodify5ofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.
KeyGenerationforFinite-FieldCryptography(FFC)TheevaluatorshallverifytheimplementationoftheParametersGenerationandtheKeyGenerationforFFCbytheTOEusingtheParameterGenerationandKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthefieldprimep,thecryptographicprimeq(dividingp-1),thecryptographicgroupgeneratorg,andthecalculationoftheprivatekeyxandpublickeyy.TheParametergenerationspecifies2ways(ormethods)togeneratethecryptographicprimeqandthefieldprimep:
CryptographicandFieldPrimes:
PrimesqandpshallbothbeprovableprimesPrimesqandfieldprimepshallbothbeprobableprimes
andtwowaystogeneratethecryptographicgroupgeneratorg:
CryptographicGroupGenerator:
GeneratorgconstructedthroughaverifiableprocessGeneratorgconstructedthroughanunverifiableprocess
TheKeygenerationspecifies2waystogeneratetheprivatekeyx:
PrivateKey:
len(q)bitoutputofRBGwhere1<=x<=q-1len(q)+64bitoutputofRBG,followedbyamodq-1operationwhere1<=x<=q-1
ThesecuritystrengthoftheRBGmustbeatleastthatofthesecurityofferedbytheFFCparameterset.
Totestthecryptographicandfieldprimegenerationmethodfortheprovableprimesmethodand/orthegroupgeneratorgforaverifiableprocess,theevaluatormustseedtheTSFparametergenerationroutinewithsufficientdatatodeterministicallygeneratetheparameterset.
Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25parametersetsandkeypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.Verificationmustalsoconfirm
g!=0,1qdividesp-1g^qmodp=1g^xmodp=y
foreachFFCparametersetandkeypair.Diffie-HellmanGroup14andFFCSchemesusing"safe-prime"groupsTestingforFFCSchemesusingDiffie-Hellmangroup14and/or"safe-prime"groupsisdoneaspartoftestinginFCS_CKM.2/UNLOCKED.
FCS_CKM.2/UNLOCKEDCryptographicKeyEstablishmentFCS_CKM.2.1/UNLOCKED
TheTSFshallperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod[selection:
RSA-basedkeyestablishmentschemesthatmeetthefollowing[selection:
NISTSpecialPublication800-56B,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingIntegerFactorizationCryptography”,RSAES-PKCS1-v1_5asspecifiedinSection7.2ofRFC8017,"Public-KeyCryptographyStandards(PKCS)#1:RSACryptographySpecificationsVersion2.2"
],Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography",Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography",KeyestablishmentschemesusingDiffie-Hellmangroup14thatmeetsthefollowing:RFC3526
].
ApplicationNote:TheSTauthormustselectallkeyestablishmentschemesusedfortheselectedcryptographicprotocolsandanyRSA-basedkeyestablishmentschemesthatmaybeusedtosatisfyFDP_DARorFCS_STG.Also,FCS_TLSC_EXT.1requiresciphersuitesthatuseRSA-basedkeyestablishmentschemes.
TheRSA-basedkeyestablishmentschemesaredescribedinSection9ofNISTSP800-56B;however,Section9reliesonimplementationofothersectionsinSP800-56B.IftheTOEonlyactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.
TheellipticcurvesusedforthekeyestablishmentschememustcorrelatewiththecurvesspecifiedinFCS_CKM.1.1.
Thedomainparametersusedforthefinitefield-basedkeyestablishmentschemearespecifiedbythekeygenerationaccordingtoFCS_CKM.1.1.Thefinitefield-basedkeyestablishmentschemesthatconformtoNISTSP800-56ARevision3correspondtothe"safe-prime"groupsselectioninFCS_CKM.1.1.
EvaluationActivities
FCS_CKM.2/UNLOCKED:TSSTheevaluatorshallensurethatthesupportedkeyestablishmentschemescorrespondtothekeygenerationschemesidentifiedinFCS_CKM.1.1.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.
IfDiffie-Hellmangroup14isselectedfromFCS_CKM.2/UNLOCKED,theTSSshalldescribehowtheimplementationmeetsRFC3526Section3.
GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeyestablishmentscheme(s).
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
TheevaluatorshallverifytheimplementationofthekeyestablishmentschemessupportedbytheTOEusingtheapplicabletestsbelow.
SP800-56ARevision3KeyEstablishmentSchemesTheevaluatorshallverifyaTOE'simplementationofSP800-56ARevision3keyaestablishmentschemesusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecificationsintheRecommendation.ThesecomponentsincludethecalculationoftheDLCprimitives(thesharedsecretvalueZ)andthecalculationofthederivedkeyingmaterial(DKM)viatheKeyDerivationFunction(KDF).Ifkeyconfirmationissupported,theevaluatorshallalsoverifythatthecomponentsofkeyconfirmationhavebeenimplementedcorrectly,usingthetestproceduresdescribedbelow.ThisincludestheparsingoftheDKM,thegenerationofMACdataandthecalculationofMACtag.
FunctionTest
TheFunctiontestverifiestheabilityoftheTOEtoimplementthekeyagreementschemescorrectly.ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementscheme-keyagreementrolecombination,KDFtype,and,ifsupported,keyconfirmationrole-keyconfirmationtypecombination,thetestershallgenerate10setsoftestvectors.Thedatasetconsistsofonesetofdomainparametervalues(FFC)ortheNISTapprovedcurve(ECC)per10setsofpublickeys.Thesekeysarestatic,ephemeralorbothdependingontheschemebeingtested.
TheevaluatorshallobtaintheDKM,thecorrespondingTOE’spublickeys(staticand/orephemeral),theMACtag(s),andanyinputsusedintheKDF,suchastheOtherInformationfieldOIandTOEidfields.
IftheTOEdoesnotuseaKDFdefinedinSP800-56ARevision3,theevaluatorshallobtainonlythepublickeysandthehashedvalueofthesharedsecret.
TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalue,derivethekeyingmaterialDKM,andcomparehashesorMACtagsgeneratedfromthesevalues.
Ifkeyconfirmationissupported,theTSFshallperformtheaboveforeachimplementedapprovedMACalgorithm.
ValidityTest
TheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresultswithorwithoutkeyconfirmation.Toconductthistest,theevaluatorshallobtainalistofthesupportingcryptographicfunctionsincludedintheSP800-56ARevision3keyagreementimplementationtodeterminewhicherrorstheTOEshouldbeabletorecognize.Theevaluatorgeneratesasetof24(FFC)or30(ECC)testvectorsconsistingofdatasetsincludingdomainparametervaluesorNISTapprovedcurves,theevaluator’spublickeys,theTOE’spublic/privatekeypairs,MACTag,andanyinputsusedintheKDF,suchastheotherinfoandTOEidfields.
TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueZ,theDKM,theotherinformationfieldOI,thedatatobeMACed,orthegeneratedMACTag.IftheTOEcontainsthefullorpartial(onlyECC)publickeyvalidation,theevaluator
willalsoindividuallyinjecterrorsinbothparties’staticpublickeys,bothparties’ephemeralpublickeysandtheTOE’sstaticprivatekeytoassuretheTOEdetectserrorsinthepublickeyvalidationfunctionand/orthepartialkeyvalidationfunction(inECConly).Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).
TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.
SP800-56BKeyEstablishmentSchemesTheevaluatorshallverifythattheTSSdescribeswhethertheTOEactsasasender,arecipient,orbothforRSA-basedkeyestablishmentschemes.
IftheTOEactsasasender,thefollowingevaluationactivityshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withorwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSApublickey,theplaintextkeyingmaterial,anyadditionalinputparametersifapplicable,theMacKeyandMacTagifkeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformakeyestablishmentencryptionoperationontheTOEwiththesameinputs(incaseswherekeyconfirmationisincorporated,thetestshallusetheMacKeyfromthetestvectorinsteadoftherandomlygeneratedMacKeyusedinnormaloperation)andensurethattheoutputtedciphertextisequivalenttotheciphertextinthetestvector.
IftheTOEactsasareceiver,thefollowingevaluationactivitiesshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsFCS_CKM.2.1/LOCKEDfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withourwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSAprivatekey,theplaintextkeyingmaterial(KeyData),anyadditionalinputparametersifapplicable,theMacTagincaseswherekeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformthekeyestablishmentdecryptionoperationontheTOEandensurethattheoutputtedplaintextkeyingmaterial(KeyData)isequivalenttotheplaintextkeyingmaterialinthetestvector.Incaseswherekeyconfirmationisincorporated,theevaluatorshallperformthekeyconfirmationstepsandensurethattheoutputtedMacTagisequivalenttotheMacTaginthetestvector.
TheevaluatorshallensurethattheTSSdescribeshowtheTOEhandlesdecryptionerrors.InaccordancewithNISTSpecialPublication800-56B,theTOEmustnotrevealtheparticularerrorthatoccurred,eitherthroughthecontentsofanyoutputtedorloggederrormessageorthroughtimingvariations.IfKTS-OAEPissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.2.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.IfKTS-KEMKWSissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.3.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.
RSAES-PKCS1-v1_5KeyEstablishmentSchemesTheevaluatorshallverifythecorrectnessoftheTSF'simplementationofRSAES-PKCS1-v1_5byusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatusesRSAES-PKCS1-v1_5.
Diffie-HellmanGroup14TheevaluatorshallverifythecorrectnessoftheTSF'simplementationofDiffie-Hellmangroup14byusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatusesDiffie-HellmanGroup14.
FFCSchemesusing"safe-prime"groupsTheevaluatorshallverifythecorrectnessoftheTSF'simplementationof"safe-prime"groupsbyusingaknowngoodimplementationforeachprotocolselectedinFTP_ITC_EXT.1thatuses"safe-prime"groups.Thistestmustbeperformedforeach"safe-prime"groupthateachprotocoluses.
FCS_CKM.2/LOCKEDCryptographicKeyEstablishmentFCS_CKM.2.1/LOCKED
TheTSFshallperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod:[selection:
RSA-basedkeyestablishmentschemesthatmeetthefollowing:NISTSpecialPublication800-56B,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingIntegerFactorizationCryptography”,Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:[selection:
NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography",RFC7748,"EllipticCurvesforSecurity"
],Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56ARevision3,"RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography"
]forthepurposesofencryptingsensitivedatareceivedwhilethedeviceislocked.
ApplicationNote:TheRSA-basedkeyestablishmentschemesaredescribedinSection9ofNISTSP800-56B;however,Section9reliesonimplementationofothersectionsinSP800-56B.IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.
TheellipticcurvesusedforthekeyestablishmentschememustcorrelatewiththecurvesspecifiedinFCS_CKM.1.1.
Thedomainparametersusedforthefinitefield-basedkeyestablishmentschemearespecifiedbythekeygenerationaccordingtoFCS_CKM.1.1.
EvaluationActivities
FCS_CKM.2/LOCKED:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsThetestforSP800-56ARevision3andSP800-56BkeyestablishmentschemesisperformedinassociationwithFCS_CKM.2/UNLOCKED.
Curve25519KeyEstablishmentSchemes
TheevaluatorshallverifyaTOE'simplementationofthekeyagreementschemeusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecification.ThesecomponentsincludethecalculationofthesharedsecretKandthehashofK.
FunctionTest
TheFunctiontestverifiestheabilityoftheTOEtoimplementthekeyagreementschemescorrectly.ToconductthistesttheevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementroleandhashfunctioncombination,thetestershallgenerate10setsofpublickeys.Thesekeysarestatic,ephemeralorbothdependingontheschemebeingtested.
TheevaluatorshallobtainthesharedsecretvalueK,andthehashofK.
TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalueKandcomparethehashgeneratedfromthisvalue.
ValidityTest
TheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresults.Toconductthistest,theevaluatorgeneratesasetof30testvectorsconsistingofdatasetsincludingtheevaluator’spublickeysandtheTOE’spublic/privatekey
pairs.
TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueKorthehashofK.Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).
TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.
FCS_CKM_EXT.1CryptographicKeySupportFCS_CKM_EXT.1.1
TheTSFshallsupport[selection:immutablehardware,mutablehardware]REK(s)witha[selection:symmetric,asymmetric]keyofstrength[selection:112bits,128bits,192bits,256bits].
FCS_CKM_EXT.1.2EachREKshallbehardware-isolatedfromtheOSontheTSFinruntime.
FCS_CKM_EXT.1.3EachREKshallbegeneratedbyaRBGinaccordancewithFCS_RBG_EXT.1.
ApplicationNote:Eitherasymmetricorsymmetrickeysareallowed;theSTauthormakestheselectionappropriateforthedevice.Symmetrickeysmustbeofsize128or256bitsinordertocorrespondwithFCS_COP.1/ENCRYPT.AsymmetrickeysmaybeofanystrengthcorrespondingtoFCS_CKM.1.
Therawkeymaterialof"immutablehardware"REK(s)iscomputationallyprocessedbyhardwareandsoftwarecannotaccesstherawkeymaterial.Thusif"immutable-hardware"isselectedinFCS_CKM_EXT.1.1itimplicitlymeetsFCS_CKM_EXT.7.If"mutable-hardware"isselectedinFCS_CKM_EXT.1.1,FCS_CKM_EXT.7mustbeincludedintheST.
Thelackofapublic/documentedAPIforimportingorexportingtheREK,whenaprivate/undocumentedAPIexists,isnotsufficienttomeetthisrequirement.
TheRBGusedtogenerateaREKmaybeaRBGnativetothehardwarekeycontainerormaybeanoff-deviceRBG.Ifperformedbyanoff-deviceRBG,thedevicemanufacturermustnotbeabletoaccessaREKafterthemanufacturingprocesshasbeencompleted.TheEvaluationActivitiesforthesetwocasesdiffer.
EvaluationActivities
FCS_CKM_EXT.1:TSSTheevaluatorshallreviewtheTSStodeterminethataREKissupportedbytheTOE,thattheTSSincludesadescriptionoftheprotectionprovidedbytheTOEforaREK,andthattheTSSincludesadescriptionofthemethodofgenerationofaREK.
TheevaluatorshallverifythatthedescriptionoftheprotectionofaREKdescribeshowanyreading,import,andexportofthatREKisprevented.(Forexample,ifthehardwareprotectingtheREKisremovable,thedescriptionshouldincludehowotherdevicesarepreventedfromreadingtheREK.)TheevaluatorshallverifythattheTSSdescribeshowencryption/decryption/derivationactionsareisolatedsoastopreventapplicationsandsystem-levelprocessesfromreadingtheREKwhileallowingencryption/decryption/derivationbythekey.
TheevaluatorshallverifythatthedescriptionincludeshowtheOSispreventedfromaccessingthememorycontainingREKkeymaterial,whichsoftwareisallowedaccesstotheREK,howanyothersoftwareintheexecutionenvironmentispreventedfromreadingthatkeymaterial,andwhatothermechanismspreventtheREKkeymaterialfrombeingwrittentosharedmemorylocationsbetweentheOSandtheseparateexecutionenvironment.
IfkeyderivationisperformedusingaREK,theevaluatorshallensurethattheTSSdescriptionincludesadescriptionofthekeyderivationfunctionandshallverifythekeyderivationusesanapprovedderivationmodeandkeyexpansionalgorithmaccordingtoFCS_CKM_EXT.3.2.
TheevaluatorshallverifythatthegenerationofaREKmeetstheFCS_RBG_EXT.1.1andFCS_RBG_EXT.1.2requirements:
IfREK(s)is/aregeneratedon-device,theTSSshallincludeadescriptionofthegenerationmechanismincludingwhattriggersageneration,howthefunctionalitydescribedbyFCS_RBG_EXT.1isinvoked,andwhetheraseparateinstanceoftheRBGisusedforREK(s).
IfREK(s)is/aregeneratedoff-device,theTSSshallincludeevidencethattheRBGmeetsFCS_RBG_EXT.1.ThiswilllikelynecessitateasecondsetofRBGdocumentationequivalenttothedocumentationprovidedfortheRBGEvaluationActivities.Inaddition,theTSSshalldescribethemanufacturingprocessthatpreventsthedevicemanufacturerfromaccessinganyREK(s).
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FCS_CKM_EXT.2CryptographicKeyRandomGenerationFCS_CKM_EXT.2.1
AllDEKsshallbe[selection:randomlygenerated,fromthecombinationofarandomlygeneratedDEKwithanotherDEKorsaltinawaythatpreservestheeffectiveentropyofeachfactorby[selection:usinganXORoperation,concatenatingthekeysandusingaKDF(asdescribedinSP800-108),concatenatingthekeysandusingaKDF(asdescribedinSP800-56C)]
]withentropycorrespondingtothesecuritystrengthofAESkeysizesof[selection:128,256]bits.
ApplicationNote:TheintentofthisrequirementistoensurethattheDEKcannotberecoveredwithlessworkthanafullexhaustofthekeyspaceforAES.ThekeygenerationcapabilityoftheTOEusesaRBGimplementedontheTOEdevice(FCS_RBG_EXT.1).Either128-bitor256-bit(orboth)areallowed;theSTauthormakestheselectionappropriateforthedevice.ADEKisusedinadditiontotheKEKsothatauthenticationfactorscanbechangedwithouthavingtore-encryptalloftheuserdataonthedevice.
TheSTauthorselectsallapplicableDEKgenerationtypesimplementedbytheTOE.
SP800-56Cspecifiesatwo-stepkeyderivationprocedurethatemploysanextraction-then-expansiontechniqueforderivingkeyingmaterialfromasharedsecretgeneratedduringakeyestablishmentscheme.TheRandomnessExtractionstepasdescribedinSection5ofSP800-56CisfollowedbyKeyExpansionusingthekeyderivationfunctionsdefinedinSP800-108(asdescribedinSection6ofSP800-56C).
EvaluationActivities
FCS_CKM_EXT.2:TSSTheevaluatorshallensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.
TheevaluatorshallalsoexaminethekeyhierarchysectionoftheTSStoensurethattheformationofallDEKsisdescribedandthatthekeysizesmatchthatdescribedbytheSTauthor.TheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethateachDEKisgeneratedorcombinedfromkeysofequalorgreatersecuritystrengthusingoneoftheselectedmethods.
IfthesymmetricDEKisgeneratedbyanRBG,theevaluatorshallreviewtheTSStodeterminethatitdescribeshowthefunctionalitydescribedbyFCS_RBG_EXT.1isinvoked.TheevaluatorusesthedescriptionoftheRBGfunctionalityinFCS_RBG_EXT.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeysizebeingrequestedisgreaterthanorequaltothekeysizeandmodetobeusedfortheencryption/decryptionofthedata.IftheDEKisformedfromacombination,theevaluatorshallverifythattheTSSdescribesthemethodofcombinationandthatthismethodiseitheranXORoraKDFtojustifythattheeffectiveentropyofeachfactorispreserved.TheevaluatorshallalsoverifythateachcombinedvaluewasoriginallygeneratedfromanApprovedDRBGdescribedinFCS_RBG_EXT.1.If“concatenatingthekeysandusingaKDF(asdescribedin(SP800-56C)”isselected,theevaluatorshallensuretheTSSincludesadescriptionoftherandomnessextractionstep.
ThedescriptionmustincludehowanapproveduntruncatedMACfunctionisbeingusedforthe
randomnessextractionstepandtheevaluatormustverifytheTSSdescribesthattheoutputlength(inbits)oftheMACfunctionisatleastaslargeasthetargetedsecuritystrength(inbits)oftheparametersetemployedbythekeyestablishmentscheme(seeTables1-3ofSP800-56C).
ThedescriptionmustincludehowtheMACfunctionbeingusedfortherandomnessextractionstepisrelatedtothePRFusedinthekeyexpansionandverifytheTSSdescriptionincludesthecorrectMACfunction:
IfanHMAC-hashisusedintherandomnessextractionstep,thenthesameHMAC-hash(withthesamehashfunctionhash)isusedasthePRFinthekeyexpansionstep.IfanAES-CMAC(withkeylength128,192,or256bits)isusedintherandomnessextractionstep,thenAES-CMACwitha128-bitkeyisusedasthePRFinthekeyexpansionstep.ThedescriptionmustincludethelengthsofthesaltvaluesbeingusedintherandomnessextractionstepandtheevaluatorshallverifytheTSSdescriptionincludescorrectsaltlengths:IfanHMAC-hashisbeingusedastheMAC,thesaltlengthcanbeanyvalueuptothemaximumbitlengthpermittedforinputtothehashfunctionhash.IfanAES-CMACisbeingusedastheMAC,thesaltlengthshallbethesamelengthastheAESkey(i.e.128,192,or256bits).
(conditional)IfaKDFisused,theevaluatorshallensurethattheTSSincludesadescriptionofthekeyderivationfunctionandshallverifythekeyderivationusesanapprovedderivationmodeandkeyexpansionalgorithmaccordingtoSP800-108orSP800-56C.
GuidanceTheevaluatorusesthedescriptionoftheRBGfunctionalityinFCS_RBG_EXT.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeysizebeinggeneratedorcombinedisidenticaltothekeysizeandmodetobeusedfortheencryption/decryptionofthedata.
TestsIfaKDFisused,theevaluatorshallperformoneormoreofthefollowingteststoverifythecorrectnessofthekeyderivationfunction,dependingonthemode(s)thataresupported.Table4mapsthedatafieldstothenotationsusedinSP800-108andSP800-56C.
Table4:NotationsusedinSP800-108andSP800-56C
DataFields Notations
SP800-108 SP800-56C
Pseudorandomfunction PRF PRF
Counterlength r r
LengthofoutputofPRF h h
Lengthofderivedkeyingmaterial L L
Lengthofinputvalues llength llength
PseudorandominputvaluesI K1(keyderivationkey) Z(sharedsecret)
Pseudorandomsaltvalues n/a s
RandomnessextractionMAC n/a MAC
CounterModeTests:
Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.
Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueof
stringinputaftercounter.Thelength(I_length)oftheinputvaluesI.
ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation,valueofr,andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.
Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
FeedbackModeTests:
Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotzero-lengthIVsaresupported.Whetherornotacounterisused,andifso:
Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.
Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueofstringinputaftercounter.
Thelength(I_length)oftheinputvaluesI.ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesIandpseudorandomsaltvalues.IftheKDFsupportszero-lengthIVs,fiveofthesetestvectorswillbeaccompaniedbypseudorandomIVsandtheotherfivewillusezero-lengthIVs.Ifzero-lengthIVsarenotsupported,eachtestvectorwillbeaccompaniedbyanpseudorandomIV.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.
Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
DoublePipelineIterationModeTests:
Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotacounterisused,andifso:
Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.
Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueofstringinputaftercounter.
Thelength(I_length)oftheinputvaluesI.ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.
Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
FCS_CKM_EXT.3CryptographicKeyGenerationFCS_CKM_EXT.3.1
TheTSFshalluse[selection:asymmetricKEKsof[assignment:securitystrengthgreaterthanorequalto112bits]securitystrength,symmetricKEKsof[selection:128-bit,256-bit]securitystrengthcorrespondingtoatleastthesecuritystrengthofthekeysencryptedbytheKEK
].
ApplicationNote:TheSTauthorselectsallapplicableKEKtypesimplementedbytheTOE.
FCS_CKM_EXT.3.2TheTSFshallgenerateallKEKsusingoneofthefollowingmethods:
DerivetheKEKfromaPasswordAuthenticationFactoraccordingtoFCS_COP.1.1/CONDITIONand
[selection:GeneratetheKEKusinganRBGthatmeetsthisprofile(asspecifiedinFCS_RBG_EXT.1),GeneratetheKEKusingakeygenerationschemethatmeetsthisprofile(asspecifiedinFCS_CKM.1),CombinetheKEKfromotherKEKsinawaythatpreservestheeffectiveentropyofeachfactorby[selection:usinganXORoperation,concatenatingthekeysandusingaKDF(asdescribedinSP800-108),concatenatingthekeysandusingaKDF(asdescribedinSP800-56C),encryptingonekeywithanother]
].
ApplicationNote:TheconditioningofpasswordsisperformedinaccordancewithFCS_COP.1/CONDITION.
Itisexpectedthatkeygenerationderivedfromconditioning,usinganRBGorgenerationscheme,andthroughcombination,willeachbenecessarytomeettherequirementssetoutinthisdocument.Inparticular,Figure3hasKEKsofeachtype:KEK_3isgenerated,KEK_1isderivedfromaPasswordAuthenticationFactor,andKEK_2iscombinedfromtwoKEKs.InFigure3,KEK_3mayeitherbeasymmetrickeygeneratedfromanRBGoranasymmetrickeygeneratedusingakeygenerationschemeaccordingtoFCS_CKM.1.
Ifcombined,theSTauthorshalldescribewhichmethodofcombinationisusedinordertojustifythattheeffectiveentropyofeachfactorispreserved.
SP800-56Cspecifiesatwo-stepkeyderivationprocedurethatemploysanextraction-then-expansiontechniqueforderivingkeyingmaterialfromasharedsecretgeneratedduringakeyestablishmentscheme.TheRandomnessExtractionstepasdescribedinSection5ofSP800-56CisfollowedbyKeyExpansionusingthekeyderivationfunctionsdefinedinSP800-108(asdescribedinSection6ofSP800-56C).
EvaluationActivities
FCS_CKM_EXT.3:TSSTheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethattheformationofallKEKsaredescribedandthatthekeysizesmatchthatdescribedbytheSTauthor.TheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethateachkey(DEKs,software-basedkeystorage,andKEKs)isencryptedbykeysofequalorgreatersecuritystrengthusingoneoftheselectedmethods.
TheevaluatorshallreviewtheTSStoverifythatitcontainsadescriptionoftheconditioningusedtoderiveKEKs.Thisdescriptionmustincludethesizeandstoragelocationofsalts.ThisactivitymaybeperformedincombinationwiththatforFCS_COP.1/CONDITION.
(conditional)IfthesymmetricKEKisgeneratedbyanRBG,theevaluatorshallreviewtheTSStodeterminethatitdescribeshowthefunctionalitydescribedbyFCS_RBG_EXT.1isinvoked.TheevaluatorusesthedescriptionoftheRBGfunctionalityinFCS_RBG_EXT.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeysizebeingrequestedisgreaterthanorequaltothekeysizeandmodetobeusedfortheencryption/decryptionofthedata.
(conditional)IftheKEKisgeneratedaccordingtoanasymmetrickeyscheme,theevaluatorshallreviewtheTSStodeterminethatitdescribeshowthefunctionalitydescribedbyFCS_CKM.1isinvoked.TheevaluatorusesthedescriptionofthekeygenerationfunctionalityinFCS_CKM.1ordocumentationavailablefortheoperationalenvironmenttodeterminethatthekeystrengthbeingrequestedisgreaterthanorequalto112bits.
(conditional)IftheKEKisformedfromacombination,theevaluatorshallverifythattheTSSdescribesthemethodofcombinationandthatthismethodiseitheranXOR,aKDF,orencryption.
(conditional)IfaKDFisused,theevaluatorshallensurethattheTSSincludesadescriptionofthekeyderivationfunctionandshallverifythekeyderivationusesanapprovedderivationmodeandkeyexpansionalgorithmaccordingtoSP800-108.
(conditional)If"concatenatingthekeysandusingaKDF(asdescribedin(SP800-56C)"isselected,theevaluatorshallensuretheTSSincludesadescriptionoftherandomnessextractionstep.Thedescriptionmustinclude
HowanapproveduntruncatedMACfunctionisbeingusedfortherandomnessextractionstepandtheevaluatormustverifytheTSSdescribesthattheoutputlength(inbits)oftheMACfunctionisatleastaslargeasthetargetedsecuritystrength(inbits)oftheparametersetemployedbythekeyestablishmentscheme(seeTables1-3ofSP800-56C).HowtheMACfunctionbeingusedfortherandomnessextractionstepisrelatedtothePRFusedinthekeyexpansionandverifytheTSSdescriptionincludesthecorrectMACfunction:
IfanHMAC-hashisusedintherandomnessextractionstep,thenthesameHMAC-hash(withthesamehashfunctionhash)isusedasthePRFinthekeyexpansionstep.IfanAES-CMAC(withkeylength128,192,or256bits)isusedintherandomnessextractionstep,thenAES-CMACwitha128-bitkeyisusedasthePRFinthekeyexpansionstep.
ThelengthsofthesaltvaluesbeingusedintherandomnessextractionstepandtheevaluatorshallverifytheTSSdescriptionincludescorrectsaltlengths:
IfanHMAC-hashisbeingusedastheMAC,thesaltlengthcanbeanyvalueuptothemaximumbitlengthpermittedforinputtothehashfunctionhash.IfanAES-CMACisbeingusedastheMAC,thesaltlengthshallbethesamelengthastheAESkey(i.e.128,192,or256bits).
Theevaluatorshallalsoensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsIfaKDFisused,theevaluatorshallperformoneormoreofthefollowingteststoverifythecorrectnessofthekeyderivationfunction,dependingonthemode(s)thataresupported.Table5mapsthedatafieldstothenotationsusedinSP800-108andSP800-56C.
Table5:NotationsusedinSP800-108andSP800-56C
DataFields Notations
SP800-108 SP800-56C
Pseudorandomfunction PRF PRF
Counterlength r r
LengthofoutputofPRF h h
Lengthofderivedkeyingmaterial L L
Lengthofinputvalues I_length I_length
PseudorandominputvaluesI Z(sharedsecret)
K1(keyderivationkey)
Pseudorandomsaltvalues n/a s
RandomnessextractionMAC n/a MAC
CounterModeTests:
Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.
Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueofstringinputaftercounter.
Thelength(I_length)oftheinputvaluesI.
ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation,valueofr,andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.
Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
FeedbackModeTests:Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:
Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotzero-lengthIVsaresupported.Whetherornotacounterisused,andifso:
Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.
Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueofstringinputaftercounter.
Thelength(I_length)oftheinputvaluesI.
ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesIandpseudorandomsaltvalues.IftheKDFsupportszero-lengthIVs,fiveofthesetestvectorswillbeaccompaniedbypseudorandomIVsandtheotherfivewillusezero-lengthIVs.Ifzero-lengthIVsarenotsupported,eachtestvectorwillbeaccompaniedbyanpseudorandomIV.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.
Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
DoublePipelineIterationModeTests:Theevaluatorshalldeterminethefollowingcharacteristicsofthekeyderivationfunction:
Oneormorepseudorandomfunctionsthataresupportedbytheimplementation(PRF).Thelength(inbits)oftheoutputofthePRF(h).Minimumandmaximumvaluesforthelength(inbits)ofthederivedkeyingmaterial(L).ThesevaluescanbeequalifonlyonevalueofLissupported.Thesemustbeevenlydivisiblebyh.UptotwovaluesofLthatareNOTevenlydivisiblebyh.Whetherornotacounterisused,andifso:
Oneormoreofthevalues{8,16,24,32}thatequalthelengthofthebinaryrepresentationofthecounter(r).Locationofthecounterrelativetofixedinputdata:before,after,orinthemiddle.
Counterbeforefixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterafterfixedinputdata:fixedinputdatastringlength(inbytes),fixedinputdatastringvalue.Counterinthemiddleoffixedinputdata:lengthofdatabeforecounter(inbytes),lengthofdataaftercounter(inbytes),valueofstringinputbeforecounter,valueofstringinputaftercounter.
Thelength(I_length)oftheinputvaluesI.
ForeachsupportedcombinationofI_length,MAC,salt,PRF,counterlocation(ifacounterisused),valueofr(ifacounterisused),andvalueofL,theevaluatorshallgenerate10testvectorsthatincludepseudorandominputvaluesI,andpseudorandomsaltvalues.IfthereisonlyonevalueofLthatisevenlydivisiblebyh,theevaluatorshallgenerate20testvectorsforit.
Foreachtestvector,theevaluatorshallsupplythisdatatotheTOEinordertoproducethekeyingmaterialoutput.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
FCS_CKM_EXT.4KeyDestructionFCS_CKM_EXT.4.1
TheTSFshalldestroycryptographickeysinaccordancewiththespecifiedcryptographickeydestructionmethods:
byclearingtheKEKencryptingthetargetkeyinaccordancewiththefollowingrules
Forvolatilememory,thedestructionshallbeexecutedbyasingledirectoverwrite[selection:consistingofapseudo-randompatternusingtheTSF’sRBG,consistingofzeroes].Fornon-volatileEEPROM,thedestructionshallbeexecutedbyasingledirectoverwriteconsistingofapseudorandompatternusingtheTSF’sRBG(asspecifiedinFCS_RBG_EXT.1),followedbyaread-verify.Fornon-volatileflashmemory,thatisnotwear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzerosfollowedbyaread-verify,byablockerasethaterasesthereferencetomemorythatstoresdataaswellasthedataitself].Fornon-volatileflashmemory,thatiswear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzeros,byablockerase].Fornon-volatilememoryotherthanEEPROMandflash,thedestructionshallbeexecutedbyasingledirectoverwritewitharandompatternthatischangedbeforeeachwrite.
ApplicationNote:Theclearingindicatedaboveappliestoeachintermediatestorageareaforplaintextkey/cryptographiccriticalsecurityparameter(i.e.anystorage,suchasmemorybuffers,thatisincludedinthepathofsuchdata)uponthetransferofthekey/cryptographiccriticalsecurityparametertoanotherlocation.
Becauseplaintextkeymaterialisnotallowedtobewrittentonon-volatilememory(FPT_KST_EXT.1),thesecondselectiononlyappliestokeymaterialwrittentovolatilememory.
FCS_CKM_EXT.4.2TheTSFshalldestroyallplaintextkeyingmaterialandcriticalsecurityparameterswhennolongerneeded.
ApplicationNote:Forthepurposesofthisrequirement,plaintextkeyingmaterialreferstoauthenticationdata,passwords,secret/privatesymmetrickeys,privateasymmetrickeys,datausedtoderivekeys,valuesderivedfrompasswords,etc.IfaBAFisselectedinFIA_UAU.5.1theenrollmentorauthenticationtemplatesarenotsubjecttothisrequirement,sincetemplatesarenotsuitableforderivingkeyingmaterial.However,sourcebiometricdata(i.e.
fingerprintimageorfrictionridgepattern),thefeaturesanalgorithmusestoperformbiometricauthenticationforenrollmentorverification(e.g.locationofminutia),thresholdvaluesusedinmakingthematchadjudication,intermediatevaluescalculatedwhilebuildinganenrollmentorauthenticationtemplate(i.e.directionmaps,minutiacounts,binarizedandskeletonizedrepresentationsoffrictionridgepatterns,etc.),andfinalmatchscoresareexamplesofcriticalsecurityparametersthatmustbedestroyedwhennolongerneeded.
KeydestructionproceduresareperformedinaccordancewithFCS_CKM_EXT.4.1.
Therearemultiplesituationsinwhichplaintextkeyingmaterialisnolongernecessary,includingwhentheTOEispoweredoff,whenthewipefunctionisperformed,whentrustedchannelsaredisconnected,whenkeyingmaterialisnolongerneededbythetrustedchannelpertheprotocol,andwhentransitioningtothelockedstate(forthosevaluesderivedfromthePasswordAuthenticationFactororthatkeymaterialwhichisprotectedbythepassword-derivedorbiometric-unlockedKEKaccordingtoFCS_STG_EXT.2–seeFigure3).Forkeys(orkeymaterialusedtoderivethosekeys)protectingsensitivedatareceivedinthelockedstate,"nolongerneeded"includes"whileinthelockedstate."
TrustedchannelsmayincludeTLS,HTTPS,DTLS,IPsecVPNs,BluetoothBR/EDR,andBluetoothLE.Theplaintextkeyingmaterialforthesechannelsincludes(butisnotlimitedto)mastersecrets,andSecurityAssociations(SAs).
IfREK(s)areprocessedinaseparateexecutionenvironmentonthesameApplicationProcessorastheOS,REKkeymaterialmustbeclearedfromRAMimmediatelyafteruse,andatleast,mustbewipedwhenthedeviceislocked,astheREKispartofthekeyhierarchyprotectingsensitivedata.
EvaluationActivities
FCS_CKM_EXT.4:TSSTheevaluatorshallchecktoensuretheTSSlistseachtypeofplaintextkeymaterial(DEKs,software-basedkeystorage,KEKs,trustedchannelkeys,passwords,etc.)anditsgenerationandstoragelocation.
TheevaluatorshallverifythattheTSSdescribeswheneachtypeofkeymaterialiscleared(forexample,onsystempoweroff,onwipefunction,ondisconnectionoftrustedchannels,whennolongerneededbythetrustedchannelpertheprotocol,whentransitioningtothelockedstate,andpossiblyincludingimmediatelyafteruse,whileinthelockedstate,etc.).
Theevaluatorshallalsoverifythat,foreachtypeofkey,thetypeofclearingprocedurethatisperformed(cryptographicerase,overwritewithzeros,overwritewithrandompattern,orblockerase)islisted.Ifdifferenttypesofmemoryareusedtostorethematerialstobeprotected,theevaluatorshallchecktoensurethattheTSSdescribestheclearingprocedureintermsofthememoryinwhichthedataarestored.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
Foreachsoftwareandfirmwarekeyclearingsituation(includingonsystempoweroff,onwipefunction,ondisconnectionoftrustedchannels,whennolongerneededbythetrustedchannelpertheprotocol,whentransitioningtothelockedstate,andpossiblyincludingimmediatelyafteruse,whileinthelockedstate)theevaluatorshallrepeatthefollowingtests.
Fortheseteststheevaluatorshallutilizeappropriatedevelopmentenvironment(e.g.aVirtualMachine)anddevelopmenttools(debuggers,simulators,etc.)totestthatkeysarecleared,includingallcopiesofthekeythatmayhavebeencreatedinternallybytheTOEduringnormalcryptographicprocessingwiththatkey.
Test1:AppliedtoeachkeyheldasplaintextinvolatilememoryandsubjecttodestructionbyoverwritebytheTOE(whetherornottheplaintextvalueissubsequentlyencryptedforstorageinvolatileornon-volatilememory).Inthecasewheretheonlyselectionmadeforthedestructionmethodkeywasremovalofpower,thenthistestisunnecessary.Theevaluatorshall:1. RecordthevalueofthekeyintheTOEsubjecttoclearing.2. CausetheTOEtoperformanormalcryptographicprocessingwiththekeyfromStep
#1.
3. CausetheTOEtoclearthekey.4. CausetheTOEtostoptheexecutionbutnotexit.5. CausetheTOEtodumptheentirememoryoftheTOEintoabinaryfile.6. SearchthecontentofthebinaryfilecreatedinStep#5forinstancesoftheknownkey
valuefromStep#1.7. BreakthekeyvaluefromStep#1into3similarsizedpiecesandperformasearch
usingeachpiece.
Steps1-6ensurethatthecompletekeydoesnotexistanywhereinvolatilememory.Ifacopyisfound,thenthetestfails.
Step7ensuresthatpartialkeyfragmentsdonotremaininmemory.Ifafragmentisfound,thereisaminusculechancethatitisnotwithinthecontextofakey(e.g.,somerandombitsthathappentomatch).IfthisisthecasethetestshouldberepeatedwithadifferentkeyinStep#1.Ifafragmentisfoundthetestfails.
Test2:Appliedtoeachkeyheldinnon-volatilememoryandsubjecttodestructionbyoverwritebytheTOE.Theevaluatorshallusespecialtools(asneeded),providedbytheTOEdeveloperifnecessary,toviewthekeystoragelocation:1. RecordthevalueofthekeyintheTOEsubjecttoclearing.2. CausetheTOEtoperformanormalcryptographicprocessingwiththekeyfromStep
#1.3. CausetheTOEtoclearthekey.4. Searchthenon-volatilememorythekeywasstoredinforinstancesoftheknownkey
valuefromStep#1.Ifacopyisfound,thenthetestfails.5. BreakthekeyvaluefromStep#1into3similarsizedpiecesandperformasearch
usingeachpiece.Ifafragmentisfoundthenthetestisrepeated(asdescribedfortest1above),andifafragmentisfoundintherepeatedtestthenthetestfails.
Test3:Appliedtoeachkeyheldasnon-volatilememoryandsubjecttodestructionbyoverwritebytheTOE.Theevaluatorshallusespecialtools(asneeded),providedbytheTOEdeveloperifnecessary,toviewthekeystoragelocation:1. RecordthestoragelocationofthekeyintheTOEsubjecttoclearing.2. CausetheTOEtoperformanormalcryptographicprocessingwiththekeyfromStep
#1.3. CausetheTOEtoclearthekey.4. ReadthestoragelocationinStep#1ofnon-volatilememorytoensuretheappropriate
patternisutilized.
Thetestsucceedsifcorrectpatternisusedtooverwritethekeyinthememorylocation.Ifthepatternisnotfoundthetestfails.
FCS_CKM_EXT.5TSFWipeFCS_CKM_EXT.5.1
TheTSFshallwipeallprotecteddataby[selection:CryptographicallyerasingtheencryptedDEKsand/ortheKEKsinnon-volatilememorybyfollowingtherequirementsinFCS_CKM_EXT.4.1,OverwritingallPDaccordingtothefollowingrules:
ForEEPROM,thedestructionshallbeexecutedbyasingledirectoverwriteconsistingofapseudorandompatternusingtheTSF’sRBG(asspecifiedinFCS_RBG_EXT.1,followedbyaread-verify.Forflashmemory,thatisnotwear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzerosfollowedbyaread-verify,byablockerasethaterasesthereferencetomemorythatstoresdataaswellasthedataitself].Forflashmemory,thatiswear-leveled,thedestructionshallbeexecuted[selection:byasingledirectoverwriteconsistingofzeros,byablockerase].Fornon-volatilememoryotherthanEEPROMandflash,thedestructionshallbeexecutedbyasingledirectoverwritewitharandompatternthatischangedbeforeeachwrite.
].
ApplicationNote:Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.
FCS_CKM_EXT.5.2TheTSFshallperformapowercycleonconclusionofthewipeprocedure.
EvaluationActivities
FCS_CKM_EXT.5:TSSTheevaluatorshallchecktoensuretheTSSdescribeshowthedeviceiswiped,thetypeofclearingprocedurethatisperformed(cryptographiceraseoroverwrite)and,ifoverwriteisperformed,theoverwriteprocedure(overwritewithzeros,overwritethreeormoretimesbyadifferentalternatingpattern,overwritewithrandompattern,orblockerase).
Ifdifferenttypesofmemoryareusedtostorethedatatobeprotected,theevaluatorshallchecktoensurethattheTSSdescribestheclearingprocedureintermsofthememoryinwhichthedataarestored(forexample,datastoredonflashareclearedbyoverwritingoncewithzeros,whiledatastoredontheinternalpersistentstoragedeviceareclearedbyoverwritingthreetimeswitharandompatternthatischangedbeforeeachwrite).
GuidanceTheevaluatorshallverifythattheAGDguidancedescribeshowtoenableencryption,ifitisnotenabledbydefault.AdditionallytheevaluatorshallverifythattheAGDguidancedescribeshowtoinitiatethewipecommand.
TestsEvaluationActivityNote:ThefollowingtestmayrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:Theevaluatorshallperformoneofthefollowingtests.Thetestbeforeandafterthewipecommandshallbeidentical.Thistestshallberepeatedforeachtypeofmemoryusedtostorethedatatobeprotected.
Test1.1:ForFile-basedMethods:TheevaluatorshallenableencryptionaccordingtotheAGDguidance.Theevaluatorshallcreateauserdata(protecteddataorsensitivedata)file,forexample,byusinganapplication.Theevaluatorshalluseatoolprovidedbythedevelopertoexaminethisdatastoredinmemory(forexample,byexaminingadecryptedfiles).TheevaluatorshallinitiatethewipecommandaccordingtotheAGDguidanceprovidedforFMT_SMF_EXT.1.TheevaluatorshalluseatoolprovidedbythedevelopertoexaminethesamedatalocationinmemorytoverifythatthedatahasbeenwipedaccordingtothemethoddescribedintheTSS(forexample,thefilesarestillencryptedandcannotbeaccessed).Test1.2:ForVolume-basedMethods:TheevaluatorshallenableencryptionaccordingtotheAGDguidance.Theevaluatorshallcreateauniquedatastring,forexample,byusinganapplication.Theevaluatorshalluseatoolprovidedbythedevelopertosearchdecrypteddatafortheuniquestring.TheevaluatorshallinitiatethewipecommandaccordingtotheAGDguidanceprovidedforFMT_SMF_EXT.1.TheevaluatorshalluseatoolprovidedbythedevelopertosearchforthesameuniquestringindecryptedmemorytoverifythatthedatahasbeenwipedaccordingtothemethoddescribedintheTSS(forexample,thefilesarestillencryptedandcannotbeaccessed).
Test2:Theevaluatorshallcausethedevicetowipeandverifythatthewipeconcludeswithapowercycle.
FCS_CKM_EXT.6SaltGenerationFCS_CKM_EXT.6.1
TheTSFshallgenerateallsaltsusingaRBGthatmeetsFCS_RBG_EXT.1.
ApplicationNote:Thisrequirementrefersonlytosaltgeneration.Intheexamplesgiven,asaltmaybeusedaspartofthescheme/algorithm.Requirementsonnoncesand/orephemeralkeysareprovidedelsewhere,ifneeded.Thelistbelowisprovidedforclarity,inordertogiveexamplesofwheretheTSFmaybegeneratingcryptographicsalts;itisnotexhaustivenorisitintendedtomandateimplementationofalloftheseschemes/algorithms.Cryptographicsaltsaregeneratedforvarioususesincluding:
RSASSA-PSSsignaturegenerationDSAsignaturegenerationECDSAsignaturegenerationDHstatickeyagreementschemePBKDFKeyAgreementSchemeinNISTSP800-56BAESGCM
EvaluationActivities
FCS_CKM_EXT.6:TSSTheevaluatorshallverifythattheTSScontainsadescriptionregardingthesaltgeneration,includingwhichalgorithmsontheTOErequiresalts.TheevaluatorshallconfirmthatthesaltisgeneratedusinganRBGdescribedinFCS_RBG_EXT.1.ForPBKDFderivationofKEKs,thisevaluationactivitymaybeperformedinconjunctionwithFCS_CKM_EXT.3.2.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FCS_COP.1/ENCRYPTCryptographicOperationFCS_COP.1.1/ENCRYPT
TheTSFshallperformencryption/decryptioninaccordancewithaspecifiedcryptographicalgorithm:
AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)modeAES-CCMP(asdefinedinFIPSPUB197,NISTSP800-38CandIEEE802.11-2012),and[selection:
AESKeyWrap(KW)(asdefinedinNISTSP800-38F),AESKeyWrapwithPadding(KWP)(asdefinedinNISTSP800-38F),AES-GCM(asdefinedinNISTSP800-38D),AES-CCM(asdefinedinNISTSP800-38C),AES-XTS(asdefinedinNISTSP800-38E)mode,AES-CCMP-256(asdefinedinNISTSP800-38CandIEEE802.11ac-2013),AES-GCMP-256(asdefinedinNISTSP800-38DandIEEE802.11ac-2013),noothermodes
]andcryptographickeysizes128-bitkeysizesand[selection:256-bitkeysizes,nootherkeysizes].
ApplicationNote:Forthefirstselection,theSTauthorshouldchoosethemodeormodesinwhichAESoperates.Forthesecondselection,theSTauthorshouldchoosethekeysizesthataresupportedbythisfunctionality.128-bitCBCandCCMParerequiredinordertocomplywithWLANClientExtendedPackage.
NotethattocomplywiththeWLANClientEP,AESCCMP(whichusesAESinCCMasspecifiedinSP800-38C)withcryptographickeysizeof128bitsmustbeimplemented.IfCCMisonlyimplementedtosupportCCMPforWLAN,AES-CCMdoesnotneedbeselected.Optionally,AES-CCMP-256orAES-GCMP-256withcryptographickeysizeof256bitsmaybeimplemented.
EvaluationActivities
FCS_COP.1/ENCRYPT:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
AES-CBCTestsTest1:AES-CBCKnownAnswerTests
TherearefourKnownAnswerTests(KATs),describedbelow.InallKATs,theplaintext,ciphertext,andIVvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngood
implementation.
Test1.1:KAT-1.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitall-zeroskey,andtheotherfiveshallbeencryptedwitha256-bitall-zeroskey.
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinputandAES-CBCdecryption.
Test1.2:KAT-2.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeysshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usinganall-zerociphertextvalueasinputandAES-CBCdecryption.
Test1.3:KAT-3.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluethatresultsfromAESencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondsetshallhave256256-bitkeys.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromAES-CBCdecryptionofthegivenciphertextusingthegivenkeyandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitkey/ciphertextpairs.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanall-zerosplaintextwhendecryptedwithitscorrespondingkey.
Test1.4:KAT-4.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromAES-CBCencryptionofthegivenplaintextusinga128-bitkeyvalueofallzeroswithanIVofallzerosandusinga256-bitkeyvalueofallzeroswithanIVofallzeros,respectively.Plaintextvalueiineachsetshallhavetheleftmostibitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinputandAES-CBCdecryption.
Test2:AES-CBCMulti-BlockMessageTest
Theevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1<i<=10.Theevaluatorshallchooseakey,anIVandplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.
Theevaluatorshallalsotestthedecryptfunctionalityforeachmodebydecryptingani-blockmessagewhere1<i<=10.Theevaluatorshallchooseakey,anIVandaciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyandIVusingaknowngoodimplementation.
Test3:AES-CBCMonteCarloTests
Theevaluatorshalltesttheencryptfunctionalityusingasetof200plaintext,IV,andkey3-tuples.100oftheseshalluse128bitkeys,and100shalluse256bitkeys.TheplaintextandIVvaluesshallbe128-bitblocks.Foreach3-tuple,1000iterationsshallberunasfollows:
#Input:PT,IV,Keyfori=1to1000:ifi==1:CT[1]=AES-CBC-Encrypt(Key,IV,PT)PT=IVelse:CT[i]=AES-CBC-Encrypt(Key,PT)PT=CT[i-1]
Theciphertextcomputedinthe1000thiteration(i.e.CT[1000])istheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.
Theevaluatorshalltestthedecryptfunctionalityusingthesametestasforencrypt,exchangingCTandPTandreplacingAES-CBC-EncryptwithAES-CBC-Decrypt.
AES-CCMTestsTest1:Theevaluatorshalltestthegeneration-encryptionanddecryption-verificationfunctionalityofAES-CCMforthefollowinginputparameterandtaglengths:
128bitand256bitkeys
Twopayloadlengths.Onepayloadlengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Theotherpayloadlengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).
Twoorthreeassociateddatalengths.Oneassociateddatalengthshallbe0,ifsupported.Oneassociateddatalengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Oneassociateddatalengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).Iftheimplementationsupportsanassociateddatalengthof216bytes,anassociateddatalengthof216bytesshallbetested.
Noncelengths.Allsupportednoncelengthsbetween7and13bytes,inclusive,shallbetested.
Taglengths.Allsupportedtaglengthsof4,6,8,10,12,14and16bytesshallbetested.
Totestthegeneration-encryptionfunctionalityofAES-CCM,theevaluatorshallperformthefollowingfourtests:
Test1.1:ForEACHsupportedkeyandassociateddatalengthandANYsupportedpayload,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.
Test1.2:ForEACHsupportedkeyandpayloadlengthandANYsupportedassociateddata,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.
Test1.3:ForEACHsupportedkeyandnoncelengthandANYsupportedassociateddata,payloadandtaglength,theevaluatorshallsupplyonekeyvalueand10associateddata,payloadandnoncevalue3-tuplesandobtaintheresultingciphertext.
Test1.4:ForEACHsupportedkeyandtaglengthandANYsupportedassociateddata,payloadandnoncelength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.
Todeterminecorrectnessineachoftheabovetests,theevaluatorshallcomparetheciphertextwiththeresultofgeneration-encryptionofthesameinputswithaknowngoodimplementation.
Totestthedecryption-verificationfunctionalityofAES-CCM,forEACHcombinationofsupportedassociateddatalength,payloadlength,noncelengthandtaglength,theevaluatorshallsupplyakeyvalueand15nonce,associateddataandciphertext3-tuplesandobtaineitheraFAILresultoraPASSresultwiththedecryptedpayload.Theevaluatorshallsupply10tuplesthatshouldFAILand5thatshouldPASSpersetof15.
AES-GCMTestTheevaluatorshalltesttheauthenticatedencryptfunctionalityofAES-GCMforeachcombinationofthefollowinginputparameterlengths:
128bitand256bitkeys
Twoplaintextlengths.Oneoftheplaintextlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Theotherplaintextlengthshallnotbeanintegermultipleof128bits,ifsupported.
ThreeAADlengths.OneAADlengthshallbe0,ifsupported.OneAADlengthshallbeanon-zerointegermultipleof128bits,ifsupported.OneAADlengthshallnotbeanintegermultipleof128bits,ifsupported.
TwoIVlengths.If96bitIVissupported,96bitsshallbeoneofthetwoIVlengthstested.
Test1:Theevaluatorshalltesttheencryptfunctionalityusingasetof10key,plaintext,AAD,andIVtuplesforeachcombinationofparameterlengthsaboveandobtaintheciphertextvalueandtagthatresultsfromAES-GCMauthenticatedencrypt.Eachsupportedtaglengthshallbetestedatleastoncepersetof10.TheIVvaluemaybesuppliedbytheevaluatorortheimplementationbeingtested,aslongasitisknown.
Test2:Theevaluatorshalltestthedecryptfunctionalityusingasetof10key,ciphertext,
tag,AAD,andIV5-tuplesforeachcombinationofparameterlengthsaboveandobtainaPass/FailresultonauthenticationandthedecryptedplaintextifPass.ThesetshallincludefivetuplesthatPassandfivethatFail.
Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
XTS-AESTestTest1:TheevaluatorshalltesttheencryptfunctionalityofXTS-AESforeachcombinationofthefollowinginputparameterlengths:
256bit(forAES-128)and512bit(forAES-256)keys
Threedataunit(i.e.plaintext)lengths.Oneofthedataunitlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Oneofthedataunitlengthsshallbeanintegermultipleof128bits,ifsupported.Thethirddataunitlengthshallbeeitherthelongestsupporteddataunitlengthor216bits,whicheverissmaller.
usingasetof100(key,plaintextand128-bitrandomtweakvalue)3-tuplesandobtaintheciphertextthatresultsfromXTS-AESencrypt.
Theevaluatormaysupplyadataunitsequencenumberinsteadofthetweakvalueiftheimplementationsupportsit.Thedataunitsequencenumberisabase-10numberrangingbetween0and255thatimplementationsconverttoatweakvalueinternally.
Test2:TheevaluatorshalltestthedecryptfunctionalityofXTS-AESusingthesametestasforencrypt,replacingplaintextvalueswithciphertextvaluesandXTS-AESencryptwithXTS-AESdecrypt.
AESKeyWrap(AES-KW)andKeyWrapwithPadding(AES-KWP)TestTest1:TheevaluatorshalltesttheauthenticatedencryptionfunctionalityofAES-KWforEACHcombinationofthefollowinginputparameterlengths:
128and256bitkeyencryptionkeys(KEKs)
Threeplaintextlengths.Oneoftheplaintextlengthsshallbetwosemi-blocks(128bits).Oneoftheplaintextlengthsshallbethreesemi-blocks(192bits).Thethirddataunitlengthshallbethelongestsupportedplaintextlengthlessthanorequalto64semi-blocks(4096bits).
usingasetof100keyandplaintextpairsandobtaintheciphertextthatresultsfromAES-KWauthenticatedencryption.Todeterminecorrectness,theevaluatorshallusetheAES-KWauthenticated-encryptionfunctionofaknowngoodimplementation.
Test2:Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWusingthesametestasforauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWauthenticated-encryptionwithAES-KWauthenticated-decryption.
Test3:Theevaluatorshalltesttheauthenticated-encryptionfunctionalityofAES-KWPusingthesametestasforAES-KWauthenticated-encryptionwiththefollowingchangeinthethreeplaintextlengths:
Oneplaintextlengthshallbeoneoctet.Oneplaintextlengthshallbe20octets(160bits).
Oneplaintextlengthshallbethelongestsupportedplaintextlengthlessthanorequalto512octets(4096bits).
Test4:Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWPusingthesametestasforAES-KWPauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWPauthenticated-encryptionwithAES-KWPauthenticated-decryption.
FCS_COP.1/HASHCryptographicOperationFCS_COP.1.1/HASH
TheTSFshallperformcryptographichashinginaccordancewithaspecifiedcryptographicalgorithmSHA-1and[selection:SHA-256,SHA-384,SHA-512,nootheralgorithms]andmessagedigestsizes160and[selection:256,384,512bits,noothermessagedigestsizes]thatmeetthefollowing:FIPSPub180-4.
ApplicationNote:PerNISTSP800-131A,SHA-1forgeneratingdigital
signaturesisnolongerallowed,andSHA-1forverificationofdigitalsignaturesisstronglydiscouragedastheremayberiskinacceptingthesesignatures.ItisexpectedthatvendorswillimplementSHA-2algorithmsinaccordancewithSP800-131A.
SHA-1iscurrentlyrequiredinordertocomplywiththeWLANClientExtendedPackage.VendorsarestronglyencouragedtoimplementupdatedprotocolsthatsupporttheSHA-2family;untilupdatedprotocolsaresupported,thisPPallowssupportforSHA-1implementationsincompliancewithSP800-131A.
Theintentofthisrequirementistospecifythehashingfunction.Thehashselectionmustsupportthemessagedigestsizeselection.Thehashselectionshouldbeconsistentwiththeoverallstrengthofthealgorithmused(forexample,SHA256for128-bitkeys).
TheTSFhashingfunctionscanbeimplementedinoneoftwomodes.Thefirstmodeisthebyteorientedmode.InthismodetheTSFonlyhashesmessagesthatareanintegralnumberofbytesinlength;i.e.thelength(inbits)ofthemessagetobehashedisdivisibleby8.Thesecondmodeisthebitorientedmode.InthismodetheTSFhashesmessagesofarbitrarylength.TheTSFmayimplementeitherbit-orientedorbyte-oriented;bothimplementationsarenotrequired.
EvaluationActivities
FCS_COP.1/HASH:TSSTheevaluatorshallcheckthattheassociationofthehashfunctionwithotherTSFcryptographicfunctions(forexample,thedigitalsignatureverificationfunction)isdocumentedintheTSS.TheevalutatorshallcheckthattheTSSindicatesifthehashingfunctionisimplementedinbit-orientedand/orbyte-orientedmode.
GuidanceTheevaluatorcheckstheAGDdocumentstodeterminethatanyconfigurationthatisrequiredtobedonetoconfigurethefunctionalityfortherequiredhashsizesispresent.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.Astherearedifferenttestsforeachmode,anindicationisgiveninthefollowingsectionsforthebitorientedvs.thebyteorientedtestmacs.
Test1:ShortMessagesTest:Bit-orientedModeTheevaluatorsdeviseaninputsetconsistingofm+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangessequentiallyfrom0tombits.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
Test2:ShortMessagesTest:Byte-orientedModeTheevaluatorsdeviseaninputsetconsistingofm/8+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tom/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
Test3:SelectedLongMessagesTest:Bit-orientedModeTheevaluatorsdeviseaninputsetconsistingofmmessages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+99*i,where1≤i≤m.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
Test4:SelectedLongMessagesTest:Byte-orientedModeTheevaluatorsdeviseaninputsetconsistingofm/8messages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+8*99*i,where1≤i≤m/8.Themessagetextshallbepseudorandomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
Test5:PseudorandomlyGeneratedMessagesTest:Byte-orientedModeThistestisforbyteorientedimplementationsonly.Theevaluatorsrandomlygenerateaseedthatisnbitslong,wherenisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Theevaluatorsthenformulateasetof100messagesandassociateddigestsbyfollowingthealgorithmprovidedinFigure1ofSHAVS.TheevaluatorsthenensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
FCS_COP.1/SIGNCryptographicOperationFCS_COP.1.1/SIGN
TheTSFshallperformcryptographicsignatureservices(generationandverification)inaccordancewithaspecifiedcryptographicalgorithm[selection:
RSAschemesusingcryptographickeysizesof2048-bitorgreaterthatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",Section4,ECDSAschemesusing"NISTcurves"P-384and[selection:P-256,P-521,noothercurves]thatmeetthefollowing:FIPSPUB186-4,"DigitalSignatureStandard(DSS)",Section5
].
ApplicationNote:TheSTauthorshouldchoosethealgorithmimplementedtoperformdigitalsignatures;ifmorethanonealgorithmisavailable,thisrequirementshouldbeiteratedtospecifythefunctionality.Forthealgorithmchosen,theSTauthorshouldmaketheappropriateassignments/selectionstospecifytheparametersthatareimplementedforthatalgorithm.
EvaluationActivities
FCS_COP.1/SIGN:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
Test1:[conditional]If"ECDSAschemes..."isselectedinFCS_COP.1.1/SIGNTest1.1:ECDSAFIPS186-4SignatureGenerationTestForeachsupportedNISTcurve(i.e.P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerate101024-bitlongmessagesandobtainforeachmessageapublickeyandtheresultingsignaturevaluesRandS.Todeterminecorrectness,theevaluatorshallusethesignatureverificationfunctionofaknowngoodimplementation.
Test1.2:ECDSAFIPS186-4SignatureVerificationTestForeachsupportedNISTcurve(i.e.P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerateasetof101024-bitmessage,publickeyandsignaturetuplesandmodifyoneofthevalues(message,publickeyorsignature)infiveofthe10tuples.Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.
Test2:[conditional]If"RSAschemes..."isselectedinFCS_COP.1.1/SIGNTest2.1:SignatureGenerationTestTheevaluatorshallverifytheimplementationofRSASignatureGenerationbytheTOEusingtheSignatureGenerationTest.Toconductthistesttheevaluatormustgenerateorobtain10messagesfromatrustedreferenceimplementationforeachmodulussize/SHAcombinationsupportedbytheTSF.TheevaluatorshallhavetheTOEusetheirprivatekeyandmodulusvaluetosignthesemessages.
TheevaluatorshallverifythecorrectnessoftheTSF’ssignatureusingaknowngoodimplementationandtheassociatedpublickeystoverifythesignatures.
Test2.2:SignatureVerificationTestTheevaluatorshallperformtheSignatureVerificationtesttoverifytheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidsignatures.TheevaluatorshallinjecterrorsintothetestvectorsproducedduringtheSignatureVerificationTestbyintroducingerrorsinsomeofthepublickeyse,messages,IRformat,and/orsignatures.TheTOEattemptstoverifythesignaturesandreturnssuccessorfailure.
TheevaluatorshallusethesetestvectorstoemulatethesignatureverificationtestusingthecorrespondingparametersandverifythattheTOEdetectstheseerrors.
FCS_COP.1/KEYHMACCryptographicOperationFCS_COP.1.1/KEYHMAC
TheTSFshallperformkeyed-hashmessageauthenticationinaccordancewithaspecifiedcryptographicalgorithmHMAC-SHA-1and[selection:HMAC-SHA-256,HMAC-SHA-384,HMAC-SHA-512,nootheralgorithms]andcryptographickeysizes[assignment:keysize(inbits)usedinHMAC]andmessagedigestsizes160and[selection:256,384,512,noother]bitsthatmeetthefollowing:FIPSPub198-1,"TheKeyed-HashMessageAuthenticationCode",andFIPSPub180-4,"SecureHashStandard".
ApplicationNote:Theselectioninthisrequirementmustbeconsistentwiththekeysizespecifiedforthesizeofthekeysusedinconjunctionwiththekeyed-hashmessageauthentication.HMAC-SHA-1iscurrentlyrequiredinordertocomplywiththeWLANClientEP.
EvaluationActivities
FCS_COP.1/KEYHMAC:TSSTheevaluatorshallexaminetheTSStoensurethatitspecifiesthefollowingvaluesusedbytheHMACfunction:keylength,hashfunctionused,blocksize,andoutputMAClengthused.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
Foreachofthesupportedparametersets,theevaluatorshallcompose15setsoftestdata.Eachsetshallconsistofakeyandmessagedata.TheevaluatorshallhavetheTSFgenerateHMACtagsforthesesetsoftestdata.TheresultingMACtagsshallbecomparedtotheresultofgeneratingHMACtagswiththesamekeyandIVusingaknowngoodimplementation.
FCS_COP.1/CONDITIONCryptographicOperationFCS_COP.1.1/CONDITION
TheTSFshallperformconditioninginaccordancewithaspecifiedcryptographicalgorithmHMAC-[selection:SHA-256,SHA-384,SHA-512]usingasalt,and[selection:PBKDF2with[assignment:numberofiterations]iterations,[assignment:keystretchingfuntion],nootherfunction]andoutputcryptographickeysizes[selection:128,256]thatmeetthefollowing:[selection:NISTSP800-132,nostandard].
ApplicationNote:ThekeycryptographickeysizesinthethirdselectionshouldbemadetocorrespondtotheKEKkeysizesselectedinFCS_CKM_EXT.3.
ThispasswordmustbeconditionedintoastringofbitsthatformsthesubmasktobeusedasinputintotheKEK.Conditioningcanbeperformedusingoneoftheidentifiedhashfunctionsandmayincludeakeystretchingfunction;themethodusedisselectedbytheSTauthor.Ifselected,NISTSP800-132requirestheuseofapseudo-randomfunction(PRF)consistingofHMACwithanapprovedhashfunction.TheSTauthorselectsthehashfunctionused,alsoincludestheappropriaterequirementsforHMACandthehashfunction.
AppendixAofNISTSP800-132recommendssettingtheiterationcountinordertoincreasethecomputationneededtoderiveakeyfromapasswordand,therefore,increasetheworkloadofperformingadictionaryattack.
EvaluationActivities
FCS_COP.1/CONDITION:TSSTheevaluatorshallcheckthattheTSSdescribesthemethodbywhichthepasswordisfirstencodedandthenfedtotheSHAalgorithmandverifytheSHAalgorithmmatchesthefirst
selection.
Ifakeystretchingfunction,suchasPBKDF2,isselectedthesettingsforthealgorithm(padding,blocking,etc.)shallbedescribed.TheevaluatorshallverifythattheTSScontainsadescriptionofhowtheoutputofthehashfunctionorkeystretchingfunctionisusedtoformthesubmaskthatwillbeinputintothefunctionandisthesamelengthastheKEKasspecifiedinFCS_CKM_EXT.3.
IfanymanipulationofthekeyisperformedinformingthesubmaskthatwillbeusedtoformtheKEK,thatprocessshallbedescribedintheTSS.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.Noexplicittestingoftheformationofthesubmaskfromtheinputpasswordisrequired.
FCS_HTTPS_EXT.1HTTPSProtocolFCS_HTTPS_EXT.1.1
TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.
FCS_HTTPS_EXT.1.2TheTSFshallimplementHTTPSusingTLSasdefinedinthePackageforTransportLayerSecurity.
ApplicationNote:ThePackageforTransportLayerSecuritymustbeincludedintheST,withthefollowingselectionsmade:
FCS_TLS_EXT.1:TLSmustbeselectedClientmustbeselected
FCS_HTTPS_EXT.1.3TheTSFshallnotifytheapplicationand[selection:notestablishtheconnection,requestapplicationauthorizationtoestablishtheconnection,nootheraction]ifthepeercertificateisdeemedinvalid.
ApplicationNote:Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.
If"notestablishtheconnection"isselectedthen"withnoexceptions"mustbeselectedforFCS_TLSC_EXT.1.3inthePackageforTransportLayerSecurity.If"requestapplicationauthorizationtoestablishtheconnection"isselectedthen"exceptwhenoverrideisauthorized"mustbeselectedforFCS_TLSC_EXT.1.3inthePackageforTransportLayerSecurity.If"nootheraction"isselectedeitherselectioncanbemadeinFCS_TLSC_EXT.1.3.
FMT_SMF_EXT.1Function23configureswhethertoallow/disallowtheestablishmentofatrustedchannelifthepeercertificateisdeemedinvalid.
EvaluationActivities
FCS_HTTPS_EXT.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTest1:TheevaluatorshallattempttoestablishanHTTPSconnectionwithawebserver,observethetrafficwithapacketanalyzer,andverifythattheconnectionsucceedsandthatthetrafficisidentifiedasTLSorHTTPS.
OthertestsareperformedinconjunctionwithtestinginthePackageforTransportLayerSecurity.
CertificatevalidityshallbetestedinaccordancewithtestingperformedforFIA_X509_EXT.1,andtheevaluatorshallperformthefollowingtest:
Test2:Theevaluatorshalldemonstratethatusingacertificatewithoutavalidcertification
pathresultsinanapplicationnotification.Usingtheadministrativeguidance,theevaluatorshallthenloadacertificateorcertificatestotheTrustAnchorDatabaseneededtovalidatethecertificatetobeusedinthefunction,anddemonstratethatthefunctionsucceeds.Theevaluatorthenshalldeleteoneofthecertificates,andshowthattheapplicationisnotifiedofthevalidationfailure.
FCS_IV_EXT.1InitializationVectorGenerationFCS_IV_EXT.1.1
TheTSFshallgenerateIVsinaccordancewithTable13:ReferencesandIVRequirementsforNIST-approvedCipherModes.
ApplicationNote:Table13liststherequirementsforcompositionofIVsaccordingtotheNISTSpecialPublicationsforeachciphermode.ThecompositionofIVsgeneratedforencryptionaccordingtoacryptographicprotocolisaddressedbytheprotocol.Thus,thisrequirementaddressesonlyIVsgeneratedforkeystorageanddatastorageencryption.
EvaluationActivities
FCS_IV_EXT.1:TSSTheevaluatorshallexaminethekeyhierarchysectionoftheTSStoensurethattheencryptionofallkeysisdescribedandtheformationoftheIVsforeachkeyencryptedbythesameKEKmeetsFCS_IV_EXT.1.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FCS_RBG_EXT.1RandomBitGenerationFCS_RBG_EXT.1.1
TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)].
FCS_RBG_EXT.1.2ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,TSF-hardware-basednoisesource]withaminimumof[selection:128bits,256bits]ofentropyatleastequaltothegreatestsecuritystrength(accordingtoNISTSP800-57)ofthekeysandhashesthatitwillgenerate.
FCS_RBG_EXT.1.3TheTSFshallbecapableofprovidingoutputoftheRBGtoapplicationsrunningontheTSFthatrequestrandombits.
ApplicationNote:SP800-90Acontainsthreedifferentmethodsofgeneratingrandomnumbers;eachofthese,inturn,dependsonunderlyingcryptographicprimitives(hashfunctions/ciphers).TheSTauthorwillselectthefunctionused,andincludethespecificunderlyingcryptographicprimitivesusedintherequirementorintheTSS.Whileanyoftheidentifiedhashfunctions(SHA-224,SHA-256,SHA-384,SHA-512)areallowedforHash_DRBGorHMAC_DRBG,onlyAES-basedimplementationsforCTR_DRBGareallowed.
TheSTauthormustalsoensurethatanyunderlyingfunctionsareincludedinthebaselinerequirementsfortheTOE.
HealthtestingoftheDRBGsisperformedinconjunctionwiththeself-testsrequiredinFPT_TST_EXT.1.1.
FortheselectioninFCS_RBG_EXT.1.2,theSTauthorselectstheappropriatenumberofbitsofentropythatcorrespondstothegreatestsecuritystrengthofthealgorithmsincludedintheST.SecuritystrengthisdefinedinTables2and3ofNISTSP800-57A.Forexample,iftheimplementationincludes2048-bitRSA(securitystrengthof112bits),AES128(securitystrength128bits),andHMAC-SHA-256(securitystrength256bits),thentheSTauthorwouldselect256bits.
TheSTauthormayselecteithersoftwareorhardwarenoisesources.Ahardware
noisesourceisacomponentthatproducesdatathatcannotbeexplainedbyadeterministicrule,duetoitsphysicalnature.Inotherwords,ahardwarebasednoisesourcegeneratessequencesofrandomnumbersfromaphysicalprocessthatcannotbepredicted.Forexample,asampledringoscillatorconsistsofanoddnumberofinvertergateschainedintoaloop,withanelectricalpulsetravelingfrominvertertoinverteraroundtheloop.Theinvertersarenotclocked,sotheprecisetimerequiredforacompletecircuitaroundtheloopvariesslightlyasvariousphysicaleffectsmodifythesmalldelaytimeateachinverteronthelinetothenextinverter.Thisvarianceresultsinanapproximatenaturalfrequencythatcontainsdriftandjitterovertime.Theoutputoftheringoscillatorconsistsoftheoscillatingbinaryvaluesampledataconstantratefromoneoftheinverters–aratethatissignificantlyslowerthantheoscillator’snaturalfrequency.
EvaluationActivities
FCS_RBG_EXT.1:DocumentationshallbeproducedandtheevaluatorshallperformtheactivitiesinaccordancewithAppendixD-EntropyDocumentationAndAssessment,the"ClarificationtotheEntropyDocumentationandAssessment".
TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Development,includesthesecurityfunctionsdescribedinFCS_RBG_EXT.1.3.
TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTheevaluatorshallalsoconfirmthattheoperationalguidancecontainsappropriateinstructionsforconfiguringtheRNGfunctionality.
TestsEvaluationActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
Theevaluatorshallperform15trialsfortheRNGimplementation.IftheRNGisconfigurable,theevaluatorshallperform15trialsforeachconfiguration.
IftheRNGhaspredictionresistanceenabled,eachtrialconsistsof(1)instantiateDRBG,(2)generatethefirstblockofrandombits(3)generateasecondblockofrandombits(4)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thenexttwoareadditionalinputandentropyinputforthefirstcalltogenerate.Thefinaltwoareadditionalinputandentropyinputforthesecondcalltogenerate.Thesevaluesarerandomlygenerated."generateoneblockofrandombits"meanstogeneraterandombitswithnumberofreturnedbitsequaltotheOutputBlockLength(asdefinedinNISTSP800-90A).
IftheRNGdoesnothavepredictionresistance,eachtrialconsistsof(1)instantiateDRBG,(2)generatethefirstblockofrandombits(3)reseed,(4)generateasecondblockofrandombits(5)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thefifthvalueisadditionalinputtothefirstcalltogenerate.Thesixthandseventhareadditionalinputandentropyinputtothecalltoreseed.Thefinalvalueisadditionalinputtothesecondgeneratecall.
Thefollowingparagraphscontainmoreinformationonsomeoftheinputvaluestobegenerated/selectedbytheevaluator.
Entropyinput:thelengthoftheentropyinputvaluemustequaltheseedlength.Nonce:Ifanonceissupported(CTR_DRBGwithnoDerivationFunctiondoesnotuseanonce),thenoncebitlengthisone-halftheseedlength.Personalizationstring:Thelengthofthepersonalizationstringmustbe�seedlength.Iftheimplementationonlysupportsonepersonalizationstringlength,thenthesamelengthcanbeusedforbothvalues.Ifmorethanonestringlengthissupport,theevaluatorshallusepersonalizationstringsoftwodifferentlengths.Iftheimplementationdoesnotuseapersonalizationstring,novalueneedstobesupplied.Additionalinput:theadditionalinputbitlengthshavethesamedefaultsandrestrictionsasthepersonalizationstringlengths.
FCS_SRV_EXT.1CryptographicAlgorithmServicesFCS_SRV_EXT.1.1
TheTSFshallprovideamechanismforapplicationstorequesttheTSFtoperformthefollowingcryptographicoperations:
Allmandatoryand[selection:selectedalgorithms,selectedalgorithmswiththeexceptionofECCovercurve25519-basedalgorithms]inFCS_CKM.2/LOCKEDThefollowingalgorithmsinFCS_COP.1/ENCRYPT:AES-CBC,[selection:AESKeyWrap,AESKeyWrapwithPadding,AES-GCM,AES-CCM,noothermodes]AllselectedalgorithmsinFCS_COP.1/SIGNAllmandatoryandselectedalgorithmsinFCS_COP.1/HASHAllmandatoryandselectedalgorithmsinFCS_COP.1/KEYHMAC[selection:
Allmandatoryand[selection:selectedalgorithms,selectedalgorithmswiththeexceptionofECCovercurve25519-basedalgorithms]inFCS_CKM.1,TheselectedalgorithmsinFCS_COP.1/CONDITION,Noothercryptographicoperations
]
ApplicationNote:ForeachofthelistedFCScomponentsinthebulletedlist,theintentisthattheTOEwillmakeavailableallalgorithmsspecifiedforthatcomponentintheST.Forexample,ifforFCS_COP.1/HASHtheSTauthorselectsSHA-256,thentheTOEwouldhavetomakeavailableaninterfacetoperformSHA-1(the"mandatory"portionofFCS_COP.1/HASH)andSHA-256(the"selected"portionofFCS_COP.1/HASH).
TheexceptionisforFCS_COP.1/ENCRYPT.TheTOEisnotrequiredtomakeavailableAES_CCMP,AES_XTS,AES_GCMP-256,orAES_CCMP_256eventhoughtheymaybeimplementedtoperformTSF-relatedfunctions.ItisacceptablefortheplatformtonotprovideAESKeyWrap(KW)andAESKeyWrapwithPadding(KWP)toapplicationsevenifselectedinFCS_COP.1/ENCRYPT.However,theSTauthorisexpectedtoselectAES-GCMand/orAES-CCMifitisselectedintheSTfortheFCS_COP.1/ENCRYPTcomponent.
EvaluationActivities
FCS_SRV_EXT.1:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(cryptographicalgorithms)describedintheserequirements.
TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestscryptographicoperationsbytheTSF.TheevaluatorshallverifythattheresultsfromtheoperationmatchtheexpectedresultsaccordingtotheAPIdocumentation.ThisapplicationmaybeusedtoassistinverifyingthecryptographicoperationEvaluationActivitiesfortheotheralgorithmservicesrequirements.
5.1.3CryptographicStorage(FCS_STG)Thefollowingrequirementsdescribehowkeysareprotected.AllkeysmustultimatelybeprotectedbyaREK,andmayoptionallybeprotectedbytheuser’sauthenticationfactor.Eachkey’sconfidentialityandintegritymustbeprotected.ThissectionalsodescribesthesecurekeystorageservicestobeprovidedbytheMobileDeviceforusebyapplicationsandusers,applyingthesamelevelofprotectionforthesekeysaskeysinternaltotheOS.
FCS_STG_EXT.1CryptographicKeyStorageFCS_STG_EXT.1.1
TheTSFshallprovide[selection:mutablehardware,software-based]securekeystorageforasymmetricprivatekeysand[selection:symmetrickeys,persistentsecrets,nootherkeys].
ApplicationNote:AhardwarekeystorecanbeexposedtotheTSFthrougha
varietyofinterfaces,includingembeddedonthemotherboard,USB,microSD,andBluetooth.
Immutablehardwareisconsideredoutsideofthisrequirementandwillbecoveredelsewhere.
IfthesecurekeystorageisimplementedinsoftwarethatisprotectedasrequiredbyFCS_STG_EXT.2,theSTauthormustselect"software-based."If"software-based"isselected,theSTauthormustselect"allsoftware-basedkeystorage"inFCS_STG_EXT.2.
Supportforsecurekeystorageforallsymmetrickeysandpersistentsecretswillberequiredinfuturerevisions.
FCS_STG_EXT.1.2TheTSFshallbecapableofimportingkeys/secretsintothesecurekeystorageuponrequestof[selection:theuser,theadministrator]and[selection:applicationsrunningontheTSF,noothersubjects].
ApplicationNote:IftheSTauthorselectsonlyuser,theSTauthormustselectfunction9inFMT_MOF_EXT.1.1.
FCS_STG_EXT.1.3TheTSFshallbecapableofdestroyingkeys/secretsinthesecurekeystorageuponrequestof[selection:theuser,theadministrator].
ApplicationNote:IftheSTauthorselectsonlyuser,theSTauthormustselectfunction10inFMT_MOF_EXT.1.1.
FCS_STG_EXT.1.4TheTSFshallhavethecapabilitytoallowonlytheapplicationthatimportedthekey/secrettheuseofthekey/secret.Exceptionsmayonlybeexplicitlyauthorizedby[selection:theuser,theadministrator,acommonapplicationdeveloper].
ApplicationNote:IftheSTauthorselectsuseroradministrator,theSTauthormustalsoselectfunction34inFMT_SMF_EXT.1.1.IftheSTAuthorselectsonlyuser,theSTauthormustselectfunction34inFMT_MOF_EXT.1.1.
FCS_STG_EXT.1.5TheTSFshallallowonlytheapplicationthatimportedthekey/secrettorequestthatthekey/secretbedestroyed.Exceptionsmayonlybeexplicitlyauthorizedby[selection:theuser,theadministrator,acommonapplicationdeveloper].
ApplicationNote:IftheSTauthorselectsuseroradministrator,theSTauthormustalsoselectfunction35inFMT_SMF_EXT.1.1.IftheSTauthorselectsonlyuser,theSTauthormustselectfunction35inFMT_MOF_EXT.1.1.
EvaluationActivities
FCS_STG_EXT.1:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(import,use,anddestruction)describedintheserequirements.TheAPIdocumentationshallincludethemethodbywhichapplicationsrestrictaccesstotheirkeys/secretsinordertomeetFCS_STG_EXT.1.4".
TSSTheevaluatorshallreviewtheTSStodeterminethattheTOEimplementstherequiredsecurekeystorage.TheevaluatorshallensurethattheTSScontainsadescriptionofthekeystoragemechanismthatjustifiestheselectionof"mutablehardware"or"software-based".
GuidanceTheevaluatorshallreviewtheAGDguidancetodeterminethatitdescribesthestepsneededtoimportordestroykeys/secrets.
TestsTheevaluatorshalltestthefunctionalityofeachsecurityfunction:
Test1:Theevaluatorshallimportkeys/secretsofeachsupportedtypeaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatgeneratesakey/secretofeachsupportedtypeandcallstheimportfunctions.Theevaluatorshallverifythatnoerrorsoccurduringimport.
Test2:Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatusesanimportedkey/secret:
ForRSA,thesecretshallbeusedtosigndata.ForECDSA,thesecretshallbeusedtosigndata
Inthefutureadditionaltypeswillberequiredtobetested:Forsymmetricalgorithms,thesecretshallbeusedtoencryptdata.Forpersistentsecrets,thesecretshallbecomparedtotheimportedsecret.
Theevaluatorshallrepeatthistestwiththeapplication-importedkeys/secretsandadifferentapplication’simportedkeys/secrets.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtousethekey/secretimportedbytheuserorbyadifferentapplication:
Theevaluatorshalldenytheapprovalstoverifythattheapplicationisnotabletousethekey/secretasdescribed.Theevaluatorshallrepeatthetest,allowingtheapprovalstoverifythattheapplicationisabletousethekey/secretasdescribed.
IftheSTauthorhasselected"commonapplicationdeveloper",thistestisperformedbyeitherusingapplicationsfromdifferentdevelopersorappropriately(accordingtoAPIdocumentation)notauthorizingsharing.
Test3:Theevaluatorshalldestroykeys/secretsofeachsupportedtypeaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatdestroysanimportedkey/secret.
Theevaluatorshallrepeatthistestwiththeapplication-importedkeys/secretsandadifferentapplication’simportedkeys/secrets.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtodestroythekey/secretimportedbytheadministratororbyadifferentapplication:
Theevaluatorshalldenytheapprovalsandverifythattheapplicationisstillabletousethekey/secretasdescribed.Theevaluatorshallrepeatthetest,allowingtheapprovalsandverifyingthattheapplicationisnolongerabletousethekey/secretasdescribed.
IftheSTauthorhasselected"commonapplicationdeveloper",thistestisperformedbyeitherusingapplicationsfromdifferentdevelopersorappropriately(accordingtoAPIdocumentation)notauthorizingsharing.
FCS_STG_EXT.2EncryptedCryptographicKeyStorageFCS_STG_EXT.2.1
TheTSFshallencryptallDEKs,KEKs,[assignment:anylong-termtrustedchannelkeymaterial]and[selection:allsoftware-basedkeystorage,nootherkeys]byKEKsthatare[selection:
ProtectedbytheREKwith[selection:encryptionbyaREK,encryptionbyaKEKchainingfromaREK,encryptionbyaKEKthatisderivedfromaREK
],ProtectedbytheREKandthepasswordwith[selection:
encryptionbyaREKandthepassword-derivedKEK,encryptionbyaKEKchainingtoaREKandthepassword-derivedorbiometric-unlockedKEK,encryptionbyaKEKthatisderivedfromaREKandthepassword-derivedorbiometric-unlockedKEK
]].
ApplicationNote:TheSTauthormustselect"allsoftware-basedkeystorage"if"software-based"isselectedinFCS_STG_EXT.1.1.IftheSTauthorselects"mutablehardware"inFCS_STG_EXT.1.1,thesecurekeystorageisnotsubjecttothisrequirement.REKsarenotsubjecttothisrequirement.
AREKandthepassword-derivedKEKmaybecombinedtoformacombinedKEK(asdescribedinFCS_CKM_EXT.3)inordertomeetthisrequirement.
Software-basedkeystoragemustbeprotectedbythepasswordorbiometricandREK.
AllkeysmustultimatelybeprotectedbyaREK.Inparticular,Figure3hasKEKsprotectedaccordingtotheserequirements:DEK_1meetsthe"encryptionbyaREKandthepassword-derivedKEK"caseandwouldbeappropriateforsensitivedata,DEK_2meetsthe"encryptionbyaKEKchainingfromaREK"caseandwouldnotbeappropriateforsensitivedata,K_1meetsthe"encryptionbya
REK"caseandisnotconsideredasensitivekey,andK_2meetsthe"encryptionbyaKEKchainingtoaREKandthepassword-derivedorbiometric-unlockedKEK"caseandisconsideredasensitivekey.
Long-termtrustedchannelkeymaterialincludesWi-Fi(PSKs),IPsec(PSKsandclientcertificates)andBluetoothkeys.Thesekeysmustnotbeprotectedbythepassword,astheymaybenecessaryinthelockedstate.Forclarity,theSTauthormustassignanyLong-termtrustedchannelkeymaterialsupportedbytheTOE.Ataminimum,aTOEmustsupportatleastWi-FiandBluetoothkeys.
FCS_STG_EXT.2.2DEKs,KEKs,[assignment:anylong-termtrustedchannelkeymaterial]and[selection:allsoftware-basedkeystorage,nootherkeys]shallbeencryptedusingoneofthefollowingmethods:[selection:
usingaSP800-56Bkeyestablishmentscheme,usingAESinthe[selection:KeyWrap(KW)mode,KeyWrapwithPadding(KWP)mode,GCM,CCM,CBCmode]
].
ApplicationNote:TheSTauthorselectswhichkeyencryptionschemesareusedbytheTOE.ThisrequirementrefersonlytoKEKsasdefinedthisPPanddoesnotrefertothoseKEKsspecifiedinotherstandards.TheSTauthormustassignthesameLong-termtrustedchannelkeymaterialassignedinFCS_STG_EXT.2.1.
EvaluationActivities
FCS_STG_EXT.2:TSSTheevaluatorshallreviewtheTSStodeterminethattheTSSincludeskeyhierarchydescriptionoftheprotectionofeachDEKfordata-at-rest,ofsoftware-basedkeystorage,oflong-termtrustedchannelkeys,andofKEKrelatedtotheprotectionoftheDEKs,long-termtrustedchannelkeys,andsoftware-basedkeystorage.ThisdescriptionmustincludeadiagramillustratingthekeyhierarchyimplementedbytheTOEinordertodemonstratethattheimplementationmeetsFCS_STG_EXT.2.ThedescriptionshallindicatehowthefunctionalitydescribedbyFCS_RBG_EXT.1isinvokedtogenerateDEKs(FCS_CKM_EXT.2),thekeysize(FCS_CKM_EXT.2andFCS_CKM_EXT.3)foreachkey,howeachKEKisformed(generated,derived,orcombinedaccordingtoFCS_CKM_EXT.3),theintegrityprotectionmethodforeachencryptedkey(FCS_STG_EXT.3),andtheIVgenerationforeachkeyencryptedbythesameKEK(FCS_IV_EXT.1).Moredetailforeachtaskfollowsthecorrespondingrequirement.
Theevaluatorshallalsoensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.TSSTheevaluatorshallexaminethekeyhierarchydescriptionintheTSSsectiontoverifythateachDEKandsoftware-storedkeyisencryptedaccordingtoFCS_STG_EXT.2.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.
FCS_STG_EXT.3IntegrityofEncryptedKeyStorageFCS_STG_EXT.3.1
TheTSFshallprotecttheintegrityofanyencryptedDEKsandKEKsand[selection:long-termtrustedchannelkeymaterial,allsoftware-basedkeystorage,nootherkeys]by[selection:
[selection:GCM,CCM,KeyWrap,KeyWrapwithPadding]ciphermodeforencryptionaccordingtoFCS_STG_EXT.2,
ahash(FCS_COP.1/HASH)ofthestoredkeythatisencryptedbyakeyprotectedbyFCS_STG_EXT.2,akeyedhash(FCS_COP.1/KEYHMAC)usingakeyprotectedbyakeyprotectedbyFCS_STG_EXT.2,adigitalsignatureofthestoredkeyusinganasymmetrickeyprotectedaccordingtoFCS_STG_EXT.2,animmediateapplicationofthekeyfordecryptingtheprotecteddatafollowedbyasuccessfulverificationofthedecrypteddatawithpreviouslyknowninformation
].
ApplicationNote:TheSTauthormustassignthesameLong-termtrustedchannelkeymaterialassignedinFCS_STG_EXT.2.1.
FCS_STG_EXT.3.2TheTSFshallverifytheintegrityofthe[selection:hash,digitalsignature,MAC]ofthestoredkeypriortouseofthekey.
ApplicationNote:Thisrequirementisnotapplicabletoderivedkeysthatarenotstored.Itisnotexpectedthatasinglekeywillbeprotectedfromcorruptionbymultipleofthesemethods;however,aproductmayuseoneintegrity-protectionmethodforonetypeofkeyandadifferentmethodforothertypesofkeys.TheexplicitEvaluationActivitiesforeachoftheoptionswillbeaddressedineachoftherequirements(FCS_COP.1.1/HASH,FCS_COP.1.1/KEYHMAC).
KeyWrappingmustbeimplementedperSP800-38F.
EvaluationActivities
FCS_STG_EXT.3:TSSTheevaluatorshallexaminethekeyhierarchydescriptionintheTSSsectiontoverifythateachencryptedkeyisintegrityprotectedaccordingtooneoftheoptionsinFCS_STG_EXT.3.
Theevaluatorshallalsoensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
5.1.4Class:UserDataProtection(FDP)AsubsetoftheUserDataProtectionfocusesonprotectingData-At-Rest,namelyFDP_DAR_EXT.1andFDP_DAR_EXT.2.Threelevelsofdata-at-restprotectionareaddressed:TSFdata,ProtectedData(andkeys),andsensitivedata.Table6addressesthelevelofprotectionrequiredforeachlevelofdata-at-rest.
Table6:ProtectionofDataLevels
DataLevel ProtectionRequired
TSFData TSFdatadoesnotrequireconfidentiality,butdoesrequireintegrityprotection.(FPT_TST_EXT.2/PREKERNEL)
ProtectedData
Protecteddataisencryptedwhilepoweredoff.(FDP_DAR_EXT.1)
SensitiveData
Sensitivedataisencryptedwhileinthelockedstate,inadditiontowhilepoweredoff.(FDP_DAR_EXT.2)
Allkeys,protecteddata,andsensitivedatamustultimatelybeprotectedbytheREK.SensitivedatamustbeprotectedbythepasswordinadditiontotheREK.Inparticular,Figure3hasKEKsprotectedaccordingtotheserequirements:DEK_1wouldbeappropriateforsensitivedata,DEK_2wouldnotbeappropriateforsensitivedata,K_1isnotconsideredasensitivekey,andK_2isconsideredasensitivekey.
Theserequirementsincludeacapabilityforencryptingsensitivedatareceivedwhileinthelockedstate,whichmaybeconsideredaseparatesub-categoryofsensitivedata.Thiscapabilitymaybemetbyakey
transportscheme(RSA)byusingapublickeytoencrypttheDEKwhileprotectingthecorrespondingprivatekeywithapassword-derivedorbiometric-unlockedKEK.
Thiscapabilitymayalsobemetbyakeyagreementscheme.Todoso,thedevicegeneratesadevice-widesensitivedataasymmetricpair(theprivatekeyofwhichisprotectedbyapassword-derivedorbiometric-unlockedKEK)andanasymmetricpairforthereceivedsensitivedatatobestored.Inordertostorethesensitivedata,thedevice-widepublickeyanddataprivatekeyareusedtogenerateasharedsecret,whichcanbeusedasaKEKoraDEK.Thedataprivatekeyandsharedsecretareclearedafterthedataisencryptedandthedatapublickeystored.Thus,nokeymaterialisavailableinthelockedstatetodecryptthenewlystoreddata.Uponunlock,thedevice-wideprivatekeyisdecryptedandisusedwitheachdatapublickeytoregeneratethesharedsecretanddecryptthestoreddata.Figure4,below,illustratesthisscheme.
Figure4:KeyAgreementSchemeforEncryptingReceivedSensitiveDataintheLockedState
FDP_ACF_EXT.1AccessControlforSystemServicesFDP_ACF_EXT.1.1
TheTSFshallprovideamechanismtorestrictthesystemservicesthatareaccessibletoanapplication.
ApplicationNote:Examplesofsystemservicestowhichthisrequirementappliesinclude:
obtaindatafromcameraandmicrophoneinputdevicesobtaincurrentdevicelocationretrievecredentialsfromsystem-widecredentialstoreretrievecontactslist/addressbookretrievestoredpicturesretrievetextmessagesretrieveemailsretrievedeviceidentifierinformationobtainnetworkaccess
FDP_ACF_EXT.1.2TheTSFshallprovideanaccesscontrolpolicythatprevents[selection:application,groupsofapplications]fromaccessing[selection:all,private]datastoredbyother[selection:application,groupsofapplications].Exceptionsmayonlybeexplicitlyauthorizedforsuchsharingby[selection:theuser,theadministrator,acommonapplicationdeveloper,noone].
ApplicationNote:ApplicationgroupsmaybedesignatedEnterpriseorPersonal.ApplicationsinstalledbytheuserdefaulttobeinginthePersonalapplicationgroupunlessotherwisedesignatedbytheadministratorinfunction43ofFMT_SMF_EXT.1.1.ApplicationsinstalledbytheadministratordefaulttobeingintheEnterpriseapplicationgroup(thiscategoryincludesapplications
thattheuserrequeststheadministratorinstall,forinstancebyselectingtheapplicationforinstallationthroughanenterpriseapplicationcatalog)unlessotherwisedesignatedbytheadministratorinfunction43ofFMT_SMF_EXT.1.1.Itisacceptableforthesameapplicationtohavemultipleinstancesinstalled,eachindifferentapplicationgroups.Privatedataisdefinedasdatathatisaccessibleonlybytheapplicationthatwroteit.Privatedataisdistinguishedfromdatathatanapplicationmay,bydesign,writetosharedstorageareas.
If"groupsofapplications"isselected,FDP_ACF_EXT.2mustbeincludedintheST.
EvaluationActivities
FDP_ACF_EXT.1:TSSTheevaluatorshallensuretheTSSlistsallsystemservicesavailableforusebyanapplication.TheevaluatorshallalsoensurethattheTSSdescribeshowapplicationsinterfacewiththesesystemservices,andmeansbywhichthesesystemservicesareprotectedbytheTSF.
TheTSSshalldescribewhichofthefollowingcategorieseachsystemservicefallsin:
1. Noapplicationsareallowedaccess2. Privilegedapplicationsareallowedaccess3. Applicationsareallowedaccessbyuserauthorization4. Allapplicationsareallowedaccess
PrivilegedapplicationsincludeanyapplicationsdevelopedbytheTSFdeveloper.TheTSSshalldescribehowprivilegesaregrantedtothird-partyapplications.Forbothtypesofprivilegedapplications,theTSSshalldescribehowandwhentheprivilegesareverifiedandhowtheTSFpreventsunprivilegedapplicationsfromaccessingthoseservices.
Foranyservicesforwhichtheusermaygrantaccess,theevaluatorshallensurethattheTSSidentifieswhethertheuserispromptedforauthorizationwhentheapplicationisinstalled,orduringruntime.Theevaluatorshallensurethattheoperationaluserguidancecontainsinstructionsforrestrictingapplicationaccesstosystemservices.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsEvaluationActivityNote:ThefollowingtestsrequirethevendortoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Theevaluatorshallwrite,orthedevelopershallprovide,applicationsforthepurposesofthefollowingtests.
Test1:Foreachsystemservicetowhichnoapplicationsareallowedaccess,theevaluatorshallattempttoaccessthesystemservicewithatestapplicationandverifythattheapplicationisnotabletoaccessthatsystemservice.Test2:Foreachsystemservicetowhichonlyprivilegedapplicationsareallowedaccess,theevaluatorshallattempttoaccessthesystemservicewithanunprivilegedapplicationandverifythattheapplicationisnotabletoaccessthatsystemservice.Theevaluatorshallattempttoaccessthesystemservicewithaprivilegedapplicationandverifythattheapplicationcanaccesstheservice.Test3:Foreachsystemservicetowhichtheusermaygrantaccess,theevaluatorshallattempttoaccessthesystemservicewithatestapplication.Theevaluatorshallensurethateitherthesystemblockssuchaccessesorpromptsforuserauthorization.Thepromptforuserauthorizationmayoccuratruntimeoratinstallationtime,andshouldbeconsistentwiththebehaviordescribedintheTSS.Test4:ForeachsystemservicelistedintheTSSthatisaccessiblebyallapplications,theevaluatorshalltestthatanapplicationcanaccessthatsystemservice.
TSSTheevaluatorshallexaminetheTSStoverifythatitdescribeswhichdatasharingispermittedbetweenapplications,whichdatasharingisnotpermitted,andhowdisallowedsharingisprevented.Itispossibletoselectboth"applications"and"groupsofapplications",inwhichcasetheTSSisexpectedtodescribethedatasharingpoliciesthatwouldbeappliedineachcase.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTest1:Theevaluatorshallwrite,orthedevelopershallprovide,twoapplications,onethatsavesdatacontainingauniquestringandtheother,whichattemptstoaccessthatdata.If"groupsofapplications"isselected,theapplicationsshallbeplacedintodifferentgroups.If"application"isselected,theevaluatorshallinstallthetwoapplications.If"privatedata"isselected,theapplicationshallnotwritetoadesignatedsharedstoragearea.Theevaluatorshallverifythatthesecondapplicationisunabletoaccessthestoreduniquestring.
If"theuser"isselected,theevaluatorshallgrantaccessastheuserandverifythatthesecondapplicationisabletoaccessthestoreduniquestring.
If"theadministrator"isselected,theevaluatorshallgrantaccessastheadministratorandverifythatthesecondapplicationisabletoaccessthestoreduniquestring.
If"acommonapplicationdeveloper"isselected,theevaluatorshallgrantaccesstoan,applicationwithacommonapplicationdevelopertothefirst,andverifythattheapplicationisabletoaccessthestoreduniquestring.
FDP_DAR_EXT.1ProtectedDataEncryptionFDP_DAR_EXT.1.1
Encryptionshallcoverallprotecteddata.
ApplicationNote:Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.
FDP_DAR_EXT.1.2EncryptionshallbeperformedusingDEKswithAESinthe[selection:XTS,CBC,GCM]modewithkeysize[selection:128,256]bits.
ApplicationNote:IVsmustbegeneratedinaccordancewithFCS_IV_EXT.1.1.
EvaluationActivities
FDP_DAR_EXT.1:TSSTheevaluatorshallverifythattheTSSsectionoftheSTindicateswhichdataisprotectedbytheDARimplementationandwhatdataisconsideredTSFdata.Theevaluatorshallensurethatthisdataincludesallprotecteddata.
GuidanceTheevaluatorshallreviewtheAGDguidancetodeterminethatthedescriptionoftheconfigurationanduseoftheDARprotectiondoesnotrequiretheusertoperformanyactionsbeyondconfigurationandprovidingtheauthenticationcredential.TheevaluatorshallalsoreviewtheAGDguidancetodeterminethattheconfigurationdoesnotrequiretheusertoidentifyencryptiononaper-filebasis.
TestsEvaluationActivityNote:ThefollowingtestrequiresthedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:TheevaluatorshallenableencryptionaccordingtotheAGDguidance.Theevaluatorshallcreateuserdata(non-system)eitherbycreatingafileorbyusinganapplication.Theevaluatorshalluseatoolprovidedbythedevelopertoverifythatthisdataisencryptedwhentheproductispoweredoff,inconjunctionwithTest1forFIA_UAU_EXT.1.
FDP_DAR_EXT.2SensitiveDataEncryptionFDP_DAR_EXT.2.1
TheTSFshallprovideamechanismforapplicationstomarkdataandkeysassensitive.
ApplicationNote:Dataandkeysthathavebeenmarkedassensitivewillbesubjecttocertainrestrictions(throughotherrequirements)inboththelockedandunlockedstatesoftheMobileDevice.Thismechanismallowsanapplicationtochoosethosedataandkeysunderitscontroltobesubjecttothoserequirements.
Inthefuture,thisPPmayrequirethatalldataandkeycreatedbyapplicationswilldefaulttothe"sensitive"marking,requiringanexplicit"non-sensitive"markingratherthananexplicit"sensitive"marking.
FDP_DAR_EXT.2.2TheTSFshalluseanasymmetrickeyschemetoencryptandstoresensitivedatareceivedwhiletheproductislocked.
ApplicationNote:SensitivedataisencryptedaccordingtoFDP_DAR_EXT.1.2.TheasymmetrickeyschememustbeperformedinaccordancewithFCS_CKM.2/LOCKED.
Theintentofthisrequirementistoallowthedevicetoreceivesensitivedatawhilelockedandtostorethereceiveddatainsuchawayastopreventunauthorizedpartiesfromdecryptingitwhileinthelockedstate.Ifonlyasubsetofsensitivedatamaybereceivedinthelockedstate,thissubsetmustbedescribedintheTSS.
KeymaterialmustbeclearedwhennolongerneededaccordingtoFCS_CKM_EXT.4.Forkeys(orkeymaterialusedtoderivethosekeys)protectingsensitivedatareceivedinthelockedstate,"nolongerneeded"includes"whileinthelockedstate."Forexample,inthefirstkeyscheme,thisincludestheDEKprotectingthereceiveddataassoonasthedataisencrypted.Inthesecondkeyschemethisincludestheprivatekeyforthedataasymmetricpair,thegeneratedsharedsecret,andanygeneratedDEKs.Ofcourse,bothschemesrequirethataprivatekeyofanasymmetricpair(theRSAprivatekeyandthedevice-wideprivatekey,respectively)beclearedwhentransitioningtothelockedstate.
FDP_DAR_EXT.2.3TheTSFshallencryptanystoredsymmetrickeyandanystoredprivatekeyoftheasymmetrickey(s)usedfortheprotectionofsensitivedataaccordingtoFCS_STG_EXT.2.1selection2.
ApplicationNote:SymmetrickeysusedtoencryptsensitivedatawhiletheTSFisintheunlockedstatemustbeencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.Astoredprivatekeyoftheasymmetrickeyschemeforencryptingdatainthelockedstatemustbeencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.
FDP_DAR_EXT.2.4TheTSFshalldecryptthesensitivedatathatwasreceivedwhileinthelockedstateupontransitioningtotheunlockedstateusingtheasymmetrickeyschemeandshallre-encryptthatsensitivedatausingthesymmetrickeyscheme.
EvaluationActivities
FDP_DAR_EXT.2:TSSTheevaluatorshallverifythattheTSSincludesadescriptionofwhichdatastoredbytheTSF(suchasbynativeapplications)istreatedassensitive.Thisdatamayincludeallorsomeuserorenterprisedataandmustbespecificregardingthelevelofprotectionofemail,contacts,calendarappointments,messages,anddocuments.
TheevaluatorshallexaminetheTSStodeterminethatitdescribesthemechanismthatisprovidedforapplicationstousetomarkdataandkeysassensitive.Thisdescriptionshallalsocontaininformationreflectinghowdataandkeysmarkedinthismanneraredistinguishedfromdataandkeysthatarenot(forinstance,tagging,segregationina"special"areaofmemoryorcontainer,etc.).
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTest1:TheevaluatorshallenableencryptionofsensitivedataandrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshalltrytoaccessandcreatesensitivedata(asdefinedintheSTandeitherbycreatingafileorusinganapplicationtogeneratesensitivedata)inordertoverifythatnootheruserinteractionisrequired.
TSSTheevaluatorshallreviewtheTSSsectionoftheSTtodeterminethattheTSSincludesadescriptionoftheprocessofreceivingsensitivedatawhilethedeviceisinalockedstate.Theevaluatorshallalsoverifythatthedescriptionindicatesifsensitivedatathatmaybereceivedinthelockedstateistreateddifferentlythansensitivedatathatcannotbereceivedinthelocked
state.Thedescriptionshallincludethekeyschemeforencryptingandstoringthereceiveddata,whichmustinvolveanasymmetrickeyandmustpreventthesensitivedata-at-restfrombeingdecryptedbywipingallkeymaterialusedtoderiveorencryptthedata(asdescribedintheapplicationnote).Theintroductiontothissectionprovidestwodifferentschemesthatmeettherequirements,butothersolutionsmayaddressthisrequirement.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTheevaluatorshallperformthetestsinFCS_CKM_EXT.4forallkeymaterialnolongerneededwhileinthelockedstateandshallensurethatkeysfortheasymmetricschemeareaddressedinthetestsperformedwhentransitioningtothelockedstate.TSSTheevaluatorshallverifythatthekeyhierarchysectionoftheTSSrequiredforFCS_STG_EXT.2.1includesthesymmetricencryptionkeys(DEKs)usedtoencryptsensitivedata.TheevaluatorshallensurethattheseDEKsareencryptedbyakeyencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.
TheevaluatorshallverifythattheTSSsectionoftheSTthatdescribestheasymmetrickeyschemeincludestheprotectionofanyprivatekeysoftheasymmetricpairs.TheevaluatorshallensurethatanyprivatekeysthatarenotwipedandarestoredbytheTSFarestoredencryptedbyakeyencryptedwith(orchaintoaKEKencryptedwith)theREKandpassword-derivedorbiometric-unlockedKEK.
Theevaluatorshallalsoensurethatthedocumentationoftheproduct'sencryptionkeymanagementisdetailedenoughthat,afterreading,theproduct'skeymanagementhierarchyisclearandthatitmeetstherequirementstoensurethekeysareadequatelyprotected.Theevaluatorshallensurethatthedocumentationincludesbothanessayandoneormorediagrams.NotethatthismayalsobedocumentedasseparateproprietaryevidenceratherthanbeingincludedintheTSS.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.
TSSTheevaluatorshallverifythattheTSSsectionoftheSTthatdescribestheasymmetrickeyschemeincludesadescriptionoftheactionstakenbytheTSFforthepurposesofDARupontransitioningtotheunlockedstate.Theseactionsshallminimallyincludedecryptingallreceiveddatausingtheasymmetrickeyschemeandre-encryptingwiththesymmetrickeyschemeusedtostoredatawhilethedeviceisunlocked.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.
FDP_IFC_EXT.1SubsetInformationFlowControlFDP_IFC_EXT.1.1
TheTSFshall[selection:provideaninterfacewhichallowsaVPNclienttoprotectallIPtrafficusingIPsec,provideaVPNclientwhichcanprotectallIPtrafficusingIPsecasdefinedinthePP-ModuleforVPNClient
]withtheexceptionofIPtrafficrequiredtoestablishtheVPNconnection.
ApplicationNote:Typically,thetrafficrequiredtoestablishtheVPNconnectionisreferredtoas"ControlPlane"traffic;whereas,theIPtrafficprotectedbytheIPsecVPNisreferredtoas"DataPlane"traffic.All"DataPlane"trafficmustflowthroughtheVPNconnectionandtheVPNmustnotsplit-tunnel.
IfnonativeIPsecclientisvalidatedorthird-partyVPNclientsmayalsoimplementtherequiredInformationFlowControl,thefirstoptionmustbeselected.Inthesecases,theTOEprovidesanAPItothird-partyVPNclientsthat
allowthemtoconfiguretheTOE’snetworkstacktoperformtherequiredInformationFlowControl.
TheSTauthormustselectthesecondoptioniftheTSFimplementsanativeVPNclient(IPsecisselectedinFTP_ITC_EXT.1).ThustheTSFmustbevalidatedagainstthePP-ModuleforVPNClientandtheSTauthormustalsoincludeFDP_IFC_EXT.1fromthePP-ModuleforVPNClient.
ItisoptionalfortheVPNclienttobeconfiguredtobealways-onperFMT_SMF_EXT.1Function45.Always-onmeanstheestablishmentofanIPsectrustedchanneltoallowanycommunicationbytheTSF.
EvaluationActivities
FDP_IFC_EXT.1:TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribestheroutingofIPtrafficthroughprocessesontheTSFwhenaVPNclientisenabled.TheevaluatorshallensurethatthedescriptionindicateswhichtrafficdoesnotgothroughtheVPNandwhichtrafficdoesandthataconfigurationexistsforeachbasebandprotocolinwhichonlythetrafficidentifiedbytheSTauthorasnecessaryforestablishingtheVPNconnection(IKEtrafficandperhapsHTTPSorDNStraffic)isnotencapsulatedbytheVPNprotocol(IPsec).TheevaluatorshallverifythattheTSSsectiondescribesanydifferencesintheroutingofIPtrafficwhenusinganysupportedbasebandprotocols(e.g.Wi-Fior,LTE).
GuidanceTheevaluatorshallverifythatone(ormore)ofthefollowingoptionsisaddressedbythedocumentation:
ThedescriptionaboveindicatesthatifaVPNclientisenabled,allconfigurationsrouteallDataPlanetrafficthroughthetunnelinterfaceestablishedbytheVPNclient.TheAGDguidancedescribeshowtheuserand/oradministratorcanconfiguretheTSFtomeetthisrequirement.TheAPIdocumentationincludesasecurityfunctionthatallowsaVPNclienttospecifythisrouting.
TestsTest1:IftheSTauthoridentifiesanydifferencesintheroutingbetweenWi-Fiandcellularprotocols,theevaluatorshallrepeatthistestwithabasestationimplementingoneoftheidentifiedcellularprotocols.
Step1:TheevaluatorshallenableaWi-FiconfigurationasdescribedintheAGDguidance(asrequiredbyFTP_ITC_EXT.1).TheevaluatorshalluseapacketsniffingtoolbetweenthewirelessaccesspointandanInternet-connectednetwork.Theevaluatorshallturnonthesniffingtoolandperformactionswiththedevicesuchasnavigatingtowebsites,usingprovidedapplications,andaccessingotherInternetresources.Theevaluatorshallverifythatthesniffingtoolcapturesthetrafficgeneratedbytheseactions,turnoffthesniffingtool,andsavethesessiondata.
Step2:TheevaluatorshallconfigureanIPsecVPNclientthatsupportstheroutingspecifiedinthisrequirement,andifnecessary,configurethedevicetoperformtheroutingspecifiedasdescribedintheAGDguidance.Theevaluatorshallturnonthesniffingtool,establishtheVPNconnection,andperformthesameactionswiththedeviceasperformedinthefirststep.Theevaluatorshallverifythatthesniffingtoolcapturestrafficgeneratedbytheseactions,turnoffthesniffingtool,andsavethesessiondata.
Step3:TheevaluatorshallexaminethetrafficfrombothsteponeandsteptwotoverifythatallDataPlanetrafficisencapsulatedbyIPsec.TheevaluatorshallexaminetheSecurityParameterIndex(SPI)valuepresentintheencapsulatedpacketscapturedinSteptwofromtheTOEtotheGatewayandshallverifythisvalueisthesameforallactionsusedtogeneratetrafficthroughtheVPN.NotethatitisexpectedthattheSPIvalueforpacketsfromtheGatewaytotheTOEisdifferentthantheSPIvalueforpacketsfromtheTOEtotheGateway.TheevaluatorshallbeawarethatIPtrafficonthecellularbasebandoutsideoftheIPsectunnelmaybeemanatingfromthebasebandprocessorandshallverifywiththemanufacturerthatanyidentifiedtrafficisnotemanatingfromtheapplicationprocessor.
Step4:TheevaluatorshallperformanICMPechofromtheTOEtotheIPaddressofanotherdeviceonthelocalwirelessnetworkandshallverifythatnopacketsaresentusingthesniffingtool.TheevaluatorshallattempttosendpacketstotheTOEoutsidetheVPNtunnel(i.e.notthroughtheVPNgateway),includingfromthelocalwirelessnetwork,andshallverifythattheTOEdiscardsthem.
FDP_STG_EXT.1UserDataStorageFDP_STG_EXT.1.1
TheTSFshallprovideprotectedstoragefortheTrustAnchorDatabase.
EvaluationActivities
FDP_STG_EXT.1:TSSTheevaluatorshallensuretheTSSdescribestheTrustAnchorDatabaseimplementedthatcontaincertificatesusedtomeettherequirementsofthisPP.Thisdescriptionshallcontaininformationpertainingtohowcertificatesareloadedintothestore,andhowthestoreisprotectedfromunauthorizedaccess(forexample,UNIXpermissions)inaccordancewiththepermissionsestablishedinFMT_SMF_EXT.1andFMT_MOF_EXT.1.1.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FDP_UPC_EXT.1/APPSInter-TSFUserDataTransferProtection(Applications)FDP_UPC_EXT.1.1/APPS
TheTSFshallprovideameansfornon-TSFapplicationsexecutingontheTOEtouse
mutuallyauthenticatedTLSasdefinedinthePackageforTransportLayerSecurity,HTTPS,
and[selection:mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity,IPsecasdefinedinthePP-ModuleforVPNClient,nootherprotocol
]toprovideaprotectedcommunicationchannelbetweenthenon-TSFapplicationandanotherITproductthatislogicallydistinctfromothercommunicationchannels,providesassuredidentificationofitsendpoints,protectschanneldatafromdisclosure,anddetectsmodificationofthechanneldata.
ApplicationNote:Theintentofthisrequirementisthatoneoftheselectedprotocolsisavailableforusebyuserapplicationsrunningonthedeviceforuseinconnectingtodistant-endservicesthatarenotnecessarilypartoftheenterpriseinfrastructure.ItshouldbenotedthattheFTP_ITC_EXT.1requiresthatallTSFcommunicationsbeprotectedusingtheprotocolsindicatedinthatrequirement,sotheprotocolsrequiredbythiscomponentride"ontopof"thoselistedinFTP_ITC_EXT.1.
ItshouldalsobenotedthatsomeapplicationsarepartoftheTSF,andFTP_ITC_EXT.1requiresthatTSFapplicationsbeprotectedbyatleastoneoftheprotocolsinfirstselectioninFTP_ITC_EXT.1.Itisnotrequiredtohavetwodifferentimplementationsofaprotocol,ortwodifferentprotocols,tosatisfyboththisrequirement(fornon-TSFapps)andFTP_ITC_EXT.1(forTSFapps),aslongastheservicesspecifiedareprovided.
TheSTauthormustlistwhichtrustedchannelprotocolsareimplementedbytheMobileDeviceforusebynon-TSFapps.
TheTSFmustbevalidatedagainstrequirementsfromthePackageforTransportLayerSecurity,withthefollowingselectionsmade:
FCS_TLS_EXT.1:TLSisselectedClientisselected
FCS_TLSC_EXT.1.1:TheciphersuitesselectedmustcorrespondwiththealgorithmsandhashfunctionsallowedinFCS_COP.1.Mutualauthenticationmustbeselected
FCS_TLSC_EXT.1.3Withnoexceptionsisselected.
If"mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayer
Security"isselected,theTSFmustbevalidatedagainstrequirementsfromthePackageforTransportLayerSecurity,withthefollowingselectionsmade:
FCS_TLS_EXT.1:DTLSisselectedclientisselected
FCS_DTLSC_EXT.1.1:TheciphersuitesselectedmustcorrespondwiththealgorithmsandhashfunctionsallowedinFCS_COP.1.mutualauthenticationmustbeselected
FCS_DTLSC_EXT.1.3Withnoexceptionsisselected.
IftheSTauthorselectsIPsec,theTSFmustbevalidatedagainstthePP-ModuleforVirtualPrivateNetwork(VPN)Clients.
FDP_UPC_EXT.1.2/APPSTheTSFshallpermitthenon-TSFapplicationstoinitiatecommunicationviathetrustedchannel.
EvaluationActivities
FDP_UPC_EXT.1/APPS:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(protectionchannel)describedintheserequirements,andverifythattheAPIsimplementedtosupportthisrequirementincludetheappropriatesettings/parameterssothattheapplicationcanbothprovideandobtaintheinformationneededtoassuremutualidentificationoftheendpointsofthecommunicationasrequiredbythiscomponent.
TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthatallprotocolslistedintheTSSarespecifiedandincludedintherequirementsintheST.
GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsnecessaryforconfiguringtheprotocol(s)selectedforusebytheapplications.
TestsEvaluationActivityNote:ThefollowingtestrequiresthedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestsprotectedchannelservicesbytheTSF.TheevaluatorshallverifythattheresultsfromtheprotectedchannelmatchtheexpectedresultsaccordingtotheAPIdocumentation.ThisapplicationmaybeusedtoassistinverifyingtheprotectedchannelEvaluationActivitiesfortheprotocolrequirements.Theevaluatorshallalsoperformthefollowingtests:
Test1:TheevaluatorsshallensurethattheapplicationisabletoinitiatecommunicationswithanexternalITentityusingeachprotocolspecifiedintherequirement,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Theevaluatorshallensure,foreachcommunicationchannelwithanauthorizedITentity,thechanneldataarenotsentinplaintext.
5.1.5Class:IdentificationandAuthentication(FIA)
FIA_AFL_EXT.1AuthenticationFailureHandlingFIA_AFL_EXT.1.1
TheTSFshallconsiderpasswordand[selection:fingerprint,iris,face,voice,vein,hybrid,noother]ascriticalauthenticationmechanisms.
ApplicationNote:Acriticalauthenticationmechanismisoneinwhichcountermeasuresaretriggered(i.e.wipeofthedevice)whenthemaximumnumberofunsuccessfulauthenticationattemptsisexceeded,renderingtheotherfactorsunavailable.
IfnoadditionalauthenticationmechanismsareselectedinFIA_UAU.5.1,then‘noother’mustbeselected.IfanadditionalauthenticationmechanismisselectedinFIA_UAU.5.1,thenitmustonlybeselectedinFIA_AFL_EXT.1.1if
surpassingtheauthenticationfailurethresholdforbiometricdatacausesacountermeasuretobetriggeredregardlessofthefailurestatusoftheotherauthenticationmechanisms.
IftheTOEimplementsmultipleAuthenticationFactorinterfaces(forexample,aDARdecryptioninterface,alockscreeninterface,anauxiliarybootmodeinterface),thiscomponentappliestoallavailableinterfaces.Forexample,apasswordisacriticalauthenticationmechanismregardlessofifitisbeingenteredattheDARdecryptioninterfaceoratalockscreeninterface.
FIA_AFL_EXT.1.2TheTSFshalldetectwhenaconfigurablepositiveintegerwithin[assignment:rangeofacceptablevaluesforeachauthenticationmechanism]of[selection:unique,non-unique]unsuccessfulauthenticationattemptsoccurrelatedtolastsuccessfulauthenticationforeachauthenticationmechanism.
ApplicationNote:Thepositiveinteger(s)isconfiguredaccordingtoFMT_SMF_EXT.1.1function2.
Anuniqueauthenticationattemptisdefinedasanyattempttoverifyapasswordorbiometricsample,inwhichtheinputisdifferentfromapreviousattempt.‘Unique’mustbeselectediftheauthenticationsystemincrementsthecounteronlyforuniqueunsuccessfulauthenticationattempts.Forexample,ifthesameincorrectpasswordisattemptedtwicetheauthenticationsystemincrementsthecounteronce.‘Non-unique’mustbeselectediftheauthenticationsystemincrementsthecounterforeachunsuccessfulauthenticationattempt,regardlessofiftheinputisunique.Forexample,ifthesameincorrectpasswordisattemptedtwicetheauthenticationsystemincrementsthecountertwice.
Ifhybridauthentication(i.e.acombinationofbiometricandpin/password)issupported,afailedauthenticationattemptcanbecountedasasingleattempt,evenifboththebiometricandpin/passwordwereincorrect.
IftheTOEsupportsmultipleauthenticationmechanismsperFIA_UAU.5.1,thiscomponentappliestoallauthenticationmechanisms.Itisacceptableforeachauthenticationmechanismtoutilizeanindependentcounterorformultipleauthenticationmechanismstoutilizeasharedcounter.TheinteractionbetweentheauthenticationfactorsinregardstotheauthenticationcountermustbeinaccordancewithFIA_UAU.5.2.
IftheTOEimplementsmultipleAuthenticationFactorinterfaces(forexample,aDARdecryptioninterface,alockscreeninterface,anauxiliarybootmodeinterface),thiscomponentappliestoallavailableinterfaces.However,itisacceptableforeachAuthenticationFactorinterfacetobeconfigurablewithadifferentnumberofunsuccessfulauthenticationattempts.
FIA_AFL_EXT.1.3TheTSFshallmaintainthenumberofunsuccessfulauthenticationattemptsthathaveoccurreduponpoweroff.
ApplicationNote:TheTOEmayimplementanAuthenticationFactorinterfacethatprecedesanotherAuthenticationFactorinterfaceinthebootsequence(forexample,avolumeDARdecryptioninterfacewhichprecedesthelockscreeninterface)beforetheusercanaccessthedevice.Inthissituation,becausetheusermustsuccessfullyauthenticatetothefirstinterfacetoaccessthesecond,thenumberofunsuccessfulauthenticationattemptsneednotbemaintainedforthesecondinterface.
FIA_AFL_EXT.1.4Whenthedefinednumberofunsuccessfulauthenticationattemptshasexceededthemaximumallowedforagivenauthenticationmechanism,allfutureauthenticationattemptswillbelimitedtootheravailableauthenticationmechanisms,unlessthegivenmechanismisdesignatedasacriticalauthenticationmechanism.
ApplicationNote:InaccordancewithFIA_AFL_EXT.1.3,thisrequirementalsoappliesaftertheTOEispoweredoffandpoweredbackon.
FIA_AFL_EXT.1.5Whenthedefinednumberofunsuccessfulauthenticationattemptsforthelastavailableauthenticationmechanismorsinglecriticalauthenticationmechanismhasbeensurpassed,theTSFshallperformawipeofallprotecteddata.
ApplicationNote:WipeisperformedinaccordancewithFCS_CKM_EXT.5.Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.
IftheTOEimplementsmultipleAuthenticationFactorinterfaces(forexample,aDARdecryptioninterface,alockscreeninterface,anauxiliarybootmode
interface),thiscomponentappliestoallavailableinterfaces.
FIA_AFL_EXT.1.6TheTSFshallincrementthenumberofunsuccessfulauthenticationattemptspriortonotifyingtheuserthattheauthenticationwasunsuccessful.
ApplicationNote:Thisrequirementistoensurethatifpoweriscuttothedevicedirectlyafteranauthenticationattempt,thecounterwillbeincrementedtoreflectthatattempt.
EvaluationActivities
FIA_AFL_EXT.1:TSSTheevaluatorshallensurethattheTSSdescribesthatavaluecorrespondingtothenumberofunsuccessfulauthenticationattemptssincethelastsuccessfulauthenticationiskeptforeachAuthenticationFactorinterface.TheevaluatorshallensurethatthisdescriptionalsoincludesifandhowthisvalueismaintainedwhentheTOElosespower,eitherthroughagracefulpoweredofforanungracefullossofpower.Theevaluatorshallensurethatifthevalueisnotmaintained,theinterfaceisafteranotherinterfaceinthebootsequenceforwhichthevalueismaintained.
IftheTOEsupportsmultipleauthenticationmechanisms,theevaluatorshallensurethatthisdescriptionalsoincludeshowtheunsuccessfulauthenticationattemptsforeachmechanismselectedinFIA_UAU.5.1ishandled.TheevaluatorshallverifythattheTSSdescribesifeachauthenticationmechanismutilizesitsowncounterorifmultipleauthenticationmechanismsutilizeasharedcounter.Ifmultipleauthenticationmechanismsutilizeasharedcounter,theevaluatorshallverifythattheTSSdescribesthisinteraction.
TheevaluatorshallconfirmthattheTSSdescribeshowtheprocessusedtodetermineiftheauthenticationattemptwassuccessful.TheevaluatorshallensurethatthecounterwouldbeupdatedevenifpowertothedeviceiscutimmediatelyfollowingnotifyingtheTOEuseriftheauthenticationattemptwassuccessfulornot.
GuidanceTheevaluatorshallverifythattheAGDguidancedescribeshowtheadministratorconfiguresthemaximumnumberofuniqueunsuccessfulauthenticationattempts.
TestsTest1:TheevaluatorshallconfigurethedevicewithallauthenticationmechanismsselectedinFIA_UAU.5.1.Theevaluatorshallperformthefollowingtestsforeachavailableauthenticationinterface:
Test1a:TheevaluatorshallconfiguretheTOE,accordingtotheAGDguidance,withamaximumnumberofunsuccessfulauthenticationattempts.Theevaluatorshallenterthelockedstateandenterincorrectpasswordsuntilthewipeoccurs.Theevaluatorshallverifythatthenumberofpasswordentriescorrespondstotheconfiguredmaximumandthatthewipeisimplemented.
Test1b:[conditional]IftheTOEsupportsmultipleauthenticationmechanismstheprevioustestshallberepeatedusingacombinationofauthenticationmechanismsconfirmingthatthecriticalauthenticationmechanismswillcausethedevicetowipeandthatwhenthemaximumnumberofunsuccessfulauthenticationattemptsforanon-criticalauthenticationmechanismisexceeded,thedevicelimitsauthenticationattemptstootheravailableauthenticationmechanisms.Ifmultipleauthenticationmechanismsutilizeasharedcounter,thentheevaluatorshallverifythatthemaximumnumberofunsuccessfulauthenticationattemptscanbereachedbyusingeachindividualauthenticationmechanismandacombinationofallauthenticationmechanismsthatsharethecounter.
Test2:Theevaluatorshallrepeattestone,butshallpoweroff(byremovingthebattery,ifpossible)theTOEbetweenunsuccessfulauthenticationattempts.Theevaluatorshallverifythatthetotalnumberofunsuccessfulauthenticationattemptsforeachauthenticationmechanismcorrespondstotheconfiguredmaximumandthatthecriticalauthenticationmechanismscausethedevicetowipe.Alternatively,ifthenumberofauthenticationfailuresisnotmaintainedfortheinterfaceundertest,theevaluatorshallverifythatuponbootingtheTOEbetweenunsuccessfulauthenticationattemptsanotherauthenticationfactorinterfaceispresentedbeforetheinterfaceundertest.
FIA_PMG_EXT.1PasswordManagementFIA_PMG_EXT.1.1
TheTSFshallsupportthefollowingforthePasswordAuthenticationFactor:
1. Passwordsshallbeabletobecomposedofanycombinationof[selection:upperandlowercaseletters,[assignment:acharactersetofatleast52characters]],numbers,andspecialcharacters:[selection:"!","@","#","$","%","^","&","*","(",")",[assignment:othercharacters]];
2. Passwordlengthupto[assignment:anintegergreaterthanorequalto14]charactersshallbesupported.
ApplicationNote:Whilesomecorporatepoliciesrequirepasswordsof14charactersorbetter,theuseofaREKforDARprotectionandkeystorageprotectionandtheanti-hammerrequirement(FIA_TRT_EXT.1)addressesthethreatofattackerswithphysicalaccessusingmuchsmallerandlesscomplexpasswords.
TheSTauthorselectsthecharacterset:eithertheupperandlowercaseBasicLatinlettersoranotherassignedcharactersetcontainingatleast52characters.Theassignedcharactersetmustbewelldefined:eitheraccordingtoaninternationalencodingstandard(suchasUnicode)ordefinedintheassignmentbytheSTauthor.TheSTauthoralsoselectsthespecialcharactersthataresupportedbyTOE;theymayoptionallylistadditionalspecialcharacterssupportedusingtheassignment.
EvaluationActivities
FIA_PMG_EXT.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTheevaluatorshallexaminetheoperationalguidancetodeterminethatitprovidesguidancetosecurityadministratorsonthecompositionofstrongpasswords,andthatitprovidesinstructionsonsettingtheminimumpasswordlength.Theevaluatorshallalsoperformthefollowingtests.Notethatoneormoreofthesetestscanbeperformedwithasingletestcase.
TestsTest1:Theevaluatorshallcomposepasswordsthateithermeettherequirements,orfailtomeettherequirements,insomeway.Foreachpassword,theevaluatorshallverifythattheTOEsupportsthepassword.Whiletheevaluatorisnotrequired(norisitfeasible)totestallpossiblecompositionsofpasswords,theevaluatorshallensurethatallcharacters,rulecharacteristics,andaminimumlengthlistedintherequirementaresupported,andjustifythesubsetofthosecharacterschosenfortesting.
FIA_TRT_EXT.1AuthenticationThrottlingFIA_TRT_EXT.1.1
TheTSFshalllimitautomateduserauthenticationattemptsby[selection:preventingauthenticationviaanexternalport,enforcingadelaybetweenincorrectauthenticationattempts]forallauthenticationmechanismsselectedinFIA_UAU.5.1.Theminimumdelayshallbesuchthatnomorethan10attemptscanbeattemptedper500milliseconds.
ApplicationNote:TheauthenticationthrottlingappliestoallauthenticationmechanismsselectedinFIA_UAU.5.1.TheuserauthenticationattemptsinthisrequirementareattemptstoguesstheAuthenticationFactor.Thedevelopercanimplementthetimingofthedelaysintherequirementsusingunequalorequaltimingofdelays.Theminimumdelayspecifiedinthisrequirementprovidesdefenseagainstbruteforcing.
EvaluationActivities
FIA_TRT_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesthemethodbywhichauthenticationattemptsarenotabletobeautomated.TheevaluatorshallensurethattheTSSdescribeseitherhowtheTSFdisablesauthenticationviaexternalinterfaces(otherthantheordinaryuserinterface)orhowauthenticationattemptsaredelayedinordertoslowautomatedentryandshallensurethatthisdelaytotalsatleast500millisecondsover10attemptsforallauthenticationmechanismsselectedinFIA_UAU.5.1.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FIA_UAU.5MultipleAuthenticationMechanismsFIA_UAU.5.1
TheTSFshallprovidepasswordand[selection:fingerprint,iris,face,voice,vein,hybrid,noothermechanism]tosupportuserauthentication.
ApplicationNote:TheTSFmustsupportaPasswordAuthenticationFactorandmayoptionallyimplementaBAF,intheformofafingerprint,iris,face,voiceand(finger/palm)vein.AhybridauthenticationfactoriswhereauserhastosubmitacombinationofPIN/passwordandbiometricsamplewherebothhavetopassandifeitherfailstheuserisnotmadeawareofwhichfactorfailed.
If"hybrid"isselected,abiometricmodalitydoesnotneedtobeselected,butshouldbeselectedifthebiometricauthenticationcanbeusedindependentofthehybridauthentication,i.e.withouthavingtoenteraPIN/password.
Ifabiometricmodalityor"hybrid"isselected,thenFIA_BMG_EXT.1andFDP_PBA_EXT.1mustbeincludedintheST.
If"usingaPINasanadditionalfactor"or"usingapasswordasanadditionalfactor"isselectedinFDP_PBA_EXT.1.1,then"hybrid"mustbeselected.
ThePasswordAuthenticationFactorisconfiguredaccordingtoFIA_PMG_EXT.1.
FIA_UAU.5.2TheTSFshallauthenticateanyuser'sclaimedidentityaccordingtothe[assignment:rulesdescribinghoweachauthenticationmechanismselectedinFIA_UAU.5.1providesauthentication].
ApplicationNote:RulesregardinghowtheauthenticationfactorsinteractintermsofunsuccessfulauthenticationarecoveredinFIA_AFL_EXT.1.
EvaluationActivities
FIA_UAU.5:TSSTheevaluatorshallensurethattheTSSdescribeseachmechanismprovidedtosupportuserauthenticationandtherulesdescribinghowtheauthenticationmechanism(s)provideauthentication.
Specifically,forallauthenticationmechanismsspecifiedinFIA_UAU.5.1,theevaluatorshallensurethattheTSSdescribestherulesastohoweachauthenticationmechanismisused.Examplerulesarehowtheauthenticationmechanismauthenticatestheuser(i.e.howdoestheTSFverifythatthecorrectpasswordorbiometricsamplewasentered),theresultofasuccessfulauthentication(i.e.istheuserinputusedtoderiveorunlockakey)andwhichauthenticationmechanismcanbeusedatwhichauthenticationfactorinterfaces(i.e.iftherearetimes,forexample,afterareboot,thatonlyspecificauthenticationmechanismscanbeused).IfmultipleBAFsaresupportedperFIA_UAU.5.1,theinteractionbetweentheBAFsmustbedescribed.Forexample,whetherthemultipleBAFscanbeenabledatthesametime.
GuidanceTheevaluatorshallverifythatconfigurationguidanceforeachauthenticationmechanismisaddressedintheAGDguidance.
TestsTest1:ForeachauthenticationmechanismselectedinFIA_UAU.5.1,theevaluatorshallenablethatmechanismandverifythatitcanbeusedtoauthenticatetheuseratthespecifiedauthenticationfactorinterfaces.Test2:Foreachauthenticationmechanismrule,theevaluatorshallensurethattheauthenticationmechanism(s)behaveaccordingly.
FIA_UAU.6Re-AuthenticationFIA_UAU.6.1
TheTSFshallre-authenticatetheuserviathePasswordAuthenticationFactorundertheconditionsattemptedchangetoanysupportedauthenticationmechanisms.
ApplicationNote:Thepasswordauthenticationfactormustbeenteredbeforeeitherthepasswordorbiometricauthenticationfactor,ifselectedinFIA_UAU.5.1,canbechanged.
FIA_UAU.6.2TheTSFshallre-authenticatetheuserviaanauthenticationfactordefinedinFIA_UAU.5.1undertheconditionsTSF-initiatedlock,user-initiatedlock,[assignment:otherconditions].
ApplicationNote:DependingontheselectionsmadeinFIA_UAU.5.1,eitherthepassword(ataminimum),biometricauthenticationorhybridauthenticationmechanismscanbeusedtounlockthedevice.TSF-anduser-initiatedlockingisdescribedinFTA_SSL_EXT.1.
EvaluationActivities
FIA_UAU.6:TSSTherearenoTSSevaluationactivitiesforthiselement.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTest1:TheevaluatorshallconfiguretheTSFtousethePasswordAuthenticationFactoraccordingtotheAGDguidance.TheevaluatorshallchangePasswordAuthenticationFactoraccordingtotheAGDguidanceandverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforeallowingthefactortobechanged.Test2:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallconfiguretheTSFtousetheBAF,whichincludesconfiguringthePasswordAuthenticationFactor,accordingtotheAGDguidance.TheevaluatorshallchangetheBAFaccordingtotheAGDguidanceandverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforeallowingtheBAFtobechanged.Test3:[conditional]If"hybrid"isselectedinFIA_UAU.5.1,theevaluatorshallconfiguretheTSFtousetheBAFandPINorpassword,whichincludesconfiguringthePasswordAuthenticationFactor,accordingtotheAGDguidance.TheevaluatorshallchangetheBAFandPINaccordingtotheAGDguidanceandverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforeallowingthefactortobechanged.
TSSTherearenoTSSevaluationactivitiesforthiselement.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTest1:TheevaluatorshallconfiguretheTSFtotransitiontothelockedstateafteratimeofinactivity(FMT_SMF_EXT.1)accordingtotheAGDguidance.TheevaluatorshallwaituntiltheTSFlocksandthenverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforetransitioningtotheunlockedstate.Test2:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest1verifyingthattheTSFrequirestheentryoftheBAFbeforetransitioningtotheunlockedstate.Test3:[conditional]If"hybrid"isselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest1verifyingthattheTSFrequirestheentryoftheBAFandPIN/passwordbeforetransitioningtotheunlockedstate.Test4:Theevaluatorshallconfigureuser-initiatedlockingaccordingtotheAGDguidance.TheevaluatorshalllocktheTSFandthenverifythattheTSFrequirestheentryofthePasswordAuthenticationFactorbeforetransitioningtotheunlockedstate.Test5:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest4verifyingthattheTSFrequirestheentryoftheBAFbeforetransitioningtotheunlockedstate.Test6:[conditional]If"hybrid"isselectedinFIA_UAU.5.1,theevaluatorshallrepeatTest4verifyingthattheTSFrequirestheentryoftheBAFandPIN/passwordbeforetransitioningtotheunlockedstate.
FIA_UAU.7ProtectedAuthenticationFeedbackFIA_UAU.7.1
TheTSFshallprovideonlyobscuredfeedbacktothedevice’sdisplaytotheuserwhiletheauthenticationisinprogress.
ApplicationNote:ThisappliestoallauthenticationmethodsspecifiedinFIA_UAU.5.1.TheTSFmaybriefly(1secondorless)displayeachcharacterorprovideanoptiontoallowtheusertounmaskthepassword;however,thepasswordmustbeobscuredbydefault.
IfaBAFisselectedinFIA_UAU.5.1,theTSFmustnotdisplaysensitiveinformationregardingthebiometricthatcouldaidanadversaryinidentifyingand/orspoofingtherespectivebiometriccharacteristicsofagivenhumanuser.Whileitistruethatbiometricsamples,bythemselves,arenotsecret,theanalysisperformedbytherespectivebiometricalgorithms,aswellasoutputdatafromthesebiometricalgorithms,isconsideredsensitiveandmustbekeptsecret.Whereapplicable,theTSFmustnotrevealormakepublicthereason(s)forauthenticationfailure.
EvaluationActivities
FIA_UAU.7:TSSTheevaluatorshallensurethattheTSSdescribesthemeansofobscuringtheauthenticationentry,forallauthenticationmethodsspecifiedinFIA_UAU.5.1.
GuidanceTheevaluatorshallverifythatanyconfigurationofthisrequirementisaddressedintheAGDguidanceandthatthepasswordisobscuredbydefault.
TestsTest1:Theevaluatorshallenterpasswordsonthedevice,includingatleastthePasswordAuthenticationFactoratlockscreen,andverifythatthepasswordisnotdisplayedonthedevice.Test2:[conditional]ForeachBAFselectedinFIA_UAU.5.1,theevaluatorshallauthenticatebyproducingabiometricsampleatlockscreen.Asthebiometricalgorithmsareperformed,theevaluatorshallverifythatsensitiveimages,audio,orotherinformationidentifyingtheuserarekeptsecretandarenotrevealedtotheuser.Additionally,theevaluatorshallproduceabiometricsamplethatfailstoauthenticateandverifythatthereason(s)forauthenticationfailure(usermismatch,lowsamplequality,etc.)arenotrevealedtotheuser.ItisacceptablefortheBAFtostatethatitwasunabletophysicallyreadthebiometricsample,forexample,ifthesensorisuncleanorthebiometricsamplewasremovedtooquickly.However,specificsregardingwhythepresentedbiometricsamplefailedauthenticationshallnotberevealedtotheuser.
FIA_UAU_EXT.1AuthenticationforCryptographicOperationFIA_UAU_EXT.1.1
TheTSFshallrequiretheusertopresentthePasswordAuthenticationFactorpriortodecryptionofprotecteddataandencryptedDEKs,KEKsand[selection:long-termtrustedchannelkeymaterial,allsoftware-basedkeystorage,nootherkeys]atstartup.
ApplicationNote:TheintentofthisrequirementistopreventdecryptionofprotecteddatabeforetheuserhasauthorizedtothedeviceusingthePasswordAuthenticationFactor.ThePasswordAuthenticationFactorisalsorequiredinorderderivethekeyusedtodecryptsensitivedata,whichincludessoftware-basedsecurekeystorage.
EvaluationActivities
FIA_UAU_EXT.1:TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribestheprocessfordecryptingprotecteddataandkeys.TheevaluatorshallensurethatthisprocessrequirestheusertoenteraPasswordAuthenticationFactorand,inaccordancewithFCS_CKM_EXT.3,derivesaKEK,whichisusedtoprotectthesoftware-basedsecurekeystorageand(optionally)DEK(s)forsensitivedata,inaccordancewithFCS_STG_EXT.2.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsThefollowingtestsmaybeperformedinconjunctionwithFDP_DAR_EXT.1andFDP_DAR_EXT.2.
EvaluationActivityNote:ThefollowingtestrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:TheevaluatorshallenableencryptionofprotecteddataandrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatincludesauniquestringtreatedasprotecteddata.
Theevaluatorshallrebootthedevice,useatoolprovidedbydevelopertosearchfortheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcannotbefound.TheevaluatorshallenterthePasswordAuthenticationFactortoaccessfulldevicefunctionality,useatoolprovidedbythedevelopertoaccesstheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcanbefound.
Test2:[conditional]TheevaluatorshallrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshallstoreakeyinthesoftware-basedsecurekeystorage.
Theevaluatorshalllockthedevice,useatoolprovidedbydevelopertoaccessthekeyamongstthestoreddata,andverifythatthekeycannotberetrievedoraccessed.TheevaluatorshallenterthePasswordAuthenticationFactortoaccessfulldevicefunctionality,useatoolprovidedbydevelopertoaccessthekey,andverifythatthekeycanberetrievedoraccessed.
Test3:[conditional]TheevaluatorshallenableencryptionofsensitivedataandrequireuserauthenticationaccordingtotheAGDguidance.Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatincludesauniquestringtreatedassensitivedata.
Theevaluatorshalllockthedevice,useatoolprovidedbydevelopertoattempttoaccesstheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcannotbefound.TheevaluatorshallenterthePasswordAuthenticationFactortoaccessfulldevicefunctionality,useatoolprovidedbydevelopertoaccesstheuniquestringamongsttheapplicationdata,andverifythattheuniquestringcanberetrieved.
FIA_UAU_EXT.2TimingofAuthenticationFIA_UAU_EXT.2.1
TheTSFshallallow[selection:[assignment:listofactions],noactions]onbehalfoftheusertobeperformedbeforetheuserisauthenticated.
FIA_UAU_EXT.2.2TheTSFshallrequireeachusertobesuccessfullyauthenticatedbeforeallowinganyotherTSF-mediatedactionsonbehalfofthatuser.
ApplicationNote:Thesecurityrelevantactionsallowedbyunauthorizedusersinlockedstatemustbelisted.AtaminimumtheactionsthatcorrespondtothefunctionsavailabletotheuserinFMT_SMF_EXT.1andareallowedbyunauthorizedusersinlockedstateshouldbelisted.Forexample,iftheusercanenable/disablethecameraperfunction5ofFMT_SMF_EXT.1andunauthorizeduserscantakeapicturewhenthedeviceisinlockedstate,thisactionmustbelisted.
EvaluationActivities
FIA_UAU_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribestheactionsallowedbyunauthorizedusersinthelockedstate.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallattempttoperformsomeactionsnotlistedintheselectionwhilethedeviceisinthelockedstateandverifythatthoseactionsdonotsucceed.
FIA_X509_EXT.1X.509ValidationofCertificatesFIA_X509_EXT.1.1
TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:RFC5280certificatevalidationandcertificatepathvalidation.ThecertificatepathmustterminatewithacertificateintheTrustAnchorDatabase.TheTSFshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidatetherevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,CRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:
CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1withOID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ServercertificatespresentedforESTshallhavetheCMCRegistrationAuthority(RA)purpose(id-kp-cmcRAwithOID1.3.6.1.5.5.7.3.28)intheEKUfield.[conditional]ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningpurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.[conditional]
ApplicationNote:FIA_X509_EXT.1.1liststherulesforvalidatingcertificates.TheSTauthormustselectwhetherrevocationstatusisverifiedusingOCSPorCRLs.OCSPstaplingandOCSPmulti-staplingonlysupportTLSservercertificatevalidation.Ifothercertificatetypesarevalidated,eitherOCSPorCRLshouldbeclaimed.TheWLANClientEPtowhichaMDFTOEmustalsoconformrequiresthatcertificatesareusedforEAP-TLS;thisuserequiresthattheextendedKeyUsagerulesareverified.Certificatesmayoptionallybeusedfortrustedupdatesofsystemsoftwareandapplications(FPT_TUD_EXT.2)andforintegrityverification(FPT_TST_EXT.2(1))and,ifimplemented,mustbevalidatedtocontaintheCodeSigningpurposeextendedKeyUsage.
WhileFIA_X509_EXT.1.1requiresthattheTOEperformcertainchecksonthecertificatepresentedbyaTLSserver,therearecorrespondingchecksthattheauthenticationserverwillhavetoperformonthecertificatepresentedbytheclient;namelythattheextendedKeyUsagefieldoftheclientcertificateincludes“ClientAuthentication”andthatthekeyagreementbit(fortheDiffie-Hellmanciphersuites)orthekeyenciphermentbit(forRSAciphersuites)beset.CertificatesobtainedforusebytheTOEwillhavetoconformtotheserequirementsinordertobeusedintheenterprise.ThischeckisrequiredtosupportEAP-TLSfortheWLANClientEP.
FIA_X509_EXT.1.2TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.
ApplicationNote:ThisrequirementappliestocertificatesthatareusedandprocessedbytheTSFandrestrictsthecertificatesthatmaybeaddedtotheTrustAnchorDatabase.
EvaluationActivities
FIA_X509_EXT.1:TSSTheevaluatorshallensuretheTSSdescribeswherethecheckofvalidityofthecertificatestakesplace.TheevaluatorensurestheTSSalsoprovidesadescriptionofthecertificatepathvalidationalgorithm.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsThetestsdescribedmustbeperformedinconjunctionwiththeotherCertificateServicesevaluationactivities,includingtheusecasesinFIA_X509_EXT.2.1andFIA_X509_EXT.3.ThetestsfortheextendedKeyUsagerulesareperformedinconjunctionwiththeusesthatrequirethoserules.Theevaluatorshallcreateachainofatleastfourcertificates:thenodecertificatetobetested,twoIntermediateCAs,andtheself-signedRootCA.
Test1:Theevaluatorshalldemonstratethatvalidatingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing,foreachofthefollowingreasons,inturn:
byestablishingacertificatepathinwhichoneoftheissuingcertificatesisnotaCAcertificate,byomittingthebasicConstraintsfieldinoneoftheissuingcertificates,bysettingthebasicConstraintsfieldinanissuingcertificatetohaveCA=False,byomittingtheCAsigningbitofthekeyusagefieldinanissuingcertificate,andbysettingthepathlengthfieldofavalidCAfieldtoavaluestrictlylessthanthecertificatepath.
TheevaluatorshallthenestablishavalidcertificatepathconsistingofvalidCAcertificates,anddemonstratethatthefunctionsucceeds.TheevaluatorshallthenremovetrustinoneoftheCAcertificates,andshowthatthefunctionfails.
Test2:Theevaluatorshalldemonstratethatvalidatinganexpiredcertificateresultsinthefunctionfailing.
Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates-conditionalonwhetherCRL,OCSP,OSCPstapling,orOCSPmulti-staplingisselected;ifmultiplemethodsareselected,thenthefollowingtestsshallbeperformedforeachmethod:
Theevaluatorshalltestrevocationofthenodecertificate.
TheevaluatorshallalsotestrevocationoftheintermediateCAcertificate(i.e.theintermediateCAcertificateshouldberevokedbytherootCA).ForthetestoftheWLANusecase,onlypre-storedCRLsareused.IfOCSPstaplingperRFC6066istheonlysupportedrevocationmethod,thistestisomitted.
Theevaluatorshallensurethatavalidcertificateisused,andthatthevalidationfunctionsucceeds.Theevaluatorthenattemptsthetestwithacertificatethathasbeenrevoked(foreachmethodchosenintheselection)toensurewhenthecertificateisnolongervalidthatthevalidationfunctionfails.
Test4:IfanyOCSPoptionisselected,theevaluatorshallconfiguretheOCSPserveroruseaman-in-the-middletooltopresentacertificatethatdoesnothavetheOCSPsigningpurposeandverifythatvalidationoftheOCSPresponsefails.IfCRLisselected,theevaluatorshallconfiguretheCAtosignaCRLwithacertificatethatdoesnothavethecRLsignkeyusagebitset,andverifythatvalidationoftheCRLfails.
Test5:Theevaluatorshallmodifyanybyteinthefirsteightbytesofthecertificateanddemonstratethatthecertificatefailstovalidate(thecertificatewillfailtoparsecorrectly).
Test6:Theevaluatorshallmodifyanybitinthelastbyteofthesignaturealgorithmofthecertificateanddemonstratethatthecertificatefailstovalidate(thesignatureonthecertificatewillnotvalidate).
Test7:Theevaluatorshallmodifyanybyteinthepublickeyofthecertificateanddemonstratethatthecertificatefailstovalidate(thesignatureonthecertificatewillnotvalidate).
Test8:Test8.1:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1(3)).Theevaluatorshallestablishavalid,trustedcertificatechainconsistingofanECleafcertificate,anECIntermediateCAcertificatenotdesignatedasatrustanchor,andanECcertificatedesignatedasatrustedanchor,wheretheellipticcurveparametersarespecifiedasanamedcurve.TheevaluatorshallconfirmthattheTOEvalidatesthecertificatechain.
Test8.2:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1(3)).TheevaluatorshallreplacetheintermediatecertificateinthecertificatechainforTest8awithamodifiedcertificate,wherethemodifiedintermediateCAhasapublickeyinformationfieldwheretheECparametersusesanexplicitformatversionoftheEllipticCurveparametersinthepublickeyinformationfieldoftheintermediateCAcertificatefromTest8a,andthemodifiedIntermediateCAcertificateissignedbythetrustedECrootCA,buthavingnootherchanges.TheevaluatorshallconfirmtheTOEtreatsthecertificateasinvalid.
FIA_X509_EXT.2X.509CertificateAuthentication
FIA_X509_EXT.2.1TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationformutuallyauthenticatedTLSasdefinedinthePackageforTransportLayerSecurity,HTTPS[selection:IPsecinaccordancewiththePP-ModuleforVPNClient,mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity],and[selection:codesigningforsystemsoftwareupdates,codesigningformobileapplications,codesigningforintegrityverification,[assignment:otheruses],noadditionaluses].
ApplicationNote:TheSTauthor’sfirstselectionmustmatchtheselectionofFDP_UPC_EXT.1.1/APPSandFTP_ITC_EXT.1.1.
Certificatesmayoptionallybeusedfortrustedupdatesofsystemsoftware(FPT_TUD_EXT.2.3)andmobileapplications(FPT_TUD_EXT.5.1)andforintegrityverification(FPT_TST_EXT.2/PREKERNEL).If"codesigningforsystemsoftwareupdates"or"codesigningformobileapplications"isselectedFPT_TUD_EXT.4.1mustbeincludedintheST.
IfFPT_TUD_EXT.5.1isincludedintheST,"codesigningformobileapplications"mustbeincludedintheselection.
FIA_X509_EXT.2.2WhentheTSFcannotestablishaconnectiontodeterminetherevocationstatusofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,allowtheusertochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].
ApplicationNote:TheTOEmustnotacceptthecertificateifitfailsanyoftheothervalidationrulesinFIA_X509_EXT.1.However,oftenaconnectionmustbeestablishedtoperformaverificationoftherevocationstatusofacertificate-eithertodownloadaCRLortoperformOCSP.Theselectionisusedtodescribethebehaviorintheeventthatsuchaconnectioncannotbeestablished(forexample,duetoanetworkerror).IftheTOEhasdeterminedthecertificateisvalidaccordingtoallotherrulesinFIA_X509_EXT.1,thebehaviorindicatedintheselectionmustdeterminethevalidity.Iftheadministrator-configuredoruser-configuredoptionisselected,theSTauthormustalsoselectfunction30inFMT_SMF_EXT.1.
TheTOEmaybehavedifferentlydependingonthetrustedchannel;forexample,inthecaseofWLANwhereconnectionsareunlikelytobeestablished,theTOEmayacceptthecertificateeventhoughcertificatesarenotacceptedforotherchannels.TheSTauthorshouldselectallapplicablebehaviors.
EvaluationActivities
FIA_X509_EXT.2:TSSTheevaluatorshallchecktheTSStoensurethatitdescribeshowtheTOEchooseswhichcertificatestouse,andanynecessaryinstructionsintheadministrativeguidanceforconfiguringtheoperatingenvironmentsothattheTOEcanusethecertificates.
TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Theevaluatorshallverifythatanydistinctionsbetweentrustedchannelsaredescribed.
GuidanceIftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.
TestsTheevaluatorshallperformthefollowingtestforeachtrustedchannel:
Test1:Theevaluatorshalldemonstratethatusingavalidcertificatethatrequirescertificatevalidationcheckingtobeperformedinatleastsomepartbycommunicatingwithanon-TOEITentity.TheevaluatorshallthenmanipulatetheenvironmentsothattheTOEisunabletoverifythevalidityofthecertificate,andobservethattheactionselectedinFIA_X509_EXT.2.2isperformed.Iftheselectedactionisadministrator-configurable,thentheevaluatorshallfollowtheoperationalguidancetodeterminethatallsupportedadministrator-configurableoptionsbehaveintheirdocumentedmanner.
FIA_X509_EXT.3RequestValidationofCertificatesFIA_X509_EXT.3.1
TheTSFshallprovideacertificatevalidationservicetoapplications.
FIA_X509_EXT.3.2TheTSFshallrespondtotherequestingapplicationwiththesuccessorfailureofthevalidation.
ApplicationNote:InordertocomplywithalloftherulesinFIA_X509_EXT.1,multipleAPIcallsmayberequired;allofthesecallsshouldbeclearlydocumented
EvaluationActivities
FIA_X509_EXT.3:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunction(certificatevalidation)describedinthisrequirement.Thisdocumentationshallbeclearastowhichresultsindicatesuccessandfailure.
TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestscertificatevalidationbytheTSF.TheevaluatorshallverifythattheresultsfromthevalidationmatchtheexpectedresultsaccordingtotheAPIdocumentation.Thisapplicationmaybeusedtoverifythatimport,removal,modification,andvalidationareperformedcorrectlyaccordingtothetestsrequiredbyFDP_STG_EXT.1,FTP_ITC_EXT.1,FMT_SMF_EXT.1,andFIA_X509_EXT.1.
5.1.6Class:SecurityManagement(FMT)BoththeuserandtheadministratormaymanagetheTOE.ThisadministratorislikelytobeactingremotelyandcouldbetheMobileDeviceManagement(MDM)AdministratoractingthroughanMDMAgent.
TheAdministratorisresponsibleformanagementactivities,includingsettingthepolicythatisappliedbytheenterpriseontheMobileDevice.Thesemanagementfunctionsarelikelytobeadifferentsetthanthosemanagementfunctionsprovidedtotheuser.ManagementfunctionsthatareprovidedtotheuserandnottheadministratorarelistedinFMT_MOF_EXT.1.1.ManagementfunctionsforwhichtheadministratormayadoptapolicythatrestrictstheuserfromperformingthatfunctionarelistedinFMT_MOF_EXT.1.2.
Table7comparesthemanagementfunctionsrequiredbythisProtectionProfileinthefollowingthreerequirements(FMT_MOF_EXT.1.1,FMT_MOF_EXT.1.2,andFMT_SMF_EXT.1).
FMT_MOF_EXT.1ManagementofSecurityFunctionsBehaviorFMT_MOF_EXT.1.1
TheTSFshallrestricttheabilitytoperformthefunctionsincolumn3ofTable7totheuser.
ApplicationNote:Thefunctionsthathavean"M"inthethirdcolumnaremandatoryforthiscomponent,thusarerestrictedtotheuser,meaningthattheadministratorcannotmanagethosefunctions.Thefunctionsthathavean"O"inthethirdcolumnareoptionalandmaybeselected;andthosefunctionswitha"-"inthethirdarenotapplicableandmaynotbeselected.TheSTauthorshouldselectthosesecuritymanagementfunctionsthatonlytheusermayperform(i.e.theonestheadministratormaynotperform).
TheSTauthormaynotselectthesamefunctioninbothFMT_MOF_EXT.1.1andFMT_MOF_EXT.1.2.Afunctioncannotcontainan"M"inbothcolumn3andcolumn5.
TheSTauthormayuseatableintheST,indicatingwithcleardemarcations(tobeaccompaniedbyanindex)thosefunctionsthatarerestrictedtotheuser(column3).TheSTauthorshoulditeratearowtoindicateanyvariationsintheselectablesub-functionsorassignedvalueswithrespecttothevaluesinthecolumns.
Forfunctionsthataremandatory,anysub-functionsnotinaselectionarealsomandatoryandanyassignmentsmustcontainatleastoneassignedvalue.Fornon-selectablesub-functionsinanoptionalfunction,allsub-functionsoutsideaselectionmustbeimplementedinorderforthefunctiontobelisted.
FMT_MOF_EXT.1.2TheTSFshallrestricttheabilitytoperformthefunctionsincolumn5ofTable7totheadministratorwhenthedeviceisenrolledandaccordingtotheadministrator-configuredpolicy.
ApplicationNote:Aslongasthedeviceisenrolledinmanagement,theadministrator(oftheenterprise)mustbeguaranteedthatminimumsecurityfunctionsoftheenterprisepolicyareenforced.Furtherrestrictivepoliciescanbeappliedatanytimebytheuseronbehalfoftheuserorotheradministrators.
Thefunctionsthathavean"M"inthefifthcolumnaremandatoryforthiscomponent;thefunctionsthathavean"O"inthefifthcolumnareoptionalandmaybeselected;andthosefunctionswitha"-"inthefiftharenotapplicableandmaynotbeselected.
TheSTauthormaynotselectthesamefunctioninbothFMT_MOF_EXT.1.1andFMT_MOF_EXT.1.2.
TheSTauthorshouldselectthosesecuritymanagementfunctionsthattheadministratormayrestrict.TheSTauthormayuseatableintheST,indicatingwithcleardemarcations(tobeaccompaniedbyanindex)thosefunctionsthatareandarenotimplementedwithAPIsfortheadministrator(asincolumn4).Additionally,theSTauthorshoulddemarcatewhichfunctionstheuserispreventedfromaccessingorperforming(asincolumn5).TheSTauthorshoulditeratearowtoindicateanyvariationsintheselectablesub-functionsorassignedvalueswithrespecttothevaluesinthecolumns.
Forfunctionsthataremandatory,anysub-functionsnotinaselectionarealsomandatoryandanyassignmentsmustcontainatleastoneassignedvalue.Fornon-selectablesub-functionsinanoptionalfunction,allsub-functionsoutsidetheselectionmustbeimplementedinorderforthefunctiontobelisted.
EvaluationActivities
FMT_MOF_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesthosemanagementfunctionsthatmayonlybeperformedbytheuserandconfirmthattheTSSdoesnotincludeanAdministratorAPIforanyofthesemanagementfunctions.ThisactivitywillbeperformedinconjunctionwithFMT_SMF_EXT.1.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.TSSTheevaluatorshallverifythattheTSSdescribesthosemanagementfunctionsthatmaybeperformedbytheAdministrator,toincludehowtheuserispreventedfromaccessing,performing,orrelaxingthefunction(ifapplicable),andhowapplications/APIsarepreventedfrommodifyingtheAdministratorconfiguration.TheTSSalsodescribesanyfunctionalitythatisaffectedbyadministrator-configuredpolicyandhow.ThisactivitywillbeperformedinconjunctionwithFMT_SMF_EXT.1.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTest1:TheevaluatorshallusethetestenvironmenttodeploypoliciestoMobileDevices.
Test2:Theevaluatorshallcreatepolicieswhichcollectivelyincludeallmanagementfunctionswhicharecontrolledbythe(enterprise)administratorandcannotbeoverridden/relaxedbytheuserasdefinedinFMT_MOF_EXT.1.2.Theevaluatorshallapplythesepoliciestodevices,attempttooverride/relaxeachsettingbothastheuser(ifasettingisavailable)andasanapplication(ifanAPIisavailable),andensurethattheTSFdoesnotpermitit.Notethattheusermaystillapplyamorerestrictivepolicythanthatoftheadministrator.
Test3:AdditionaltestingoffunctionsprovidedtotheadministratorareperformedinconjunctionwiththetestingactivitiesforFMT_SMF_EXT.1.1.
FMT_SMF_EXT.1SpecificationofManagementFunctionsFMT_SMF_EXT.1.1
TheTSFshallbecapableofperformingthefollowingmanagementfunctions:
Table7:ManagementFunctions
StatusMarkers:M-MandatoryO-Optional/Objective
# ManagementFunction Impl. UserOnly
Admin AdminOnly
1 1.configurepasswordpolicy:
a. minimumpasswordlengthb. minimumpasswordcomplexityc. maximumpasswordlifetime
2 2.configuresessionlockingpolicy:
a. screen-lockenabled/disabledb. screenlocktimeoutc. numberofauthenticationfailures
3 3.enable/disabletheVPNprotection:
a. acrossdevice
[selection:b.onaper-appbasis,
c.onaper-groupofapplicationsprocessesbasis,
d.noothermethod]
4 4.enable/disable[assignment:listofallradios]
5 5.enable/disable[assignment:listofaudioorvisualcollectiondevices]:
a. acrossdevice
[selection:b.onaper-appbasis,
c.onaper-groupofapplicationsprocessesbasis,
d.noothermethod]
6 6.transitiontothelockedstate
7 7.TSFwipeofprotecteddata
8 8.configureapplicationinstallationpolicyby[selection:
a.restrictingthesourcesofapplications,
b.specifyingasetofallowedapplicationsbasedon
[assignment:applicationcharacteristics](anapplication
allowlist),c.denyinginstallationof
applications]
9 9.importkeys/secretsintothesecurekeystorage
10 10.destroyimportedkeys/secretsand[selection:nootherkeys/secrets,
[assignment:listofothercategoriesof
M - M M
M - M M
M O O O
M O O O
M O O O
M - M -
M - M -
M - M M
M O O -
M O O -
keys/secrets]]inthesecurekeystorage
11 11.importX.509v3certificatesintotheTrustAnchorDatabase
12 12.removeimportedX.509v3certificatesand[selection:nootherX.509v3
certificates,[assignment:listofothercategoriesofX.509v3certificates]]inthe
TrustAnchorDatabase
13 13.enrolltheTOEinmanagement
14 14.removeapplications
15 15.updatesystemsoftware
16 16.installapplications
17 17.removeEnterpriseapplications
18 18.enable/disabledisplaynotificationinthelockedstateof:[selection:
a.emailnotifications,b.calendarappointments,
c.contactassociatedwithphonecallnotification,
d.textmessagenotification,e.otherapplication-based
notifications,f.allnotifications
]
19 19.enabledata-atrestprotection
20 20.enableremovablemedia’sdata-at-restprotection
21 21.enable/disablelocationservices:
a. acrossdevice
[selection:b.onaper-appbasis,
c.onaper-groupofapplicationsprocessesbasis,
d.noothermethod]
22 22.enable/disabletheuseof[selection:BiometricAuthenticationFactor,Hybrid
AuthenticationFactor]
23 23.configurewhethertoallow/disallowestablishmentofatrustedchannelifthepeer/servercertificateisdeemedinvalid.
24 24.enable/disablealldatasignalingover[assignment:listofexternallyaccessible
hardwareports]
25 25.enable/disable[assignment:listofprotocolswherethedeviceactsasa
server]
26 26.enable/disabledevelopermodes
27 27.enable/disablebypassoflocaluserauthentication
28 28.wipeEnterprisedata
29 29.approve[selection:import,removal]byapplicationsofX.509v3certificatesin
theTrustAnchorDatabase
30 30.configurewhethertoallow/disallowestablishmentofatrustedchanneliftheTSFcannotestablishaconnectionto
M - M O
M O O -
M O O O
M - M O
M - M O
M - M O
M - M -
M O O O
M O O O
M O O O
M O O O
M O O O
M O O O
O O O O
O O O O
O O O O
O O O O
O O O -
O O O O
O O O O
determinethevalidityofacertificate
31 31.enable/disablethecellularprotocolsusedtoconnecttocellularnetworkbase
stations
32 32.readauditlogskeptbytheTSF
33 33.configure[selection:certificate,public-key]usedtovalidatedigital
signatureonapplications
34 34.approveexceptionsforshareduseofkeys/secretsbymultipleapplications
35 35.approveexceptionsfordestructionofkeys/secretsbyapplicationsthatdidnot
importthekey/secret
36 36.configuretheunlockbanner
37 37.configuretheauditableitems
38 38.retrieveTSF-softwareintegrityverificationvalues
39 39.enable/disable[selection:USBmassstoragemode,
USBdatatransferwithoutuserauthentication,
USBdatatransferwithoutauthenticationoftheconnecting
system]
40 40.enable/disablebackupof[selection:allapplications,selectedapplications,
selectedgroupsofapplications,configurationdata]to[selection:locally
connectedsystem,remotesystem]
41 41.enable/disable[selection:Hotspotfunctionalityauthenticatedby[selection:pre-sharedkey,passcode,noauthentication],USBtetheringauthenticatedby[selection:pre-sharedkey,passcode,noauthentication]
]
42 42.approveexceptionsforsharingdatabetween[selection:applications,groups
ofapplications]
43 43.placeapplicationsintoapplicationgroupsbasedon[assignment:enterpriseconfigurationsettings]
44 44.unenrolltheTOEfrommanagement
45 45.enable/disabletheAlwaysOnVPNprotection:
a. acrossdevice
[selection:b.onaper-appbasis,
c.onaper-groupofapplicationsprocessesbasis,
d.noothermethod]
46 46.revokeBiometrictemplate
47 47.[assignment:listofothermanagementfunctionstobeprovidedby
theTSF]
O O O O
O O O -
O O O O
O O O O
O O O O
O - O O
O - O O
O O O O
O O O O
O O O O
O O O O
O O O O
O O O O
O O O O
O O O O
O O O O
O O O O
ApplicationNote:Table7comparesthemanagementfunctionsrequiredbythisProtectionProfile.
ThefirstcolumnliststhemanagementfunctionsidentifiedinthePP.
Inthefollowingcolumns:‘M’meansMandatory‘O’meansOptional/Objective'-'meansthatnovalue(MorO)canbeassigned
Thesecondcolumn(FMT_SMF_EXT.1)indicateswhetherthefunctionistobeimplemented.TheSTauthorshouldselectwhichOptionalfunctionsareimplemented.
Thethirdcolumn(FMT_MOF_EXT.1.1)indicatesfunctionsthataretoberestrictedtotheuser(i.e.notavailabletotheadministrator).
Thefourthcolumn(Administrator)indicatesfunctionsthatareavailabletotheadministrator.Thefunctionsrestrictedtotheuser(column3)cannotalsobeavailabletotheadministrator.Functionsavailabletotheadministratorcanstillbeavailabletotheuser,aslongasthefunctionisnotrestrictedtotheadministrator(column5).Thus,iftheTOEmustofferthesefunctionstotheadministratortoperformthefourthcolumnmustbeselected.
Thefifthcolumn(FMT_MOF_EXT.1.2)indicateswhetherthefunctionistoberestrictedtotheadministratorwhenthedeviceisenrolledandtheadministratorappliestheindicatedpolicy.Ifthefunctionisrestrictedtotheadministratorthefunctionisnotavailabletotheuser.Thisdoesnotpreventtheuserfrommodifyingasettingtomakethefunctionstricter,buttheusercannotundotheconfigurationenforcedbytheadministrator.
TheSTauthormayuseatableintheST,listingonlythosefunctionsthatareimplemented.Forfunctionsthataremandatory,anysub-functionsnotinaselectionarealsomandatoryandanyassignmentsmustcontainatleastoneassignedvalue.Forfunctionsthatareoptionalandcontainanassignmentorselection,atleastonevaluemustbeassigned/selectedtobeincludedintheST.Fornon-selectablesub-functionsinanoptionalfunction,allsub-functionsmustbeimplementedinorderforthefunctiontobeincluded.Forfunctionswitha"per-appbasis"subfunctionandanassignment,theSTauthormustindicatewhichassignedfeaturesaremanageableonaper-appbasisandwhicharenotbyiteratingtherow.
Function-specificApplicationNotes:
Forfunctions3,5and21,thefunctionmustbeimplementedonadevice-widebasisbutmayalsobeimplementedonaper-appbasisoronaper-groupofapplicationsbasisinwhichtheconfigurationincludesthelistofapplicationsorgroupsofapplicationstowhichtheenable/disableapplies.
Function3addressesenablinganddisablingtheIPsecVPNonly.TheconfigurationoftheVPNClientitself(withinformationsuchasVPNGateway,certificates,andalgorithms)isaddressedbythePP-ModuleforVPNClient.Theadministratoroptionsshouldonlybelistediftheadministratorcanremotelyenable/disabletheVPNconnection.
Function3optionallyallowstheVPNtobeconfiguredper-apporper-groupsofapps.Ifthisconfigurationisselected,itdoesnotvoidFDP_IFC_EXT.1.InsteadFDP_IFC_EXT.1isappliedtotheapplicationorgroupofapplicationstheVPNisappliedto.Inotherwords,alltrafficdestinedfortheVPN-enabledapplicationorgroupofapplications,musttravelthroughtheVPN,buttrafficnotdestinedforthatapplicationorgroupofapplicationscantraveloutsidetheVPN.WhentheVPNisconfiguredacrossthedeviceFDP_IFC_EXT.1appliestoalltrafficandtheVPNmustnotsplittunnel.
Theassignmentinfunction4consistsofallradiospresentontheTSF,suchasWi-Fi,cellular,NFC,BluetoothBR/EDR,andBluetoothLE,whichcanbeenabledanddisabled.Inthefuture,ifbothBluetoothBR/EDRandBluetoothLEaresupported,theywillberequiredtobeenabledanddisabledseparately.Disablementofthecellularradiodoesnotimplythattheradiomaynotbeenabledinordertoplaceemergencyphonecalls;however,itisnotexpectedthatadevicein"airplanemode",whereallradiosaredisabled,willautomatically(withoutauthorization)turnonthecellularradiotoplaceemergencycalls.
Theassignmentinfunction5consistsofatleastoneaudioand/orvisualdevice,suchascameraandmicrophone,whichcanbeenabledanddisabledbyeithertheuseroradministrator.Disablementofthemicrophonedoesnotimplythat
themicrophonemaynotbeenabledinordertoplaceemergencyphonecalls.Ifcertaindevicesareabletoberestrictedtotheenterprise(eitherdevice-wide,per-apporper-groupofapplications)andothersareabletoberestrictedtousers,thenthisfunctionshouldbeiteratedinthetablewiththeappropriatetableentries.
Regardingfunctions4and5,disablementofaparticularradiooraudio/visualdevicemustbeeffectiveassoonastheTOEhaspower.DisablementmustalsoapplywhentheTOEisbootedintoauxiliarybootmodes,forexample,associatedwithupdatesorbackup.IftheTOEsupportsstatesinwhichsecuritymanagementpolicyisinaccessible,forexample,duetodata-at-restprotection,itisacceptabletomeetthisrequirementbyensuringthatthesedevicesaredisabledbydefaultwhileinthesestates.Thatthesedevicesaredisabledduringauxiliarybootmodesdoesnotimplythatthedevice(particularlythecellularradio)maynotbeenabledinordertoperformemergencyphonecalls.
WipeoftheTSF(function7)isperformedaccordingtoFCS_CKM_EXT.5.Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.
Theselectioninfunction8allowstheSTauthortoselectwhichmechanismsareavailabletotheadministratorthroughtheMDMAgenttorestricttheapplicationswhichtheusermayinstall.TheSTauthormuststateifapplicationallowlistisapplieddevice-wideorifitcanbespecifiedtoapplytoeithertheEnterpriseand/orPersonalapplications.
Iftheadministratorcanrestrictthesourcesfromwhichapplicationscanbeinstalled,theSTauthorselectsoptiona.Iftheadministratorcanspecifyaallowlistofallowedapplications,theSTauthorselectsoptionb.TheSTauthorshouldlistanyapplicationcharacteristics(e.g.name,version,ordeveloper)basedonwhichtheallowlistcanbeformed.Iftheadministratorcanpreventtheuserfrominstallingadditionalapplications,theSTauthorselectsc.
Inthefuture,function12mayrequiredestructionordisablingofanydefaulttrustedCAcertificates,exceptingthoseCAcertificatesnecessaryforcontinuedoperationoftheTSF,suchasthedeveloper’scertificate.Atthistime,theSTauthormustindicateintheassignmentwhetherpre-installedoranyothercategoryofX.509v3certificatesmayberemovedfromtheTrustAnchorDatabase.
Forfunction13,theenrollmentfunctionmaybeinstallinganMDMagentandincludesthepoliciestobeappliedtothedevice.Itisacceptablefortheuserapprovalnoticetorequiretheusertointentionallyopttoviewthepolicies(forexample,by"tapping"ona"View"icon)ratherthanlistingthepoliciesinfullinthenotice.
Forfunction15,theadministratorcapabilitytoupdatethesystemsoftwaremaybelimitedtocausingaprompttotheusertoupdateratherthantheabilitytoinitiatetheupdateitself.Astheadministratorislikelytobeactingremotely,he/shewouldbeunawareofinopportunesituations,suchaslowpower,whichmaycausetheupdatetofailandthedevicetobecomeinoperable.Theusercanrefusetoaccepttheupdateinsuchsituations.Itisexpectedthatsystemarchitectswillbecognizantofthislimitationandwillenforcenetworkaccesscontrolsinordertoenforceenterprise-criticalupdates.
Function16addressesbothinstallationandupdate.Thisprotectionprofiledoesnotdistinguishbetweeninstallationandupdateofapplicationsbecausemobiledevicestypicallycompletelyoverwritethepreviousinstallationwithanewinstallationduringanapplicationupdate.
Forfunction17,"Enterpriseapplications"arethoseapplicationsthatbelongtotheEnterpriseapplicationgroup.Applicationsinstalledbytheenterpriseadministrator(includingautomaticinstallationbytheadministratorafterbeingrequestedbytheuserfromacatalogofenterpriseapplications)arebydefaultplacedintheEnterpriseapplicationgroupunlessanexceptionhasbeenmadeinfunction43ofFMT_SMF_EXT.1.1.
Ifthedisplayofnotificationsinthelockedstateissupported,theconfigurationofthesenotifications(function18)mustbeincludedintheselection.
Function19mustbeincludedintheselectionifdata-at-restprotectionisnotnativelyenabled.
Function20isimplicitlymetiftheTSFdoesnotsupportremovablemedia.
Forfunction21,locationservicesincludelocationinformationgatheredfrom
GPS,cellular,andWi-Fi.
Function22isimplicitlymetiftheTOEdoesnotcontainaBAF.ThisselectionmustcorrespondwiththeselectionmadeinFIA_UAU.5.1.IfaBAFisselectedinFIA_UAU.5.1,"BiometricAuthenticationFactor"mustbeselectedandtheuseroradminmusthavetheoptiontodisabletheuseofit.IfmultipleBAFsareselectedinFIA_UAU.5.1,thisappliestoalldifferentmodalities.If"hybrid"isselectedinFIA_UAU.5.1itmustbeselectedandtheuseroradminmusthavetheoptiontodisabletheuseofit.
Forfunction23,theconfigurationcanbedifferentdependingonthespecifictrustedchannel.
Theassignmentinfunction24consistsofallexternallyaccessiblehardwareports,suchasUSB,theSDcard,andHDMI,whosedatatransfercapabilitiescanbeenabledanddisabledbyeithertheuseroradministrator.Disablementofdatatransferoveranexternalportmustbeeffectiveduringandafterbootintothenormaloperativemodeofthedevice.IftheTOEsupportsstatesinwhichconfiguredsecuritymanagementpolicyisinaccessible,forexample,duetodata-at-restprotection,itisacceptabletomeetthisrequirementbyensuringthatdatatransferisdisabledbydefaultwhileinthesestates.Eachoftheportsmaybeenabledordisabledseparately.Theconfigurationpolicyneednotdisableallportstogether.InthecaseofUSB,chagriningisstillallowedifdatatransfercapabilitieshavebeendisabled.
Theassignmentinfunction25consistsofallprotocolswheretheTSFactsasaserver,whichcanbeenabledanddisabledbyeithertheuseroradministrator.
Function26mustbeincludedintheselectionifdevelopermodesaresupportedbytheTSF.
Function27mustbeincludedintheselectionifbypassoflocaluserauthentication,suchasa"ForgotPassword",passwordhint,orremoteauthenticationfeature,issupported.
Function29mustbeincludedintheselectioniftheTSFallowsapplications,otherthantheMDMAgents,toimportorremoveX.509v3certificatesfromtheTrustAnchorDatabase.TheMDMAgentisconsideredtheadministrator.Thisfunctiondoesnotapplytoapplicationstrustingacertificateforitsownvalidations.Thefunctiononlyappliestosituationswheretheapplicationmodifiesthedevice-wideTrustAnchorDatabase,affectingthevalidationsperformedbytheTSFforotherapplications.Theuseroradministratormaybeprovidedtheabilitytogloballyallowordenyanyapplicationrequestsinordertomeetthisrequirement.
Function30mustbeincludedintheSTif"administrator-configuredoption"isselectioninFIA_X509_EXT.2.2.
Function33shouldbeincludedintheselectionifFPT_TUD_EXT.5.1isincludedintheSTandtheconfigurableoptionisselected.
Function34shouldbeincludedintheselectionifuseroradministratorisselectedinFCS_STG_EXT.1.4.
Function35shouldbeincludedintheselectionifuseroradministratorisselectedinFCS_STG_EXT.1.5.
Function36mustbeincludedintheselectionifFTA_TAB.1isincludedintheST.
Function37mustbeincludedintheselectionifFAU_SEL.1isincludedintheST.
Forfunction41,hotspotfunctionalityreferstotheconditioninwhichthemobiledeviceisservingasanaccesspointtootherdevices,nottheconnectionoftheTOEtoexternalhotspots.
Functions42and43correspondtoFDP_ACF_EXT.1.2.
Forfunction44,FMT_SMF_EXT.2.1specifiesactionstobeperformedwhentheTOEisunenrolledfrommanagement.
Forfunction45,mustbeincludedintheSTifIPsecisselectedinFTP_ITC_EXT.1andthenativeIPsecVPNclientcanbeconfiguredtobeAlways-On.Always-OnisdefinedaswhentheTOEhasanetworkconnectiontheVPNattemptstoconnect,alldataleavingthedeviceusestheVPNwhentheVPNisconnectedandnodataleavesthatdevicewhentheVPNisdisconnected.TheconfigurationoftheVPNClientitself(withinformationsuchasVPNGateway,certificates,andalgorithms)isaddressedbythePP-ModuleforVPNClient.
EvaluationActivities
FMT_SMF_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesallmanagementfunctions,whatrole(s)canperformeachfunction,andhowthesefunctionsare(orcanbe)restrictedtotherolesidentifiedbyFMT_MOF_EXT.1.
Thefollowingactivitiesareorganizedaccordingtothefunctionnumberinthetable.TheseactivitiesincludeTSSEvaluationActivities,AGDEvaluationActivities,andtestactivities.
TestactivitiesspecifiedbelowshalltakeplaceinthetestenvironmentdescribedintheevaluationactivityforFPT_TUD_EXT.1.
GuidanceTheevaluatorshallconsulttheAGDguidancetoperformeachofthespecifiedtests,iteratingeachtestasnecessaryifboththeuserandadministratormayperformthefunction.TheevaluatorshallverifythattheAGDguidancedescribeshowtoperformeachmanagementfunction,includinganyconfigurationdetails.Foreachspecifiedmanagementfunctiontested,theevaluatorshallconfirmthattheunderlyingmechanismexhibitstheconfiguredsetting.
TestsFunction1TheevaluatorshallverifytheTSSdefinestheallowablepolicyoptions:therangeofvaluesforbothpasswordlengthandlifetime,andadescriptionofcomplexitytoincludecharactersetandcomplexitypolicies(e.g.,configurationandenforcementofnumberofuppercase,lowercase,andspecialcharactersperpassword).
Test1:TheevaluatorshallexercisetheTSFconfigurationastheadministratorandperformpositiveandnegativetests,withatleasttwovaluessetforeachvariablesetting,foreachofthefollowing:
minimumpasswordlengthminimumpasswordcomplexitymaximumpasswordlifetime
Function2TheevaluatorshallverifytheTSSdefinestherangeofvaluesforbothtimeoutperiodandnumberofauthenticationfailuresforallsupportedauthenticationmechanisms.
Test2:TheevaluatorshallexercisetheTSFconfigurationastheadministrator.Theevaluatorshallperformpositiveandnegativetests,withatleasttwovaluessetforeachvariablesetting,foreachofthefollowing:
screen-lockenabled/disabledscreenlocktimeoutnumberofauthenticationfailures(maybecombinedwithtestforFIA_AFL_EXT.1)
Function3Test3:Theevaluatorshallperformthefollowingtests:a. TheevaluatorshallexercisetheTSFconfigurationtoenabletheVPNprotection.These
configurationactionsmustbeusedforthetestingoftheFDP_IFC_EXT.1.1requirement.
b. [conditional]If"per-appbasis"isselected,theevaluatorshallcreatetwoapplicationsandenableonetousetheVPNandtheothertonotusetheVPN.Theevaluatorshallexerciseeachapplication(attemptingtoaccessnetworkresources;forexample,bybrowsingdifferentwebsites)individuallywhilecapturingpacketsfromtheTOE.TheevaluatorshallverifyfromthepacketcapturethatthetrafficfromtheVPN-enabledapplicationisencapsulatedinIPsecandthatthetrafficfromtheVPN-disabledapplicationisnotencapsulatedinIPsec.
c. [conditional]If"per-groupsofapplicationbasis"isselected,theevaluatorshallcreatetwoapplicationsandtheapplicationsshallbeplacedintodifferentgroups.EnableoneapplicationgrouptousetheVPNandtheothertonotusetheVPN.Theevaluatorshallexerciseeachapplication(attemptingtoaccessnetworkresources;forexample,bybrowsingdifferentwebsites)individuallywhilecapturingpacketsfromtheTOE.TheevaluatorshallverifyfromthepacketcapturethatthetrafficfromtheapplicationintheVPN-enabledgroupisencapsulatedinIPsecandthatthetrafficfromtheapplicationintheVPN-disabledgroupisnotencapsulatedinIPsec.
Function4TheevaluatorshallverifythattheTSSincludesadescriptionofeachradioandanindicationofiftheradiocanbeenabled/disabledalongwithwhatrolecandoso.InadditiontheevaluatorshallverifythatthefrequencyrangesatwhicheachradiooperatesisincludedintheTSS.TheevaluatorshallverifythattheTSSincludesatwhatpointinthebootsequencetheradiosarepoweredonandindicatesiftheradiosareusedaspartofthe
initializationofthedevice.TheevaluatorshallconfirmthattheAGDguidancedescribeshowtoperformtheenable/disablefunctionforeachradio.
TheevaluatorshallensurethatminimalsignalleakageenterstheRFshieldedenclosure(i.e.Faradaybag,Faradaybox,RFshieldedroom)byperformingthefollowingsteps:
Step1:PlacetheantennaofthespectrumanalyzerinsidetheRFshieldedenclosure.
Step2:Enable"MaxHold"onthespectrumanalyzerandperformaspectrumsweepofthefrequencyrangebetween300MHz–6000MHz,inIKHzsteps(thisrangeshouldencompass802.11,802.15,GSM,UMTS,andLTE).ThisrangewillnotaddressNFC13.56MHz,anothertestshouldbesetupwithsimilarconstraintstoaddressNFC.
Ifpowerabove-90dBmisobserved,theFaradayboxhastoogreatofsignalleakageandshallnotbeusedtocompletethetestforFunction4.
Test4:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenableanddisablethestateofeachradio(e.g.Wi-Fi,cellular,NFC,Bluetooth).Additionally,theevaluatorshallrepeatthestepsbelow,bootingintoanyauxiliarybootmodesupportedbythedevice.Foreachradio,theevaluatorshall:
Step1:PlacetheantennaofthespectrumanalyzerinsidetheRFshieldedenclosure.Configurethespectrumanalyzertosweepdesiredfrequencyrangefortheradiotobetested(basedonrangeprovidedintheTSS)).Theambientnoisefloorshallbesetto-110dBm.PlacetheTOEintotheRFshieldedenclosuretoisolatethemfromallotherRFtraffic.
Step2:TheevaluatorshallcreateabaselineoftheexpectedbehaviorofRFsignals.Theevaluatorshallpoweronthedevice,ensuretheradioinquestionisenabled,poweroffthedevice,enable"MaxHold"onthespectrumanalyzerandpoweronthedevice.Theevaluatorshallwait2minutesateachAuthenticationFactorinterfacepriortoenteringthenecessarypasswordtocompletethebootprocess,waiting5minutesafterthedeviceisfullybooted.TheevaluatorshallobservethatRFspikesarepresentattheexpecteduplinkchannelfrequency.Theevaluatorshallclearthe"MaxHold"onthespectrumanalyzer.
Step3:TheevaluatorshallverifytheabsenceofRFactivityfortheuplinkchannelwhentheradioinquestionisdisabled.Theevaluatorshallcompletethefollowingtestfivetimes.Theevaluatorshallpoweronthedevice,ensuretheradioinquestionisdisabled,poweroffthedevice,enable"MaxHold"onthespectrumanalyzerandpoweronthedevice.Theevaluatorshallwait2minutesateachAuthenticationFactorinterfacepriortoenteringthenecessarypasswordtocompletethebootprocess,waiting5minutesafterthedeviceisfullybooted.Theevaluatorshallclearthe"MaxHold"onthespectrumanalyzer.Iftheradiosareusedfordeviceinitialization,thenaspikeofRFactivityfortheuplinkchannelcanbeobservedinitiallyatdeviceboot.However,ifaspikeofRFactivityfortheuplinkchannelofthespecificradiofrequencybandisobservedafterthedeviceisfullybootedoratanAuthenticationFactorinterfaceitisdeemedthattheradioisenabled.
Function5TheevaluatorshallverifythattheTSSincludesadescriptionofeachcollectiondeviceandanindicationofifitcanbeenabled/disabledalongwithwhatrolecandoso.TheevaluatorshallconfirmthattheAGDguidancedescribeshowtoperformtheenable/disablefunction.
Test5:Theevaluatorshallperformthefollowingtest(s):a. TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnot
restrictedtotheadministrator,theuser,toenableanddisablethestateofeachaudioorvisualcollectiondevices(e.g.camera,microphone)listedbytheSTauthor.Foreachcollectiondevice,theevaluatorshalldisablethedeviceandthenattempttouseitsfunctionality.TheevaluatorshallreboottheTOEandverifythatdisabledcollectiondevicesmaynotbeusedduringorearlyinthebootprocess.Additionally,theevaluatorshallbootthedeviceintoeachavailableauxiliarybootmodeandverifythatthecollectiondevicecannotbeused.
b. [conditional]If"per-appbasis"isselected,theevaluatorshallcreatetwoapplicationsandenableonetouseaccesstheA/VdeviceandtheothertonotaccesstheA/Vdevice.TheevaluatorshallexerciseeachapplicationattemptingtoaccesstheA/Vdeviceindividually.TheevaluatorshallverifythattheenabledapplicationisabletoaccesstheA/VdeviceandthedisabledapplicationisnotabletoaccesstheA/Vdevice.
c. [conditional]If"per-groupsofapplicationbasis"isselected,theevaluatorshallcreatetwoapplicationsandtheapplicationsshallbeplacedintodifferentgroups.EnableonegrouptoaccesstheA/VdeviceandtheothertonotaccesstheA/Vdevice.TheevaluatorshallexerciseeachapplicationattemptingtoaccesstheA/Vdeviceindividually.TheevaluatorshallverifythattheapplicationintheenabledgroupisabletoaccesstheA/VdeviceandtheapplicationinthedisabledgroupisnotabletoaccesstheA/Vdevice.
Function6Test6:TheevaluatorshallusethetestenvironmenttoinstructtheTSF,bothasauserandastheadministrator,tocommandthedevicetotransitiontoalockedstate,andverifythat
thedevicetransitionstothelockedstateuponcommand.
Function7Test7:TheevaluatorshallusethetestenvironmenttoinstructtheTSF,bothasauserandastheadministrator,tocommandthedevicetoperformawipeofprotecteddata.TheevaluatormustensurethatthismanagementsetupisusedwhenconductingtheEvaluationActivitiesinFCS_CKM_EXT.5.
Function8TheevaluatorshallverifytheTSSdescribestheallowableapplicationinstallationpolicyoptionsbasedontheselectionincludedintheST.Iftheapplicationallowlistisselected,theevaluatorshallverifythattheTSSincludesadescriptionofeachapplicationcharacteristicuponwhichtheallowlistmaybebased.
Test8:TheevaluatorshallexercisetheTSFconfigurationastheadministratortorestrictparticularapplications,sourcesofapplications,orapplicationinstallationaccordingtotheAGDguidance.Theevaluatorshallattempttoinstallunauthorizedapplicationsandensurethatthisisnotpossible.Theevaluatorshall,inconjunction,performthefollowingspecifictests:a. [conditional]Theevaluatorshallattempttoconnecttoanunauthorizedrepositoryin
ordertoinstallapplications.b. [conditional]Theevaluatorshallattempttoinstalltwoapplications(oneallowlisted,
andonenot)fromaknownallowedrepositoryandverifythattheapplicationnotontheallowlistisrejected.Theevaluatorshallalsoattempttoside-loadexecutablesorinstallationpackagesviaUSBconnectionstodeterminethatthewhitelistisstilladheredto
Function9&Function10TheevaluatorshallverifythattheTSSdescribeseachcategoryofkeys/secretsthatcanbeimportedintotheTSF’ssecurekeystorage.
Test9:ThetestofthesefunctionsisperformedinassociationwithFCS_STG_EXT.1.
Test10:ThetestofthesefunctionsisperformedinassociationwithFCS_STG_EXT.1.
Function11TheevaluatorshallreviewtheAGDguidancetodeterminethatitdescribesthestepsneededtoimport,modify,orremovecertificatesintheTrustAnchordatabase,andthattheusersthathaveauthoritytoimportthosecertificates(e.g.,onlyadministrator,orbothadministratorsandusers)areidentified.
Test11:TheevaluatorshallimportcertificatesaccordingtotheAGDguidanceastheuserand/orastheadministrator,asdeterminedbytheadministrativeguidance.Theevaluatorshallverifythatnoerrorsoccurduringimport.TheevaluatorshouldperformanactionrequiringuseoftheX.509v3certificatetoprovideassurancethatinstallationwascompletedproperly.
Function12TheevaluatorshallverifythattheTSSdescribeseachadditionalcategoryofX.509certificatesandtheirusewithintheTSF.
Test12:Theevaluatorshallremoveanadministrator-importedcertificateandanyothercategoriesofcertificatesincludedintheassignmentoffunction14fromtheTrustAnchorDatabaseaccordingtotheAGDguidanceastheuserandastheadministrator.
Function13TheevaluatorshallexaminetheTSStoensurethatitcontainsadescriptionofeachmanagementfunctionthatwillbeenforcedbytheenterpriseoncethedeviceisenrolled.TheevaluatorshallexaminetheAGDguidancetodeterminethatthissameinformationispresent.
Test13:Theevaluatorshallverifythatuserapprovalisrequiredtoenrollthedeviceintomanagement.
Function14TheevaluatorshallverifythattheTSSincludesanindicationofwhatapplications(e.g.,user-installedapplications,Administrator-installedapplications,orEnterpriseapplications)canberemovedalongwithwhatrolecandoso.TheevaluatorshallexaminetheAGDguidancetodeterminethatitdetails,foreachtypeofapplicationthatcanberemoved,theproceduresnecessarytoremovethoseapplicationsandtheirassociateddata.ForthepurposesofthisEvaluationActivity,"associateddata"referstodatathatarecreatedbytheappduringitsoperationthatdonotexistindependentoftheapp'sexistence,forinstance,configurationdata,ore-mailinformationthat’spartofane-mailclient.Itdoesnot,ontheotherhand,refertodatasuchaswordprocessingdocuments(forawordprocessingapp)orphotos(foraphotoorcameraapp).
Test14:TheevaluatorshallattempttoremoveapplicationsaccordingtotheAGDguidance
andverifythattheTOEnolongerpermitsuserstoaccessthoseapplicationsortheirassociateddata.
Function15Test15:TheevaluatorshallattempttoupdatetheTSFsystemsoftwarefollowingtheproceduresintheAGDguidanceandverifythatupdatescorrectlyinstallandthattheversionnumbersofthesystemsoftwareincrease.
Function16Test16:TheevaluatorshallattempttoinstallanapplicationfollowingtheproceduresintheAGDguidanceandverifythattheapplicationisinstalledandavailableontheTOE.
Function17Test17:TheevaluatorshallattempttoremoveanyEnterpriseapplicationsfromthedevicebyfollowingtheadministratorguidance.TheevaluatorshallverifythattheTOEnolongerpermitsuserstoaccessthoseapplicationsortheirassociateddata.
Function18TheevaluatorshallexaminetheAGDGuidancetodeterminethatitspecifies,foratleasteachcategoryofinformationselectedforFunction18,howtoenableanddisabledisplayinformationforthattypeofinformationinthelockedstate.
Test18:ForeachcategoryofinformationlistedintheAGDguidance,theevaluatorshallverifythatwhenthatTSFisconfiguredtolimittheinformationaccordingtotheAGD,theinformationisnolongerdisplayedinthelockedstate.
Function19Test19:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenablesystem-widedata-at-restprotectionaccordingtotheAGDguidance.TheevaluatorshallensurethatallEvaluationActivitiesforDAR(FDP_DAR)areconductedwiththedeviceinthisconfiguration.
Function20Test20:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenableremovablemedia’sdata-at-restprotectionaccordingtotheAGDguidance.TheevaluatorshallensurethatallEvaluationActivitiesforDAR(FDP_DAR)areconductedwiththedeviceinthisconfiguration.
Function21Test21:Theevaluatorshallperformthefollowingtests.a. Theevaluatorshallenablelocationservicesdevice-wideandshallverifythatan
application(suchasamappingapplication)isabletoaccesstheTOE’slocationinformation.Theevaluatorshalldisablelocationservicesdevice-wideandshallverifythatanapplication(suchasamappingapplication)isunabletoaccesstheTOE’slocationinformation.
b. [conditional]If"per-appbasis"isselected,theevaluatorshallcreatetwoapplicationsandenableonetouseaccessthelocationservicesandtheothertonotaccessthelocationservices.Theevaluatorshallexerciseeachapplicationattemptingtoaccesslocationservicesindividually.Theevaluatorshallverifythattheenabledapplicationisabletoaccessthelocationservicesandthedisabledapplicationisnotabletoaccessthelocationservices.
Function22Test22:TheevaluatorshallverifythattheTSSstatesiftheTOEsupportsaBAFand/orhybridauthentication.IftheTOEdoesnotincludeaBAFand/orhybridauthenticationthistestisimplicitlymet.a. [conditional]IfaBAFisselectedtheevaluatorshallverifythattheTSSdescribesthe
proceduretoenable/disabletheBAF.IftheTOEincludesmultipleBAFs,theevaluatorshallverifythattheTSSdescribeshowtoenable/disableeachBAF,specificallyifthedifferentmodalitiescanbeindividuallyenabled/disabled.TheevaluatorshallconfiguretheTOEtoalloweachsupportedBAFtoauthenticateandverifythatsuccessfulauthenticationcanbeachievedusingtheBAF.TheevaluatorshallconfiguretheTOEtodisabletheuseofeachsupportedBAFforauthenticationandconfirmthattheBAFcannotbeusedtoauthenticate.
b. [conditional]If"Hybrid"isselectedtheevaluatorshallverifythattheTSSdescribestheproceduretoenable/disablethehybrid(biometriccredentialandPIN/password)authentication.TheevaluatorshallconfiguretheTOEtoallowhybridauthenticationtoauthenticateandconfirmthatsuccessfulauthenticationcanbeachievedusingthehybridauthentication.TheevaluatorshallconfiguretheTOEtodisabletheuseofhybridauthenticationandconfirmthatthehybridauthenticationcannotbeusedtoauthenticate.
EvaluationActivityNote:Itshouldbenotedthatthefollowingfunctionsareoptionalcapabilities,ifthefunctionisimplemented,thenthefollowingEvaluationActivitiesshallbeperformed.Thenotationof"[conditional]besidethefunctionnumberindicatesthatifthefunctionisnotincludedintheST,thenthereisnoexpectationthattheevaluationactivity
beperformed.
Function23[conditional]Test23:ThetestofthisfunctionisperformedinconjunctionwithFIA_X509_EXT.2.2,FCS_TLSC_EXT.1.3inthePackageforTransportLayerSecurity.
Function24[conditional]TheevaluatorshallverifythattheTSSincludesalistofeachexternallyaccessiblehardwareportandanindicationofifdatatransferoverthatportcanbeenabled/disabled.AGDguidancewilldescribehowtoperformtheenable/disablefunction.
Test24:TheevaluatorshallexercisetheTSFconfigurationtoenableanddisabledatatransfercapabilitiesovereachexternallyaccessiblehardwareports(e.g.USB,SDcard,HDMI)listedbytheSTauthor.Theevaluatorshallusetestequipmentfortheparticularinterfacetoensurethatnolow-levelsignalingisoccurringonallpinsusedfordatatransferwhentheyaredisabled.Foreachdisableddatatransfercapability,theevaluatorshallrepeatthistestbyrebootingthedeviceintothenormaloperationalmodeandverifyingthatthecapabilityisdisabledthroughoutthebootandearlyexecutionstageofthedevice.
Function25[conditional]TheevaluatorshallverifythattheTSSdescribeshowtheTSFactsasaserverineachoftheprotocolslistedintheST,andthereasonforactingasaserver.
Test25:Theevaluatorshallattempttodisableeachlistedprotocolintheassignment.TheevaluatorshallverifythatremotedevicescannolongeraccesstheTOEorTOEresourcesusinganydisabledprotocols.
Function26[conditional]Test26:TheevaluatorshallexercisetheTSFconfigurationastheadministratorand,ifnotrestrictedtotheadministrator,theuser,toenableanddisableanydevelopermode.Theevaluatorshalltestthatdevelopermodeaccessisnotavailablewhenitsconfigurationisdisabled.Theevaluatorshallverifythedevelopermoderemainsdisabledduringdevicereboot.
Function27[conditional]TheevaluatorshallexaminetheAGDguidancetodeterminethatitdescribeshowtoenableanddisableany"ForgotPassword",passwordhint,orremoteauthentication(tobypasslocalauthenticationmechanisms)capability.
Test27:ForeachmechanismlistedintheAGDguidancethatprovidesa"ForgotPassword"featureorothermeanswherethelocalauthenticationprocesscanbebypassed,theevaluatorshalldisablethefeatureandensurethattheyarenotabletobypassthelocalauthenticationprocess.
Function28[conditional]Test28:TheevaluatorshallattempttowipeEnterprisedataresidentonthedeviceaccordingtotheadministratorguidance.Theevaluatorshallverifythatthedataisnolongeraccessiblebytheuser.
Function29[conditional]TheevaluatorshallverifythattheTSSdescribeshowapprovalforanapplicationtoperformtheselectedaction(import,removal)withrespecttocertificatesintheTrustAnchorDatabaseisaccomplished(e.g.,apop-up,policysetting,etc.).
TheevaluatorshallalsoverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesanysecurityfunctions(import,modification,ordestructionoftheTrustAnchorDatabase)allowedbyapplications.
Test29:Theevaluatorshallperformoneofthefollowingtests:a. [conditional]IfapplicationsmayimportcertificatestotheTrustAnchorDatabase,the
evaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatimportsacertificateintotheTrustAnchorDatabase.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtoimportthecertificate:
Theevaluatorshalldenytheapprovalstoverifythattheapplicationisnotabletoimportthecertificate.Failureofimportshallbetestedbyattemptingtovalidateacertificatethatchainstothecertificatewhoseimportwasattempted(asdescribedintheevaluationactivityforFIA_X509_EXT.1).Theevaluatorshallrepeatthetest,allowingtheapprovaltoverifythattheapplicationisabletoimportthecertificateandthatvalidationoccurs.
b. [conditional]IfapplicationsmayremovecertificatesintheTrustAnchorDatabase,theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatremovescertificatesfromtheTrustAnchorDatabase.TheevaluatorshallverifythattheTOErequiresapprovalbeforeallowingtheapplicationtoremovethecertificate:
Theevaluatorshalldenytheapprovalstoverifythattheapplicationisnotabletoremovethecertificate.Failureofremovalshallbetestedbyattemptingtovalidateacertificatethatchainstothecertificatewhoseremovalwasattempted
(asdescribedintheevaluationactivityforFIA_X509_EXT.1).Theevaluatorshallrepeatthetest,allowingtheapprovaltoverifythattheapplicationisabletoremove/modifythecertificateandthatvalidationnolongeroccurs.
Function30[conditional]Test30:ThetestofthisfunctionisperformedinconjunctionwithFIA_X509_EXT.2.2.
Function31[conditional]TheevaluatorshallensurethattheTSSdescribeswhichcellularprotocolscanbedisabled.TheevaluatorshallconfirmthattheAGDguidancedescribestheprocedurefordisablingeachcellularprotocolidentifiedintheTSS.
Test31:Theevaluatorshallattempttodisableeachcellularprotocolaccordingtotheadministratorguidance.Theevaluatorshallattempttoconnectthedevicetoacellularnetworkand,usingnetworkanalysistools,verifythatthedevicedoesnotallownegotiationofthedisabledprotocols.
Function32[conditional]Test32:Theevaluatorshallattempttoreadanydeviceauditlogsaccordingtotheadministratorguidanceandverifythatthelogsmayberead.ThistestmaybeperformedinconjunctionwiththeevaluationactivityofFAU_GEN.1.
Function33[conditional]Test33:ThetestofthisfunctionisperformedinconjunctionwithFPT_TUD_EXT.5.1.
Function34[conditional]TheevaluatorshallverifythattheTSSdescribeshowtheapprovalforexceptionsforshareduseofkeys/secretsbymultipleapplicationsisaccomplished(e.g.,apop-up,policysetting,etc.).
Test34:ThetestofthisfunctionisperformedinconjunctionwithFCS_STG_EXT.1.
Function35[conditional]TheevaluatorshallverifythattheTSSdescribeshowtheapprovalforexceptionsfordestructionofkeys/secretsbyapplicationsthatdidnotimportthekey/secretisaccomplished(e.g.,apop-up,policysetting,etc.).
Test35:ThetestofthisfunctionisperformedinconjunctionwithFCS_STG_EXT.1.
Function36[conditional]TheevaluatorshallverifythattheTSSdescribesanyrestrictionsinbannersettings(e.g.,characterlimitations).
Test36:ThetestofthisfunctionisperformedinconjunctionwithFTA_TAB.1.
Function37[conditional]Test37:ThetestofthisfunctionisperformedinconjunctionwithFAU_SEL.1.
Function38[conditional]Test38:ThetestofthisfunctionisperformedinconjunctionwithFPT_NOT_EXT.2.1.
Function39[conditional]TheevaluatorshallverifythattheTSSincludesadescriptionofhowdatatransferscanbemanagedoverUSB.
Test39:Theevaluatorshallperformthefollowingtestsbasedontheselectionsmadeinthetable:a. [conditional]TheevaluatorshalldisableUSBmassstoragemode,attachthedeviceto
acomputer,andverifythatthecomputercannotmounttheTOEasadrive.TheevaluatorshallreboottheTOEandrepeatthistestwithothersupportedauxiliarybootmodes.
b. [conditional]TheevaluatorshalldisableUSBdatatransferwithoutuserauthentication,attachthedevicetoacomputer,andverifythattheTOErequiresuserauthenticationbeforethecomputercanaccessTOEdata.TheevaluatorshallreboottheTOEandrepeatthistestwithothersupportedauxiliarybootmodes.
c. [conditional]TheevaluatorshalldisableUSBdatatransferwithoutconnectingsystemauthentication,attachthedevicetoacomputer,andverifythattheTOErequiresconnectingsystemauthenticationbeforethecomputercanaccessTOEdata.TheevaluatorshallthenconnecttheTOEtoanothercomputerandverifythatthecomputercannotaccessTOEdata.TheevaluatorshallthenconnecttheTOEtotheoriginalcomputerandverifythatthecomputercanaccessTOEdata.
Function40[conditional]TheevaluatorshallverifythattheTSSincludesadescriptionofavailablebackupmethodsthatcanbeenabled/disabled.If"selectedapplicationsorselectedgroupsofapplicationsareselectedtheTSSshallincludewhichapplicationsofgroupsofapplicationsbackupcanbe
enabled/disabled.
Test40:If"allapplications"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythattheTOEcannotcompleteabackup.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifythattheTOEcanperformabackup.
If"selectedapplications"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythatfortheselectedapplicationtheTOEpreventsbackupfromoccurring.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifythatfortheselectedapplicationtheTOEcanperformabackup.
If"selectedgroupsofapplications"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythatforagroupofapplicationstheTOEpreventsthebackupfromoccurring.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifyforthegroupofapplicationtheTOEcanperformabackup.
If"configurationdata"isselected,theevaluatorshalldisableeachselectedbackuplocationinturnandverifythattheTOEpreventsthebackupofconfigurationdatafromoccurring.TheevaluatorshallthenenableeachselectedbackuplocationinturnandverifythattheTOEcanperformabackupofconfigurationdata.
Function41[conditional]TheevaluatorshallverifythattheTSSincludesadescriptionofHotspotfunctionalityandUSBtetheringtoincludeanyauthenticationforthese.
Test41:TheevaluatorshallperformthefollowingtestsbasedontheselectionsinFunction41.a. [conditional]Theevaluatorshallenablehotspotfunctionalitywitheachoftheofthe
supportauthenticationmethods.Theevaluatorshallconnecttothehotspotwithanotherdeviceandverifythatthehotspotfunctionalityrequirestheconfiguredauthenticationmethod.
b. [conditional]TheevaluatorshallenableUSBtetheringfunctionalitywitheachoftheofthesupportauthenticationmethods.TheevaluatorshallconnecttotheTOEoverUSBwithanotherdeviceandverifythatthetetheringfunctionalityrequirestheconfiguredauthenticationmethod.
Function42[conditional]Test42:ThetestofthisfunctionisperformedinconjunctionwithFDP_ACF_EXT.1.2.
Function43[conditional]Test43:Theevaluatorshallsetapolicytocauseadesignatedapplicationtobeplacedintoaparticularapplicationgroup.Theevaluatorshalltheninstallthedesignatedapplicationandverifythatitwasplacedintothecorrectgroup.
Function44[conditional]Test44:TheevaluatorshallattempttounenrollthedevicefrommanagementandverifythatthestepsdescribedinFMT_SMF_EXT.2.1areperformed.ThistestshouldbeperformedinconjunctionwiththeFMT_SMF_EXT.2.1evaluationactivity.
Function45[conditional]Test45:TheevaluatorshallverifythattheTSScontainsguidancetoconfiguretheVPNasAlways-On.TheevaluatorshallconfiguretheVPNasAlways-Onandperformthefollowingtest.a. TheevaluatorshallverifythatwhentheVPNisconnectedalltrafficisroutedthrough
theVPN.ThistestisperformedinconjunctionwithFDP_IFC_EXT.1.1.b. TheevaluatorshallverifythatwhentheVPNisnotestablished,thatnotrafficleaves
thedevice.TheevaluatorshallensurethattheTOEhasnetworkconnectivityandthattheVPNisestablished.TheevaluatorshalluseapacketsniffingtooltocapturethetrafficleavingtheTOE.TheevaluatorshalldisabletheVPNconnectionontheserverside.Theevaluatorshallperformactionswiththedevicesuchasnavigatingtowebsites,usingprovidedapplications,andaccessingotherInternetresourcesandverifythatnotrafficleavesthedevice.
c. TheevaluatorshallverifythattheTOEhasnetworkconnectivityandthattheVPNisestablished.Theevaluatorshalldisablenetworkconnectivity(i.e.AirplaneMode)andverifythattheVPNdisconnects.Theevaluatorshallre-establishnetworkconnectivityandverifythattheVPNautomaticallyreconnects.
Function46[conditional]Test46:TheevaluatorshallverifythattheTSSdescribestheproceduretorevokeabiometriccredentialstoredontheTOE.TheevaluatorshallconfiguretheTOEtouseBAFandconfirmthatthebiometriccanbeusedtoauthenticatetothedevice.Theevaluatorshallrevokethebiometriccredential’sabilitytoauthenticatetotheTOEandconfirmthatthesameBAFcannotbeusedtoauthenticatetothedevice.
Function47TheevaluatorshallverifythattheTSSdescribesallassignedsecuritymanagementfunctionsandtheirintendedbehavior.
Test47:TheevaluatorshalldesignandperformteststodemonstratethatthefunctionmaybeconfiguredandthattheintendedbehaviorofthefunctionisenactedbytheTOE.
FMT_SMF_EXT.2SpecificationofRemediationActionsFMT_SMF_EXT.2.1
TheTSFshalloffer[selection:wipeofprotecteddata,wipeofsensitivedata,removeEnterpriseapplications,removealldevice-storedEnterpriseresourcedata,removeEnterprisesecondaryauthenticationdata,[assignment:listotheravailableremediationactions]]uponun-enrollmentand[selection:[assignment:otheradministrator-configuredtriggers],noothertriggers].
ApplicationNote:Un-enrollmentmayconsistofremovingtheMDMagentorremovingtheadministrator’spolicies.ThefunctionsintheselectionareremediationactionsthatTOEmayprovide(perhapsviaAPIs)totheadministrator(perhapsviaanMDMagent)thatmaybeperformeduponun-enrollment."Enterpriseapplications"referstoapplicationsthatareintheEnterpriseapplicationgroup."Enterpriseresourcedata"referstoallstoredEnterprisedataandtheseparateresourcesthatareavailabletotheEnterpriseapplicationgroup,perFDP_ACF_EXT.2.1.IfFDP_ACF_EXT.2.1isincludedintheST,then"removealldevice-storedEnterpriseresourcedata"mustbeselected,andisdefinedtobeallresourcesselectedinFDP_ACF_EXT.2.1.IfFIA_UAU_EXT.4.1isincludedintheST,then"removeEnterprisesecondaryauthenticationdata"mustbeselected.IfFIA_UAU_EXT.4.1isnotincludedintheST,then"removeEnterprisesecondaryauthenticationdata"cannotbeselected.EnterprisesecondaryauthenticationdataonlyreferstoanydatastoredontheTOEthatisspecificallyusedaspartofasecondaryauthenticationmechanismtoauthenticateaccesstoEnterpriseapplicationsandsharedresources.MaterialthatisusedfortheTOE’sprimaryauthenticationmechanismorotherpurposesnotrelatedtoauthenticationtoorprotectionofEnterpriseapplicationsorsharedresourcesshouldnotberemoved.
Protecteddataisallnon-TSFdata,includingalluserorenterprisedata.Someorallofthisdatamaybeconsideredsensitivedataaswell.If"wipeofprotecteddata"isselecteditisassumedthatthesensitivedataiswipedaswell.However,if"wipeofsensitivedata"isselected,itdoesnotimplythatallnon-TSFdata(protecteddata)iswiped.If"wipeofprotecteddata"or"wipeofsensitivedata"isselectedthewipemustbeinaccordancewithFCS_CKM_EXT.5.1.Thuscryptographicallywipingthedeviceisanacceptableremediationaction.
EvaluationActivities
FMT_SMF_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribesallavailableremediationactions,whentheyareavailableforuse,andanyotheradministrator-configuredtriggers.TheevaluatorshallverifythattheTSSdescribeshowtheremediationactionsareprovidedtotheadministrator.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallusethetestenvironmenttoiterativelyconfigurethedevicetoperformeachremediationactionintheselection.TheevaluatorshallconfiguretheremediationactionperhowtheTSSstatesitisprovidedtotheadministrator.ThetestenvironmentcouldbeaMDMagentapplication,butcanalsobeanapplicationwithadministratoraccess.
5.1.7Class:ProtectionoftheTSF(FPT)
FPT_AEX_EXT.1ApplicationAddressSpaceLayoutRandomizationFPT_AEX_EXT.1.1
TheTSFshallprovideaddressspacelayoutrandomizationASLRtoapplications.
FPT_AEX_EXT.1.2Thebaseaddressofanyuser-spacememorymappingwillconsistofatleast8unpredictablebits.
ApplicationNote:The8unpredictablebitsmaybeprovidedbytheTSFRBG(asspecifiedinFCS_RBG_EXT.1)butisnotrequired.
EvaluationActivities
FPT_AEX_EXT.1:TSSTheevaluatorshallensurethattheTSSsectionoftheSTdescribeshowthe8bitsaregeneratedandprovidesajustificationastowhythosebitsareunpredictable.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ThefollowingtestrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:Theevaluatormustselect3appsincludedwiththeTSF.ThesemustincludeanywebbrowserormailclientincludedwiththeTSF.Foreachoftheseapps,theevaluatorshalllaunchthesameappontwoseparateMobileDevicesofthesametypeandcompareallmemorymappinglocations.Theevaluatormustensurethatnomemorymappingsareplacedinthesamelocationonbothdevices.
Iftherare(atmost1/256)chanceoccursthattwomappingsarethesameforasingleappandnotthesamefortheothertwoapps,theevaluatorshallrepeatthetestwiththatapptoverifythatinthesecondtestthemappingsaredifferent.
FPT_AEX_EXT.2MemoryPagePermissionsFPT_AEX_EXT.2.1
TheTSFshallbeabletoenforceread,write,andexecutepermissionsoneverypageofphysicalmemory.
EvaluationActivities
FPT_AEX_EXT.2:TSSTheevaluatorshallensurethattheTSSdescribesofthememorymanagementunit(MMU),andensuresthatthisdescriptiondocumentstheabilityoftheMMUtoenforceread,write,andexecutepermissionsonallpagesofvirtualmemory.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_AEX_EXT.3StackOverflowProtectionFPT_AEX_EXT.3.1
TSFprocessesthatexecuteinanon-privilegedexecutiondomainontheapplicationprocessorshallimplementstack-basedbufferoverflowprotection.
ApplicationNote:A"non-privilegedexecutiondomain"referstotheusermode(asopposedtokernelmode,forinstance)oftheprocessor.WhilenotallTSFprocessesmustimplementsuchprotection,itisexpectedthatmostoftheprocesses(toincludelibrariesusedbyTSFprocesses)doimplementbufferoverflowprotections.
EvaluationActivities
FPT_AEX_EXT.3:TSSTheevaluatorshalldeterminethattheTSScontainsadescriptionofstack-basedbufferoverflowprotectionsimplementedintheTSFsoftwarewhichrunsinthenon-privilegedexecutionmodeoftheapplicationprocessor.Theexactimplementationofstack-basedbufferoverflowprotectionwillvarybyplatform.Exampleimplementationsmaybeactivatedthroughcompileroptionssuchas"-fstack-protector-all","-fstack-protector",and"/GS"flags.TheevaluatorshallensurethattheTSScontainsaninventoryofTSFbinariesandlibraries,indicatingthosethatimplementstack-basedbufferoverflowprotectionsaswellasthosethatdonot.TheTSSmustprovidearationale
forthosebinariesandlibrariesthatarenotprotectedinthismanner.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_AEX_EXT.4DomainIsolationFPT_AEX_EXT.4.1
TheTSFshallprotectitselffrommodificationbyuntrustedsubjects.
FPT_AEX_EXT.4.2TheTSFshallenforceisolationofaddressspacebetweenapplications.
ApplicationNote:InadditiontotheTSFsoftware(e.g.,kernelimage,devicedrivers,trustedapplications)thatresidesinstorage,theexecutioncontext(e.g.,addressspace,processorregisters,per-processenvironmentvariables)ofthesoftwareoperatinginaprivilegedmodeoftheprocessor(e.g.,kernel),aswellasthecontextofthetrustedapplicationsistobeprotected.Inadditiontothesoftware,anyconfigurationinformationthatcontrolsorinfluencesthebehavioroftheTSFisalsotobeprotectedfrommodificationbyuntrustedsubjects.
Configurationinformationincludes,butisnotlimitedto,userandadministrativemanagementfunctionsettings,WLANprofiles,andBluetoothdatasuchastheservice-levelsecurityrequirementsdatabase.
Untrustedsubjectsincludeuntrustedapplications;unauthorizeduserswhohaveaccesstothedevicewhilepoweredoff,inascreen-lockedstate,orwhenbootedintoauxiliarybootmodes;and,unauthorizedusersoruntrustedsoftwareorhardwarewhichmayhaveaccesstothedeviceoverawiredinterface,eitherwhenthedeviceisinascreen-lockedstateorbootedintoauxiliarybootmodes.
EvaluationActivities
FPT_AEX_EXT.4:TSSTheevaluatorshallensurethattheTSSdescribesthemechanismsthatareinplacethatpreventsnon-TSFsoftwarefrommodifyingtheTSFsoftwareorTSFdatathatgovernsthebehavioroftheTSF.Thesemechanismscouldrangefromhardware-basedmeans(e.g."executionrings"andmemorymanagementfunctionality);tosoftware-basedmeans(e.g.boundarycheckingofinputstoAPIs).TheevaluatordeterminesthatthedescribedmechanismsappearreasonabletoprotecttheTSFfrommodification.
TheevaluatorshallensuretheTSSdescribeshowtheTSFensuresthattheaddressspacesofapplicationsarekeptseparatefromoneanother.
TheevaluatorshallensuretheTSSdetailstheUSSDandMMIcodesavailablefromthedialeratthelockedstateorduringauxiliarybootmodesthatmayalterthebehavioroftheTSF.Theevaluatorshallensurethatthisdescriptionincludesthecode,theactionperformedbytheTSF,andajustificationthattheactionsperformeddonotmodifyuserorTSFdata.IfnoUSSDorMMIcodesareavailable,theevaluatorshallensurethattheTSSprovidesadescriptionofthemethodbywhichactionsprescribedbythesecodesareprevented.
TheevaluatorshallensuretheTSSdocumentsanyTSFdata(includingsoftware,executioncontext,configurationinformation,andauditlogs)whichmaybeaccessedandmodifiedoverawiredinterfaceinauxiliarybootmodes.Theevaluatorshallensurethatthedescriptionincludesdata,whichismodifiedinsupportofupdateorrestoreofthedevice.Theevaluatorshallensurethatthisdocumentationincludestheauxiliarybootmodesinwhichthedatamaybemodified,themethodsforenteringtheauxiliarybootmodes,thelocationofthedata,themannerinwhichdatamaybemodified,thedataformatandpackagingnecessarytosupportmodification,andsoftwareand/orhardwaretools,ifany,whicharenecessaryformodifyingthedata.
TheevaluatorshallensurethattheTSSprovidesadescriptionofthemeansbywhichunauthorizedandundetectedmodification(thatis,excludingcryptographicallyverifiedupdatesperFPT_TUD_EXT.2)oftheTSFdataoverthewiredinterfaceinauxiliarybootsmodesisprevented.Thelackofpubliclyavailabletoolsisnotsufficientjustification.Examplesofsufficientjustificationincludeauditingofchanges,cryptographicverificationintheformofadigitalsignatureorhash,disablingtheauxiliarybootmodes,andaccesscontrolmechanismsthatpreventwritingtofilesorflashingpartitions.
Guidance
Therearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ThefollowingtestsrequirethevendortoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.Inaddition,thevendorprovidesalistoffiles(e.g.,systemfiles,libraries,configurationfiles,auditlogs)thatmakeuptheTSFdata.Thislistcouldbeorganizedbyfolders/directories(e.g.,/usr/sbin,/etc),aswellasindividualfilesthatmayexistoutsideoftheidentifieddirectories.
Test1:TheevaluatorshallcreateandloadanappontotheMobileDevice.Thisappshallattempttotraverseoverallfilesystemsandreportanylocationstowhichdatacanbewrittenoroverwritten.TheevaluatormustensurethatnoneoftheselocationsarepartoftheOSsoftware,devicedrivers,systemandsecurityconfigurationfiles,keymaterial,oranotheruntrustedapplication’simage/data.Forexample,itisacceptableforatrustedphotoeditorapptohaveaccesstothedatacreatedbythecameraapp,butacalculatorapplicationshallnothaveaccesstothepictures.
Test2:Foreachavailableauxiliarybootmode,theevaluatorshallattempttomodifyaTSFfileoftheirchoosingusingthesoftwareand/orhardwaretoolsdescribedintheTSS.Theevaluatorshallverifythatthemodificationfails.
FPT_JTA_EXT.1JTAGDisablementFPT_JTA_EXT.1.1
TheTSFshall[selection:disableaccessthroughhardware,controlaccessbyasigningkey]toJTAG.
ApplicationNote:ThisrequirementmeansthataccesstoJTAGmustbedisabledeitherthroughhardwareand/orrestrictedthroughtheuseofasigningkey.
EvaluationActivities
FPT_JTA_EXT.1:TSSIf"disableaccessthroughhardware"isselected:TheevaluatorshallexaminetheTSStodeterminethelocationoftheJTAGportsontheTSF,toincludetheorderoftheports(i.e.DataIn,DataOut,Clock,etc.).
If"controlaccessbyasigningkey"isselected:TheevaluatorshallexaminetheTSStodeterminehowaccesstotheJTAGiscontrolledbyasigningkey.TheevaluatorshallexaminetheTSStodeterminewhentheJTAGcanbeaccessed,i.e.whathastheaccesstothesigningkey.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:Thefollowingtestrequiresthedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithchiplevelaccess.
If"disableaccessthroughhardware"isselected:TheevaluatorshallconnectapacketanalyzertotheJTAGports.TheevaluatorshallquerytheJTAGportforitsdeviceIDandconfirmthatthedeviceIDcannotberetrieved.
FPT_KST_EXT.1KeyStorageFPT_KST_EXT.1.1
TheTSFshallnotstoreanyplaintextkeymaterialinreadablenon-volatilememory.
ApplicationNote:TheintentionofthisrequirementisthattheTOEwillnotwriteplaintextkeyingmaterialtopersistentstorage.Forthepurposesofthisrequirement,keyingmaterialreferstoauthenticationdata,passwords,secret/privatesymmetrickeys,privateasymmetrickeys,datausedtoderivekeys,etc.Thesevaluesmustbestoredencrypted.
Thisrequirementalsoappliestoanyvaluederivedfrompasswords.Thus,the
TOEcannotstoreplaintextpasswordhashesforcomparisonpurposesbeforeprotecteddataisdecrypted,andtheTOEshouldusekeyderivationanddecryptiontoverifythePasswordAuthenticationFactor.
IfaBAFisselectedinFIA_UAU.5.1,keyingmaterialalsoreferstosourcebiometricdata(i.e.fingerprint),enrollmentandauthenticationtemplates,thefeaturesanalgorithmusestoperformbiometricauthenticationforenrollmentorverification(i.e.locationofminutia),thresholdvaluesusedinmakingthematchadjudication,intermediatecalculationsgeneratedwhilebuildinganenrollmentorauthenticationtemplate(i.e.directionmaps,minutiacounts,binarizedandskeletonizedrepresentationsoffrictionridgepatterns,etc.),andfinalmatchscores.Anyimagesormetadataidentifyingtheuserforauthenticationshallbestoredencrypted.
If"hybrid"isselectedinFIA_UAU.5.1,inadditiontothekeyingmaterialincludedfortheBAF,mentionedinthepreviousparagraph,keyingmaterialalsoreferstothePIN/passwordusedaspartofthehybridauthentication.
EvaluationActivities
FPT_KST_EXT.1:TSSTheevaluatorshallconsulttheTSSsectionoftheSTinperformingtheEvaluationActivitiesforthisrequirement.
Inperformingtheirreview,theevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenonpower-upandpasswordauthenticationrelatingtothedecryptionofDEKs,storedkeys,anddata.
TheevaluatorshallensurethatthedescriptionalsocovershowthecryptographicfunctionsintheFCSrequirementsarebeingusedtoperformtheencryptionfunctions,includinghowtheKEKs,DEKs,andstoredkeysareunwrapped,saved,andusedbytheTOEsoastopreventplaintextfrombeingwrittentonon-volatilestorage.TheevaluatorshallensurethattheTSSdescribes,foreachpower-downscenariohowtheTOEensuresthatallkeysinnon-volatilestoragearenotstoredinplaintext.
TheevaluatorshallensurethattheTSSdescribeshowotherfunctionsavailableinthesystem(e.g.,regenerationofthekeys)ensurethatnounencryptedkeymaterialispresentinpersistentstorage.
TheevaluatorshallreviewtheTSStodeterminethatitmakesacasethatkeymaterialisnotwrittenunencryptedtothepersistentstorage.
ForeachBAFselectedinFIA_UAU.5.1:
TheevaluatorshalldeterminethattheTSSalsocontainsadescriptionoftheactivitiesthathappenonbiometricauthentication,relatingtothedecryptionofDEKs,storedkeys,anddata.Inadditionhowthesystemensuresthatthebiometrickeyingmaterialisnotstoredunencryptedinpersistentstorage.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_KST_EXT.2NoKeyTransmissionFPT_KST_EXT.2.1
TheTSFshallnottransmitanyplaintextkeymaterialoutsidethesecurityboundaryoftheTOE.
ApplicationNote:Theintentionofthisrequirementistopreventtheloggingofplaintextkeyinformationtoaservicethattransmitstheinformationoff-device.Forthepurposesofthisrequirement,keymaterialreferstokeys,passwords,andothermaterialthatisusedtoderivekeys.
IfaBAFisselectedinFIA_UAU.5.1,keyingmaterialalsoreferstosourcebiometricdata(i.e.fingerprint),enrollmentandauthenticationtemplates,thefeaturesanalgorithmusestoperformbiometricauthenticationforenrollmentorverification(i.e.locationofminutia),thresholdvaluesusedinmakingthematchadjudication,intermediatecalculationsgeneratedwhilebuildinganenrollmentorauthenticationtemplate(i.e.directionmaps,minutiacounts,binarizedandskeletonizedrepresentationsoffrictionridgepatterns),andfinalmatchscores.
If"hybrid"isselectedinFIA_UAU.5.1,inadditiontothekeyingmaterialincludedfortheBAF,mentionedinthepreviousparagraph,keyingmaterialalsoreferstothePIN/passwordusedaspartofthehybridauthentication.
Inthefuture,thisrequirementwillapplytosymmetricandasymmetricprivatekeysstoredintheTOEsecurekeystoragewhereapplicationsareoutsidetheboundaryoftheTOE.Thus,theTSFwillberequiredtoprovidecryptographickeyoperations(signature,encryption,anddecryption)onbehalfofapplications(FCS_SRV_EXT.2.1)thathaveaccesstothosekeys.
EvaluationActivities
FPT_KST_EXT.2:TSSTheevaluatorshallconsulttheTSSsectionoftheSTinperformingtheEvaluationActivitiesforthisrequirement.TheevaluatorshallensurethattheTSSdescribestheTOEsecurityboundary.Thecryptographicmodulemayverywellbeaparticularkernelmodule,theOperatingSystem,theApplicationProcessor,oruptotheentireMobileDevice.
Inperformingtheirreview,theevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenonpower-upandpasswordauthenticationrelatingtothedecryptionofDEKs,storedkeys,anddata.
TheevaluatorshallensurethattheTSSdescribeshowotherfunctionsavailableinthesystem(e.g.,regenerationofthekeys)ensurethatnounencryptedkeymaterialistransmittedoutsidethesecurityboundaryoftheTOE.
TheevaluatorshallreviewtheTSStodeterminethatitmakesacasethatkeymaterialisnottransmittedoutsidethesecurityboundaryoftheTOE.
ForeachBAFselectedinFIA_UAU.5.1:
Inperformingtheirreview,theevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenonbiometricauthentication,includinghowanyplaintextmaterial,includingcriticalsecurityparametersandresultsofbiometricalgorithms,areprotectedandaccessed.
TheevaluatorshallensurethattheTSSdescribeshowfunctionsavailableinthebiometricalgorithmsensurethatnounencryptedplaintextmaterial,includingcriticalsecurityparametersandintermediateresults,istransmittedoutsidethesecurityboundaryoftheTOEortootherfunctionsorsystemsthattransmitinformationoutsidethesecurityboundaryoftheTOE.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_KST_EXT.3NoPlaintextKeyExportFPT_KST_EXT.3.1
TheTSFshallensureitisnotpossiblefortheTOEuser(s)toexportplaintextkeys.
ApplicationNote:PlaintextkeysincludeDEKs,KEKs,andallkeysstoredinthesecurekeystorage(FCS_STG_EXT.1).TheintentofthisrequirementistopreventtheplaintextkeysfrombeingexportedduringabackupauthorizedbytheTOEuseroradministrator.
EvaluationActivities
FPT_KST_EXT.3:TSSTheSTauthorwillprovideastatementoftheirpolicyforhandlingandprotectingkeys.TheevaluatorshallchecktoensuretheTSSdescribesapolicyinlinewithnotexportingeitherplaintextDEKs,KEKs,orkeysstoredinthesecurekeystorage.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_NOT_EXT.1Self-TestNotificationFPT_NOT_EXT.1.1
TheTSFshalltransitiontonon-operationalmodeand[selection:logfailuresintheauditrecord,notifytheadministrator,[assignment:otheractions],nootheractions]whenthefollowingtypesoffailuresoccur:
failuresoftheself-test(s)TSFsoftwareintegrityverificationfailures[selection:nootherfailures,[assignment:otherfailures]]
EvaluationActivities
FPT_NOT_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribescriticalfailuresthatmayoccurandtheactionstobetakenuponthesecriticalfailures.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ThefollowingtestrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:Theevaluatorshalluseatoolprovidedbythedevelopertomodifyfilesandprocessesinthesystemthatcorrespondtocriticalfailuresspecifiedinthesecondlist.Theevaluatorshallverifythatcreatingthesecriticalfailurescausesthedevicetotaketheremediationactionsspecifiedinthefirstlist.
FPT_STM.1ReliableTimeStampsFPT_STM.1.1
TheTSFshallbeabletoprovidereliabletimestampsforitsownuse.
EvaluationActivities
FPT_STM.1:TSSTheevaluatorshallexaminetheTSStoensurethatitlistseachsecurityfunctionthatmakesuseoftime.TheTSSprovidesadescriptionofhowthetimeismaintainedandconsideredreliableinthecontextofeachofthetimerelatedfunctions.ThisdocumentationmustidentifywhethertheTSFusesaNTPserverorthecarrier’snetworktimeastheprimarytimesources.
GuidanceTheevaluatorexaminestheoperationalguidancetoensureitdescribeshowtosetthetime.
TestsTest1:Theevaluatorusestheoperationalguidetosetthetime.Theevaluatorshallthenuseanavailableinterfacetoobservethatthetimewassetcorrectly.
FPT_TST_EXT.1TSFCryptographicFunctionalityTestingFPT_TST_EXT.1.1
TheTSFshallrunasuiteofself-testsduringinitialstart-up(onpoweron)todemonstratethecorrectoperationofallcryptographicfunctionality.
ApplicationNote:Thisrequirementmaybemetbyperformingknownanswertestsand/orpair-wiseconsistencytests.Theself-testsmustbeperformedbeforethecryptographicfunctionalityisexercised(forexample,duringtheinitializationofaprocessthatutilizesthefunctionality).
Thecryptographicfunctionalityincludesthecryptographicoperationsin
FCS_COP,thekeygenerationfunctionsinFCS_CKM,andtherandombitgenerationinFCS_RBG_EXT.
EvaluationActivities
FPT_TST_EXT.1:TSSTheevaluatorshallexaminetheTSStoensurethatitspecifiestheself-teststhatareperformedatstart-up.ThisdescriptionmustincludeanoutlineofthetestproceduresconductedbytheTSF(e.g.,ratherthansaying"memoryistested",adescriptionsimilarto"memoryistestedbywritingavaluetoeachmemorylocationandreadingitbacktoensureitisidenticaltowhatwaswritten"shallbeused).TheTSSmustincludeanyerrorstatesthattheyTSFmayenterwhenself-testsfail,andtheconditionsandactionsnecessarytoexittheerrorstatesandresumenormaloperation.TheevaluatorshallverifythattheTSSindicatestheseself-testsarerunatstart-upautomatically,anddonotinvolveanyinputsfromoractionsbytheuseroroperator.
Theevaluatorshallinspectthelistofself-testsintheTSSandverifythatitincludesalgorithmself-tests.Thealgorithmself-testswilltypicallybeconductedusingknownanswertests.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_TST_EXT.2/PREKERNELTSFIntegrityChecking(Pre-Kernel)FPT_TST_EXT.2.1/PREKERNEL
TheTSFshallverifytheintegrityofthebootchainupthroughtheApplicationProcessorOSkernelstoredinmutablemediapriortoitsexecutionthroughtheuseof[selection:adigitalsignatureusinganimmutablehardwareasymmetrickey,animmutablehardwarehashofanasymmetrickey,animmutablehardwarehash,adigitalsignatureusingahardware-protectedasymmetrickey].
ApplicationNote:ThebootchainoftheTSFisthesequenceoffirmwareandsoftware,includingROM,bootloader(s),andkernel,whichultimatelyresultinloadingthekernelontheApplicationProcessor,regardlessofwhichprocessorexecutesthatcode.ExecutablecodethatwouldbeloadedafterthekerneliscoveredinFPT_TST_EXT.2/POSTKERNEL.
Inordertomeetthisrequirement,thehardwareprotectionmaybetransitiveinnature:ahardware-protectedpublickey,hashofanasymmetrickey,orhashmaybeusedtoverifythemutablebootloadercodewhichcontainsakeyorhashusedbythebootloadertoverifythemutableOSkernelcode,whichcontainsakeyorhashtoverifythenextlayerofexecutablecode,andsoon.
Thecryptographicmechanismusedtoverifythe(initial)mutableexecutablecodemustbeprotected,suchasbeingimplementedinhardwareorinread-onlymemory(ROM).
EvaluationActivities
FPT_TST_EXT.2/PREKERNEL:TSSTheevaluatorshallverifythattheTSSsectionoftheSTincludesadescriptionofthebootprocedures,includingadescriptionoftheentirebootchain,ofthesoftwarefortheTSF’sApplicationProcessor.Theevaluatorshallensurethatbeforeloadingthebootloader(s)fortheoperatingsystemandthekernel,allbootloadersandthekernelsoftwareitselfiscryptographicallyverified.Foreachadditionalcategoryofexecutablecodeverifiedbeforeexecution,theevaluatorshallverifythatthedescriptionintheTSSdescribeshowthatsoftwareiscryptographicallyverified.
TheevaluatorshallverifythattheTSScontainsajustificationfortheprotectionofthecryptographickeyorhash,preventingitfrombeingmodifiedbyunverifiedorunauthenticatedsoftware.TheevaluatorshallverifythattheTSScontainsadescriptionoftheprotectionaffordedtothemechanismperformingthecryptographicverification.
TheevaluatorshallverifythattheTSSdescribeseachauxiliarybootmodeavailableontheTOEduringthebootprocedures.Theevaluatorshallverifythat,foreachauxiliarybootmode,adescriptionofthecryptographicintegrityoftheexecutedcodethroughthekernelisverifiedbeforeeachexecution.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ThefollowingtestsrequirethevendortoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Theevaluatorshallperformthefollowingtests:Test1:TheevaluatorshallperformactionstocauseTSFsoftwaretoloadandobservethattheintegritymechanismdoesnotflaganyexecutablesascontainingintegrityerrorsandthattheTOEproperlyboots.
Test2:TheevaluatorshallmodifyaTSFexecutablethatisintegrityprotectedandcausethatexecutabletobesuccessfullyloadedbytheTSF.TheevaluatorobservesthatanintegrityviolationistriggeredandtheTOEdoesnotboot.(Caremustbetakensothattheintegrityviolationisdeterminedtobethecauseofthefailuretoloadthemodule,andnotthefactthatthemodulewasmodifiedsothatitwasrenderedunabletorunbecauseitsformatwascorrupt).
Test3:[conditional]IftheSTauthorindicatesthattheintegrityverificationisperformedusingapublickey,theevaluatorshallverifythattheupdatemechanismincludesacertificatevalidationaccordingtoFIA_X509_EXT.1.TheevaluatorshalldigitallysigntheTSFexecutablewithacertificatethatdoesnothavetheCodeSigningpurposeintheextendedKeyUsagefieldandverifythatanintegrityviolationistriggered.TheevaluatorshallrepeatthetestusingacertificatethatcontainstheCodeSigningpurposeandverifythattheintegrityverificationsucceeds.Ideally,thetwocertificatesshouldbeidenticalexceptfortheextendedKeyUsagefield.
FPT_TUD_EXT.1TrustedUpdate:TSFVersionQueryFPT_TUD_EXT.1.1
TheTSFshallprovideauthorizeduserstheabilitytoquerythecurrentversionoftheTOEfirmware/software.
FPT_TUD_EXT.1.2TheTSFshallprovideauthorizeduserstheabilitytoquerythecurrentversionofthehardwaremodelofthedevice.
ApplicationNote:Thecurrentversionofthehardwaremodelofthedeviceisanidentifierthatissufficienttoindicate(intandemwithmanufacturerdocumentation)thehardwarewhichcomprisesthedevice.
FPT_TUD_EXT.1.3TheTSFshallprovideauthorizeduserstheabilitytoquerythecurrentversionofinstalledmobileapplications.
ApplicationNote:Thecurrentversionofmobileapplicationsisthenameandpublishedversionnumberofeachinstalledmobileapplication.
EvaluationActivities
FPT_TUD_EXT.1:TheevaluatorshallestablishatestenvironmentconsistingoftheMobileDeviceandanysupportingsoftwarethatdemonstratesusageofthemanagementfunctions.Thiscanbetestsoftwarefromthedeveloper,areferenceimplementationofmanagementsoftwarefromthedeveloper,orothercommerciallyavailablesoftware.TheevaluatorshallsetuptheMobileDeviceandtheothersoftwaretoexercisethemanagementfunctionsaccordingtotheprovidedguidancedocumentation.
TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTest1:UsingtheAGDguidanceprovided,theevaluatorshalltestthattheadministratorandusercanquery:
thecurrentversionoftheTSFoperatingsystemandanyfirmwarethatcanbeupdatedseparately
thehardwaremodeloftheTSFthecurrentversionofallinstalledmobileapplications
Theevaluatormustreviewmanufacturerdocumentationtoensurethatthehardwaremodelidentifierissufficienttoidentifythehardwarewhichcomprisesthedevice.
FPT_TUD_EXT.2TSFUpdateVerificationFPT_TUD_EXT.2.1
TheTSFshallverifysoftwareupdatestotheApplicationProcessorsystemsoftwareand[selection:[assignment:otherprocessorsystemsoftware],nootherprocessorsystemsoftware]usingadigitalsignatureverifiedbythemanufacturertrustedkeypriortoinstallingthoseupdates
ApplicationNote:ThedigitalsignaturemechanismisimplementedinaccordancewithFCS_COP.1.1/SIGN.
Atthistime,thisrequirementdoesnotrequireverificationofsoftwareupdatestothesoftwareoperatingoutsidetheApplicationProcessor.
Anychange,viaasupportedmechanism,tosoftwareresidinginnon-volatilestorageisdeemedasoftwareupdate.Thus,thisrequirementappliestoTSFsoftwareupdatesregardlessofhowthesoftwarearrivesorisdeliveredtothedevice.Thisincludesover-the-air(OTA)updatesaswellaspartitionimagescontainingsoftwarewhichmaybedeliveredtothedeviceoverawiredinterface.
FPT_TUD_EXT.2.2TheTSFshall[selection:neverupdate,updateonlybyverifiedsoftware]theTSFbootintegrity[selection:key,hash].
ApplicationNote:ThekeyorhashupdatedviathisrequirementisusedforverifyingsoftwarebeforeexecutioninFPT_TST_EXT.2/PREKERNEL.Thekeyorhashisverifiedasapartofthedigitalsignatureonanupdate,andthesoftwarewhichperformstheupdateofthekeyorhashisverifiedbyFPT_TST_EXT.2/PREKERNEL.
FPT_TUD_EXT.2.3TheTSFshallverifythatthedigitalsignatureverificationkeyusedforTSFupdates[selection:isvalidatedtoapublickeyintheTrustAnchorDatabase,matchesanimmutablehardwarepublickey].
ApplicationNote:TheSTauthormustindicatethemethodbywhichthesigningkeyforsystemsoftwareupdatesislimitedand,ifselectedinFPT_TUD_EXT.2.3,mustindicatehowthissigningkeyisprotectedbythehardware.
Ifcertificatesareused,certificatesarevalidatedforthepurposeofsoftwareupdatesinaccordancewithFIA_X509_EXT.1andshouldbeselectedinFIA_X509_EXT.2.1.Additionally,FPT_TUD_EXT.4.1mustbeincludedintheST.
EvaluationActivities
FPT_TUD_EXT.2:TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribesallTSFsoftwareupdatemechanismsforupdatingthesystemsoftware.Theevaluatorshallverifythatthedescriptionincludesadigitalsignatureverificationofthesoftwarebeforeinstallationandthatinstallationfailsiftheverificationfails.TheevaluatorshallverifythatallsoftwareandfirmwareinvolvedinupdatingtheTSFisdescribedand,ifmultiplestagesandsoftwareareindicated,thatthesoftware/firmwareresponsibleforeachstageisindicatedandthatthestage(s)whichperformsignatureverificationoftheupdateareidentified.
TheevaluatorshallverifythattheTSSdescribesthemethodbywhichthedigitalsignatureisverifiedandthatthepublickeyusedtoverifythesignatureiseitherhardware-protectedorisvalidatedtochaintoapublickeyintheTrustAnchorDatabase.Ifhardware-protectionisselected,theevaluatorshallverifythatthemethodofhardware-protectionisdescribedandthattheSTauthorhasjustifiedwhythepublickeymaynotbemodifiedbyunauthorizedparties.
[conditional]IftheSTauthorindicatesthatsoftwareupdatestosystemsoftwarerunningonotherprocessorsisverified,theevaluatorshallverifythattheseotherprocessorsarelistedintheTSSandthatthedescriptionincludesthesoftwareupdatemechanismfortheseprocessors,ifdifferentthantheupdatemechanismforthesoftwareexecutingontheApplicationProcessor.
[conditional]IftheSTauthorindicatesthatthepublickeyisusedforsoftwareupdatedigitalsignatureverification,theevaluatorshallverifythattheupdatemechanismincludesacertificatevalidationaccordingtoFIA_X509_EXT.1andacheckfortheCodeSigningpurposeintheextendedKeyUsage.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallverifythatthedeveloperhasprovidedevidencethatthefollowingtestswereperformedforeachavailableupdatemechanism:
Test1:Thetestershalltrytoinstallanupdatewithoutthedigitalsignatureandshallverifythatinstallationfails.Thetestershallattempttoinstallanupdatewithdigitalsignature,andverifythatinstallationsucceeds.Test2:Thetestershalldigitallysigntheupdatewithakeydisallowedbythedeviceandverifythatinstallationfails.Thetestershallattempttoinstallanupdatesignedwiththeallowedkeyandverifythatinstallationsucceeds.Test3:[conditional]Thetestershalldigitallysigntheupdatewithaninvalidcertificateandverifythatupdateinstallationfails.Thetesterattempttoinstallanupdatethatwasdigitallysignedusingavalidcertificateandacertificatethatcontainsthepurposeandverifythattheupdateinstallationsucceeds.Test4:[conditional]Thetestershallrepeatthesetestforthesoftwareexecutingoneachprocessorlistedinthefirstselection.Thetestershallattempttoinstallanupdatewithoutthedigitalsignatureandshallverifythatinstallationfails.Thetestershallattempttoinstallanupdatewithdigitalsignature,andverifythatinstallationsucceeds.
FPT_TUD_EXT.3ApplicationSigningFPT_TUD_EXT.3.1
TheTSFshallverifymobileapplicationsoftwareusingadigitalsignaturemechanismpriortoinstallation.
ApplicationNote:ThisrequirementdoesnotnecessitateanX.509v3certificateorcertificatevalidation.X.509v3certificatesandcertificatevalidationareaddressedinFPT_TUD_EXT.5.1.
EvaluationActivities
FPT_TUD_EXT.3:TSSTheevaluatorshallverifythattheTSSdescribeshowmobileapplicationsoftwareisverifiedatinstallation.Theevaluatorshallensurethatthismethodusesadigitalsignature.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:Thefollowingtestdoesnothavetobetestedusingthecommercialapplicationstore.
Test1:Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplication.Theevaluatorshalltrytoinstallthisapplicationwithoutadigitallysignatureandshallverifythatinstallationfails.Theevaluatorshallattempttoinstalladigitallysignedapplication,andverifythatinstallationsucceeds.
5.1.8Class:TOEAccess(FTA)
FTA_SSL_EXT.1TSF-andUser-initiatedLockedStateFTA_SSL_EXT.1.1
TheTSFshalltransitiontoalockedstateafteratimeintervalofinactivity.
FTA_SSL_EXT.1.2TheTSFshalltransitiontoalockedstateafterinitiationbyeithertheuserortheadministrator.
FTA_SSL_EXT.1.3TheTSFshall,upontransitioningtothelockedstate,performthefollowingoperations:
a. clearingoroverwritingdisplaydevices,obscuringthepreviouscontents;b. [assignment:otheractionsperformedupontransitioningtothelocked
state].
ApplicationNote:ThetimeintervalofinactivityisconfiguredusingFMT_SMF_EXT.1function2.Theuser/administrator-initiatedlockisspecifiedinFMT_SMF_EXT.1function6.
EvaluationActivities
FTA_SSL_EXT.1:TSSTheevaluatorshallverifytheTSSdescribestheactionsperformedupontransitioningtothelockedstate.
GuidanceTheevaluationshallverifythattheAGDguidancedescribesthemethodofsettingtheinactivityintervalandofcommandingalock.TheevaluatorshallverifythattheTSSdescribestheinformationallowedtobedisplayedtounauthorizedusers.
TestsTest1:TheevaluatorshallconfiguretheTSFtotransitiontothelockedstateafteratimeofinactivity(FMT_SMF_EXT.1)accordingtotheAGDguidance.TheevaluatorshallwaituntiltheTSFlocksandverifythatthedisplayisclearedoroverwrittenandthattheonlyactionsallowedinthelockedstateareunlockingthesessionandthoseactionsspecifiedinFIA_UAU_EXT.2.
Test2:TheevaluatorshallcommandtheTSFtotransitiontothelockedstateaccordingtotheAGDguidanceasboththeuserandtheadministrator.TheevaluatorshallwaituntiltheTSFlocksandverifythatthedisplayisclearedoroverwrittenandthattheonlyactionsallowedinthelockedstateareunlockingthesessionandthoseactionsspecifiedinFIA_UAU_EXT.2.
5.1.9Class:TrustedPath/Channels(FTP)
FTP_ITC_EXT.1TrustedChannelCommunicationFTP_ITC_EXT.1.1
TheTSFshalluse802.11-2012inaccordancewiththeExtendedPackageforWLANClients,802.1XinaccordancewiththeExtendedPackageforWLANClients,EAP-TLSinaccordancewiththeExtendedPackageforWLANClients,mutuallyauthenticatedTLSasdefinedinthePackageforTransportLayerSecurity
and[selection:IPsecinaccordancewiththePP-ModuleforVPNClient,mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity,HTTPS
]protocolstoprovideacommunicationchannelbetweenitselfandanothertrustedITproductthatislogicallydistinctfromothercommunicationchannels,providesassuredidentificationofitsendpoints,protectschanneldatafromdisclosure,anddetectsmodificationofthechanneldata.
ApplicationNote:TheintentofthemandatoryportionoftheaboverequirementistousethecryptographicprotocolsidentifiedintherequirementtoestablishandmaintainatrustedchannelbetweentheTOEandanaccesspoint,VPNGateway,orothertrustedITproduct.
TheSTauthormustlistwhichtrustedchannelprotocolsareimplementedbytheMobileDevice.
TheTSFmustbevalidatedagainsttheExtendedPackageforWLANClientstosatisfythemandatorytrustedchannelsof802.11-2012,802.1X,andEAP-TLS.
TosatisfythemandatorytrustedchannelofTLSandif"mutuallyauthenticatedDTLSasdefinedinthePackageforTransportLayerSecurity"isselected,theTSFmustbevalidatedagainsttheTLSFunctionalPackage,withthefollowingselectionsmade:
FCS_TLS_EXT.1:eitherTLSorDTLSisselectedasappropriateclientisselected
FCS_TLSC_EXT.1.1orFCS_DTLSC_EXT.1.1(asappropriate):TheciphersuitesselectedmustcorrespondwiththealgorithmsandhashfunctionsallowedinFCS_COP.1.Mutualauthenticationmustbeselected
FCS_TLSC_EXT.1.3orFCS_DTLSC_EXT.1.3(asappropriate):Withnoexceptionsisselected.
IftheSTauthorselectsIPsec,theTSFmustbevalidatedagainstthePP-ModuleforVPNClient.
AppendixB-Selection-BasedRequirementscontainstherequirementsforimplementingeachoftheotheroptionaltrustedchannelprotocols.TheSTauthormustincludethesecurityfunctionalrequirementsforthetrustedchannelprotocolselectedinFTP_ITC_EXT.1inthemainbodyoftheST.
Assuredidentificationofendpointsisperformedaccordingtotheauthenticationmechanismsusedbythelistedtrustedchannelprotocols.
FTP_ITC_EXT.1.2TheTSFshallpermittheTSFtoinitiatecommunicationviathetrustedchannel.
FTP_ITC_EXT.1.3TheTSFshallinitiatecommunicationviathetrustedchannelforwirelessaccesspointconnections,administrativecommunication,configuredenterpriseconnections,and[selection:OTAupdates,nootherconnections].
EvaluationActivities
FTP_ITC_EXT.1:TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthedetailsoftheTOEconnectingtoaccesspoints,VPNGateways,andothertrustedITproductsintermsofthecryptographicprotocolsspecifiedintherequirement,alongwithTOE-specificoptionsorproceduresthatmightnotbereflectedinthespecifications.TheevaluatorshallalsoconfirmthatallprotocolslistedintheTSSarespecifiedandincludedintherequirementsintheST.
IfOTAupdatesareselected,theTSSshalldescribewhichtrustedchannelprotocolisinitiatedbytheTOEandisusedforupdates.
GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsforestablishingtheconnectiontoaccesspoints,VPNGateways,andothertrustedITproducts.
TestsTheevaluatorshallalsoperformthefollowingtestsforeachprotocollisted:
Test1:Theevaluatorshallensure,foreachcommunicationchannelwithanauthorizedITentity,thechanneldataarenotsentinplaintextandthataprotocolanalyzeridentifiesthetrafficastheprotocolundertesting.
Test2:[conditional]IfIPsecisselected,theevaluatorshallensurethattheTOEisabletoinitiatecommunicationswithaVPNGateway,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.
Test3:[conditional]IfOTAupdatesareselected,theevaluatorshalltriggeranupdaterequestaccordingtotheoperationalguidanceandshallensurethatthecommunicationissuccessful.
Test4:Foranyotherselectedprotocol(nottestedinTest1,2,or3),theevaluatorshallensurethattheTOEisabletoinitiatecommunicationswithatrustedITproductusingtheprotocol,settinguptheconnectionasdescribedintheoperationalguidanceandensuringthatthecommunicationissuccessful.
5.1.10TOESecurityFunctionalRequirementsRationaleThefollowingrationaleprovidesjustificationforeachsecurityobjectivefortheTOE,showingthattheSFRsaresuitabletomeetandachievethesecurityobjectives:
Table8:SFRRationaleOBJECTIVE ADDRESSEDBY RATIONALE
O.PROTECTED_COMMS FCS_CKM.1,FCS_CKM.2/UNLOCKED, FCS_CKM.1supportsthe
FCS_CKM_EXT.8(BluetoothModule),FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_DTLSC_EXT.1(TLSPackage),FCS_DTLSC_EXT.2(TLSPackage),FCS_HTTPS_EXT.1,FCS_RBG_EXT.1,FCS_RBG_EXT.2(Objective),FCS_RBG_EXT.3(Objective),FCS_SRV_EXT.1,FCS_SRV_EXT.2(Objective),FCS_TLSC_EXT.1(TLSPackage),FCS_TLSC_EXT.2(TLSPackage),FCS_TLSC_EXT.3(TLSPackage),FDP_BLT_EXT.1,FDP_IFC_EXT.1,FDP_STG_EXT.1,FDP_UPC_EXT.1/APPS,FDP_UPC_EXT.1/BLUETOOTH,FIA_BLT_EXT.1(BluetoothModule),FIA_BLT_EXT.2(BluetoothModule),FIA_BLT_EXT.3(BluetoothModule),FIA_BLT_EXT.4(BluetoothModule),FIA_BLT_EXT.5(BluetoothModule),FIA_BLT_EXT.6(BluetoothModule),FIA_BLT_EXT.7(BluetoothModule),FIA_X509_EXT.1,FIA_X509_EXT.2,FIA_X509_EXT.3,FIA_X509_EXT.4(Objective),FIA_X509_EXT.5(Objective),FPT_BLT_EXT.1(Objective),FTP_BLT_EXT.1(BluetoothModule),FTP_BLT_EXT.2(BluetoothModule),FTP_BLT_EXT.3/BR(BluetoothModule),FTP_BLT_EXT.3/LE(BluetoothModule),FTP_ITC_EXT.1
objectivebydefiningthekeygenerationalgorithmsthatareusedforprotectedcommunications.FCS_CKM.2/UNLOCKEDsupportstheobjectivebydefiningthekeyestablishmentalgorithmsthatareusedforprotectedcommunications.FCS_CKM_EXT.8supportstheobjectivebyrequiringtheTSFtoperformkeyrotationforBluetoothtolimitthewindowofopportunityforanattackertodeterminethekeyvalue.FCS_COP.1/ENCRYPTsupportstheobjectivebyrequiringtheTSFtoimplementsymmetricencryptionalgorithmsthatareusedinsupportofprotectedcommunications.FCS_COP.1/HASHsupportstheobjectivebyrequiringtheTSFtoimplementhashalgorithmsthatareusedinsupportofprotectedcommunications.FCS_COP.1/SIGNsupportstheobjectivebyrequiringtheTSFtoimplementdigitalsignaturealgorithmsthatareusedinsupportofprotectedcommunications.FCS_COP.1/KEYHMACsupportstheobjectivebyrequiringtheTSFtoimplementHMACalgorithmsthatareusedinsupportofprotectedcommunications.FCS_DTLSC_EXT.1supportstheobjectivebydefiningtheTOE'simplementationofDTLSasaclientifthisprotocolisusedforprotectedcommunications.FCS_DTLSC_EXT.2supportstheobjectivebydefiningtheTOE'simplementationofmutually-authenticatedDTLSasaclientifthisprotocolisusedforprotectedcommunications.FCS_HTTPS_EXT.1supportstheobjectivebydefiningtheTOE'simplementationofHTTPSifthisprotocolisusedforprotectedcommunications.FCS_RBG_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementdetermininsticrandombitgenerationalgorithmsthatareusedinsupportofprotectedcommunications.FCS_RBG_EXT.2supportstheobjectivebyrequiringtheTSFtosavetheDRBGstatebetweenrebootstoensureavailablityofthisservice.FCS_RBG_EXT.3supportstheobjectivebydefiningtheTSF's
implementationoftheSP800-90APersonalizationStringforapplicationsthatrequirethis.FCS_SRV_EXT.1supportstheobjectivebydefiningthecryptographicservicesthattheTSFmustmakeavailabletothird-partyapplications,whichincludesthosethatcansupportprotectedcommunications.FCS_SRV_EXT.2supportstheobjectivebyrequiringtheTSFtomakekeysinitssecurekeystorageavilableforuseinencryptionandsigningoperations.FCS_TLSC_EXT.1supportstheobjectivebydefiningtheTOE'simplementationofTLSasaclientforprotectedcommunications.FCS_TLSC_EXT.2supportstheobjectivebydefiningtheTOE'simplementationofmutually-authenticatedTLSasaclientforprotectedcommunications.FCS_TLSC_EXT.3supportstheobjectivebyrequiringtheTSFtosupporttheTLSsignaturealgorithmsextensionaspartofestablishingTLSprotectedcommunications.FDP_BLT_EXT.1supportstheobjectivebylimitingtheapplicationsthatareauthorizedtousetheBluetoothinterface,whichmayincludeatrustedchannel.FDP_IFC_EXT.1supportstheobjectivebyrequiringtheTSFtohaveeitheritsownIPsecVPNclientorinterfacethatallowsathird-partyVPNclienttobedeployedonit.FDP_STG_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementaprotectedkeystoragethatcanbeusedtoprotectpersistentkeysusedforprotectedcommunicationsfromdisclosure.FDP_UPC_EXT.1/APPSsupportstheobjectivebydefiningtheprotectedcommunicationschannelsthatitallowsthird-partyapplicationstoinvoke.FDP_UPC_EXT.1/BLUETOOTHsupportstheobjectivebydefiningtheBluetoothinterfacesthatitallowsthird-partyapplicationstoinvoke.FIA_BLT_EXT.1supportstheobjectivebyensuringthatBluetoothcommunicationsarenotinitiatedwithoutuserapproval.FIA_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtoimplementBluetooth
mutualauthenticaiton.FIA_BLT_EXT.3supportstheobjectivebypreventingBluetoothspoofingbyrejectingconnectionswithduplicatedeviceaddresses.FIA_BLT_EXT.4supportstheobjectivebydefiningtheTSF'simplementationofBluetoothSecureSimplePairing.FIA_BLT_EXT.5supportstheobjectivebyrequiringtheTSFtosupportSecureConnectionsOnlymodeforthesupportedBluetoothcommunicationchannels.FIA_BLT_EXT.6supportstheobjectivebyrequiringtheTSFtospecifytheBluetoothprofilesthatitrequiresexplicituserauthorizationtograntaccesstofortrusteddevices.FIA_BLT_EXT.7supportstheobjectivebyrequiringtheTSFtospecifytheBluetoothprofilesthatitrequiresexplicituserauthorizationtograntaccesstoforuntrusteddevices.FIA_X509_EXT.1supportstheobjectivebydefiningtherulestheTSFusestodetermineifapresentedX.509certificateisvalid.FIA_X509_EXT.2supportstheobjectivebyrequiringtheTSFtoenumerateitsusesofX.509certificates(includingprotectedcommunications)anditsbehaviorwhenacertificate'srevocationstatusisundetermined.FIA_X509_EXT.3supportstheobjectivebyrequiringtheTSFtoprovideacertificatevalidationservicetothird-partyapplications.FIA_X509_EXT.4supportstheobjectivebydefiningtheimplementationofESTasamethodbywhichtheTSFcanobtainanX.509certificateforitsownuse.FIA_X509_EXT.5supportstheobjectivebydefiningtheimplementationofCertificateRequestMessagesasamethodbywhichtheTSFcanobtainanX.509certificateforitsownuse.FPT_BLT_EXT.1supportstheobjectivebyrequiringtheTSFtodisablecertainBluetoothprofileswhentheyareinactivesuchthatexplicituserauthorizationisrequiredtore-enablethem.FTP_BLT_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementencryptiontoprotectBluetooth
communicationsFTP_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtopreventdatatransmissionoverBluetoothifthepaireddeviceisnotusingencryption.FTP_BLT_EXT.3/BRsupportstheobjectivebydefiningtheminimumkeysizeforBluetoothBR/EDRcommunications.FTP_BLT_EXT.3/LEsupportstheobjectivebydefiningtheminimumkeysizeforBluetoothLEcommunications.FTP_ITC_EXT.1supportstheobjectivebydefiningtheprotectedcommunicationsprotocolsthattheTSFimplements.
O.STORAGE FCS_CKM.2/LOCKED,FCS_CKM_EXT.1,FCS_CKM_EXT.2,FCS_CKM_EXT.3,FCS_CKM_EXT.4,FCS_CKM_EXT.5,FCS_CKM_EXT.6,FCS_CKM_EXT.7(Sel-Based),FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_COP.1/CONDITION,FCS_IV_EXT.1,FCS_RBG_EXT.1,FCS_STG_EXT.1,FCS_STG_EXT.2,FCS_STG_EXT.3,FDP_ACF_EXT.3(Objective),FDP_DAR_EXT.1,FDP_DAR_EXT.2,FIA_UAU_EXT.1,FPT_KST_EXT.1,FPT_KST_EXT.2,FPT_KST_EXT.3,FPT_JTA_EXT.1
FCS_CKM_EXT.1supportstheobjectivebydefiningtheTOE'srootencryptionkeythatisusedtoprotectdataatrest.FCS_CKM_EXT.2supportstheobjectivebydefininghowtheTSFcreatesdataencryptionkeysthatareusedtoprotectdataatrest.FCS_CKM_EXT.3supportstheobjectivebydefiningthekeyencryptionkeystheTOEusestoprotectdataatrestandhowtheyarecreated.FCS_CKM_EXT.4supportstheobjectivebyrequiringtheTSFtodestroykeysandkeymaterialthatcouldotherwisebeusedtocompromisedataatrest.FCS_CKM_EXT.5supportstheobjectivebydefiningthemechanismtheTSFusestoperformawipeoperationthatsecurelydestroysdataatrest.FCS_CKM_EXT.6supportstheobjectivebyrequiringtheTSFtousesecuresaltswhenperformingcryptographicoperationsthatrequirethem.FCS_CKM_EXT.7supportstheobjectivebyensuringthattheTOE'srootencryptionkeycannotbedisclosed.FCS_COP.1/ENCRYPTsupportstheobjectivebydefiningasymmetricencryption/decryptionfunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/HASHsupportstheobjectivebydefiningahashfunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/SIGNsupportstheobjectivebydefiningadigitalsignaturefunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/KEYHMACsupportstheobjectiveby
defininganHMACfunctionthatcanbeusedtoprotectdataatrest.FCS_COP.1/CONDITIONsupportstheobjectivebydefiningakeyderivationfunctionthatcanbeusedtoprotectdataatrest.FCS_IV_EXT.1supportstheobjectivebyensuringthatanyIVstheTSFgeneratesforAESkeysaregeneratedinanappropriatemannerbasedontherelevantstandards.FCS_RBG_EXT.1supportstheobjectivebydefiningrandombitgenerationfunctionthatcanbeusedtoprotectdataatrest.FCS_STG_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementahardwareorsoftwarekeystoretoprotectkeydataatrest.FCS_STG_EXT.2supportstheobjectivebydefiningtheconfidentialitymechanismusedtoprotectstoredkeydatafromunauthorizeddisclosure.FCS_STG_EXT.3supportstheobjectivebydefiningtheintegritymechanismusedtoprotectstoredkeydatafromunauthorizedmodification.FDP_ACF_EXT.3supportstheobjectivebyensuringthattheTSFdoesnotpermitwriteandexecutepermissionsonstoreddatatobegrantedsimultaneously.FDP_DAR_EXT.1supportstheobjectivebyrequiringtheTSFtoencryptallsensitivedatausingdataencryptionkeys.FDP_DAR_EXT.2supportstheobjectivebyrequiringtheTSFtoprovideamechanismtomarkdataassensitivesothatitcansubjecttoencryption.FIA_UAU_EXT.1supportstheobjectivebyrequiringthepresentationofavalidauthorizationfactorinordertodecryptsensitivedataatrest.FPT_KST_EXT.1supportstheobjectivebyrequiringtheTSFtopreventthestorageofplaintextkeydatainreadablenon-volatilememory.FPT_KST_EXT.2supportstheobjectivebyrequiringtheTSFtopreventanytransmissionofplaintextkeymaterialoutsideoftheTOEboundary.FPT_KST_EXT.3supportstheobjectivebyrequiringtheTSFtopreventexportofanystoredplaintextkeys.FPT_JTA_EXT.1supportsthe
objectivebyrequiringtheTSFtoenforceaccesscontrolsagainstJTAGsothatthisinterfacecannotbeusedtodisclosedataatrest.
O.CONFIG FMT_MOF_EXT.1,FMT_SMF_EXT.1,FMT_SMF_EXT.2,FTA_TAB.1(Objective)
FMT_MOF_EXT.1supportstheobjectivebyspecifyingtheTSFmanagementfunctionsthatanenduserisauthorizedtoperform.FMT_SMF_EXT.1supportstheobjectivebydefiningtheTSFmanagementfunctionsandtheusersorrolesthatareauthorizedtoinvokethem.FMT_SMF_EXT.2supportstheobjectivebydefiningtheconfigurationactionsthattheTSFperformsautomaticallyuponunenrollmentfrommobiledevicemanagement.FTA_TAB.1supportstheobjectivebyrequiringtheTSFtodisplayawarningbannertousersthatgovernsauthorizedusageoftheTOE.
O.AUTH FDP_PBA_EXT.1(Sel-Based),FIA_AFL_EXT.1,FIA_BLT_EXT.1(BluetoothModule),FIA_BLT_EXT.2(BluetoothModule),FIA_BMG_EXT.1(Sel-Based)FIA_BMG_EXT.2(Objective),FIA_BMG_EXT.3(Objective),FIA_BMG_EXT.4(Objective),FIA_BMG_EXT.5(Objective),FIA_BMG_EXT.6(Objective),FIA_PMG_EXT.1,FIA_TRT_EXT.1,FIA_UAU_EXT.1,FIA_UAU_EXT.2,FIA_UAU_EXT.4(Optional),FIA_UAU.5,FIA_UAU.6,FIA_UAU.7,FIA_X509_EXT.2,FTA_SSL_EXT.1
FDP_PBA_EXT.1supportstheobjectivebydefiningthemechanismthattheTSFusestoprotectstoredbiometrictemplates.FIA_AFL_EXT.1supportstheobjectivebydefiningtheauthenticationmechanismsthataresubjecttolockoutbehaviorandhowtheTSFhandlesrepeatedfailedauthenticationattempts.FIA_BLT_EXT.1supportstheobjectivebyrequiringausertoauthorizeallBlueoothpairings.FIA_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtoenforcemutualauthenticationforBluetooth.FIA_BMG_EXT.1supportstheobjectivebydefiningtheminimumaccuracyofbiometricauthenticationmethodsthattheTSFmustsupport.FIA_BMG_EXT.2supportstheobjectivebyrequiringtheTSFtoenforceaminimumqualitystandardonthebiometricdatausedforenrollment.FIA_BMG_EXT.3supportstheobjectivebydefiningthequalitymetricsusedbytheTSFtoenforceminimumqualityforbiometricdata.FIA_BMG_EXT.4supportstheobjectivebyrequiringtheTSFtogenerateenrollmentandauthenticationtemplatesusingdatathatexceedsaminimumqualitythreshold.FIA_BMG_EXT.5supportstheobjectivebydefininghowthe
TSFhandlesbiometricdatathatdoesnotmatchexpectedparameters.FIA_BMG_EXT.6supportstheobjectivebyrequiringtheTSFtodetectspoofedbiometricdata.FIA_PMG_EXT.1supportstheobjectivebydefiningtheminimumqualitythresholdforpasswordsthattheTSFmustenforce.FIA_TRT_EXT.1supportstheobjectivebyenforcinganauthenticationthrottlingmechanismthatlimitstherateatwhichauthenticationattemptscanbemadetotheTOE.FIA_UAU_EXT.1supportstheobjectivebyrequiringtheTSFtobeprovidedwithavalidpasswordbeforeaccesstoprotecteddataisgranted.FIA_UAU_EXT.2supportstheobjectivebydefiningtheTOEfunctionsthatcanbeaccessedwithoutauthenticationsuchthatallotherservicesrequireauthentication.FIA_UAU_EXT.4supportstheobjectivebydefiningasecondaryauthenticationmechanismforEnterpriseresources.FIA_UAU.5supportstheobjectivebydefiningallauthenticationfactorstheTSFsupportsandrulesforhowtheseauthenticationfactorsareusedtogainaccesstotheTSF.FIA_UAU.6supportstheobjectivebyrequiringtheTSFtore-authenticateuserswiththeirpasswordpriortoallowingthemtochangeanyotherauthenticationdata.FIA_UAU.7supportstheobjectivebyensuringthatTSFdoesnotdiscloseuserauthenticationdataasitisbeinginputtotheTOE.FIA_X509_EXT.2supportstheobjectivebydefiningthefunctionsforwhichtheTSFusesX.509certificatesasanauthenticationmechanism.FTA_SSL_EXT.1supportstheobjectivebyrequiringtheTSFtoensurethatanidleusersessionisterminatedafteragivenperiodoftime.
O.INTEGRITY FAU_GEN.1,FAU_SAR.1(Objective),FAU_SEL.1(Objective),FAU_STG.1,FAU_STG.4,FCS_COP.1/HASH,FCS_COP.1/SIGN,FDP_ACF_EXT.1,FDP_ACF_EXT.3(Objective),FPT_AEX_EXT.1,FPT_AEX_EXT.2,FPT_AEX_EXT.3,FPT_AEX_EXT.4,FPT_AEX_EXT.5(Objective),FPT_AEX_EXT.6(Objective),FPT_AEX_EXT.7
FAU_GEN.1supportstheobjectivebyrequiringtheTSFtorecordactionsperformedagainstittoestablisharecordofpotentialmaliciousactivity.FAU_SAR.1supportstheobjectivebyrequiringtheTSFtoprovideamechanismto
(Objective),FPT_BBD_EXT.1(Objective),FPT_NOT_EXT.1,FPT_NOT_EXT.2(Objective),FPT_STM.1,FPT_TST_EXT.1,FPT_TST_EXT.2/PREKERNEL,FPT_TST_EXT.2/POSTKERNEL,FPT_TST_EXT.3(Sel-Based),FPT_TUD_EXT.1,FPT_TUD_EXT.2,FPT_TUD_EXT.3,FPT_TUD_EXT.4(Sel-Based),FPT_TUD_EXT.5(Objective),FPT_TUD_EXT.6(Objective)
reviewthestoredauditdatasoadministratorscandiagnosetherootcauseofmalicioususage.FAU_SEL.1supportstheobjectivebyallowingtheTSFtorestricttheauditrecordsthataregeneratedsothatrecordsunrelatedtopotentialmalicioususagecanbesuppressed.FAU_STG.1supportstheobjectivebyensuringthatamalicioususercannottamperwithauditrecordsbymodifyingordeletingthem.FAU_STG.4supportstheobjectivebyensuringtheavailabilityofauditrecords.FCS_COP.1/HASHsupportstheobjectivebyrequiringtheTSFtoimplementhashalgorithmsthatcanbeusedtoassertandverifyintegrity.FCS_COP.1/SIGNsupportstheobjectivebyrequiringtheTSFtoimplementdigitalsignaturealgorithmsthatcanbeusedtoassertandverifyintegrity.FDP_ACF_EXT.1supportstheobjectivebyrequiringtheTSFtomaintaintheintegrityofitssystemservicesbylimitingtheentitiesthatcanaccessthem.FDP_ACF_EXT.3supportstheobjectivebyrequiringtheTSFtoensurethatwritablefilescannotbeexecutedandviceversa,suchthatarbitrarycodeorscriptscannotbeexecutedtocompromisetheintegrityoftheTOE.FPT_AEX_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementASLRtopreventacompromiseoftheTSF.FPT_AEX_EXT.2supportstheobjectivebyrequiringtheTSFtoenforcepermissionsagainstmemorypagestopreventacompromiseoftheTSF.FPT_AEX_EXT.3supportstheobjectivebyrequiringtheTSFtoimplementstackoverflowprotectiontopreventacompromiseoftheTSF.FPT_AEX_EXT.4supportstheobjectivebyrequiringtheTSFtoenforceaddressspaceseparationtopreventacompromiseoftheTSF.FPT_AEX_EXT.5supportstheobjectivebyrequiringtheTSFtoimplementASLRtopreventacompromiseoftheTSF.FPT_AEX_EXT.6supportstheobjectivebyrequiringtheTSFtoensurethatwritablefilescannotbeexecutedandviceversa,suchthatarbitrarycodeorscriptscannotbeexecuted
tocompromisetheintegrityoftheTOE.FPT_AEX_EXT.7supportstheobjectivebyrequiringtheTSFtoimplementheapoverflowprotectiontopreventacompromiseoftheTSF.FPT_BBD_EXT.1supportstheobjectivebyensuringthatisolationbetweentheTOE'sbasebandprocessorandapplictaionprocessorisenforcedsothataccesstothebasebandprocessorisstrictlycontrolled.FPT_NOT_EXT.1supportstheobjectivebyrequiringtheTSFtotakesomeactiontopreventitsintegrityintheeventofvariousfailureconditions.FPT_NOT_EXT.2supportstheobjectivebyrequiringtheTSFtomakeitsintegrityverificationvaluesavailableforthepurposeofremoteattestation.FPT_STM.1supportstheobjectivebyensuringaccuratesystemtimedataisappliedtoauditlogs.FPT_TST_EXT.1supportstheobjectivebydefiningtheself-teststhattheTSFperformstovalidateitsownintegrity.FPT_TST_EXT.2/PREKERNELsupportstheobjectivebyrequiringtheTSFtoverifytheintegrityofitsbootchainpriortokernelload.FPT_TST_EXT.2/POSTKERNELsupportstheobjectivebyrequiringtheTSFtoverifytheintegrityofstoredexecutablecodepriortoitsexecution.FPT_TST_EXT.3supportstheobjectivebyrequiringtheTSFtoblockcodeexecutionifitscodesigningcertificateisinvalid.FPT_TUD_EXT.1supportstheobjectivebyallowinguserstodeterminetheversionoftheTOE'shardware,software/firmware,andinstalledapplications.FPT_TUD_EXT.2supportstheobjectivebyrequiringtheTSFtovalidatetheintegrityofsoftwareupdatespriortoinstallingthem.FPT_TUD_EXT.3supportstheobjectivebyrequiringtheTSFtovalidatetheintegrityofthird-partyapplicationspriortoinstallingthem.FPT_TUD_EXT.4supportstheobjectivebyrequiringtheTSFtoblockinstallationofcodeifitsassociatedcodesigningcertificateisinvalid.FPT_TUD_EXT.5supportsthe
objectivebyspecifyingtheX.509certificatethattheTSFusestoverifyapplicationspriortotheirinstallation.FPT_TUD_EXT.6supportstheobjectivebypreventingtheTSFfrombeingrolledbacktoanearlierversionthatmayhaveknownvulnerabilitiesthatweresubsequentlypatched.
O.PRIVACY FDP_ACF_EXT.1,FDP_ACF_EXT.2(Sel-Based),FDP_BCK_EXT.1(Objective),FMT_SMF_EXT.1,FMT_SMF_EXT.3(Objective)
FDP_ACF_EXT.1supportstheobjectivebyenforcingrestrictionsonservicesthatcouldcompromiseuserprivacyifaccessedinappropriately.FDP_ACF_EXT.2supportstheobjectivebyrequiringtheTSFtoprovideseparateuserdatastoresforapplicationgroupssothattheprivacyofthatdatacanbemaintained.FDP_BCK_EXT.1supportstheobjectivebyallowingdatatobeexcludedfrombackupoperationsthatcouldcompromiseuserprivacyifdisclosed.FMT_SMF_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementmanagementfunctionsthatcontroltheextenttowhichuserdataiscollectedanddisseminated.FMT_SMF_EXT.3supportstheobjectivebyrequiringtheTSFtoidentifyitsauthorizedadministratorssothatauserknowstheextenttowhichvariousadministratorshaveaccesstothedevice.
5.2SecurityAssuranceRequirementsTheSecurityObjectivesinSection4SecurityObjectiveswereconstructedtoaddressthreatsidentifiedinSection3SecurityProblemDescription.TheSecurityFunctionalRequirements(SFRs)inSection5.1SecurityFunctionalRequirementsareaformalinstantiationoftheSecurityObjectives.ThePPidentifiestheSecurityAssuranceRequirements(SARs)toframetheextenttowhichtheevaluatorassessesthedocumentationapplicablefortheevaluationandperformsindependenttesting.
ThissectionliststhesetofSARsfromCCpart3thatarerequiredinevaluationsagainstthisPP.IndividualEvaluationActivitiestobeperformedarespecifiedbothinSection5.1SecurityFunctionalRequirementsaswellasinthissection.
ThegeneralmodelforevaluationofTOEsagainstSTswrittentoconformtothisPPisasfollows:
AftertheSThasbeenapprovedforevaluation,theITSEFwillobtaintheTOE,supportingenvironmentalIT,andtheadministrative/userguidesfortheTOE.TheITSEFisexpectedtoperformactionsmandatedbytheCommonEvaluationMethodology(CEM)fortheASEandALCSARs.TheITSEFalsoperformstheEvaluationActivitiescontainedwithinSection5.1SecurityFunctionalRequirements,whichareintendedtobeaninterpretationoftheotherCEMevaluationrequirementsastheyapplytothespecifictechnologyinstantiatedintheTOE.TheEvaluationActivitiesthatarecapturedinSection5.1SecurityFunctionalRequirementsalsoprovideclarificationastowhatthedeveloperneedstoprovidetodemonstratetheTOEiscompliantwiththePP.
TheTOESecurityAssuranceRequirementsareidentifiedinTable9.
Table9:SecurityAssuranceRequirements
AssuranceClass AssuranceComponents
SecurityTarget(ASE) ConformanceClaims(ASE_CCL.1)
ExtendedComponentsDefinition(ASE_ECD.1)
STIntroduction(ASE_INT.1)
SecurityObjectivesfortheOperationalEnvironment(ASE_OBJ.1)
StatedSecurityRequirements(ASE_REQ.1)
SecurityProblemDefinition(ASE_SPD.1)
TOESummarySpecification(ASE_TSS.1)
Development(ADV) BasicFunctionalSpecification(ADV_FSP.1)
GuidanceDocuments(AGD) OperationalUserGuidance(AGD_OPE.1)
PreparativeProcedures(AGD_PRE.1)
LifeCycleSupport(ALC) LabelingoftheTOE(ALC_CMC.1)
TOECMCoverage(ALC_CMS.1)
TimelySecurityUpdates(ALC_TSU_EXT)
Tests(ATE) IndependentTesting–Sample(ATE_IND.1)
VulnerabilityAssessment(AVA) VulnerabilitySurvey(AVA_VAN.1)
5.2.1ClassASE:SecurityTargetTheSTisevaluatedasperASEactivitiesdefinedintheCEMforASE_CCL.1,ASE_ECD.1,ASE_INT.1,ASE_OBJ.2,ASE_REQ.2,ASE_SPD.1,andASE_TSS.1.Inaddition,theremaybeEvaluationActivitiesspecifiedwithinSection5.1SecurityFunctionalRequirementsthatcallfornecessarydescriptionstobeincludedintheTSSthatarespecifictotheTOEtechnologytype.
5.2.2ClassADV:DevelopmentThedesigninformationabouttheTOEiscontainedintheguidancedocumentationavailabletotheenduseraswellastheTSSportionoftheST,andanyadditionalinformationrequiredbythisPPthatisnottobemadepublic.
ADV_FSP.1BasicFunctionalSpecificationThefunctionalspecificationdescribestheTOESecurityFunctionsInterface(TSFIs).Itisnotnecessarytohaveaformalorcompletespecificationoftheseinterfaces.Additionally,becauseTOEsconformingtothisPPwillnecessarilyhaveinterfacestotheOperationalEnvironmentthatarenotdirectlyinvokablebyTOEusers,thereislittlepointspecifyingthatsuchinterfacesbedescribedinandofthemselvessinceonlyindirecttestingofsuchinterfacesmaybepossible.ForthisPP,theactivitiesforthisfamilyshouldfocusonunderstandingtheinterfacespresentedintheTSSinresponsetothefunctionalrequirementsandtheinterfacespresentedintheAGDdocumentation.Noadditional"functionalspecification"documentationisnecessarytosatisfytheevaluationactivitiesspecified.
Theinterfacesthatneedtobeevaluatedarecharacterizedthroughtheinformationneededtoperformtheevaluationactivitieslisted,ratherthanasanindependent,abstractlist.
Developeractionelements:ADV_FSP.1.1D
Thedevelopershallprovideafunctionalspecification.
ADV_FSP.1.2DThedevelopershallprovideatracingfromthefunctionalspecificationtotheSFRs.
ApplicationNote:Asindicatedintheintroductiontothissection,thefunctionalspecificationiscomprisedoftheinformationcontainedintheAGD_OPE,AGD_PRE,andtheAPIinformationthatisprovidedtoapplicationdevelopers,includingtheAPIsthatrequireprivilegetoinvoke.
Thedevelopermayreferenceawebsiteaccessibletoapplicationdevelopersandtheevaluator.TheAPIdocumentationmustincludethoseinterfacesrequiredinthisprofile.TheAPIdocumentationmustclearlyindicatetowhichproductsandversionseachavailablefunctionapplies.
TheevaluationactivitiesinthefunctionalrequirementspointtoevidencethatshouldexistinthedocumentationandTSSsection;sincethesearedirectlyassociatedwiththeSFRs,thetracinginelementADV_FSP.1.2Disimplicitlyalreadydoneandnoadditionaldocumentationisnecessary.
Contentandpresentationelements:ADV_FSP.1.3C
ThefunctionalspecificationshalldescribethepurposeandmethodofuseforeachSFR-enforcingandSFR-supportingTSFI.
ADV_FSP.1.4CThefunctionalspecificationshallidentifyallparametersassociatedwitheachSFR-enforcingandSFR-supportingTSFI.
ADV_FSP.1.5CThefunctionalspecificationshallproviderationalefortheimplicitcategorizationofinterfacesasSFR-non-interfering.
ADV_FSP.1.6CThetracingshalldemonstratethattheSFRstracetoTSFIsinthefunctionalspecification.
Evaluatoractionelements:ADV_FSP.1.7E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
ADV_FSP.1.8ETheevaluatorshalldeterminethatthefunctionalspecificationisanaccurateandcompleteinstantiationoftheSFRs.
EvaluationActivities
ADV_FSP.1:TherearenospecificevaluationactivitiesassociatedwiththeseSARs,exceptensuringtheinformationisprovided.ThefunctionalspecificationdocumentationisprovidedtosupporttheevaluationactivitiesdescribedinSection5.1SecurityFunctionalRequirements,andotheractivitiesdescribedforAGD,ATE,andAVASARs.Therequirementsonthecontentofthefunctionalspecificationinformationisimplicitlyassessedbyvirtueoftheotherevaluationactivitiesbeingperformed;iftheevaluatorisunabletoperformanactivitybecausethereisinsufficientinterfaceinformation,thenanadequatefunctionalspecificationhasnotbeenprovided.
5.2.3ClassAGD:GuidanceDocumentationTheguidancedocumentswillbeprovidedwiththeST.GuidancemustincludeadescriptionofhowtheITpersonnelverifiesthattheOperationalEnvironmentcanfulfillitsroleforthesecurityfunctionality.ThedocumentationshouldbeinaninformalstyleandreadablebytheITpersonnel.
GuidancemustbeprovidedforeveryoperationalenvironmentthattheproductsupportsasclaimedintheST.Thisguidanceincludes:
instructionstosuccessfullyinstalltheTSFinthatenvironmentinstructionstomanagethesecurityoftheTSFasaproductandasacomponentofthelargeroperationalenvironmentinstructionstoprovideaprotectedadministrativecapability
Guidancepertainingtoparticularsecurityfunctionalityisalsoprovided;requirementsonsuchguidancearecontainedintheevaluationactivitiesspecifiedwitheachrequirement.
AGD_OPE.1OperationalUserGuidance
Developeractionelements:AGD_OPE.1.1D
Thedevelopershallprovideoperationaluserguidance.
ApplicationNote:Theoperationaluserguidancedoesnothavetobecontainedinasingledocument.Guidancetousers,administratorsandapplicationdeveloperscanbespreadamongdocumentsorwebpages.Whereappropriate,theguidancedocumentationisexpressedintheeXtensibleConfigurationChecklistDescriptionFormat(XCCDF)tosupportsecurityautomation.
Ratherthanrepeatinformationhere,thedevelopershouldreviewtheevaluationactivitiesforthiscomponenttoascertainthespecificsoftheguidancethattheevaluatorwillbecheckingfor.Thiswillprovidethenecessaryinformationforthepreparationofacceptableguidance.
Contentandpresentationelements:AGD_OPE.1.2C
Theoperationaluserguidanceshalldescribe,foreachuserrole,theuser-
accessiblefunctionsandprivilegesthatshouldbecontrolledinasecureprocessingenvironment,includingappropriatewarnings.
ApplicationNote:Userandadministrator(e.g.,MDMagent),andapplicationdeveloperaretobeconsideredinthedefinitionofuserrole.
AGD_OPE.1.3CTheoperationaluserguidanceshalldescribe,foreachuserrole,howtousetheavailableinterfacesprovidedbytheTOEinasecuremanner.
AGD_OPE.1.4CTheoperationaluserguidanceshalldescribe,foreachuserrole,theavailablefunctionsandinterfaces,inparticularallsecurityparametersunderthecontroloftheuser,indicatingsecurevaluesasappropriate.
AGD_OPE.1.5CTheoperationaluserguidanceshall,foreachuserrole,clearlypresenteachtypeofsecurity-relevanteventrelativetotheuser-accessiblefunctionsthatneedtobeperformed,includingchangingthesecuritycharacteristicsofentitiesunderthecontroloftheTSF.
AGD_OPE.1.6CTheoperationaluserguidanceshallidentifyallpossiblemodesofoperationoftheOS(includingoperationfollowingfailureoroperationalerror),theirconsequences,andimplicationsformaintainingsecureoperation.
AGD_OPE.1.7CTheoperationaluserguidanceshall,foreachuserrole,describethesecuritymeasurestobefollowedinordertofulfillthesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.
AGD_OPE.1.8CTheoperationaluserguidanceshallbeclearandreasonable.
Evaluatoractionelements:AGD_OPE.1.9E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
AGD_OPE.1:SomeofthecontentsoftheoperationalguidanceareverifiedbytheevaluationactivitiesinSection5.1SecurityFunctionalRequirementsandevaluationoftheTOEaccordingtothe[CEM].Thefollowingadditionalinformationisalsorequired.
Theoperationalguidanceshallcontainalistofnativelyinstalledapplicationsandanyrelevantversionnumbers.Ifanythirdpartyvendorsarepermittedtoinstallapplicationsbeforepurchasebytheenduserorenterprise,theseapplicationsshallalsobelisted.
TheoperationalguidanceshallcontaininstructionsforconfiguringthecryptographicengineassociatedwiththeevaluatedconfigurationoftheTOE.ItshallprovideawarningtotheadministratorthatuseofothercryptographicengineswasnotevaluatednortestedduringtheCCevaluationoftheTOE.
ThedocumentationmustdescribetheprocessforverifyingupdatestotheTOEbyverifyingadigitalsignature.Theevaluatorshallverifythatthisprocessincludesthefollowingsteps:
Instructionsforobtainingtheupdateitself.ThisshouldincludeinstructionsformakingtheupdateaccessibletotheTOE(e.g.,placementinaspecificdirectory).Instructionsforinitiatingtheupdateprocess,aswellasdiscerningwhethertheprocesswassuccessfulorunsuccessful.Thisincludesgenerationofthehash/digitalsignature.
TheTOEwilllikelycontainsecurityfunctionalitythatdoesnotfallinthescopeofevaluationunderthisPP.Theoperationalguidanceshallmakeitcleartoanadministratorwhichsecurityfunctionalityiscoveredbytheevaluationactivities.
AGD_PRE.1PreparativeProcedures
Developeractionelements:AGD_PRE.1.1D
ThedevelopershallprovidetheTOE,includingitspreparativeprocedures.
ApplicationNote:Aswiththeoperationalguidance,thedevelopershouldlooktotheevaluationactivitiestodeterminetherequiredcontentwithrespecttopreparativeprocedures.
Contentandpresentationelements:AGD_PRE.1.2C
ThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureacceptanceofthedeliveredTOEinaccordancewiththedeveloper'sdeliveryprocedures.
AGD_PRE.1.3CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureinstallationoftheTOEandforthesecurepreparationoftheoperationalenvironmentinaccordancewiththesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.
Evaluatoractionelements:AGD_PRE.1.4E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
AGD_PRE.1.5ETheevaluatorshallapplythepreparativeprocedurestoconfirmthattheOScanbepreparedsecurelyforoperation.
EvaluationActivities
AGD_PRE.1:Asindicatedintheintroductionabove,therearesignificantexpectationswithrespecttothedocumentation—especiallywhenconfiguringtheoperationalenvironmenttosupportTOEfunctionalrequirements.TheevaluatorshallchecktoensurethattheguidanceprovidedfortheTOEadequatelyaddressesallplatformsclaimedfortheTOEintheST.
5.2.4ClassALC:Life-cycleSupportAttheassurancelevelprovidedforTOEsconformanttothisPP,life-cyclesupportislimitedtoend-user-visibleaspectsofthelife-cycle,ratherthananexaminationoftheTOEvendor’sdevelopmentandconfigurationmanagementprocess.Thisisnotmeanttodiminishthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct;rather,itisareflectionontheinformationtobemadeavailableforevaluationatthisassurancelevel.
ALC_CMC.1LabelingoftheTOEThiscomponentistargetedatidentifyingtheTOEsuchthatitcanbedistinguishedfromotherproductsorversionsfromthesamevendorandcanbeeasilyspecifiedwhenbeingprocuredbyanenduser.
Developeractionelements:ALC_CMC.1.1D
ThedevelopershallprovidetheTOEandareferencefortheTOE.
Contentandpresentationelements:ALC_CMC.1.2C
TheTOEshallbelabeledwithauniquereference.
Evaluatoractionelements:ALC_CMC.1.3E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
ALC_CMC.1:TheevaluatorshallchecktheSTtoensurethatitcontainsanidentifier(suchasaproductname/versionnumber)thatspecificallyidentifiestheversionthatmeetstherequirementsoftheST.Further,theevaluatorshallchecktheAGDguidanceandTOEsamplesreceivedfortestingtoensurethattheversionnumberisconsistentwiththatintheST.IfthevendormaintainsawebsiteadvertisingtheTOE,theevaluatorshallexaminetheinformationonthewebsitetoensurethattheinformationintheSTissufficienttodistinguishtheproduct.
ALC_CMS.1TOECMCoverageGiventhescopeoftheTOEanditsassociatedevaluationevidencerequirements,thiscomponent’sevaluationactivitiesarecoveredbytheevaluationactivitieslistedforALC_CMC.1.
Developeractionelements:ALC_CMS.1.1D
ThedevelopershallprovideaconfigurationlistfortheTOE.
Contentandpresentationelements:ALC_CMS.1.2C
Theconfigurationlistshallincludethefollowing:theTOEitself;andtheevaluationevidencerequiredbytheSARs.
ALC_CMS.1.3CTheconfigurationlistshalluniquelyidentifytheconfigurationitems.
Evaluatoractionelements:ALC_CMS.1.4E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
ApplicationNote:The"evaluationevidencerequiredbytheSARs"inthisPPislimitedtotheinformationintheSTcoupledwiththeguidanceprovidedtoadministratorsandusersundertheAGDrequirements.ByensuringthattheTOEisspecificallyidentifiedandthatthisidentificationisconsistentintheSTandintheAGDguidance(asdoneintheevaluationactivityforALC_CMC.1),theevaluatorimplicitlyconfirmstheinformationrequiredbythiscomponent.
Life-cyclesupportistargetedaspectsofthedeveloper’slife-cycleandinstructionstoprovidersofapplicationsforthedeveloper’sdevices,ratherthananin-depthexaminationoftheTSFmanufacturer’sdevelopmentandconfigurationmanagementprocess.Thisisnotmeanttodiminishthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct;rather,it’sareflectionontheinformationtobemadeavailableforevaluation.
EvaluationActivities
ALC_CMS.1:Theevaluatorshallensurethatthedeveloperhasidentified(inpublic-facingdevelopmentguidancefortheirplatform)oneormoredevelopmentenvironmentsappropriateforuseindevelopingapplicationsforthedeveloper’splatform.Foreachofthesedevelopmentenvironments,thedevelopershallprovideinformationonhowtoconfiguretheenvironmenttoensurethatbufferoverflowprotectionmechanismsintheenvironment(s)areinvoked(e.g.,compilerandlinkerflags).Theevaluatorshallensurethatthisdocumentationalsoincludesanindicationofwhethersuchprotectionsareonbydefault,orhavetobespecificallyenabled.
TheevaluatorshallensurethattheTSFisuniquelyidentified(withrespecttootherproductsfromtheTSFvendor),andthatdocumentationprovidedbythedeveloperinassociationwiththerequirementsintheSTisassociatedwiththeTSFusingthisuniqueidentification.
ALC_TSU_EXT.1TimelySecurityUpdatesThiscomponentrequirestheTOEdeveloper,inconjunctionwithanyothernecessaryparties,toprovideinformationastohowtheend-userdevicesareupdatedtoaddresssecurityissuesinatimelymanner.Thedocumentationdescribestheprocessofprovidingupdatestothepublicfromthetimeasecurityflawisreported/discovered,tothetimeanupdateisreleased.Thisdescriptionincludesthepartiesinvolved(e.g.,thedeveloper,carriers(s))andthestepsthatareperformed(e.g.,developertesting,carriertesting),includingworst-casetimeperiods,beforeanupdateismadeavailabletothepublic.
Developeractionelements:ALC_TSU_EXT.1.1D
ThedevelopershallprovideadescriptionintheTSSofhowtimelysecurityupdatesaremadetotheTOE.
Contentandpresentationelements:ALC_TSU_EXT.1.2C
ThedescriptionshallincludetheprocessforcreatinganddeployingsecurityupdatesfortheTOEsoftware.
Note:Thesoftwaretobedescribedincludestheoperatingsystemsoftheapplicationprocessorandthebasebandprocessor,aswellasanyfirmwareandapplications.TheprocessdescriptionincludestheTOEdeveloperprocessesaswellasanythird-party(carrier)processes.Theprocessdescriptionincludeseachdeploymentmechanism(e.g.,over-the-airupdates,per-carrierupdates,downloadedupdates).
ALC_TSU_EXT.1.3CThedescriptionshallexpressthetimewindowasthelengthoftime,indays,betweenpublicdisclosureofavulnerabilityandthepublicavailabilityofsecurityupdatestotheTOE.
Note:Thetotallengthoftimemaybepresentedasasummationoftheperiodsoftimethateachparty(e.g.,TOEdeveloper,mobilecarrier)onthecriticalpathconsumes.Thetimeperioduntilpublicavailabilityperdeploymentmechanismmaydiffer;eachisdescribed.
ALC_TSU_EXT.1.4CThedescriptionshallincludethemechanismspubliclyavailableforreportingsecurityissuespertainingtotheTOE.
Note:Thereportingmechanismcouldincludewebsites,emailaddresses,aswellasameanstoprotectthesensitivenatureofthereport(e.g.,publickeysthatcouldbeusedtoencryptthedetailsofaproof-of-conceptexploit).
ALC_TSU_EXT.1.5CThedescriptionshallincludewhereuserscanseekinformationabouttheavailabilityofnewupdatesincludingdetails(e.g.CVEidentifiers)ofthespecificpublicvulnerabilitiescorrectedbyeachupdate.
Note:Thepurposeofprovidingthisinformationissothatusersandenterprisescandeterminewhichdevicesaresusceptibletopubliclyknownvulnerabilitiessothattheycanmakeappropriateriskdecisions,suchaslimitingaccesstoenterpriseresourcesuntilupdatesareinstalled.
Evaluatoractionelements:ALC_TSU_EXT.1.6E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
ALC_TSU_EXT.1:TheevaluatorshallverifythattheTSScontainsadescriptionofthetimelysecurityupdateprocessusedbythedevelopertocreateanddeploysecurityupdates.TheevaluatorshallverifythatthisdescriptionaddressestheTOEOS,thefirmware,andbundledapplications,each.Theevaluatorshallalsoverifythat,inadditiontotheTOEdeveloper’sprocess,anycarrierorotherthird-partyprocessesarealsoaddressedinthedescription.Theevaluatorshallalsoverifythateachmechanismfordeploymentofsecurityupdatesisdescribed.
Theevaluatorshallverifythat,foreachdeploymentmechanismdescribedfortheupdateprocess,theTSSlistsatimebetweenpublicdisclosureofavulnerabilityandpublicavailabilityofthesecurityupdatetotheTOEpatchingthisvulnerability,toincludeanythird-partyorcarrierdelaysindeployment.Theevaluatorshallverifythatthistimeisexpressedinanumberorrangeofdays.
Theevaluatorshallverifythatthisdescriptionincludesthepubliclyavailablemechanisms(includingeitheranemailaddressorwebsite)forreportingsecurityissuesrelatedtotheTOE.Theevaluatorshallverifythatthedescriptionofthismechanismincludesamethodforprotectingthereporteitherusingapublickeyforencryptingemailoratrustedchannelforawebsite.
Theevaluatorshallverifythatthedescriptionincludeswhereuserscanseekinformationabouttheavailabilityofnewsecurityupdatesincludingdetailsofthespecificpublicvulnerabilitiescorrectedbyeachupdate.TheevaluatorshallverifythatthedescriptionincludestheminimumamountoftimethattheTOEisexpectedtobesupportedwithsecurityupdates,andtheprocessbywhichuserscanseekinformationaboutwhentheTOEisnolongerexpectedtoreceivesecurityupdates.
5.2.5ClassATE:TestsTestingisspecifiedforfunctionalaspectsofthesystemaswellasaspectsthattakeadvantageofdesignorimplementationweaknesses.TheformerisdonethroughtheATE_INDfamily,whilethelatteristhroughtheAVA_VANfamily.AttheassurancelevelspecifiedinthisPP,testingisbasedonadvertisedfunctionalityandinterfaceswithdependencyontheavailabilityofdesigninformation.Oneoftheprimaryoutputsoftheevaluationprocessisthetestreportasspecifiedinthefollowingrequirements.
SincemanyoftheAPIsarenotexposedattheuserinterface(e.g.,touchscreen),theabilitytostimulatethenecessaryinterfacesrequiresadeveloper’stestenvironment.Thistestenvironmentwillallowtheevaluator,forexample,toaccessAPIsandviewfilesysteminformationthatisnotavailableonconsumerMobileDevices.
ATE_IND.1IndependentTesting–Conformance
TestingisperformedtoconfirmthefunctionalitydescribedintheTSSaswellastheadministrative(includingconfigurationandoperational)documentationprovided.ThefocusofthetestingistoconfirmthattherequirementsspecifiedinSection5.1SecurityFunctionalRequirementsbeingmet,althoughsomeadditionaltestingisspecifiedforSARsinSection5.2SecurityAssuranceRequirements.TheEvaluationActivitiesidentifytheadditionaltestingactivitiesassociatedwiththesecomponents.Theevaluatorproducesatestreportdocumentingtheplanforandresultsoftesting,aswellascoverageargumentsfocusedontheplatform/TOEcombinationsthatareclaimingconformancetothisPP.
Developeractionelements:ATE_IND.1.1D
ThedevelopershallprovidetheTOEfortesting.
Contentandpresentationelements:ATE_IND.1.2C
TheTOEshallbesuitablefortesting.
Evaluatoractionelements:ATE_IND.1.3E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
ATE_IND.1.4ETheevaluatorshalltestasubsetoftheTSFtoconfirmthattheTSFoperatesasspecified.
EvaluationActivities
ATE_IND.1:Theevaluatorshallprepareatestplanandreportdocumentingthetestingaspectsofthesystem.Thetestplancoversallofthetestingactionscontainedinthe[CEM]andthebodyofthisPP’sEvaluationActivities.Whileitisnotnecessarytohaveonetestcasepertestlistedinanevaluationactivity,theevaluatormustdocumentinthetestplanthateachapplicabletestingrequirementintheSTiscovered.
Thetestplanidentifiestheplatformstobetested,andforthoseplatformsnotincludedinthetestplanbutincludedintheST,thetestplanprovidesajustificationfornottestingtheplatforms.Thisjustificationmustaddressthedifferencesbetweenthetestedplatformsandtheuntestedplatforms,andmakeanargumentthatthedifferencesdonotaffectthetestingtobeperformed.Itisnotsufficienttomerelyassertthatthedifferenceshavenoaffect;rationalemustbeprovided.IfallplatformsclaimedintheSTaretested,thennorationaleisnecessary.
Thetestplandescribesthecompositionofeachplatformtobetested,andanysetupthatisnecessarybeyondwhatiscontainedintheAGDdocumentation.ItshouldbenotedthattheevaluatorisexpectedtofollowtheAGDdocumentationforinstallationandsetupofeachplatformeitheraspartofatestorasastandardpre-testcondition.Thismayincludespecialtestdriversortools.Foreachdriverortool,anargument(notjustanassertion)shouldbeprovidedthatthedriverortoolwillnotadverselyaffecttheperformanceofthefunctionalitybytheTOEanditsplatform.Thisalsoincludestheconfigurationofthecryptographicenginetobeused.ThecryptographicalgorithmsimplementedbythisenginearethosespecifiedbythisPPandusedbythecryptographicprotocolsbeingevaluated(IPsec,TLS/HTTPS,SSH).
Thetestplanidentifieshigh-leveltestobjectivesaswellasthetestprocedurestobefollowedtoachievethoseobjectives.Theseproceduresincludeexpectedresults.Thetestreport(whichcouldjustbeanannotatedversionofthetestplan)detailstheactivitiesthattookplacewhenthetestprocedureswereexecuted,andincludestheactualresultsofthetests.Thisshallbeacumulativeaccount,soiftherewasatestrunthatresultedinafailure;afixinstalled;andthenasuccessfulre-runofthetest,thereportwouldshowa"fail"and"pass"result(andthesupportingdetails),andnotjustthe"pass"result.
5.2.6ClassAVA:VulnerabilityAssessmentForthecurrentgenerationofthisprotectionprofile,theevaluationlabisexpectedtosurveyopensourcestodiscoverwhatvulnerabilitieshavebeendiscoveredinthesetypesofproducts.Inmostcases,thesevulnerabilitieswillrequiresophisticationbeyondthatofabasicattacker.Untilpenetrationtoolsarecreatedanduniformlydistributedtotheevaluationlabs,theevaluatorwillnotbeexpectedtotestforthesevulnerabilitiesintheTOE.Thelabswillbeexpectedtocommentonthelikelihoodofthesevulnerabilitiesgiventhedocumentationprovidedbythevendor.Thisinformationwillbeusedinthedevelopmentofpenetrationtestingtoolsandforthedevelopmentoffutureprotectionprofiles.
AVA_VAN.1VulnerabilitySurvey
Developeractionelements:
AVA_VAN.1.1DThedevelopershallprovidetheTOEfortesting.
Contentandpresentationelements:AVA_VAN.1.2C
TheTOEshallbesuitablefortesting.
Evaluatoractionelements:AVA_VAN.1.3E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
AVA_VAN.1.4ETheevaluatorshallperformasearchofpublicdomainsourcestoidentifypotentialvulnerabilitiesintheTOE.
ApplicationNote:PublicdomainsourcesincludetheCommonVulnerabilitiesandExposures(CVE)dictionaryforpublicly-knownvulnerabilities.
AVA_VAN.1.5ETheevaluatorshallconductpenetrationtesting,basedontheidentifiedpotentialvulnerabilities,todeterminethattheTOEisresistanttoattacksperformedbyanattackerpossessingBasicattackpotential.
EvaluationActivities
AVA_VAN.1:Theevaluatorshallgenerateareporttodocumenttheirfindingswithrespecttothisrequirement.ThisreportcouldphysicallybepartoftheoveralltestreportmentionedinATE_IND,oraseparatedocument.Theevaluatorperformsasearchofpublicinformationtofindvulnerabilitiesthathavebeenfoundinmobiledevicesandtheimplementedcommunicationprotocolsingeneral,aswellasthosethatpertaintotheparticularTOE.Theevaluatordocumentsthesourcesconsultedandthevulnerabilitiesfoundinthereport.
Foreachvulnerabilityfound,theevaluatoreitherprovidesarationalewithrespecttoitsnon-applicability,ortheevaluatorformulatesatest(usingtheguidelinesprovidedinATE_IND)toconfirmthevulnerability,ifsuitable.Suitabilityisdeterminedbyassessingtheattackvectorneededtotakeadvantageofthevulnerability.Ifexploitingthevulnerabilityrequiresexpertskillsandanelectronmicroscope,forinstance,thenatestwouldnotbesuitableandanappropriatejustificationwouldbeformulated.
AppendixA-OptionalRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOE)arecontainedinthebodyofthisPP.ThisappendixcontainsthreeothertypesofoptionalrequirementsthatmaybeincludedintheST,butarenotrequiredinordertoconformtothisPP.However,appliedmodules,packagesand/orusecasesmayrefinespecificrequirementsasmandatory.
Thefirsttype(A.1StrictlyOptionalRequirements)arestrictlyoptionalrequirementsthatareindependentoftheTOEimplementinganyfunction.IftheTOEfulfillsanyoftheserequirementsorsupportsacertainfunctionality,thevendorisencouragedtoincludetheSFRsintheST,butarenotrequiredinordertoconformtothisPP.
Thesecondtype(A.2ObjectiveRequirements)areobjectiverequirementsthatdescribesecurityfunctionalitynotyetwidelyavailableincommercialtechnology.TherequirementsarenotcurrentlymandatedinthebodyofthisPP,butwillbeincludedinthebaselinerequirementsinfutureversionsofthisPP.Adoptionbyvendorsisencouragedandexpectedassoonaspossible.
Thethirdtype(A.3Implementation-basedRequirements)aredependentontheTOEimplementingaparticularfunction.IftheTOEfulfillsanyoftheserequirements,thevendormusteitheraddtherelatedSFRordisablethefunctionalityfortheevaluatedconfiguration.
A.1StrictlyOptionalRequirements
A.1.1Class:IdentificationandAuthentication(FIA)
FIA_UAU_EXT.4SecondaryUserAuthenticationFIA_UAU_EXT.4.1
TheTSFshallprovideasecondaryauthenticationmechanismforaccessingEnterpriseapplicationsandresources.ThesecondaryauthenticationmechanismshallcontrolaccesstotheEnterpriseapplicationandsharedresourcesandshallbeincorporatedintotheencryptionofprotectedandsensitivedatabelongingtoEnterpriseapplicationsandsharedresources.
ApplicationNote:FortheBYODusecase,Enterpriseapplicationsanddatamustbeprotectedusingadifferentpasswordthantheuserauthenticationtogainaccesstothepersonalapplicationsanddata,ifconfigured.
ThisrequirementmustbeincludedintheSTiftheTOEimplementsacontainersolution,inwhichthereisaseparateauthentication,toseparateuserandEnterpriseapplicationsandresources.
FIA_UAU_EXT.4.2TheTSFshallrequiretheusertopresentthesecondaryauthenticationfactorpriortodecryptionofEnterpriseapplicationdataandEnterprisesharedresourcedata.
ApplicationNote:ThisrequirementmustbeselectedifFIA_UAU_EXT.4.1isselected.TheintentofthisrequirementistopreventdecryptionofprotectedEnterpriseapplicationdataandEnterprisesharedresourcedatabeforetheuserhasauthenticatedtothedeviceusingthesecondaryauthenticationfactor.EnterprisesharedresourcedataconsistsoftheFDP_ACF_EXT.2.1selections.
EvaluationActivities
FIA_UAU_EXT.4:TSSTherearenoTSSevaluationactivitiesforthiselement.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTheEvaluationActivitiesforanyselectedrequirementsrelatedtodeviceauthenticationmustbeseparatelyperformedforthesecondaryauthenticationmechanism(inadditiontoactivitiesperformedfortheprimaryauthenticationmechanism).Therequirementsare:FIA_UAU.6,FIA_PMG_EXT.1,FIA_TRT_EXT.1,FIA_UAU.7,FIA_UAU_EXT.2,FTA_SSL_EXT.1,FCS_STG_EXT.2,FMT_SMF_EXT.1/FMT_MOF_EXT.1#1,#2,#8,#21,and#36.
Additionally,FIA_AFL_EXT.1mustbemet,exceptthatinFIA_AFL_EXT.1.2theseparatetestisperformedwiththetext"wipeofallprotecteddata"changedto"wipeofallEnterpriseapplicationdataandallEnterprisesharedresourcedata."
TSSTheevaluatorshallverifythattheTSSsectionoftheSTdescribestheprocessfordecryptingEnterpriseapplicationdataandsharedresourcedata.TheevaluatorshallensurethatthisprocessrequirestheusertoenteranAuthenticationFactorand,inaccordancewithFCS_CKM_EXT.3,derivesaKEKwhichisusedtoprotectthesoftware-basedsecurekeystorageand(optionally)DEK(s)forsensitivedata,inaccordancewithFCS_STG_EXT.2.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.
A.2ObjectiveRequirements
A.2.1Class:SecurityAudit(FAU)
FAU_SAR.1AuditReviewFAU_SAR.1.1
TheTSFshallprovidetheadministratorwiththecapabilitytoreadallauditedeventsandrecordcontentsfromtheauditrecords.
ApplicationNote:Theadministratormusthaveaccesstoreadtheauditrecord,perhapsthroughanAPIorviaanMDMAgent,whichtransfersthelocalrecordsstoredontheTOEtotheMDMServerwheretheenterpriseadministratormayviewthem.IfthisrequirementisincludedintheST,function32mustbeincludedintheselectionofFMT_SMF_EXT.1.
FAU_SAR.1.2TheTSFshallprovidetheauditrecordsinamannersuitablefortheusertointerprettheinformation.
EvaluationActivities
FAU_SAR.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluationactivityforthisrequirementisperformedinconjunctionwithtestforfunction32ofFMT_SMF_EXT.1.
FAU_SEL.1SelectiveAuditFAU_SEL.1.1
TheTSFshallbeabletoselectthesetofeventstobeauditedfromthesetofallauditableeventsbasedonthefollowingattributes[selection:
eventtype,successofauditablesecurityevents,failureofauditablesecurityevents,[assignment:otherattributes]
].
ApplicationNote:Theintentofthisrequirementistoidentifyallcriteriathatcanbeselectedtotriggeranauditevent.ThiscanbeconfiguredthroughaninterfaceontheTSFforauseroradministratortoinvoke.FortheSTauthor,theassignmentisusedtolistanyadditionalcriteriaor"none".
EvaluationActivities
FAU_SEL.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTheevaluatorshallreviewtheadministrativeguidancetoensurethattheguidanceitemizesalleventtypes,aswellasdescribesallattributesthataretobeselectableinaccordancewiththerequirement,toincludethoseattributeslistedintheassignment.Theadministrativeguidanceshallalsocontaininstructionsonhowtosetthepre-selectionaswellasexplainthesyntax(ifpresent)formulti-valuepre-selection.Theadministrativeguidanceshallalsoidentifythoseauditrecordsthatarealwaysrecorded,regardlessoftheselectioncriteriacurrentlybeingenforced.
TestsTheevaluatorshallalsoperformthefollowingtests:
Test1:Foreachattributelistedintherequirement,theevaluatorshalldeviseatesttoshowthatselectingtheattributecausesonlyauditeventswiththatattribute(orthosethatarealwaysrecorded,asidentifiedintheadministrativeguidance)toberecorded.
Test2:[conditional]IftheTSFsupportsspecificationofmorecomplexauditpre-selectioncriteria(e.g.,multipleattributes,logicalexpressionsusingattributes)thentheevaluatorshalldevisetestsshowingthatthiscapabilityiscorrectlyimplemented.Theevaluatorshallalso,inthetestplan,provideashortnarrativejustifyingthesetoftestsasrepresentativeandsufficienttoexercisethecapability.
A.2.2Class:CryptographicSupport(FCS)
FCS_RBG_EXT.2RandomBitGeneratorStatePreservationFCS_RBG_EXT.2.1
TheTSFshallsavethestateofthedeterministicRBGatpower-off,andshallusethisstateasinputtothedeterministicRBGatstartup.
ApplicationNote:Thecapabilitytoaddthestatesavedatpower-offasinputtotheRBGpreventsanRBGthatisslowtogatherentropyfromproducingthesameoutputregularlyandacrossreboots.Sincethereisnoguaranteeoftheprotectionsprovidedwhenthestateisstored(orarequirementforanysuchprotection),itisassumedthatthestateis'known',andthereforecannotcontributeentropytotheRBG,butcanintroduceenoughvariationthattheinitialRBGvaluesarenotpredictableandexploitable.
EvaluationActivities
FCS_RBG_EXT.2:TSSTheevaluationactivityforthisrequirementiscapturedintheRBGdocumentationforAppendixD-EntropyDocumentationAndAssessment.Theevaluatorshallverifythatthedocumentationdescribeshowthestateisgeneratedsoastobeavailableforthenextstartup,howthestateisusedasinputtotheDRBG,andanyprotectionmeasuresusedforthestatewhiletheTOEispoweredoff.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FCS_RBG_EXT.3SupportforPersonalizationStringFCS_RBG_EXT.3.1
TheTSFshallallowapplicationstoadddatatothedeterministicRBGusingthePersonalizationStringasdefinedinSP800-90A.
ApplicationNote:AsspecifiedinSP800-90A,theTSFmustnotcountdatainputfromanapplicationtowardstheentropyrequiredbyFCS_RBG_EXT.1.Thus,theTSFmustnotallowtheonlyinputtotheRBGseedtobefromanapplication.
EvaluationActivities
FCS_RBG_EXT.3:TheevaluatorshallverifythatthisfunctionisincludedasaninterfacetotheRBGinthedocumentationrequiredbyAppendixD-EntropyDocumentationAndAssessmentandthatthe
behavioroftheRBGfollowingacalltothisinterfaceisdescribed.TheevaluatorshallalsoverifythatthedocumentationoftheRBGdescribestheconditionsofuseandpossiblevaluesforthePersonalizationStringinputtotheSP800-90AspecifiedDRBG.
TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTest1:Theevaluatorshallwrite,orthedevelopershallprovide,anapplicationthataddsdatatotheRBGviathePersonalizationString.Theevaluatorshallverifythattherequestsucceeds.
FCS_SRV_EXT.2CryptographicAlgorithmServicesFCS_SRV_EXT.2.1
TheTSFshallprovideamechanismforapplicationstorequesttheTSFtoperformthefollowingcryptographicoperations:
AlgorithmsinFCS_COP.1/ENCRYPTAlgorithmsinFCS_COP.1/SIGN
bykeysstoredinthesecurekeystorage.
ApplicationNote:TheTOEwill,therefore,berequiredtoperformcryptographicoperationsonbehalfofapplicationsusingthekeysstoredintheTOE’ssecurekeystorage.
EvaluationActivities
FCS_SRV_EXT.2:TheevaluatorshallverifythattheAPIdocumentationforthesecurekeystorageincludesthecryptographicoperationsbythestoredkeys.
TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestscryptographicoperationsofstoredkeysbytheTSF.TheevaluatorshallverifythattheresultsfromtheoperationmatchtheexpectedresultsaccordingtotheAPIdocumentation.TheevaluatorshallusetheseAPIstotestthefunctionalityofthesecurekeystorageaccordingtotheEvaluationActivitiesinFCS_STG_EXT.1.
A.2.3Class:UserDataProtection(FDP)
FDP_ACF_EXT.3SecurityAttributeBasedAccessControlFDP_ACF_EXT.3.1
TheTSFshallenforceanaccesscontrolpolicythatprohibitsanapplicationfromgrantingbothwriteandexecutepermissiontoafileonthedeviceexceptfor[selection:filesstoredintheapplication'sprivatedatafolder,noexceptions].
EvaluationActivities
FDP_ACF_EXT.3:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ThefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:Theevaluatorshallwrite,orthedevelopershallprovide,anapplicationthatattemptstostoreafilewithbothwriteandexecutepermissions.Iftheselectionis"noexceptions",thentheevaluatorshallverifythatthisactionfailsandthatthepermissionsonthefilearenotsimultaneouslywriteandexecute.Iftheselectionis"application'sprivatedatafolder",thentheevaluatorshallensurethattheattempttostorethefileisoutsideoftheapplication'sprivatedatafolder.Test2:TheevaluatorshalltraversethefilesystemexaminingthepermissiononeachTSFfiletoverifythatnofilehasbothwriteandexecutepermissionsset.Iftheselectionis"application'sprivatedatafolder",thenonlyfilesoutsideofthisfolderneedtobeexaminedbytheevaluatorforthistest.
FDP_BCK_EXT.1ApplicationBackupFDP_BCK_EXT.1.1
TheTSFshallprovideamechanismforapplicationstomark[selection:allapplicationdata,selectedapplicationdata]tobeexcludedfromdevicebackups.
ApplicationNote:DevicebackupsincludeanymechanismbuiltintotheTOEthatallowsstoredapplicationdatatobeextractedoveraphysicalportorsentoverthenetwork,butdoesnotincludeanyfunctionalityimplementedbyaspecificapplicationitselfiftheapplicationisnotincludedintheTOE.Thelackofapublic/documentedAPIforperformingbackups,whenaprivate/undocumentedAPIexists,isnotsufficienttomeetthisrequirement.
EvaluationActivities
FDP_BCK_EXT.1:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsIf"allapplicationdata"isselected,theevaluatorshallinstallanapplicationthathasmarkedallofitsapplicationdatatobeexcludedfrombackups.Theevaluatorshallcausedatatobeplacedintotheapplication’sstoragearea.Theevaluatorshallattempttobackuptheapplicationdataandverifythatthebackupfailsorthattheapplication’sdatawasnotincludedinthebackup.
If"selectedapplicationdata"isselected,theevaluatorshallinstallanapplicationthathasmarkedselectedapplicationdatatobeexcludedfrombackups.Theevaluatorshallcausedatacoveredby"selectedapplicationdata"tobeplacedintotheapplication’sstoragearea.Theevaluatorshallattempttobackupthatselectedapplicationdataandverifythateitherthebackupfailsorthattheselecteddataisexcludedfromthebackup.
FDP_BLT_EXT.1LimitationofBluetoothDeviceAccessFDP_BLT_EXT.1.1
TheTSFshalllimittheapplicationsthatmaycommunicatewithaparticularpairedBluetoothdevice.
ApplicationNote:NoteveryapplicationwithprivilegestouseBluetoothshouldbepermittedtocommunicatewitheverypairedBluetoothdevice.Forexample,theTSFmaychoosetorequirethatonlytheapplicationthatinitiatedthecurrentconnectionmaycommunicatewiththedevice,oritmaystrictlytiethepaireddevicetothefirstapplicationthatmakesasocketconnectiontothedevicefollowinginitialpairing.Additionally,formoreflexibility,theTSFmaychoosetoprovidetheuserwithawaytoselectwhichapplicationsonthedevicemaycommunicatewithorobservecommunicationswitheachpairedBluetoothdevice.
EvaluationActivities
FDP_BLT_EXT.1:TSS
TheevaluatorshallensurethattheTSSdescribesthemechanismusedtopreventunrestrictedaccesstopairedBluetoothdevices(and/ortheircommunicationdata)byeveryapplicationwithaccesstotheBluetoothsystemserviceontheTOE.TheevaluatorshallverifythatthismethodeitherrestrictsaccesstoasingleapplicationorprovidesexplicitcontroloftheapplicationsthatmaycommunicatewiththepairedBluetoothdevice.
GuidanceTheevaluatorshallverifythattheAGDcontainsthestepstoconfigurewhichapplicationsareallowedtocommunicatewithagivenBluetoothperipheral.
TestsTheevaluatorshallestablishaBluetoothconnectionwithanyperipheral.TheevaluatorshallverifythatanapplicationthatisallowedtocommunicatewiththeBluetoothperipheralisabletoandthatanapplicationthatisnotallowedtocommunicatewiththatBluetoothperipheralisunabletocommunicatewiththeperipheral.
A.2.4Class:IdentificationandAuthentication(FIA)
FIA_BMG_EXT.2BiometricEnrollmentFIA_BMG_EXT.2.1
TheTSFshallonlyusebiometricsamplesofsufficientqualityforenrollment.Sampledatashallhave[assignment:qualitymetricscorrespondingtoeachbiometricmodality].
ApplicationNote:Differentbiometricmodalitiesutilizedifferentqualitystandards.ThequalitystandardfortheeachBAFselectedinFIA_UAU.5shouldbelistedintheassignment.Forexample,fingerprintmayutilizetheNFIQstandardwhereNFIQ1.0scoresof1,2,or3arerequiredforuseinhardwarePIV,where1isthehighestqualitystandard.NFIQ2.0isanewerversionoftheNFIQstandardthathasnotseenwidespreadadoptionasofthepublicationofthisPPbutisbeingconsideredbythescientificcommunityaswellasbyindustry.Samplesusedtocreatetheauthenticationtemplate/profileatenrollmentmustbemutuallyconsistent.Aftertheauthenticationtemplatehasbeencreated,itmustbetestedtodeterminewhetherornotitisofsufficientqualityandifnot,morequalitysamplesmustbeaddeduntilitisofsufficientquality.
EvaluationActivities
FIA_BMG_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribeshowthequalityofsamplesusedtocreatetheauthenticationtemplateatenrollmentareverified.Aswellasthequalitystandardthatthevalidationmethodusestoperformtheassessment.
GuidanceTheevaluatorshallverifythattheAGDguidancedescribeshowtoenrollauserforeachbiometricmodalitysupported.
TestsTheevaluatorshallinputbiometricsamplesforenrollment.Uponinputtingbiometricsamplesafixednumberoftimesasspecifiedintheprompts,oneormoreauthenticationtemplateswillbegenerated.Theevaluatorshallverifythatthedeviceonlyacceptssamplesofsufficientqualityorrequestsadditionalsamplesiftheauthenticationtemplateisnotofsufficientquality.Forallqualitymetrics,theevaluatorshallensurethatbiometricsamplesachievingaworsequalityscorethantheprescribedthresholdarerejected.
FIA_BMG_EXT.3BiometricVerificationFIA_BMG_EXT.3.1
TheTSFshallonlyusebiometricsamplesofsufficientqualityforverification.Assuch,sampledatashallhave[assignment:qualitymetricscorrespondingtoeachbiometricmodality].
ApplicationNote:Differentbiometricmodalitiesutilizedifferentqualitystandards.ThequalitystandardfortheeachBAFselectedinFIA_UAU.5shouldbelistedintheassignment.Forexample,fingerprintmayutilizetheNFIQstandardwhereNFIQ1.0scoresof1,2,or3arerequiredforuseinhardwarePIV,where1isthehighestqualitystandard.NFIQ2.0isanewerversionoftheNFIQstandardthathasnotseenwidespreadadoptionasofthepublicationof
thisPPbutisbeingconsideredbythescientificcommunityaswellasbyindustry.
EvaluationActivities
FIA_BMG_EXT.3:TSSTheevaluatorshallverifythattheTSSdescribeshowthequalityofsamplesusedtoverifyauthenticationareverified.Aswellasthequalitystandardthatthevalidationmethodusestoperformtheassessment.Theevaluatorshallenrollauserforeachbiometricmodalitysupported.Theevaluatorwilltheninputbiometricsamplesforverificationandensurethatthedeviceonlyacceptssamplesofsufficientquality.Theevaluatorshallensurethatbiometricsamplesachievingaworsequalityscorethantheprescribedthresholdarerejected.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FIA_BMG_EXT.4BiometricTemplatesFIA_BMG_EXT.4.1
TheTSFshallonlygenerateanduseenrollmenttemplatesand/orauthenticationtemplatesofsufficientqualityforanysubsequentauthenticationfunctions.
ApplicationNote:Ifthevendorneedstodevelopanauthenticationtemplateusingmultipleenrollmentsamples,theymustallbemutuallyconsistentandcorrespondtothebiometriccharacteristicsofasingleuserandsource.Forthepurposesofthisrequirement,enrollmenttemplatesaretemplatesconstructedfromsampledata,whileauthenticationtemplatesaregeneratedbasedonsampledataand/orenrollmenttemplatesandstoredformatching/biometricverificationpurposes.Oneormoretemplatescouldbegeneratedduringenrollmentwithouttheuserknowinghowmany.
Authenticationtemplatesmaynothavestandardqualitymetrics,butvendorand/orlabsstillneedtoensurethatsuchtemplateshaveasufficientfeaturesetavailabletoprovideadesiredidentityassurancelevel.Examplesincludeminimumnumberoffingerprintminutiae.
EvaluationActivities
FIA_BMG_EXT.4:TSSTheevaluatorshallverifythattheTSSdescribeshowthesamplesusedtocreatetheauthenticationtemplateatenrollmentaremutuallyconsistentandhowthemutualconsistencyisvalidated,bothintermsofthemethodofvalidationaswellasthequalitystandardthatthevalidationmethodusestoperformtheassessment.
Theevaluatorshallinputbiometricsamplesforenrollment.Indoingso,theevaluatorshallverifytheenrollmenttemplatesgeneratedareofsufficientquality.Uponinputtingbiometricsamplesafixednumberoftimesasspecifiedintheprompts,theevaluatorshalladditionallyverifythatanyenrollmentandauthenticationtemplatesgeneratedareofsufficientquality.Thatis,theyshallallbemutuallyconsistentandcorrespondtothebiometriccharacteristicsofasingleuserandsource(e.g.thesamefingerfromthesameperson).
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FIA_BMG_EXT.5HandlingUnusualBiometricTemplatesFIA_BMG_EXT.5.1
Thematchingalgorithmshallhandleproperlyformattedenrollmenttemplatesand/orauthenticationtemplates,especiallythosewithunusualdataproperties,appropriately.Ifsuchtemplatescontainincorrectsyntax,areoflowquality,orcontainenrollmentdataconsideredunrealisticforagivenmodality,thentheyshallberejectedbythematchingalgorithmandanerrorcodeshallbereported.
ApplicationNote:Whileitisimportanttohaveproperlyformattedenrollmentorauthenticationtemplates,itisequallyimportantforthematchingalgorithmtocorrectlyhandleenrollmentand/orauthenticationtemplatesthathaveunusualdatapropertiesorareoflowquality.Ifthematchingalgorithmdetectstemplatesthatareoflowquality,havelownumbersofbitsofcomplexity,ormaintainunusualdataproperties,itmustreturnanerrorcodeorotherindicationinordertoprotectthesystemfrompossiblespoofingordenial-of-serviceattacks.Forthepurposesofthisrequirement,enrollmenttemplatesaretemplatesconstructedfromsampledata,whileauthenticationtemplatesarestoredformatching/biometricverificationpurposes.
Examplesofunusualdatapropertiesthatmaycausefingerprintenrollmenttemplaterejectioninclude,butarenotlimitedto,minutiacountsthataretoohighortoolow,directionfieldmapsthatdonotcorrespondtorealfingerprintridgeflowmaps,alldetectedminutiacrowdedtotheextremeedgesoftheimagearea,andridgewidthsthataretoowideortoonarrow.
Accordingly,ifanenrollmenttemplateand/orauthenticationtemplatemeetsthestructuralrequirementsbutwithoutpropersyntax,thematchingalgorithmmustsimilarlyreturnanerrorcodeorotherindicationtosimilareffect.
EvaluationActivities
FIA_BMG_EXT.5:TSSTheevaluatorshallverifythattheTSShowthematchingalgorithmaddressesproperlyformattedtemplateswithunusualdataproperties,incorrectsyntax,orlowquality.Theevaluatorshallensurethattheseclaimsaresoundthroughappropriatetestingbasedontestprogramsprovidedbythevendor.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FIA_BMG_EXT.6SpoofDetectionsforBiometricsFIA_BMG_EXT.6.1
TheTSFshallperformPresentationAttackDetectiontestinguptotheattackpotentialof[selection:basic,intermediate,advanced]attacks,foreachbiometricmodalitiesselectedinFIA_UAU.5.1oneachenrollmentandauthenticationattempt,rejectingdetectedspoofs.WhenanauthenticationattemptfailsduetoPADtesting,theTSFshallnotindicatetotheuserthereasonforfailuretoauthenticate.
ApplicationNote:PresentationAttackDetection(PAD)isalsoknownaslivenessdetectionorspoofdetection.IfmultiplemodalitiesareselectedinFIA_UAU.5.1,thenthisSFRmustbeiteratedforeachmodality.Foreachmodality,onlyoneattackstrengthmustbeselected.
BecausePresentationAttackDetection(PAD)isanopen-endedproblemmuchlikevulnerabilitytesting,itisneithercost-effectivenorfeasibletocreateacompletelistofattackvectorsandperformtestingonallofthemduringthetimeframeforCCevaluations.Suchalistwouldbeever-changing,andunlikecodevulnerabilities(i.e.CVEs),theequipment,skill,time,andcostrequiredtotesthighlysophisticatedattacksishighlyinfeasibleforatestinglabgiventhecurrenttimeframeforCCevaluations.Nevertheless,itisaknownriskthathasbeendocumentedbyresearchersforyears.
Therefore,vendorsareresponsibleforprovidingtheirowndocumentationspecifyingthemeasurestheTSFtakestomitigatepresentationattacksandtheappropriatepen-testing(forexample,redteamingandblueteaming)performedasproof.
Tobespecific,basicattacks(includingbasicandenhanced-basic[IBPC])refertoattacksinliteratureoflowskillthatcanbeperformedonalimitedbudget.Thisincludes,butisnotlimitedto,playbackattacksofaspokenutteranceusingadifferentmobiledeviceforvoiceauthentication,takingaphotographofafingerprintorfacialandsubmittingittothesensor,amongotherexamples.
Intermediate(ormoderate[IBPC])attackscaninclude,butarenotlimitedto,creatingafoamfingertothwartfingerprintdetectionandusingahigherqualityplaybackdevicetothwartlivenessdetection.
Advanced(includinghighandbeyondhigh[IBPC])attackscaninclude,butarenotlimitedto,creatingasynthetichandwiththegivenfingerprintusinganexpensive3D-printerandforcingsomeonetorevealone’scredentialsthroughcoercionorthreatsthatmaycauseharm(wheredetectionofduressisrequired).Manyoftheseattacktechniquesmaybesensitiveorgovernmentclassified.
EvaluationActivities
FIA_BMG_EXT.6:TSSThetestingmethodologyspecifiedinISO19989Informationtechnology—Securityevaluationofpresentationattackdetectionforbiometrics[ISO19989]istobeusedtodeterminetheefficacyofthePADfortheselectedattackpotential.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ISO19989isindraftstatusatthetimeofpublicationofthisPP.OncetheISOstandardispublished,itshallbeusedtomeettheevaluationactivityforthisrequirement.Henniger,Scheuermann,andKniess[IBPC],provideadescriptionofattackpotentialcalculationwithexamples.UntilsuchtimeasISO19989ispublished,thevendorshallprovidetothelabadescriptionofthePADprocessingimplementedintheTSF,testproceduresusedtovalidatesuccessfuloperationofPAD,andtestdatawithresultsofthePADvalidationtesting.Thelabmayanalyzethetestproceduresanddatatovalidatevendortestresultsor,optionally,mayconductitsowntesting.
Ifthelabperformsitsowntesting,itishighlyrecommendedthatthevendorprovidesspooftestingtools,asitisnotexpectedforthelabtocreateatestprocedureformodalitiesoutsideofestablishedstandardsandeasilyimplementedprocedures.Labscanalsoexpeditethetestingprocessbypurchasingtheappropriatespoofkitsandrecipesfromspecializedbiometricstestinglabs.
FIA_X509_EXT.4X.509CertificateEnrollmentFIA_X509_EXT.4.1
TheTSFshallusetheEnrollmentoverSecureTransport(EST)protocolasspecifiedinRFC7030torequestcertificateenrollmentusingthesimpleenrollmentmethoddescribedinRFC7030Section4.2.
FIA_X509_EXT.4.2TheTSFshallbecapableofauthenticatingESTrequestsusinganexistingcertificateandcorrespondingprivatekeyasspecifiedbyRFC7030Section3.3.2.
FIA_X509_EXT.4.3TheTSFshallbecapableofauthenticatingESTrequestsusingHTTPBasicAuthenticationwithausernameandpasswordasspecifiedbyRFC7030Section3.2.3.
FIA_X509_EXT.4.4TheTSFshallperformauthenticationoftheESTserverusinganExplicitTrustAnchorfollowingtherulesdescribedinRFC7030,section3.6.1.
ApplicationNote:ESTalsousesHTTPSasspecifiedinFCS_HTTPS_EXT.1toestablishasecureconnectiontoanESTserver.TheseparateTrustAnchorDatabasededicatedtoESToperationsisdescribedasExplicitTrustAnchorsinRFC7030.
FIA_X509_EXT.4.5TheTSFshallbecapableofrequestingserver-providedprivatekeysasspecifiedinRFC7030Section4.4.
FIA_X509_EXT.4.6TheTSFshallbecapableofupdatingitsEST-specificTrustAnchorDatabaseusingthe"RootCAKeyUpdate"processdescribedinRFC7030Section4.1.3.
FIA_X509_EXT.4.7TheTSFshallgenerateaCertificateRequestMessageforESTasspecifiedinRFC2986andbeabletoprovidethefollowinginformationintherequest:publickeyand[selection:device-specificinformation,CommonName,Organization,OrganizationalUnit,Country].
ApplicationNote:Thepublickeyreferencedisthepublickeyportionofthe
public-privatekeypairgeneratedbytheTOEasspecifiedinFCS_CKM.1.
FIA_X509_EXT.4.8TheTSFshallvalidatethechainofcertificatesfromtheRootCAcertificateintheTrustAnchorDatabasetotheESTServerCAcertificateuponreceivingaCACertificatesResponse.
EvaluationActivities
FIA_X509_EXT.4:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTheevaluatorshallchecktoensurethattheoperationalguidancecontainsinstructionsonrequestingcertificatesfromanESTserver,includinggeneratingaCertificateRequestMessage.
TestsTheevaluatorshallalsoperformthefollowingtests.OthertestsareperformedinconjunctionwiththeevaluationactivitylistedinthePackageforTransportLayerSecurity.
Test1:TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestcertificateenrollmentfromanESTserverusingthesimpleenrollmentmethoddescribedinRFC7030Section4.2,authenticatingthecertificaterequesttotheserverusinganexistingcertificateandprivatekeyasdescribedbyRFC7030Section3.3.2.TheevaluatorshallconfirmthattheresultingcertificateissuccessfullyobtainedandinstalledintheTOEkeystore.
Test2:TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestcertificateenrollmentfromanESTserverusingthesimpleenrollmentmethoddescribedinRFC7030Section4.2,authenticatingthecertificaterequesttotheserverusingausernameandpasswordasdescribedbyRFC7030Section3.2.3.TheevaluatorshallconfirmthattheresultingcertificateissuccessfullyobtainedandinstalledintheTOEkeystore.
Test3:TheevaluatorshallmodifytheESTservertoreturnacertificatecontainingadifferentpublickeythanthekeyincludedintheTOE’scertificaterequest.TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestcertificateenrollmentfromanESTserver.TheevaluatorshallconfirmthattheTOEdoesnotaccepttheresultingcertificatesincethepublickeyintheissuedcertificatedoesnotmatchthepublickeyinthecertificaterequest.
Test4:TheevaluatorshallconfiguretheESTserveroruseaman-in-the-middletooltopresentaservercertificatetotheTOEthatispresentintheTOEgeneralTrustAnchorDatabasebutnotitsEST-specificTrustAnchorDatabase.TheevaluatorshallcausetheTOEtorequestcertificateenrollmentfromtheESTserver.Theevaluatorshallverifythattherequestisnotsuccessful.
Test5:TheevaluatorshallconfiguretheESTserveroruseaman-in-the-middletooltopresentaninvalidcertificate.TheevaluatorshallcausetheTOEtorequestcertificateenrollmentfromtheESTserver.TheevaluatorshallverifythattherequestisnotsuccessfulTheevaluatorshallconfiguretheESTserveroruseaman-in-the-middletooltopresentacertificatethatdoesnothavetheCMCRApurposeandverifythatrequeststotheESTserverfail.ThetestershallrepeatthetestusingavalidcertificateandacertificatethatcontainstheCMCRApurposeandverifythatthecertificateenrollmentrequestssucceed.
Test6:TheevaluatorshalluseapacketsniffingtoolbetweentheTOEandanESTserver.TheevaluatorshallturnonthesniffingtoolandcausetheTOEtorequestcertificateenrollmentfromanESTserver.TheevaluatorshallverifythattheESTprotocolinteractionoccursoveraTransportLayerSecurity(TLS)protectedconnection.TheevaluatorisnotexpectedtodecrypttheconnectionbutratherobservethatthepacketsconformtotheTLSprotocolformat.
Test7:TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestaserver-providedprivatekeyandcertificatefromanESTserver.TheevaluatorshallconfirmthattheresultingprivatekeyandcertificatearesuccessfullyobtainedandinstalledintheTOEkeystore.
Test8:TheevaluatorshallmodifytheESTserverto,inresponsetoaserver-providedprivatekeyandcertificaterequest,returnaprivatekeythatdoesnotcorrespondwiththepublickeyinthereturnedcertificate.TheevaluatorshallusetheoperationalguidancetocausetheTOEtorequestaserver-providedprivatekeyandcertificate.TheevaluatorshallconfirmthattheTOEdoesnotaccepttheresultingprivatekeyandcertificatesincetheprivatekeyandpublickeydonotcorrespond.
Test9:TheevaluatorshallconfiguretheESTservertoprovidea"RootCAKeyUpdate"as
describedinRFC7030Section4.1.3.TheevaluatorshallcausetheTOEtorequestCAcertificatesfromtheESTserverandshallconfirmthattheEST-specificTrustAnchorDatabaseisupdatedwiththenewtrustanchor.
Test10:TheevaluatorshallconfiguretheESTservertoprovidea"RootCAKeyUpdate"asdescribedinRFC7030Section4.1.3,butshallmodifypartoftheNewWithOldcertificate’sgeneratedsignature.TheevaluatorshallcausetheTOEtorequestCAcertificatesfromtheESTserverandshallconfirmthattheEST-specificTrustAnchorDatabaseisnotupdatedwiththenewtrustanchorsincethesignaturedidnotverify.
Test11:TheevaluatorshallusetheoperationalguidancetocausetheTOEtogenerateacertificaterequestmessage.TheevaluatorshallcapturethegeneratedmessageandensurethatitconformstotheformatspecifiedbyRFC2986.Theevaluatorshallconfirmthatthecertificaterequestprovidesthepublickeyandotherrequiredinformation,includinganynecessaryuser-inputinformation.
FIA_X509_EXT.5X.509CertificateRequestsFIA_X509_EXT.5.1
TheTSFshallgenerateaCertificateRequestMessageasspecifiedinRFC2986andbeabletoprovidethefollowinginformationintherequest:publickeyand[selection:device-specificinformation,CommonName,Organization,OrganizationalUnit,Country].
ApplicationNote:ThepublickeyreferencedinFIA_X509_EXT.5.1isthepublickeyportionofthepublic-privatekeypairgeneratedbytheTOEasspecifiedinFCS_CKM.1.ThetrustedchannelrequirementsdonotapplytocommunicationwiththeCAforthecertificaterequest/responsemessages.
AsEnrollmentoverSecureTransport(EST)isanewstandardthathasnotyetbeenwidelyadopted,thisrequirementisincludedasaninterimobjectiverequirementinordertoallowdeveloperstodistinguishthoseproductswhichhavedohavetheabilitytogenerateCertificateRequestMessagesbutdonotyetimplementEST.
FIA_X509_EXT.5.2TheTSFshallvalidatethechainofcertificatesfromtheRootCAuponreceivingtheCACertificateResponse.
EvaluationActivities
FIA_X509_EXT.5:TSSIftheSTauthorselects"device-specificinformation",theevaluatorshallverifythattheTSScontainsadescriptionofthedevice-specificfieldsusedincertificaterequests.
GuidanceTheevaluatorshallchecktoensurethattheoperationalguidancecontainsinstructionsongeneratingaCertificateRequestMessage.IftheSTauthorselects"CommonName","Organization","OrganizationalUnit",or"Country",theevaluatorshallensurethatthisguidanceincludesinstructionsforestablishingthesefieldsbeforecreatingthecertificaterequestmessage.
TestsTheevaluatorshallalsoperformthefollowingtests:
Test1:TheevaluatorshallusetheoperationalguidancetocausetheTOEtogenerateacertificaterequestmessage.Theevaluatorshallcapturethegeneratedmessageandensurethatitconformstotheformatspecified.Theevaluatorshallconfirmthatthecertificaterequestprovidesthepublickeyandotherrequiredinformation,includinganynecessaryuser-inputinformation.
Test2:Theevaluatorshalldemonstratethatvalidatingacertificateresponsemessagewithoutavalidcertificationpathresultsinthefunctionfailing.TheevaluatorshallthenloadacertificateorcertificatesastrustedCAsneededtovalidatethecertificateresponsemessage,anddemonstratethatthefunctionsucceeds.Theevaluatorshallthendeleteoneofthecertificates,andshowthatthefunctionfails.
A.2.5Class:SecurityManagement(FMT)
FMT_SMF_EXT.3CurrentAdministrator
FMT_SMF_EXT.3.1TheTSFshallprovideamechanismthatallowsuserstoviewalistofcurrentlyauthorizedadministratorsandthemanagementfunctionsthateachadministratorisauthorizedtoperform.
EvaluationActivities
FMT_SMF_EXT.3:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallcausetheTOEtobeenrolledintomanagement.Theevaluatorshalltheninvokethismechanismandverifytheabilitytoviewthatthedevicehasbeenenrolled,andviewthemanagementfunctionsthattheadministratorisauthorizedtoperform.
A.2.6Class:ProtectionoftheTSF(FPT)
FPT_AEX_EXT.5KernelAddressSpaceLayoutRandomizationFPT_AEX_EXT.5.1
TheTSFshallprovideaddressspacelayoutrandomization(ASLR)tothekernel.
FPT_AEX_EXT.5.2Thebaseaddressofanykernel-spacememorymappingwillconsistof[assignment:numbergreaterthanorequalto4]unpredictablebits.
ApplicationNote:TheunpredictablebitsmaybeprovidedbytheTSFRBG(asspecifiedinFCS_RBG_EXT.1).
EvaluationActivities
FPT_AEX_EXT.5:TSSTheevaluatorshallensurethattheTSSsectionoftheSTdescribeshowthebitsaregeneratedandprovidesajustificationastowhythosebitsareunpredictable.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsEvaluationActivityNote:ThefollowingtestrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Test1:TheevaluatorshallreboottheTOEsixtimes.Foreachofthesereboots,theevaluatorshallexaminememorymappinglocationsofthekernel.Theevaluatormustensurethatforatleastfiverebootsthememorymappingsarenotplacedinthesamelocationonbothdevices.
FPT_AEX_EXT.6WriteorExecuteMemoryPagePermissionsFPT_AEX_EXT.6.1
TheTSFshallpreventwriteandexecutepermissionsfrombeingsimultaneouslygrantedtoanypageofphysicalmemory[selection:withnoexceptions,[assignment:specificexceptions]].
ApplicationNote:Memoryusedforjust-in-time(JIT)compilationisanticipatedasanexceptioninthisrequirement;ifso,theSTauthormustaddresshowthisexceptionispermitted.Itisexpectedthatthememorymanagementunitwilltransitionthesystemtoanon-operationalstateifanyviolationisdetectedinkernelmemoryspace.
EvaluationActivities
FPT_AEX_EXT.6:TSSTheevaluatorshallensurethattheTSSdescribeshowtheoperatingsystemoftheapplicationprocessorpreventsallprocessesexecutinginanon-privilegedexecutiondomainfromachievingwriteandexecutepermissionsonanypageofmemory(withonlyspecifiedexceptions).TheevaluatorshallensurethattheTSSdescribeshowsuchprocessesareunabletorequestpagesofmemorywithsuchpermissions,andhowtheyareunabletochangepermissionstobothwriteandexecuteonanypagesalreadyallocatedtothem.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_AEX_EXT.7HeapOverflowProtectionFPT_AEX_EXT.7.1
TheTSFshallincludeheap-basedbufferoverflowprotectionsintheruntimeenvironmentitprovidestoprocessesthatexecuteontheapplicationprocessor.
ApplicationNote:Theseheap-basedbufferoverflowprotectionsareexpectedtoensuretheintegrityofheapmetadatasuchasmemoryaddressesoroffsetsrecordedbytheheapimplementationtomanagememoryblocks.Thisincludeschunkheaders,look-asidelists,andotherdatastructuresusedtotrackthestateandlocationofmemoryblocksmanagedbytheheap.
EvaluationActivities
FPT_AEX_EXT.7:TSSTheevaluatorshallverifythattheTSSenumeratestheheapimplementationsprovidedtouserspaceprocesses.TheevaluatorshallensurethattheTSSlistsalltypesofheapmetadataandidentifieshowtheintegrityofeachtypeofmetadataisensured.TheevaluatorshallensurethattheTSSidentifiesallfieldswithineachtypeofmetadataandidentifieshowtheintegrityofthesefieldsisensured.TheevaluatorshallverifythattheTSSidentifiesthemannerinwhichanerrorconditionisenteredwhenaheapoverflowisdetectedandtheresultingactionstakenbytheTSF.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsForeachheapimplementation,theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplication,whichallocatesmemoryfromtheheapandthenwritesarbitrarydatasignificantlybeyondtheendoftheallocatedbuffer.Theevaluatorshallattempttoexecutethisapplicationandverifythatthewriteisnotallowed.
FPT_BBD_EXT.1ApplicationProcessorMediationFPT_BBD_EXT.1.1
TheTSFshallpreventcodeexecutingonanybasebandprocessor(BP)fromaccessingapplicationprocessor(AP)resourcesexceptwhenmediatedbytheAP.
ApplicationNote:Theseresourcesinclude:Volatileandnon-volatilememoryControlofanddatafromintegratedandnon-integratedperipherals(e.g.USBcontrollers,touchscreencontrollers,LCDcontroller,codecs)Controlofanddatafromintegratedandnon-integratedI/Osensors(e.g.camera,light,microphone,GPS,accelerometers,geomagneticfieldsensors)
Mobiledevicesarebecomingincreasinglycomplexhavinganapplicationprocessorthatrunsanoperatingsystemanduserapplicationsandseparatebasebandprocessor(s)thathandlecellularandotherwirelessnetworkconnectivity.
TheapplicationprocessorwithinmostmodernMobileDevicesisasystemonachip(SoC)thatintegrates,forexample,CPU/GPUcoresandmemory
interfaceelectronicsintoasingle,power-efficientpackage.Basebandprocessorsarebecomingincreasinglycomplexthemselvesdeliveringvoiceencodingalongsidemultipleindependentradios(LTE,Wi-Fi,Bluetooth,FM,GPS)inasinglepackagecontainingmultipleCPUsandDSPs.
Thus,thebasebandprocessor(s)intheserequirementsincludesuchintegratedSoCsandincludeanyradioprocessors(integratedornot)ontheMobileDevice.
Allotherrequirementsmostly,exceptwherenoted,applytofirmware/softwareontheapplicationprocessor,butfuturerequirements(notably,allIntegrity,AccessControl,andAnti-Exploitationrequirements)willapplytoapplicationprocessorsandbasebandprocessors.
EvaluationActivities
FPT_BBD_EXT.1:TSSTheevaluatorshallensurethattheTSSsectionoftheSTdescribesatahighlevelhowtheprocessorsontheMobileDeviceinteract,includingwhichbusprotocolstheyusetocommunicate,anyotherdevicesoperatingonthatbus(peripheralsandsensors),andidentificationofanysharedresources.TheevaluatorshallverifythatthedesigndescribedintheTSSdoesnotpermitanyBPsfromaccessinganyoftheperipheralsandsensorsorfromaccessingmainmemory(volatileandnon-volatile)usedbytheAP.Inparticular,theevaluatorshallensurethatthedesignpreventsmodificationofexecutablememoryoftheAPbytheBP.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
FPT_BLT_EXT.1LimitationofBluetoothProfileSupportFPT_BLT_EXT.1.1
TheTSFshalldisablesupportfor[assignment:listofBluetoothprofiles]BluetoothprofileswhentheyarenotcurrentlybeingusedbyanapplicationontheMobileDevice,andshallrequireexplicituseractiontoenablethem.
ApplicationNote:SomeBluetoothservicesincurmoreseriousconsequencesifunauthorizedremotedevicesgainaccesstothem.SuchservicesshouldbeprotectedbymeasureslikedisablingsupportfortheassociatedBluetoothprofileunlessitisactivelybeingusedbyanapplicationontheMobileDevice(inordertopreventdiscoverybyaServiceDiscoveryProtocolsearch),andthenrequiringexplicituseractiontoenablethoseprofilesinordertousetheservices.Itmaybefurtherappropriatetorequireadditionaluseractionbeforegrantingaremotedeviceaccesstothatservice.
Forexample,itmaybeappropriatetodisabletheOBEXPushProfileuntilauserontheMobileDevicepushesabuttoninanapplicationindicatingreadinesstotransferanobject.Aftercompletionoftheobjecttransfer,supportfortheOBEXprofileshouldbesuspendeduntilthenexttimetheuserrequestsitsuse.
EvaluationActivities
FPT_BLT_EXT.1:TSSTheevaluatorshallensurethattheTSSlistsallBluetoothprofilesthataredisabledwhilenotinusebyanapplicationandwhichneedexplicituseractioninordertobecomeenabled.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallperformthefollowingtests:
Test1:WhiletheserviceisnotinactiveusebyanapplicationontheTOE,theevaluatorshallattempttodiscoveraserviceassociatedwitha"protected"Bluetoothprofile(asspecifiedbytherequirement)ontheTOEviaaServiceDiscoveryProtocolsearch.TheevaluatorshallverifythattheservicedoesnotappearintheServiceDiscoveryProtocolsearchresults.Next,theevaluatorshallattempttogainremoteaccesstotheservicefroma
devicethatdoesnotcurrentlyhaveatrusteddevicerelationshipwiththeTOE.Theevaluatorshallverifythatthisattemptfailsduetotheunavailabilityoftheserviceandprofile.
Test2:TheevaluatorshallrepeatTest1withadevicethatcurrentlyhasatrusteddevicerelationshipwiththeTOEandverifythatthesamebehaviorisexhibited.
FPT_NOT_EXT.2Self-TestNotificationFPT_NOT_EXT.2.1
TheTSFshall[selection:audit,providetheadministratorwith]TSF-softwareintegrityverificationvalues.
ApplicationNote:Thesenotificationsaretypicallycalledremoteattestationandtheseintegrityvaluesaretypicallycalledmeasurements.Theintegrityvaluesarecalculatedfromhashesofcriticalmemoryandvalues,includingexecutablecode.TheSTauthormustselectwhetherthesevaluesareloggedasapartofFAU_GEN.1.1orareprovidedtotheadministrator.
FPT_NOT_EXT.2.2TheTSFshallcryptographicallysignallintegrityverificationvalues.
ApplicationNote:TheintentofthisrequirementistoprovideassurancetotheadministratorthattheresponsesprovidedarefromtheTOEandhavenotbeenmodifiedorspoofedbyaman-in-the-middlesuchasanetwork-basedadversaryoramaliciousMDMAgent.
EvaluationActivities
FPT_NOT_EXT.2:TSSTheevaluatorshallverifythattheTSSdescribeswhichcriticalmemoryismeasuredfortheseintegrityvaluesandhowthemeasurementisperformed(includingwhichTOEsoftwareperformsthesegeneratesthesevalues,howthatsoftwareaccessesthecriticalmemory,andwhichalgorithmsareused).
GuidanceIftheintegrityvaluesareprovidedtotheadministrator,theevaluatorshallverifythattheAGDguidancecontainsinstructionsforretrievingthesevaluesandinformationforinterpretingthem.Forexample,ifmultiplemeasurementsaretaken,whatthosemeasurementsareandhowchangestothosevaluesrelatetochangesinthedevicestate.
TestsEvaluationActivityNote:ThefollowingtestmayrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Theevaluatorshallrepeatthefollowingtestforeachmeasurement:Test1:Theevaluatorshallbootthedeviceinanapprovedstateandrecordthemeasurementtaken(eitherfromthelogorbyusingtheadministrativeguidancetoretrievethevalueviaanMDMAgent).Theevaluatorshallmodifythecriticalmemoryorvaluethatismeasured.Theevaluatorshallbootthedeviceandverifythatthemeasurementchanged.
TSSTheevaluatorshallverifythattheTSSdescribeswhichkeytheTSFusestosigntheresponsestoqueriesandthecertificateusedtoproveownershipofthekey,andthemethodofassociatingthecertificatewithaparticulardevicemanufacturerandmodel.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTheevaluatorshallperformthefollowingtest:
Test1:Theevaluatorshallwrite,orthedevelopershallprovide,amanagementapplicationthatquerieseithertheauditlogsorthemeasurements.TheevaluatorshallverifythattheresponsestothesequeriesaresignedandverifythesignaturesagainsttheTOE’scertificate.
FPT_TST_EXT.2/POSTKERNELTSFIntegrityChecking(Post-Kernel)FPT_TST_EXT.2.1/POSTKERNEL
TheTSFshallverifytheintegrityof[selection:allexecutablecode,[assignment:subsetofexecutablecode]]storedinmutablemediapriortoitsexecutionthroughtheuseof[selection:adigitalsignatureusinganimmutablehardwareasymmetrickey,animmutablehardwarehashofanasymmetrickey,animmutablehardwarehash,adigitalsignatureusingahardware-protectedasymmetrickey,hardware-protectedhash].
ApplicationNote:Allexecutablecodecoveredinthisrequirementisexecutedafterthekernelisloaded.
If"allexecutablecodeinmutablemedia"isverified,implementationinhardwareorinread-onlymemoryisanaturallogicalconsequence.
Atthistime,theverificationofsoftwareexecutedonotherprocessorsstoredinmutablemediaisnotrequired;however,itmaybeaddedinthefirstassignment.Ifallexecutablecode(includingbootloader(s),kernel,devicedrivers,pre-loadedapplications,user-loadedapplications,andlibraries)isverified,"allexecutablecodestoredinmutablemedia"shouldbeselected.
EvaluationActivities
FPT_TST_EXT.2/POSTKERNEL:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluationactivityshallbecompletedinconjunctionwithFPT_TST_EXT.2/PREKERNELforallexecutablecodespecified.
FPT_TUD_EXT.5ApplicationVerificationFPT_TUD_EXT.5.1
TheTSFshallbydefaultonlyinstallmobileapplicationscryptographicallyverifiedby[selection:abuilt-inX.509v3certificate,aconfiguredX.509v3certificate].
ApplicationNote:Thebuilt-incertificateisinstalledbythemanufacturereitherattimeofmanufactureorasapartofsystemupdates.TheconfiguredcertificateusedtoverifythesignatureissetaccordingtoFMT_SMF_EXT.1function33.
EvaluationActivities
FPT_TUD_EXT.5:TSSTheevaluatorshallverifythattheTSSdescribeshowmobileapplicationsoftwareisverifiedatinstallation.Theevaluatorshallensurethatthismethodusesadigitalsignaturebyacodesigningcertificate.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTest1:Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplication.Theevaluatorshalltrytoinstallthisapplicationwithoutadigitallysignatureandshallverifythatinstallationfails.Theevaluatorshallattempttoinstallanapplicationdigitallysignedwithanappropriatecertificate,andverifythatinstallationsucceeds.
Test2:Theevaluatorshalldigitallysigntheapplicationwithaninvalidcertificateandverifythatapplicationinstallationfails.TheevaluatorshalldigitallysigntheapplicationwithacertificatethatdoesnothavetheCodeSigningpurposeandverifythatapplicationinstallationfails.ThistestmaybeperformedinconjunctionwiththeEvaluationActivitiesforFIA_X509_EXT.1.
Test3:Ifnecessary,theevaluatorshallconfigurethedevicetolimitthepublickeysthatcansignapplicationsoftwareaccordingtotheAGDguidance.Theevaluatorshalldigitallysigntheapplicationwithacertificatedisallowedbythedeviceorconfigurationandverifythatapplicationinstallationfails.Theevaluatorshallattempttoinstallanapplicationdigitallysignedwithanauthorizedcertificateandverifythatapplicationinstallationsucceeds.
FPT_TUD_EXT.6TrustedUpdateVerificationFPT_TUD_EXT.6.1
TheTSFshallverifythatsoftwareupdatestotheTSFareacurrentorlaterversionthanthecurrentversionoftheTSF.
ApplicationNote:Alaterversionhasalargerversionnumber.Themethodfordistinguishingnewersoftwareversionsfromolderversionsisdeterminedbythemanufacturer.
EvaluationActivities
FPT_TUD_EXT.6:TSSTheevaluatorshallverifythattheTSSdescribesthemechanismthatpreventstheTSFfrominstallingsoftwareupdatesthatareanolderversionthatthecurrentlyinstalledversion.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallrepeatthefollowingteststocoverallallowedsoftwareupdatemechanismsasdescribedintheTSS.Forexample,iftheupdatemechanismreplacesanentirepartitioncontainingmanyseparatecodefiles,theevaluatordoesnotneedtorepeatthetestforeachindividualfile.
Test1:Theevaluatorshallattempttoinstallanearlierversionofsoftware(asdeterminedbythemanufacturer).Theevaluatorshallverifythatthisattemptfailsbycheckingtheversionidentifiersorcryptographichashesoftheprivilegedsoftwareagainstthosepreviouslyrecordedandcheckingthatthevalueshavenotchanged.
Test2:Theevaluatorshallattempttoinstallacurrentorlaterversionandshallverifythattheupdatesucceeds.
A.2.7Class:TOEAccess(FTA)
FTA_TAB.1DefaultTOEAccessBannersFTA_TAB.1.1
Beforeestablishingausersession,theTSFshalldisplayanadvisorywarningmessageregardingunauthorizeduseoftheTOE.
ApplicationNote:Thisrequirementmaybemetwiththeconfigurationofeithertextoranimagecontainingthetextofthedesiredmessage.TheTSFmustminimallydisplaythisinformationatstartup,butmayalsodisplaytheinformationateveryunlock.ThebannerisconfiguredaccordingtoFMT_SMF_EXT.1function36.
EvaluationActivities
FTA_TAB.1:TSSTheTSSshalldescribewhenthebannerisdisplayed.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTheevaluatorshallalsoperformthefollowingtest:
Test1:Theevaluatorfollowstheoperationalguidancetoconfigureanoticeandconsent
warningmessage.TheevaluatorshallthenstartuporunlocktheTSF.TheevaluatorshallverifythatthenoticeandconsentwarningmessageisdisplayedineachinstancedescribedintheTSS.
A.3Implementation-basedRequirements
A.3.1BluetoothIftheTOEincludesBluetoothhardware,thefollowingSFRsmustbeclaimed:IfthisisimplementedbytheTOE,thefollowingrequirementsmustbeincludedintheST:
FDP_UPC_EXT.1/BLUETOOTH
A.3.1.1Class:UserDataProtection(FDP)
FDP_UPC_EXT.1/BLUETOOTHInter-TSFUserDataTransferProtection(Bluetooth)FDP_UPC_EXT.1.1/BLUETOOTH
TheTSFshallprovideameansfornon-TSFapplicationsexecutingontheTOEtouse
BluetoothBR/EDRinaccordancewiththePP-ModuleforBluetooth,and[selection:
BluetoothLEinaccordancewiththePP-ModuleforBluetooth,nootherprotocol
]toprovideaprotectedcommunicationchannelbetweenthenon-TSFapplicationandanotherITproductthatislogicallydistinctfromothercommunicationchannels,providesassuredidentificationofitsendpoints,protectschanneldatafromdisclosure,anddetectsmodificationofthechanneldata.
ApplicationNote:IftheTOEincludesBluetoothhardware,thisrequirementmustbeincludedintheST.TheintentofthisrequirementisthatBluetoothBR/EDRandoptionallyBluetoothLEisavailableforusebyuserapplicationsrunningonthedeviceforuseinconnectingtodistant-endservicesthatarenotnecessarilypartoftheenterpriseinfrastructure.TheSTauthormustlistwhichtrustedchannelprotocolsareimplementedbytheMobileDeviceforusebynon-TSFapps.
TheTSFmustbevalidatedagainstrequirementsfromthePP-ModuleforBluetooth.ItshouldbenotedthattheFTP_ITC_EXT.1requiresthatallTSFcommunicationsbeprotectedusingtheprotocolsindicatedinthatrequirement,sotheprotocolsrequiredbythiscomponentride"ontopof"thoselistedinFTP_ITC_EXT.1.
FDP_UPC_EXT.1.2/BLUETOOTHTheTSFshallpermitthenon-TSFapplicationstoinitiatecommunicationviathetrustedchannel.
EvaluationActivities
FDP_UPC_EXT.1/BLUETOOTH:TheevaluatorshallverifythattheAPIdocumentationprovidedaccordingtoSection5.2.2ClassADV:Developmentincludesthesecurityfunctions(protectionchannel)describedintheserequirements,andverifythattheAPIsimplementedtosupportthisrequirementincludetheappropriatesettings/parameterssothattheapplicationcanbothprovideandobtaintheinformationneededtoassuremutualidentificationoftheendpointsofthecommunicationasrequiredbythiscomponent.
TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthatallprotocolslistedintheTSSarespecifiedandincludedintherequirementsintheST.
GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsnecessaryforconfiguringtheprotocol(s)selectedforusebytheapplications.
TestsEvaluationActivityNote:ThefollowingtestrequiresthedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonconsumerMobileDeviceproducts.
Theevaluatorshallwrite,orthedevelopershallprovideaccessto,anapplicationthatrequestsprotectedchannelservicesbytheTSF.TheevaluatorshallverifythattheresultsfromtheprotectedchannelmatchtheexpectedresultsaccordingtotheAPIdocumentation.ThisapplicationmaybeusedtoassistinverifyingtheprotectedchannelEvaluationActivitiesfortheprotocolrequirements.Theevaluatorshallalsoperformthefollowingtests:
Test1:TheevaluatorsshallensurethattheapplicationisabletoinitiatecommunicationswithanexternalITentityusingeachprotocolspecifiedintherequirement,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Theevaluatorshallensure,foreachcommunicationchannelwithanauthorizedITentity,thechanneldataarenotsentinplaintext.
AppendixB-Selection-basedRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOEoritsunderlyingplatform)arecontainedinthebodyofthisPP.ThereareadditionalrequirementsbasedonselectionsinthebodyofthePP:ifcertainselectionsaremade,thenadditionalrequirementsbelowmustbeincluded.
B.1Class:CryptographicSupport(FCS)
FCS_CKM_EXT.7CryptographicKeySupport(REK)
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFCS_CKM_EXT.1.1.
FCS_CKM_EXT.7.1AREKshallnotbeabletobereadfromorexportedfromthehardware.
ApplicationNote:If"mutable-hardware"isselectedinFCS_CKM_EXT.1.1,FCS_CKM_EXT.7mustbeincludedintheST.Notethatif"immutable-hardware"isselectedinFCS_CKM_EXT.1.1itimplicitlymeetsFCS_CKM_EXT.7.
Thelackofapublic/documentedAPIforimportingorexporting,whenaprivate/undocumentedAPIexists,isnotsufficienttomeetthisrequirement.
EvaluationActivities
FCS_CKM_EXT.7:TSSTheevaluationactivityforthiscomponentisperformedinconjunctionwiththeevaluationactivityforFCS_CKM_EXT.1.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
B.2Class:UserDataProtection(FDP)
FDP_ACF_EXT.2AccessControlforSystemResources
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFDP_ACF_EXT.1.2.
FDP_ACF_EXT.2.1TheTSFshallprovideaseparate[selection:addressbook,calendar,keystore,accountcredentialdatabase,[assignment:listofadditionalresources]]foreachapplicationgroupandonlyallowapplicationswithinthatprocessgrouptoaccesstheresource.Exceptionsmayonlybeexplicitlyauthorizedforsuchsharingby[selection:theuser,theadministrator,noone].
ApplicationNote:If"groupsofapplications"isselectedinFDP_ACF_EXT.1.2,FDP_ACF_EXT.2mustbeincludedintheST.
EvaluationActivities
FDP_ACF_EXT.2:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
Tests
Foreachselectedresource,theevaluatorshallcausedatatobeplacedintotheEnterprisegroup’sinstanceofthatsharedresource.TheevaluatorshallinstallanapplicationintothePersonalgroupthatattemptstoaccessthesharedresourceinformationandverifythatitcannotaccesstheinformation.
FDP_PBA_EXT.1StorageofCriticalBiometricParameters
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1.
FDP_PBA_EXT.1.1TheTSFshallprotecttheauthenticationtemplate[selection:usingaPINasanadditionalfactor,usingapasswordasanadditionalfactor,[assignment:othercircumstances]].
ApplicationNote:IfaBAFor"hybrid"isselectedinFIA_UAU.5.1,FDP_PBA_EXT.1.1mustbeincludedintheST.If"hybrid"isselectedinFIA_UAU.5.1,then"usingaPINasanadditionalfactor"or"usingapasswordasanadditionalfactor"mustbeselected.If"hybrid"isnotselectedinFIA_UAU.5.1,thentheauthenticationtemplatemustbesecuredbyothermeans,whichshouldbespecifiedintheassignment.Sincecompromisedauthenticationtemplatescanbeusedingeneratingpresentation/spoofattacks,itisimportanttoutilizesecuremethodsforprotectingthem.
EvaluationActivities
FDP_PBA_EXT.1:TSSTheevaluatorshalldeterminethattheTSScontainsadescriptionoftheactivitiesthathappenduringbiometricauthentication.
TheevaluatorshallensurethattheauthenticationtemplateisprotectedeitherusingaPINorbyothersecuremeans,asspecifiedbythevendor.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTherearenotestevaluationactivitiesforthiscomponent.
B.3Class:IdentificationandAuthentication(FIA)
FIA_BMG_EXT.1AccuracyofBiometricAuthentication
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1,FIA_UAU.5.1.
FIA_BMG_EXT.1.1Theone-attemptBAFFalseAcceptRate(FAR)for[assignment:biometricmodalityselectedinFIA_UAU.5.1]shallnotexceed[assignment:claimedFARnogreaterthan1:100]withaone-attemptBAFFalseRejectRate(FRR)nottoexceed1in[assignment:claimedFRRnogreaterthan1:10].
ApplicationNote:IfaBAFor"hybrid"isselectedinFIA_UAU.5.1,FIA_BMG_EXT.1.1mustbeincludedintheST.TheassignmentmustbecompletedforeachbiometricmodalityselectedinFIA_UAU.5.1.IfmultiplebiometricmodalitiesareselectedinFIA_UAU.5.1,itisacceptableforeachmodalitytohaveadifferentFARandFRR.
TheFalseAcceptRate(FAR)isthemeasureofthelikelihoodthatthebiometricwillincorrectlyacceptanauthenticationattemptbyanunauthorizeduser.Asystem'sFARtypicallyisstatedastheproportionofverificationtransactionswithwrongfulclaimsofidentitythatareincorrectlyconfirmed.
TheFalseRejectRate(FRR)isthemeasureofthelikelihoodthatthebiometricsecuritysystemwillincorrectlyrejectanauthenticationattemptbyanauthorizeduser.Asystem'sFRRtypicallyisstatedastheproportionofverificationtransactionswithtruthfulclaimsofidentitythatareincorrectlydenied.
Pleasenotethatwithouttheuseofhybridauthentication,multipleauthenticationattemptsforaBAFthatisclaimedtohaveaone-attemptFARbetween1:100and1:500inclusivewillnotproduceanacceptableSAFARinmeetingFIA_BMG_EXT.1.2.Moregenerally,dependingonthenumberofauthenticationattemptsallowedfortheBAF,theclaimedFARmustbestrong(orequivalently,low)enoughsothattheSAFARchoseninFIA_BMG_EXT.1.2canbemetwithinthe1%marginmandated.
Generallytestingenvironmentsforabiometricsysteminamobiledevicearebasedonasinglelegitimateuserenrollingandtestsubjectsattempttoauthenticate.SinceathoroughevaluationforFARandFRRmeetingalltheconditionsofstatisticalindependenceisnotfeasibleinthetimeframeofCCevaluationsandinagreementwithISO/IEC19795,theuseofofflinetestingisacceptableevenifthiscausesthebiometricsystemtodeviateslightlyfromtheevaluatedconfiguration.Additionally,fullcross-comparison(i.e.alltestsubjectsarecomparedtonon-self)isacceptable.
Detailedexplanationscorrespondingtothetestingenvironmentsthatareacceptable,toincludethenumberoftrialsneeded,canbefoundinSectionG.1ExperimentalSetupsAndErrorBarsInTestingFARAndFRR.
FIA_BMG_EXT.1.2TheoverallSystemAuthenticationFalseAcceptRate(SAFAR)shallbenogreaterthan1in[assignment:aSAFARnogreaterthan1:500]withina1%margin.
ApplicationNote:IfaBAFor"hybrid"isselectedinFIA_UAU.5.1,FIA_BMG_EXT.1.2mustbeincludedintheST.
SystemAuthenticationFalseAcceptRate(SAFAR)isdefinedbythecombinationofindividualerrorratesforeachauthenticationfactorandattemptsusedforaccesstoasinglesessiononthedevice.
Accessingasinglesessionmayinvolveasingleauthenticationfactor,inwhichcasetheSAFARforasingleattemptwillbeequaltothefalseacceptrate(FAR)ofthatauthenticationfactorandtheSAFARfornattemptswillbe
,assumingindependence.
Accessingasinglesessiononthedevicemayinvolvetheabilitytousemultipleauthenticationfactors.Itmaybethecasethatonlyoneauthenticationfactorisneededtoaccessasinglesessiononthedevice(i.e.bothapasswordandaBAFcanbeused,butonlyoneisneeded)orthatbothauthenticationfactorsareneededtoaccessasinglesessiononthedevice(i.e.boththeBAFandaPINmustbeentered).ThefullequationsforcalculatingtheSAFARcanbefoundinSectionG.3SAFARCalculationEquations.Afullyworked-outexamplethatappliestheequationsinSectionG.3SAFARCalculationEquationsforcalculatingtheSAFARcanbefoundinSectionG.4SAFARCalculationExample.
Theworst-casescenariomustbeusedtocalculatetheSAFAR.ThustheauthenticationfactorwiththehighestFARmustbeusedforthemaximumnumberofauthenticationattemptsallowedforthatfactor.Ifanyauthenticationattemptsremain,thentheauthenticationfactorwiththesecondhighestFARisusedforthemaximumnumberofauthenticationattemptsallowedforthatfactorandsoon.Forexample,theTOEsupportsapasswordandaBAF,theFARfortheBAFishigherthantheFARforthepasswordandeachauthenticationfactorutilizesasharedcounterperFIA_AFL_EXT.1.Thentheworst-casescenarioistheBAFisutilizedforthemaximumnumberofauthenticationattemptsallowedfortheBAF.Foranyremainingauthenticationattemptsallowedthepasswordisutilized.
AnotherexampleistheTOEsupportsapasswordandtwoBAFs,wheretheBAFshavedifferentFARs,withbothFARsbeinghigherthanthepasswordFAR.Thentheworst-casescenarioisthattheBAFwiththehighestFARisusedforthemaximumnumberofauthenticationattemptsallowedforthatBAF,followedbythesecondBAFifanyauthenticationattemptsareallowedforthatBAF.Ifanyauthenticationattemptsremain,thenthepasswordisutilizedforthoseattempts.
The1%marginisincludedforcaseswhereaBAFisnotacriticalauthenticationfactorandthusbothBAFandpasswordcanbeusedinasessionwithoutexceedingthedeclaredSAFAR.
EvaluationActivities
FIA_BMG_EXT.1:
TSSTheevaluatorshallverifythattheTSScontainsevidencesupportingthetestingandcalculationscompletedtodeterminetheFARandFRR.AppendixG-BiometricDerivationandExamplesprovidesguidancetohowthistestingcouldbecompletedandtowhaterrorbarsareexpectedwhentheRuleof3isapplied.TheevaluatorshallconsultAppendixG-BiometricDerivationandExamplesasareference,butshouldnottreatitasamandate.TheevaluatorshallverifythattheTSScontainsevidenceofwhetheronlineorofflinetestingwasused.Ifofflinetestingwascompleted,evidencedescribingthedifferencesbetweenthebiometricsystemusedfortestingandtheTOEintheevaluatedconfiguration,ifanymustbeincluded.
ThefollowingdocumentationisnotrequiredtobepartoftheTSS-itmaybesubmittedasaseparateproprietarydocument.Theevaluatorshallverifytheevidenceincludeshowmanyimposterswereusedfortestingandthatthetestingdescribeshowimpostersarecomparedtoenrolledusers,forexample,ifmultipledevicesforonlinetestingorfullcross-comparisonforofflinetestingwasused.AdequatedocumentationisrequiredtodemonstratethattestingwascompletedtosupporttheclaimedFARandFRR.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.TSSTheevaluatorshallverifythattheTSSindicateswhichSAFARtheTOEistargetingandcontainsevidencesupportingthecalculations,perSectionG.3SAFARCalculationEquations,completedtodeterminetheSAFAR.TheevaluatorshallverifythattheTSScontainsevidenceofhowtheauthenticationfactorsinteract,perFIA_UAU.5.2andFIA_AFL_EXT.1.TheevaluatorshallverifythattheTSS,containsthecombination(s)ofauthenticationfactorsneededtomeettheSAFAR,andthenumberofattemptsforeachauthenticationfactortheTOEisconfiguredtoallow.AdequatedocumentationisrequiredtodemonstratethecalculationscompletedtosupporttheclaimedSAFAR.
GuidanceTherearenoguidanceevaluationactivitiesforthiselement.
TestsTherearenotestevaluationactivitiesforthiselement.
B.4Class:ProtectionoftheTSF(FPT)
FPT_TST_EXT.3TSFIntegrityTesting
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1.
FPT_TST_EXT.3.1TheTSFshallnotexecutecodeifthecodesigningcertificateisdeemedinvalid.
ApplicationNote:Certificatesmayoptionallybeusedforcodesigningforintegrityverification(FPT_TST_EXT.2.1/PREKERNEL).If"codesigningforintegrityverification"isselectedinFIA_X509_EXT.2.1,FPT_TST_EXT.3.1mustbeincludedintheST.
Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.
EvaluationActivities
FPT_TST_EXT.3:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTestingforthiselementisperformedinconjunctionwiththeEvaluationActivitiesfor
FPT_TST_EXT.2.1/PREKERNEL.
FPT_TUD_EXT.4TrustedUpdateVerification
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_X509_EXT.2.1,FIA_X509_EXT.2.1.
FPT_TUD_EXT.4.1TheTSFshallnotinstallcodeifthecodesigningcertificateisdeemedinvalid.
ApplicationNote:Certificatesmayoptionallybeusedforcodesigningofsystemsoftwareupdates(FPT_TUD_EXT.2.3)andofmobileapplications(FPT_TUD_EXT.5.1).ThiselementmustbeincludedintheSTifcertificatesareusedforeitherupdateelement.Ifeither"codesigningforsystemsoftwareupdates"or"codesigningformobileapplications"isselectedinFIA_X509_EXT.2.1,FPT_TUD_EXT.4.1mustbeincludedintheST.
Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.
EvaluationActivities
FPT_TUD_EXT.4:TSSTherearenoTSSevaluationactivitiesforthiscomponent.
GuidanceTherearenoguidanceevaluationactivitiesforthiscomponent.
TestsTestingforthiselementisperformedinconjunctionwiththeEvaluationActivitiesforFPT_TUD_EXT.2andFPT_TUD_EXT.5.
AppendixC-ImplicitlySatisfiedRequirementsThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisProtectionProfile.However,theserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainsttheProtectionProfileprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.
Requirement RationaleforSatisfaction
FAU_SEL.1-SelectiveAudit
FAU_SEL.1hasadependencyonFMT_MTD.1sinceconfigurationofauditdataisasubsetofmanagingTSFdata.ThisdependencyismetbytheextendedSFRFMT_SMF_EXT.1,whichdefines"configuretheauditableitems"asamanagementfunctionandspecifiestherolesthatmayperformthis,consistentwithhowFMT_MTD.1wouldtypicallysatisfythedependency.
FCS_CKM.1-CryptographicKeyGeneration
FCS_CKM.1hasadependencyonFCS_CKM.4forthesubsequentdestructionofanykeysthattheTSFgenerates.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurpose.
FCS_CKM.1-CryptographicKeyGeneration
FCS_CKM.1hasadependencyonFCS_CKM.4forthesubsequentdestructionofanykeysthattheTSFgenerates.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurposeasitsCCPart2equivalent.
FCS_CKM.2-CryptographicKeyEstablishment
BothiterationsofFCS_CKM.2haveadependencyonFCS_CKM.4forthesubsequentdestructionofanykeysthattheTSFestablishes.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurposeasitsCCPart2equivalent.
FCS_COP.1-CryptographicOperation
AlliterationsofFCS_COP.1haveadependencyonFCS_CKM.4forthesubsequentdestructionofanyresidualkeymaterialtheTSFcreatesaspartoftheoperation.ThisdependencyismetbytheextendedSFRFCS_CKM_EXT.4,whichservesthesamepurposeasitsCCPart2equivalent.
FIA_UAU.7-ProtectedAuthenticationFeedback
FIA_UAU.7hasadependencyonFIA_UAU.1sinceprotectedauthenticationfeedbackisnotpossiblewithoutanauthenticationmechanism.ThisdependencyismetbytheextendedSFRFIA_UAU_EXT.1,whichservesthesamepurposeasitsCCPart2equivalent.
AppendixD-EntropyDocumentationAndAssessmentThedocumentationoftheentropysourceshouldbedetailedenoughthat,afterreading,theevaluatorwillthoroughlyunderstandtheentropysourceandwhyitcanbereliedupontoprovideentropy.Thisdocumentationshouldincludemultipledetailedsections:designdescription,entropyjustification,operatingconditions,andhealthtesting.ThisdocumentationisnotrequiredtobepartoftheTSS.
D.1DesignDescriptionDocumentationshallincludethedesignoftheentropysourceasawhole,includingtheinteractionofallentropysourcecomponents.Itwilldescribetheoperationoftheentropysourcetoincludehowitworks,howentropyisproduced,andhowunprocessed(raw)datacanbeobtainedfromwithintheentropysourcefortestingpurposes.Thedocumentationshouldwalkthroughtheentropysourcedesignindicatingwheretherandomcomesfrom,whereitispassednext,anypost-processingoftherawoutputs(hash,XOR,etc.),if/whereitisstored,andfinally,howitisoutputfromtheentropysource.Anyconditionsplacedontheprocess(e.g.,blocking)shouldalsobedescribedintheentropysourcedesign.Diagramsandexamplesareencouraged.
Thisdesignmustalsoincludeadescriptionofthecontentofthesecurityboundaryoftheentropysourceandadescriptionofhowthesecurityboundaryensuresthatanadversaryoutsidetheboundarycannotaffecttheentropyrate.
Ifimplemented,thedesigndescriptionshallincludeadescriptionofhowthird-partyapplicationscanaddentropytotheRBG.AdescriptionofanyRBGstatesavingbetweenpower-offandpower-onshallbeincluded.
D.2EntropyJustificationThereshouldbeatechnicalargumentforwheretheunpredictabilityinthesourcecomesfromandwhythereisconfidenceintheentropysourceexhibitingprobabilisticbehavior(anexplanationoftheprobabilitydistributionandjustificationforthatdistributiongiventheparticularsourceisonewaytodescribethis).ThisargumentwillincludeadescriptionoftheexpectedentropyrateandexplainhowyouensurethatsufficiententropyisgoingintotheTOErandomizerseedingprocess.Thisdiscussionwillbepartofajustificationforwhytheentropysourcecanbereliedupontoproducebitswithentropy.
Theentropyjustificationshallnotincludeanydataaddedfromanythird-partyapplicationorfromanystatesavingbetweenrestarts.
D.3OperatingConditionsDocumentationwillalsoincludetherangeofoperatingconditionsunderwhichtheentropysourceisexpectedtogeneraterandomdata.Itwillclearlydescribethemeasuresthathavebeentakeninthesystemdesigntoensuretheentropysourcecontinuestooperateunderthoseconditions.Similarly,documentationshalldescribetheconditionsunderwhichtheentropysourceisknowntomalfunctionorbecomeinconsistent.Methodsusedtodetectfailureordegradationofthesourceshallbeincluded.
D.4HealthTestingMorespecifically,allentropysourcehealthtestsandtheirrationalewillbedocumented.Thiswillincludeadescriptionofthehealthtests,therateandconditionsunderwhicheachhealthtestisperformed(e.g.,atstartup,continuously,oron-demand),theexpectedresultsforeachhealthtest,andrationaleindicatingwhyeachtestisbelievedtobeappropriatefordetectingoneormorefailuresintheentropysource.
AppendixE-UseCaseTemplatesThefollowingusecasetemplateslistthoseselections,assignments,andobjectiverequirementsthatbestsupporttheusecasesidentifiedbythisProtectionProfile.NotethatthetemplatesassumethatallSFRslistedinSection5.1SecurityFunctionalRequirementsareincludedintheST,notjustthoselistedinthetemplates.ThesetemplatesanddeviationsfromthetemplateshouldbeidentifiedintheSecurityTargettoassistcustomerswithmakingrisk-basedpurchasingdecisions.ProductsthatdonotmeetthesetemplatesarenotprecludedfromuseinthescenariosidentifiedbythisProtectionProfile.
Severaloftheusecasestemplatesincludeobjectiverequirementsthatarestronglydesiredfortheindicatedusecases.Readerscanexpectthoserequirementstobemademandatoryinafuturerevisionofthisprotectionprofile,andindustryshouldaimtoincludethatsecurityfunctionalityinproductsinthenear-term.
Whereselectionsforaparticularrequirementarenotidentifiedinausecasetemplate,allavailableselectionsareequallyapplicabletotheusecase.
E.1[USECASE1]Enterprise-owneddeviceforgeneral-purposeenterpriseuseTable10:Enterprise-OwnedTemplate
Requirement Action
FCS_STG_EXT.1.4 Donotselect"theuser."
FMT_MOF_EXT.1.2Function21 IncludeintheST.
FMT_MOF_EXT.1.2Function25 IncludeinST.AssignpersonalHotspotconnections(iffeatureexists).
FMT_MOF_EXT.1.2Function36 IncludeinST.
FMT_MOF_EXT.1.2Function39 IncludeinST.Select"USBMassstoragemode."
FMT_MOF_EXT.1.2Function41 IncludeinST.Select"USBtethering."
FMT_SMF_EXT.1.1Function25 IncludeinST.AssignpersonalHotspotconnections(iffeatureexists).
FMT_SMF_EXT.1.1Function36 IncludeinST.
FMT_SMF_EXT.1.1Function39 IncludeinST.Select"USBMassstoragemode."
FMT_SMF_EXT.1.1Function41 IncludeinST.Selectbothoptions.
FPT_BBD_EXT.1.1 IncludeinST.
FPT_TST_EXT.2.1/POSTKERNEL IncludeinSTandSelect"allexecutablecodestoredinmutablemedia."
FPT_TUD_EXT.5.1 IncludeinST.
FTA_TAB.1.1 IncludeinST.
E.2[USECASE2]Enterprise-owneddeviceforspecialized,high-securityuseTable11:HighSecurityTemplate
Requirement Action
FCS_CKM.1.1 SelectRSAwithkeysizeof3072orselectECCschemes.
FCS_CKM.2.1/UNLOCKED SelectECCschemes,ifECCschemesareselectedinFCS_CKM.1.1.
FCS_CKM.2.1/LOCKED Select"RSAschemes"orselect"ECCschemesthatmeetNISTSP800-56ARevision3".
FCS_CKM_EXT.1.1 If"symmetric"isselectedthen"256bits"mustbeselected.If"asymmetric"isselectedandRSAschemeisselectedinFCS_CKM.1.1then"128bits"canbeselected.If"asymmetric"isselectedandECCschemeisselectedinFCS_CKM.1.1,then"192bits"canbeselected.
FCS_CKM_EXT.2.1 Select256bits.
FCS_CKM_EXT.3.1 IfasymmetricKEKsisselectedandRSAschemeisselectedinFCS_CKM.1.1thenassign128bitssecuritystrength.IfasymmetricKEKsisselectedandECCschemeisselectedinFCS_CKM.1.1thenassign192bitssecuritystrength.IfsymmetricKEKsisselected,select256bitsecuritystrength.
FCS_COP.1.1/ENCRYPT Select256bits.
FCS_COP.1.1/HASH SelectSHA-384.
FCS_COP.1.1/SIGN Assignakeysizeof3072forRSAorselectECDSAschemes.
FCS_COP.1.1/CONDITION Select256bits.
FCS_RBG_EXT.1.2 Select256bits.
FCS_TLSC_EXT.1.1(TLSPackage)
SelectTLS_RSA_WITH_AES_256_GCM_SHA384orTLS_ECDHE_ECDSA_WITHAES_256_GCM_SHA384.
FCS_TLSC_EXT.2.1(TLSPackage)
Selectsecp384r1,ifincludedinST(ifECCschemesareselectedinFCS_CKM.1.1).
FDP_DAR_EXT.1.2 Select256bits.
FIA_X509_EXT.2.2 Selecteither"allowtheadministratortochoose..."or"notacceptthecertificate".
FMT_MOF_EXT.1.2Function3
IncludeinST.
FMT_MOF_EXT.1.2Function4
AssignallradiosonTSF.
FMT_MOF_EXT.1.2Function5
AssignallaudioorvisualcollectiondevicesonTSF.
FMT_MOF_EXT.1.2Function19
IncludeinST.
FMT_MOF_EXT.1.2Function21
IncludeinST.
FMT_MOF_EXT.1.2Function44
IncludeinST.
FMT_MOF_EXT.1.2Function45
IncludeinST(ifIPsecisselectedinFTP_ITC_EXT.1).
FMT_SMF_EXT.1.1Function12
AssignallX.509v3certificatesintheTrustAnchorDatabase.
FMT_SMF_EXT.1.1Function18
Select"f.allnotifications".
FMT_SMF_EXT.1.1Function24
IncludeinST.AssignatleastUSB.
FMT_SMF_EXT.1.1Function25
IncludeinST.AssignallprotocolswheretheTSFactsasaserver.
FMT_SMF_EXT.1.1Function36
IncludeinST.
FMT_SMF_EXT.2.1 Select"wipeofprotecteddata"and"wipeofsensitivedata".
FAU_SAR.1.1 IncludeinST.
FAU_SAR.1.2 IncludeinST.
FAU_SEL.1.1 IncludeinST.Select"eventtype","successofauditablesecurityevents",and"failureofauditablesecurityevents".
FCS_SRV_EXT.2.1 IncludeinST.
FPT_AEX_EXT.5.1 IncludeinST.
FPT_AEX_EXT.5.2 IncludeinST.
FPT_BBD_EXT.1.1 IncludeinST.
FTA_TAB.1.1 IncludeinST.
E.3[USECASE3]Personally-owneddeviceforpersonalandenterpriseuseTable12:BYODTemplate
Requirement Action
FMT_SMF_EXT.1.1Function3 Select"b.onaper-appbasis","c.onaper-groupsofapplicationbasis"orboth
FMT_SMF_EXT.1.1Function5 Select"b.onaper-appbasis","c.onaper-groupsofapplicationbasis"orboth
FMT_SMF_EXT.1.1Function17
IncludeinST.
FMT_SMF_EXT.1.1Function28
IncludeinST.
FMT_SMF_EXT.1.1Function44
IncludeinST(M-M-)
FMT_SMF_EXT.2.1 Select"RemoveEnterpriseApplications"
FDP_ACF_EXT.1.2 Select"GroupsofApplications"
FDP_ACF_EXT.2.1 IncludeinST.
E.4[USECASE4]Personally-owneddeviceforpersonalandlimitedenterpriseuseAtthistimenorequirementsorselectionsarerecommendedforthisusecase.
AppendixF-InitializationVectorRequirementsforNIST-ApprovedCipherModesTable13:ReferencesandIVRequirementsforNIST-approvedCipherModes
CipherMode Reference IVRequirements
ElectronicCodebook(ECB) SP800-38A
NoIV
Counter(CTR) SP800-38A
"InitialCounter"shallbenon-repeating.Nocountervalueshallberepeatedacrossmultiplemessageswiththesamesecretkey.
CipherBlockChaining(CBC) SP800-38A
IVsshallbeunpredictable.RepeatingIVsleakinformationaboutwhetherthefirstoneormoreblocksaresharedbetweentwomessages,soIVsshouldbenon-repeatinginsuchsituations.
OutputFeedback(OFB) SP800-38A
IVsshallbenon-repeatingandshallnotbegeneratedbyinvokingthecipheronanotherIV.
CipherFeedback(CFB) SP800-38A
IVsshouldbenon-repeatingasrepeatingIVsleakinformationaboutthefirstplaintextblockandaboutcommonsharedprefixesinmessages.
XEX(XOREncryptXOR)TweakableBlockCipherwithCiphertextStealing(XTS)
SP800-38E
NoIV.Tweakvaluesshallbenon-negativeintegers,assignedconsecutively,andstartingatanarbitrarynon-negativeinteger.
Cipher-basedMessageAuthenticationCode(CMAC)
SP800-38B
NoIV
KeyWrapandKeyWrapwithPadding
SP800-38F
NoIV
CounterwithCBC-MessageAuthenticationCode(CCM)
SP800-38C
NoIV.Noncesshallbenon-repeating.
GaloisCounterMode(GCM) SP800-38D
IVshallbenon-repeating.ThenumberofinvocationsofGCMshallnotexceed foragivensecretkeyunlessanimplementationonlyuses96-bitIVs(defaultlength).
AppendixG-BiometricDerivationandExamplesG.1ExperimentalSetupsAndErrorBarsInTestingFARAndFRR
G.1.1IntroductionForthepurposesofthisPP,FIA_BMG_EXT.1requirestestingforFAR,FRRandSAFARifaBAFisincludedintheTOE.InthisversionofthePPitisexpectedthatthevendorwillprovideevidencetotheevaluatorofthetestingcompletedtosupporttheclaimedFARandFRR.ThisAppendixprovidesaguidetohowthistestingcouldbedoneandtowhaterrorbarsareexpectedwhentheRuleof3isapplied.ThisguideshouldbetreatedasareferenceandnotasaNIAPmandate,requirement,orsetofmandatesorrequirements.
G.1.2TestingenvironmentthatcouldmeetFIA_BMG_EXT.1.1InperformingtestsforFARandFRR,ISO/IEC19795-1recommendsthatvendorsortestinglabsusethelargesttestpopulationthatcanbereasonablymanaged.Generally,testingenvironmentsformobiledevicesarebaseduponindividualdeviceswiththeirownlocalauthenticationtemplates/profileswherethesubmittedbiometricsamplesaredestroyedaftersubmission.ItisinfeasibletomeetthegiventimeframeforCCevaluationsofmobiledevicesifofflinetestingisnotsupported.Eitheronlineorofflinetestingisacceptable.ThenumberoftestsubjectsneededtosupportaclaimedFARandFRR,willdependonifonlineorofflinetestingisusedduetohowthesubjectsarecompared.
Ifonlinetestingisutilized,itisexpectedthatthetestingisconducteddirectlyontheTOE.ThelegitimateuserwillenrollontheTOEandalltestsubjectswillbecomparedtoonlythelegitimateuser.ThusifthetargetFARis1:100,atleast300independentsamplesshallbeusedcorrespondingto300usersandatleast300independenttrialsarerequiredintestingthisFAR.ItisacceptablethatmultipleTOEs,eachwithadifferentlegitimateuser,couldbeusedtoreducethenumberoftestsubjectsneededforonlinetesting.Withtheassumptionthatthetestsubjectsarecomparedagainstalllegitimateusersandnolegitimateusersarecountedastestsubjects,ifNDdevicesareused,thenumberoftestsubjectsneededcanbedividedbyND.
Ifofflinetestingisused,itisexpectedthatthebiometricsystemusedfortestingwillnotbeintheevaluatedconfigurationoftheTOEtoallowforafullcross-comparison,inwhichthebiometricsamplefromthetestsubjectsiscomparedwitheverynon-selftemplate.Itisexpected,thatthebiometricsystemusedfortestingwillcollectsamplesandgeneratetemplatesexactlythesameasthebiometricsystemintheTOE.However,eventhoughthecomparisontodetermineifavalidsampleisprovided(i.e.matchingalgorithm)shouldremainthesame,itisacceptableifthebiometricsystemismodifiedtocompleteafullcross-comparison.PerISO/IEC19795,thesecomparisonswillnotbestatisticallyindependent,butthisapproachisstatisticallyunbiased.Additionally,offlinetestingwithafullcross-comparisongreatlyreducesthenumberoftestsubjectsneeded.IfthereareNUusers,thenumberofavailableindividualindependentcomparisonswillbeNU*(NU-1)/2.ThusifthetargetFARis1:10000,only246testsubjectsareneededifofflinetestingofafullcross-comparisonisused.
G.1.3DerivingFalseAcceptRateToexpediteapprovalwhilemaintainingastatisticallyvalidresult,itisrequiredforthevendororindependentlabtoperformtestingusingthreetimesthesamplesize,ataminimum,i.e.the"Ruleof3"forthenumberoftrials.
Threetimesthesamplesizecorrespondsto90%confidenceandc=0.95(rounded,worst-case),wherecisapercentage/fractionoftheintendedfalseerrorrate(eitherFARorFRR)forwhichtheerrorbariscalculated.
TheparametersassociatedwiththeRuleof3arederivedbytreatingabiometrictest,consistingofmanycomparisons,asaseriesofBernoullitrials.
Asshowninthetablesbelow,theerrorbarmaybelargeifahigherfalseerrorrateisdeclared.
Thetablebelowassumesonlinetestingusingasingledevice,thusasinglelegitimateuser.
Table14:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneededforonlinetesting,givenRuleof3
FalseErrorRate
Falseerrorrates,90%confidence,c=0.95
Numberoferrors(rounded)
Numberoftestsubjectsneeded
1%(1:100) 1%±0.95% 3 297
0.1%(1:1000) 0.1%±0.095% 3 2995
0.01%(1:10000)
0.01%±0.0095% 3 29977
0.001%(1:100000)
0.001%±0.00095% 3 299797
0.0001% 0.0001%±0.000095% 3 2997998
(1:1000000)
ThetablebelowassumesthatNDdevicesareusedforonlinetesting.
Table15:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneededforonlinetestingwithNDdevices,givenRuleof3
FalseErrorRate
Falseerrorrates,90%confidence,c=0.95
Numberoferrors(rounded)
Numberoftestsubjectsneeded
1%(1:100) 1%±0.95% 3 297/ND
0.1%(1:1000) 0.1%±0.095% 3 2995/ND
0.01%(1:10000)
0.01%±0.0095% 3 29977/ND
0.001%(1:100000)
0.001%±0.00095% 3 299797/ND
0.0001%(1:1000000)
0.0001%±0.000095% 3 2997998/ND
Thetablebelowassumesofflinetestingusingafullcross-comparison.
Table16:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneededforofflinetestingandfullcross-comparison,givenRuleof3
FalseErrorRate
Falseerrorrates,90%confidence,c=0.95
Numberoferrors(rounded)
Numberoftestsubjectsneeded
1%(1:100) 1%±0.95% 3 25
0.1%(1:1000) 0.1%±0.095% 3 78
0.01%(1:10000)
0.01%±0.0095% 3 246
0.001%(1:100000)
0.001%±0.00095% 3 776
0.0001%(1:1000000)
0.0001%±0.000095% 3 2450
G.1.4DerivingFalseRejectRateAswithFalseAcceptRate,itisrequiredforthevendororlabtoperformtestingusingthreetimesthesamplesize,ataminimum,i.e.the"Ruleof3".Threetimesthesamplesizecorrespondsto90%confidenceandc=0.95(rounded,worst-case),wherecisapercentage/fractionoftheintendedfalseerrorrate(eitherFARorFRR)forwhichtheerrorbariscalculated.
Asshowninthetablebelow,theerrorbarmaybelargeifahigherfalseerrorrateisdeclared:
Table17:Comparisonoffalseerrorrates,numberoferrors,andnumberoftestsubjectsneeded,givenRuleof3
FalseErrorRate
Falseerrorrates,90%confidence,c=0.95
Numberoferrors(rounded)
Numberoftestsubjectsneeded
10%(1:10) 10%±9.5% 3 27
5%(1:20) 5%±4.75% 3 57
2%(1:50) 2%±1.9% 3 147
1%(1:100) 1%±0.95% 3 297
G.2DerivationoftheRuleof3(andsimilarrules,forcompleteness)AbiometrictestcanbetreatedasaseriesofBernoullitrialsforwhichabinomialdistributionofthenumber
ofsuccessesandfailuresisassumed.Whencalculatinganerrorintervalforwhichabinomialdistributionisassumed,oneconfidenceinterval(denotedIconf)thatiswidelyusedisthestandardWaldinterval,expressedinEquation(1)as:
wherep=X/nisthesampleproportionofsuccesses(orerrorinthiscase),zα/2isthe100(1–α/2)thpercentileofthestandardnormaldistribution,andnisthenumberoftrials.
AlthoughintervalssuchastheWilson,Agresti-Coull,andJeffreysintervalsarerecommendedbyBrownetal.,biometricstestinginpracticerestsonthederivationoftheRuleof30basedontheWalddistribution[BROWN].However,becauseofthelargesamplesize,numberoftestsubjects,andnumberoftrialsrequiredfortheRuleof30,thisPPmandatestheRuleof3tomaketestingmorefeasible.
Insimplerform,thisreferstoaconfidenceintervalwitherrorEexpressedas:
Rearrangingtheequationtoexpressthenumberoftrials,n,intermsoferrorE,thisexpressionbecomes:
Inpractice,Eisexpressedasaproportionoftheerrorprobabilityas:
Thus,nfinallybecomes:
Fora90%confidenceinterval,zα/2=1.6449,whilefora95%confidenceinterval,zα/2=1.96.
Thusitiseasytoseethatfora90%confidenceintervalwithc=0.95:
whichconfirmstheruleof3andcompletesourderivation.
G.3SAFARCalculationEquationsAnumberofequationscanbeusedincalculatingSAFAR.Afully-workedexamplethatappliestheequationsbelowcanbefoundinSectionG.4SAFARCalculationExample.
TheSAFARforasingleauthenticationfactoriscalculatedas .
ThusletSAFARibetheSAFARfortheithauthenticationfactorwhereniisthenumberofauthenticationattemptsallowedforthegivenfactor,treatedindividuallyasaseparateauthenticationsystem,whichcanbeexpressedas
assumingeachattemptisindependent.
Ifmultipleauthenticationfactorsarerequired(withalltopass),i.e.passwordplusbiometricfactor,theSAFARforasingleattemptwillbetheproductofeachindividualfactor’sfalseacceptrate,assumingeachattemptisindependent.
Thus,forahybridcombinationofmPIN/passwordandbiometricfactors(denotedwithindexj)withniattemptsallowed,treatedcollectivelyasanindividualauthenticationfactorinaseparateauthenticationsystem,theSAFARcanbeexpressedas:
assumingeachattemptisindependent.BecausethisiscurrentlyassociatedwithaPIN/passwordandbiometrics,m=2inthiscase.
Whenordered,letSAFAR(k)betheSAFARfortheauthenticationfactorwiththelargestSAFAR,andSAFAR(1)betheSAFARfortheauthenticationfactorwiththesmallestSAFAR,i.e.SAFAR(1)≤SAFAR(s)≤…≤SAFAR(k-1)≤SAFAR(k).
Assuch,thefollowingequationsforSAFARutilizingmultiplefactorsfollow(usingtheworstSAFARs):
Iftheuserhasachoiceofmultipleauthenticationfactorswithachoiceofonlyoneauthenticationfactorinagivensession(i.e.allauthenticationfactorsareconsideredcriticalandausercannotswitchbetweenauthenticationfactors),theoverallSAFARwillbeequaltoSAFAR(k),assumingeachattemptisindependent.
Iftheuserhasachoiceofmultipleauthenticationfactorsandcanchoosetoattemptauthenticationusingmorethanonefactorwithsuccessrequiringanyfactortopassandniattemptsallowedperfactor)foragivensession,theSAFARforkavailableauthenticationfactorswillbe
assumingeachattemptisindependent.Iftherearecriticalfactors,thehighestSAFARcorrespondingtotheworst-casesetofchoicesshallbereported.
Iftheuserhasthechoiceofanumberofauthenticationfactorsfromwhichtheusermustchoosemfactors,allofwhichmustpasswithnattemptsperfactorallowed,theSAFARforasinglecombinationofmfactorswillbe
assumingeachattemptisindependent.Ifm<kavailablefactors,theworst-caseofall combinationsoffactorsbecomestheoverallSAFAR.
G.4SAFARCalculationExamplePasswordandfingerprintauthenticationexample:
Supposetheoverallauthenticationsystemconsistsoftwoauthenticationfactors:afourcharacterpasswordfactorallowingfortenattemptsandafingerprintbiometricfactorwithanFARof1:1000allowingforfiveattempts.
Passwordsutilizetheminimumcharactersetof63characters,plusoneadditionalacceptedcharacter,makingit64.Assumeeachattemptisindependent.
a. WhatistheSAFARofeachindividualauthenticationfactor,treatedseparately?b. Iftheusercanonlyauthenticateusingasingleauthenticationfactor,assumingallauthenticationfactors
availablearecriticalandthereisnopossibilityfortheusertoswitchbetweenauthenticationfactors,whatistheoverallSAFAR?
c. Iftheusercanauthenticateusinganyauthenticationfactorinanauthenticationsession,andnoneareconsideredcriticalfactors,whatistheoverallSAFAR?
d. Iftheconditionsarethesameasinc)butpasswordisnowacriticalauthenticationfactorthatwillcauseadevicewipe,whatistheoverallSAFAR?
e. Ifthepasswordfactorandfingerprintbiometricfactorarebothrequiredwiththenumberofattemptsforfingerprintincreasedtoten,whatistheoverallSAFAR?Whatistheriskifauthenticationfeedbackisprovidedforeachmodality(i.e.fingerprintfailedorpasswordfailed)?
f. f)Ifthepassword/PINfactorandfingerprintbiometricfactorarebothcombinedintoahybridfactor(bothmustbeusedandtheonlyauthenticationfeedbackallowedisvalidloginorinvalidlogin)forentrywithtenattemptsallowedforthehybridfactor,whatistheoverallSAFAR?Whyisthisscenariomoresecurethane)?
Solution:
a. TheSAFARforafour-characterpasswordallowingfortenattempts,utilizinga64characterset,is:
TheSAFARforafingerprintbiometricfactorwithanFARof1:1000,allowingforfiveattempts,is:
$$SAFAR_{\left(fingerprint|5attempts\right)}=1-\left(1-FAR\right)^{attempts}
SAFAR_{\left(fingerprint|5attempts\right)}=1-\left(1-10^{-3}\right)^{5}=4.990*10^{-3}\left(rounded\right)$$
b. Iftheuserisonlyallowedtopickonefactor,theoverallSAFARisthatoftheweakestone,whichis
c. Iftheusercanauthenticateusinganyauthenticationfactorinanauthenticationsession,theoverallSAFARis:
d. Iftheconditionsarethesameasinc)butwithpasswordasacriticalfactor,theworst-casescenarioisthesameasinc)inthatthepasswordfactorispickedlast,thus
e. Ifpasswordandfingerprintarenowrequiredfactors,theSAFARforfingerprinthastoberecalculatedfortenattempts:
SincetheSAFARforpasswordwithtenattemptsallowedisknown,itthenfollowsthat:
Theriskofprovidingauthenticationfeedbackisthatifeitherauthenticationfactoriscompromised,thesamesamplecanthenbeusedbytheadversaryforeveryauthenticationafter,thusreducingtheSAFARforthesystemtothatoftheotherauthenticationfactor.
f. Ifpassword/PINandfingerprintarenowcombinedintoasinglehybridfactor,theSAFARisasfollows:
Thisismoresecurethane)becausenotonlyaretherelessattemptsoverallbeforethemaximumcountisexceeded(10insteadof20),theadversarywouldnotknowifasamplesubmittedforeitherfactorresultsinauthenticationunlessthepresentationofbothfactorsresultsinsuccessfulauthentication.
AppendixH-AcknowledgementsThisprotectionprofilewasdevelopedbytheMobilityTechnicalCommunitywithrepresentativesfromindustry,U.S.Governmentagencies,CommonCriteriaTestLaboratories,andinternationalCommonCriteriaschemes.TheNationalInformationAssurancePartnershipwishestoacknowledgeandthankthemembersofthisgroupwhosededicatedeffortscontributedsignificantlytothepublication.Theseorganizationsinclude:
U.S.GovernmentDefenseInformationSystemsAgency(DISA)InformationAssuranceDirectorate(IAD)NationalInformationAssurancePartnership(NIAP)NationalInstituteofStandardsandTechnology(NIST)
InternationalCommonCriteriaSchemesAustralasianInformationSecurityEvaluationProgram(AISEP)CanadianCommonCriteriaEvaluationandCertificationScheme(CSEC)Information-technologyPromotionAgency,Japan(IPA)UKITSecurityEvaluationandCertificateScheme(NCSC)
IndustryApple,Inc.BlackBerryLGElectronics,Inc.MicrosoftCorporationMotorolaSolutionsSamsungElectronicsCo.,Ltd.OtherMembersoftheMobilityTechnicalCommunity
CommonCriteriaTestLaboratoriesEWA-Canada,Ltd.GossamerSecuritySolutions
AppendixI-Acronyms
Acronym Meaning
AEAD AuthenticatedEncryptionwithAssociatedData
AES AdvancedEncryptionStandard
ANSI AmericanNationalStandardsInstitute
AP ApplicationProcessor
API ApplicationProgrammingInterface
ASLR AddressSpaceLayoutRandomization
BAF BiometricAuthenticationFactor
BP BasebandProcessor
BR/EDR (Bluetooth)BasicRate/EnhancedDataRate
Base-PP BaseProtectionProfile
CA CertificateAuthority
CBC CipherBlockChaining
CC CommonCriteria
CCM CounterwithCBC-MessageAuthenticationCode
CCMP CCMProtocol
CEM CommonEvaluationMethodology
CMC CertificateManagementoverCryptographicMessageSyntax(CMS)
CPU CentralProcessingUnit
CRL CertificateRevocationList
CSP CriticalSecurityParameter
DAR DataAtRest
DEK DataEncryptionKey
DEP DataExecutionPrevention
DH Diffie-Hellman
DNS DomainNameSystem
DSA DigitalSignatureAlgorithm
DTLS DatagramTransportLayerSecurity
EAP ExtensibleAuthenticationProtocol
EAPOL EAPOverLAN
ECDH EllipticCurveDiffieHellman
ECDSA EllipticCurveDigitalSignatureAlgorithm
EEPROM ElectricallyErasableProgrammableRead-OnlyMemory
EST EnrollmentoverSecureTransport
FAR FalseAcceptRate
FEK FileEncryptionKey
FIPS FederalInformationProcessingStandards
FM FrequencyModulation
FQDN FullyQualifiedDomainName
FRR FalseRejectRate
GCM GaloisCounterMode
GPS GlobalPositioningSystem
GPU GraphicsProcessingUnit
HDMI HighDefinitionMultimediaInterface
HMAC Keyed-HashMessageAuthenticationCode
HTTPS HyperTextTransferProtocolSecure
IEEE InstituteofElectricalandElectronicsEngineers
IP InternetProtocol
IPC Inter-ProcessCommunication
IPsec InternetProtocolSecurity
KEK KeyEncryptionKey
LE (Bluetooth)LowEnergy
LTE LongTermEvolution
MD MobileDevice
MDM MobileDeviceManagement
MMI Man-MachineInterface
MMS MultimediaMessagingService
NFC NearFieldCommunication
NFIQ NISTFingerprintImageQuality
NIST NationalInstituteofStandardsandTechnology
NX NeverExecute
OCSP OnlineCertificateStatusProtocol
OE OperationalEnvironment
OID ObjectIdentifier
OS OperatingSystem
OTA OvertheAir
PAD PresentationAttackDetection
PAE PortAccessEntity
PBKDF Password-BasedKeyDerivationFunction
PD ProtectedData
PMK PairwiseMasterKey
PP ProtectionProfile
PP-Configuration ProtectionProfileConfiguration
PP-Module ProtectionProfileModule
PTK PairwiseTemporalKey
RA RegistrationAuthority
RBG RandomBitGenerator
REK RootEncryptionKey
ROM Read-onlymemory
RSA RivestShamirAdlemanAlgorithm
SAR SecurityAssuranceRequirement
SFR SecurityFunctionalRequirement
SHA SecureHashAlgorithm
SMS ShortMessagingService
SPI SecurityParameterIndex
SSH SecureShell
SSID ServiceSetIdentifier
ST SecurityTarget
TLS TransportLayerSecurity
TOE TargetofEvaluation
TSF TOESecurityFunctionality
TSFI TSFInterface
TSS TOESummarySpecification
URI UniformResourceIdentifier
USB UniversalSerialBus
USSD UnstructuredSupplementaryServiceData
VPN VirtualPrivateNetwork
XCCDF eXtensibleConfigurationChecklistDescriptionFormat
XTS XEX(XOREncryptXOR)TweakableBlockCipherwithCiphertextStealing
AppendixJ-Bibliography
Identifier Title
[ANSI409.1]
ANSI/CITS409.1-2005.BiometricsPerformanceTestingandReporting—Part1:PrinciplesandFindings."AnnexB.ANSI/CITS,2005.
[BROWN] IntervalEstimationforaBinomialProportion.Brown,Cai,andDasGupta.
[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1Revision5,April2017.
[CEM] CommonEvaluationMethodologyforInformationTechnologySecurity-EvaluationMethodology,CCMB-2012-09-004,Version3.1,Revision5,April2017.
[IBPC] Onsecurityevaluationoffingerprintrecognitionsystems--IBPCPresentation.,Henniger,Scheuermann,andKniess.InternationalBiometricPerformanceTestingConference(IBPC),2010.RetrievedJune12,2015.
[ISO19989]
ISO/IECNP19989:EvaluationofpresentationattackdetectionforbiometricsInternationalOrganizationforStandardization(ISO),2014.
[NFIQ1.0]
NISTFingerprintImageQualityandrelationtoPIV,Tabassi,Elham.NISTInformationTechnologyLaboratory,2005.RetrievedJune13,2015.
[NFIQ2.0]
BiometricQuality:Thepushtowardszeroerrorbiometrics.,Tabassi,Elhametal.InternationalBiometricsPerformanceConference(IBPC),2016.RetrievedMay30,2016.
[NIST] TheNISTspeakerrecognitionevaluation—Overview,methodology,systems,results,perspective,Doddington,Przybocki,Martin,andReynolds.SpeechCommunication31:Elsevier,2000,RetrievedJune10,2015.