Protection Profile for Virtualization
Version: 1.1
2021-06-14
National Information Assurance Partnership

Revision History
Version | Date | Comment
1.0 | 2016-11-17 | Initial Publication
1.1 | 2021-06-14 | Incorporate TDs, Reference TLS Package, Add Equivalency Guidelines, etc.
Contents

1 Introduction
1.1 Overview
1.2 Terms
1.2.1 Common Criteria Terms
1.2.2 Technical Terms
1.3 Compliant Targets of Evaluation
1.3.1 TOE Boundary
1.3.2 Requirements Met by the Platform
1.3.3 Scope of Certification
1.3.4 Product and Platform Equivalence
1.4 Use Cases
2 Conformance Claims
3 Security Problem Description
3.1 Threats
3.2 Assumptions
3.3 Organizational Security Policies
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
4.3 Security Objectives Rationale
5 Security Requirements
5.1 Security Functional Requirements
5.1.1 Auditable Events for Mandatory SFRs
5.1.2 Security Audit (FAU)
5.1.3 Cryptographic Support (FCS)
5.1.4 User Data Protection (FDP)
5.1.5 Identification and Authentication (FIA)
5.1.6 Security Management (FMT)
5.1.7 Protection of the TSF (FPT)
5.1.8 TOE Access Banner (FTA)
5.1.9 Trusted Path/Channel (FTP)
5.1.10 TOE Security Functional Requirements Rationale
5.2 Security Assurance Requirements
5.2.1 Class ASE: Security Target Evaluation
5.2.2 Class ADV: Development
5.2.3 Class AGD: Guidance Documents
5.2.4 Class ALC: Life-Cycle Support
5.2.5 Class ATE: Tests
5.2.6 Class AVA: Vulnerability Assessment
Appendix A - Optional Requirements
A.1 Strictly Optional Requirements
A.1.1 Auditable Events for Strictly Optional Requirements
A.1.2 Security Audit (FAU)
A.1.3 Protection of the TSF (FPT)
A.2 Objective Requirements
A.2.1 Auditable Events for Objective Requirements
A.2.2 Protection of the TSF (FPT)
A.3 Implementation-Based Requirements
Appendix B - Selection-Based Requirements
B.1 Auditable Events for Selection-Based Requirements
B.2 Cryptographic Support (FCS)
B.3 Identification and Authentication (FIA)
B.4 Protection of the TSF (FPT)
B.5 Trusted Path/Channel (FTP)
Appendix C - Extended Component Definitions
C.1 Extended Components Table
C.2 Extended Component Definitions
C.2.1 FAU_STG_EXT Off-Loading of Audit Data
C.2.2 FCS_CKM_EXT Cryptographic Key Management
C.2.3 FCS_ENT_EXT Entropy for Virtual Machines
C.2.4 FCS_HTTPS_EXT HTTPS Protocol
C.2.5 FCS_IPSEC_EXT IPsec Protocol
C.2.6 FCS_RBG_EXT Cryptographic Operation (Random Bit Generation)
C.2.7 FDP_HBI_EXT Hardware-Based Isolation Mechanisms
C.2.8 FDP_PPR_EXT Physical Platform Resource Controls
C.2.9 FDP_RIP_EXT Residual Information in Memory
C.2.10 FDP_VMS_EXT VM Separation
C.2.11 FDP_VNC_EXT Virtual Networking Components
C.2.12 FIA_AFL_EXT Authentication Failure Handling
C.2.13 FIA_PMG_EXT Password Management
C.2.14 FIA_UIA_EXT Administrator Identification and Authentication
C.2.15 FIA_X509_EXT X.509 Certificate
C.2.16 FMT_SMO_EXT Separation of Management and Operational Networks
C.2.17 FPT_DDI_EXT Device Driver Isolation
C.2.18 FPT_DVD_EXT Non-Existence of Disconnected Virtual Devices
C.2.19 FPT_EEM_EXT Execution Environment Mitigations
C.2.20 FPT_GVI_EXT Guest VM Integrity
C.2.21 FPT_HAS_EXT Hardware Assists
C.2.22 FPT_HCL_EXT Hypercall Controls
C.2.23 FPT_IDV_EXT Software Identification and Versions
C.2.24 FPT_INT_EXT Support for Introspection
C.2.25 FPT_ML_EXT Measured Launch of Platform and VMM
C.2.26 FPT_RDM_EXT Removable Devices and Media
C.2.27 FPT_TUD_EXT Trusted Updates
C.2.28 FPT_VDP_EXT Virtual Device Parameters
C.2.29 FPT_VIV_EXT VMM Isolation from VMs
C.2.30 FTP_ITC_EXT Trusted Channel Communications
C.2.31 FTP_UIF_EXT User Interface
Appendix D - Implicitly Satisfied Requirements
Appendix E - Entropy Documentation and Assessment
E.1 Design Description
E.2 Entropy Justification
E.3 Operating Conditions
E.4 Health Testing
Appendix F - Equivalency Guidelines
F.1 Introduction
F.2 Approach to Equivalency Analysis
F.3 Specific Guidance for Determining Product Model Equivalence
F.4 Specific Guidance for Determining Product Version Equivalence
F.5 Specific Guidance for Determining Platform Equivalence
F.5.1 Hardware Platform Equivalence
F.5.2 Software Platform Equivalence
F.6 Level of Specificity for Tested and Claimed Equivalent Configurations
Appendix G - Validation Guidelines
Appendix H - Acronyms
Appendix I - Bibliography
1 Introduction

1.1 Overview
The scope of this Protection Profile (PP) is to describe the security functionality of virtualization technologies in terms of [CC] and to define security functional and assurance requirements for such products. This PP is not complete in itself, but rather provides a set of requirements that are common to the PP-Modules for Server Virtualization and for Client Virtualization. These capabilities have been broken out into this generic 'base' PP due to the high degree of similarity between the two product types. Due to the increasing prevalence of virtualization technology in enterprise computing environments and the shift to cloud computing, it is essential to ensure that this technology is implemented securely in order to mitigate the risk introduced by sharing multiple computers and their resident data across a single physical system.

1.2 Terms
The following sections list Common Criteria and technology terms used in this document.

1.2.1 Common Criteria Terms
Assurance
Grounds for confidence that a TOE meets the SFRs [CC].

Base Protection Profile (Base-PP)
Protection Profile used as a basis to build a PP-Configuration.

Common Criteria (CC)
Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).

Common Criteria Testing Laboratory
Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.

Common Evaluation Methodology (CEM)
Common Evaluation Methodology for Information Technology Security Evaluation.

Operational Environment (OE)
Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.

Protection Profile (PP)
An implementation-independent set of security requirements for a category of products.

Protection Profile Configuration (PP-Configuration)
A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.

Protection Profile Module (PP-Module)
An implementation-independent statement of security needs for a TOE type complementary to one or more Base Protection Profiles.

Security Assurance Requirement (SAR)
A requirement to assure the security of the TOE.

Security Functional Requirement (SFR)
A requirement for security enforcement by the TOE.

Security Target (ST)
A set of implementation-dependent security requirements for a specific product.

TOE Security Functionality (TSF)
The security functionality of the product under evaluation.

TOE Summary Specification (TSS)
A description of how a TOE satisfies the SFRs in an ST.

Target of Evaluation (TOE)
The product under evaluation.
1.2.2 Technical Terms

Administrator
Administrators perform management activities on the VS. These management functions do not include administration of software running within Guest VMs, such as the Guest OS. Administrators need not be human as in the case of embedded or headless VMs. Administrators are often nothing more than software entities that operate within the VM.

Auditor
Auditors are responsible for managing the audit capabilities of the TOE. An Auditor may also be an Administrator. It is not a requirement that the TOE be capable of supporting an Auditor role that is separate from that of an Administrator.

Domain
A Domain or Information Domain is a policy construct that groups together execution environments and networks by sensitivity of information and access control policy. For example, classification levels represent information domains. Within classification levels, there might be other domains representing communities of interest or coalitions. In the context of a VS, information domains are generally implemented as collections of VMs connected by virtual networks. The VS itself can be considered an Information Domain, as can its Management Subsystem.

Guest Network
See Operational Network.

Guest Operating System (OS)
An operating system that runs within a Guest VM.

Guest VM
A Guest VM is a VM that contains a virtual environment for the execution of an independent computing system. Virtual environments execute mission workloads and implement customer-specific client or server functionality in Guest VMs, such as a web server or desktop productivity applications.

Helper VM
A Helper VM is a VM that performs services on behalf of one or more Guest VMs, but does not qualify as a Service VM—and therefore is not part of the VMM. Helper VMs implement functions or services that are particular to the workloads of Guest VMs. For example, a VM that provides a virus scanning service for a Guest VM would be considered a Helper VM. For the purposes of this document, Helper VMs are considered a type of Guest VM, and are therefore subject to all the same requirements, unless specifically stated otherwise.

Host Operating System (OS)
An operating system onto which a VS is installed. Relative to the VS, the Host OS is part of the Platform. There need not be a Host OS, but often VSes employ a Host OS or Control Domain to support guest access to host resources. Sometimes these domains are themselves encapsulated within VMs.

Hypercall
An API function that allows VM-aware software running within a VM to invoke VMM functionality.

Hypervisor
The Hypervisor is part of the VMM. It is the software executive of the physical platform of a VS. A Hypervisor's primary function is to mediate access to all CPU and memory resources, but it is also responsible for either the direct management or the delegation of the management of all other hardware devices on the hardware platform.

Information Domain
See Domain.

Introspection
A capability that allows a specially designated and privileged domain to have visibility into another domain for purposes of anomaly detection or monitoring.

Management Network
A network, which may have both physical and virtualized components, used to manage and administer a VS. Management networks include networks used by VS Administrators to communicate with management components of the VS, and networks used by the VS for communications between VS components. For purposes of this document, networks that connect physical hosts and backend storage networks for purposes of VM transfer or backup are considered management networks.

Management Subsystem
Components of the VS that allow VS Administrators to configure and manage the VMM, as well as configure Guest VMs. VMM management functions include VM configuration, virtualized network configuration, and allocation of physical resources.

Operational Network
An Operational Network is a network, which may have both physical and virtualized components, used to connect Guest VMs to each other and potentially to other entities outside of the VS. Operational Networks support mission workloads and customer-specific client or server functionality. Also called a "Guest Network."

Physical Platform
The hardware environment on which a VS executes. Physical platform resources include processors, memory, devices, and associated firmware.

Platform
The hardware, firmware, and software environment into which a VS is installed and executes.

Service VM
A Service VM is a VM whose purpose is to support the Hypervisor in providing the resources or services necessary to support Guest VMs. Service VMs may implement some portion of Hypervisor functionality, but also may contain important system functionality that is not necessary for Hypervisor operation. As with any VM, Service VMs necessarily execute without full Hypervisor privileges—only the privileges required to perform its designed functionality. Examples of Service VMs include device driver VMs that manage access to physical devices, VMs that provide life-cycle management and provisioning of Hypervisor and Guest VMs, and name-service VMs that help establish communication paths between VMs.

System Security Policy (SSP)
The overall policy enforced by the VS defining constraints on the behavior of VMs and users.
User
Users operate Guest VMs and are subject to configuration policies applied to the VS by Administrators. Users need not be human as in the case of embedded or headless VMs; users are often nothing more than software entities that operate within the VM.
Virtual Machine (VM)
A Virtual Machine is a virtualized hardware environment in which an operating system may execute.

Virtual Machine Manager (VMM)
A VMM is a collection of software components responsible for enabling VMs to function as expected by the software executing within them. Generally, the VMM consists of a Hypervisor, Service VMs, and other components of the VS, such as virtual devices, binary translation systems, and physical device drivers. It manages concurrent execution of all VMs and virtualizes platform resources as needed.

Virtualization System (VS)
A software product that enables multiple independent computing systems to execute on the same physical hardware platform without interference from one another. For the purposes of this document, the VS consists of a Virtual Machine Manager (VMM), Virtual Machine abstractions, a management subsystem, and other components.
1.3 Compliant Targets of Evaluation
A Virtualization System (VS) is a software product that enables multiple independent computing systems to execute on the same physical hardware platform without interference from one another. A VS creates a virtualized hardware environment (virtual machines or VMs) for each instance of an operating system permitting these environments to execute concurrently while maintaining isolation and the appearance of exclusive control over assigned computing resources. For the purposes of this document, the VS consists of a Virtual Machine Manager (VMM), Virtual Machine (VM) abstractions, a management subsystem, and other components. A VMM is a collection of software components responsible for enabling VMs to function as expected by the software executing within them. Generally, the VMM consists of a Hypervisor, Service VMs, and other components of the VS, such as virtual devices, binary translation systems, and physical device drivers. It manages concurrent execution of all VMs and virtualizes platform resources as needed. The Hypervisor is the software executive of the physical platform of a VS. A hypervisor operates at the highest CPU privilege level and manages access to all of the physical resources of the hardware platform. It exports a well-defined, protected interface for access to the resources it manages. A Hypervisor's primary function is to mediate access to all CPU and memory resources, but it is also responsible for either the direct management or the delegation of the management of all other hardware devices on the hardware platform. This document does not specify any Hypervisor-specific requirements, though many VMM requirements would naturally apply to a Hypervisor. A Service VM is a VM whose purpose is to support the Hypervisor in providing the resources or services necessary to support Guest VMs. Service VMs may implement some portion of Hypervisor functionality, but also may contain important system functionality that is not necessary for Hypervisor operation. As with any VM, Service VMs necessarily execute without full Hypervisor privileges—only the privileges required to perform its designed functionality. Examples of Service VMs include device driver VMs that manage access to physical devices, VMs that provide life-cycle management and provisioning of Hypervisor and Guest VMs, and name-service VMs that help establish communication paths between VMs.

A Guest VM is a VM that contains a virtual environment for the execution of an independent computing system. Virtual environments execute mission workloads and implement customer-specific client or server functionality in Guest VMs, such as a web server or desktop productivity applications. A Helper VM is a VM that performs services on behalf of one or more Guest VMs, but does not qualify as a Service VM—and therefore is not part of the VMM. Helper VMs implement functions or services that are particular to the workloads of Guest VMs. For example, a VM that provides a virus scanning service for a Guest VM would be considered a Helper VM. The line between Helper and Service VMs can easily be blurred. For instance, a VM that implements a cryptographic function—such as an in-line encryption VM—could be identified as either a Service or Helper VM depending on the particular virtualization solution. If the cryptographic functions are necessary only for the privacy of Guest VM data in support of the Guest's mission applications, it would be proper to classify the encryption VM as a Helper. But if the encryption VM is necessary for the VMM to isolate Guest VMs, it would be proper to classify the encryption VM as a Service VM. For the purposes of this document, Helper VMs are subject to all requirements that apply to Guest VMs, unless specifically stated otherwise.
1.3.1 TOE Boundary
Figure 1 shows a greatly simplified view of a generic Virtualization System and Platform. TOE components are displayed in Red. Non-TOE components are in Blue. The Platform is the hardware, firmware, and software onto which the VS is installed. The VMM includes the Hypervisor, Service VMs, and VM containers, but not the software that runs inside Guest VMs or Helper VMs. The Management Subsystem is part of the TOE, but may or may not be part of the VMM.

Figure 1: Virtualization System and Platform

For purposes of this Protection Profile, the Virtualization System is the TOE, subject to some caveats. The Platform onto which the VS is installed (which includes hardware, platform firmware, and Host Operating System) is not part of the TOE. Software installed with the VS on the Host OS specifically to support the VS or implement VS functionality is part of the TOE. General purpose software—such as device drivers for physical devices and the Host OS itself—is not part of the TOE, regardless of whether it supports VS functionality or runs inside a Service VM or control domain. Software that runs within Guest and Helper VMs is not part of the TOE. In general, for virtualization products that are installed onto "bare metal," the entire set of installed components constitute the TOE, and the hardware constitutes the Platform. Also in general, for products that are hosted by or integrated into a commodity operating system, the components installed expressly for implementing and supporting virtualization are in the TOE, and the Platform comprises the hardware and Host OS.
1.3.2 Requirements Met by the Platform
Depending on the way the VS is installed, functions tested under this PP may be implemented by the TOE or by the Platform. There is no difference in the testing required whether the function is implemented by the TOE or by the Platform. In either case, the tests determine whether the function being tested provides a level of confidence acceptable to meet the goals of this Profile with respect to a particular product and platform. The equivalency guidelines are intended in part to address this TOE vs. Platform distinction, and to ensure that confidence in the evaluation results does not erode between instances of equivalent products on equivalent platforms—and also, of course, to ensure that the appropriate testing is done when the distinction is significant.
1.3.3 Scope of Certification
Successful evaluation of a Virtualization System against this profile does not constitute or imply successful evaluation of any Host Operating System or Platform—no matter how tightly integrated with the VS. The Platform, including any Host OS, supports the VS through provision of services and resources. Specialized VS components installed on or in a Host OS to support the VS may be considered part of the TOE. But general-purpose OS components and functions—whether or not they support the VS—are not part of the TOE, and thus are not evaluated under this PP.

1.3.4 Product and Platform Equivalence
The tests in this Protection Profile must be run on all product versions and Platforms with which the Vendor would like to claim compliance—subject to this Profile's equivalency guidelines (see Appendix F - Equivalency Guidelines).

1.4 Use Cases
This Base-PP does not define any use cases for virtualization technology. Client Virtualization and Server Virtualization products have different use cases and so these are defined in their respective PP-Modules.
2 Conformance Claims

Conformance Statement
A Security Target must claim exact conformance to this Protection Profile, as defined in the CC and CEM addenda for Exact Conformance, Selection-Based SFRs, and Optional SFRs (dated May 2017). The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP.

PP-Module for Client Virtualization Systems, Version 1.1
PP-Module for Server Virtualization Systems, Version 1.1
CC Conformance Claims
This PP is conformant to Parts 2 (extended) and 3 (extended) of Common Criteria Version 3.1, Release 5 [CC].

PP Claims
This PP does not claim conformance to any other PP.

Package Claims
This PP is Functional Package for TLS-conformant. This PP is Functional Package for Secure Shell-conformant.
3 Security Problem Description

3.1 Threats

T.DATA_LEAKAGE
It is a fundamental property of VMs that the domains encapsulated by different VMs remain separate unless data sharing is permitted by policy. For this reason, all Virtualization Systems shall support a policy that prohibits information transfer between VMs. It shall be possible to configure VMs such that data cannot be moved between domains from VM to VM, or through virtual or physical network components under the control of the VS. When VMs are configured as such, it shall not be possible for data to leak between domains, neither by the express efforts of software or users of a VM, nor because of vulnerabilities or errors in the implementation of the VMM or other VS components. If it is possible for data to leak between domains when prohibited by policy, then an adversary on one domain or network can obtain data from another domain. Such cross-domain data leakage can, for example, cause classified information, corporate proprietary information, or personally identifiable information to be made accessible to unauthorized entities.

T.UNAUTHORIZED_UPDATE
It is common for attackers to target outdated versions of software containing known flaws. This means it is extremely important to update VS software as soon as possible when updates are available. But the source of the updates and the updates themselves must be trusted. If an attacker can write their own update containing malicious code they can take control of the VS.

T.UNAUTHORIZED_MODIFICATION
System integrity is a core security objective for Virtualization Systems. To achieve system integrity, the integrity of each VMM component must be established and maintained. Malware running on the platform must not be able to undetectably modify VS components while the system is running or at rest. Likewise, malicious code running within a virtual machine must not be able to modify Virtualization System components.

T.USER_ERROR
If a Virtualization System is capable of simultaneously displaying VMs of different domains to the same user at the same time, there is always the chance that the user will become confused and unintentionally leak information between domains. This is especially likely if VMs belonging to different domains are indistinguishable. Malicious code may also attempt to interfere with the user's ability to distinguish between domains. The VS must take measures to minimize the likelihood of such confusion.

T.3P_SOFTWARE
In some VS implementations, functions critical to the security of the TOE are by necessity performed by software not produced by the virtualization vendor. Such software may include physical device drivers, and even non-TOE entities such as Host Operating Systems. Since this software has the same or similar privilege level as the VS, vulnerabilities can be exploited by an adversary to compromise the VS and VMs. Where possible, the VS should mitigate the results of potential vulnerabilities or malicious content in third-party code on which it relies. For example, physical device drivers (potentially the Host OS) could be encapsulated within VMs in order to limit the effects of compromise.

T.VMM_COMPROMISE
The VS is designed to provide the appearance of exclusivity to the VMs and is designed to separate or isolate their functions except where specifically shared. Failure of security mechanisms could lead to unauthorized intrusion into or modification of the VMM, or bypass of the VMM altogether, by non-TOE software, such as that running in Guest or Helper VMs or on the host platform. This must be prevented to avoid compromising the VS.

T.PLATFORM_COMPROMISE
The VS must be capable of protecting the platform from threats that originate within VMs and operational networks connected to the VS. The hosting of untrusted—even malicious—domains by the VS cannot be permitted to compromise the security and integrity of the platform on which the VS executes. If an attacker can access the underlying platform in a manner not controlled by the VMM, the attacker might be able to modify system firmware or software—compromising both the VS and the underlying platform.
T.UNAUTHORIZED_ACCESS
Functions performed by the management layer include VM configuration, virtualized network configuration, allocation of physical resources, and reporting. Only certain authorized system users (administrators) are allowed to exercise management functions or obtain sensitive information from the TOE. Virtualization Systems are often managed remotely over communication networks. Members of these networks can be both geographically and logically separated from each other, and pass through a variety of other systems which may be under the control of an adversary, and offer the opportunity for communications to be compromised. An adversary with access to an open management network could inject commands into the management infrastructure or extract sensitive information. This would provide an adversary with administrator privilege on the platform, and administrative control over the VMs and virtual network connections. The adversary could also gain access to the management network by hijacking the management network channel.
T.WEAK_CRYPTO
To the extent that VMs appear isolated within the VS, a threat of weak cryptography may arise if the VMM does not provide good entropy to support security-related features that depend on entropy to implement cryptographic algorithms. For example, a random number generator keeps an estimate of the number of bits of noise in the entropy pool. From this entropy pool random numbers are created. Good random numbers are essential to implementing strong cryptography. Cryptography implemented using poor random numbers can be defeated by a sophisticated adversary. Such defeat can result in the compromise of Guest VM data and credentials, and of VS data and credentials, and can enable unauthorized access to the VS or VMs.

T.UNPATCHED_SOFTWARE
Vulnerabilities in outdated or unpatched software can be exploited by adversaries to compromise the VS or platform.

T.MISCONFIGURATION
The VS may be misconfigured, which could impact its functioning and security. This misconfiguration could be due to an administrative error or the use of faulty configuration data.

T.DENIAL_OF_SERVICE
A VM may block others from system resources (e.g., system memory, persistent storage, and processing time) via a resource exhaustion attack.
3.2 Assumptions

A.PLATFORM_INTEGRITY
The platform has not been compromised prior to installation of the VS.

A.PHYSICAL
Physical security commensurate with the value of the TOE and the data it contains is assumed to be provided by the environment.

A.TRUSTED_ADMIN
TOE Administrators are trusted to follow and apply all administrator guidance.

A.NON_MALICIOUS_USER
The user of the VS is not willfully negligent or hostile, and uses the VS in compliance with the applied enterprise security policy and guidance. At the same time, malicious applications could act as the user, so requirements which confine malicious applications are still in scope.

3.3 Organizational Security Policies
This document does not define any additional OSPs.
4 Security Objectives

4.1 Security Objectives for the TOE

O.VM_ISOLATION
VMs are the fundamental subject of the system. The VMM is responsible for applying the system security policy (SSP) to the VM and all resources. As basic functionality, the VMM must support a security policy that mandates no information transfer between VMs. The VMM must support the necessary mechanisms to isolate the resources of all VMs. The VMM partitions a platform's physical resources for use by the supported virtual environments. Depending on customer requirements, a VM may need a completely isolated environment with exclusive access to system resources or share some of its resources with other VMs. It must be possible to enforce a security policy that prohibits the transfer of data between VMs through shared devices. When the platform security policy allows the sharing of resources across VM boundaries, the VMM must ensure that all access to those resources is consistent with the policy. The VMM may delegate the responsibility for the mediation of resource sharing to select Service VMs; however in doing so, it remains responsible for mediating access to the Service VMs, and each Service VM must mediate all access to any shared resource that has been delegated to it in accordance with the SSP. Both virtual and physical devices are resources requiring access control. The VMM must enforce access control in accordance with system security policy. Physical devices are platform devices with access mediated via the VMM per the O.VMM_Integrity objective. Virtual devices may include virtual storage devices and virtual network devices. Some of the access control restrictions must be enforced internal to Service VMs, as may be the case for isolating virtual networks. VMMs may also expose purely virtual interfaces. These are VMM specific, and while they are not analogous to a physical device, they are also subject to access control.

The VMM must support the mechanisms to isolate all resources associated with virtual networks and to limit a VM's access to only those virtual networks for which it has been configured. The VMM must also support the mechanisms to control the configurations of virtual networks according to the SSP.
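The following is an added example, not part of the Protection Profile and not any vendor's implementation. It models the SSP decisions that O.VM_ISOLATION and T.DATA_LEAKAGE describe: each VM belongs to an Information Domain and to the virtual networks it was configured for; the VMM, acting as the reference monitor, refuses VM-to-VM transfers by default and permits them only within a domain or along a flow the SSP explicitly lists; a VM may attach only to a configured network carrying its own domain; and an `isolate_all` setting implements the "no information transfer between VMs" policy the PP requires the VMM to support. The domain names, network names and the `isolate_all` flag are constructed for the illustration.

```python
"""Constructed model of SSP-mediated VM isolation (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    domain: str                        # Information Domain the VM belongs to
    networks: frozenset = frozenset()  # virtual networks configured for this VM


@dataclass
class SystemSecurityPolicy:
    # Cross-domain flows the policy explicitly permits, as (src, dst) pairs.
    # Anything not listed is denied.
    allowed_flows: set = field(default_factory=set)
    # Domain each virtual network carries (assumption: one domain per network).
    network_domain: dict = field(default_factory=dict)
    # The "no information transfer between VMs" policy: when True, even
    # same-domain transfers are refused.
    isolate_all: bool = False


class VMM:
    """Reference monitor for VM-to-VM transfers and virtual network access.
    Every decision is default-deny and recorded so it can be audited."""

    def __init__(self, policy: SystemSecurityPolicy):
        self.policy = policy
        self.vms = {}
        self.decisions = []  # (subject, action, object, allowed)

    def register(self, vm: VM):
        self.vms[vm.name] = vm

    def _decide(self, subject, action, obj, allowed):
        self.decisions.append((subject, action, obj, allowed))
        return allowed

    def can_transfer(self, src: str, dst: str) -> bool:
        """Data movement between two VMs over a VS-mediated channel
        (shared device, virtual network, clipboard)."""
        s, d = self.vms[src], self.vms[dst]
        if self.policy.isolate_all:
            return self._decide(src, "transfer", dst, False)
        same_domain = s.domain == d.domain
        permitted = (s.domain, d.domain) in self.policy.allowed_flows
        return self._decide(src, "transfer", dst, same_domain or permitted)

    def can_attach(self, vm_name: str, network: str) -> bool:
        """A VM reaches only networks it was configured for, and only if
        that network carries the VM's own domain."""
        vm = self.vms[vm_name]
        ok = (network in vm.networks
              and self.policy.network_domain.get(network) == vm.domain)
        return self._decide(vm_name, "attach", network, ok)


def build_demo(isolate_all: bool = False) -> VMM:
    """Constructed scenario: domains SECRET and UNCLASS; the SSP permits a
    one-way flow from UNCLASS into SECRET and nothing the other way."""
    ssp = SystemSecurityPolicy(
        allowed_flows={("UNCLASS", "SECRET")},
        network_domain={"vnet-secret": "SECRET", "vnet-unclass": "UNCLASS"},
        isolate_all=isolate_all,
    )
    vmm = VMM(ssp)
    vmm.register(VM("vm-s1", "SECRET", frozenset({"vnet-secret"})))
    vmm.register(VM("vm-s2", "SECRET", frozenset({"vnet-secret"})))
    vmm.register(VM("vm-u1", "UNCLASS", frozenset({"vnet-unclass"})))
    return vmm


if __name__ == "__main__":
    vmm = build_demo()
    for src, dst in [("vm-s1", "vm-s2"), ("vm-u1", "vm-s1"), ("vm-s1", "vm-u1")]:
        verdict = "allow" if vmm.can_transfer(src, dst) else "deny"
        print(f"{src} -> {dst}: {verdict}")
    print("vm-u1 on vnet-secret:", vmm.can_attach("vm-u1", "vnet-secret"))
```

The point of the `decisions` list is that every mediation, allowed or denied, leaves a record; that is what lets the O.AUDIT objective later be met for these accesses without a second code path.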
O.VMM_INTEGRITY
Integrity is a core security objective for Virtualization Systems. To achieve system integrity, the integrity of each VMM component must be established and maintained. This objective concerns only the integrity of the VS—not the integrity of software running inside of Guest VMs or of the physical platform. The overall objective is to ensure the integrity of critical components of a VS. Initial integrity of a VS can be established through mechanisms such as a digitally signed installation or update package, or through integrity measurements made at launch. Integrity is maintained in a running system by careful protection of the VMM from untrusted users and software. For example, it must not be possible for software running within a Guest VM to exploit a vulnerability in a device or hypercall interface and gain control of the VMM. The vendor must release patches for vulnerabilities as soon as practicable after discovery.
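As an added example (not part of the Protection Profile or any vendor's product), the block below models the two mechanisms O.VMM_INTEGRITY names for establishing initial integrity, an authenticated update package and integrity measurement of installed components, and so also illustrates the trusted-source requirement of T.UNAUTHORIZED_UPDATE. An update consists of component bytes plus a manifest (version and SHA-256 per component) carrying an authentication tag. A real product would use a public-key digital signature for that tag; HMAC is substituted here only so the example runs with the standard library, and the refusal of version rollback is an assumption of this example, not a requirement the PP states. All keys, file names and contents are constructed.

```python
"""Constructed model of authenticated updates and launch measurement."""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(version: int, components: dict, key: bytes) -> dict:
    """Vendor side: list each component's digest and authenticate the manifest.
    (HMAC stands in for the digital signature a real package would carry.)"""
    body = {"version": version,
            "files": {name: sha256(data) for name, data in components.items()}}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, encoded, "sha256").hexdigest()}


def verify_update(manifest: dict, components: dict, key: bytes,
                  installed_version: int):
    """TOE side: return (ok, reason). Nothing is installed unless ok is True.
    Checks run in order: authenticity, rollback, component set, digests."""
    encoded = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, encoded, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest authentication failed"
    body = manifest["body"]
    if body["version"] <= installed_version:          # assumption: no rollback
        return False, "version rollback refused"
    if set(body["files"]) != set(components):
        return False, "component set differs from manifest"
    for name, data in components.items():
        if sha256(data) != body["files"][name]:
            return False, f"digest mismatch: {name}"
    return True, "ok"


def measure(installed: dict, reference: dict) -> list:
    """Launch-time integrity measurement: names whose digest no longer
    matches the reference recorded at install time."""
    return sorted(name for name, data in installed.items()
                  if sha256(data) != reference[name])


def demo():
    key = b"constructed-vendor-key"          # constructed, not a real key
    comps = {"hypervisor.bin": b"\x7fELF-hv-v2", "svc-net.img": b"net-svc-v2"}
    good = make_manifest(2, comps, key)

    r_good = verify_update(good, comps, key, installed_version=1)
    r_rollback = verify_update(good, comps, key, installed_version=2)
    tampered = dict(comps, **{"hypervisor.bin": b"\x7fELF-hv-evil"})
    r_tamper = verify_update(good, tampered, key, installed_version=1)
    forged = {"body": dict(good["body"], version=3), "tag": good["tag"]}
    r_forged = verify_update(forged, comps, key, installed_version=1)
    changed = measure(tampered, good["body"]["files"])
    return r_good[0], r_rollback[1], r_tamper[1], r_forged[1], changed


if __name__ == "__main__":
    print(demo())
```

Authenticity is checked before anything else so that an unauthenticated manifest never influences the version or digest comparisons, and `hmac.compare_digest` keeps the tag comparison constant-time.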
O.PLATFORM_INTEGRITY
The integrity of the VMM depends on the integrity of the hardware and software on which the VMM relies. Although the VS does not have complete control over the integrity of the platform, the VS should as much as possible try to ensure that no users or software hosted by the VS can undermine the integrity of the platform.

O.DOMAIN_INTEGRITY
While the VS is not responsible for the contents or correct functioning of software that runs within Guest VMs, it is responsible for ensuring that the correct functioning of the software within a Guest VM is not interfered with by other VMs.
O.MANAGEMENT_ACCESS
VMM management functions include VM configuration, virtualized network configuration, allocation of physical resources, and reporting. Only authorized users (administrators) may exercise management functions. Because of the privileges exercised by the VMM management functions, it must not be possible for the VMM's management components to be compromised without administrator notification. This means that unauthorized users cannot be permitted access to the management functions, and the management components must not be interfered with by Guest VMs or unprivileged users on other networks—including operational networks connected to the TOE. VMMs include a set of management functions that collectively allow administrators to configure and manage the VMM, as well as configure Guest VMs. These management functions are specific to the VS and are distinct from any other management functions that might exist for the internal management of any given Guest VM. These VMM management functions are privileged, with the security of the entire system relying on their proper use. The VMM management functions can be classified into different categories and the policy for their use and the impact to security may vary accordingly. The management functions are distributed throughout the VMM (within the VMM and Service VMs). The VMM must support the necessary mechanisms to enable the control of all management functions according to the system security policy. When a management function is distributed among multiple Service VMs, the VMs must be protected using the security mechanisms of the Hypervisor and any Service VMs involved to ensure that the intent of the system security policy is not compromised. Additionally, since hypercalls permit Guest VMs to invoke the Hypervisor, and often allow the passing of data to the Hypervisor, it is important that the hypercall interface is well-guarded and that all parameters be validated. The VMM maintains configuration data for every VM on the system. This configuration data, whether of Service or Guest VMs, must be protected. The mechanisms used to establish, modify and verify configuration data are part of the VS management functions and must be protected as such. The proper internal configuration of Service VMs that provide critical security functions can also greatly impact VS security. These configurations must also be protected. Internal configuration of Guest VMs should not impact overall VS security. The overall goal is to ensure that the VMM, including the environments internal to Service VMs, is properly configured and that all Guest VM configurations are maintained consistent with the system security policy throughout their lifecycle. Virtualization Systems are often managed remotely. For example, an administrator can remotely update virtualization software, start and shut down VMs, and manage virtualized network connections. If a console is required, it could be run on a separate machine or it could itself run in a VM. When performing remote management, an administrator must communicate with a privileged management agent over a network. Communications with the management infrastructure must be protected from Guest VMs and operational networks.

O.PATCHED_SOFTWARE
The VS must be updated and patched when needed in order to prevent the potential compromise of the VMM, as well as the networks and VMs that it hosts. Identifying and applying needed updates must be a normal part of the operating procedure to ensure that patches are applied in a timely and thorough manner. In order to facilitate this, the VS must support standards and protocols that help enhance the manageability of the VS as an IT product, enabling it to be integrated as part of a manageable network (e.g., reporting current patch level and patchability).

O.VM_ENTROPY
VMs must have access to good entropy sources to support security-related features that implement cryptographic algorithms. For example, in order to function as members of operational networks, VMs must be able to communicate securely with other network entities—whether virtual or physical. They must therefore have access to sources of good entropy to support that secure communication.
O.AUDIT
An audit log must be created that captures accesses to the objects the TOE protects. The log of these accesses, or audit events, must be protected from modification, unauthorized access, and destruction. The audit log must be sufficiently detailed to indicate the date and time of the event, the identity of the user, the type of event, and the success or failure of the event.
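Added example, not from the Protection Profile: an audit record that carries the four fields O.AUDIT requires (date and time, identity of the user, type of event, success or failure), stored in a hash chain so that modification of an earlier record is detectable. Each record's digest covers its own fields and the previous record's digest, so editing, deleting or reordering any record invalidates every digest after it. The field names, the chain construction and the sample events are assumptions made for this illustration; the PP only states what the log must contain and that it must be protected from modification.

```python
"""Constructed tamper-evident audit log (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # digest "before" the first record


def _digest(fields: dict, prev: str) -> str:
    """Digest over the record's fields chained to the previous digest.
    Canonical JSON keeps the serialization deterministic."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.records = []

    def append(self, user: str, event_type: str, outcome: str,
               detail: str = "", when: datetime = None) -> dict:
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        when = when or datetime.now(timezone.utc)
        prev = self.records[-1]["digest"] if self.records else GENESIS
        rec = {"time": when.isoformat(), "user": user, "event": event_type,
               "outcome": outcome, "detail": detail}
        rec["digest"] = _digest(rec, prev)  # rec has no digest key yet
        self.records.append(rec)
        return rec

    def verify(self):
        """Return the index of the first record whose chain is broken,
        or None when the whole log is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            fields = {k: v for k, v in rec.items() if k != "digest"}
            if _digest(fields, prev) != rec["digest"]:
                return i
            prev = rec["digest"]
        return None


def demo():
    """Three constructed events; then an in-place edit that hides a failed
    login, which the verifier must catch at record index 1."""
    log = AuditLog()
    t = datetime(2021, 6, 14, 12, 0, tzinfo=timezone.utc)
    log.append("admin1", "vm.start", "success", "vm-s1", t)
    log.append("admin2", "login", "failure", "bad password", t)
    log.append("admin1", "vnet.config", "success", "vnet-secret", t)
    intact = log.verify()                   # None
    log.records[1]["outcome"] = "success"   # unauthorized modification
    tampered = log.verify()                 # 1
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The chain makes modification detectable; it does not by itself prevent destruction of the whole log, which is why the PP separately lists off-loading of audit data (FAU_STG_EXT) among its components.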
O.CORRECTLY_APPLIED_CONFIGURATIONTheTOEmustnotapplyconfigurationsthatviolatethecurrentsecuritypolicy.TheTOEmustcorrectlyapplyconfigurationsandpoliciestoanewlycreatedGuestVM,aswellastoexistingGuestVMswhenapplicableconfigurationorpolicychangesaremade.Allchangestoconfigurationandtopolicymustconformtotheexistingsecuritypolicy.Similarly,changesmadetotheconfigurationoftheTOEitselfmustnotviolatetheexistingsecuritypolicy.
O.RESOURCE_ALLOCATIONTheTOEwillprovidemechanismsthatenforceconstraintsontheallocationofsystemresourcesinaccordancewithexistingsecuritypolicy.
4.2 Security Objectives for the Operational Environment
OE.CONFIG TOE administrators will configure the VS correctly to create the intended security policy.
OE.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
OE.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
OE.NON_MALICIOUS_USER Users are trusted to not be willfully negligent or hostile and use the VS in compliance with the applied enterprise security policy and guidance.
4.3 Security Objectives Rationale
This section describes how the assumptions, threats, and organizational security policies map to the security objectives.
Table 1: Security Objectives Rationale
Threat, Assumption, or OSP | Security Objectives | Rationale
T.DATA_LEAKAGE | O.VM_ISOLATION | Logical separation of VMs and enforcement of domain integrity prevent unauthorized transmission of data from one VM to another.
T.DATA_LEAKAGE | O.DOMAIN_INTEGRITY | Logical separation of VMs and enforcement of domain integrity prevent unauthorized transmission of data from one VM to another.
T.UNAUTHORIZED_UPDATE | O.VMM_INTEGRITY | System integrity prevents the TOE from installing a software patch containing unknown and potentially malicious code.
T.UNAUTHORIZED_MODIFICATION | O.VMM_INTEGRITY | Enforcement of VMM integrity prevents the bypass of enforcement mechanisms and auditing ensures that abuse of legitimate authority can be detected.
T.UNAUTHORIZED_MODIFICATION | O.AUDIT | Enforcement of VMM integrity prevents the bypass of enforcement mechanisms and auditing ensures that abuse of legitimate authority can be detected.
T.USER_ERROR | O.VM_ISOLATION | Isolation of VMs includes clear attribution of those VMs to their respective domains, which reduces the likelihood that a user inadvertently inputs or transfers data meant for one VM into another.
T.3P_SOFTWARE | O.VMM_INTEGRITY | The VMM integrity mechanisms include environment-based vulnerability mitigation and potentially support for introspection and device driver isolation, all of which reduce the likelihood that any vulnerabilities in third-party software can be used to exploit the TOE.
T.VMM_COMPROMISE | O.VMM_INTEGRITY | Maintaining the integrity of the VMM and ensuring that VMs execute in isolated domains mitigate the risk that the VMM can be compromised or bypassed.
T.VMM_COMPROMISE | O.VM_ISOLATION | Maintaining the integrity of the VMM and ensuring that VMs execute in isolated domains mitigate the risk that the VMM can be compromised or bypassed.
T.PLATFORM_COMPROMISE | O.PLATFORM_INTEGRITY | Platform integrity mechanisms used by the TOE reduce the risk that an attacker can ‘break out’ of a VM and affect the platform on which the VS is running.
T.UNAUTHORIZED_ACCESS | O.MANAGEMENT_ACCESS | Ensuring that TSF management functions cannot be executed without authorization prevents untrusted subjects from modifying the behavior of the TOE in an unanticipated manner.
T.WEAK_CRYPTO | O.VM_ENTROPY | Acquisition of good entropy is necessary to support the TOE's security-related cryptographic algorithms.
T.UNPATCHED_SOFTWARE | O.PATCHED_SOFTWARE | The ability to patch the TOE software ensures that protections against vulnerabilities can be applied as they become available.
T.MISCONFIGURATION | O.CORRECTLY_APPLIED_CONFIGURATION | Mechanisms to prevent the application of configurations that violate the current security policy help prevent misconfigurations.
T.DENIAL_OF_SERVICE | O.RESOURCE_ALLOCATION | The ability of the TSF to ensure the proper allocation of resources makes denial of service attacks more difficult.
A.PLATFORM_INTEGRITY | OE.PHYSICAL | If the underlying platform has not been compromised prior to installation of the TOE, its integrity can be assumed to be intact.
A.PHYSICAL | OE.PHYSICAL | If the TOE is deployed in a location that has appropriate physical safeguards, it can be assumed to be physically secure.
A.TRUSTED_ADMIN | OE.TRUSTED_ADMIN | Providing guidance to administrators and ensuring that individuals are properly trained and vetted before being given administrative responsibilities will ensure that they are trusted.
A.NON_MALICIOUS_USER | OE.NON_MALICIOUS_USER | If the organization properly vets and trains users, it is expected that they will be non-malicious.
A.NON_MALICIOUS_USER | OE.CONFIG | If the TOE is administered by a non-malicious and non-negligent user, the expected result is that the TOE will be configured in a correct and secure manner.
5 Security Requirements
This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 and assurance components from Part 3 of [CC]. The following conventions are used for the completion of operations:
Refinement operation (denoted by bold text or strikethrough text): is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.
Selection (denoted by italicized text): is used to select one or more options provided by the [CC] in stating a requirement.
Assignment operation (denoted by italicized text): is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
Iteration operation: is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."
5.1 Security Functional Requirements
5.1.1 Auditable Events for Mandatory SFRs
Table 2: Auditable Events for Mandatory Requirements
Requirement | Auditable Events | Additional Audit Record Contents
FAU_GEN.1 | No events specified |
FAU_SAR.1 | No events specified |
FAU_STG.1 | No events specified |
FAU_STG_EXT.1 | Failure of audit data capture due to lack of disk space or pre-defined limit. |
FAU_STG_EXT.1 | On failure of logging function, capture record of failure and record upon restart of logging function. |
FCS_CKM.1 | No events specified |
FCS_CKM.2 | No events specified |
FCS_CKM_EXT.4 | No events specified |
FCS_COP.1/Hash | No events specified |
FCS_COP.1/KeyedHash | No events specified |
FCS_COP.1/Sig | No events specified |
FCS_COP.1/UDE | No events specified |
FCS_ENT_EXT.1 | No events specified |
FCS_RBG_EXT.1 | Failure of the randomization process. |
FDP_HBI_EXT.1 | No events specified |
FDP_PPR_EXT.1 | Successful and failed VM connections to physical devices where connection is governed by configurable policy. | VM and physical device identifiers.
FDP_PPR_EXT.1 | Security policy violations. | Identifier for the security policy that was violated.
FDP_RIP_EXT.1 | No events specified |
FDP_RIP_EXT.2 | No events specified |
FDP_VMS_EXT.1 | No events specified |
FDP_VNC_EXT.1 | Successful and failed attempts to connect VMs to virtual and physical networking components. | VM and virtual or physical networking component identifiers.
FDP_VNC_EXT.1 | Security policy violations. | Identifier for the security policy that was violated. VM and virtual or physical networking component identifiers.
FDP_VNC_EXT.1 | Administrator configuration of inter-VM communications channels between VMs. | VM and virtual or physical networking component identifiers.
FIA_AFL_EXT.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of attempt (e.g., IP address).
FIA_UAU.5 | No events specified |
FIA_UIA_EXT.1 | Administrator authentication attempts. | Provided user identity, origin of the attempt (e.g., console, remote IP address).
FIA_UIA_EXT.1 | All use of the identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., console, remote IP address).
FIA_UIA_EXT.1 | [selection: Start and end of administrator session., None] | Start time and end time of administrator session.
FMT_SMO_EXT.1 | No events specified |
FPT_DVD_EXT.1 | No events specified |
FPT_EEM_EXT.1 | No events specified |
FPT_HAS_EXT.1 | No events specified |
FPT_HCL_EXT.1 | Invalid parameter to hypercall detected. | Hypercall interface for which access was attempted.
FPT_HCL_EXT.1 | Hypercall interface invoked when documented preconditions are not met. |
FPT_RDM_EXT.1 | Connection/disconnection of removable media or device to/from a VM. | VM Identifier, Removable media/device identifier, event description or identifier (connect/disconnect, ejection/insertion, etc.).
FPT_RDM_EXT.1 | Ejection/insertion of removable media or device from/to an already connected VM. | VM Identifier, Removable media/device identifier, event description or identifier (connect/disconnect, ejection/insertion, etc.).
FPT_TUD_EXT.1 | Initiation of update. |
FPT_TUD_EXT.1 | Failure of signature verification. |
FPT_VDP_EXT.1 | No events specified |
FPT_VIV_EXT.1 | No events specified |
FTA_TAB.1 | No events specified |
FTP_ITC_EXT.1 | Initiation of the trusted channel. | User ID and remote source (IP Address) if feasible.
FTP_ITC_EXT.1 | Termination of the trusted channel. | User ID and remote source (IP Address) if feasible.
FTP_ITC_EXT.1 | Failures of the trusted path functions. | User ID and remote source (IP Address) if feasible.
FTP_UIF_EXT.1 | No events specified |
FTP_UIF_EXT.2 | No events specified |
5.1.2 Security Audit (FAU)
FAU_GEN.1 Audit Data Generation
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a. Start-up and shutdown of audit functions
b. [All administrative actions relevant to claimed SFRs as defined in the Auditable Events Table from the Client and Server PP-Modules]
c. [Auditable events defined in Table 2]
d. [selection: Auditable events defined in Table 5 for Strictly Optional SFRs, Auditable events defined in Table 6 for Objective SFRs, Auditable events defined in Table 7 for Selection-Based SFRs, Auditable events for the Functional Package for Transport Layer Security (TLS), version 1.1 listed in Table 3, Auditable events defined in the audit table for the Functional Package for Secure Shell (SSH), version 1.0, no other auditable events]
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a. Date and time of the event
b. Type of event
c. Subject and object identity (if applicable)
d. The outcome (success or failure) of the event
e. [Additional information defined in Table 2]
f. [selection: Additional information defined in Table 5 for Strictly Optional SFRs, Additional information defined in Table 6 for Objective SFRs, Additional information defined in Table 7 for Selection-Based SFRs, Additional information for the Functional Package for Transport Layer Security (TLS), version 1.1 listed in Table 3, Additional information defined in the audit table for the Functional Package for Secure Shell (SSH), version 1.0, no other information]
Application Note: The ST author can include other auditable events directly in Table 2; they are not limited to the list presented. The ST author should update the table in FAU_GEN.1.2 with any additional information generated. “Subject identity” in FAU_GEN.1.2 could be a user id or an identifier specifying a VM, for example. Appropriate entries from Table 5, Table 6, and Table 7 should be included in the ST if the associated SFRs and selections are included.
The Table 2 entry for FDP_VNC_EXT.1 refers to configuration settings that attach VMs to virtualized network components. Changes to these configurations can be made during VM execution or when VMs are not running. Audit records must be generated for either case.
The intent of the audit requirement for FDP_PPR_EXT.1 is to log that the VM is connected to a physical device (when the device becomes part of the VM's hardware view), not to log every time that the device is accessed. Generally, this is only once at VM startup. However, some devices can be connected and disconnected during operation (e.g., virtual USB devices such as CD-ROMs). All such connection/disconnection events must be logged.
The following table contains the events enumerated in the auditable events table for the TLS Functional Package. Inclusion of these events in the ST is subject to selection above, inclusion of the corresponding SFRs in the ST, and support in the FP as represented by a selection in the table below.
Table 3: Auditable Events for the TLS Functional Package
Requirement | Auditable Events | Additional Audit Record Contents
FCS_TLSC_EXT.1 | Failure to establish a session. | Reason for failure.
FCS_TLSC_EXT.1 | Failure to verify presented identifier. | Presented identifier and reference identifier.
FCS_TLSC_EXT.1 | Establishment/termination of a TLS session. | Non-TOE endpoint of connection.
FCS_TLSS_EXT.1 | Failure to establish a session. | Reason for failure.
FCS_DTLSC_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate.
FCS_DTLSS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate.
Evaluation Activities
FAU_GEN.1
TSS
The evaluator shall check the TSS and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type shall be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP-Configuration is described in the TSS.
Guidance
The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP-Configuration. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP and PP-Modules. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security-relevant with respect to this PP-Configuration.
Tests
The evaluator shall test the TOE’s ability to correctly generate audit records by having the TOE generate audit records for the events listed and administrative actions. For administrative actions, the evaluator shall test that each action determined by the evaluator above to be security relevant in the context of this PP is auditable. When verifying the test results, the evaluator shall ensure the audit records generated during testing match the format specified in the administrative guide, and that the fields in each audit record have the proper entries.
Note that the testing here can be accomplished in conjunction with the testing of the security mechanisms directly.
FAU_SAR.1 Audit Review
FAU_SAR.1.1 The TSF shall provide [administrators] with the capability to read [all information] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
Evaluation Activities
FAU_SAR.1
Guidance
The evaluator shall review the operational guidance for the procedure on how to review the audit records.
Tests
The evaluator shall verify that the audit records provide all of the information specified in FAU_GEN.1 and that this information is suitable for human interpretation. The evaluation activity for this requirement is performed in conjunction with the evaluation activity for FAU_GEN.1.
FAU_STG.1 Protected Audit Trail Storage
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to [prevent] unauthorized modifications to the stored audit records in the audit trail.
Application Note: The evaluation activity for this SFR is not intended to imply that the TOE must support an administrator’s ability to designate individual audit records for deletion. That level of granularity is not required.
Evaluation Activities
FAU_STG.1
TSS
The evaluator shall ensure that the TSS describes how the audit records are protected from unauthorized modification or deletion. The evaluator shall ensure that the TSS describes the conditions that must be met for authorized deletion of audit records.
Tests
The evaluator shall perform the following tests:
Test 1: The evaluator shall access the audit trail as an unauthorized Administrator and attempt to modify and delete the audit records. The evaluator shall verify that these attempts fail.
Test 2: The evaluator shall access the audit trail as an authorized Administrator and attempt to delete the audit records. The evaluator shall verify that these attempts succeed. The evaluator shall verify that only the records authorized for deletion are deleted.
FAU_STG_EXT.1 Off-Loading of Audit Data
FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an external IT entity using a trusted channel as specified in FTP_ITC_EXT.1.
FAU_STG_EXT.1.2 The TSF shall [selection: drop new audit data, overwrite previous audit records according to the following rule: [assignment: rule for overwriting previous audit records], [assignment: other action]] when the local storage space for audit data is full.
Application Note: An external log server, if available, might be used as alternative storage space in case the local storage space is full. An ‘other action’ could be defined in this case as ‘send the new audit data to an external IT entity’.
Evaluation Activities
FAU_STG_EXT.1.1
Protocols used for implementing the trusted channel must be selected in FTP_ITC_EXT.1.
TSS
The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.
Guidance
The evaluator shall examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.
Tests
Testing of the trusted channel mechanism is to be performed as specified in the evaluation activities for FTP_ITC_EXT.1. The evaluator shall perform the following test for this requirement:
Test 1: The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator’s choice designed to generate audit data to be transferred to the audit server. The evaluator shall observe that these data are not able to be viewed in the clear during this transfer, and that they are successfully received by the audit server. The evaluator shall record the particular software (name, version) used on the audit server during testing.
FAU_STG_EXT.1.2
TSS
The evaluator shall examine the TSS to ensure it describes what happens when the local audit data store is full.
Guidance
The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server. For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and “cleared” periodically by sending the data to the audit server?
Tests
The evaluator shall perform operations that generate audit data and verify that this data is stored locally. The evaluator shall perform operations that generate audit data until the local storage space is exceeded and verify that the TOE complies with the behavior defined in the ST for FAU_STG_EXT.1.2.
5.1.3 Cryptographic Support (FCS)
FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.1.1 The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:
RSA schemes using cryptographic key sizes [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3],
ECC schemes using [“NIST curves” P-256, P-384, and [selection: P-521, no other curves]] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4],
FFC schemes using cryptographic key sizes [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1],
FFC Schemes using Diffie-Hellman group 14 that meet the following: [RFC 3526],
FFC Schemes using safe primes that meet the following: [NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes”]
] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
Application Note: The ST author selects all key generation schemes used for key establishment and device authentication. When key generation is used for key establishment, the schemes in FCS_CKM.2.1 and selected cryptographic protocols shall match the selection. When key generation is used for device authentication, the public key is expected to be associated with an X.509v3 certificate.
If the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation.
Evaluation Activities
FCS_CKM.1
TSS
The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.
Guidance
The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key generation schemes and key sizes for all uses defined in this PP.
Tests
Note: The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.
Key Generation for FIPS PUB 186-4 RSA Schemes
The evaluator shall verify the implementation of RSA Key Generation by the TOE using the Key Generation test. This test verifies the ability of the TSF to correctly produce values for the key components including the public verification exponent e, the private prime factors p and q, the public modulus n and the calculation of the private signature exponent d. Key Pair generation specifies 5 ways (or methods) to generate the primes p and q. These include:
Random Primes:
- Provable primes
- Probable primes
Primes with Conditions:
- Primes p1, p2, q1, q2, p and q shall all be provable primes
- Primes p1, p2, q1, and q2 shall be provable primes and p and q shall be probable primes
- Primes p1, p2, q1, q2, p and q shall all be probable primes
To test the key generation method for the Random Provable primes method and for all the Primes with Conditions methods, the evaluator shall seed the TSF key generation routine with sufficient data to deterministically generate the RSA key pair. This includes the random seeds, the public exponent of the RSA key, and the desired key length. For each key length supported, the evaluator shall have the TSF generate 25 key pairs. The evaluator shall verify the correctness of the TSF’s implementation by comparing values generated by the TSF with those generated from a known good implementation.
Key Generation for Elliptic Curve Cryptography (ECC)
FIPS 186-4 ECC Key Generation Test
For each supported NIST curve (i.e., P-256, P-384 and P-521) the evaluator shall require the implementation under test (IUT) to generate 10 private/public key pairs. The private key shall be generated using an approved random bit generator (RBG). To determine correctness, the evaluator shall submit the generated key pairs to the public key verification (PKV) function of a known good implementation.
FIPS 186-4 Public Key Verification (PKV) Test
For each supported NIST curve (i.e., P-256, P-384 and P-521) the evaluator shall generate 10 private/public key pairs using the key generation function of a known good implementation and modify five of the public key values so that they are incorrect, leaving five values unchanged (i.e., correct). The evaluator shall obtain in response a set of 10 PASS/FAIL values.
Key Generation for Finite-Field Cryptography (FFC)
The evaluator shall verify the implementation of the Parameters Generation and the Key Generation for FFC by the TOE using the Parameter Generation and Key Generation test. This test verifies the ability of the TSF to correctly produce values for the field prime p, the cryptographic prime q (dividing p-1), the cryptographic group generator g, and the calculation of the private key x and public key y. The Parameter generation specifies two ways (or methods) to generate the cryptographic prime q and the field prime p:
- Primes q and p shall both be provable primes
- Primes q and field prime p shall both be probable primes
and two ways to generate the cryptographic group generator g:
- Generator g constructed through a verifiable process
- Generator g constructed through an unverifiable process.
The Key generation specifies two ways to generate the private key x:
- len(q) bit output of RBG where 1 ≤ x ≤ q-1
- len(q) + 64 bit output of RBG, followed by a mod q-1 operation where 1 ≤ x ≤ q-1
The security strength of the RBG shall be at least that of the security offered by the FFC parameter set. To test the cryptographic and field prime generation method for the provable primes method and the group generator g for a verifiable process, the evaluator shall seed the TSF parameter generation routine with sufficient data to deterministically generate the parameter set. For each key length supported, the evaluator shall have the TSF generate 25 parameter sets and key pairs. The evaluator shall verify the correctness of the TSF’s implementation by comparing values generated by the TSF with those generated from a known good implementation. Verification shall also confirm
- g != 0, 1
- q divides p-1
- g^q mod p = 1
- g^x mod p = y
for each FFC parameter set and key pair.
Diffie-Hellman Group 14 and FFC Schemes using "safe-prime" groups
Testing for FFC Schemes using Diffie-Hellman group 14 and "safe-prime" groups is done as part of testing in FCS_CKM.2.1.
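The FFC parameter-set and key-pair checks listed above, as an added example in Python that is not part of the PP: it evaluates the four verification conditions (g != 0, 1; q | p-1; g^q mod p = 1; g^x mod p = y), derives x by the len(q)+64-bit RBG method, and returns PASS/FAIL per vector the way the error-injection step expects. The toy parameter set p = 23, q = 11, g = 2 and the RBG bytes are constructed for this example, not taken from any standard.

```python
"""Added example (not part of the Protection Profile): the FFC parameter-set
and key-pair checks from the FCS_CKM.1 evaluation activity, run over
constructed test vectors. All values below are constructed toy data."""

from dataclasses import dataclass

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; adequate for checking test vectors."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class FFCParams:
    p: int  # field prime
    q: int  # cryptographic prime, must divide p-1
    g: int  # group generator of order q


def verify_params(params: FFCParams) -> list:
    """Return the failed checks from the PP's list; an empty list means PASS."""
    p, q, g = params.p, params.q, params.g
    failures = []
    if not is_probable_prime(p):
        failures.append("p is not prime")
    if not is_probable_prime(q):
        failures.append("q is not prime")
    if g in (0, 1) or not 1 < g < p:          # g != 0, 1
        failures.append("g is 0, 1 or out of range")
    if (p - 1) % q != 0:                      # q divides p-1
        failures.append("q does not divide p-1")
    elif pow(g, q, p) != 1:                   # g^q mod p = 1
        failures.append("g^q mod p != 1")
    return failures


def verify_keypair(params: FFCParams, x: int, y: int) -> list:
    """Check the private/public pair on top of the parameter-set checks."""
    failures = verify_params(params)
    if not 1 <= x <= params.q - 1:            # 1 <= x <= q-1
        failures.append("x outside [1, q-1]")
    if pow(params.g, x, params.p) != y:       # g^x mod p = y
        failures.append("g^x mod p != y")
    return failures


def private_key_from_rbg(rbg_output: bytes, q: int) -> int:
    """Second generation method in the PP: len(q)+64 bits of RBG output,
    reduced mod (q-1) and shifted into the range [1, q-1]."""
    if len(rbg_output) * 8 < q.bit_length() + 64:
        raise ValueError("RBG output shorter than len(q)+64 bits")
    c = int.from_bytes(rbg_output, "big")
    return (c % (q - 1)) + 1


def validity_test(params: FFCParams, vectors: list) -> list:
    """PASS/FAIL per (x, y) vector, as the evaluator's error-injection test expects."""
    return ["FAIL" if verify_keypair(params, x, y) else "PASS" for x, y in vectors]


# Constructed toy parameter set: p = 2q + 1 is a safe prime and g = 2 has order q.
TOY = FFCParams(p=23, q=11, g=2)

if __name__ == "__main__":
    x = private_key_from_rbg(bytes(range(9)), TOY.q)   # constructed RBG output
    y = pow(TOY.g, x, TOY.p)
    print("parameter set:", verify_params(TOY) or "PASS", "key pair:", (x, y))
    # two unmodified vectors and two with an injected error in the public key y
    print(validity_test(TOY, [(x, y), (x, y + 1), (3, 8), (3, 9)]))
```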
FCS_CKM.2 Cryptographic Key Distribution
FCS_CKM.2.1 The TSF shall implement functionality to perform cryptographic key establishment (refinement: the original wording "distribute cryptographic keys" is struck through) in accordance with a specified cryptographic key establishment method: [selection:
RSA-based key establishment schemes that meet the following: RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, “Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.2”,
Elliptic curve-based key establishment schemes that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,
Finite field-based key establishment schemes that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”,
Key establishment scheme using Diffie-Hellman group 14 that meets the following: RFC 3526
] that meets the following [assignment: list of standards].
Evaluation Activities
FCS_CKM.2
TSS
The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.
Guidance
The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment schemes.
Tests
The evaluator shall verify the implementation of the key establishment schemes supported by the TOE using the applicable tests below.
Key Establishment Schemes
RSAES-PKCS1-v1_5 Key Establishment Schemes
The evaluator shall verify the correctness of the TSF's implementation of RSAES-PKCS1-v1_5 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses RSAES-PKCS1-v1_5.
SP800-56A ECC Key Establishment Schemes
The evaluator shall verify a TOE's implementation of SP800-56A key agreement schemes using the following Function and Validity tests. These validation tests for each key agreement scheme verify that a TOE has implemented the components of the key agreement scheme according to the specifications in the Recommendation. These components include the calculation of the DLC primitives (the shared secret value Z) and the calculation of the derived keying material (DKM) via the Key Derivation Function (KDF). If key confirmation is supported, the evaluator shall also verify that the components of key confirmation have been implemented correctly, using the test procedures described below. This includes the parsing of the DKM, the generation of MAC data and the calculation of MAC tag.
Function Test
The Function test verifies the ability of the TOE to implement the key agreement schemes correctly. To conduct this test, the evaluator shall generate or obtain test vectors from a known good implementation of the TOE supported schemes. For each supported key agreement scheme-key agreement role combination, KDF type, and, if supported, key confirmation role-key confirmation type combination, the tester shall generate 10 sets of test vectors. The data set consists of one set of domain parameter values (FFC) or the NIST approved curve (ECC) per 10 sets of public keys. These keys are static, ephemeral, or both depending on the scheme being tested. The evaluator shall obtain the DKM, the corresponding TOE’s public keys (static and ephemeral), the MAC tags, and any inputs used in the KDF, such as the Other Information field OI and TOE ID fields. If the TOE does not use a KDF defined in SP 800-56A, the evaluator shall obtain only the public keys and the hashed value of the shared secret. The evaluator shall verify the correctness of the TSF’s implementation of a given scheme by using a known good implementation to calculate the shared secret value, derive the keying material DKM, and compare hashes or MAC tags generated from these values. If key confirmation is supported, the TSF shall perform the above for each implemented approved MAC algorithm.
Validity Test
The Validity test verifies the ability of the TOE to recognize another party’s valid and invalid key agreement results with or without key confirmation. To conduct this test, the evaluator shall obtain a list of the supporting cryptographic functions included in the SP800-56A key agreement implementation to determine which errors the TOE should be able to recognize. The evaluator generates a set of 24 (FFC) or 30 (ECC) test vectors consisting of data sets including domain parameter values or NIST approved curves, the evaluator’s public keys, the TOE’s public/private key pairs, MAC Tag, and any inputs used in the KDF, such as the other info and TOE ID fields. The evaluator shall inject an error in some of the test vectors to test that the TOE recognizes invalid key agreement results caused by the following fields being incorrect: the shared secret value Z, the DKM, the other information field OI, the data to be MACed, or the generated MAC Tag. If the TOE contains the full or partial (only ECC) public key validation, the evaluator will also individually inject errors in both parties’ static public keys, both parties’ ephemeral public keys and the TOE’s static private key to assure the TOE detects errors in the public key validation function and the partial key validation function (in ECC only). At least two of the test vectors shall remain unmodified and therefore should result in valid key agreement results (they should pass). The TOE shall use these modified test vectors to emulate the key agreement scheme using the corresponding parameters. The evaluator shall compare the TOE’s results with the results using a known good implementation, verifying that the TOE detects these errors.
Diffie-Hellman Group 14
The evaluator shall verify the correctness of the TSF's implementation of Diffie-Hellman group 14 by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses Diffie-Hellman Group 14.
FFC Schemes using "safe-prime" groups (identified in Appendix D of SP 800-56A Revision 3)
The evaluator shall verify the correctness of the TSF's implementation of "safe-prime" groups by using a known good implementation for each protocol selected in FTP_ITC_EXT.1 that uses "safe-prime" groups. This test must be performed for each "safe-prime" group that each protocol uses.
FCS_CKM_EXT.4CryptographicKeyDestructionFCS_CKM_EXT.4.1
TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.
ApplicationNote:Thethreataddressedbythiselementistherecoveryofdisusedcryptographickeysfromvolatilememorybyunauthorizedprocesses.TheTSFmustdestroyorcausetobedestroyedallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.ThisrequirementisthesameforallinstancesofkeyswithinTOEvolatilememoryregardlessofwhetherthememoryiscontrolledbyTOEmanufacturersoftwareorbythird-partyTOEmodules.TheevaluationactivitiesaredesignedwithflexibilitytoaddresscaseswheretheTOEmanufacturerhaslimitedinsightintothebehaviorofthird-partyTOEcomponents.
ThepreferredmethodfordestroyingkeysinTOEvolatilememoryisbydirectoverwriteofthememoryoccupiedbythekeys.Thevaluesusedforoverwritingcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitselfsuchthatthekeysarerenderedinaccessibletorunningprocesses.
Someimplementationsmayfindthatdirectoverwritingofmemoryisnotfeasibleorpossibleduetoprogramminglanguageconstraints.Manymemory-andtype-safelanguagesprovidenomechanismforprogrammerstospecifythataparticularmemorylocationbeaccessedorwritten.Thevalueofsuchlanguagesisthatitismuchharderforaprogrammingerrortoresultinabufferorheapoverflow.Thedownsideisthatmultiplecopiesofkeysmightbescatteredthroughoutlanguage-runtimememory.Insuchcases,theTOEshouldtakewhateveractionsarefeasibletocausethekeystobecomeinaccessible—freeingmemory,destroyingobjects,closingapplications,programmingusingtheminimumpossiblescopeforvariablescontainingkeys.
Likewise,ifkeysresideinmemorywithintheexecutioncontextofathird-partymodule,thentheTOEshouldtakewhateverfeasibleactionsitcantocausethekeystobedestroyed.
Cryptographickeysinnon-TOEvolatilememoryarenotcoveredbythisrequirement.ThisexpresslyincludeskeyscreatedandusedbyGuestVMs.TheGuestisresponsiblefordisposingofsuchkeys.
FCS_CKM_EXT.4.2TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.
ApplicationNote:Theultimategoalofthiselementistoensurethatdisused
cryptographickeysareinaccessiblenotonlytocomponentsoftherunningsystem,butarealsounrecoverablethroughforensicanalysisofdiscardedstoragemedia.Theelementisdesignedtoreflectthefactthatthelattermaynotbewhollypracticalatthistimeduetothewaysomestoragetechnologiesareimplemented(e.g.,wear-levelingofflashstorage).Keystorageareasinnon-volatilestoragecanbeoverwrittenwithanyvaluethatrendersthekeysunrecoverable.Thevalueusedcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitself.
TheTSFmustdestroyallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.Sincethisisasoftware-onlyTOE,thehardwarecontrollersthatmanagenon-volatilestoragemediaarenecessarilyoutsidetheTOEboundary.Thus,theTOEmanufacturerislikelytohavelittlecontrolover—orinsightinto—thefunctioningofthesestoragedevices.TheTOEmustmakea“best-effort”todestroydisusedcryptographickeysbyinvokingtheappropriateplatforminterfaces—recognizingthatthespecificactionstakenbytheplatformareoutoftheTOE’scontrol.
ButincaseswheretheTOEhasinsightintothenon-volatilestoragetechnologiesusedbytheplatform,orwheretheTOEcanspecifyapreferenceormethodfordestroyingkeys,thedestructionshouldbeexecutedbyasingle,directoverwriteconsistingofpseudorandomdataoranewkey,byarepeatingpatternofanystaticvalue,orbyablockerase.
Forkeysstoredonencryptedmedia,itissufficientforthemediaencryptionkeystobedestroyedforallkeysstoredonthemediatobeconsidereddestroyed.
Evaluation Activities
FCS_CKM_EXT.4
TSS
The evaluator shall check to ensure the TSS lists each type of key and its origin and location in memory or storage. The evaluator shall verify that the TSS describes when each type of key is cleared.
Tests
For each key clearing situation the evaluator shall perform one of the following activities:
The evaluator shall use appropriate combinations of specialized operational or development environments, development tools (debuggers, emulators, simulators, etc.), or instrumented builds (developmental, debug, or release) to demonstrate that keys are cleared correctly, including all intermediate copies of the key that may have been created internally by the TOE during normal cryptographic processing. In cases where testing reveals that third-party software modules or programming language run-time environments do not properly overwrite keys, this fact must be documented. Likewise, it must be documented if there is no practical way to determine whether such modules or environments destroy keys properly. In cases where it is impossible or impracticable to perform the above tests, the evaluator shall describe how keys are destroyed in such cases, to include:
Which keys are affected
The reasons why testing is impossible or impracticable
Evidence that keys are destroyed appropriately (e.g., citations to component documentation, component developer/vendor attestation, component vendor test results)
Aggravating and mitigating factors that may affect the timeliness or execution of key destruction (e.g., caching, garbage collection, operating system memory management)
Use of debug or instrumented builds of the TOE and TOE components is permitted in order to demonstrate that the TOE takes appropriate action to destroy keys. These builds should be based on the same source code as are release builds (of course, with instrumentation and debug-specific code added).
FCS_COP.1/Hash Cryptographic Operation (Hashing)
FCS_COP.1.1/Hash
The TSF shall perform [cryptographic hashing] in accordance with a specified cryptographic algorithm [selection: SHA-1, SHA-256, SHA-384, SHA-512, SHA-3-224, SHA-3-256, SHA-3-384, SHA-3-512] and message digest sizes [selection: 160, 256, 384, 512 bits] that meet the following: [selection: FIPS PUB 180-4 "Secure Hash Standard", ISO/IEC 10118-3:2018]
Application Note: Per NIST SP 800-131A, SHA-1 for generating digital signatures is no longer allowed, and SHA-1 for verification of digital signatures is strongly discouraged as there may be risk in accepting these signatures. It is expected that vendors will implement SHA-2 algorithms in accordance with SP 800-131A.
The intent of this requirement is to specify the hashing function. The hash selection shall support the message digest size selection. The hash selection should be consistent with the overall strength of the algorithm used (for example, SHA256 for 128-bit keys).
Validation Guidelines:
Rule #1: If "HMAC-SHA-1" is selected in FCS_COP.1/KeyedHash then "SHA-1" must be selected in FCS_COP.1.1/Hash.
Rule #2: If "HMAC-SHA-256" is selected in FCS_COP.1/KeyedHash then "SHA-256" must be selected in FCS_COP.1/Hash.
Rule #3: If "HMAC-SHA-384" is selected in FCS_COP.1/KeyedHash then "SHA-384" must be selected in FCS_COP.1/Hash.
Rule #4: If "HMAC-SHA-512" is selected in FCS_COP.1/KeyedHash then "SHA-512" must be selected in FCS_COP.1/Hash.
Rule #5: If "SHA-3-224" is selected in FCS_COP.1/KeyedHash then "SHA-3-224" must be selected in FCS_COP.1/Hash.
Rule #6: If "SHA-3-256" is selected in FCS_COP.1/KeyedHash then "SHA-3-256" must be selected in FCS_COP.1/Hash.
Rule #7: If "SHA-3-384" is selected in FCS_COP.1/KeyedHash then "SHA-3-384" must be selected in FCS_COP.1/Hash.
Rule #8: If "SHA-3-512" is selected in FCS_COP.1/KeyedHash then "SHA-3-512" must be selected in FCS_COP.1/Hash.
Evaluation Activities
FCS_COP.1/Hash
TSS
The evaluator shall check that the association of the hash function with other TSF cryptographic functions (for example, the digital signature verification function) is documented in the TSS.
Guidance
The evaluator checks the AGD documents to determine that any configuration that is required to be done to configure the functionality for the required hash sizes is present.
Tests
SHA-1 and SHA-2 Tests
The TSF hashing functions can be implemented in one of two modes. The first mode is the byte-oriented mode. In this mode the TSF only hashes messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be hashed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF hashes messages of arbitrary length. As there are different tests for each mode, an indication is given in the following sections for the bit-oriented vs. the byte-oriented test MACs. The evaluator shall perform all of the following tests for each hash algorithm implemented by the TSF and used to satisfy the requirements of this PP. The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.
Short Messages Test, Bit-oriented Mode
The evaluators devise an input set consisting of m+1 messages, where m is the block length of the hash algorithm. The length of the messages ranges sequentially from 0 to m bits. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Short Messages Test, Byte-oriented Mode
The evaluators devise an input set consisting of m/8+1 messages, where m is the block length of the hash algorithm. The length of the messages ranges sequentially from 0 to m/8 bytes, with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test, Bit-oriented Mode
The evaluators devise an input set consisting of m messages, where m is the block length of the hash algorithm. The length of the ith message is 512 + 99*i, where 1 ≤ i ≤ m. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test, Byte-oriented Mode
The evaluators devise an input set consisting of m/8 messages, where m is the block length of the hash algorithm. The length of the ith message is 512 + 8*99*i, where 1 ≤ i ≤ m/8. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages Test
This test is for byte-oriented implementations only. The evaluators randomly generate a seed that is n bits long, where n is the length of the message digest produced by the hash function to be tested. The evaluators then formulate a set of 100 messages and associated digests by following the algorithm provided in Figure 1 of [SHAVS]. The evaluators then ensure that the correct result is produced when the messages are provided to the TSF.
SHA-3 Tests
The tests below are derived from The Secure Hash Algorithm-3 Validation System (SHA3VS), Updated: April 7, 2016, from the National Institute of Standards and Technology.
For each SHA-3-XXX implementation, XXX represents d, the digest length in bits. The capacity, c, is equal to 2d bits. The rate is equal to 1600 - c bits.
The TSF hashing functions can be implemented with one of two orientations. The first is a bit-oriented mode that hashes messages of arbitrary length. The second is a byte-oriented mode that hashes messages that are an integral number of bytes in length (i.e., the length (in bits) of the message to be hashed is divisible by 8). Separate tests for each orientation are given below.
The evaluator shall perform all of the following tests for each hash algorithm and orientation implemented by the TSF and used to satisfy the requirements of this PP. The evaluator shall compare digest values produced by a known-good SHA-3 implementation against those generated by running the same values through the TSF.
Short Messages Test, Bit-oriented Mode
The evaluators devise an input set consisting of rate+1 short messages. The length of the messages ranges sequentially from 0 to rate bits. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF. The message of length 0 is omitted if the TOE does not support zero-length messages.
Short Messages Test, Byte-oriented Mode
The evaluators devise an input set consisting of rate/8+1 short messages. The length of the messages ranges sequentially from 0 to rate/8 bytes, with each message being an integral number of bytes. The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF. The message of length 0 is omitted if the TOE does not support zero-length messages.
Selected Long Messages Test, Bit-oriented Mode
The evaluators devise an input set consisting of 100 long messages ranging in size from rate+(rate+1) to rate+(100*(rate+1)), incrementing by rate+1. (For example, SHA-3-256 has a rate of 1088 bits. Therefore, 100 messages will be generated with lengths 2177, 3266, …, 109988 bits.) The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Selected Long Messages Test, Byte-oriented Mode
The evaluators devise an input set consisting of 100 messages ranging in size from (rate+(rate+8)) to (rate+100*(rate+8)), incrementing by rate+8. (For example, SHA-3-256 has a rate of 1088 bits. Therefore 100 messages will be generated of lengths 2184, 3280, 4376, …, 110688 bits.) The message text shall be pseudorandomly generated. The evaluators compute the message digest for each of the messages and ensure that the correct result is produced when the messages are provided to the TSF.
Pseudorandomly Generated Messages (Monte Carlo) Test, Byte-oriented Mode
The evaluators supply a seed of d bits (where d is the length of the message digest produced by the hash function to be tested). This seed is used by a pseudorandom function to generate 100,000 message digests. One hundred of the digests (every 1000th digest) are recorded as checkpoints. The TOE then uses the same procedure to generate the same 100,000 message digests and 100 checkpoint values. The evaluators then compare the results generated to ensure that the correct result is produced when the messages are generated by the TSF.
FCS_COP.1/KeyedHash Cryptographic Operation (Keyed Hash Algorithms)
FCS_COP.1.1/KeyedHash
The TSF shall perform [keyed-hash message authentication] in accordance with a specified cryptographic algorithm [selection: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, SHA-3-224, SHA-3-256, SHA-3-384, SHA-3-512] and cryptographic key sizes [assignment: key size (in bits) used in HMAC] and message digest sizes [selection: 160, 256, 384, 512 bits] that meet the following: [FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code," and FIPS Pub 180-4, “Secure Hash Standard"].
Application Note: The selection in this requirement must be consistent with the key size specified for the size of the keys used in conjunction with the keyed-hash message authentication.
Validation Guidelines:
Rule #1: If "HMAC-SHA-1" is selected in FCS_COP.1/KeyedHash then "SHA-1" must be selected in FCS_COP.1.1/Hash.
Rule #2: If "HMAC-SHA-256" is selected in FCS_COP.1/KeyedHash then "SHA-256" must be selected in FCS_COP.1/Hash.
Rule #3: If "HMAC-SHA-384" is selected in FCS_COP.1/KeyedHash then "SHA-384" must be selected in FCS_COP.1/Hash.
Rule #4: If "HMAC-SHA-512" is selected in FCS_COP.1/KeyedHash then "SHA-512" must be selected in FCS_COP.1/Hash.
Rule #5: If "SHA-3-224" is selected in FCS_COP.1/KeyedHash then "SHA-3-224" must be selected in FCS_COP.1/Hash.
Rule #6: If "SHA-3-256" is selected in FCS_COP.1/KeyedHash then "SHA-3-256" must be selected in FCS_COP.1/Hash.
Rule #7: If "SHA-3-384" is selected in FCS_COP.1/KeyedHash then "SHA-3-384" must be selected in FCS_COP.1/Hash.
Rule #8: If "SHA-3-512" is selected in FCS_COP.1/KeyedHash then "SHA-3-512" must be selected in FCS_COP.1/Hash.
Evaluation Activities
FCS_COP.1/KeyedHash
TSS
The evaluator shall examine the TSS to ensure that it specifies the following values used by the HMAC function: key length, hash function used, block size, and output MAC length used.
Tests
The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products. For each of the supported parameter sets, the evaluator shall compose 15 sets of test data. Each set shall consist of a key and message data. The evaluator shall have the TSF generate HMAC tags for these sets of test data. The resulting MAC tags shall be compared to the result of generating HMAC tags with the same key and IV using a known good implementation.
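The byte-oriented Short Messages and Selected Long Messages Tests for SHA-2 given earlier and the 15-set keyed-hash comparison just described share one shape: build the input set, run it through a known-good implementation and the TSF, and report the first disagreement. The Go harness below is an added example (not the Profile's text nor any vendor's test tooling) that does exactly that for SHA-256 (block length m = 512) and HMAC-SHA-256, using the standard library as the known-good side and any function of the same signature as the TSF under test; a deliberately faulty stand-in TSF shows how a mismatch is reported. Function names and the message-length schedule for the HMAC sets are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HashFn computes a single-shot digest of a whole message.
type HashFn func(msg []byte) []byte

// MACFn computes a tag over (key, msg).
type MACFn func(key, msg []byte) []byte

// sha256Ref and hmacSHA256Ref stand in for the evaluator's known-good
// implementation; the TSF under test is whatever function is passed beside them.
func sha256Ref(msg []byte) []byte {
	d := sha256.Sum256(msg)
	return d[:]
}

func hmacSHA256Ref(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// randomBytes returns n pseudorandom bytes (the pseudorandomly generated
// message text the tests call for).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ShortMessages builds the byte-oriented Short Messages Test set: m/8+1
// messages of 0 .. m/8 bytes, m being the hash block length in bits.
func ShortMessages(m int) [][]byte {
	msgs := make([][]byte, 0, m/8+1)
	for n := 0; n <= m/8; n++ {
		msgs = append(msgs, randomBytes(n))
	}
	return msgs
}

// LongMessages builds the byte-oriented Selected Long Messages Test set:
// m/8 messages, the i-th of length 512 + 8*99*i bits, 1 <= i <= m/8.
func LongMessages(m int) [][]byte {
	msgs := make([][]byte, 0, m/8)
	for i := 1; i <= m/8; i++ {
		msgs = append(msgs, randomBytes((512+8*99*i)/8))
	}
	return msgs
}

// CompareHash feeds each message to both implementations and returns the
// byte length of the first message whose digests disagree, or -1 if all match.
func CompareHash(ref, tsf HashFn, msgs [][]byte) int {
	for _, msg := range msgs {
		if !bytes.Equal(ref(msg), tsf(msg)) {
			return len(msg)
		}
	}
	return -1
}

// HMACSet is one (key, message) pair of the 15 the keyed-hash test composes.
type HMACSet struct{ Key, Msg []byte }

// HMACSets composes n sets for one parameter set with keys of keyLen bytes;
// message lengths grow from set to set so that block boundaries are crossed.
func HMACSets(n, keyLen int) []HMACSet {
	sets := make([]HMACSet, n)
	for i := range sets {
		sets[i] = HMACSet{Key: randomBytes(keyLen), Msg: randomBytes(16 + 7*i)}
	}
	return sets
}

// CompareHMAC returns the index of the first set whose tags disagree, or -1.
func CompareHMAC(ref, tsf MACFn, sets []HMACSet) int {
	for i, s := range sets {
		if !hmac.Equal(ref(s.Key, s.Msg), tsf(s.Key, s.Msg)) {
			return i
		}
	}
	return -1
}

func main() {
	// Stand-in TSF with a constructed defect: the digest of any 13-byte
	// message has one bit flipped. The short-messages set exposes it.
	faulty := func(msg []byte) []byte {
		d := sha256Ref(msg)
		if len(msg) == 13 {
			d[0] ^= 0x01
		}
		return d
	}
	fmt.Println("correct TSF, short messages:", CompareHash(sha256Ref, sha256Ref, ShortMessages(512)))
	fmt.Println("faulty TSF, short messages:", CompareHash(sha256Ref, faulty, ShortMessages(512)))
	fmt.Println("correct TSF, 15 HMAC sets:", CompareHMAC(hmacSHA256Ref, hmacSHA256Ref, HMACSets(15, 32)))
}
```

Reporting the offending message length (or set index) rather than a bare pass/fail is what makes the result useful in an evaluation report: it points straight at the padding or block-boundary case the TSF got wrong.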
FCS_COP.1/Sig Cryptographic Operation (Signature Algorithms)
FCS_COP.1.1/Sig
The TSF shall perform [cryptographic signature services (generation and verification)] in accordance with a specified cryptographic algorithm [selection:
RSA schemes using cryptographic key sizes [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 4],
ECDSA schemes using [“NIST curves” P-256, P-384 and [selection: P-521, no other curves]] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5]
].
Application Note: The ST Author should choose the algorithm implemented to perform digital signatures; if more than one algorithm is available, this requirement should be iterated to specify the functionality. For the algorithm chosen, the ST author should make the appropriate assignments/selections to specify the parameters that are implemented for that algorithm.
Evaluation Activities
FCS_COP.1/Sig
Tests
The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.
ECDSA Algorithm Tests
ECDSA FIPS 186-4 Signature Generation Test
For each supported NIST curve (i.e., P-256, P-384 and P-521) and SHA function pair, the evaluator shall generate 10 1024-bit long messages and obtain for each message a public key and the resulting signature values R and S. To determine correctness, the evaluator shall use the signature verification function of a known good implementation.
ECDSA FIPS 186-4 Signature Verification Test
For each supported NIST curve (i.e., P-256, P-384 and P-521) and SHA function pair, the evaluator shall generate a set of 10 1024-bit message, public key and signature tuples and modify one of the values (message, public key or signature) in five of the 10 tuples. The evaluator shall obtain in response a set of 10 PASS/FAIL values.
RSA Signature Algorithm Tests
Signature Generation Test
The evaluator shall verify the implementation of RSA Signature Generation by the TOE using the Signature Generation Test. To conduct this test, the evaluator shall generate or obtain 10 messages from a trusted reference implementation for each modulus size/SHA combination supported by the TSF. The evaluator shall have the TOE use their private key and modulus value to sign these messages. The evaluator shall verify the correctness of the TSF’s signature using a known good implementation and the associated public keys to verify the signatures.
Signature Verification Test
The evaluator shall perform the Signature Verification test to verify the ability of the TOE to recognize another party’s valid and invalid signatures. The evaluator shall inject errors into the test vectors produced during the Signature Verification Test by introducing errors in some of the public keys e, messages, IR format, or signatures. The TOE attempts to verify the signatures and returns success or failure. The evaluator shall use these test vectors to emulate the signature verification test using the corresponding parameters and verify that the TOE detects these errors.
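As an added worked example of the ECDSA Signature Verification Test described above (not taken from the Profile or from any product's test suite), the Go program below generates 10 tuples of 1024-bit message, P-256 public key and SHA-256 signature, corrupts one field in five of them (cycling through message, public key and signature), and collects the 10 PASS/FAIL results. The standard library plays both the signer and the implementation under test; the RSA variant follows the same shape with the PKCS #1 sign/verify calls and is not shown. Type and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SigTuple is one (message, public key, signature) triple of the ECDSA
// FIPS 186-4 Signature Verification Test; Sig is ASN.1 DER-encoded (r, s).
type SigTuple struct {
	Msg []byte
	Pub *ecdsa.PublicKey
	Sig []byte
}

// GenerateTuples signs n pseudorandom 1024-bit (128-byte) messages under a
// fresh P-256 key with SHA-256, as the Signature Generation Test requires.
func GenerateTuples(n int) ([]SigTuple, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tuples := make([]SigTuple, n)
	for i := range tuples {
		msg := make([]byte, 128)
		if _, err := rand.Read(msg); err != nil {
			return nil, err
		}
		digest := sha256.Sum256(msg)
		sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
		if err != nil {
			return nil, err
		}
		tuples[i] = SigTuple{Msg: msg, Pub: &priv.PublicKey, Sig: sig}
	}
	return tuples, nil
}

// Corrupt modifies exactly one field in each tuple at the given indices,
// cycling through the three error kinds the test names: message, public
// key, signature. Copies are taken so the untouched tuples keep their data.
func Corrupt(tuples []SigTuple, idx []int) error {
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	for k, i := range idx {
		switch k % 3 {
		case 0: // wrong message
			m := append([]byte(nil), tuples[i].Msg...)
			m[0] ^= 0xff
			tuples[i].Msg = m
		case 1: // public key of an unrelated key pair
			tuples[i].Pub = &other.PublicKey
		default: // damaged signature value s
			s := append([]byte(nil), tuples[i].Sig...)
			s[len(s)-1] ^= 0xff
			tuples[i].Sig = s
		}
	}
	return nil
}

// Verify runs the implementation under test (here the standard library)
// over every tuple and returns one PASS (true) / FAIL (false) per tuple.
func Verify(tuples []SigTuple) []bool {
	results := make([]bool, len(tuples))
	for i, t := range tuples {
		digest := sha256.Sum256(t.Msg)
		results[i] = ecdsa.VerifyASN1(t.Pub, digest[:], t.Sig)
	}
	return results
}

func main() {
	tuples, err := GenerateTuples(10)
	if err != nil {
		panic(err)
	}
	if err := Corrupt(tuples, []int{1, 3, 5, 7, 9}); err != nil {
		panic(err)
	}
	fmt.Println(Verify(tuples)) // [true false true false true false true false true false]
}
```

The evaluator's real check is the comparison of this PASS/FAIL vector with the one expected from the corruption pattern: a TOE that reports PASS for any of the five modified tuples has failed the test, whichever field was altered.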
FCS_COP.1/UDE Cryptographic Operation (AES Data Encryption/Decryption)
FCS_COP.1.1/UDE
The TSF shall perform [encryption and decryption] in accordance with a specified cryptographic algorithm [selection:
AES Key Wrap (KW) (as defined in NIST SP 800-38F),
AES Key Wrap with Padding (KWP) (as defined in NIST SP 800-38F),
AES-GCM (as defined in NIST SP 800-38D),
AES-CCM (as defined in NIST SP 800-38C),
AES-XTS (as defined in NIST SP 800-38E) mode,
AES-CCMP-256 (as defined in NIST SP 800-38C and IEEE 802.11ac-2013),
AES-GCMP-256 (as defined in NIST SP 800-38D and IEEE 802.11ac-2013),
AES-CCMP (as defined in FIPS PUB 197, NIST SP 800-38C and IEEE 802.11-2012),
AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode,
AES-CTR (as defined in NIST SP 800-38A) mode
] and cryptographic key sizes [selection: 128-bit key sizes, 256-bit key sizes].
Application Note: For the first selection of FCS_COP.1.1/UDE, the ST author should choose the mode or modes in which AES operates. For the second selection, the ST author should choose the key sizes that are supported by this functionality.
Validation Guidelines:
Rule #9: If the SSH Package is included in the ST then "AES-CTR (as defined in NIST SP 800-38A) mode," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
Rule #10: If the TOE implements IPSec then "AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode," "AES-GCM (as defined in NIST SP 800-38D)," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
Evaluation Activities
FCS_COP.1/UDE
The following tests require the developer to provide access to a test platform that provides the evaluator with tools that are typically not found on factory products.
Tests
AES-CBC Tests
AES-CBC Known Answer Tests
There are four Known Answer Tests (KATs), described below. In all KATs, the plaintext, ciphertext, and IV values shall be 128-bit blocks. The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation.
KAT-1. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 10 plaintext values and obtain the ciphertext value that results from AES-CBC encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 128-bit all-zeros key, and the other five shall be encrypted with a 256-bit all-zeros key. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using 10 ciphertext values as input and AES-CBC decryption.
KAT-2. To test the encrypt functionality of AES-CBC, the evaluator shall supply a set of 10 key values and obtain the ciphertext value that results from AES-CBC encryption of an all-zeros plaintext using the given key value and an IV of all zeros. Five of the keys shall be 128-bit keys, and the other five shall be 256-bit keys. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using an all-zero ciphertext value as input and AES-CBC decryption.
KAT-3. To test the encrypt functionality of AES-CBC, the evaluator shall supply the two sets of key values described below and obtain the ciphertext value that results from AES encryption of an all-zeros plaintext using the given key value and an IV of all zeros. The first set of keys shall have 128 128-bit keys, and the second set shall have 256 256-bit keys. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1, N]. To test the decrypt functionality of AES-CBC, the evaluator shall supply the two sets of key and ciphertext value pairs described below and obtain the plaintext value that results from AES-CBC decryption of the given ciphertext using the given key and an IV of all zeros. The first set of key/ciphertext pairs shall have 128 128-bit key/ciphertext pairs, and the second set of key/ciphertext pairs shall have 256 256-bit key/ciphertext pairs. Key i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1, N]. The ciphertext value in each pair shall be the value that results in an all-zeros plaintext when decrypted with its corresponding key.
KAT-4. To test the encrypt functionality of AES-CBC, the evaluator shall supply the set of 128 plaintext values described below and obtain the two ciphertext values that result from AES-CBC encryption of the given plaintext using a 128-bit key value of all zeros with an IV of all zeros and using a 256-bit key value of all zeros with an IV of all zeros, respectively. Plaintext value i in each set shall have the leftmost i bits be ones and the rightmost 128-i bits be zeros, for i in [1, 128]. To test the decrypt functionality of AES-CBC, the evaluator shall perform the same test as for encrypt, using ciphertext values of the same form as the plaintext in the encrypt test as input and AES-CBC decryption.
AES-CBC Multi-Block Message Test
The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 < i ≤ 10. The evaluator shall choose a key, an IV and plaintext message of length i blocks and encrypt the message, using the mode to be tested, with the chosen key and IV. The ciphertext shall be compared to the result of encrypting the same plaintext message with the same key and IV using a known good implementation. The evaluator shall also test the decrypt functionality for each mode by decrypting an i-block message where 1 < i ≤ 10. The evaluator shall choose a key, an IV and a ciphertext message of length i blocks and decrypt the message, using the mode to be tested, with the chosen key and IV. The plaintext shall be compared to the result of decrypting the same ciphertext message with the same key and IV using a known good implementation.
AES-CBC Monte Carlo Tests
The evaluator shall test the encrypt functionality using a set of 200 plaintext, IV, and key 3-tuples. 100 of these shall use 128 bit keys, and 100 shall use 256 bit keys. The plaintext and IV values shall be 128-bit blocks. For each 3-tuple, 1000 iterations shall be run as follows:
    # Input: PT, IV, Key
    for i = 1 to 1000:
        if i == 1:
            CT[1] = AES-CBC-Encrypt(Key, IV, PT)
            PT = IV
        else:
            CT[i] = AES-CBC-Encrypt(Key, PT)
            PT = CT[i-1]
The ciphertext computed in the 1000th iteration (i.e., CT[1000]) is the result for that trial. This result shall be compared to the result of running 1000 iterations with the same values using a known good implementation. The evaluator shall test the decrypt functionality using the same test as for encrypt, exchanging CT and PT and replacing AES-CBC-Encrypt with AES-CBC-Decrypt.
AES-CCM Tests
The evaluator shall test the generation-encryption and decryption-verification functionality of AES-CCM for the following input parameter and tag lengths:
128 bit and 256 bit keys
Two payload lengths. One payload length shall be the shortest supported payload length, greater than or equal to zero bytes. The other payload length shall be the longest supported payload length, less than or equal to 32 bytes (256 bits).
Two or three associated data lengths. One associated data length shall be 0, if supported. One associated data length shall be the shortest supported payload length, greater than or equal to zero bytes. One associated data length shall be the longest supported payload length, less than or equal to 32 bytes (256 bits). If the implementation supports an associated data length of 2^16 bytes, an associated data length of 2^16 bytes shall be tested.
Nonce lengths. All supported nonce lengths between 7 and 13 bytes, inclusive, shall be tested.
Tag lengths. All supported tag lengths of 4, 6, 8, 10, 12, 14 and 16 bytes shall be tested.
To test the generation-encryption functionality of AES-CCM, the evaluator shall perform the following four tests:
Test 1: For EACH supported key and associated data length and ANY supported payload, nonce and tag length, the evaluator shall supply one key value, one nonce value and 10 pairs of associated data and payload values and obtain the resulting ciphertext.
Test 2: For EACH supported key and payload length and ANY supported associated data, nonce and tag length, the evaluator shall supply one key value, one nonce value and 10 pairs of associated data and payload values and obtain the resulting ciphertext.
Test 3: For EACH supported key and nonce length and ANY supported associated data, payload and tag length, the evaluator shall supply one key value and 10 associated data, payload and nonce value 3-tuples and obtain the resulting ciphertext.
Test 4: For EACH supported key and tag length and ANY supported associated data, payload and nonce length, the evaluator shall supply one key value, one nonce value and 10 pairs of associated data and payload values and obtain the resulting ciphertext.
To determine correctness in each of the above tests, the evaluator shall compare the ciphertext with the result of generation-encryption of the same inputs with a known good implementation. To test the decryption-verification functionality of AES-CCM, for EACH combination of supported associated data length, payload length, nonce length and tag length, the evaluator shall supply a key value and 15 nonce, associated data and ciphertext 3-tuples and obtain either a FAIL result or a PASS result with the decrypted payload. The evaluator shall supply 10 tuples that should FAIL and 5 that should PASS per set of 15. Additionally, the evaluator shall use tests from the IEEE 802.11-02/362r6 document “Proposed Test vectors for IEEE 802.11 TGi”, dated September 10, 2002, Section 2.1 AES-CCMP Encapsulation Example and Section 2.2 Additional AES CCMP Test Vectors to further verify the IEEE 802.11-2007 implementation of AES-CCMP.
AES-GCM Test
The evaluator shall test the authenticated encrypt functionality of AES-GCM for each combination of the following input parameter lengths:
128 bit and 256 bit keys
Two plaintext lengths. One of the plaintext lengths shall be a non-zero integer multiple of 128 bits, if supported. The other plaintext length shall not be an integer multiple of 128 bits, if supported.
Three AAD lengths. One AAD length shall be 0, if supported. One AAD length shall be a non-zero integer multiple of 128 bits, if supported. One AAD length shall not be an integer multiple of 128 bits, if supported.
Two IV lengths. If 96 bit IV is supported, 96 bits shall be one of the two IV lengths tested.
The evaluator shall test the encrypt functionality using a set of 10 key, plaintext, AAD, and IV tuples for each combination of parameter lengths above and obtain the ciphertext value and tag that results from AES-GCM authenticated encrypt. Each supported tag length shall be tested at least once per set of 10. The IV value may be supplied by the evaluator or the implementation being tested, as long as it is known. The evaluator shall test the decrypt functionality using a set of 10 key, ciphertext, tag, AAD, and IV 5-tuples for each combination of parameter lengths above and obtain a Pass/Fail result on authentication and the decrypted plaintext if Pass. The set shall include five tuples that Pass and five that Fail. The results from each test may either be obtained by the evaluator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation.
XTS-AES Test
The evaluator shall test the encrypt functionality of XTS-AES for each combination of the following input parameter lengths:
256 bit (for AES-128) and 512 bit (for AES-256) keys
Three data unit (i.e., plaintext) lengths. One of the data unit lengths shall be a non-zero integer multiple of 128 bits, if supported. One of the data unit lengths shall be an integer multiple of 128 bits, if supported. The third data unit length shall be either the longest supported data unit length or 2^16 bits, whichever is smaller.
using a set of 100 (key, plaintext and 128-bit random tweak value) 3-tuples and obtain the ciphertext that results from XTS-AES encrypt. The evaluator may supply a data unit sequence number instead of the tweak value if the implementation supports it. The data unit sequence number is a base-10 number ranging between 0 and 255 that implementations convert to a tweak value internally. The evaluator shall test the decrypt functionality of XTS-AES using the same test as for encrypt, replacing plaintext values with ciphertext values and XTS-AES encrypt with XTS-AES decrypt.
AES Key Wrap (AES-KW) and Key Wrap with Padding (AES-KWP) Test
The evaluator shall test the authenticated encryption functionality of AES-KW for EACH combination of the following input parameter lengths:
128 and 256 bit key encryption keys (KEKs)
Three plaintext lengths. One of the plaintext lengths shall be two semi-blocks (128 bits). One of the plaintext lengths shall be three semi-blocks (192 bits). The third data unit length shall be the longest supported plaintext length less than or equal to 64 semi-blocks (4096 bits).
using a set of 100 key and plaintext pairs and obtain the ciphertext that results from AES-KW authenticated encryption. To determine correctness, the evaluator shall use the AES-KW authenticated-encryption function of a known good implementation. The evaluator shall test the authenticated-decryption functionality of AES-KW using the same test as for authenticated-encryption, replacing plaintext values with ciphertext values and AES-KW authenticated-encryption with AES-KW authenticated-decryption. The evaluator shall test the authenticated-encryption functionality of AES-KWP using the same test as for AES-KW authenticated-encryption with the following change in the three plaintext lengths: One plaintext length shall be one octet. One plaintext length shall be 20 octets (160 bits). One plaintext length shall be the longest supported plaintext length less than or equal to 512 octets (4096 bits). The evaluator shall test the authenticated-decryption functionality of AES-KWP using the same test as for AES-KWP authenticated-encryption, replacing plaintext values with ciphertext values and AES-KWP authenticated-encryption with AES-KWP authenticated-decryption.
AES-CTR Test
Test 1: Known Answer Tests (KATs)
There are four Known Answer Tests (KATs) described below. For all KATs, the plaintext, initialization vector (IV), and ciphertext values shall be 128-bit blocks. The results from each test may either be obtained by the validator directly or by supplying the inputs to the implementer and receiving the results in response. To determine correctness, the evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good implementation.
Test 1a: To test the encrypt functionality, the evaluator shall supply a set of 10 plaintext values and obtain the ciphertext value that results from encryption of the given plaintext using a key value of all zeros and an IV of all zeros. Five plaintext values shall be encrypted with a 128-bit all zeros key, and the other five shall be encrypted with a 256-bit all zeros key. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using 10 ciphertext values as input.
Test 1b: To test the encrypt functionality, the evaluator shall supply a set of 10 key values and obtain the ciphertext value that results from encryption of an all zeros plaintext using the given key value and an IV of all zeros. Five of the key values shall be 128-bit keys, and the other five shall be 256-bit keys. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using an all zero ciphertext value as input.
Test 1c: To test the encrypt functionality, the evaluator shall supply the two sets of key values described below and obtain the ciphertext values that result from AES encryption of an all zeros plaintext using the given key values and an IV of all zeros. The first set of keys shall have 128 128-bit keys, and the second shall have 256 256-bit keys. Key_i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i in [1, N]. To test the decrypt functionality, the evaluator shall supply the two sets of key and ciphertext value pairs described below and obtain the plaintext value that results from decryption of the given ciphertext using the given key values and an IV of all zeros. The first set of key/ciphertext pairs shall have 128 128-bit key/ciphertext pairs, and the second set of key/ciphertext pairs shall have 256 256-bit pairs. Key_i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros for i in [1, N]. The ciphertext value in each pair shall be the value that results in an all zeros plaintext when decrypted with its corresponding key.
Test 1d: To test the encrypt functionality, the evaluator shall supply the set of 128 plaintext values described below and obtain the two ciphertext values that result from encryption of the given plaintext using a 128-bit key value of all zeros and using a 256 bit key value of all zeros, respectively, and an IV of all zeros. Plaintext value i in each set shall have the leftmost i bits be ones and the rightmost 128-i bits be zeros, for i in [1, 128]. To test the decrypt functionality, the evaluator shall perform the same test as for encrypt, using ciphertext values of the same form as the plaintext in the encrypt test as input.
Test 2: Multi-Block Message Test
The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 < i ≤ 10. For each i the evaluator shall choose a key, IV, and plaintext message of length i blocks and encrypt the message, using the mode to be tested, with the chosen key. The ciphertext shall be compared to the result of encrypting the same plaintext message with the same key and IV using a known good implementation. The evaluator shall also test the decrypt functionality by decrypting an i-block message where 1 < i ≤ 10. For each i the evaluator shall choose a key and a ciphertext message of length i blocks and decrypt the message, using the mode to be tested, with the chosen key. The plaintext shall be compared to the result of decrypting the same ciphertext message with the same key using a known good implementation.
Test 3: Monte-Carlo Test
For AES-CTR mode perform the Monte Carlo Test for ECB Mode on the encryption engine of the counter mode implementation. There is no need to test the decryption engine. The evaluator shall test the encrypt functionality using 200 plaintext/key pairs. 100 of these shall use 128 bit keys, and 100 of these shall use 256 bit keys. The plaintext values shall be 128-bit blocks. For each pair, 1000 iterations shall be run as follows:
For AES-ECB mode
    # Input: PT, Key
    for i = 1 to 1000:
        CT[i] = AES-ECB-Encrypt(Key, PT)
        PT = CT[i]
The ciphertext computed in the 1000th iteration is the result for that trial. This result shall be compared to the result of running 1000 iterations with the same values using a known good implementation.
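The AES-CBC Monte Carlo pseudocode given earlier and the ECB Monte Carlo Test for AES-CTR in Test 3 are carried out below in Go as an added example (not code from the Profile or from any evaluated implementation). One assumption is made explicit: from the second iteration on, the CBC chain continues with the previous output block as the IV, which the pseudocode leaves implicit; the decrypt variant applies the same exchange of CT and PT the text specifies. The FIPS 197 Appendix C.1 known answer serves as a sanity check, since with a zero IV a one-iteration CBC run reduces to a single ECB block. Function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

func clone(b []byte) []byte { return append([]byte(nil), b...) }

// CBCEncryptMCT runs the AES-CBC Monte Carlo encrypt chain for one
// (PT, IV, Key) 3-tuple and returns CT[iterations]. Assumption made explicit:
// from iteration 2 on the IV is the previous output block, i.e. the CBC
// chain continues across iterations.
func CBCEncryptMCT(key, iv, pt []byte, iterations int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	curIV, curPT := clone(iv), clone(pt)
	var prevCT []byte // CT[i-1]
	for i := 1; i <= iterations; i++ {
		ct := make([]byte, aes.BlockSize)
		cipher.NewCBCEncrypter(block, curIV).CryptBlocks(ct, curPT)
		if i == 1 {
			curPT = clone(iv) // PT = IV
		} else {
			curPT = prevCT // PT = CT[i-1]
		}
		prevCT, curIV = ct, ct
	}
	return prevCT, nil
}

// CBCDecryptMCT is the same chain with CT and PT exchanged and
// AES-CBC-Decrypt in place of AES-CBC-Encrypt; it returns PT[iterations].
func CBCDecryptMCT(key, iv, ct []byte, iterations int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	curIV, curCT := clone(iv), clone(ct)
	var prevPT []byte // PT[i-1]
	for i := 1; i <= iterations; i++ {
		pt := make([]byte, aes.BlockSize)
		cipher.NewCBCDecrypter(block, curIV).CryptBlocks(pt, curCT)
		if i == 1 {
			curCT = clone(iv)
		} else {
			curCT = prevPT
		}
		prevPT, curIV = pt, pt
	}
	return prevPT, nil
}

// ECBEncryptMCT is the Monte Carlo Test for the ECB core of AES-CTR:
// CT[i] = AES-ECB-Encrypt(Key, PT); PT = CT[i].
func ECBEncryptMCT(key, pt []byte, iterations int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	cur := clone(pt)
	for i := 1; i <= iterations; i++ {
		next := make([]byte, aes.BlockSize)
		block.Encrypt(next, cur)
		cur = next
	}
	return cur, nil
}

func main() {
	// FIPS 197 Appendix C.1 vector: with a zero IV, one CBC iteration is a
	// single ECB block, so the published known answer must come back.
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	iv := make([]byte, aes.BlockSize)
	ct1, _ := CBCEncryptMCT(key, iv, pt, 1)
	fmt.Println("CT[1]    =", hex.EncodeToString(ct1)) // 69c4e0d86a7b0430d8cdb78070b4c55a
	ct1000, _ := CBCEncryptMCT(key, iv, pt, 1000)
	fmt.Println("CT[1000] =", hex.EncodeToString(ct1000))
}
```

In an evaluation the 1000-iteration outputs for the 200 tuples are what get compared with the known-good implementation; the single-iteration known answer only confirms the harness itself is wired correctly before that comparison is trusted.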
If "invoke platform-provided" is selected, the evaluator confirms that SSH connections are only successful if appropriate algorithms and appropriate key sizes are configured. To do this, the evaluator shall perform the following tests:
Test 1: [Conditional: TOE is an SSH server] The evaluator shall configure an SSH client to connect with an invalid cryptographic algorithm and key size for each listening SSH socket connection on the TOE. The evaluator initiates SSH client connections to each listening SSH socket connection on the TOE and observes that the connection fails in each attempt.
Test 2: [Conditional: TOE is an SSH client] The evaluator shall configure a listening SSH socket on a remote SSH server that accepts only invalid cryptographic algorithms and keys. The evaluator uses the TOE to attempt an SSH connection to this server and observes that the connection fails.
FCS_ENT_EXT.1 Entropy for Virtual Machines
FCS_ENT_EXT.1.1
The TSF shall provide a mechanism to make available to VMs entropy that meets FCS_RBG_EXT.1 through [selection: Hypercall interface, virtual device interface, passthrough access to hardware entropy source].
FCS_ENT_EXT.1.2 The TSF shall provide independent entropy across multiple VMs.
Application Note: This requirement ensures that sufficient entropy is available to any VM that requires it. The entropy need not provide high-quality entropy for every possible method that a VM might acquire it. The VMM must, however, provide some means for VMs to get sufficient entropy. For example, the VMM can provide an interface that returns entropy to a Guest VM. Alternatively, the VMM could provide pass-through access to entropy sources provided by the host platform.
This requirement allows for three general ways of providing entropy to guests: 1) The VS can provide a Hypercall accessible to VM-aware guests, 2) access to a virtualized device that provides entropy, or 3) pass-through access to a hardware entropy source (including a source of random numbers). In all cases, it is possible that the guest is made VM-aware through installation of software or drivers. For the second and third cases, it is possible that the guest could be VM-unaware. There is no requirement that the TOE provide entropy sources as expected by VM-unaware guests. That is, the TOE does not have to anticipate every way a guest might try to acquire entropy as long as it supplies a mechanism that can be used by VM-aware guests, or provides access to a standard mechanism that a VM-unaware guest would use.
The ST author should select “Hypercall interface” if the TSF provides an API function through which guest-resident software can obtain entropy or random numbers. The ST author should select “virtual device interface” if the TSF presents a virtual device interface to the Guest OS through which it can obtain entropy or random numbers. Such an interface could present a virtualized real device, such as a TPM, that can be accessed by VM-unaware guests, or a virtualized fictional device that would require the Guest OS to be VM-aware. The ST author should select “passthrough access to hardware entropy source” if the TSF permits Guest VMs to have direct access to hardware entropy or random number source on the platform. The ST author should select all items that are appropriate.
For FCS_ENT_EXT.1.2, the VMM must ensure that the provision of entropy to one VM cannot affect the quality of entropy provided to another VM on the same platform.
Evaluation Activities
FCS_ENT_EXT.1
TSS
The evaluator shall verify that the TSS describes how the TOE provides entropy to Guest VMs, and how to access the interface to acquire entropy or random numbers. The evaluator shall verify that the TSS describes the mechanisms for ensuring that one VM does not affect the entropy acquired by another.
Tests
The evaluator shall perform the following tests:
Test 1: The evaluator shall invoke entropy from each Guest VM. The evaluator shall verify that each VM acquires values from the interface.
Test 2: The evaluator shall invoke entropy from multiple VMs as nearly simultaneously as practicable. The evaluator shall verify that the entropy used in one VM is not identical to that invoked from the other VMs.
FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
FCS_RBG_EXT.1.1
The TSF shall perform all deterministic random bit generation services in accordance with NIST Special Publication 800-90A using [selection: Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by an entropy source that accumulates entropy from [selection: a software-based noise source, a hardware-based noise source] with a minimum of [selection: 128 bits, 192 bits, 256 bits] of entropy at least equal to the greatest security strength, according to NIST SP 800-57, of the keys and hashes that it will generate.
Application Note: NIST SP 800-90A contains three different methods of generating random numbers; each of these, in turn, depends on underlying cryptographic primitives (hash functions/ciphers). The ST author will select the function used, and include the specific underlying cryptographic primitives used in the requirement. While any of the identified hash functions (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) are allowed for Hash_DRBG or HMAC_DRBG, only AES-based implementations for CTR_DRBG are allowed.
If the key length for the AES implementation used here is different than that used to encrypt the user data, then FCS_COP.1/UDE may have to be adjusted or iterated to reflect the different key length. For the selection in FCS_RBG_EXT.1.2, the ST author selects the minimum number of bits of entropy that is used to seed the RBG.
Evaluation Activities
FCS_RBG_EXT.1
Documentation shall be produced—and the evaluator shall perform the activities—in accordance with
Tests
The evaluator shall also perform the following tests, depending on the standard to which the RBG conforms. The evaluator shall perform 15 trials for the RBG implementation. If the RBG is configurable, the evaluator shall perform 15 trials for each configuration. The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RBG functionality.
If the RBG has prediction resistance enabled, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) generate a second block of random bits, (4) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0–14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The next two are additional input and entropy input for the first call to generate. The final two are additional input and entropy input for the second call to generate. These values are randomly generated. “Generate one block of random bits” means to generate random bits with the number of returned bits equal to the Output Block Length (as defined in NIST SP 800-90A).
If the RBG does not have prediction resistance, each trial consists of (1) instantiate DRBG, (2) generate the first block of random bits, (3) reseed, (4) generate a second block of random bits, (5) uninstantiate. The evaluator verifies that the second block of random bits is the expected value. The evaluator shall generate eight input values for each trial. The first is a count (0–14). The next three are entropy input, nonce, and personalization string for the instantiate operation. The fifth value is additional input to the first call to generate. The sixth and seventh are additional input and entropy input to the call to reseed. The final value is additional input to the second generate call.
The following paragraphs contain more information on some of the input values to be generated/selected by the evaluator.
Entropy input: the length of the entropy input value must equal the seed length.
Nonce: If a nonce is supported (CTR_DRBG with no df does not use a nonce), the nonce bit length is one-half the seed length.
Personalization string: The length of the personalization string must be <= seed length. If the implementation only supports one personalization string length, then the same length can be used for both values. If more than one string length is supported, the evaluator shall use personalization strings of two different lengths. If the implementation does not use a personalization string, no value needs to be supplied.
Additional input: the additional input bit lengths have the same defaults and restrictions as the personalization string lengths.
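The trial procedure above, carried out against an HMAC_DRBG, as an added example that is not part of the Protection Profile or any vendor's implementation. The DRBG follows NIST SP 800-90A section 10.1.2; the trial harness runs the no-prediction-resistance sequence (instantiate, generate, reseed, generate, uninstantiate) with the eight inputs the text lists, for count 0 through 14. The 32-byte entropy length is a constructed value (a real evaluation takes the seed length from the vendor's documentation), and since this example has no vendor-supplied expected values, each trial is re-run on the same inputs to show the output block is reproducible.

```python
"""HMAC_DRBG (NIST SP 800-90A, section 10.1.2) plus the FCS_RBG_EXT.1 trial
procedure for a DRBG without prediction resistance. Added example; not code
from the Protection Profile. ENTROPY_LEN is a constructed value."""
import hashlib
import hmac
import os


class HmacDrbg:
    """Minimal HMAC_DRBG over a hashlib hash (SHA-256 by default)."""

    RESEED_INTERVAL = 1 << 48  # maximum permitted by SP 800-90A for HMAC_DRBG

    def __init__(self, hash_name="sha256"):
        self.hash_name = hash_name
        self.outlen = hashlib.new(hash_name).digest_size  # Output Block Length
        self.key = None
        self.value = None
        self.reseed_counter = 0

    def _hmac(self, key, data):
        return hmac.new(key, data, self.hash_name).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: fold provided_data into the (K, V) state
        self.key = self._hmac(self.key, self.value + b"\x00" + provided_data)
        self.value = self._hmac(self.key, self.value)
        if provided_data:
            self.key = self._hmac(self.key, self.value + b"\x01" + provided_data)
            self.value = self._hmac(self.key, self.value)

    def instantiate(self, entropy_input, nonce, personalization=b""):
        self.key = b"\x00" * self.outlen
        self.value = b"\x01" * self.outlen
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def reseed(self, entropy_input, additional_input=b""):
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes, additional_input=b""):
        if self.key is None:
            raise RuntimeError("DRBG is not instantiated")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:num_bytes]

    def uninstantiate(self):
        self.key = self.value = None
        self.reseed_counter = 0


ENTROPY_LEN = 32  # constructed: bytes of entropy input per instantiate/reseed


def make_trial_inputs(count, entropy_len=ENTROPY_LEN):
    """The eight per-trial inputs listed by the PP (no prediction resistance).
    The nonce is half the entropy length, as the PP specifies."""
    return {
        "count": count,
        "entropy_input": os.urandom(entropy_len),
        "nonce": os.urandom(entropy_len // 2),
        "personalization": os.urandom(entropy_len),
        "addl_generate1": os.urandom(entropy_len),
        "addl_reseed": os.urandom(entropy_len),
        "entropy_reseed": os.urandom(entropy_len),
        "addl_generate2": os.urandom(entropy_len),
    }


def run_trial(inputs, hash_name="sha256"):
    """One trial; returns the second output block, the value the PP checks."""
    drbg = HmacDrbg(hash_name)
    drbg.instantiate(inputs["entropy_input"], inputs["nonce"], inputs["personalization"])
    drbg.generate(drbg.outlen, inputs["addl_generate1"])  # first block, not checked
    drbg.reseed(inputs["entropy_reseed"], inputs["addl_reseed"])
    second_block = drbg.generate(drbg.outlen, inputs["addl_generate2"])
    drbg.uninstantiate()
    return second_block


def run_all_trials(hash_name="sha256", trials=15):
    """15 trials (count 0 to 14). Each is re-run on identical inputs so the
    implementation is shown to be deterministic; returns (count, match, block)."""
    results = []
    for count in range(trials):
        inputs = make_trial_inputs(count)
        block = run_trial(inputs, hash_name)
        results.append((count, block == run_trial(inputs, hash_name), block))
    return results
```

In a real evaluation the `second_block` of each trial is compared against the expected value computed by an independent reference for the same eight inputs; the determinism check here is the part of that comparison that can be shown without vendor data.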
5.1.4 User Data Protection (FDP)
FDP_HBI_EXT.1 Hardware-Based Isolation Mechanisms
FDP_HBI_EXT.1.1
The TSF shall use [selection: no mechanism, [assignment: list of platform-provided, hardware-based mechanisms]] to constrain a Guest VM's direct access to the following physical devices: [selection: no devices, [assignment: physical devices to which the VMM allows Guest VMs physical access]].
Application Note: The TSF must use available hardware-based isolation mechanisms to constrain VMs when VMs have direct access to physical devices. “Direct access” in this context means that the VM can read or write device memory or access device I/O ports without the VMM being able to intercept and validate every transaction.
Evaluation Activities
FDP_HBI_EXT.1
TSS
The evaluator shall ensure that the TSS provides evidence that hardware-based isolation mechanisms are used to constrain VMs when VMs have direct access to physical devices, including an explanation of the conditions under which the TSF invokes these protections.
Guidance
The evaluator shall verify that the operational guidance contains instructions on how to ensure that the platform-provided, hardware-based mechanisms are enabled.
FDP_PPR_EXT.1 Physical Platform Resource Controls
FDP_PPR_EXT.1.1
The TSF shall allow an authorized administrator to control Guest VM access to the following physical platform resources: [assignment: list of physical platform resources the VMM is able to control access to].
FDP_PPR_EXT.1.2 The TSF shall explicitly deny all Guest VMs access to the following physical platform resources: [selection: no physical platform resources, [assignment: list of physical platform resources to which access is explicitly denied]].
FDP_PPR_EXT.1.3 The TSF shall explicitly allow all Guest VMs access to the following physical platform resources: [selection: no physical platform resources, [assignment: list of physical platform resources to which access is always allowed]].
Application Note: For purposes of this requirement, physical platform resources are divided into three categories:
1. those to which Guest OS access is configurable and moderated by the VMM
2. those to which the Guest OS is never allowed to have direct access, and
3. those to which the Guest OS is always allowed to have direct access.
For element 1, the ST author lists the physical platform resources that can be configured for Guest VM access by an administrator. For element 2, the ST author lists the physical platform resources to which Guest VMs may never be allowed direct access. If there are no such resources, the ST author selects "no physical platform resources." Likewise, any resources to which all Guest VMs automatically have access are to be listed in the third element. If there are no such resources, then "no physical platform resources" is selected.
Evaluation Activities
FDP_PPR_EXT.1
TSS
The evaluator shall examine the TSS to determine that it describes the mechanism by which the VMM controls a Guest VM's access to physical platform resources. This description shall cover all of the physical platforms allowed in the evaluated configuration by the ST. It should explain how the VMM distinguishes among Guest VMs, and how each physical platform resource that is controllable (that is, listed in the assignment statement in the first element) is identified to an Administrator. The evaluator shall ensure that the TSS describes how the Guest VM is associated with each physical resource, and how other Guest VMs cannot access a physical resource without being granted explicit access. For TOEs that implement a robust interface (other than just "allow access" or "deny access"), the evaluator shall ensure that the TSS describes the possible operations or modes of access between a Guest VM and physical platform resources. If physical resources are listed in the second element, the evaluator shall examine the TSS and operational guidance to determine that there appears to be no way to configure those resources for access by a Guest VM. The evaluator shall document in the evaluation report their analysis of why the controls offered to configure access to physical resources can't be used to specify access to the resources identified in the second element (for example, if the interface offers a drop-down list of resources to assign, and the denied resources are not included on that list, that would be sufficient justification in the evaluation report).
Guidance
The evaluator shall examine the operational guidance to determine that it describes how an administrator is able to configure access to physical platform resources for Guest VMs for each platform allowed in the evaluated configuration according to the ST. The evaluator shall also determine that the operational guidance identifies those resources listed in the second and third elements of the component and notes that access to these resources is explicitly denied/allowed, respectively.
Tests
Using the operational guidance, the evaluator shall perform the following tests for each physical platform identified in the ST:
Test 1: For each physical platform resource identified in the first element, the evaluator shall configure a Guest VM to have access to that resource and show that the Guest VM is able to successfully access that resource.
Test 2: For each physical platform resource identified in the first element, the evaluator shall configure the system such that a Guest VM does not have access to that resource and show that the Guest VM is unable to successfully access that resource.
Test 3: [conditional]: For TOEs that have a robust control interface, the evaluator shall exercise each element of the interface as described in the TSS and the operational guidance to ensure that the behavior described in the operational guidance is exhibited.
Test 4: [conditional]: If the TOE explicitly denies access to certain physical resources, the evaluator shall attempt to access each listed (in FDP_PPR_EXT.1.2) physical resource from a Guest VM and observe that access is denied.
Test 5: [conditional]: If the TOE explicitly allows access to certain physical resources, the evaluator shall attempt to access each listed (in FDP_PPR_EXT.1.3) physical resource from a Guest VM and observe that the access is allowed. If the operational guidance specifies that access is allowed simultaneously by more than one Guest VM, the evaluator shall attempt to access each resource listed from more than one Guest VM and show that access is allowed.
FDP_RIP_EXT.1 Residual Information in Memory
FDP_RIP_EXT.1.1
The TSF shall ensure that any previous information content of physical memory is cleared prior to allocation to a Guest VM.
Application Note: Physical memory must be zeroed before it is made accessible to a VM for general use by a Guest OS.
The purpose of this requirement is to ensure that a VM does not receive memory containing data previously used by another VM or the host.
“For general use” means for use by the Guest OS in its page tables for running applications or system software.
This does not apply to pages shared by design or policy between VMs or between the VMMs and VMs, such as read-only OS pages or pages used for virtual device buffers.
Evaluation Activities
FDP_RIP_EXT.1
TSS
The evaluator shall ensure that the TSS documents the process used for clearing physical memory prior to allocation to a Guest VM, providing details on when and how this is performed. Additionally, the evaluator shall ensure that the TSS documents the conditions under which physical memory is not cleared prior to allocation to a Guest VM, and describes when and how the memory is cleared.
FDP_RIP_EXT.2 Residual Information on Disk
FDP_RIP_EXT.2.1
The TSF shall ensure that any previous information content of physical disk storage is cleared to zeros upon allocation to a Guest VM.
Application Note: The purpose of this requirement is to ensure that a VM does not receive disk storage containing data previously used by another VM or by the host.
Clearing of disk storage only upon deallocation does not meet this requirement.
This does not apply to disk-resident files shared by design or policy between VMs or between the VMMs and VMs, such as read-only data files or files used for inter-VM data transfers permitted by policy.
Evaluation Activities
FDP_RIP_EXT.2
TSS
The evaluator shall ensure that the TSS documents how the TSF ensures that disk storage is zeroed upon allocation to Guest VMs. Also, the TSS must document any conditions under which disk storage is not cleared prior to allocation to a Guest VM. Any file system format and metadata information needed by the evaluator to perform the below test shall be made available to the evaluator, but need not be published in the TSS.
Tests
The evaluator shall perform the following test:
Test 1: On the host, the evaluator creates a file that is more than half the size of a connected physical storage device (or multiple files whose individual sizes add up to more than half the size of the storage media). This file (or files) shall be filled entirely with a non-zero value. Then, the file (or files) shall be released (freed for use but not cleared). Next, the evaluator (as a VS Administrator) creates a virtual disk at least that large on the same physical storage device and connects it to a powered-off VM. Then, from outside the Guest VM, scan through and check that all the non-metadata (as documented in the TSS) in the file corresponding to that virtual disk is set to zero.
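The final step of that test, the host-side scan of the virtual disk's backing file, as an added example that is not part of the Protection Profile. The scan reports every run of non-zero bytes that lies outside the metadata byte ranges the TSS documents, so a non-empty report is the failure case. The sample image layout (a 512-byte non-zero header followed by a data area) and the 0xAA fill value are constructed for the demonstration and do not correspond to any real disk image format.

```python
"""Host-side zero check for the FDP_RIP_EXT.2 test. Added example, not code
from the Protection Profile. The image layout built by build_sample_image()
is constructed: a HEADER_LEN-byte header, then the data area."""
import os
import tempfile

HEADER_LEN = 512  # constructed metadata size for the sample image


def nonzero_runs(path, metadata_ranges=(), chunk_size=1 << 20):
    """Return [(offset, length), ...] of non-zero runs outside metadata_ranges.

    metadata_ranges: (start, end) byte ranges, end exclusive, that may legitimately
    hold non-zero data (file-system or image-format metadata documented in the TSS)."""
    ranges = sorted(metadata_ranges)
    runs = []
    run_start = None
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # fast path: an all-zero chunk cannot start a run
            if run_start is None and not chunk.strip(b"\x00"):
                offset += len(chunk)
                continue
            for i, byte in enumerate(chunk):
                pos = offset + i
                in_metadata = any(s <= pos < e for s, e in ranges)
                if byte != 0 and not in_metadata:
                    if run_start is None:
                        run_start = pos
                elif run_start is not None:
                    runs.append((run_start, pos - run_start))
                    run_start = None
            offset += len(chunk)
    if run_start is not None:
        runs.append((run_start, offset - run_start))
    return runs


def virtual_disk_is_clean(path, metadata_ranges):
    """True when no stale (non-zero, non-metadata) bytes remain: the PP test passes."""
    return nonzero_runs(path, metadata_ranges) == []


def build_sample_image(path, size, stale=False, fill=b"\xaa"):
    """Constructed backing file: a non-zero header, then a data area that is
    either zeroed (compliant allocation) or still holds the previous fill."""
    header = b"CONSTRUCTED-IMAGE-HEADER".ljust(HEADER_LEN, b"\x7f")
    body_len = size - HEADER_LEN
    body = fill * body_len if stale else b"\x00" * body_len
    with open(path, "wb") as fh:
        fh.write(header + body)


def demo(size=64 * 1024):
    """Build a compliant and a non-compliant image; return both verdicts and
    the stale runs found in the non-compliant one."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.img")
        stale = os.path.join(tmp, "stale.img")
        build_sample_image(clean, size)
        build_sample_image(stale, size, stale=True)
        ranges = [(0, HEADER_LEN)]
        return (virtual_disk_is_clean(clean, ranges),
                virtual_disk_is_clean(stale, ranges),
                nonzero_runs(stale, ranges))
```

For a real virtual disk, pass the backing file's path and the metadata ranges from the TSS; the per-byte loop is only entered for chunks that contain something other than zeros, so a correctly zeroed multi-gigabyte image is scanned at read speed.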
FDP_VMS_EXT.1 VM Separation
FDP_VMS_EXT.1.1
The VS shall provide the following mechanisms for transferring data between Guest VMs: [selection: no mechanism, virtual networking, [assignment: other inter-VM data sharing mechanisms]].
FDP_VMS_EXT.1.2 The TSF shall by default enforce a policy prohibiting sharing of data between Guest VMs.
FDP_VMS_EXT.1.3 The TSF shall allow Administrators to configure the mechanisms selected in FDP_VMS_EXT.1.1 to enable and disable the transfer of data between Guest VMs.
FDP_VMS_EXT.1.4 The VS shall ensure that no Guest VM is able to read or transfer data to or from another Guest VM except through the mechanisms listed in FDP_VMS_EXT.1.1.
Application Note: The fundamental requirement of a Virtualization System is the ability to enforce separation between information domains implemented as Virtual Machines and Virtual Networks. The intent of this requirement is to ensure that VMs, VMMs, and the VS as a whole are implemented with this fundamental requirement in mind.
The ST author should select “no mechanism” in the unlikely event that the VS implements no mechanisms for transferring data between Guest VMs. Otherwise, the ST author should select “virtual networking” and identify all other mechanisms through which data can be transferred between Guest VMs.
Examples of non-network inter-VM sharing mechanisms are:
User interface-based mechanisms, such as copy-paste and drag-and-drop
Shared virtual or physical devices
API-based mechanisms such as Hypercalls
For data transfer mechanisms implemented in terms of Hypercall functions, FDP_VMS_EXT.1.3 is met if FPT_HCL_EXT.1.1 is met for those Hypercall functions (Hypercall function parameters are checked).
For data transfer mechanisms that use shared physical devices, FDP_VMS_EXT.1.3 is met if the device is listed in and meets FDP_PPR_EXT.1.1 (VM access to the physical device is configurable).
For data transfer mechanisms that use virtual networking, FDP_VMS_EXT.1.3 is met if FDP_VNC_EXT.1.1 is met (VM access to virtual networks is configurable).
Evaluation Activities
FDP_VMS_EXT.1
TSS
The evaluator shall examine the TSS to verify that it documents all inter-VM communications mechanisms (as defined above), and explains how the TSF prevents the transfer of data between VMs outside of the mechanisms listed in FDP_VMS_EXT.1.1.
Guidance
The evaluator shall examine the operational guidance to ensure that it documents how to configure all inter-VM communications mechanisms, including how they are invoked and how they are disabled.
Tests
The evaluator shall perform the following tests for each documented inter-VM communications channel:
Test 1:
a. Create two VMs without specifying any communications mechanism or overriding the default configuration.
b. Test that the two VMs cannot communicate through the mechanisms selected in FDP_VMS_EXT.1.1.
c. Create two new VMs, overriding the default configuration to allow communications through a channel selected in FDP_VMS_EXT.1.1.
d. Test that communications can be passed between the VMs through the channel.
e. Create two new VMs, the first with the inter-VM communications channel currently being tested enabled, and the second with the inter-VM communications channel currently being tested disabled.
f. Test that communications cannot be passed between the VMs through the channel.
g. As an Administrator, enable inter-VM communications between the VMs on the second VM.
h. Test that communications can be passed through the inter-VM channel.
i. As an Administrator again, disable inter-VM communications between the two VMs.
j. Test that communications can no longer be passed through the channel.
FDP_VMS_EXT.1.2 is met if communication is unsuccessful in step (b). FDP_VMS_EXT.1.3 is met if communication is successful in step (d) and unsuccessful in step (f).
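A policy model of FDP_VMS_EXT.1.2 through 1.4 with the ten steps of Test 1 scripted against it, as an added example that is not the Protection Profile's or any product's code. Channels stand for the mechanisms selected in FDP_VMS_EXT.1.1; every VM starts with all of them disabled, a transfer is allowed only when the channel is enabled on both endpoints, and only an Administrator may change that. The channel names and VM names are constructed.

```python
"""Default-deny inter-VM data-transfer policy for FDP_VMS_EXT.1. Added example,
not code from the Protection Profile or any product. Channel and VM names are
constructed."""


class VmSeparationPolicy:
    def __init__(self, channels):
        self.channels = frozenset(channels)  # mechanisms selected in FDP_VMS_EXT.1.1
        self.vms = {}                        # vm name -> {channel: enabled}

    def create_vm(self, name, **overrides):
        """Default configuration disables every channel (FDP_VMS_EXT.1.2)."""
        config = {ch: False for ch in self.channels}
        for ch, enabled in overrides.items():
            if ch not in self.channels:
                raise ValueError(f"unknown inter-VM mechanism: {ch}")
            config[ch] = bool(enabled)
        self.vms[name] = config

    def set_channel(self, vm, channel, enabled, actor="Administrator"):
        """FDP_VMS_EXT.1.3: only Administrators enable or disable transfers."""
        if actor != "Administrator":
            raise PermissionError("only an Administrator may change VM sharing")
        if channel not in self.channels:
            raise ValueError(f"unknown inter-VM mechanism: {channel}")
        self.vms[vm][channel] = bool(enabled)

    def can_transfer(self, src, dst, channel):
        """FDP_VMS_EXT.1.4: nothing outside the listed mechanisms, and a listed
        mechanism only when it is enabled on both endpoints."""
        if channel not in self.channels or src == dst:
            return False
        return self.vms[src][channel] and self.vms[dst][channel]


def run_test_1(channel, mechanisms=("virtual_networking", "clipboard")):
    """Steps (a) to (j) of Test 1 for one channel; returns {step: communicated}."""
    policy = VmSeparationPolicy(mechanisms)
    outcome = {}
    policy.create_vm("vm-a1")                                      # (a) defaults only
    policy.create_vm("vm-b1")
    outcome["b"] = policy.can_transfer("vm-a1", "vm-b1", channel)  # (b)
    policy.create_vm("vm-a2", **{channel: True})                   # (c) override default
    policy.create_vm("vm-b2", **{channel: True})
    outcome["d"] = policy.can_transfer("vm-a2", "vm-b2", channel)  # (d)
    policy.create_vm("vm-a3", **{channel: True})                   # (e) one side enabled
    policy.create_vm("vm-b3", **{channel: False})
    outcome["f"] = policy.can_transfer("vm-a3", "vm-b3", channel)  # (f)
    policy.set_channel("vm-b3", channel, True)                     # (g) Administrator enables
    outcome["h"] = policy.can_transfer("vm-a3", "vm-b3", channel)  # (h)
    policy.set_channel("vm-b3", channel, False)                    # (i) Administrator disables
    outcome["j"] = policy.can_transfer("vm-a3", "vm-b3", channel)  # (j)
    return outcome


def requirements_met(outcome):
    """The PP's pass criteria: (b) must fail; (d) must succeed and (f) must fail."""
    return {
        "FDP_VMS_EXT.1.2": not outcome["b"],
        "FDP_VMS_EXT.1.3": outcome["d"] and not outcome["f"],
    }
```

Against a real VS the `can_transfer` probe is replaced by an actual attempt over the channel (a ping across the virtual network, a paste into the second guest), with the same expected pattern of outcomes.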
FDP_VNC_EXT.1 Virtual Networking Components
FDP_VNC_EXT.1.1
The TSF shall allow Administrators to configure virtual networking components to connect VMs to each other and to physical networks.
FDP_VNC_EXT.1.2 The TSF shall ensure that network traffic visible to a Guest VM on a virtual network--or virtual segment of a physical network--is visible only to Guest VMs configured to be on that virtual network or segment.
Application Note: Virtual networks must be separated from one another to provide isolation commensurate with that provided by physically separate networks. It must not be possible for data to cross between properly configured virtual networks regardless of whether the traffic originated from a local Guest VM or a remote host.
Unprivileged users must not be able to connect VMs to each other or to external networks.
Evaluation Activities
FDP_VNC_EXT.1
TSS
The evaluator shall examine the TSS (or a proprietary annex) to verify that it describes the mechanism by which virtual network traffic is ensured to be visible only to Guest VMs configured to be on that virtual network.
Guidance
The evaluator must ensure that the Operational Guidance describes how to create virtualized networks and connect VMs to each other and to physical networks.
Tests
Test 1: The evaluator shall assume the role of the Administrator and attempt to configure a VM to connect to a network component. The evaluator shall verify that the attempt is successful. The evaluator shall then assume the role of an unprivileged user and attempt the same connection. If the attempt fails, or there is no way for an unprivileged user to configure VM network connections, the requirement is met.
Test 2: The evaluator shall assume the role of the Administrator and attempt to configure a VM to connect to a physical network. The evaluator shall verify that the attempt is successful. The evaluator shall then assume the role of an unprivileged user and make the same attempt. If the attempt fails, or there is no way for an unprivileged user to configure VM network connections, the requirement is met.
5.1.5 Identification and Authentication (FIA)
FIA_AFL_EXT.1 Authentication Failure Handling
FIA_AFL_EXT.1.1
The TSF shall detect when [selection: [assignment: a positive integer number], an administrator configurable positive integer within a [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to Administrators attempting to authenticate remotely using [selection: username and password, username and PIN].
FIA_AFL_EXT.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall: [selection: prevent the offending Administrator from successfully establishing a remote session using any authentication method that involves a password or PIN until [assignment: action to unlock] is taken by an Administrator, prevent the offending Administrator from successfully establishing a remote session using any authentication method that involves a password or PIN until an Administrator-defined time period has elapsed].
Application Note: The action to be taken shall be populated in the selection of the ST and defined in the Administrator guidance.
This requirement applies to a defined number of successive unsuccessful remote password or PIN-based authentication attempts and does not apply to local Administrative access. Compliant TOEs may optionally include cryptographic and local authentication failures in the number of unsuccessful authentication attempts.
Evaluation Activities
FIA_AFL_EXT.1
Tests
The evaluator shall perform the following tests for each credential selected in FIA_AFL_EXT.1.1: The evaluator will set an Administrator-configurable threshold n for failed attempts, or note the ST-specified assignment.
Test 1: The evaluator will attempt to authenticate remotely with the credential n-1 times. The evaluator will then attempt to authenticate using a good credential and verify that authentication is successful.
Test 2: The evaluator will make n attempts to authenticate using a bad credential. The evaluator will then attempt to authenticate using a good credential and verify that the attempt is unsuccessful. Note that the authentication attempts and lockouts must also be logged as specified in FAU_GEN.1.
After reaching the limit for unsuccessful authentication attempts the evaluator will proceed as follows:
Test 1: If the Administrator action selection in FIA_AFL_EXT.1.2 is selected, then the evaluator will confirm by testing that following the operational guidance and performing each action specified in the ST to re-enable the remote Administrator’s access results in successful access (when using valid credentials for that Administrator).
Test 2: If the time period selection in FIA_AFL_EXT.1.2 is selected, the evaluator will wait for just less than the time period configured and show that an authentication attempt using valid credentials does not result in successful access. The evaluator will then wait until just after the time period configured and show that an authentication attempt using valid credentials results in successful access.
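A model of the lockout behaviour FIA_AFL_EXT.1 requires, with both FIA_AFL_EXT.1.2 selections, as an added example that is not the Protection Profile's or any product's code. Threshold n is the FIA_AFL_EXT.1.1 value; a `lockout_seconds` of None models the "action taken by an Administrator" selection and a number models the "time period has elapsed" selection. The clock is injectable so the "just less than" and "just after" steps of Test 2 can be reproduced exactly, and every attempt and lockout is appended to an audit list, since FAU_GEN.1 requires them to be logged. The credential values and the audit record layout are constructed.

```python
"""Remote-Administrator lockout model for FIA_AFL_EXT.1. Added example, not
code from the Protection Profile or any product. Credentials and audit record
format are constructed."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int                           # n, from FIA_AFL_EXT.1.1
    lockout_seconds: Optional[float] = None  # None: an Administrator action unlocks


@dataclass
class AccountState:
    failures: int = 0
    locked_since: Optional[float] = None


class FakeClock:
    """Deterministic monotonic clock for reproducing the wait steps of Test 2."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class RemoteAuthenticator:
    def __init__(self, policy, credentials, clock=time.monotonic):
        self.policy = policy
        self.credentials = {u: s.encode() for u, s in credentials.items()}
        self.clock = clock
        self.state = {}
        self.audit = []  # (event, user[, detail]); FAU_GEN.1 requires these be logged

    def _state(self, user):
        return self.state.setdefault(user, AccountState())

    def is_locked(self, user):
        st = self._state(user)
        if st.locked_since is None:
            return False
        period = self.policy.lockout_seconds
        if period is not None and self.clock() - st.locked_since >= period:
            st.locked_since, st.failures = None, 0   # time-based unlock
            self.audit.append(("lockout_expired", user))
            return False
        return True

    def authenticate(self, user, secret):
        """Remote password/PIN authentication; True only on success."""
        if self.is_locked(user):
            self.audit.append(("auth_rejected_locked", user))
            return False
        st = self._state(user)
        expected = self.credentials.get(user, b"")
        ok = user in self.credentials and hmac.compare_digest(expected, secret.encode())
        if ok:
            st.failures = 0
            self.audit.append(("auth_success", user))
            return True
        st.failures += 1
        self.audit.append(("auth_failure", user, st.failures))
        if st.failures >= self.policy.threshold:
            st.locked_since = self.clock()
            self.audit.append(("lockout", user))
        return False

    def admin_unlock(self, user):
        """The [assignment: action to unlock] taken by an Administrator."""
        st = self._state(user)
        st.locked_since, st.failures = None, 0
        self.audit.append(("admin_unlock", user))
```

Note that a rejected attempt on a locked account neither advances the failure count nor restarts the lockout period, so the "just after" attempt in Test 2 succeeds once the period has elapsed regardless of how many attempts were made while locked.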
FIA_UAU.5 Multiple Authentication Mechanisms
FIA_UAU.5.1
The TSF shall provide the following authentication mechanisms: [selection: [selection: local, directory-based] authentication based on username and password, authentication based on username and a PIN that releases an asymmetric key stored in OE-protected storage, [selection: local, directory-based] authentication based on X.509 certificates, [selection: local, directory-based] authentication based on an SSH public key credential] to support Administrator authentication.
Application Note: Selection of ‘authentication based on username and password’ requires that FIA_PMG_EXT.1 be included in the ST. This also requires that the ST include a management function for password management. If the ST author selects ‘authentication based on an SSH public-key credential’, the TSF shall be validated against the Functional Package for Secure Shell. The ST must include FIA_X509_EXT.1 and FIA_X509_EXT.2 if 'authentication based on X.509 certificates' is selected.
PINs used to access OE-protected storage are set and managed by the OE-protected storage mechanism. Thus requirements on PIN management are outside the scope of the TOE.
Validation Guidelines:
Rule #11: If "directory-based" is selected anywhere in FIA_UAU.5.1 then "Ability to configure name/address of directory server to bind with" must be selected in the Client or Server module management function table.
Rule #12: If "authentication based on username and password" is selected in FIA_UAU.5.1 then "Ability to configure Administrator password policy as defined in FIA_PMG_EXT.1" must be selected in the Client or Server module management function table.
FIA_UAU.5.2 The TSF shall authenticate any Administrator’s claimed identity according to the [assignment: rules describing how the multiple authentication mechanisms provide authentication].
Evaluation Activities
FIA_UAU.5
Tests
If ‘username and password authentication’ is selected, the evaluator will configure the VS with a known username and password and conduct the following tests:
Test 1: The evaluator will attempt to authenticate to the VS using the known username and password. The evaluator will ensure that the authentication attempt is successful.
Test 2: The evaluator will attempt to authenticate to the VS using the known username but an incorrect password. The evaluator will ensure that the authentication attempt is unsuccessful.
If ‘username and PIN that releases an asymmetric key’ is selected, the evaluator will examine the TSS for guidance on supported protected storage and will then configure the TOE or OE to establish a PIN which enables release of the asymmetric key from the protected storage (such as a TPM, a hardware token, or isolated execution environment) with which the VS can interface. The evaluator will then conduct the following tests:
Test 1: The evaluator will attempt to authenticate to the VS using the known username and PIN. The evaluator will ensure that the authentication attempt is successful.
Test 2: The evaluator will attempt to authenticate to the VS using the known username but an incorrect PIN. The evaluator will ensure that the authentication attempt is unsuccessful.
If ‘X.509 certificate authentication’ is selected, the evaluator will generate an X.509v3 certificate for an Administrator user with the Client Authentication Enhanced Key Usage field set. The evaluator will provision the VS for authentication with the X.509v3 certificate. The evaluator will ensure that the certificates are validated by the VS as per FIA_X509_EXT.1.1 and then conduct the following tests:
Test 1: The evaluator will attempt to authenticate to the VS using the X.509v3 certificate. The evaluator will ensure that the authentication attempt is successful.
Test 2: The evaluator will generate a second certificate identical to the first except for the public key and any values derived from the public key. The evaluator will attempt to authenticate to the VS with this certificate. The evaluator will ensure that the authentication attempt is unsuccessful.
If ‘SSH public-key credential authentication’ is selected, the evaluator shall generate a public-private host key pair on the TOE using RSA or ECDSA, and a second public-private key pair on a remote client. The evaluator shall provision the VS with the client public key for authentication over SSH, and conduct the following tests:
Test 1: The evaluator will attempt to authenticate to the VS using a message signed by the client private key that corresponds to the provisioned client public key. The evaluator will ensure that the authentication attempt is successful.
Test 2: The evaluator will generate a second client key pair and will attempt to authenticate to the VS with the private key over SSH without first provisioning the VS to support the new key pair. The evaluator will ensure that the authentication attempt is unsuccessful.
FIA_UIA_EXT.1 Administrator Identification and Authentication
FIA_UIA_EXT.1.1
The TSF shall require Administrators to be successfully identified and authenticated using one of the methods in FIA_UAU.5 before allowing any TSF-mediated management function to be performed by that Administrator.
Application Note: Users do not have to authenticate; only Administrators need to authenticate.
Evaluation Activities
FIA_UIA_EXT.1
TSS
The evaluator shall examine the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. This description shall contain information pertaining to the credentials allowed/used, any protocol transactions that take place, and what constitutes a “successful logon.” The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.
5.1.6 Security Management (FMT)
FMT_SMO_EXT.1 Separation of Management and Operational Networks
FMT_SMO_EXT.1.1
The TSF shall support the separation of management and operational network traffic through [selection: separate physical networks, separate logical networks, trusted channels as defined in FTP_ITC_EXT.1, data encryption using an algorithm specified in FCS_COP.1/UDE].
Application Note: Management communications must be separate from user workload communications. Administrative network traffic—including communications between physical hosts concerning load balancing, audit data, VM startup and shutdown—must be isolated from guest operational networks. For purposes of this requirement, management traffic also includes VMs transmitted over management networks whether for backup, live migration, or deployment.
“Separate physical networks” refers to using separate physical interfaces and cables to isolate management and operational networks from each other.
“Separate logical networks” refers to using logical networking constructs, such as separate IP spaces or virtual networks, to isolate traffic across general-purpose networking ports. Management and operational networks are kept separate within the hosts using separate virtualized networking components.
If the ST author selects “trusted channels...” then the protocols used for network separation must be selected in FTP_ITC_EXT.1.
The ST author selects "data encryption..." if, for example, the TOE encrypts VMs as data blobs for backup, storage, deployment, or live migration, and does not send the data through a tunnel. If the ST author selects "data encryption..." then the algorithms and key sizes must be selected in FCS_COP.1/UDE.
The ST author should select as many mechanisms as apply.
Evaluation Activities
FMT_SMO_EXT.1
TSS
The evaluator shall examine the TSS to verify that it describes how management and operational traffic is separated.
Guidance
The evaluator shall examine the operational guidance to verify that it details how to configure the VS to keep Management and Operational traffic separate.
Tests
The evaluator shall configure the TOE as documented in the guidance. If separation is logical, then the evaluator shall capture packets on the management network. If plaintext Guest network traffic is detected, the requirement is not met. If separation uses trusted channels, then the evaluator shall capture packets on the network over which traffic is tunneled. If plaintext Guest network traffic is detected, the requirement is not met. If data encryption is used, then the evaluator shall capture packets on the network over which the data is sent while a VM or other large data structure is being transmitted. If plaintext VM contents are detected, the requirement is not met.
5.1.7ProtectionoftheTSF(FPT)
FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesFPT_DVD_EXT.1.1
TheTSFshallpreventGuestVMsfromaccessingvirtualdeviceinterfacesthatarenotpresentintheVM’scurrentvirtualhardwareconfiguration.
ApplicationNote:ThevirtualizedhardwareabstractionimplementedbyaparticularVSmightincludethevirtualizedinterfacesformanydifferentdevices.SometimesthesedevicesarenotpresentinaparticularinstantiationofaVM.TheinterfacefordevicesnotpresentmustnotbeaccessiblebytheVM.
Suchinterfacesincludememorybuffers,PCIBusinterfaces,andprocessorI/Oports.
ThepurposeofthisrequirementistoreducetheattacksurfaceoftheVMMbyblockingaccesstounusedinterfaces.
EvaluationActivities
FPT_DVD_EXT.1TestsTheevaluatorshallconnectadevicetoaVM,thenfromwithintheguestscantheVM'sdevicestoensurethattheconnecteddeviceispresent--usingadevicedriverorotheravailablemeanstoscantheVM'sI/OportsorPCIBusinterfaces.(Thedevice'sinterfaceshouldbedocumentedintheTSSunderFPT_VDP_EXT.1.)TheevaluatorshallremovethedevicefromtheVMandrunthescanagain.Thisrequirementismetifthedevice'sinterfacesarenolongerpresent.
FPT_EEM_EXT.1ExecutionEnvironmentMitigationsFPT_EEM_EXT.1.1
TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:
Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms
]
ApplicationNote:Processormanufacturers,compilerdevelopers,andoperatingsystemvendorshavedevelopedexecutionenvironment-basedmitigationsthatincreasethecosttoattackersbyaddingcomplexitytothetaskofcompromisingsystems.SoftwarecanoftentakeadvantageofthesemechanismsbyusingAPIsprovidedbytheoperatingsystemorbyenablingthemechanismthroughcompilerorlinkeroptions.ThisrequirementdoesnotmandatethattheseprotectionsbeenabledthroughouttheVirtualizationSystem—onlythattheybeenabledwheretheyhavelikelyimpact.Forexample,codethatreceivesandprocessesuserinputshouldtakeadvantageofthesemechanisms.
Fortheselection,theSTauthorselectsthesupportedmechanismsandusestheassignmenttoincludemechanismsnotlistedintheselection,ifany.
EvaluationActivities
FPT_EEM_EXT.1TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,theexecutionenvironment-basedvulnerabilitymitigationmechanismsusedbytheTOEonthatplatform.TheevaluatorshallensurethatthelistscorrespondtowhatisspecifiedinFPT_EEM_EXT.1.1.
FPT_HAS_EXT.1 Hardware Assists
FPT_HAS_EXT.1.1 The VMM shall use [assignment: list of hardware-based virtualization assists] to reduce or eliminate the need for binary translation.
FPT_HAS_EXT.1.2 The VMM shall use [assignment: list of hardware-based virtualization memory-handling assists] to reduce or eliminate the need for shadow page tables.
Application Note: These hardware assists help reduce the size and complexity of the VMM, and thus of the trusted computing base, by eliminating or reducing the need for paravirtualization or binary translation. Paravirtualization involves modifying guest software so that instructions that cannot be properly virtualized are never executed on the physical processor.
For the assignment in FPT_HAS_EXT.1, the ST author lists the hardware-based virtualization assists on all platforms included in the ST that are used by the VMM to reduce or eliminate the need for software-based binary translation. Examples for the x86 platform are Intel VT-x and AMD-V. "None" is an acceptable assignment for platforms that do not require virtualization assists in order to eliminate the need for binary translation. This must be documented in the TSS.
For the assignment in FPT_HAS_EXT.1.2, the ST author lists the set of hardware-based virtualization memory-handling extensions for all platforms listed in the ST that are used by the VMM to reduce or eliminate the need for shadow page tables. Examples for the x86 platform are Intel EPT and AMD RVI. "None" is an acceptable assignment for platforms that do not require memory-handling assists in order to eliminate the need for shadow page tables. This must be documented in the TSS.
Evaluation Activities
FPT_HAS_EXT.1
TSS
The evaluator shall examine the TSS to ensure that it states, for each platform listed in the ST, the hardware assists and memory-handling extensions used by the TOE on that platform. The evaluator shall ensure that these lists correspond to what is specified in the applicable FPT_HAS_EXT component.
FPT_HCL_EXT.1 Hypercall Controls
FPT_HCL_EXT.1.1 The TSF shall validate the parameters passed to Hypercall interfaces prior to execution of the VMM functionality exposed by each interface.
Application Note: The purpose of this requirement is to help ensure the integrity of the VMM by protecting the attack surface exposed to untrusted Guest VMs through Hypercalls.
A Hypercall interface allows VMM functionality to be invoked by VM-aware guest software. For example, a hypercall interface could be used to get information about the real world, such as the time of day or the underlying hardware of the host system. A hypercall could also be used to transfer data between VMs through a copy-paste mechanism. Because hypercall interfaces expose the VMM to Guest software, these interfaces constitute attack surface.
There is no expectation that the evaluator will need to review source code in order to accomplish the evaluation activity.
Evaluation Activities
FPT_HCL_EXT.1
TSS
The evaluator shall examine the TSS (or proprietary TSS Annex) to ensure that all hypercall functions are documented at the level necessary for the evaluator to run the below test. Documentation for each hypercall interface must include: how to invoke the interface, parameters and legal values, and any conditions under which the interface can be invoked (e.g., from guest user mode, guest privileged mode, during guest boot only).
Guidance
There is no operational guidance for this component.
Tests
The evaluator shall perform the following test: For each hypercall interface documented in the TSS or proprietary TSS Annex, the evaluator shall attempt to invoke the function from within the VM using an invalid parameter (if any). If the VMM or VS crashes or generates an exception, or if no error is returned to the guest, then the test fails. If an error is returned to the guest, then the test succeeds.
FPT_RDM_EXT.1 Removable Devices and Media
FPT_RDM_EXT.1.1 The TSF shall implement controls for handling the transfer of virtual and physical removable media and virtual and physical removable media devices between information domains.
FPT_RDM_EXT.1.2 The TSF shall enforce the following rules when [assignment: virtual or physical removable media and virtual or physical removable media devices] are switched between information domains, then [selection: the Administrator has granted explicit access for the media or device to be connected to the receiving domain, the media in a device that is being transferred is ejected prior to the receiving domain being allowed access to the device, the user of the receiving domain expressly authorizes the connection, the device or media that is being transferred is prevented from being accessed by the receiving domain].
Application Note: The purpose of these requirements is to ensure that VMs are not given inadvertent access to information from different domains because of media or removable media devices left connected to physical machines. Removable media is media that can be ejected from a device, such as a compact disc, floppy disk, SD, or compact flash memory card.
Removable media devices are removable devices that include media, such as USB flash drives and USB hard drives. Removable media devices can themselves contain removable media (e.g., USB CDROM drives).
For purposes of this requirement, an Information Domain is:
a. A VM or collection of VMs
b. The Virtualization System
c. Host OS
d. Management Subsystem
These requirements also apply to virtualized removable media—such as virtual CD drives that connect to ISO images—as well as physical media—such as CDROMs and USB flash drives. In the case of virtual CDROMs, virtual ejection of the virtual media is sufficient.
In the first assignment, the ST author lists all removable media and removable media devices (both virtual and real) that are supported by the TOE. The ST author then selects actions that are appropriate for all removable media and removable media devices (both virtual and real) that are being claimed in the assignment.
For clarity, the ST author may iterate this requirement so that like actions are grouped with the removable media or devices to which they apply (e.g., the first iteration could contain all devices for which media is ejected on a switch; the second iteration could contain all devices for which access is prevented on a switch, etc.).
Evaluation Activities
FPT_RDM_EXT.1
TSS
The evaluator shall examine the TSS to ensure it describes the association between the media or devices supported by the TOE and the actions that can occur when switching information domains.
Guidance
The evaluator shall examine the operational guidance to ensure it documents how an administrator or user configures the behavior of each media or device.
Tests
The evaluator shall perform the following test for each listed media or device:
Test 1: The evaluator shall configure two VMs that are members of different information domains, with the media or device connected to one of the VMs. The evaluator shall disconnect the media or device from the VM and connect it to the other VM. The evaluator shall verify that the action performed is consistent with the action assigned in the TSS.
FPT_TUD_EXT.1 Trusted Updates to the Virtualization System
FPT_TUD_EXT.1.1 The TSF shall provide administrators the ability to query the currently executed version of the TOE firmware/software as well as the most recently installed version of the TOE firmware/software.
Application Note: The version currently running (being executed) may not be the version most recently installed. For instance, the update may have been installed but the system requires a reboot before this update will run. Therefore, it needs to be clear that the query should indicate both the most recently executed version as well as the most recently installed update.
FPT_TUD_EXT.1.2 The TSF shall provide administrators the ability to manually initiate updates to TOE firmware/software and [selection: automatic updates, no other update mechanism].
FPT_TUD_EXT.1.3 The TSF shall provide means to authenticate firmware/software updates to the TOE using a [selection: digital signature mechanism using certificates, digital signature mechanism not using certificates, published hash] prior to installing those updates.
Application Note: The digital signature mechanism referenced in FPT_TUD_EXT.1.3 is one of the algorithms specified in FCS_COP.1/SIG.
If certificates are used by the update verification mechanism, then FIA_X509_EXT.1 and FIA_X509_EXT.2 must be included in the ST. Certificates are validated in accordance with FIA_X509_EXT.1 and the appropriate selections should be made in FIA_X509_EXT.2.1. Additionally, FPT_TUD_EXT.2 must be included in the ST.
"Update" in the context of this SFR refers to the process of replacing a non-volatile, system resident software component with another. The former is referred to as the NV image, and the latter is the update image. While the update image is typically newer than the NV image, this is not a requirement. There are legitimate cases where the system owner may want to roll back a component to an older version (e.g., when the component manufacturer releases a faulty update, or when the system relies on an undocumented feature no longer present in the update). Likewise, the owner may want to update with the same version as the NV image to recover from faulty storage.
All discrete software components (e.g., applications, drivers, kernel, firmware) of the TSF should be digitally signed by the corresponding manufacturer and subsequently verified by the mechanism performing the update. Since it is recognized that components may be signed by different manufacturers, it is essential that the update process verify that both the update and NV images were produced by the same manufacturer (e.g., by comparing public keys) or signed by legitimate signing keys (e.g., successful verification of certificates when using X.509 certificates).
The Digital Signature option is the preferred mechanism for authenticating updates. The Published Hash option will be removed from a future version of this PP.
Validation Guidelines:
Rule #14: If "digital signature mechanism using certificates" is selected in FPT_TUD_EXT.1.3 then "code signing for system software updates" must be selected in FIA_X509_EXT.2.1.
Evaluation Activities
FPT_TUD_EXT.1
TSS
The evaluator shall verify that the TSS describes all TSF software update mechanisms for updating the system software. Updates to the TOE either have a hash associated with them, or are signed by an authorized source. The evaluator shall verify that the description includes either a digital signature or published hash verification of the software before installation and that installation fails if the verification fails. The evaluator shall verify that the TSS describes the method by which the digital signature or published hash is verified, to include how the candidate updates are obtained, the processing associated with verifying the update, and the actions that take place for both successful and unsuccessful verification. If digital signatures are used, the evaluator shall also ensure the definition of an authorized source is contained in the TSS. If the ST author indicates that a certificate-based mechanism is used for software update digital signature verification, the evaluator shall verify that the TSS contains a description of how the certificates are contained on the device. The evaluator also ensures that the TSS (or administrator guidance) describes how the certificates are installed/updated/selected, if necessary.
Tests
The evaluator shall perform the following tests:
Test 1: The evaluator performs the version verification activity to determine the current version of the product. The evaluator obtains a legitimate update using procedures described in the operational guidance and verifies that it is successfully installed on the TOE. After the update, the evaluator performs the version verification activity again to verify the version correctly corresponds to that of the update.
Test 2: The evaluator performs the version verification activity to determine the current version of the product. The evaluator obtains or produces illegitimate updates as defined below, and attempts to install them on the TOE. The evaluator verifies that the TOE rejects all of the illegitimate updates. The evaluator performs this test using all of the following forms of illegitimate updates:
1. A modified version (e.g., using a hex editor) of a legitimately signed or hashed update
2. An image that has not been signed/hashed
3. An image signed with an invalid hash or invalid signature (e.g., by using a different key than expected for creating the signature or by manual modification of a legitimate hash/signature)
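The update authentication described above, as an added illustrative example in Go that is not code from this PP or from any product: it implements the "digital signature mechanism not using certificates" selection with Ed25519, checks that the update was signed by the same manufacturer key as the NV image, allows rollback and same-version re-install, and keeps the executed version separate from the installed one until reboot. The image format, version strings and key handling are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example, not from the PP or any product: a candidate update image is
// installed only if its Ed25519 signature verifies and the signer is the same
// manufacturer key as the NV image. Version ordering is deliberately not enforced.

// Image is one signed firmware/software component (format constructed for this example).
type Image struct {
	Version   string
	Payload   []byte
	Signer    ed25519.PublicKey // manufacturer key carried with the image
	Signature []byte            // Ed25519 signature over digest(Version, Payload)
}

// digest binds version and payload so neither can be swapped independently.
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(payload)
	return h.Sum(nil)
}

// NewManufacturerKey and Sign are the manufacturer side, present so the example runs offline.
func NewManufacturerKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func Sign(priv ed25519.PrivateKey, version string, payload []byte) Image {
	return Image{Version: version, Payload: payload,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(version, payload))}
}

var (
	ErrBadSignature = errors.New("update rejected: signature missing or does not verify")
	ErrWrongSigner  = errors.New("update rejected: not signed by the NV image's manufacturer")
)

// System holds the NV image and the version actually executing (FPT_TUD_EXT.1.1).
type System struct {
	nv      Image
	running string
}

func NewSystem(nv Image) *System           { return &System{nv: nv, running: nv.Version} }
func (s *System) RunningVersion() string   { return s.running }
func (s *System) InstalledVersion() string { return s.nv.Version }

// Install authenticates the candidate before it replaces the NV image (FPT_TUD_EXT.1.3).
// The rejection cases match the illegitimate updates of Test 2: a modified image, an
// unsigned image and a corrupted signature fail the signature check; an image signed
// with some other key verifies but fails the same-manufacturer check.
func (s *System) Install(upd Image) error {
	if len(upd.Signer) != ed25519.PublicKeySize || len(upd.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(upd.Signer, digest(upd.Version, upd.Payload), upd.Signature) {
		return ErrBadSignature
	}
	if !bytes.Equal(upd.Signer, s.nv.Signer) {
		return ErrWrongSigner
	}
	s.nv = upd // installed now; executed only after Reboot
	return nil
}

// Reboot starts executing whatever is installed.
func (s *System) Reboot() { s.running = s.nv.Version }

func main() {
	key := NewManufacturerKey()
	sys := NewSystem(Sign(key, "1.0", []byte("nv image")))
	fmt.Println("install 1.1:", sys.Install(Sign(key, "1.1", []byte("update"))))
	fmt.Printf("running %s, installed %s\n", sys.RunningVersion(), sys.InstalledVersion())
	sys.Reboot()
	fmt.Println("install from another vendor:", sys.Install(Sign(NewManufacturerKey(), "1.2", []byte("x"))))
}
```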
FPT_VDP_EXT.1 Virtual Device Parameters
FPT_VDP_EXT.1.1 The TSF shall provide interfaces for virtual devices implemented by the VMM as part of the virtual hardware abstraction.
FPT_VDP_EXT.1.2 The TSF shall validate the parameters passed to the virtual device interface prior to execution of the VMM functionality exposed by those interfaces.
Application Note: The purpose of this requirement is to ensure that the VMM is not vulnerable to compromise through the processing of malformed data passed to the virtual device interface from a Guest OS. The VMM cannot assume that any data coming from a VM is well-formed—even if the virtual device interface is unique to the VS and the data comes from a virtual device driver supplied by the Virtualization Vendor.
Evaluation Activities
FPT_VDP_EXT.1
TSS
The evaluator shall examine the TSS to ensure it lists all virtual devices accessible by the guest OS. The TSS, or a separate proprietary document, must also document all virtual device interfaces at the level of I/O ports or PCI Bus interfaces - including port numbers (absolute or relative to a base), port name, address range, and a description of legal input values.
The TSS must also describe the expected behavior of the interface when presented with illegal input values. This behavior must be deterministic and indicative of parameter checking by the TSF. The evaluator must ensure that there are no obvious or publicly known virtual I/O ports missing from the TSS. There is no expectation that evaluators will examine source code to verify the "all" part of the evaluation activity.
Tests
For each virtual device interface, the evaluator shall attempt to access the interface using at least one parameter value that is out of range or illegal. The test is passed if the interface behaves in the manner documented in the TSS. Interfaces that do not have input parameters need not be tested. This test can be performed in conjunction with the tests for FPT_DVD_EXT.1.
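The parameter validation that FPT_HCL_EXT.1 (hypercalls) and FPT_VDP_EXT.1 (virtual device interfaces) both require, as one added illustrative example in Go that is not code from this PP or from any real VMM: every guest-supplied value is checked, including the guest mode the call was made from, before the VMM functionality behind the interface runs, and illegal input produces a deterministic error for the guest rather than a fault. The hypercall numbers and semantics, the guest memory size, the device register layout and the error values are assumptions made for the example.

```go
package main

import "errors"

// Constructed example (not from the PP or any real VMM): guest-supplied hypercall and
// virtual-device parameters are validated before the VMM functionality behind them runs.

// GuestMode is the privilege level the vCPU was in when it trapped to the VMM.
type GuestMode int

const (
	GuestUser GuestMode = iota
	GuestKernel
)

// Errors returned to the guest; none of them disturbs the VMM or other VMs.
var (
	ErrBadHypercall = errors.New("unknown hypercall number")
	ErrBadMode      = errors.New("hypercall not permitted from this guest mode")
	ErrBadArgument  = errors.New("argument out of range or illegal")
)

type GuestMemory struct{ mem []byte } // guest-physical address space as the VMM sees it

func NewGuestMemory(size int) *GuestMemory { return &GuestMemory{mem: make([]byte, size)} }

// checkRange rejects a guest-physical [gpa, gpa+length) that is empty, starts outside guest
// memory, or runs past its end; gpa+length is never computed, so a wrapped sum cannot pass.
func (g *GuestMemory) checkRange(gpa, length uint64) error {
	size := uint64(len(g.mem))
	if length == 0 || gpa >= size || length > size-gpa {
		return ErrBadArgument
	}
	return nil
}

type HypercallArgs struct{ Nr, Arg0, Arg1 uint64 } // register state the guest passed

type hypercall struct {
	minMode  GuestMode                                        // lowest guest mode allowed to invoke it
	validate func(*GuestMemory, HypercallArgs) error          // always runs first
	run      func(*GuestMemory, HypercallArgs) (uint64, error) // the VMM functionality
}

// Two hypothetical hypercalls (numbers and semantics constructed): 1 writes the host time of
// day into an 8-byte guest buffer; 2 hands the VMM a copy-paste payload of at most one page
// and may only be invoked by the guest kernel.
var hypercallTable = map[uint64]hypercall{
	1: {minMode: GuestUser,
		validate: func(g *GuestMemory, a HypercallArgs) error { return g.checkRange(a.Arg0, 8) },
		run: func(g *GuestMemory, a HypercallArgs) (uint64, error) {
			copy(g.mem[a.Arg0:a.Arg0+8], []byte{0x60, 0xc8, 0x9f, 0x5e, 0, 0, 0, 0}) // constructed clock
			return 0, nil
		}},
	2: {minMode: GuestKernel,
		validate: func(g *GuestMemory, a HypercallArgs) error {
			if a.Arg1 > 4096 {
				return ErrBadArgument
			}
			return g.checkRange(a.Arg0, a.Arg1)
		},
		run: func(g *GuestMemory, a HypercallArgs) (uint64, error) { return a.Arg1, nil }},
}

// Dispatch is the single entry point for a trapped hypercall: lookup, mode check and
// parameter validation all complete before run is reached (FPT_HCL_EXT.1).
func Dispatch(g *GuestMemory, mode GuestMode, a HypercallArgs) (uint64, error) {
	hc, ok := hypercallTable[a.Nr]
	if !ok {
		return 0, ErrBadHypercall
	}
	if mode < hc.minMode {
		return 0, ErrBadMode
	}
	if err := hc.validate(g, a); err != nil {
		return 0, err
	}
	return hc.run(g, a)
}

// VirtualDevice is an emulated device with four 32-bit registers at consecutive I/O ports
// from base; register 0 is a 2-bit mode field, so values above 3 are illegal.
type VirtualDevice struct {
	base uint64
	regs [4]uint32
}

// Write checks port range, port alignment and the value before touching device state; the
// documented behaviour on illegal input is a deterministic ErrBadArgument (FPT_VDP_EXT.1).
func (d *VirtualDevice) Write(port uint64, value uint32) error {
	if port < d.base || port-d.base >= uint64(len(d.regs))*4 || (port-d.base)%4 != 0 {
		return ErrBadArgument
	}
	idx := (port - d.base) / 4
	if idx == 0 && value > 3 {
		return ErrBadArgument
	}
	d.regs[idx] = value
	return nil
}
```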
FPT_VIV_EXT.1 VMM Isolation from VMs
FPT_VIV_EXT.1.1 The TSF must ensure that software running in a VM is not able to degrade or disrupt the functioning of other VMs, the VMM, or the Platform.
FPT_VIV_EXT.1.2 The TSF must ensure that a Guest VM is unable to invoke platform code that runs at a privilege level equal to or exceeding that of the VMM without involvement of the VMM.
Application Note: This requirement is intended to ensure that software running within a Guest VM cannot compromise other VMs, the VMM, or the platform. This requirement is not met if Guest VM software—whatever its privilege level—can crash the VS or the Platform, or break out of its virtual hardware abstraction to gain execution on the platform, within or outside of the context of the VMM.
This requirement is not violated if software running within a VM can crash the Guest OS and there is no way for an attacker to gain execution in the VMM or outside of the virtualized domain.
FPT_VIV_EXT.1.2 addresses several specific mechanisms that must not be permitted to bypass the VMM and invoke privileged code on the Platform.
At a minimum, the TSF should enforce the following:
- On the x86 platform, a virtual System Management Interrupt (SMI) cannot invoke platform System Management Mode (SMM).
- An attempt to update virtual firmware or virtual BIOS cannot cause physical platform firmware or physical platform BIOS to be modified.
- An attempt to update virtual firmware or virtual BIOS cannot cause the VMM to be modified.
Of the above, the first bullet does not apply to platforms that do not support SMM. The rationale behind the third bullet is that a firmware update of a single VM must not affect other VMs. So if multiple VMs share the same firmware image as part of a common hardware abstraction, then the update of a single machine's BIOS must not be allowed to change the common abstraction. The virtual hardware abstraction is part of the VMM.
Evaluation Activities
FPT_VIV_EXT.1
TSS
The evaluator shall verify that the TSS (or a proprietary annex to the TSS) describes how the TSF ensures that guest software cannot degrade or disrupt the functioning of other VMs, the VMM or the platform, and how the TSF prevents guests from invoking higher-privilege platform code, such as the examples in the note.
5.1.8 TOE Access Banner (FTA)
FTA_TAB.1 TOE Access Banner
FTA_TAB.1.1 Before establishing an administrative user session, the TSF shall display a security Administrator-specified advisory notice and consent warning message regarding use of the TOE.
Application Note: This requirement is intended to apply to interactive sessions between a human user and a TOE. IT entities establishing connections or programmatic connections (e.g., remote procedure calls over a network) are not required to be covered by this requirement.
Evaluation Activities
FTA_TAB.1
Tests
The evaluator shall configure the TOE to display the advisory warning message "TEST TEST Warning Message TEST TEST". The evaluator shall then log out and confirm that the advisory message is displayed before login can occur.
5.1.9 Trusted Path/Channel (FTP)
FTP_ITC_EXT.1 Trusted Channel Communications
FTP_ITC_EXT.1.1 The TSF shall use [selection: TLS as conforming to the Functional Package for Transport Layer Security, TLS/HTTPS as conforming to FCS_HTTPS_EXT.1, IPsec as conforming to FCS_IPSEC_EXT.1, SSH as conforming to the Functional Package for Secure Shell] and [selection: certificate-based authentication of the remote peer, non-certificate-based authentication of the remote peer, no authentication of the remote peer] to provide a trusted communication channel between itself, and audit servers (as required by FAU_STG_EXT.1), and [selection: remote administrators (as required by FTP_TRP.1.1 if selected in FMT_MOF_EXT.1.1 in the Client or Server PP-Module), separation of management and operational networks (if selected in FMT_SMO_EXT.1), [assignment: other capabilities], no other capabilities] that is logically distinct from other communication paths and provides assured identification of its endpoints and protection of the communicated data from disclosure and detection of modification of the communicated data.
Application Note: If the ST author selects either TLS or HTTPS, the TSF shall be validated against the Functional Package for TLS. This PP does not mandate that a product implement TLS with mutual authentication, but if the product includes the capability to perform TLS with mutual authentication, then mutual authentication must be included within the TOE boundary. The TLS Package requires that the X509 requirements be included by the PP, so selection of TLS or HTTPS causes FIA_X509_EXT.* to be selected.
If the ST author selects SSH, the TSF shall be validated against the Functional Package for Secure Shell.
If the ST author selects "certificate-based authentication of the remote peer," then FIA_X509_EXT.1 and FIA_X509_EXT.2 must be included in the ST. "No authentication of the remote peer" should be selected only if the TOE is acting as a server in a non-mutual authentication configuration.
The ST author must include the security functional requirements for the trusted channel protocol selected in FTP_ITC_EXT.1 in the main body of the ST.
Validation Guidelines:
Rule #9: If the SSH Package is included in the ST then "AES-CTR (as defined in NIST SP 800-38A) mode," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
Rule #10: If the TOE implements IPSec then "AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode," "AES-GCM (as defined in NIST SP 800-38D)," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
Rule #15: If "certificate-based authentication of the remote peer" and "TLS as conforming to the Functional Package for Transport Layer Security" are selected in FTP_ITC_EXT.1.1 then "TLS" must be selected in FIA_X509_EXT.2.1.
Rule #16: If "certificate-based authentication of the remote peer" and "TLS/HTTPS as conforming to FCS_HTTPS_EXT.1" are selected in FTP_ITC_EXT.1.1 then "HTTPS" must be selected in FIA_X509_EXT.2.1.
Rule #17: If "certificate-based authentication of the remote peer" and "IPsec as conforming to FCS_IPSEC_EXT.1" are selected in FTP_ITC_EXT.1.1 then "IPsec" must be selected in FIA_X509_EXT.2.1.
Rule #18: If "certificate-based authentication of the remote peer" and "SSH as conforming to the Functional Package for Secure Shell" are selected in FTP_ITC_EXT.1.1 then "SSH" must be selected in FIA_X509_EXT.2.1.
Evaluation Activities
FTP_ITC_EXT.1
TSS
The evaluator will review the TSS to determine that it lists all trusted channels the TOE uses for remote communications, including both the external entities and remote users used for the channel as well as the protocol that is used for each.
Tests
The evaluator will configure the TOE to communicate with each external IT entity and type of remote user identified in the TSS. The evaluator will monitor network traffic while the VS performs communication with each of these destinations. The evaluator will ensure that for each session a trusted channel was established in conformance with the protocols identified in the selection.
FTP_UIF_EXT.1 User Interface: I/O Focus
FTP_UIF_EXT.1.1 The TSF shall indicate to users which VM, if any, has the current input focus.
Application Note: This requirement applies to all users—whether User or Administrator. In environments where multiple VMs run at the same time, the user must have a way of knowing which VM user input is directed to at any given moment. This is especially important in multiple-domain environments.
In the case of a human user, this is usually a visual indicator. In the case of headless VMs, the user is considered to be a program, but this program still needs to know which VM it is sending input to; this would typically be accomplished through programmatic means.
Evaluation Activities
FTP_UIF_EXT.1
TSS
The evaluator shall ensure that the TSS lists the supported user input devices.
Guidance
The evaluator shall ensure that the operational guidance specifies how the current input focus is indicated to the user.
Tests
For each supported input device, the evaluator shall demonstrate that the input from each device listed in the TSS is directed to the VM that is indicated to have the input focus.
FTP_UIF_EXT.2 User Interface: Identification of VM
FTP_UIF_EXT.2.1 The TSF shall support the unique identification of a VM's output display to users.
Application Note: In environments where a user has access to more than one VM at the same time, the user must be able to determine the identity of each VM displayed in order to avoid inadvertent cross-domain data entry.
There must be a mechanism for associating an identifier with a VM so that an application or program displaying the VM can identify the VM to users. This is generally indicated visually for human users (e.g., VM identity in the window title bar) and programmatically for headless VMs (e.g., an API function). The identification must be unique to the VS, but does not need to be universally unique.
Evaluation Activities
FTP_UIF_EXT.2
TSS
The evaluator shall ensure that the TSS describes the mechanism for identifying VMs to the user, how identities are assigned to VMs, and how conflicts are prevented.
Tests
The evaluator shall perform the following test: The evaluator shall attempt to create and start at least three Guest VMs on a single display device where the evaluator attempts to assign two of the VMs the same identifier. If the user interface displays different identifiers for each VM, then the requirement is met. Likewise, the requirement is met if the system refuses to create or start a VM when there is already a VM with the same identifier.
5.1.10 TOE Security Functional Requirements Rationale
The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:
Table 4: SFR Rationale
Objective / Addressed by / Rationale
O.VM_ISOLATION
  FAU_GEN.1: Audit events can report attempts to breach isolation.
  FCS_CKM_EXT.4: Requires cryptographic key destruction to protect domain data in shared storage.
  FDP_PPR_EXT.1: Requires support for reducing attack surface through disabling access to unneeded physical platform resources.
  FDP_RIP_EXT.1: Ensures that domain data is cleared from memory before memory is re-allocated.
  FDP_RIP_EXT.2: Ensures that domain data is cleared from physical storage upon re-allocation of the storage.
  FDP_VMS_EXT.1: Ensures that authorized data transfers between VMs are done securely.
  FDP_VNC_EXT.1: Ensures that network traffic is visible only to VMs configured to be on that network.
  FPT_DVD_EXT.1: Ensures that VMs can access only those virtual devices that they are configured to access.
  FPT_EEM_EXT.1: Requires that the TOE use security mechanisms supported by the physical platform.
  FPT_HAS_EXT.1: Requires that the TOE use platform-supported virtualization assists to reduce attack surface.
  FPT_VDP_EXT.1: Requires validation of parameter data passed to the hardware abstraction by untrusted VMs.
  FPT_VIV_EXT.1: Ensures that untrusted VMs cannot invoke privileged code without proper hypervisor mediation.
O.VMM_INTEGRITY
  FAU_GEN.1: Audit events can report potential integrity breaches and attempts.
  FCS_CKM.1: Requires generation of asymmetric keys for protection of integrity measures.
  FCS_COP.1: Ensures proper functioning of cryptographic algorithms used to protect data integrity.
  FCS_RBG_EXT.1: Requires that the TOE has access to high-quality entropy for cryptographic purposes.
  FDP_PPR_EXT.1: Requires support for reducing attack surface through disabling access to unneeded physical platform resources.
  FDP_VMS_EXT.1: Ensures that authorized data transfers between VMs are done securely.
  FDP_VNC_EXT.1: Ensures that network traffic is visible only to VMs configured to be on that network.
  FPT_DDI_EXT.1: Requires that physical device drivers be isolated from other parts of the TOE and from one another (optional).
  FPT_EEM_EXT.1: Requires that the TOE use security mechanisms supported by the physical platform.
  FPT_HAS_EXT.1: Requires that the TOE use platform-supported virtualization assists to reduce attack surface.
  FPT_HCL_EXT.1: Requires that Hypercall parameters be validated.
  FPT_ML_EXT.1: Requires measured launch of the platform and VMM (objective).
  FPT_VDP_EXT.1: Requires validation of parameter data passed to the hardware abstraction by untrusted VMs.
  FPT_VIV_EXT.1: Ensures that untrusted VMs cannot invoke privileged code without proper hypervisor mediation.
O.PLATFORM_INTEGRITY
  FDP_HBI_EXT.1: Requires that the TOE use platform-supported mechanisms for access to physical devices.
  FDP_PPR_EXT.1: Requires support for reducing attack surface through disabling access to unneeded physical platform resources.
  FDP_VMS_EXT.1: Ensures that authorized data transfers between VMs are done securely.
  FDP_VNC_EXT.1: Ensures that network traffic is visible only to VMs configured to be on that network.
  FPT_DVD_EXT.1: Ensures that VMs cannot access virtual devices that they are not configured to access.
  FPT_EEM_EXT.1: Requires that the TOE use security mechanisms supported by the physical platform.
  FPT_HAS_EXT.1: Requires that the TOE use platform-supported virtualization assists to reduce attack surface.
  FPT_HCL_EXT.1: Requires that Hypercall parameters be validated.
  FPT_ML_EXT.1: Requires measured launch of the platform and VMM (objective).
  FPT_VDP_EXT.1: Requires validation of parameter data passed to the hardware abstraction by untrusted VMs.
  FPT_VIV_EXT.1: Ensures that untrusted VMs cannot invoke privileged code without proper hypervisor mediation.
O.DOMAIN_INTEGRITY
  FCS_CKM_EXT.4: Requires cryptographic key destruction to protect domain data in shared storage.
  FCS_ENT_EXT.1: Requires that domains have access to high-quality entropy for cryptographic purposes.
  FCS_RBG_EXT.1: Requires that the TOE has access to high-quality entropy for cryptographic purposes.
  FDP_RIP_EXT.1: Ensures that domain data is cleared from memory before memory is re-allocated to another domain.
  FDP_RIP_EXT.2: Ensures that domain data is cleared from physical storage upon re-allocation of the storage to another domain.
  FDP_VMS_EXT.1: Ensures that authorized data transfers between domains are done securely.
  FDP_VNC_EXT.1: Ensures that network traffic is visible only to VMs configured to be on that network.
  FPT_EEM_EXT.1: Requires that the TOE use security mechanisms supported by the physical platform.
  FPT_GVI_EXT.1: Requires that the TOE support Guest VM measurements and integrity checks (optional).
  FPT_HAS_EXT.1: Requires that the TOE use platform-supported virtualization assists to reduce attack surface.
  FPT_INT_EXT.1: Requires that the TOE support introspection into Guest VMs (optional).
  FPT_RDM_EXT.1: Requires support for rules for switching removable media between domains to reduce the chance of data spillage.
  FPT_VDP_EXT.1: Requires validation of parameter data passed to the hardware abstraction by untrusted VMs.
  FTP_UIF_EXT.1: Ensures that users are able to determine the domain with the current input focus.
  FTP_UIF_EXT.2: Ensures that users can know the identity of any VM that they can access.
O.MANAGEMENT_ACCESS
  FAU_GEN.1: Audit events report attempts to access the management subsystem.
  FCS_CKM.1: Requires generation of asymmetric keys for trusted communications channels.
  FCS_CKM.2: Requires establishment of cryptographic keys for trusted communications channels.
  FCS_COP.1: Ensures proper functioning of cryptographic algorithms used to implement access controls.
  FCS_HTTPS_EXT.1: Ensures that HTTPS trusted communications channels are implemented properly.
  FCS_IPSEC_EXT.1: Ensures that IPsec trusted communications channels are implemented properly.
  FCS_RBG_EXT.1: Requires that the TOE has access to high-quality entropy for cryptographic purposes.
  FIA_AFL_EXT.1: Requires that the TOE detect failed authentication attempts for Administrator access.
  FIA_PMG_EXT.1: Ensures that password-based administrator login is properly implemented.
  FIA_UAU.5: Ensures that strong mechanisms are used for Administrator authentication.
  FIA_UIA_EXT.1: Requires that Administrators be successfully authenticated before performing management functions.
  FIA_X509_EXT.1: Ensures that certificate validation is implemented properly.
  FIA_X509_EXT.2: Ensures that certificate-based authentication is implemented properly.
  FMT_SMO_EXT.1: Requires that the TOE support having separate management and operational networks.
  FTP_ITC_EXT.1: Ensures that trusted communications channels are implemented using good cryptography.
  FTP_TRP.1: Ensures that certain communications use a trusted path.
O.PATCHED_SOFTWARE
  FPT_IDV_EXT.1: Requires support for software identification labels (optional).
  FPT_TUD_EXT.1: Requires support for product updates.
  FPT_TUD_EXT.2: Specifies requirements for certificate-based code signing for update.
O.VM_ENTROPY
  FCS_ENT_EXT.1: Requires that domains have access to high-quality entropy for cryptographic purposes.
  FCS_RBG_EXT.1: Requires that the TOE has access to high-quality entropy for cryptographic purposes.
O.AUDIT
  FAU_ARP.1: Requires support for automatic responses to audit events (optional).
  FAU_GEN.1: Requires reporting of audit events.
  FAU_SAA.1: Requires support for rules for indicating security violations based on audit events (optional).
  FAU_SAR.1: Requires support for Administrator review of audit records.
  FAU_STG.1: Requires protection of stored audit records.
  FAU_STG_EXT.1: Requires support for protected transmission of audit records off the TOE.
O.CORRECTLY_APPLIED_CONFIGURATION
  FDP_VMS_EXT.1: Ensures that data sharing between VMs is turned off by default.
O.RESOURCE_ALLOCATION
  FCS_CKM_EXT.4: Requires cryptographic key destruction to ensure residual data in shared storage is unrecoverable.
  FDP_RIP_EXT.1: Ensures that domain data is cleared from memory before memory is re-allocated.
  FDP_RIP_EXT.2: Ensures that domain data is cleared from storage upon re-allocation of the storage.
5.2 Security Assurance Requirements
The Security Objectives for the TOE in Section 4 were constructed to address threats identified in Section 3.1. The Security Functional Requirements (SFRs) in Section 5.1 are a formal instantiation of the Security Objectives. The PP identifies the Security Assurance Requirements (SARs) to frame the extent to which the evaluator assesses the documentation applicable for the evaluation and performs independent testing.
This section lists the set of Security Assurance Requirements (SARs) from Part 3 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5 that are required in evaluations against this PP. Individual evaluation activities to be performed are specified in both Section 5.1 as well as in this section.
After the ST has been approved for evaluation, the Information Technology Security Evaluation Facility (ITSEF) will obtain the TOE, supporting environmental IT, and the administrative/user guides for the TOE. The ITSEF is expected to perform actions mandated by the CEM for the ASE and ALC SARs. The ITSEF also performs the evaluation activities contained within Section 5, which are intended to be an interpretation of the other CEM assurance requirements as they apply to the specific technology instantiated in the TOE. The evaluation activities that are captured in Section 5 also provide clarification as to what the developer needs to provide to demonstrate the TOE is compliant with the PP.
5.2.1 Class ASE: Security Target Evaluation
As per ASE activities defined in [CEM] plus the TSS evaluation activities defined for any SFRs claimed by the TOE.
5.2.2 Class ADV: Development
The information about the TOE is contained in the guidance documentation available to the end user as well as the TOE Summary Specification (TSS) portion of the ST. The TOE developer must concur with the description of the product that is contained in the TSS as it relates to the functional requirements. The evaluation activities contained in Section 5.2 should provide the ST authors with sufficient information to determine the appropriate content for the TSS section.
ADV_FSP.1 Basic functional specification
Developer action elements:
ADV_FSP.1.1D The developer shall provide a functional specification.
ADV_FSP.1.2D The developer shall provide a tracing from the functional specification to the SFRs.
Developer Note: As indicated in the introduction to this section, the functional specification is composed of the information contained in the AGD_OPR and AGD_PRE documentation, coupled with the information provided in the TSS of the ST. The evaluation activities in the functional requirements point to evidence that should exist in the documentation and TSS section; since these are directly associated with the SFRs, the tracing in element ADV_FSP.1.2D is implicitly already done and no additional documentation is necessary.
Content and presentation elements:
ADV_FSP.1.1C The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.2C The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.3C The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering.
ADV_FSP.1.4C The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.
Evaluator action elements:
ADV_FSP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.1.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.
Application Note: There are no specific evaluation activities associated with these SARs. The functional specification documentation is provided to support the evaluation activities described in Section 5.2, and other activities described for AGD, ATE, and AVA SARs. The requirements on the content of the functional specification information are implicitly assessed by virtue of the other evaluation activities being performed; if the evaluator is unable to perform an activity because there is insufficient interface information, then an adequate functional specification has not been provided.
5.2.3ClassAGD:GuidanceDocumentsTheguidancedocumentswillbeprovidedwiththedeveloper’ssecuritytarget.GuidancemustincludeadescriptionofhowtheauthorizeduserverifiesthattheOperationalEnvironmentcanfulfillitsroleforthesecurityfunctionality.Thedocumentationshouldbeinaninformalstyleandreadablebyanauthorizeduser.GuidancemustbeprovidedforeveryoperationalenvironmentthattheproductsupportsasclaimedintheST.Thisguidanceincludes
instructionstosuccessfullyinstalltheTOEinthatenvironment;andinstructionstomanagethesecurityoftheTOEasaproductandasacomponentofthelargeroperationalenvironment.
Guidancepertainingtoparticularsecurityfunctionalityisalsoprovided;specificrequirementsonsuchguidancearecontainedintheevaluationactivitiesspecifiedwithindividualSFRswhereapplicable.
AGD_OPE.1 Operational User Guidance
Developer action elements:
AGD_OPE.1.1D The developer shall provide operational user guidance.
Developer Note: Rather than repeat information here, the developer should review the evaluation activities for this component to ascertain the specifics of the guidance that the evaluators will be checking for. This will provide the necessary information for the preparation of acceptable guidance.
Content and presentation elements:
AGD_OPE.1.1C The operational user guidance shall describe what for each user role the authorized user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2C The operational user guidance shall describe, for each user role the authorized user, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C The operational user guidance shall describe, for each user role the authorized user, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4C The operational user guidance shall, for each user role the authorized user, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5C The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
AGD_OPE.1.6C The operational user guidance shall, for each user role the authorized user, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7C The operational user guidance shall be clear and reasonable.
Evaluator action elements:
AGD_OPE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Evaluation Activities
AGD_OPE.1
Some of the contents of the operational guidance will be verified by the evaluation activities in Section 5.2 and evaluation of the TOE according to the CEM. The following additional information is also required. The operational guidance shall contain instructions for configuring the password characteristics, number of allowed authentication attempt failures, the lockout period times for inactivity, and the notice and consent warning that is to be provided when authenticating. The operational guidance shall contain step-by-step instructions suitable for use by an end-user of the VS to configure a new, out-of-the-box system into the configuration evaluated under this Protection Profile. The documentation shall describe the process for verifying updates to the TOE, either by checking the hash or by verifying a digital signature. The evaluator shall verify that this process includes the following steps:
- Instructions for querying the current version of the TOE software.
- For hashes, a description of where the hash for a given update can be obtained. For digital signatures, instructions for obtaining the certificate that will be used by the FCS_COP.1/SIG mechanism to ensure that a signed update has been received from the certificate owner. This may be supplied with the product initially, or may be obtained by some other means.
- Instructions for obtaining the update itself. This should include instructions for making the update accessible to the TOE (e.g., placement in a specific directory).
- Instructions for initiating the update process, as well as discerning whether the process was successful or unsuccessful. This includes generation of the hash/digital signature.
AGD_PRE.1 Preparative Procedures
Developer action elements:
AGD_PRE.1.1D The developer shall provide the TOE including its preparative procedures.
Developer Note: As with the operational guidance, the developer should look to the evaluation activities to determine the required content with respect to preparative procedures.
Content and presentation elements:
AGD_PRE.1.1C The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
AGD_PRE.1.2C The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.
Evaluator action elements:
AGD_PRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation.
Evaluation Activities
AGD_PRE.1
As indicated in the introduction above, there are significant expectations with respect to the documentation, especially when configuring the operational environment to support TOE functional requirements. The evaluator shall check to ensure that the guidance provided for the TOE adequately addresses all platforms (that is, combination of hardware and operating system) claimed for the TOE in the ST. The operational guidance shall contain step-by-step instructions suitable for use by an end-user of the VS to configure a new, out-of-the-box system into the configuration evaluated under this Protection Profile.
5.2.4 Class ALC: Life-Cycle Support
At the assurance level specified for TOEs conformant to this PP, life-cycle support is limited to an examination of the TOE vendor's development and configuration management process in order to provide a baseline level of assurance that the TOE itself is developed in a secure manner and that the developer has a well-defined process in place to deliver updates to mitigate known security flaws. This is a result of the critical role that a developer's practices play in contributing to the overall trustworthiness of a product.
ALC_CMC.1 Labeling of the TOE
Developer action elements:
ALC_CMC.1.1D The developer shall provide the TOE and a reference for the TOE.
Content and presentation elements:
ALC_CMC.1.1C The TOE shall be labeled with its unique reference.
Evaluator action elements:
ALC_CMC.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Evaluation Activities
ALC_CMC.1
The evaluator shall check the ST to ensure that it contains an identifier (such as a product name/version number) that specifically identifies the version that meets the requirements of the ST. The evaluator shall check the AGD guidance and TOE samples received for testing to ensure that the version number is consistent with that in the ST. If the vendor maintains a website advertising the TOE, the evaluator shall examine the information on the website to ensure that the information in the ST is sufficient to distinguish the product.
ALC_CMS.1 TOE CM Coverage
Developer action elements:
ALC_CMS.1.1D The developer shall provide a configuration list for the TOE.
Content and presentation elements:
ALC_CMS.1.1C The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs.
ALC_CMS.1.2C The configuration list shall uniquely identify the configuration items.
Evaluator action elements:
ALC_CMS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
Evaluation Activities
ALC_CMS.1
The evaluator shall ensure that the developer has identified (in public-facing development guidance for their platform) one or more development environments appropriate for use in developing applications for the developer's platform. For each of these development environments, the developer shall provide information on how to configure the environment to ensure that buffer overflow protection mechanisms in the environment are invoked (e.g., compiler and linker flags). The evaluator shall ensure that this documentation also includes an indication of whether such protections are on by default, or have to be specifically enabled. The evaluator shall ensure that the TSF is uniquely identified (with respect to other products from the TSF vendor), and that documentation provided by the developer in association with the requirements in the ST is associated with the TSF using this unique identification.
ALC_TSU_EXT.1 Timely Security Updates
This component requires the TOE developer, in conjunction with any other necessary parties, to provide information as to how the VS is updated to address security issues in a timely manner. The documentation describes the process of providing updates to the public from the time a security flaw is reported/discovered, to the time an update is released. This description includes the parties involved (e.g., the developer, hardware vendors) and the steps that are performed (e.g., developer testing), including worst case time periods, before an update is made available to the public.
Developer action elements:
ALC_TSU_EXT.1.1D The developer shall provide a description in the TSS of how timely security updates are made to the TOE.
Content and presentation elements:
ALC_TSU_EXT.1.1C The description shall include the process for creating and deploying security updates for the TOE software/firmware.
ALC_TSU_EXT.1.2C The description shall express the time window as the length of time, in days, between public disclosure of a vulnerability and the public availability of security updates to the TOE.
Application Note: The total length of time may be presented as a summation of the periods of time that each party (e.g., TOE developer, hardware vendor) on the critical path consumes. The time period until public availability per deployment mechanism may differ; each is described.
ALC_TSU_EXT.1.3C The description shall include the mechanisms publicly available for reporting security issues pertaining to the TOE.
Application Note: The reporting mechanism could include websites, email addresses, and a means to protect the sensitive nature of the report (e.g., public keys that could be used to encrypt the details of a proof-of-concept exploit).
Evaluator action elements:
ALC_TSU_EXT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.5 Class ATE: Tests
Testing is specified for functional aspects of the system as well as aspects that take advantage of design or implementation weaknesses. The former is done through the ATE_IND family, while the latter is through the AVA_VAN family. At the assurance level specified in this PP, testing is based on advertised functionality and interfaces with dependency on the availability of design information. One of the primary outputs of the evaluation process is the test report as specified in the following requirements.
ATE_IND.1 Independent Testing - Conformance
Testing is performed to confirm the functionality described in the TSS as well as the administrative (including configuration and operation) documentation provided. The focus of the testing is to confirm that the requirements specified in Section 5.1 are being met, although some additional testing is specified for SARs in Section 5.2. The evaluation activities identify the additional testing activities associated with these components. The evaluator produces a test report documenting the plan for and results of testing, as well as coverage arguments focused on the platform/TOE combinations that are claiming conformance to this PP.
Developer action elements:
ATE_IND.1.1D The developer shall provide the TOE for testing.
Content and presentation elements:
ATE_IND.1.1C The TOE shall be suitable for testing.
Evaluator action elements:
ATE_IND.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.1.2E The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified.
Evaluation Activities
ATE_IND.1
The evaluator shall prepare a test plan and report documenting the testing aspects of the system. While it is not necessary to have one test case per test listed in an evaluation activity, the evaluators must document in the test plan that each applicable testing requirement in the ST is covered. The Test Plan identifies the platforms to be tested, and for those platforms not included in the test plan but included in the ST, the test plan provides a justification for not testing the platforms. This justification must address the differences between the tested platforms and the untested platforms, and make an argument that the differences do not affect the testing to be performed. It is not sufficient to merely assert that the differences have no effect; rationale must be provided. If all platforms claimed in the ST are tested, then no rationale is necessary. The test plan describes the composition of each platform to be tested, and any setup that is necessary beyond what is contained in the AGD documentation. It should be noted that the evaluators are expected to follow the AGD documentation for installation and setup of each platform either as part of a test or as a standard pre-test condition. This may include special test drivers or tools. For each driver or tool, an argument (not just an assertion) is provided that the driver or tool will not adversely affect the performance of the functionality by the TOE and its platform. This also includes the configuration of cryptographic engines to be used. The cryptographic algorithms implemented by these engines are those specified by this PP and used by the cryptographic protocols being evaluated (IPsec, TLS/HTTPS, SSH). The test plan identifies high-level test objectives as well as the test procedures to be followed to achieve those objectives. These procedures include expected results. The test report (which could just be an annotated version of the test plan) details the activities that took place when the test procedures were executed, and includes the actual results of the tests. This shall be a cumulative account, so if there was a test run that resulted in a failure; a fix installed; and then a successful re-run of the test, the report would show a "fail" and "pass" result (and the supporting details), and not just the "pass" result.
5.2.6 Class AVA: Vulnerability Assessment
For the first generation of this Protection Profile, the evaluation lab is expected to survey open sources to learn what vulnerabilities have been discovered in these types of products. In most cases, these vulnerabilities will require sophistication beyond that of a basic attacker. Until penetration tools are created and uniformly distributed to the evaluation labs, evaluators will not be expected to test for these vulnerabilities in the TOE. The labs will be expected to comment on the likelihood of these vulnerabilities given the documentation provided by the vendor. This information will be used in the development of penetration testing tools and for the development of future PPs.
AVA_VAN.1 Vulnerability Survey
Developer action elements:
AVA_VAN.1.1D The developer shall provide the TOE for testing.
Content and presentation elements:
AVA_VAN.1.1C The TOE shall be suitable for testing.
Evaluator action elements:
AVA_VAN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VAN.1.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
AVA_VAN.1.3E The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.
Evaluation Activities
AVA_VAN.1
As with ATE_IND, the evaluator shall generate a report to document their findings with respect to this requirement. This report could physically be part of the overall test report mentioned in ATE_IND, or a separate document. The evaluator performs a search of public information to determine the vulnerabilities that have been found in virtualization in general, as well as those that pertain to the particular TOE. The evaluator documents the sources consulted and the vulnerabilities found in the report. For each vulnerability found, the evaluator either provides a rationale with respect to its non-applicability or the evaluator formulates a test (using the guidelines provided in ATE_IND) to confirm the vulnerability, if suitable. Suitability is determined by assessing the attack vector needed to take advantage of the vulnerability. For example, if the vulnerability can be detected by pressing a key combination on boot-up, a test would be suitable at the assurance level of this PP. If exploiting the vulnerability requires expert skills and an electron microscope, for instance, then a test would not be suitable and an appropriate justification would be formulated.
Appendix A - Optional Requirements
As indicated in the introduction to this PP, the baseline requirements (those that must be performed by the TOE) are contained in the body of this PP. This appendix contains three other types of optional requirements that may be included in the ST, but are not required in order to conform to this PP. However, applied modules, packages and/or use cases may refine specific requirements as mandatory.
The first type (A.1 Strictly Optional Requirements) are strictly optional requirements that are independent of the TOE implementing any function. If the TOE fulfills any of these requirements or supports a certain functionality, the vendor is encouraged to include the SFRs in the ST, but they are not required in order to conform to this PP.
The second type (A.2 Objective Requirements) are objective requirements that describe security functionality not yet widely available in commercial technology. The requirements are not currently mandated in the body of this PP, but will be included in the baseline requirements in future versions of this PP. Adoption by vendors is encouraged and expected as soon as possible.
The third type (A.3 Implementation-Based Requirements) are dependent on the TOE implementing a particular function. If the TOE fulfills any of these requirements, the vendor must either add the related SFR or disable the functionality for the evaluated configuration.
A.1 Strictly Optional Requirements
A.1.1 Auditable Events for Strictly Optional Requirements
Table 5: Auditable Events for Optional Requirements
Requirement | Auditable Events | Additional Audit Record Contents
FAU_ARP.1 | Actions taken due to potential security violations. |
FAU_SAA.1 | Enabling and disabling of any of the analysis mechanisms. |
FAU_SAA.1 | Automated responses performed by the TSF. |
FPT_GVI_EXT.1 | Actions taken due to failed integrity check. |
A.1.2 Security Audit (FAU)
FAU_ARP.1 Security Audit Automatic Response
FAU_ARP.1.1 The TSF shall take [assignment: list of actions] upon detection of a potential security violation.
Application Note: In certain cases, it may be useful for Virtualization Systems to perform automated responses to certain security events. An example may include halting a VM which has taken some action to violate a key system security policy. This may be especially useful with headless endpoints when there is no human user in the loop.
The potential security violation mentioned in FAU_ARP.1.1 refers to FAU_SAA.1.
Evaluation Activities
FAU_ARP.1
Tests
The evaluator shall generate a potential security violation as defined in FAU_SAA.1 and verify that each action in the assignment in FAU_ARP.1.1 is performed by the TSF as a result. The evaluator shall perform this action for each security violation that is defined in FAU_SAA.1.
FAU_SAA.1 Potential Violation Analysis
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a. Accumulation or combination of [assignment: subset of defined auditable events] known to indicate a potential security violation;
b. [assignment: any other rules].
Application Note: The potential security violation described in FAU_SAA.1 can be used as a trigger for automated responses as defined in FAU_ARP.1.
Evaluation Activities
FAU_SAA.1
Tests
The evaluator shall cause each combination of auditable events defined in FAU_SAA.1.2 to occur, and verify that a potential security violation is indicated by the TSF.
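The pairing of FAU_SAA.1 (rules over accumulated audit events) and FAU_ARP.1 (an automated response such as halting a VM) described above, as an added example that is not code from the Protection Profile or from any Virtualization System. The audit record layout, the event names, the thresholds and the response names ("halt_vm", "lock_account") are constructed assumptions for the illustration.

```python
"""Potential-violation analysis (FAU_SAA.1) feeding an automated response
(FAU_ARP.1) for a Virtualization System.

Added illustration for the Protection Profile text, not code from the PP or
from any product. The audit record layout, event names, thresholds and the
response names ("halt_vm", "lock_account") are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    time: int       # seconds since boot (constructed)
    event: str      # auditable event name
    subject: str    # VM or user that caused the event
    outcome: str    # "success" or "failure"


@dataclass(frozen=True)
class Rule:
    """FAU_SAA.1.2(a): an accumulation of a subset of auditable events known
    to indicate a potential security violation."""
    name: str
    event: str
    outcome: str
    threshold: int  # this many matching events ...
    window: int     # ... within this many seconds, from the same subject


class Analyzer:
    def __init__(self, rules, responses):
        self.rules = list(rules)
        self.responses = dict(responses)  # rule name -> action (FAU_ARP.1.1 assignment)
        self.history = defaultdict(list)  # (rule name, subject) -> event times in window
        self.violations = []              # (rule name, subject, time) indicated by the TSF
        self.actions_taken = []           # (action, subject) performed in response

    def ingest(self, rec):
        """Apply every rule to one audit record; return the violations it triggered."""
        fired = []
        for rule in self.rules:
            if rec.event != rule.event or rec.outcome != rule.outcome:
                continue
            key = (rule.name, rec.subject)
            # Slide the window: keep only events still within 'window' seconds.
            recent = [t for t in self.history[key] if rec.time - t <= rule.window]
            recent.append(rec.time)
            if len(recent) >= rule.threshold:
                violation = (rule.name, rec.subject, rec.time)
                self.violations.append(violation)
                fired.append(violation)
                self.respond(rule.name, rec.subject)
                recent = []  # the burst has been acted on; start counting afresh
            self.history[key] = recent
        return fired

    def respond(self, rule_name, subject):
        """FAU_ARP.1.1: take the configured action upon a potential violation."""
        action = self.responses.get(rule_name)
        if action is not None:
            self.actions_taken.append((action, subject))


def run_demo():
    """Run a constructed audit trail through two rules and return the analyzer."""
    rules = [
        Rule("vm-policy-denials", "vm_policy_denied", "failure", threshold=3, window=10),
        Rule("admin-brute-force", "admin_login", "failure", threshold=5, window=60),
    ]
    analyzer = Analyzer(rules, {"vm-policy-denials": "halt_vm",
                                "admin-brute-force": "lock_account"})
    trail = [  # constructed sample records
        AuditRecord(100, "vm_policy_denied", "vm-17", "failure"),
        AuditRecord(101, "vm_policy_denied", "vm-17", "failure"),
        AuditRecord(102, "vm_policy_denied", "vm-18", "failure"),  # another VM, separate count
        AuditRecord(103, "vm_policy_denied", "vm-17", "failure"),  # third in 10 s: violation
        AuditRecord(200, "admin_login", "alice", "failure"),
        AuditRecord(201, "admin_login", "alice", "failure"),
        AuditRecord(202, "admin_login", "alice", "success"),       # below threshold: no action
    ]
    for rec in trail:
        analyzer.ingest(rec)
    return analyzer


if __name__ == "__main__":
    a = run_demo()
    print("violations:", a.violations)
    print("responses:", a.actions_taken)
```

The evaluator test for FAU_SAA.1 maps onto this directly: each Rule is one "combination of auditable events" to provoke, and the expected evidence is an entry in violations followed by the matching entry in actions_taken.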
A.1.3 Protection of the TSF (FPT)
FPT_GVI_EXT.1 Guest VM Integrity
FPT_GVI_EXT.1.1 The TSF shall verify the integrity of Guest VMs through the following mechanisms: [assignment: list of Guest VM integrity mechanisms].
Application Note: The primary purpose of this requirement is to identify and describe the mechanisms used to verify the integrity of Guest VMs that have been 'imported' in some fashion, though these mechanisms could also be applied to all Guest VMs, depending on the mechanism used. Importation for this requirement could include VM migration (live or otherwise), the importation of virtual disk files that were previously exported, VMs in shared storage, etc. It is possible that a trusted VM could have been modified during the migration or import/export process, or VMs could have been obtained from untrusted sources in the first place, so integrity checks on these VMs can be a prudent measure to take. These integrity checks could be as thorough as making sure the entire VM exactly matches a previously known VM (by hash for example), or by simply checking certain configuration settings to ensure that the VM's configuration will not violate the security model of the VS.
Evaluation Activities
FPT_GVI_EXT.1
TSS
For each mechanism listed in the assignment, the evaluator shall ensure that the TSS documents the mechanism, including how it verifies VM integrity, which set of Guest VMs it will check (all Guest VMs, only migrated VMs, etc.), when such checks occur (before VM startup, immediately following importation/migration, on demand, etc.), and which actions are taken if a VM fails the integrity check (or which range of actions are possible if the action is configurable).
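The two kinds of mechanism the Application Note names, a whole-image hash compared against a previously known VM and a check of configuration settings against the security model of the VS, as an added example that is not code from the Protection Profile or from any product. The manifest layout, the configuration keys and the policy are constructed for the illustration.

```python
"""Guest VM integrity check on import (FPT_GVI_EXT.1).

Added example for the Protection Profile text, not code from the PP or any
Virtualization System. The manifest layout, the configuration keys and the
policy are constructed.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(image: bytes, config: dict) -> dict:
    """Record a known-good VM: image digest plus digest of its canonical config."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return {"image_sha256": sha256_hex(image), "config_sha256": sha256_hex(canonical)}


# Constructed policy: settings an imported VM may not carry, because they
# would let the guest reach outside the isolation boundary the VS enforces.
POLICY_FORBIDDEN = {
    "pci_passthrough": "enabled",
    "shared_clipboard": "enabled",
    "host_filesystem_share": "rw",
}


def config_violations(config: dict, policy: dict = POLICY_FORBIDDEN) -> list:
    """Return the configuration keys whose values the policy forbids."""
    return sorted(k for k, forbidden in policy.items() if config.get(k) == forbidden)


def verify_imported_vm(image: bytes, config: dict, manifest: dict,
                       policy: dict = POLICY_FORBIDDEN) -> dict:
    """Decide whether an imported VM may be started.

    image_ok / config_ok compare digests with a constant-time comparison;
    violations lists policy breaches found in the imported configuration.
    """
    current = make_manifest(image, config)
    image_ok = hmac.compare_digest(current["image_sha256"], manifest["image_sha256"])
    config_ok = hmac.compare_digest(current["config_sha256"], manifest["config_sha256"])
    violations = config_violations(config, policy)
    return {
        "image_ok": image_ok,
        "config_ok": config_ok,
        "violations": violations,
        "accept": image_ok and config_ok and not violations,
    }


def demo():
    """Constructed VM: export it, then re-import an unmodified and two altered copies."""
    image = b"guest disk image bytes (constructed)" * 64
    config = {"vcpus": 2, "memory_mb": 2048, "pci_passthrough": "disabled"}
    manifest = make_manifest(image, config)

    clean = verify_imported_vm(image, config, manifest)
    tampered_image = image[:-1] + b"\x00"                  # one byte changed in transit
    tampered = verify_imported_vm(tampered_image, config, manifest)
    risky_config = dict(config, pci_passthrough="enabled")  # config edited against policy
    risky = verify_imported_vm(image, risky_config, manifest)
    return clean, tampered, risky
```

The returned dictionary is the material the TSS is asked to document: what was checked (image, configuration, or both), and which outcome drives the action taken when the check fails.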
A.2 Objective Requirements
A.2.1 Auditable Events for Objective Requirements
Table 6: Auditable Events for Objective Requirements
Requirement | Auditable Events | Additional Audit Record Contents
FPT_DDI_EXT.1 | No events specified |
FPT_IDV_EXT.1 | No events specified |
FPT_INT_EXT.1 | Introspection initiated/enabled. | The VM introspected.
FPT_ML_EXT.1 | Integrity initiated/enabled. | Integrity measurement values.
A.2.2 Protection of the TSF (FPT)
FPT_DDI_EXT.1 Device Driver Isolation
FPT_DDI_EXT.1.1 The TSF shall ensure that device drivers for physical devices are isolated from the VMM and all other domains.
Application Note: In order to function on physical hardware, the VMM must have access to the device drivers for the physical platform on which it runs. These drivers are often written by third parties, and yet are effectively a part of the VMM. Thus the integrity of the VMM in part depends on the quality of third party code that the virtualization vendor has no control over. By encapsulating these drivers within one or more dedicated driver domains (e.g., Service VM or VMs) the damage of a driver failure or vulnerability can be contained within the domain, and would not compromise the VMM. When driver domains have exclusive access to a physical device, hardware isolation mechanisms, such as Intel's VT-d, AMD's Input/Output Memory Management Unit (IOMMU), or ARM's System Memory Management Unit (MMU) should be used to ensure that operations performed by Direct Memory Access (DMA) hardware are properly constrained.
Evaluation Activities
FPT_DDI_EXT.1
TSS
The evaluator shall examine the TSS documentation to verify that it describes the mechanism used for device driver isolation. If the TSS document indicates that a hardware isolation mechanism is used, the evaluator shall verify that the TSS documentation enumerates the hardware-isolated DMA-capable devices, and that it also provides a complete list of the accessible targets for memory transactions for each of those DMA-capable devices. (An example of information that might be included in the TSS documentation: a listing of all pages belonging to the driver domain, the identification of a subset of the driver domain's pages that the driver domain has permitted the device access to, or the identification of a dedicated area of memory reserved for the device or driver domain.)
FPT_IDV_EXT.1 Software Identification and Versions
FPT_IDV_EXT.1.1 The TSF shall include software identification (SWID) tags that contain a SoftwareIdentity element and an Entity element as defined in ISO/IEC 19770-2:2009.
FPT_IDV_EXT.1.2 The TSF shall store SWIDs in a .swidtag file as defined in ISO/IEC 19770-2:2009.
Application Note: SWID tags are XML files embedded within software that provide a standard method for IT departments to track and manage the software. The presence of SWIDs can greatly simplify the software management process and improve security by enhancing the ability of IT departments to manage updates.
Evaluation Activities
FPT_IDV_EXT.1
TSS
The evaluator shall examine the TSS to ensure it describes how SWID tags are implemented and the format of the tags. The evaluator shall verify that the format complies with FPT_IDV_EXT.1.1 and that SWIDs are stored in accordance with FPT_IDV_EXT.1.2.
Tests
The evaluator shall perform the following test:
Test 1: The evaluator shall check for the existence of SWID tags in a .swidtag file. The evaluator shall open the file and verify that each SWID contains at least a SoftwareIdentity element and an Entity element.
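Test 1 as a repeatable check, added here as an example and not code from the Protection Profile or from any product. The sample tag is constructed; its namespace URI and the attributes placed on SoftwareIdentity and Entity are assumptions about the SWID schema, which is why the checker matches element names without regard to namespace and asserts only what FPT_IDV_EXT.1 asks for.

```python
"""Check .swidtag files for the elements FPT_IDV_EXT.1 requires.

Added example for the Protection Profile's Test 1, not code from the PP or
any product. The sample tag below is constructed; its namespace URI and the
attribute names are assumptions, so the checker ignores namespaces.
"""
import xml.etree.ElementTree as ET

# Assumed namespace for the constructed sample; the checker does not rely on it.
ASSUMED_SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

GOOD_SWIDTAG = f"""<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{ASSUMED_SWID_NS}"
                  name="Example Hypervisor" version="1.1"
                  tagId="example.com-hypervisor-1.1">
  <Entity name="Example Vendor" regid="example.com"
          role="tagCreator softwareCreator"/>
</SoftwareIdentity>
"""

MISSING_ENTITY_SWIDTAG = f"""<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{ASSUMED_SWID_NS}" name="Example Hypervisor" version="1.1"/>
"""


def local_name(tag: str) -> str:
    """Strip an XML namespace prefix of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def check_swidtag(xml_text: str) -> dict:
    """Verify one SWID tag: a SoftwareIdentity root holding at least one Entity."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    has_identity = local_name(root.tag) == "SoftwareIdentity"
    entities = [e for e in root.iter() if e is not root and local_name(e.tag) == "Entity"]
    return {
        "software_identity": has_identity,
        "entity_count": len(entities),
        "name": root.get("name"),
        "version": root.get("version"),
        "passes": has_identity and len(entities) >= 1,
    }


def check_swidtag_files(files: dict) -> dict:
    """files maps a filename to its XML text; returns one result per file.

    A file not named *.swidtag fails FPT_IDV_EXT.1.2 regardless of content;
    malformed XML is reported rather than raised.
    """
    results = {}
    for filename, text in files.items():
        if not filename.endswith(".swidtag"):
            results[filename] = {"passes": False, "reason": "not a .swidtag file"}
            continue
        try:
            results[filename] = check_swidtag(text)
        except ET.ParseError as exc:
            results[filename] = {"passes": False, "reason": f"malformed XML: {exc}"}
    return results


if __name__ == "__main__":
    for name, result in check_swidtag_files({"good.swidtag": GOOD_SWIDTAG,
                                             "bad.swidtag": MISSING_ENTITY_SWIDTAG}).items():
        print(name, result)
```

The name and version pulled from the tag are what ALC_CMC.1 asks the evaluator to compare against the ST and the AGD guidance, so the same check can feed that consistency comparison.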
FPT_INT_EXT.1 Support for Introspection
FPT_INT_EXT.1.1 The TSF shall support a mechanism for permitting the VMM or privileged VMs to access the internals of another VM for purposes of introspection.
Application Note: Introspection can be used to support malware and anomaly detection from outside of the guest environment. This not only helps protect the Guest OS, it also protects the VS by providing an opportunity for the VS to detect threats to itself that originate within VMs, and that may attempt to break out of the VM and compromise the VMM or other VMs.
The hosting of malware detection software outside of the guest VM helps protect the guest and helps ensure the integrity of the malware detection/antivirus software. This capability can be implemented in the VMM itself, but ideally it should be hosted by a Service VM so that it can be better contained and does not introduce bugs into the VMM.
Evaluation Activities
FPT_INT_EXT.1
TSS
The evaluator shall examine the TSS documentation to verify that it describes the interface for VM introspection and whether the introspection is performed by the VMM or another VM.
Guidance
The evaluator shall examine the operational guidance to ensure that it contains instructions for configuration of the introspection mechanism.
FPT_ML_EXT.1 Measured Launch of Platform and VMM
FPT_ML_EXT.1.1 The TSF shall support a measured launch of the Virtualization System. Measured components of the VS shall include the static executable image of the Hypervisor and: [selection:
- Static executable images of the Management Subsystem,
- [assignment: list of (static images of) Service VMs],
- [assignment: list of configuration files],
- no other components
]
FPT_ML_EXT.1.2 The TSF shall make the measurements selected in FPT_ML_EXT.1.1 available to the Management Subsystem.
Application Note: A measured launch of the platform and VS demonstrates that the proper TOE software was loaded. A measured launch process employs verifiable integrity measurement mechanisms. For example, a VS may hash components such as the hypervisor, service VMs, or the Management Subsystem. A measured launch process only allows components to be executed after the measurement has been recorded. An example process may add each component's hash before it is executed so that the final hash reflects the evidence of a component's state prior to execution. The measurement may be verified as the system boots, but this is not required.
The Platform is outside of the TOE. However, this requirement specifies that the VS must be capable of receiving Platform measurements if the Platform provides them. This requirement is requiring TOE support for Platform measurements if provided; it is not placing a requirement on the Platform to take such measurements.
If available, hardware should be used to store measurements in such a manner that they cannot be modified in any manner except to be extended. These measurements should be produced in a repeatable manner so that a third party can verify the measurements if given the inputs. Hardware devices, like Trusted Platform Modules (TPM), TrustZone, and MMU are some examples that may serve as foundations for storing and reporting measurements.
Platforms with a root of trust for measurement (RTM) should initiate the measured launch process. This may include core BIOS or the chipset. The chipset is the preferred RTM, but core BIOS or other firmware is acceptable. In a system without a traditional RTM, the first component that boots would be considered the RTM; this is not preferred.
Evaluation Activities
FPT_ML_EXT.1
TSS
The evaluator shall verify that the TSS or Operational Guidance describes how integrity measurements are performed and made available to the Management Subsystem. The evaluator shall examine the operational guidance to verify that it documents how to access the measurements in the Management Subsystem.
Tests
The evaluator shall perform the following test:
Test 1: The evaluator shall start the VS, log in as an Administrator, and verify that the measurements for the specified components are viewable in the Management Subsystem.
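The measure-before-execute process in the Application Note, with an extend-only register and a log a third party can replay, as an added example that is not code from the Protection Profile or from any product. It imitates in software the hardware extend operation the note attributes to a TPM: each component is hashed and folded into the register before it runs, the register can only be extended, never rewritten, and the log plus the reference digests are what the Management Subsystem would expose. Component names, images and the reference ("golden") digests are constructed.

```python
"""Measured launch with an extend-only register (FPT_ML_EXT.1).

Added example for the Application Note, not code from the PP or any product.
Component names, images and the reference ("golden") digests are constructed.
"""
import hashlib

REGISTER_SIZE = 32  # SHA-256 output; the constructed starting value is all zeros


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """new_register = H(old_register || measurement): order-dependent and one-way."""
    return hashlib.sha256(register + measurement).digest()


class MeasuredLaunch:
    def __init__(self):
        self.register = bytes(REGISTER_SIZE)
        self.log = []       # (component name, measurement hex), exposed to the Management Subsystem
        self.executed = []

    def launch(self, name: str, image: bytes, execute) -> None:
        """Measure-before-execute: record the measurement, then run the component."""
        m = measure(image)
        self.register = extend(self.register, m)
        self.log.append((name, m.hex()))
        execute(image)
        self.executed.append(name)


def replay(log) -> bytes:
    """Recompute the register from the log alone (what a verifier does)."""
    register = bytes(REGISTER_SIZE)
    for _, m_hex in log:
        register = extend(register, bytes.fromhex(m_hex))
    return register


def verify_launch(final_register: bytes, log, golden: dict) -> dict:
    """golden maps component name -> expected SHA-256 hex from the reference build."""
    consistent = replay(log) == final_register
    mismatched = [name for name, m_hex in log if golden.get(name) != m_hex]
    measured = {name for name, _ in log}
    unmeasured = [name for name in golden if name not in measured]
    return {"log_consistent": consistent, "mismatched": mismatched,
            "unmeasured": unmeasured,
            "ok": consistent and not mismatched and not unmeasured}


# Constructed component images and the digests a vendor would publish for them.
COMPONENTS = {
    "hypervisor": b"hypervisor static image (constructed)" * 16,
    "management_subsystem": b"management subsystem image (constructed)" * 16,
    "service_vm_net": b"network service VM image (constructed)" * 16,
    "vs.conf": b"isolation=strict\naudit=on\n",
}
GOLDEN = {name: measure(img).hex() for name, img in COMPONENTS.items()}
BOOT_ORDER = ("hypervisor", "management_subsystem", "service_vm_net", "vs.conf")


def boot(components: dict) -> MeasuredLaunch:
    """Launch every component in a fixed order; returns the launch record."""
    ml = MeasuredLaunch()
    for name in BOOT_ORDER:
        ml.launch(name, components[name], execute=lambda img: None)  # stand-in for running it
    return ml


def demo():
    good = boot(COMPONENTS)
    altered = dict(COMPONENTS, service_vm_net=COMPONENTS["service_vm_net"] + b"\x00")
    bad = boot(altered)
    return (verify_launch(good.register, good.log, GOLDEN),
            verify_launch(bad.register, bad.log, GOLDEN))
```

Two properties worth noting in the result: an altered component shows up as a mismatch even though its log is internally consistent (the log faithfully records what was loaded), and reordering the log changes the replayed register, so the verifier also learns the order in which components were launched.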
A.3 Implementation-Based Requirements
This PP does not define any Implementation-Based requirements.
Appendix B - Selection-Based Requirements
As indicated in the introduction to this PP, the baseline requirements (those that must be performed by the TOE or its underlying platform) are contained in the body of this PP. There are additional requirements based on selections in the body of the PP: if certain selections are made, then additional requirements below must be included.
B.1 Auditable Events for Selection-Based Requirements
Table 7: Auditable Events for Selection-based Requirements
Requirement | Auditable Events | Additional Audit Record Contents
FCS_HTTPS_EXT.1 | Failure to establish a HTTPS Session. | Reason for failure. Non-TOE endpoint of connection (IP address) for failures.
FCS_HTTPS_EXT.1 | Establishment/Termination of a HTTPS session. | Non-TOE endpoint of connection (IP address).
FCS_IPSEC_EXT.1 | Failure to establish an IPsec SA. | Reason for failure. Non-TOE endpoint of connection (IP address).
FCS_IPSEC_EXT.1 | Establishment/Termination of an IPsec SA. | Non-TOE endpoint of connection (IP address).
FIA_PMG_EXT.1 | No events specified |
FIA_X509_EXT.1 | Failure to validate a certificate. | Reason for failure.
FIA_X509_EXT.2 | No events specified |
FPT_TUD_EXT.2 | No events specified |
FTP_TRP.1 | Initiation of the trusted channel. | User ID and remote source (IP Address) if feasible.
FTP_TRP.1 | Termination of the trusted channel. | User ID and remote source (IP Address) if feasible.
FTP_TRP.1 | Failures of the trusted path functions. | User ID and remote source (IP Address) if feasible.
B.2 Cryptographic Support (FCS)
FCS_HTTPS_EXT.1 HTTPS Protocol
The inclusion of this selection-based component depends upon a selection in FIA_X509_EXT.2.1, FTP_ITC_EXT.1.1.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
Application Note: This SFR is included in the ST if the ST Author selects "TLS/HTTPS" in FTP_ITC_EXT.1.1.
The ST author must provide enough detail to determine how the implementation is complying with the standards identified; this can be done either by adding elements to this component, or by additional detail in the TSS.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS.
Evaluation Activities
FCS_HTTPS_EXT.1
TSS
The evaluator shall check the TSS to ensure that it is clear on how HTTPS uses TLS to establish an administrative session, focusing on any client authentication required by the TLS protocol vs. security administrator authentication which may be done at a different level of the processing stack.
Tests
Testing for this activity is done as part of the TLS testing; this may result in additional testing if the TLS tests are done at the TLS protocol level.
FCS_IPSEC_EXT.1 IPsec Protocol
The inclusion of this selection-based component depends upon a selection in FIA_X509_EXT.2.1, FTP_ITC_EXT.1.1.
FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC 4301.
Application Note: This SFR is included in the ST if the ST Author selected "IPsec" in FTP_ITC_EXT.1.1.
RFC 4301 calls for an IPsec implementation to protect IP traffic through the use of a Security Policy Database (SPD). The SPD is used to define how IP packets are to be handled: PROTECT the packet (e.g., encrypt the packet), BYPASS the IPsec services (e.g., no encryption), or DISCARD the packet (e.g., drop the packet). The SPD can be implemented in various ways, including router access control lists, firewall rule sets, a "traditional" SPD, etc. Regardless of the implementation details, there is a notion of a "rule" that a packet is "matched" against and a resulting action that takes place.
While there must be a means to order the rules, a general approach to ordering is not mandated, as long as the TOE can distinguish the IP packets and apply the rules accordingly. There may be multiple SPDs (one for each network interface), but this is not required.
FCS_IPSEC_EXT.1.2 The TSF shall implement [selection: transport mode, tunnel mode].
Application Note: If the TOE is used to connect to a VPN gateway for the purposes of establishing a secure connection to a private network, the ST author shall select tunnel mode. If the TOE uses IPsec to establish an end-to-end connection to another IPsec VPN Client, the ST author shall select transport mode. If the TOE uses IPsec to establish a connection to a specific endpoint device for the purpose of secure remote administration, the ST author shall select transport mode.
FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.
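The SPD behaviour described in the Application Note to FCS_IPSEC_EXT.1.1 and required by FCS_IPSEC_EXT.1.3, as an added example that is not code from the Protection Profile or from any IPsec implementation: rules are consulted in order, the first match decides PROTECT, BYPASS or DISCARD, and a nominal final entry discards anything otherwise unmatched. The addresses, ports and policy are constructed.

```python
"""A small Security Policy Database (FCS_IPSEC_EXT.1.1 / FCS_IPSEC_EXT.1.3).

Added example for the Application Note, not code from the PP or any product.
Addresses, ports and the policy itself are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    action: str
    src: Optional[str] = None   # CIDR; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None # None means any
    dport: Optional[int] = None # None means any

    def matches(self, p: Packet) -> bool:
        def in_net(addr, cidr):
            # An address of the other IP version is simply not in the network.
            return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# FCS_IPSEC_EXT.1.3: the nominal, final entry that matches anything and discards it.
FINAL_ENTRY = SpdEntry(DISCARD)


class Spd:
    def __init__(self, entries):
        # Ordered list; the final discard entry is always appended so it cannot be omitted.
        self.entries = list(entries) + [FINAL_ENTRY]

    def lookup(self, p: Packet):
        """Return (action, index of the matching entry); the final entry guarantees a result."""
        for index, entry in enumerate(self.entries):
            if entry.matches(p):
                return entry.action, index
        raise RuntimeError("unreachable: the final entry matches every packet")


# Constructed policy for a VS host: protect remote administration traffic to the
# management network, let same-subnet ICMP through in the clear, discard the rest.
DEMO_SPD = Spd([
    SpdEntry(PROTECT, src="10.0.5.0/24", dst="10.0.0.0/24", proto="tcp", dport=443),
    SpdEntry(BYPASS,  src="10.0.5.0/24", dst="10.0.5.0/24", proto="icmp"),
])


if __name__ == "__main__":
    for pkt in (Packet("10.0.5.7", "10.0.0.10", "tcp", 443),
                Packet("10.0.5.7", "10.0.5.9", "icmp"),
                Packet("10.0.5.7", "10.0.0.10", "tcp", 22)):
        print(pkt, "->", DEMO_SPD.lookup(pkt))
```

Because the rules are ordered and first-match-wins, swapping the two constructed entries would not change these results, but a broader BYPASS entry placed before a narrower PROTECT entry would silently send administration traffic in the clear; that ordering sensitivity is why the Application Note insists on a defined means to order the rules.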
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms [AES-GCM-128, AES-GCM-256 (as specified in RFC 4106), [selection: AES-CBC-128 (specified in RFC 3602), AES-CBC-256 (specified in RFC 3602), no other algorithms]] together with a Secure Hash Algorithm (SHA)-based HMAC.
FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [selection:
- IKEv1, using Main Mode for Phase 1 exchanges, as defined in RFC 2407, RFC 2408, RFC 2409, RFC 4109, [selection: no other RFCs for extended sequence numbers, RFC 4304 for extended sequence numbers], [selection: no other RFCs for hash functions, RFC 4868 for hash functions], and [selection: support for XAUTH, no support for XAUTH],
- IKEv2 as defined in RFC 7296 (with mandatory support for NAT traversal as specified in section 2.23), RFC 8784, RFC 8247, and [selection: no other RFCs for hash functions, RFC 4868 for hash functions]
].
Application Note: If the TOE implements SHA-2 hash algorithms for IKEv1 or IKEv2, the ST author shall select RFC 4868.
FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [selection: IKEv1, IKEv2] protocol uses the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 6379 and [selection: AES-GCM-128 as specified in RFC 5282, AES-GCM-256 as specified in RFC 5282, no other algorithm].
FCS_IPSEC_EXT.1.7 The TSF shall ensure that [selection:
- IKEv2 SA lifetimes can be configured by [selection: an Administrator, a VPN Gateway] based on [selection: number of packets/number of bytes, length of time],
- IKEv1 SA lifetimes can be configured by [selection: an Administrator, a VPN Gateway] based on [selection: number of packets/number of bytes, length of time],
- IKEv1 SA lifetimes are fixed based on [selection: number of packets/number of bytes, length of time]. If length of time is used, it must include at least one option that is 24 hours or less for Phase 1 SAs and 8 hours or less for Phase 2 SAs.
]
Application Note: The ST author is afforded a selection based on the version of IKE in their implementation. There is a further selection within this selection that allows the ST author to specify which entity is responsible for "configuring" the life of the SA. An implementation that allows an administrator to configure the client or a VPN gateway that pushes the SA lifetime down to the client are both acceptable.
As far as SA lifetimes are concerned, the TOE can limit the lifetime based on the number of bytes transmitted, or the number of packets transmitted. Either packet-based or volume-based SA lifetimes are acceptable; the ST author makes the appropriate selection to indicate which type of lifetime limits are supported.
The ST author chooses either the IKEv1 requirements or IKEv2 requirements (or both, depending on the selection in FCS_IPSEC_EXT.1.5). The IKEv1 requirement can be accomplished either by providing Authorized Administrator-configurable lifetimes (with appropriate instructions in documents mandated by AGD_OPE), or by "hardcoding" the limits in the implementation. For IKEv2, there are no hardcoded limits, but in this case it is required that an administrator be able to configure the values. In general, instructions for setting the parameters of the implementation, including lifetime of the SAs, should be included in the operational guidance generated for AGD_OPE. It is appropriate to refine the requirement in terms of number of MB/KB instead of number of packets, as long as the TOE is capable of setting a limit on the amount of traffic that is protected by the same key (the total volume of all IPsec traffic protected by that key).
FCS_IPSEC_EXT.1.8TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bitMODP),nootherDHgroups]].
ApplicationNote:TheselectionisusedtospecifyadditionalDHgroupssupported.ThisappliestoIKEv1andIKEv2exchanges.ItshouldbenotedthatifanyadditionalDHgroupsarespecified,theymustcomplywiththerequirements(intermsoftheephemeralkeysthatareestablished)listedinFCS_CKM.1.
SincetheimplementationmayallowdifferentDiffie-HellmangroupstobenegotiatedforuseinformingtheSAs,theassignmentsinFCS_IPSEC_EXT.1.9andFCS_IPSEC_EXT.1.10maycontainmultiplevalues.ForeachDHgroupsupported,theSTauthorconsultsTable2in800-57todeterminethe“bitsofsecurity”associatedwiththeDHgroup.Eachuniquevalueisthenusedtofillintheassignment(for1.9theyaredoubled;for1.10theyareinserteddirectlyintotheassignment).Forexample,supposetheimplementationsupportsDHgroup14(2048-bitMODP)andgroup20(ECDHusingNISTcurveP-384).FromTable2,thebitsofsecurityvalueforgroup14is112,andforgroup20itis192.ForFCS_IPSEC_EXT.1.9,then,theassignmentwouldread“[224,384]”andforFCS_IPSEC_EXT.1.10itwouldread“[112,192]”(althoughinthiscasetherequirementshouldprobablyberefinedsothatitmakessensemathematically).
FCS_IPSEC_EXT.1.9TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)numberofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.
FCS_IPSEC_EXT.1.10TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General].
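As an added illustration that is not part of the PP, the following Python computes the FCS_IPSEC_EXT.1.9 and FCS_IPSEC_EXT.1.10 assignments from the bits-of-security values and checks generated secrets and nonces against them; the Table 2 values for groups 15, 19 and 24 are taken from SP 800-57 (the application note quotes only groups 14 and 20), and the OS CSPRNG stands in for the FCS_RBG_EXT.1 generator.

```python
# Added example (not part of the PP): derive the FCS_IPSEC_EXT.1.9 / 1.10 assignments from
# the "bits of security" of each supported DH group and check generated values against them.
import secrets

# Bits of security per NIST SP 800-57 Part 1, Table 2, for the groups FCS_IPSEC_EXT.1.8 allows.
# Groups 14 and 20 are the values quoted in the application note; 15, 19 and 24 come from the
# same table (2048-bit FFC -> 112, 3072-bit FFC -> 128, 256-bit ECC -> 128).
BITS_OF_SECURITY = {
    14: 112,  # 2048-bit MODP
    15: 128,  # 3072-bit MODP
    19: 128,  # 256-bit random ECP
    20: 192,  # 384-bit random ECP
    24: 112,  # 2048-bit MODP with 256-bit prime-order subgroup
}


def assignments(supported_groups):
    """Return the unique values to fill into FCS_IPSEC_EXT.1.9 (doubled) and 1.10 (as listed)."""
    sec = sorted({BITS_OF_SECURITY[g] for g in supported_groups})
    return [2 * s for s in sec], sec


def min_secret_bits(group):
    """FCS_IPSEC_EXT.1.9: x must carry at least twice the group's bits of security."""
    return 2 * BITS_OF_SECURITY[group]


def min_nonce_bits(group):
    """FCS_IPSEC_EXT.1.10: a uniformly random n-bit nonce repeats a given value with
    probability 2^-n, so n must be at least the group's bits of security."""
    return BITS_OF_SECURITY[group]


def generate_dh_secret(group, rbg=secrets.token_bytes):
    """Draw x for g^x mod p. The OS CSPRNG stands in here for the FCS_RBG_EXT.1 generator."""
    return rbg((min_secret_bits(group) + 7) // 8)


def generate_nonce(group, rbg=secrets.token_bytes):
    """Draw an IKE nonce sized for the negotiated group."""
    return rbg((min_nonce_bits(group) + 7) // 8)


def meets_length_requirements(group, secret, nonce):
    """Check drawn values against the requirement. The length counted is the number of RBG
    output bits, so leading zero bits in the integer value of x do not shorten it."""
    return (len(secret) * 8 >= min_secret_bits(group)
            and len(nonce) * 8 >= min_nonce_bits(group))
```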
FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols perform peer authentication using a [selection: RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [selection: Pre-shared Keys, no other method].
Application Note: At least one public-key-based Peer Authentication method is required in order to conform to this PP-Module; one or more of the public key schemes is chosen by the ST author to reflect what is implemented. The ST author also ensures that appropriate FCS requirements reflecting the algorithms used (and key generation capabilities, if provided) are listed to support those methods. Note that the TSS will elaborate on the way in which these algorithms are to be used (for example, RFC 2409 specifies three authentication methods using public keys; each one supported will be described in the TSS).
If “pre-shared keys” is selected, the selection-based requirement FIA_PSK_EXT.1 must be claimed.
FCS_IPSEC_EXT.1.12 The TSF shall not establish an SA if the [[selection: IP address, Fully Qualified Domain Name (FQDN), user FQDN, Distinguished Name (DN)] and [selection: no other reference identifier type, [assignment: other supported reference identifier types]]] contained in a certificate does not match the expected values for the entity attempting to establish a connection.
Application Note: The TOE must support at least one of the following identifier types: IP address, Fully Qualified Domain Name (FQDN), user FQDN, or Distinguished Name (DN). In the future, the TOE will be required to support all of these identifier types. The TOE is expected to support as many IP address formats (IPv4 and IPv6) as IP versions supported by the TOE in general. The ST author may assign additional supported identifier types in the second selection.
FCS_IPSEC_EXT.1.13 The TSF shall not establish an SA if the presented identifier does not match the configured reference identifier of the peer.
Application Note: At this time, only the comparison between the presented identifier in the peer’s certificate and the peer’s reference identifier is mandated by the testing below. However, in the future, this requirement will address two aspects of the peer certificate validation: 1) comparison of the peer’s ID payload to the peer’s certificate, which are both presented identifiers, as required by RFC 4945, and 2) verification that the peer identified by the ID payload and the certificate is the peer expected by the TOE (per the reference identifier). At that time, the TOE will be required to demonstrate both aspects (i.e. that the TOE enforces that the peer’s ID payload matches the peer’s certificate, which both match configured peer reference identifiers).
Excluding the DN identifier type (which is necessarily the Subject DN in the peer certificate), the TOE may support the identifier in either the Common Name or Subject Alternative Name (SAN) or both. If both are supported, the preferred logic is to compare the reference identifier to a presented SAN, and only if the peer’s certificate does not contain a SAN, to fall back to a comparison against the Common Name. In the future, the TOE will be required to compare the reference identifier to the presented identifier in the SAN only, ignoring the Common Name.
The configuration of the peer reference identifier is addressed by FMT_SMF.1.1/VPN.
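Added example, not from the PP: the reference-identifier comparison described for FCS_IPSEC_EXT.1.12 and FCS_IPSEC_EXT.1.13 (SAN preferred, Common Name only when no SAN is present, bit-wise DN comparison, and the IP-header check the evaluation activities call for) over a constructed stand-in for a peer certificate's identity fields. The PeerCert class, the sample values and the case-insensitive name comparison are this example's assumptions.

```python
# Added example (not part of the PP): reference-identifier matching as FCS_IPSEC_EXT.1.12/1.13
# describe it, over a constructed stand-in for the identity fields of a peer's X.509v3 certificate.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PeerCert:
    subject_dn: bytes                        # stand-in for the DER-encoded Subject DN, compared bit for bit
    common_name: Optional[str] = None        # CN attribute of the subject, if any
    san: dict = field(default_factory=dict)  # SAN entries by type: "IP", "FQDN", "userFQDN"


def _presented_identifiers(cert, id_type):
    """Preferred logic from the application note: use the SAN when the certificate carries one
    and fall back to the Common Name only when it carries no SAN at all."""
    if cert.san:
        return list(cert.san.get(id_type, []))
    return [cert.common_name] if cert.common_name else []


def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:  # a CN that is not an address can never satisfy an IP identifier
        return False


def reference_id_matches(id_type, reference, cert, peer_header_ip=None):
    """Return True only if the configured reference identifier matches what the peer presented.

    id_type is one of "IP", "FQDN", "userFQDN", "DN". For "IP", peer_header_ip is the source
    address seen in the IP header; the identifier must also be that address."""
    if id_type == "DN":
        return reference == cert.subject_dn  # bit-wise comparison of the encoded DN
    presented = _presented_identifiers(cert, id_type)
    if id_type == "IP":
        if peer_header_ip is not None and not _same_ip(reference, peer_header_ip):
            return False
        return any(_same_ip(reference, p) for p in presented)
    if id_type in ("FQDN", "userFQDN"):
        # Assumption of this example: exact, case-insensitive match; no wildcards or suffixes.
        return any(p.lower() == reference.lower() for p in presented)
    return False  # unknown identifier type: never establish the SA


def id_payload_matches_cert(id_type, id_payload, cert):
    """The second aspect the application note anticipates: the IKE ID payload the peer sent must
    name the same identity as its certificate (RFC 4945)."""
    return reference_id_matches(id_type, id_payload, cert)


# Constructed peer certificate (not real DER): a VPN gateway cert whose SAN and CN differ.
SAMPLE_CERT = PeerCert(
    subject_dn=b"CN=vpn-gw1,OU=VPN,O=Example,C=US",
    common_name="vpn-gw1",
    san={"FQDN": ["vpn.example.com"], "IP": ["203.0.113.5", "2001:db8::5"]},
)
```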
FCS_IPSEC_EXT.1.14 The [selection: TSF, VPN Gateway] shall be able to ensure by default that the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 1, IKEv2 IKE_SA] connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 2, IKEv2 CHILD_SA] connection.
Application Note: If this functionality is configurable, the TSF may be configured by a VPN Gateway or by an Administrator of the TOE itself.
The ST author chooses either or both of the IKE selections based on what is implemented by the TOE. Obviously, the IKE versions chosen should be consistent not only in this element, but with other choices for other elements in this component. While it is acceptable for this capability to be configurable, the default configuration in the evaluated configuration (either "out of the box" or by configuration guidance in the AGD documentation) must enable this functionality.
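Added example (not from the PP): a transform-selection routine that applies the FCS_IPSEC_EXT.1.14 check at the point where the CHILD_SA or Phase 2 suite is negotiated, assuming an ST that selected every AES transform offered in FCS_IPSEC_EXT.1.4 and FCS_IPSEC_EXT.1.6; the allowed sets and the peer proposals used in the checks are constructed.

```python
# Added example (not part of the PP): the default check FCS_IPSEC_EXT.1.14 describes, applied to
# the transform names used in FCS_IPSEC_EXT.1.4 (ESP) and FCS_IPSEC_EXT.1.6 (IKE payload).

# Symmetric key size in bits for each transform this PP allows; anything else is unsupported.
KEY_BITS = {"AES-CBC-128": 128, "AES-CBC-256": 256, "AES-GCM-128": 128, "AES-GCM-256": 256}

# Assumption: the ST selected all optional transforms, so both lists are complete.
IKE_SA_TRANSFORMS = frozenset(KEY_BITS)   # FCS_IPSEC_EXT.1.6: IKE payload encryption
ESP_TRANSFORMS = frozenset(KEY_BITS)      # FCS_IPSEC_EXT.1.4: ESP


def negotiate_ike_sa(peer_proposals):
    """Pick the first peer proposal allowed for the IKEv1 Phase 1 / IKEv2 IKE_SA; None rejects."""
    for transform in peer_proposals:
        if transform in IKE_SA_TRANSFORMS:
            return transform
    return None


def negotiate_child_sa(ike_sa_transform, peer_proposals):
    """Pick the first ESP proposal that is allowed AND no stronger than the key protecting the
    IKE SA (FCS_IPSEC_EXT.1.14). None rejects the CHILD_SA / Phase 2 negotiation."""
    if ike_sa_transform not in IKE_SA_TRANSFORMS:
        return None  # no valid IKE SA is protecting this negotiation
    limit = KEY_BITS[ike_sa_transform]
    for transform in peer_proposals:
        if transform in ESP_TRANSFORMS and KEY_BITS[transform] <= limit:
            return transform
    return None


def negotiate(ike_proposals, esp_proposals):
    """Full sequence for one connection: IKE SA first, then the CHILD_SA under its limit.
    Returns (ike_transform, esp_transform) with None where the negotiation is rejected."""
    ike = negotiate_ike_sa(ike_proposals)
    if ike is None:
        return None, None
    return ike, negotiate_child_sa(ike, esp_proposals)
```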
Evaluation Activities
FCS_IPSEC_EXT.1
TSS
In addition to the TSS EAs for the individual FCS_IPSEC_EXT.1 elements below, the evaluator shall perform the following: If the TOE boundary includes a general-purpose operating system or mobile device, the evaluator shall examine the TSS to ensure that it describes whether the VPN client capability is architecturally integrated with the platform itself or whether it is a separate executable that is bundled with the platform.
Guidance
In addition to the Operational Guidance EAs for the individual FCS_IPSEC_EXT.1 elements below, the evaluator shall perform the following: If the configuration of the IPsec behavior is from an environmental source, most notably a VPN gateway (e.g. through receipt of required connection parameters from a VPN gateway), the evaluator shall ensure that the operational guidance contains any appropriate information for ensuring that this configuration can be properly applied. Note in this case that the implementation of the IPsec protocol must be enforced entirely within the TOE boundary; i.e. it is not permissible for a software application TOE to be a graphical front-end for IPsec functionality implemented totally or in part by the underlying OS platform. The behavior referenced here is for the possibility that the configuration of the IPsec connection is initiated from outside the TOE, which is permissible so long as the TSF is solely responsible for enforcing the configured behavior. However, it is allowable for the TSF to rely on low-level platform-provided networking functions to implement the SPD from the client (e.g., enforcement of packet routing decisions).
Tests
As a prerequisite for performing the Test EAs for the individual FCS_IPSEC_EXT.1 elements below, the evaluator shall do the following: The evaluator shall minimally create a test environment equivalent to the test environment illustrated below. The traffic generator used to construct network packets should provide the evaluator with the ability to manipulate fields in the ICMP, IPv4, IPv6, UDP, and TCP packet headers. The evaluator shall provide justification for any differences in the test environment.
Figure 2: IPsec Test Environment
Note that the evaluator shall perform all tests using the Virtualization System and a representative sample of platforms listed in the ST (for TOEs that claim to support multiple platforms).
FCS_IPSEC_EXT.1.1
TSS
The evaluator shall examine the TSS and determine that it describes how the IPsec capabilities are implemented. The evaluator shall ensure that the TSS describes at a high level the architectural relationship between the IPsec implementation and the rest of the TOE (e.g., is the IPsec implementation an integrated part of the VS or is it a standalone executable that is bundled into the VS). The evaluator shall ensure that the TSS describes how the SPD is implemented and the rules for processing both inbound and outbound packets in terms of the IPsec policy. The TSS describes the rules that are available and the resulting actions available after matching a rule. The TSS describes how the available rules and actions form the SPD using terms defined in RFC 4301 such as BYPASS (e.g., no encryption), DISCARD (e.g., drop the packet), and PROTECT (e.g., encrypt the packet) actions defined in RFC 4301. As noted in section 4.4.1 of RFC 4301, the processing of entries in the SPD is non-trivial and the evaluator shall determine that the description in the TSS is sufficient to determine which rules will be applied given the rule structure implemented by the TOE. For example, if the TOE allows specification of ranges, conditional rules, etc., the evaluator shall determine that the description of rule processing (for both inbound and outbound packets) is sufficient to determine the action that will be applied, especially in the case where two different rules may apply. This description shall cover both the initial packets (that is, no SA is established on the interface or for that particular packet) as well as packets that are part of an established SA.
Guidance
The evaluator shall examine the operational guidance to verify it instructs the Administrator how to construct entries into the SPD that specify a rule for processing a packet. The description includes all three cases – a rule that ensures packets are encrypted/decrypted, dropped, and flow through the TOE without being encrypted. The evaluator shall determine that the description in the operational guidance is consistent with the description in the TSS, and that the level of detail in the operational guidance is sufficient to allow the administrator to set up the SPD in an unambiguous fashion. This includes a discussion of how ordering of rules impacts the processing of an IP packet.
Tests
The evaluator uses the operational guidance to configure the TOE to carry out the following tests:
Test 1: The evaluator shall configure the SPD such that there is a rule for dropping a packet, encrypting a packet, and allowing a packet to flow in plaintext. The selectors used in the construction of the rule shall be different such that the evaluator can generate a packet and send packets to the gateway with the appropriate fields (fields that are used by the rule, e.g., the IP addresses, TCP/UDP ports) in the packet header. The evaluator performs both positive and negative test cases for each type of rule (e.g., a packet that matches the rule and another that does not match the rule). The evaluator observes via the audit trail and packet captures that the TOE exhibited the expected behavior: appropriate packets were dropped, allowed to flow without modification, or encrypted by the IPsec implementation.
Test 2: The evaluator shall devise several tests that cover a variety of scenarios for packet processing. As with Test 1, the evaluator ensures both positive and negative test cases are constructed. These scenarios shall exercise the range of possibilities for SPD entries and processing modes as outlined in the TSS and operational guidance. Potential areas to cover include rules with overlapping ranges and conflicting entries, inbound and outbound packets, and packets that establish SAs as well as packets that belong to established SAs. The evaluator shall verify, via the audit trail and packet captures, for each scenario that the expected behavior is exhibited, and is consistent with both the TSS and the operational guidance.
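Added example (not part of the PP): an ordered, first-match SPD with the RFC 4301 actions, a TOE-created final DISCARD entry and a toy SA database, showing how entry order resolves the overlapping entries Test 2 asks about and how an initial packet differs from one on an established SA. The Packet and Rule models and the sample policy are constructed for this example.

```python
# Added example (not part of the PP): an ordered, first-match SPD of the kind the TSS is asked to
# describe, with the RFC 4301 actions BYPASS, DISCARD and PROTECT and a TOE-created final DISCARD.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0            # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str               # "BYPASS", "DISCARD" or "PROTECT"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"    # CIDR selectors; an IPv6 rule would use "::/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)  # inclusive destination-port range

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                # membership is False across IP versions, so v6 packets never match v4 selectors
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= pkt.dport <= self.dports[1])


class SPD:
    """Entries are searched in order and the first match wins; that is how overlapping or
    conflicting entries are resolved. Packets matching nothing hit the implicit final DISCARD."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sas = set()      # (src, dst, dport) flows with an established SA (toy SA database)

    def lookup(self, pkt):
        """Return (action, index of the matching entry); index None means the final DISCARD."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, index
        return "DISCARD", None

    def process(self, pkt):
        """What the TOE does with the packet: 'bypass', 'discard', 'initiate-ike' for the first
        PROTECT packet of a flow without an SA, or 'protect' once the SA exists."""
        action, _ = self.lookup(pkt)
        if action != "PROTECT":
            return action.lower()
        flow = (pkt.src, pkt.dst, pkt.dport)
        if flow in self.sas:
            return "protect"
        self.sas.add(flow)    # stand-in for the IKE exchange that establishes the SA
        return "initiate-ike"


# Constructed policy: protect everything outbound to 10.0.0.0/8, but entry 1 would let DNS to
# 10.0.1.0/24 through in the clear. Entries 0 and 1 overlap, so their order decides.
SAMPLE_SPD = SPD([
    Rule("PROTECT", "out", dst="10.0.0.0/8"),
    Rule("BYPASS", "out", "udp", dst="10.0.1.0/24", dports=(53, 53)),
    Rule("DISCARD", "out", "icmp"),
])
```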
FCS_IPSEC_EXT.1.2
TSS
The evaluator checks the TSS to ensure it states that an IPsec VPN can be established to operate in tunnel mode or transport mode (as selected).
Guidance
The evaluator shall confirm that the operational guidance contains instructions on how to configure the connection in each mode selected. If both transport mode and tunnel mode are implemented, the evaluator shall review the operational guidance to determine how the use of a given mode is specified.
Tests
The evaluator shall perform the following tests based on the selections chosen:
Test 1 (conditional): If tunnel mode is selected, the evaluator uses the operational guidance to configure the TOE/platform to operate in tunnel mode and also configures a VPN peer to operate in tunnel mode. The evaluator configures the TOE/platform and the VPN peer to use any of the allowable cryptographic algorithms, authentication methods, etc. to ensure an allowable SA can be negotiated. The evaluator shall then initiate a connection from the TOE/platform to the VPN peer. The evaluator observes (for example, in the audit trail and the captured packets) that a successful connection was established using the tunnel mode.
Test 2 (conditional): If transport mode is selected, the evaluator uses the operational guidance to configure the TOE/platform to operate in transport mode and also configures a VPN peer to operate in transport mode. The evaluator configures the TOE/platform and the VPN peer to use any of the allowed cryptographic algorithms, authentication methods, etc. to ensure an allowable SA can be negotiated. The evaluator then initiates a connection from the TOE/platform to connect to the VPN peer. The evaluator observes (for example, in the audit trail and the captured packets) that a successful connection was established using the transport mode.
FCS_IPSEC_EXT.1.3
TSS
If both transport mode and tunnel mode are implemented, the evaluator shall review the operational guidance to determine how the use of a given mode is specified.
Guidance
The evaluator shall check that the operational guidance provides instructions on how to construct or acquire the SPD and uses the guidance to configure the TOE for the following test.
Tests
The evaluator shall perform the following test:
Test 1: The evaluator shall configure the SPD such that it has entries that contain operations that DISCARD, PROTECT, and (if applicable) BYPASS network packets. The evaluator may use the SPD that was created for verification of FCS_IPSEC_EXT.1.1. The evaluator shall construct a network packet that matches a BYPASS entry and send that packet. The evaluator should observe that the network packet is passed to the proper destination interface with no modification. The evaluator shall then modify a field in the packet header such that it no longer matches the evaluator-created entries (there may be a “TOE-created” final entry that discards packets that do not match any previous entries). The evaluator sends the packet, and observes that the packet was not permitted to flow to any of the TOE’s interfaces.
FCS_IPSEC_EXT.1.4
TSS
The evaluator shall examine the TSS to verify that the algorithms AES-GCM-128 and AES-GCM-256 are implemented. If the ST author has selected either AES-CBC-128 or AES-CBC-256 in the requirement, then the evaluator verifies the TSS describes these as well. In addition, the evaluator ensures that the SHA-based HMAC algorithm conforms to the algorithms specified in FCS_COP.1/KeyedHash Cryptographic Operations (Keyed Hash Algorithms).
Guidance
The evaluator checks the operational guidance to ensure it provides instructions on how the TOE is configured to use the algorithms selected in this component and whether this is performed through direct configuration, defined during initial installation, or defined by acquiring configuration settings from an environmental component.
Tests
Test 1: The evaluator shall configure the TOE/platform as indicated in the operational guidance, configuring the TOE/platform to use each of the supported algorithms, attempt to establish a connection using ESP, and verify that the attempt succeeds.
FCS_IPSEC_EXT.1.5
TSS
The evaluator shall examine the TSS to verify that IKEv1 or IKEv2 (as selected) are implemented. If IKEv1 is implemented, the evaluator shall verify that the TSS indicates whether or not XAUTH is supported, and that aggressive mode is not used for IKEv1 Phase 1 exchanges (i.e. only main mode is used). It may be that these are configurable options.
Guidance
The evaluator shall check the operational guidance to ensure it instructs the administrator how to configure the TOE to use IKEv1 or IKEv2 (as selected), and uses the guidance to configure the TOE to perform NAT traversal for the test below. If XAUTH is implemented, the evaluator shall verify that the operational guidance provides instructions on how it is enabled or disabled. If the TOE supports IKEv1, the evaluator shall verify that the operational guidance either asserts that only main mode is used for Phase 1 exchanges, or provides instructions for disabling aggressive mode.
Tests
Tests are performed in conjunction with the other IPsec evaluation activities with the exception of the activities below:
Test 1: The evaluator shall configure the TOE so that it will perform NAT traversal processing as described in the TSS and RFC 7296, section 2.23. The evaluator shall initiate an IPsec connection and determine that the NAT is successfully traversed. If the TOE supports IKEv1 with or without XAUTH, the evaluator shall verify that this test can be successfully repeated with XAUTH enabled and disabled in the manner specified by the operational guidance. If the TOE only supports IKEv1 with XAUTH, the evaluator shall verify that connections not using XAUTH are unsuccessful. If the TOE only supports IKEv1 without XAUTH, the evaluator shall verify that connections using XAUTH are unsuccessful.
Test 2 (conditional): If the TOE supports IKEv1, the evaluator shall perform any applicable operational guidance steps to disable the use of aggressive mode and then attempt to establish a connection using an IKEv1 Phase 1 connection in aggressive mode. This attempt should fail. The evaluator shall show that the TOE will reject a VPN gateway from initiating an IKEv1 Phase 1 connection in aggressive mode. The evaluator should then show that main mode exchanges are supported.
FCS_IPSEC_EXT.1.6
TSS
The evaluator shall ensure the TSS identifies the algorithms used for encrypting the IKEv1 or IKEv2 payload, and that the algorithms AES-CBC-128, AES-CBC-256 are specified, and if others are chosen in the selection of the requirement, those are included in the TSS discussion.
Guidance
The evaluator checks the operational guidance to ensure it provides instructions on how the TOE is configured to use the algorithms selected in this component and whether this is performed through direct configuration, defined during initial installation, or defined by acquiring configuration settings from an environmental component.
Tests
The evaluator shall use the operational guidance to configure the TOE (or to configure the Operational Environment to have the TOE receive configuration) to perform the following test for each ciphersuite selected:
Test 1: The evaluator shall configure the TOE to use the ciphersuite under test to encrypt the IKEv1 or IKEv2 payload and establish a connection with a peer device, which is configured to only accept the payload encrypted using the indicated ciphersuite. The evaluator will confirm the algorithm was that used in the negotiation. The evaluator will confirm that the connection is successful by confirming that data can be passed through the connection once it is established. For example, the evaluator may connect to a web page on the remote network and verify that it can be reached.
FCS_IPSEC_EXT.1.7
TSS
There are no TSS EAs for this requirement.
Guidance
The evaluator shall check the operational guidance to ensure it provides instructions on how the TOE configures the values for SA lifetimes. In addition, the evaluator shall check that the guidance has the option for either the Administrator or VPN Gateway to configure Phase 1 SAs if time-based limits are supported. Currently there are no values mandated for the number of packets or number of bytes; the evaluator shall simply check the operational guidance to ensure that this can be configured if selected in the requirement.
Tests
When testing this functionality, the evaluator needs to ensure that both sides are configured appropriately. From the RFC: “A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes were negotiated. In IKEv2, each end of the SA is responsible for enforcing its own lifetime policy on the SA and rekeying the SA when necessary. If the two ends have different lifetime policies, the end with the shorter lifetime will end up always being the one to request the rekeying. If the two ends have the same lifetime policies, it is possible that both will initiate a rekeying at the same time (which will result in redundant SAs). To reduce the probability of this happening, the timing of rekeying requests SHOULD be jittered.” Each of the following tests shall be performed for each version of IKE selected in the FCS_IPSEC_EXT.1.5 protocol selection:
Test 1 (conditional): The evaluator shall configure a maximum lifetime in terms of the # of packets (or bytes) allowed following the operational guidance. The evaluator shall establish an SA and determine that once the allowed # of packets (or bytes) through this SA is exceeded, the connection is closed.
Test 2 (conditional): The evaluator shall construct a test where a Phase 1 SA is established and attempted to be maintained for more than 24 hours before it is renegotiated. The evaluator shall observe that this SA is closed or renegotiated in 24 hours or less. If such an action requires that the TOE be configured in a specific way, the evaluator shall implement tests demonstrating that the configuration capability of the TOE works as documented in the operational guidance.
Test 3 (conditional): The evaluator shall perform a test similar to Test 2 for Phase 2 SAs, except that the lifetime will be 8 hours or less instead of 24 hours or less.
Test 4 (conditional): If a fixed limit for IKEv1 SAs is supported, the evaluator shall establish an SA and observe that the connection is closed after the fixed traffic or time value is reached.
FCS_IPSEC_EXT.1.8
TSS
The evaluator shall check to ensure that the DH groups specified in the requirement are listed as being supported in the TSS. If there is more than one DH group supported, the evaluator checks to ensure the TSS describes how a particular DH group is specified/negotiated with a peer.
Guidance
There are no AGD EAs for this requirement.
Tests
The evaluator shall perform the following test:
Test 1: For each supported DH group, the evaluator shall test to ensure that all supported IKE protocols can be successfully completed using that particular DH group.
FCS_IPSEC_EXT.1.9
TSS
The evaluator shall check to ensure that, for each DH group supported, the TSS describes the process for generating “x” (as defined in FCS_IPSEC_EXT.1.9) and each nonce. The evaluator shall verify that the TSS indicates that the random number generator that meets the requirements in this EP is used, and that the length of “x” and the nonces meet the stipulations in the requirement.
Guidance
There are no AGD EAs for this requirement.
Tests
There are no test EAs for this requirement.
FCS_IPSEC_EXT.1.10
EAs for this element are tested through EAs for FCS_IPSEC_EXT.1.9.
FCS_IPSEC_EXT.1.11
TSS
The evaluator ensures that the TSS identifies RSA or ECDSA as being used to perform peer authentication. If pre-shared keys are chosen in the selection, the evaluator shall check to ensure that the TSS describes how pre-shared keys are established and used in authentication of IPsec connections. The description in the TSS shall also indicate how pre-shared key establishment is accomplished depending on whether the TSF can generate a pre-shared key, accept a pre-shared key, or both. The evaluator shall ensure that the TSS describes how the TOE compares the peer’s presented identifier to the reference identifier. This description shall include whether the certificate presented identifier is compared to the ID payload presented identifier, which fields of the certificate are used as the presented identifier (DN, Common Name, or SAN) and, if multiple fields are supported, the logical order of comparison. If the ST author assigned an additional identifier type, the TSS description shall also include a description of that type and the method by which that type is compared to the peer’s presented certificate.
Guidance
The evaluator shall check that the operational guidance describes how pre-shared keys are to be generated and established. The evaluator ensures the operational guidance describes how to set up the TOE to use the cryptographic algorithms RSA or ECDSA (as selected). In order to construct the environment and configure the TOE for the following tests, the evaluator will ensure that the operational guidance also describes how to configure the TOE to connect to a trusted CA, and ensure a valid certificate for that CA is loaded into the TOE as a trusted CA. The evaluator shall also ensure that the operational guidance includes the configuration of the reference identifiers for the peer.
Tests
For efficiency’s sake, the testing that is performed here has been combined with the testing for FIA_X509_EXT.2 and FIA_X509_EXT.3 (for IPsec connections and depending on the Base-PP), FCS_IPSEC_EXT.1.12, and FCS_IPSEC_EXT.1.13. The following tests shall be repeated for each peer authentication protocol selected in the FCS_IPSEC_EXT.1.11 selection above:
Test 1: The evaluator shall have the TOE generate a public-private key pair, and submit a CSR (Certificate Signing Request) to a CA (trusted by both the TOE and the peer VPN used to establish a connection) for its signature. The values for the DN (Common Name, Organization, Organizational Unit, and Country) will also be passed in the request. Alternatively, the evaluator may import to the TOE a previously generated private key and corresponding certificate.
Test 2: The evaluator shall configure the TOE to use a private key and associated certificate signed by a trusted CA and shall establish an IPsec connection with the peer.
Test 3: The evaluator shall test that the TOE can properly handle revoked certificates – conditional on whether CRL or OCSP is selected; if both are selected, then a test is performed for each method. For this current version of the PP-Module, the evaluator has to only test one up in the trust chain (future drafts may require to ensure the validation is done up the entire chain). The evaluator shall ensure that a valid certificate is used, and that the SA is established. The evaluator then attempts the test with a certificate that will be revoked (for each method chosen in the selection) to ensure when the certificate is no longer valid that the TOE will not establish an SA.
Test 4 (conditional): The evaluator shall generate a pre-shared key and use it, as indicated in the operational guidance, to establish an IPsec connection with the VPN GW peer. If the generation of the pre-shared key is supported, the evaluator shall ensure that establishment of the key is carried out for an instance of the TOE generating the key as well as an instance of the TOE merely taking in and using the key.
For each supported identifier type (excluding DNs), the evaluator shall repeat the following tests:
Test 5: For each field of the certificate supported for comparison, the evaluator shall configure the peer’s reference identifier on the TOE (per the administrative guidance) to match the field in the peer’s presented certificate and shall verify that the IKE authentication succeeds.
Test 6: For each field of the certificate supported for comparison, the evaluator shall configure the peer’s reference identifier on the TOE (per the administrative guidance) to not match the field in the peer’s presented certificate and shall verify that the IKE authentication fails.
The following tests are conditional:
Test 7 (conditional): If, according to the TSS, the TOE supports both Common Name and SAN certificate fields and uses the preferred logic outlined in the Application Note, the tests above with the Common Name field shall be performed using peer certificates with no SAN extension. Additionally, the evaluator shall configure the peer’s reference identifier on the TOE to not match the SAN in the peer’s presented certificate but to match the Common Name in the peer’s presented certificate, and verify that the IKE authentication fails.
Test 8 (conditional): If the TOE supports DN identifier types, the evaluator shall configure the peer's reference identifier on the TOE (per the administrative guidance) to match the subject DN in the peer's presented certificate and shall verify that the IKE authentication succeeds. To demonstrate a bit-wise comparison of the DN, the evaluator shall change a single bit in the DN (preferably, in an Object Identifier (OID) in the DN) and verify that the IKE authentication fails. To demonstrate a comparison of DN values, the evaluator shall change any one of the four DN values and verify that the IKE authentication fails.
Test 9 (conditional): If the TOE supports both IPv4 and IPv6 and supports IP address identifier types, the evaluator must repeat tests 1 and 2 with both IPv4 address identifiers and IPv6 identifiers. Additionally, the evaluator shall verify that the TOE verifies that the IP header matches the identifiers by setting the presented identifiers and the reference identifier with the same IP address that differs from the actual IP address of the peer in the IP headers and verifying that the IKE authentication fails.
Test 10 (conditional): If, according to the TSS, the TOE performs comparisons between the peer’s ID payload and the peer’s certificate, the evaluator shall repeat the following test for each combination of supported identifier types and supported certificate fields (as above). The evaluator shall configure the peer to present a different ID payload than the field in the peer’s presented certificate and verify that the TOE fails to authenticate the IKE peer.
FCS_IPSEC_EXT.1.12
EAs for this element are tested through EAs for FCS_IPSEC_EXT.1.11.
FCS_IPSEC_EXT.1.13
EAs for this element are tested through EAs for FCS_IPSEC_EXT.1.11.
FCS_IPSEC_EXT.1.14
TSS
The evaluator shall check that the TSS describes the potential strengths (in terms of the number of bits in the symmetric key) of the algorithms that are allowed for the IKE and ESP exchanges. The TSS shall also describe the checks that are done when negotiating IKEv1 Phase 2 and IKEv2 CHILD_SA suites to ensure that the strength (in terms of the number of bits of key in the symmetric algorithm) of the negotiated algorithm is less than or equal to that of the IKE SA that is protecting the negotiation.
Guidance
There are no AGD EAs for this requirement.
Tests
The evaluator follows the guidance to configure the TOE to perform the following tests:
Test 1: This test shall be performed for each version of IKE supported. The evaluator shall successfully negotiate an IPsec connection using each of the supported algorithms and hash functions identified in the requirements.
Test 2 (conditional): This test shall be performed for each version of IKE supported. The evaluator shall attempt to establish an SA for ESP that selects an encryption algorithm with more strength than that being used for the IKE SA (i.e., symmetric algorithm with a key size larger than that being used for the IKE SA). Such attempts should fail.
Test 3: This test shall be performed for each version of IKE supported. The evaluator shall attempt to establish an IKE SA using an algorithm that is not one of the supported algorithms and hash functions identified in the requirements. Such an attempt should fail.
Test 4: This test shall be performed for each version of IKE supported. The evaluator shall attempt to establish an SA for ESP (assumes the proper parameters were used to establish the IKE SA) that selects an encryption algorithm that is not identified in FCS_IPSEC_EXT.1.4. Such an attempt should fail.
B.3 Identification and Authentication (FIA)
FIA_PMG_EXT.1 Password Management
The inclusion of this selection-based component depends upon a selection in FIA_UAU.5.1.
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for administrative passwords:
a. Passwords shall be able to be composed of any combination of upper and lower case characters, digits, and the following special characters: [selection: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”, [assignment: other characters]]
b. Minimum password length shall be configurable
c. Passwords of at least 15 characters in length shall be supported
Application Note: This SFR is included in the ST if the ST Author selects ‘authentication based on username and password’ in FIA_UAU.5.1.
The ST author selects the special characters that are supported by the TOE; they may optionally list additional special characters supported using the assignment. “Administrative passwords” refers to passwords used by administrators to gain access to the Management Subsystem.
Evaluation Activities
FIA_PMG_EXT.1
Guidance
The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators in the composition of strong passwords, and that it provides instructions on setting the minimum password length.
Tests
The evaluator shall also perform the following test.
Test 1: The evaluator shall compose passwords that either meet the requirements, or fail to meet the requirements, in some way. For each password, the evaluator shall verify that the TOE supports the password. While the evaluator is not required (nor is it feasible) to test all possible combinations of passwords, the evaluator shall ensure that all characters, rule characteristics, and a minimum length listed in the requirement are supported, and justify the subset of those characters chosen for testing.
FIA_X509_EXT.1X.509CertificateValidation
The inclusion of this selection-based component depends upon a selection in FIA_UAU.5.1, FPT_TUD_EXT.1.3, FTP_ITC_EXT.1.1.

FIA_X509_EXT.1.1 The TSF shall validate certificates in accordance with the following rules:
- RFC 5280 certificate validation and certificate path validation.
- The certificate path must terminate with a trusted certificate.
- The TOE shall validate a certificate path by ensuring the presence of the basicConstraints extension, that the CA flag is set to TRUE for all CA certificates, and that any path constraints are met.
- The TSF shall validate that any CA certificate includes the caSigning purpose (the keyCertSign bit of the RFC 5280 keyUsage extension) in the key usage field.
- The TSF shall validate revocation status of the certificate using [selection: OCSP as specified in RFC 6960, a CRL as specified in RFC 5759, an OCSP TLS Status Request Extension (OCSP stapling) as specified in RFC 6066, OCSP TLS Multi-Certificate Status Request Extension (i.e., OCSP Multi-Stapling) as specified in RFC 6961].
- The TSF shall validate the extendedKeyUsage field according to the following rules:
  - Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.
  - Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.
  - Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the EKU field.
  - OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the EKU field.

Application Note: This SFR must be included in the ST if the selection for FPT_TUD_EXT.1.3 is "digital signature mechanism," if "certificate-based authentication of the remote peer" is selected in FTP_ITC_EXT.1.1, or if "authentication based on X.509 certificates" is selected in FIA_UAU.5.1.

FIA_X509_EXT.1.1 lists the rules for validating certificates. The ST author shall select whether revocation status is verified using OCSP or CRLs. FIA_X509_EXT.2 requires that certificates are used for IPsec; this use requires that the extendedKeyUsage rules are verified. Certificates may optionally be used for SSH, TLS, and HTTPS and, if implemented, must be validated to contain the corresponding extendedKeyUsage.

OCSP stapling and OCSP multi-stapling support only TLS server certificate validation. If other certificate types are validated, either OCSP or CRL must be claimed. If OCSP is not supported, the EKU provision for checking the OCSP Signing purpose is met by default.

Regardless of the selection of TSF or TOE platform, the validation must result in a trusted root CA certificate in a root store managed by the platform.

OCSP responses are signed using either the certificate's issuer's CA certificate or an OCSP certificate issued to an OCSP responder delegated by that issuer to sign OCSP responses. A compliant TOE is able to validate OCSP responses in either case, but the OCSP signing extended key usage purpose is only required to be checked in OCSP certificates.

FIA_X509_EXT.1.2 The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.

Application Note: This requirement applies to certificates that are used and processed by the TSF and restricts the certificates that may be added as trusted CA certificates.
Evaluation Activities

FIA_X509_EXT.1
TSS
The evaluator shall ensure the TSS describes where the check of validity of the certificates takes place. The evaluator ensures the TSS also provides a description of the certificate path validation algorithm.

The evaluator shall examine the TSS to confirm that it describes the behavior of the TOE when a connection cannot be established during the validity check of a certificate used in establishing a trusted channel. If the requirement states that the administrator is able to specify the default action, then the evaluator shall ensure that the operational guidance contains instructions on how this configuration action is performed.

Tests
The tests described must be performed in conjunction with the other Certificate Services evaluation activities, including the uses listed in FIA_X509_EXT.2.1. The tests for the extendedKeyUsage rules are performed in conjunction with the uses that require those rules.

Test 1: The evaluator shall demonstrate that validating a certificate without a valid certification path results in the function failing, for each of the following reasons, in turn:
- by establishing a certificate path in which one of the issuing certificates is not a CA certificate,
- by omitting the basicConstraints field in one of the issuing certificates,
- by setting the basicConstraints field in an issuing certificate to have CA=False,
- by omitting the CA signing bit of the key usage field in an issuing certificate, and
- by setting the path length field of a valid CA field to a value strictly less than the certificate path.
The evaluator shall then establish a valid certificate path consisting of valid CA certificates, and demonstrate that the function succeeds. The evaluator shall then remove trust in one of the CA certificates, and show that the function fails.

Test 2: The evaluator shall demonstrate that validating an expired certificate results in the function failing.

Test 3: The evaluator shall test that the TOE can properly handle revoked certificates, conditional on whether CRL, OCSP, OCSP stapling, or OCSP multi-stapling is selected; if multiple methods are selected, then a test is performed for each method. The evaluator has to only test one up in the trust chain (future revisions may require ensuring that the validation is done up the entire chain). The evaluator shall ensure that a valid certificate is used, and that the validation function succeeds. The evaluator shall then attempt the test with a certificate that will be revoked (for each method chosen in the selection) and verify that the validation function fails.

Test 4: If any OCSP option is selected, the evaluator shall present a delegated OCSP certificate that does not have the OCSP signing purpose and verify that validation of the OCSP response fails. If CRL is selected, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLsign key usage bit set and verify that validation of the CRL fails.

Test 5: (Conditional on support for EC certificates as indicated in FCS_COP.1/SIG.) The evaluator shall establish a valid, trusted certificate chain consisting of an EC leaf certificate, an EC Intermediate CA certificate not designated as a trust anchor, and an EC certificate designated as a trusted anchor, where the elliptic curve parameters are specified as a named curve. The evaluator shall confirm that the TOE validates the certificate chain.

Test 6: (Conditional on support for EC certificates as indicated in FCS_COP.1/SIG.) The evaluator shall replace the intermediate certificate in the certificate chain for Test 5 with a modified certificate, in which the public key information field of the intermediate CA carries the same elliptic curve parameters as the intermediate CA certificate from Test 5 but encoded in explicit (rather than named-curve) format, and which is signed by the trusted EC root CA, with no other changes. The evaluator shall confirm the TOE treats the certificate as invalid.
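The path rules in FIA_X509_EXT.1.1 and the Test 1 defects the evaluator must provoke can be exercised offline. The Go program below is an added example written for this page, not code from the PP, from NIAP or from any evaluated product: it builds a constructed root / intermediate / leaf hierarchy in memory with crypto/x509 and validates the leaf as a TLS server certificate under each defect. Go's verifier already enforces the trusted root, basicConstraints CA=TRUE on every issuer, pathLenConstraint, the validity period and the signatures; the example adds the two checks the PP also calls for that Go leaves to the caller (the leaf must itself carry the required extendedKeyUsage, and every issuer must assert keyCertSign). Revocation status (OCSP, CRL, stapling) needs a responder and is not modelled, and the expired-certificate case of Test 2 is left to the NotAfter handling already inside Verify. The type and function names, the subject names and the serial-number scheme are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now, serial = time.Now(), int64(0)

type spec struct { // one certificate of a constructed hierarchy; the field names are this example's own
	name                         string
	isCA, omitBasic, pathLenZero bool // omitBasic drops basicConstraints entirely; pathLenZero sets pathLenConstraint=0
	keyUsage                     x509.KeyUsage
	eku                          []x509.ExtKeyUsage
}

// must turns key-generation and encoding failures, which are not the rules under test, into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 certificate for s signed by signer (nil = self-signed), valid for one day.
func issue(s spec, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: s.name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: s.keyUsage,
		ExtKeyUsage: s.eku, BasicConstraintsValid: !s.omitBasic, IsCA: s.isCA, MaxPathLenZero: s.pathLenZero}
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// validateChain applies the FIA_X509_EXT.1.1 path rules to leaf. crypto/x509 enforces the trusted
// root, basicConstraints CA=TRUE on issuers, pathLenConstraint, validity period, signatures and the
// EKU match; added here are the two checks it leaves to the caller: the leaf must carry an EKU at
// all (Go treats a missing EKU as "any"), and every issuer must assert keyCertSign.
func validateChain(leaf, inter *x509.Certificate, roots *x509.CertPool, eku x509.ExtKeyUsage) error {
	if len(leaf.ExtKeyUsage) == 0 {
		return fmt.Errorf("leaf %q carries no extendedKeyUsage", leaf.Subject.CommonName)
	}
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{eku}})
	if err != nil {
		return err
	}
	for _, c := range chains[0][1:] { // every issuer on the accepted path
		if c.KeyUsage&x509.KeyUsageCertSign == 0 {
			return fmt.Errorf("CA certificate %q lacks keyCertSign", c.Subject.CommonName)
		}
	}
	return nil
}

// Results validates a TLS server certificate over the good path and over each Test 1 defect
// plus an EKU mismatch; only "valid path" should come back nil.
func Results() map[string]error {
	ca := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	good := [3]spec{
		{name: "Root CA", isCA: true, keyUsage: ca},
		{name: "Intermediate CA", isCA: true, keyUsage: ca},
		{name: "vs.example.test", keyUsage: x509.KeyUsageDigitalSignature, eku: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	}
	cases := map[string]func(s *[3]spec){
		"valid path":                             func(s *[3]spec) {},
		"root not trusted":                       func(s *[3]spec) {},
		"issuer has CA=FALSE":                    func(s *[3]spec) { s[1].isCA = false },
		"issuer lacks basicConstraints":          func(s *[3]spec) { s[1].omitBasic = true },
		"issuer lacks keyCertSign":               func(s *[3]spec) { s[1].keyUsage = x509.KeyUsageDigitalSignature },
		"pathLenConstraint shorter than path":    func(s *[3]spec) { s[0].pathLenZero = true },
		"leaf EKU is clientAuth, not serverAuth": func(s *[3]spec) { s[2].eku = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} },
	}
	res := map[string]error{}
	for name, mutate := range cases {
		s := good // arrays copy by value, so every case starts from the good hierarchy
		mutate(&s)
		root, rootKey := issue(s[0], nil, nil)
		inter, interKey := issue(s[1], root, rootKey)
		leaf, _ := issue(s[2], inter, interKey)
		roots := x509.NewCertPool() // stays empty when the TOE holds no trust anchor for the path
		if name != "root not trusted" {
			roots.AddCert(root)
		}
		res[name] = validateChain(leaf, inter, roots, x509.ExtKeyUsageServerAuth)
	}
	return res
}

func main() { fmt.Println(Results()) }
```

The same harness serves FIA_X509_EXT.2 Test 1: the "root not trusted" case is the function failing because the certificate needed to complete the path has been removed, and the EKU case is the per-use rule being checked together with the use that requires it.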
FIA_X509_EXT.2 X.509 Certificate Authentication

The inclusion of this selection-based component depends upon a selection in FIA_UAU.5.1, FPT_TUD_EXT.1.3, FTP_ITC_EXT.1.1.

FIA_X509_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection: IPsec, TLS, HTTPS, SSH, code signing for system software updates, [assignment: other uses]].

Application Note: This SFR must be included in the ST if the selection for FPT_TUD_EXT.1.3 is "digital signature mechanism," if "certificate-based authentication of the remote peer" is selected in FTP_ITC_EXT.1, or if "authentication based on X.509 certificates" is selected in FIA_UAU.5.1.

This SFR must also be included in the ST if X.509 certificate-based authentication is used for "other uses" as listed in the assignment in FIA_X509_EXT.2.1.

Validation Guidelines:
Rule #9: If the SSH Package is included in the ST then "AES-CTR (as defined in NIST SP 800-38A) mode," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
Rule #14: If digital signature mechanism using certificates is selected in FPT_TUD_EXT.1.3 then code signing for system software updates must be selected in FIA_X509_EXT.2.1.
Rule #15: If "certificate-based authentication of the remote peer" and "TLS as conforming to the Functional Package for Transport Layer Security" are selected in FTP_ITC_EXT.1.1 then "TLS" must be selected in FIA_X509_EXT.2.1.
Rule #16: If "certificate-based authentication of the remote peer" and "TLS/HTTPS as conforming to FCS_HTTPS_EXT.1" are selected in FTP_ITC_EXT.1.1 then "HTTPS" must be selected in FIA_X509_EXT.2.1.
Rule #17: If "certificate-based authentication of the remote peer" and "IPsec as conforming to FCS_IPSEC_EXT.1" are selected in FTP_ITC_EXT.1.1 then "IPsec" must be selected in FIA_X509_EXT.2.1.
Rule #18: If "certificate-based authentication of the remote peer" and "SSH as conforming to the Functional Package for Secure Shell" are selected in FTP_ITC_EXT.1.1 then "SSH" must be selected in FIA_X509_EXT.2.1.

FIA_X509_EXT.2.2 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [selection: allow the administrator to choose whether to accept the certificate in these cases, accept the certificate, not accept the certificate].

Application Note: Often a connection must be established to check the revocation status of a certificate, either to download a CRL or to perform a lookup using OCSP. The selection is used to describe the behavior in the event that such a connection cannot be established (for example, due to a network error). If the TOE has determined the certificate valid according to all other rules in FIA_X509_EXT.1, the behavior indicated in the selection shall determine the validity. The TOE must not accept the certificate if it fails any of the other validation rules in FIA_X509_EXT.1. If the administrator-configured option is selected by the ST Author, the ST Author must ensure that this is also defined as a management function that is provided by the TOE.

Validation Guidelines:
Rule #13: If "allow the administrator to choose whether to accept the certificate in these cases" is selected then "Ability to configure action taken if unable to determine the validity of a certificate" in the Client or Server module management function table must also be selected.

Evaluation Activities

FIA_X509_EXT.2
TSS
The evaluator shall check the TSS to ensure that it describes how the TOE chooses which certificates to use, and any necessary instructions in the administrative guidance for configuring the operating environment so that the TOE can use the certificates. The evaluator shall examine the TSS to confirm that it describes the behavior of the TOE when a connection cannot be established during the validity check of a certificate used in establishing a trusted channel. If the requirement states that the administrator specifies the default action, then the evaluator shall ensure that the operational guidance contains instructions on how this configuration action is performed.

Tests
The evaluator shall perform Test 1 for each function listed in FIA_X509_EXT.2.1 that requires the use of certificates:

Test 1: The evaluator shall demonstrate that using a certificate without a valid certification path results in the function failing. Using the administrative guidance, the evaluator shall then load a certificate or certificates needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the function fails.

Test 2: The evaluator shall demonstrate that using a valid certificate requires that certificate validation checking be performed in at least some part by communicating with a non-TOE IT entity. The evaluator shall then manipulate the environment so that the TOE is unable to verify the validity of the certificate, and observe that the action selected in FIA_X509_EXT.2.2 is performed. If the selected action is administrator-configurable, then the evaluator shall follow the operational guidance to determine that all supported administrator-configurable options behave in their documented manner.
B.4 Protection of the TSF (FPT)

FPT_TUD_EXT.2 Trusted Update Based on Certificates

The inclusion of this selection-based component depends upon a selection in FIA_X509_EXT.2.1, FPT_TUD_EXT.1.3.

FPT_TUD_EXT.2.1 The TSF shall not install an update if the code signing certificate is deemed invalid.

Application Note: Certificates may optionally be used for code signing of system software updates (FPT_TUD_EXT.1.3). This element must be included in the ST if certificates are used for validating updates. If "code signing for system software updates" is selected in FIA_X509_EXT.2.1, FPT_TUD_EXT.2 must be included in the ST.

Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with FIA_X509_EXT.1.

Evaluation Activities

FPT_TUD_EXT.2
Tests
The evaluation activity for this requirement is performed in conjunction with the evaluation activity for FIA_X509_EXT.1 and FIA_X509_EXT.2.
B.5 Trusted Path/Channel (FTP)

FTP_TRP.1 Trusted Path

The inclusion of this selection-based component depends upon a selection in .

FTP_TRP.1.1 The TSF shall use a trusted channel as specified in FTP_ITC_EXT.1 to provide a trusted communication path between itself and [remote] administrators that is logically distinct from other communication paths and provides assured identification of its endpoints and protection of the communicated data from [modification, disclosure].

FTP_TRP.1.2 The TSF shall permit [remote administrators] to initiate communication via the trusted path.

FTP_TRP.1.3 The TSF shall require the use of the trusted path for [[all remote administration actions]].

Application Note: This SFR is included in the ST if "remote" is selected in FMT_MOF_EXT.1.1 of the client or server PP-Module.

Protocols used to implement the remote administration trusted channel must be selected in FTP_ITC_EXT.1.

This requirement ensures that authorized remote administrators initiate all communication with the TOE via a trusted path, and that all communications with the TOE by remote administrators are performed over this path. The data passed in this trusted communication channel are encrypted as defined by the protocol chosen in the first selection in FTP_ITC_EXT.1. The ST author chooses the mechanism or mechanisms supported by the TOE, and then ensures that the detailed requirements in Appendix B corresponding to their selection are copied to the ST if not already present.

Evaluation Activities

FTP_TRP.1
TSS
The evaluator shall examine the TSS to determine that the methods of remote TOE administration are indicated, along with how those communications are protected. The evaluator shall also confirm that all protocols listed in the TSS in support of TOE administration are consistent with those specified in the requirement, and are included in the requirements in the ST.

Guidance
The evaluator shall confirm that the operational guidance contains instructions for establishing the remote administrative sessions for each supported method.

Tests
The evaluator shall also perform the following tests:

Test 1: The evaluators shall ensure that communications using each specified (in the operational guidance) remote administration method is tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful.

Test 2: For each method of remote administration supported, the evaluator shall follow the operational guidance to ensure that there is no available interface that can be used by a remote user to establish remote administrative sessions without invoking the trusted path.

Test 3: The evaluator shall ensure, for each method of remote administration, the channel data is not sent in plaintext.

Test 4: The evaluator shall ensure, for each method of remote administration, modification of the channel data is detected by the TOE.

Additional evaluation activities are associated with the specific protocols.
Appendix C - Extended Component Definitions

This appendix contains the definitions for all extended requirements specified in the PP-Module.

C.1 Extended Components Table

All extended components specified in the PP-Module are listed in this table:

Table 8: Extended Component Definitions

Functional Class | Functional Components
Security Audit (FAU) | FAU_STG_EXT Off-Loading of Audit Data
Cryptographic Support (FCS) | FCS_CKM_EXT Cryptographic Key Management; FCS_ENT_EXT Entropy for Virtual Machines; FCS_HTTPS_EXT HTTPS Protocol; FCS_IPSEC_EXT IPsec Protocol; FCS_RBG_EXT Cryptographic Operation (Random Bit Generation)
User Data Protection (FDP) | FDP_HBI_EXT Hardware-Based Isolation Mechanisms; FDP_PPR_EXT Physical Platform Resource Controls; FDP_RIP_EXT Residual Information in Memory; FDP_VMS_EXT VM Separation; FDP_VNC_EXT Virtual Networking Components
Identification and Authentication (FIA) | FIA_AFL_EXT Authentication Failure Handling; FIA_PMG_EXT Password Management; FIA_UIA_EXT Administrator Identification and Authentication; FIA_X509_EXT X.509 Certificate
Security Management (FMT) | FMT_SMO_EXT Separation of Management and Operational Networks
Protection of the TSF (FPT) | FPT_DDI_EXT Device Driver Isolation; FPT_DVD_EXT Non-Existence of Disconnected Virtual Devices; FPT_EEM_EXT Execution Environment Mitigations; FPT_GVI_EXT Guest VM Integrity; FPT_HAS_EXT Hardware Assists; FPT_HCL_EXT Hypercall Controls; FPT_IDV_EXT Software Identification and Versions; FPT_INT_EXT Support for Introspection; FPT_ML_EXT Measured Launch of Platform and VMM; FPT_RDM_EXT Removable Devices and Media; FPT_TUD_EXT Trusted Updates; FPT_VDP_EXT Virtual Device Parameters; FPT_VIV_EXT VMM Isolation from VMs
Trusted Path/Channel (FTP) | FTP_ITC_EXT Trusted Channel Communications; FTP_UIF_EXT User Interface
C.2 Extended Component Definitions

C.2.1 FAU_STG_EXT Off-Loading of Audit Data

Family Behavior
This family defines requirements for the TSF to be able to securely transmit audit data between the TOE and an external IT entity.

Component Leveling
FAU_STG_EXT 1

FAU_STG_EXT.1, Off-Loading of Audit Data, requires the TSF to transmit audit data using a trusted channel to an outside entity and to specify the action to be taken when local audit storage is full.

Management: FAU_STG_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to configure and manage the audit system and audit data, including the ability to configure name/address of audit/logging server to which to send audit/logging records.

Audit: FAU_STG_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Failure of audit data capture due to lack of disk space or pre-defined limit.
b. On failure of logging function, capture record of failure and record upon restart of logging function.

FAU_STG_EXT.1 Off-Loading of Audit Data
Hierarchical to: No other components.
Dependencies to: FAU_GEN.1 Audit Data Generation
FTP_ITC_EXT.1 Trusted Channel Communications

FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an external IT entity using a trusted channel as specified in FTP_ITC_EXT.1.

FAU_STG_EXT.1.2 The TSF shall [selection: drop new audit data, overwrite previous audit records according to the following rule: [assignment: rule for overwriting previous audit records], [assignment: other action]] when the local storage space for audit data is full.
C.2.2 FCS_CKM_EXT Cryptographic Key Management

Family Behavior
This family defines requirements for management of cryptographic keys.

Component Leveling
FCS_CKM_EXT 1

FCS_CKM_EXT.4, Cryptographic Key Destruction, requires the TSF to destroy or make unrecoverable disused keys in volatile and non-volatile memory. Note that component level 4 is used here because of this component's similarity to the CC Part 2 component FCS_CKM.4.

Management: FCS_CKM_EXT.4
No specific management functions are identified.

Audit: FCS_CKM_EXT.4
There are no auditable events foreseen.

FCS_CKM_EXT.4 Cryptographic Key Destruction
Hierarchical to: No other components.
Dependencies to: [FCS_CKM.1 Cryptographic Key Generation, or FCS_CKM.2 Cryptographic Key Distribution]

FCS_CKM_EXT.4.1 The TSF shall cause disused cryptographic keys in volatile memory to be destroyed or rendered unrecoverable.

FCS_CKM_EXT.4.2 The TSF shall cause disused cryptographic keys in non-volatile storage to be destroyed or rendered unrecoverable.

C.2.3 FCS_ENT_EXT Entropy for Virtual Machines

Family Behavior
This family defines requirements for availability of entropy data generated or collected by the TSF.

Component Leveling
FCS_ENT_EXT 1

FCS_ENT_EXT.1, Entropy for Virtual Machines, requires the TSF to provide entropy data to VMs in a specified manner.

Management: FCS_ENT_EXT.1
No specific management functions are identified.

Audit: FCS_ENT_EXT.1
There are no auditable events foreseen.

FCS_ENT_EXT.1 Entropy for Virtual Machines
Hierarchical to: No other components.
Dependencies to: FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)

FCS_ENT_EXT.1.1 The TSF shall provide a mechanism to make available to VMs entropy that meets FCS_RBG_EXT.1 through [selection: Hypercall interface, virtual device interface, passthrough access to hardware entropy source].

FCS_ENT_EXT.1.2 The TSF shall provide independent entropy across multiple VMs.
C.2.4 FCS_HTTPS_EXT HTTPS Protocol

Family Behavior
This family defines requirements for protecting remote management sessions between the TOE and a Security Administrator. This family describes how HTTPS will be implemented.

Component Leveling
FCS_HTTPS_EXT 1

FCS_HTTPS_EXT.1, HTTPS Protocol, defines requirements for the implementation of the HTTPS protocol.

Management: FCS_HTTPS_EXT.1
No specific management functions are identified.

Audit: FCS_HTTPS_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Failure to establish an HTTPS session.
b. Establishment/termination of an HTTPS session.

FCS_HTTPS_EXT.1 HTTPS Protocol
Hierarchical to: No other components.
Dependencies to: [FCS_TLSC_EXT.1 TLS Client Protocol, or FCS_TLSC_EXT.2 TLS Client Protocol with Mutual Authentication, or FCS_TLSS_EXT.1 TLS Server Protocol, or FCS_TLSS_EXT.2 TLS Server Protocol with Mutual Authentication]

FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.

FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS.
C.2.5 FCS_IPSEC_EXT IPsec Protocol

Family Behavior
This family defines requirements for protecting communications using IPsec.

Component Leveling
FCS_IPSEC_EXT 1

FCS_IPSEC_EXT.1, IPsec Protocol, requires that IPsec be implemented as specified.

Management: FCS_IPSEC_EXT.1
No specific management functions are identified.

Audit: FCS_IPSEC_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Failure to establish an IPsec SA.
b. Establishment/Termination of an IPsec SA.

FCS_IPSEC_EXT.1 IPsec Protocol
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.2 Cryptographic Key Establishment
FCS_COP.1 Cryptographic Operation
FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
FIA_X509_EXT.1 X.509 Certificate Validation

FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC 4301.

FCS_IPSEC_EXT.1.2 The TSF shall implement [selection: transport mode, tunnel mode].

FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.

FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms [AES-GCM-128, AES-GCM-256 (as specified in RFC 4106), [selection: AES-CBC-128 (specified in RFC 3602), AES-CBC-256 (specified in RFC 3602), no other algorithms]] together with a Secure Hash Algorithm (SHA)-based HMAC.

FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [selection:
- IKEv1, using Main Mode for Phase 1 exchanges, as defined in RFC 2407, RFC 2408, RFC 2409, RFC 4109, [selection: no other RFCs for extended sequence numbers, RFC 4304 for extended sequence numbers], [selection: no other RFCs for hash functions, RFC 4868 for hash functions], and [selection: support for XAUTH, no support for XAUTH],
- IKEv2 as defined in RFC 7296 (with mandatory support for NAT traversal as specified in section 2.23), RFC 8784, RFC 8247, and [selection: no other RFCs for hash functions, RFC 4868 for hash functions]
].

FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [selection: IKEv1, IKEv2] protocol uses the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 6379 and [selection: AES-GCM-128 as specified in RFC 5282, AES-GCM-256 as specified in RFC 5282, no other algorithm].

FCS_IPSEC_EXT.1.7 The TSF shall ensure that [selection:
- IKEv2 SA lifetimes can be configured by [selection: an Administrator, a VPN Gateway] based on [selection: number of packets/number of bytes, length of time],
- IKEv1 SA lifetimes can be configured by [selection: an Administrator, a VPN Gateway] based on [selection: number of packets/number of bytes, length of time],
- IKEv1 SA lifetimes are fixed based on [selection: number of packets/number of bytes, length of time]. If length of time is used, it must include at least one option that is 24 hours or less for Phase 1 SAs and 8 hours or less for Phase 2 SAs.
].

FCS_IPSEC_EXT.1.8 The TSF shall ensure that all IKE protocols implement DH groups [19 (256-bit Random ECP), 20 (384-bit Random ECP), and [selection: 24 (2048-bit MODP with 256-bit POS), 15 (3072-bit MODP), 14 (2048-bit MODP), no other DH groups]].

FCS_IPSEC_EXT.1.9 The TSF shall generate the secret value x used in the IKE Diffie-Hellman key exchange ("x" in g^x mod p) using the random bit generator specified in FCS_RBG_EXT.1, and having a length of at least [assignment: (one or more) number of bits that is at least twice the "bits of security" value associated with the negotiated Diffie-Hellman group as listed in Table 2 of NIST SP 800-57, Recommendation for Key Management, Part 1: General] bits.

FCS_IPSEC_EXT.1.10 The TSF shall generate nonces used in IKE exchanges in a manner such that the probability that a specific nonce value will be repeated during the life of a specific IPsec SA is less than 1 in 2^[assignment: (one or more) "bits of security" value associated with the negotiated Diffie-Hellman group as listed in Table 2 of NIST SP 800-57, Recommendation for Key Management, Part 1: General].

FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols perform peer authentication using a [selection: RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [selection: Pre-shared Keys, no other method].

FCS_IPSEC_EXT.1.12 The TSF shall not establish an SA if the [[selection: IP address, Fully Qualified Domain Name (FQDN), user FQDN, Distinguished Name (DN)] and [selection: no other reference identifier type, [assignment: other supported reference identifier types]]] contained in a certificate does not match the expected values for the entity attempting to establish a connection.

FCS_IPSEC_EXT.1.13 The TSF shall not establish an SA if the presented identifier does not match the configured reference identifier of the peer.

FCS_IPSEC_EXT.1.14 The [selection: TSF, VPN Gateway] shall be able to ensure by default that the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 1, IKEv2 IKE_SA] connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 2, IKEv2 CHILD_SA] connection.
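The numeric conditions in FCS_IPSEC_EXT.1.3 through 1.14 are easiest to see as a single policy check over a proposed configuration. The Go program below is an added illustration written for this page, not part of the PP and not any product's code: it evaluates a constructed IPsec configuration against rules 1.3, 1.4, 1.6, 1.7, 1.8, 1.9, 1.10 and 1.14, using the SP 800-57 Part 1 Table 2 security strengths of the permitted DH groups to derive the minimum exponent length (twice the strength, rule 1.9) and nonce length (at least the strength in bits, the usual reading of rule 1.10), and comparing the IKE SA and CHILD SA cipher key lengths for rule 1.14. The configuration model (saProposal, spdEntry, ipsecConfig) and the GoodConfig/BadConfig inputs are invented for the example, and rule 1.7 is simplified to "the configured lifetime is within the bound".

```go
package main

import (
	"fmt"
	"time"
)

// Security strength in bits of each DH group FCS_IPSEC_EXT.1.8 permits, from NIST SP 800-57
// Part 1 Table 2: 2048-bit MODP (groups 14 and 24) = 112, 3072-bit MODP (15) = 128,
// P-256 (19) = 128, P-384 (20) = 192.
var dhStrength = map[int]int{14: 112, 15: 128, 19: 128, 20: 192, 24: 112}

// Symmetric key length of every cipher FCS_IPSEC_EXT.1.4 (ESP) and FCS_IPSEC_EXT.1.6 (IKE) allow.
var permittedCiphers = map[string]int{"AES-GCM-128": 128, "AES-GCM-256": 256, "AES-CBC-128": 128, "AES-CBC-256": 256}

// saProposal and the types below are this example's own model of a negotiated SA and of the
// SPD; they are not any product's configuration schema.
type saProposal struct {
	Cipher   string
	DHGroup  int           // IKE SA only
	Lifetime time.Duration // the time-based lifetime an administrator configured
}

type spdEntry struct {
	Selector string // "any" marks the catch-all entry
	Action   string // PROTECT, BYPASS or DISCARD
}

type ipsecConfig struct {
	IKE, Child   saProposal
	DHSecretBits int // length of the exponent x in g^x mod p (FCS_IPSEC_EXT.1.9)
	NonceBits    int // IKE nonce length (FCS_IPSEC_EXT.1.10)
	SPD          []spdEntry
}

// Check returns one finding per FCS_IPSEC_EXT.1 rule the configuration violates.
func Check(cfg ipsecConfig) []string {
	var f []string
	// 1.3: the SPD ends with a nominal entry that matches everything else and discards it.
	if n := len(cfg.SPD); n == 0 || cfg.SPD[n-1].Selector != "any" || cfg.SPD[n-1].Action != "DISCARD" {
		f = append(f, "1.3: SPD must end with a catch-all DISCARD entry")
	}
	espBits, ok := permittedCiphers[cfg.Child.Cipher]
	if !ok {
		f = append(f, "1.4: ESP cipher "+cfg.Child.Cipher+" is not permitted")
	}
	ikeBits, ok := permittedCiphers[cfg.IKE.Cipher]
	if !ok {
		f = append(f, "1.6: IKE cipher "+cfg.IKE.Cipher+" is not permitted")
	}
	// 1.7, simplified to "the configured value is within the bound": 24 hours for the IKE SA
	// (Phase 1) and 8 hours for the CHILD SA (Phase 2).
	if cfg.IKE.Lifetime > 24*time.Hour {
		f = append(f, "1.7: IKE SA lifetime exceeds 24 hours")
	}
	if cfg.Child.Lifetime > 8*time.Hour {
		f = append(f, "1.7: CHILD SA lifetime exceeds 8 hours")
	}
	if strength, ok := dhStrength[cfg.IKE.DHGroup]; !ok {
		f = append(f, fmt.Sprintf("1.8: DH group %d is not permitted", cfg.IKE.DHGroup))
	} else {
		// 1.9: x must be at least twice the group's strength; 1.10: a nonce of at least
		// `strength` bits keeps the repeat probability below 1 in 2^strength.
		if cfg.DHSecretBits < 2*strength {
			f = append(f, fmt.Sprintf("1.9: DH exponent is %d bits, need at least %d", cfg.DHSecretBits, 2*strength))
		}
		if cfg.NonceBits < strength {
			f = append(f, fmt.Sprintf("1.10: nonce is %d bits, need at least %d", cfg.NonceBits, strength))
		}
	}
	// 1.14: the IKE SA must be protected at least as strongly as the CHILD SA it negotiates.
	if ikeBits < espBits {
		f = append(f, fmt.Sprintf("1.14: IKE SA key (%d bits) is weaker than CHILD SA key (%d bits)", ikeBits, espBits))
	}
	return f
}

// GoodConfig is a constructed configuration that satisfies every rule checked above.
func GoodConfig() ipsecConfig {
	return ipsecConfig{
		IKE:          saProposal{Cipher: "AES-GCM-256", DHGroup: 20, Lifetime: 24 * time.Hour},
		Child:        saProposal{Cipher: "AES-GCM-256", Lifetime: 8 * time.Hour},
		DHSecretBits: 384, NonceBits: 256,
		SPD: []spdEntry{{"10.0.0.0/8", "PROTECT"}, {"any", "DISCARD"}},
	}
}

// BadConfig is a constructed configuration that breaks rules 1.3, 1.7, 1.9, 1.10 and 1.14.
func BadConfig() ipsecConfig {
	return ipsecConfig{
		IKE:          saProposal{Cipher: "AES-CBC-128", DHGroup: 14, Lifetime: 48 * time.Hour},
		Child:        saProposal{Cipher: "AES-GCM-256", Lifetime: 8 * time.Hour},
		DHSecretBits: 160, NonceBits: 64,
		SPD: []spdEntry{{"10.0.0.0/8", "PROTECT"}},
	}
}

func main() {
	for _, finding := range Check(BadConfig()) {
		fmt.Println(finding)
	}
}
```

The strength table is the only place where the rules interact: changing the IKE SA to group 14 lowers the required exponent from 384 to 224 bits and the required nonce from 192 to 112 bits, which is why rule 1.9 and rule 1.10 are evaluated inside the group lookup rather than against fixed numbers.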
C.2.6 FCS_RBG_EXT Cryptographic Operation (Random Bit Generation)

Family Behavior
This family defines requirements for random bit/number generation.

Component Leveling
FCS_RBG_EXT 1

FCS_RBG_EXT.1, Cryptographic Operation (Random Bit Generation), requires random bit generation to be performed in accordance with selected standards and seeded by an entropy source.

Management: FCS_RBG_EXT.1
No specific management functions are identified.

Audit: FCS_RBG_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Failure of the randomization process.

FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation

FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance with NIST Special Publication 800-90A using [selection: Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)].

FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by an entropy source that accumulates entropy from [selection: a software-based noise source, a hardware-based noise source] with a minimum of [selection: 128 bits, 192 bits, 256 bits] of entropy at least equal to the greatest security strength, according to NIST SP 800-57, of the keys and hashes that it will generate.
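FCS_RBG_EXT.1 names the DRBG mechanisms and the seeding condition but not how an implementation enforces them. The Go program below is an added example for this page, not the RBG of the PP or of any TOE: it implements HMAC_DRBG from SP 800-90A over SHA-256 (one of the FCS_RBG_EXT.1.1 selections), and its instantiate function refuses a seed that carries fewer bits of entropy than the requested security strength, which is the FCS_RBG_EXT.1.2 condition. The entropy in main comes from the operating system's pool and stands in for the TOE's hardware- or software-based noise source; the caller is trusted to supply full-entropy bytes, since the DRBG cannot measure entropy itself. The type and function names are the example's own and no SP 800-90A known-answer vector is embedded.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const reseedInterval = uint64(1) << 48 // SP 800-90A reseed_interval limit for HMAC_DRBG

// hmacDRBG is HMAC_DRBG (NIST SP 800-90A section 10.1.2) over SHA-256.
type hmacDRBG struct {
	key, v        []byte
	reseedCounter uint64
	strength      int // security strength in bits the instance was seeded for
}

func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// update is HMAC_DRBG_Update (10.1.2.2): it folds provided data into (Key, V).
func (d *hmacDRBG) update(provided []byte) {
	d.key = mac(d.key, d.v, []byte{0x00}, provided)
	d.v = mac(d.key, d.v)
	if len(provided) == 0 {
		return
	}
	d.key = mac(d.key, d.v, []byte{0x01}, provided)
	d.v = mac(d.key, d.v)
}

// newHMACDRBG instantiates the DRBG (10.1.2.3) and enforces the FCS_RBG_EXT.1.2 rule that
// the seed carries at least `strength` bits of entropy, trusting the caller's claim that
// `entropy` is full-entropy output of the noise source.
func newHMACDRBG(strength int, entropy, nonce, personalization []byte) (*hmacDRBG, error) {
	if strength > 256 || len(entropy)*8 < strength {
		return nil, fmt.Errorf("seed supplies %d bits of entropy for strength %d (need at least strength bits; SHA-256 caps strength at 256)", len(entropy)*8, strength)
	}
	if len(nonce)*8 < strength/2 {
		return nil, errors.New("nonce must carry at least strength/2 bits")
	}
	d := &hmacDRBG{key: make([]byte, sha256.Size), v: make([]byte, sha256.Size), strength: strength}
	for i := range d.v {
		d.v[i] = 0x01
	}
	d.update(append(append(append([]byte{}, entropy...), nonce...), personalization...))
	d.reseedCounter = 1
	return d, nil
}

// Reseed mixes fresh entropy into the state (10.1.2.4) and restarts the reseed counter.
func (d *hmacDRBG) Reseed(entropy, additional []byte) error {
	if len(entropy)*8 < d.strength {
		return errors.New("reseed entropy is below the security strength")
	}
	d.update(append(append([]byte{}, entropy...), additional...))
	d.reseedCounter = 1
	return nil
}

// Generate returns n pseudorandom bytes (10.1.2.5). Refusing to run once the reseed interval
// is used up is the "failure of the randomization process" the audit list names.
func (d *hmacDRBG) Generate(n int, additional []byte) ([]byte, error) {
	if d.reseedCounter > reseedInterval {
		return nil, errors.New("reseed required before more output can be produced")
	}
	if len(additional) > 0 {
		d.update(additional)
	}
	out := make([]byte, 0, n+sha256.Size)
	for len(out) < n {
		d.v = mac(d.key, d.v)
		out = append(out, d.v...)
	}
	d.update(additional)
	d.reseedCounter++
	return out[:n], nil
}

func main() {
	seed := make([]byte, 48) // 256 bits of OS entropy plus a 128-bit nonce, standing in for the TOE's noise source
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	if d, err := newHMACDRBG(256, seed[:32], seed[32:], []byte("PP_VIRT example")); err == nil {
		out, _ := d.Generate(32, nil)
		fmt.Printf("%x\n", out)
	}
}
```

In a virtualization system the same seeding rule applies once more at the guest boundary: whatever FCS_ENT_EXT.1 mechanism (hypercall, virtual device or passthrough) hands entropy to a VM must deliver at least the strength's worth of entropy before the guest's own DRBG may be instantiated.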
C.2.7 FDP_HBI_EXT Hardware-Based Isolation Mechanisms

Family Behavior
This family defines requirements for isolation of Guest VMs from the hardware resources of the physical device on which the Guest VMs are deployed.

Component Leveling
FDP_HBI_EXT 1

FDP_HBI_EXT.1, Hardware-Based Isolation Mechanisms, requires the TSF to identify the mechanisms used to isolate Guest VMs from platform hardware resources.

Management: FDP_HBI_EXT.1
No specific management functions are identified.

Audit: FDP_HBI_EXT.1
There are no auditable events foreseen.

FDP_HBI_EXT.1 Hardware-Based Isolation Mechanisms
Hierarchical to: No other components.
Dependencies to: FDP_VMS_EXT.1 VM Separation

FDP_HBI_EXT.1.1 The TSF shall use [selection: no mechanism, [assignment: list of platform-provided, hardware-based mechanisms]] to constrain a Guest VM's direct access to the following physical devices: [selection: no devices, [assignment: physical devices to which the VMM allows Guest VMs physical access]].

C.2.8 FDP_PPR_EXT Physical Platform Resource Controls

Family Behavior
This family defines requirements for the physical resources that the TOE will allow or prohibit Guest VMs to access.

Component Leveling
FDP_PPR_EXT 1

FDP_PPR_EXT.1, Physical Platform Resource Controls, requires the TSF to define the hardware resources that Guest VMs may always access, may never access, and may conditionally access based on administrative configuration.

Management: FDP_PPR_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to configure VM access to physical devices.

Audit: FDP_PPR_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Successful and failed VM connections to physical devices where connection is governed by configurable policy.
b. Security policy violations.

FDP_PPR_EXT.1 Physical Platform Resource Controls
Hierarchical to: No other components.
Dependencies to: FDP_HBI_EXT.1 Hardware-Based Isolation Mechanisms
FMT_SMR.1 Security Roles

FDP_PPR_EXT.1.1 The TSF shall allow an authorized administrator to control Guest VM access to the following physical platform resources: [assignment: list of physical platform resources the VMM is able to control access to].

FDP_PPR_EXT.1.2 The TSF shall explicitly deny all Guest VMs access to the following physical platform resources: [selection: no physical platform resources, [assignment: list of physical platform resources to which access is explicitly denied]].

FDP_PPR_EXT.1.3 The TSF shall explicitly allow all Guest VMs access to the following physical platform resources: [selection: no physical platform resources, [assignment: list of physical platform resources to which access is always allowed]].
C.2.9 FDP_RIP_EXT Residual Information in Memory

Family Behavior
This family defines requirements for ensuring that allocation of data to a Guest VM does not cause a disclosure of residual data from a previous VM.

Component Leveling
FDP_RIP_EXT 1, 2

FDP_RIP_EXT.1, Residual Information in Memory, requires the TSF to ensure that physical memory is cleared to zeros prior to its allocation to a Guest VM.

Management: FDP_RIP_EXT.1
No specific management functions are identified.

Audit: FDP_RIP_EXT.1
There are no auditable events foreseen.

FDP_RIP_EXT.1 Residual Information in Memory
Hierarchical to: No other components.
Dependencies to: No dependencies.

FDP_RIP_EXT.1.1 The TSF shall ensure that any previous information content of physical memory is cleared prior to allocation to a Guest VM.

FDP_RIP_EXT.2, Residual Information on Disk, requires the TSF to ensure that physical disk storage is cleared upon allocation to a Guest VM.

Management: FDP_RIP_EXT.2
No specific management functions are identified.

Audit: FDP_RIP_EXT.2
There are no auditable events foreseen.

FDP_RIP_EXT.2 Residual Information on Disk
Hierarchical to: No other components.
Dependencies to: No dependencies.

FDP_RIP_EXT.2.1 The TSF shall ensure that any previous information content of physical disk storage is cleared to zeros upon allocation to a Guest VM.

C.2.10 FDP_VMS_EXT VM Separation

Family Behavior
This family defines requirements for the logical separation of multiple Guest VMs that are managed by the same Virtualization System.

Component Leveling
FDP_VMS_EXT 1

FDP_VMS_EXT.1, VM Separation, requires the TSF to maintain logical separation between Guest VMs except through the use of specific configurable methods.

Management: FDP_VMS_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to configure inter-VM data sharing.

Audit: FDP_VMS_EXT.1
There are no auditable events foreseen.

FDP_VMS_EXT.1 VM Separation
Hierarchical to: No other components.
Dependencies to: No dependencies.

FDP_VMS_EXT.1.1 The VS shall provide the following mechanisms for transferring data between Guest VMs: [selection: no mechanism, virtual networking, [assignment: other inter-VM data sharing mechanisms]].

FDP_VMS_EXT.1.2 The TSF shall by default enforce a policy prohibiting sharing of data between Guest VMs.

FDP_VMS_EXT.1.3 The TSF shall allow Administrators to configure the mechanisms selected in FDP_VMS_EXT.1.1 to enable and disable the transfer of data between Guest VMs.

FDP_VMS_EXT.1.4 The VS shall ensure that no Guest VM is able to read or transfer data to or from another Guest VM except through the mechanisms listed in FDP_VMS_EXT.1.1.
C.2.11 FDP_VNC_EXT Virtual Networking Components

Family Behavior
This family defines requirements for configuration of virtual networking between Guest VMs that are managed by the Virtualization System.

Component Leveling
FDP_VNC_EXT 1

FDP_VNC_EXT.1, Virtual Networking Components, requires the TSF to support the configuration of virtual networking between Guest VMs.

Management: FDP_VNC_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to configure virtual networks including VM.

Audit: FDP_VNC_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Successful and failed attempts to connect VMs to virtual and physical networking components.
b. Security policy violations.
c. Administrator configuration of inter-VM communications channels between VMs.

FDP_VNC_EXT.1 Virtual Networking Components
Hierarchical to: No other components.
Dependencies to: FDP_VMS_EXT.1 VM Separation
FMT_SMR.1 Security Roles

FDP_VNC_EXT.1.1 The TSF shall allow Administrators to configure virtual networking components to connect VMs to each other and to physical networks.

FDP_VNC_EXT.1.2 The TSF shall ensure that network traffic visible to a Guest VM on a virtual network, or virtual segment of a physical network, is visible only to Guest VMs configured to be on that virtual network or segment.
C.2.12FIA_AFL_EXTAuthenticationFailureHandling
FamilyBehaviorThisfamilydefinesrequirementsfordetectionandpreventionofbruteforceauthenticationattempts.
ComponentLeveling
FIA_AFL_EXT 1
FIA_AFL_EXT.1,AuthenticationFailureHandling,requirestheTSFtolockanadministratoraccountwhenanexcessivenumberoffailedauthenticationattemptshavebeenobserveduntilsomerestorativeeventoccurstoenabletheaccount.
Management:FIA_AFL_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoconfigurelockoutpolicythroughunsuccessfulauthenticationattempts.
Audit:FIA_AFL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Unsuccessfulloginattemptslimitismetorexceeded.
FIA_AFL_EXT.1AuthenticationFailureHandlingHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFMT_SMR.1SecurityRoles
FIA_AFL_EXT.1.1
TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]
]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].
FIA_AFL_EXT.1.2
Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingaremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingaremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministrator-definedtimeperiodhaselapsed]
C.2.13 FIA_PMG_EXT Password Management
Family Behavior
This family defines requirements for the composition of administrator passwords.
Component Leveling
FIA_PMG_EXT 1
FIA_PMG_EXT.1, Password Management, requires the TSF to ensure that administrator passwords meet a defined password policy.
Management: FIA_PMG_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to configure Administrator password policy, including the ability to change default authorization factors.
Audit: FIA_PMG_EXT.1
There are no auditable events foreseen.
FIA_PMG_EXT.1 Password Management
Hierarchical to: No other components.
Dependencies to: FIA_UIA_EXT.1 Administrator Identification and Authentication
FIA_PMG_EXT.1.1
The TSF shall provide the following password management capabilities for administrative passwords:
a. Passwords shall be able to be composed of any combination of upper and lower case characters, digits, and the following special characters: [selection: "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", [assignment: other characters]]
b. Minimum password length shall be configurable
c. Passwords of at least 15 characters in length shall be supported
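The two administrator-credential requirements above, FIA_AFL_EXT.1 (remote-login lockout with both unlock options) and FIA_PMG_EXT.1 (password composition with a configurable minimum length), as one added illustration that is not code from the PP or any evaluated product; the threshold, acceptable range, 300-second unlock period and the special-character set are constructed sample values.

```python
"""Administrator authentication policy as FIA_AFL_EXT.1 (remote-login lockout)
and FIA_PMG_EXT.1 (password composition) describe it.  Added illustration,
not code from the PP: the threshold, acceptable range, 300-second unlock
period and the set of special characters are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Special characters from the FIA_PMG_EXT.1.1 selection list; an ST author may
# extend this set through the [assignment: other characters].
DEFAULT_SPECIALS = set("!@#$%^&*()")


@dataclass
class PasswordPolicy:
    min_length: int = 15      # configurable (b.); at least 15 must be supported (c.)
    specials: Set[str] = field(default_factory=lambda: set(DEFAULT_SPECIALS))

    def check(self, password: str) -> List[str]:
        """Returns the list of policy violations; an empty list means acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than minimum length {self.min_length}")
        for ch in password:
            # upper/lower case letters, digits and the configured specials only
            if not (ch.isascii() and (ch.isalnum() or ch in self.specials)):
                problems.append(f"character {ch!r} not in permitted set")
                break
        return problems


@dataclass
class LockoutPolicy:
    """FIA_AFL_EXT.1.1: the threshold is an administrator-configurable positive
    integer within an acceptable range.  FIA_AFL_EXT.1.2: the lock is released
    by an Administrator action or after an Administrator-defined period."""
    threshold: int = 5
    acceptable_range: Tuple[int, int] = (1, 20)
    unlock_after_seconds: Optional[float] = 300.0   # None: Administrator unlock only

    def __post_init__(self) -> None:
        lo, hi = self.acceptable_range
        if not lo <= self.threshold <= hi:
            raise ValueError("lockout threshold outside the acceptable range")


class AdminAuthTracker:
    """Tracks remote password/PIN failures per Administrator account."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, int] = {}
        self._locked_at: Dict[str, float] = {}

    def is_locked(self, admin: str, now: float) -> bool:
        locked_at = self._locked_at.get(admin)
        if locked_at is None:
            return False
        timeout = self.policy.unlock_after_seconds
        if timeout is not None and now - locked_at >= timeout:
            self.admin_unlock(admin)          # time-based release
            return False
        return True

    def record_attempt(self, admin: str, credential_ok: bool, now: float) -> bool:
        """Returns True only if a remote session may be established."""
        if self.is_locked(admin, now):
            return False        # even a correct password/PIN is refused while locked
        if credential_ok:
            self._failures.pop(admin, None)
            return True
        count = self._failures.get(admin, 0) + 1
        self._failures[admin] = count
        if count >= self.policy.threshold:
            self._locked_at[admin] = now      # auditable: limit met or exceeded
        return False

    def admin_unlock(self, admin: str) -> None:
        """The explicit [assignment: action to unlock] taken by an Administrator."""
        self._locked_at.pop(admin, None)
        self._failures.pop(admin, None)
```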
C.2.14 FIA_UIA_EXT Administrator Identification and Authentication
Family Behavior
This family defines requirements for ensuring that access to the TSF is not granted to unauthenticated subjects.
Component Leveling
FIA_UIA_EXT 1
FIA_UIA_EXT.1, Administrator Identification and Authentication, requires the TSF to ensure that all subjects attempting to perform TSF-mediated actions are identified and authenticated prior to authorizing these actions to be performed.
Management: FIA_UIA_EXT.1
No specific management functions are identified.
Audit: FIA_UIA_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Administrator authentication attempts.
b. All use of the identification and authentication mechanism.
c. Administrator session start time and end time.
FIA_UIA_EXT.1 Administrator Identification and Authentication
Hierarchical to: No other components.
Dependencies to: FIA_UAU.5 Multiple Authentication Mechanisms
FIA_UIA_EXT.1.1
The TSF shall require Administrators to be successfully identified and authenticated using one of the methods in FIA_UAU.5 before allowing any TSF-mediated management function to be performed by that Administrator.
C.2.15 FIA_X509_EXT X.509 Certificate
Family Behavior
This family defines requirements for the validation and use of X.509 certificates.
Component Leveling
FIA_X509_EXT 1 2
FIA_X509_EXT.1, X.509 Certificate Validation, defines how the TSF must validate X.509 certificates that are presented to it.
Management: FIA_X509_EXT.1
The following actions could be considered for the management functions in FMT:
a. Configuration of action to take if unable to determine the validity of a certificate.
Audit: FIA_X509_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Failure to validate a certificate.
FIA_X509_EXT.1 X.509 Certificate Validation
Hierarchical to: No other components.
Dependencies to: FPT_STM.1 Reliable Time Stamps
FIA_X509_EXT.1.1
The TSF shall validate certificates in accordance with the following rules:
- RFC 5280 certificate validation and certificate path validation
- The certificate path must terminate with a trusted certificate
- The TOE shall validate a certificate path by ensuring the presence of the basicConstraints extension, that the CA flag is set to TRUE for all CA certificates, and that any path constraints are met.
- The TSF shall validate that any CA certificate includes caSigning purpose in the key usage field
- The TSF shall validate revocation status of the certificate using [selection: OCSP as specified in RFC 6960, a CRL as specified in RFC 5759, an OCSP TLS Status Request Extension (OCSP stapling) as specified in RFC 6066, OCSP TLS Multi-Certificate Status Request Extension (i.e., OCSP Multi-Stapling) as specified in RFC 6961].
- The TSF shall validate the extendedKeyUsage field according to the following rules:
  - Certificates used for trusted updates and executable code integrity verification shall have the Code Signing Purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.
  - Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.
  - Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the EKU field.
  - OCSP certificates presented for OCSP responses shall have the OCSP Signing Purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the EKU field.
FIA_X509_EXT.1.2
The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.
FIA_X509_EXT.2, X.509 Certificate Authentication, requires the TSF to identify the functions for which it uses X.509 certificates for authentication.
Management: FIA_X509_EXT.2
The following actions could be considered for the management functions in FMT:
a. Configuration of TSF behavior when certificate revocation status cannot be determined.
Audit: FIA_X509_EXT.2
There are no auditable events foreseen.
FIA_X509_EXT.2 X.509 Certificate Authentication
Hierarchical to: No other components.
Dependencies to: FIA_X509_EXT.1 X.509 Certificate Validation, FTP_ITC_EXT.1 Trusted Channel Communications
FIA_X509_EXT.2.1
The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [assignment: secure transport protocols], and [assignment: other uses].
FIA_X509_EXT.2.2
When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [assignment: action to take].
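The path-validation rules of FIA_X509_EXT.1.1 and the CA rule of FIA_X509_EXT.1.2 applied to certificate fields that have already been parsed out of the DER, as an added example that is not code from the PP or any product: the certificates in the test are constructed, and signature verification, validity periods and the selected revocation mechanism are assumed to be performed by the caller.

```python
"""Certificate-path checks required by FIA_X509_EXT.1.1 and FIA_X509_EXT.1.2
over pre-parsed certificate fields.  Added example, not code from the PP.
Signature verification, validity dates and the revocation check (OCSP/CRL)
are assumed to be done by the caller before or after this function."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# extendedKeyUsage purposes named in FIA_X509_EXT.1.1
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp 1
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp 2
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp 3
EKU_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp 9

REQUIRED_EKU: Dict[str, str] = {
    "tls-server": EKU_SERVER_AUTH,
    "tls-client": EKU_CLIENT_AUTH,
    "trusted-update": EKU_CODE_SIGNING,
    "ocsp-responder": EKU_OCSP_SIGNING,
}


@dataclass
class Cert:
    subject: str
    issuer: str
    has_basic_constraints: bool = False
    ca: bool = False                        # basicConstraints.cA
    path_len: Optional[int] = None          # basicConstraints.pathLenConstraint
    key_usage: Set[str] = field(default_factory=set)
    eku: Set[str] = field(default_factory=set)

    def is_ca(self) -> bool:
        """FIA_X509_EXT.1.2: a CA only if basicConstraints is present and cA is TRUE."""
        return self.has_basic_constraints and self.ca


def validate_path(chain: List[Cert], trust_anchors: List[Cert], use: str) -> List[str]:
    """chain[0] is the end-entity certificate, chain[-1] the certificate that
    must have been issued by a trust anchor.  Returns the violations found;
    an empty list means the path satisfies the FIA_X509_EXT.1 rules."""
    errors: List[str] = []
    if not chain:
        return ["empty path"]
    leaf, intermediates = chain[0], chain[1:]
    anchors = {a.subject: a for a in trust_anchors}
    # 1. the path must terminate with a trusted certificate
    ordered: List[Cert] = []
    if chain[-1].issuer in anchors:
        ordered.append(anchors[chain[-1].issuer])
    else:
        errors.append("path does not terminate at a trusted certificate")
    ordered.extend(reversed(intermediates))   # anchor first, then downward
    # 2. every CA certificate: basicConstraints present, cA TRUE, keyCertSign,
    #    and pathLenConstraint not exceeded by the CAs below it
    for depth, ca_cert in enumerate(ordered):
        if not ca_cert.is_ca():
            errors.append(f"{ca_cert.subject}: not a CA (basicConstraints/cA)")
        if "keyCertSign" not in ca_cert.key_usage:
            errors.append(f"{ca_cert.subject}: keyUsage lacks keyCertSign")
        below = len(ordered) - depth - 1       # intermediate CAs under this one
        if ca_cert.path_len is not None and below > ca_cert.path_len:
            errors.append(f"{ca_cert.subject}: pathLenConstraint {ca_cert.path_len} exceeded")
    # 3. issuer/subject chaining from the leaf upward
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            errors.append(f"{child.subject}: issuer does not match {parent.subject}")
    # 4. the end-entity certificate carries the EKU purpose for its use
    required = REQUIRED_EKU[use]
    if required not in leaf.eku:
        errors.append(f"{leaf.subject}: extendedKeyUsage lacks {required} for {use}")
    return errors
```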
C.2.16 FMT_SMO_EXT Separation of Management and Operational Networks
Family Behavior
This family defines requirements for separation of management and operational networks.
Component Leveling
FMT_SMO_EXT 1
FMT_SMO_EXT.1, Separation of Management and Operational Networks, requires the TSF to separate its management and operational networks through a defined mechanism.
Management: FMT_SMO_EXT.1
No specific management functions are identified.
Audit: FMT_SMO_EXT.1
There are no auditable events foreseen.
FMT_SMO_EXT.1 Separation of Management and Operational Networks
Hierarchical to: No other components.
Dependencies to: No dependencies.
FMT_SMO_EXT.1.1
The TSF shall support the separation of management and operational network traffic through [selection: separate physical networks, separate logical networks, trusted channels as defined in FTP_ITC_EXT.1, data encryption using an algorithm specified in FCS_COP.1/UDE].
C.2.17 FPT_DDI_EXT Device Driver Isolation
Family Behavior
This family defines requirements for isolation of device drivers.
Component Leveling
FPT_DDI_EXT 1
FPT_DDI_EXT.1, Device Driver Isolation, requires the TSF to isolate device drivers for physical devices from all virtual domains.
Management: FPT_DDI_EXT.1
No specific management functions are identified.
Audit: FPT_DDI_EXT.1
There are no auditable events foreseen.
FPT_DDI_EXT.1 Device Driver Isolation
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_DDI_EXT.1.1
The TSF shall ensure that device drivers for physical devices are isolated from the VMM and all other domains.
C.2.18 FPT_DVD_EXT Non-Existence of Disconnected Virtual Devices
Family Behavior
This family defines requirements for ensuring that Guest VMs cannot access the virtual hardware interfaces of disabled or disconnected virtual devices.
Component Leveling
FPT_DVD_EXT 1
FPT_DVD_EXT.1, Non-Existence of Disconnected Virtual Devices, requires the TSF to prevent Guest VMs from accessing virtual devices that they are not configured to have access to.
Management: FPT_DVD_EXT.1
No specific management functions are identified.
Audit: FPT_DVD_EXT.1
There are no auditable events foreseen.
FPT_DVD_EXT.1 Non-Existence of Disconnected Virtual Devices
Hierarchical to: No other components.
Dependencies to: FPT_VDP_EXT.1 Virtual Device Parameters
FPT_DVD_EXT.1.1
The TSF shall prevent Guest VMs from accessing virtual device interfaces that are not present in the VM's current virtual hardware configuration.
C.2.19 FPT_EEM_EXT Execution Environment Mitigations
Family Behavior
This family defines requirements for the TOE's compatibility with platform mechanisms that prevent vulnerabilities that allow for the execution of unauthorized code or bypass of access restrictions on memory or storage.
Component Leveling
FPT_EEM_EXT 1
FPT_EEM_EXT.1, Execution Environment Mitigations, requires the TSF to identify the execution environment-based protection mechanisms that it can use for self-protection.
Management: FPT_EEM_EXT.1
No specific management functions are identified.
Audit: FPT_EEM_EXT.1
There are no auditable events foreseen.
FPT_EEM_EXT.1 Execution Environment Mitigations
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_EEM_EXT.1.1
The TSF shall take advantage of execution environment-based vulnerability mitigation mechanisms supported by the Platform such as: [selection: Address space randomization, Memory execution protection (e.g., DEP), Stack buffer overflow protection, Heap corruption detection, [assignment: other mechanisms], No mechanisms]
C.2.20 FPT_GVI_EXT Guest VM Integrity
Family Behavior
This family defines requirements for the TOE to assert the integrity of Guest VMs.
Component Leveling
FPT_GVI_EXT 1
FPT_GVI_EXT.1, Guest VM Integrity, requires the TSF to specify the mechanisms it uses to verify the integrity of Guest VMs.
Management: FPT_GVI_EXT.1
No specific management functions are identified.
Audit: FPT_GVI_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Actions taken due to failed integrity check.
FPT_GVI_EXT.1 Guest VM Integrity
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_GVI_EXT.1.1
The TSF shall verify the integrity of Guest VMs through the following mechanisms: [assignment: list of Guest VM integrity mechanisms].
C.2.21 FPT_HAS_EXT Hardware Assists
Family Behavior
This family defines requirements for use of hardware-based virtualization assists as performance enhancements.
Component Leveling
FPT_HAS_EXT 1
FPT_HAS_EXT.1, Hardware Assists, requires the TSF to identify the hardware assists it uses to reduce TOE complexity.
Management: FPT_HAS_EXT.1
No specific management functions are identified.
Audit: FPT_HAS_EXT.1
There are no auditable events foreseen.
FPT_HAS_EXT.1 Hardware Assists
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_HAS_EXT.1.1
The VMM shall use [assignment: list of hardware-based virtualization assists] to reduce or eliminate the need for binary translation.
FPT_HAS_EXT.1.2
The VMM shall use [assignment: list of hardware-based virtualization memory-handling assists] to reduce or eliminate the need for shadow page tables.
C.2.22 FPT_HCL_EXT Hypercall Controls
Family Behavior
This family defines requirements for control of Hypercall interfaces.
Component Leveling
FPT_HCL_EXT 1
FPT_HCL_EXT.1, Hypercall Controls, requires the TSF to implement appropriate parameter validation to protect the VMM from unauthorized access through a hypercall interface.
Management: FPT_HCL_EXT.1
No specific management functions are identified.
Audit: FPT_HCL_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Invalid parameter to hypercall detected.
b. Hypercall interface invoked when documented preconditions are not met.
FPT_HCL_EXT.1 Hypercall Controls
Hierarchical to: No other components.
Dependencies to: FMT_SMR.1 Security Roles
FPT_HCL_EXT.1.1
The TSF shall validate the parameters passed to Hypercall interfaces prior to execution of the VMM functionality exposed by each interface.
C.2.23 FPT_IDV_EXT Software Identification and Versions
Family Behavior
This family defines requirements for the use of SWID tags to identify the TOE.
Component Leveling
FPT_IDV_EXT 1
FPT_IDV_EXT.1, Software Identification and Versions, requires the TSF to identify itself using SWID tags.
Management: FPT_IDV_EXT.1
No specific management functions are identified.
Audit: FPT_IDV_EXT.1
There are no auditable events foreseen.
FPT_IDV_EXT.1 Software Identification and Versions
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_IDV_EXT.1.1
The TSF shall include software identification (SWID) tags that contain a SoftwareIdentity element and an Entity element as defined in ISO/IEC 19770-2:2009.
FPT_IDV_EXT.1.2
The TSF shall store SWIDs in a .swidtag file as defined in ISO/IEC 19770-2:2009.
C.2.24 FPT_INT_EXT Support for Introspection
Family Behavior
This family defines requirements for supporting VM introspection.
Component Leveling
FPT_INT_EXT 1
FPT_INT_EXT.1, Support for Introspection, requires the TSF to support introspection.
Management: FPT_INT_EXT.1
No specific management functions are identified.
Audit: FPT_INT_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Introspection initiated/enabled.
FPT_INT_EXT.1 Support for Introspection
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_INT_EXT.1.1
The TSF shall support a mechanism for permitting the VMM or privileged VMs to access the internals of another VM for purposes of introspection.
C.2.25 FPT_ML_EXT Measured Launch of Platform and VMM
Family Behavior
This family defines requirements for measured launch.
Component Leveling
FPT_ML_EXT 1
FPT_ML_EXT.1, Measured Launch of Platform and VMM, requires the TSF to support a measured launch of itself.
Management: FPT_ML_EXT.1
No specific management functions are identified.
Audit: FPT_ML_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Integrity measurements collected.
FPT_ML_EXT.1 Measured Launch of Platform and VMM
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_ML_EXT.1.1
The TSF shall support a measured launch of the Virtualization System. Measured components of the VS shall include the static executable image of the Hypervisor and: [selection: Static executable images of the Management Subsystem, [assignment: list of (static images of) Service VMs], [assignment: list of configuration files], no other components]
FPT_ML_EXT.1.2
The TSF shall make the measurements selected in FPT_ML_EXT.1.1 available to the Management Subsystem.
C.2.26 FPT_RDM_EXT Removable Devices and Media
Family Behavior
This family defines requirements for enforcement of domain isolation when removable devices can be connected to a domain.
Component Leveling
FPT_RDM_EXT 1
FPT_RDM_EXT.1, Removable Devices and Media, requires the TSF to ensure that VMs are not inadvertently given access to information in different domains because removable media is simultaneously accessible from separate domains.
Management: FPT_RDM_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to configure removable media policy.
b. Ability to connect/disconnect removable devices to/from a VM.
Audit: FPT_RDM_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Connection/disconnection of removable media or device to/from a VM.
b. Ejection/insertion of removable media or device from/to an already connected VM.
FPT_RDM_EXT.1 Removable Devices and Media
Hierarchical to: No other components.
Dependencies to: FDP_VMS_EXT.1 VM Separation
FPT_RDM_EXT.1.1
The TSF shall implement controls for handling the transfer of virtual and physical removable media and virtual and physical removable media devices between information domains.
FPT_RDM_EXT.1.2
The TSF shall enforce the following rules when [assignment: virtual or physical removable media and virtual or physical removable media devices] are switched between information domains, then [selection: the Administrator has granted explicit access for the media or device to be connected to the receiving domain, the media in a device that is being transferred is ejected prior to the receiving domain being allowed access to the device, the user of the receiving domain expressly authorizes the connection, the device or media that is being transferred is prevented from being accessed by the receiving domain]
C.2.27 FPT_TUD_EXT Trusted Updates
Family Behavior
This family defines requirements for ensuring that updates to the TOE software and firmware are genuine.
Component Leveling
FPT_TUD_EXT 1 2
FPT_TUD_EXT.1, Trusted Updates to the Virtualization System, requires the TSF to define the mechanism for applying and verifying TOE updates.
Management: FPT_TUD_EXT.1
The following actions could be considered for the management functions in FMT:
a. Ability to update the Virtualization System.
Audit: FPT_TUD_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Initiation of update.
b. Failure of signature verification.
FPT_TUD_EXT.1 Trusted Updates to the Virtualization System
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FPT_TUD_EXT.1.1
The TSF shall provide administrators the ability to query the currently executed version of the TOE firmware/software as well as the most recently installed version of the TOE firmware/software.
FPT_TUD_EXT.1.2
The TSF shall provide administrators the ability to manually initiate updates to TOE firmware/software and [selection: automatic updates, no other update mechanism].
FPT_TUD_EXT.1.3
The TSF shall provide means to authenticate firmware/software updates to the TOE using a [assignment: integrity action] prior to installing those updates.
FPT_TUD_EXT.2, Trusted Update Based on Certificates, requires the TSF to validate updates using a code signing certificate.
Management: FPT_TUD_EXT.2
No specific management functions are identified.
Audit: FPT_TUD_EXT.2
There are no auditable events foreseen.
FPT_TUD_EXT.2 Trusted Update Based on Certificates
Hierarchical to: No other components.
Dependencies to: FPT_TUD_EXT.1 Trusted Updates to the Virtualization System, FIA_X509_EXT.1 X.509 Validation, FIA_X509_EXT.2 X.509 Authentication
FPT_TUD_EXT.2.1
The TSF shall not install an update if the code signing certificate is deemed invalid.
C.2.28 FPT_VDP_EXT Virtual Device Parameters
Family Behavior
This family defines requirements for processing data transmitted to the TOE from a Guest VM.
Component Leveling
FPT_VDP_EXT 1
FPT_VDP_EXT.1, Virtual Device Parameters, requires the TSF to interface with Guest VMs through virtual hardware abstractions so that any data transmitted to the TOE from a Guest VM can be validated as well-formed.
Management: FPT_VDP_EXT.1
No specific management functions are identified.
Audit: FPT_VDP_EXT.1
There are no auditable events foreseen.
FPT_VDP_EXT.1 Virtual Device Parameters
Hierarchical to: No other components.
Dependencies to: FPT_VIV_EXT.1 VMM Isolation from VMs
FPT_VDP_EXT.1.1
The TSF shall provide interfaces for virtual devices implemented by the VMM as part of the virtual hardware abstraction.
FPT_VDP_EXT.1.2
The TSF shall validate the parameters passed to the virtual device interface prior to execution of the VMM functionality exposed by those interfaces.
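Parameter validation at the guest/VMM boundary, the behaviour that FPT_HCL_EXT.1.1 (hypercalls) and FPT_VDP_EXT.1.2 (virtual device interfaces) both require, as one added example that is not code from the PP or any product: the guest memory map, the descriptor-style (address, length) parameters, the size limits and the address width are all constructed sample values.

```python
"""Guest-supplied parameter validation before the VMM acts (FPT_HCL_EXT.1.1,
FPT_VDP_EXT.1.2).  Added example, not code from the PP: the limits, the
address width and the guest memory layout used in the test are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_DESC_LEN = 1 << 20      # constructed: largest single transfer accepted
MAX_DESCS = 256             # constructed: descriptors accepted per request
GPA_LIMIT = 1 << 52         # constructed: guest-physical address width


@dataclass(frozen=True)
class Region:
    gpa: int        # guest-physical start address
    size: int


@dataclass
class GuestVM:
    vm_id: int
    regions: List[Region]   # RAM assigned to this VM; nothing else is reachable
    running: bool = True

    def owns(self, gpa: int, length: int) -> bool:
        end = gpa + length
        return any(r.gpa <= gpa and end <= r.gpa + r.size for r in self.regions)


def check_descriptor(vm: GuestVM, gpa: int, length: int) -> List[str]:
    """Checks one (address, length) pair a guest handed to a virtual device."""
    problems = []
    if not 0 <= gpa < GPA_LIMIT:
        problems.append(f"gpa {gpa:#x} outside addressable range")
    if not 0 < length <= MAX_DESC_LEN:
        problems.append(f"length {length} outside (0, {MAX_DESC_LEN}]")
    if problems:
        return problems         # do not reason further about out-of-range values
    if gpa + length > GPA_LIMIT:
        problems.append("descriptor end wraps past the address limit")
    if gpa % 8:
        problems.append(f"gpa {gpa:#x} not 8-byte aligned")
    if not vm.owns(gpa, length):
        # a buffer that reaches outside the guest's own RAM must never be touched
        problems.append(f"[{gpa:#x}, {gpa + length:#x}) not within vm {vm.vm_id} RAM")
    return problems


def validate_request(vm: GuestVM, descs: List[Tuple[int, int]]) -> List[str]:
    """Validates a whole request; an empty list means the VMM may proceed."""
    if not vm.running:
        return ["precondition not met: VM is not running"]
    if len(descs) > MAX_DESCS:
        return [f"{len(descs)} descriptors exceeds limit {MAX_DESCS}"]
    problems = []
    for i, (gpa, length) in enumerate(descs):
        problems.extend(f"desc {i}: {p}" for p in check_descriptor(vm, gpa, length))
    return problems


def dispatch(vm: GuestVM, descs: List[Tuple[int, int]], audit_log: List[str]) -> Optional[int]:
    """Performs the transfer only after every parameter has validated.
    Returns the byte count transferred, or None when the request was refused;
    each violation becomes an 'invalid parameter' audit event."""
    problems = validate_request(vm, descs)
    if problems:
        audit_log.extend(f"vm={vm.vm_id} invalid parameter: {p}" for p in problems)
        return None
    return sum(length for _, length in descs)   # stands in for the real transfer
```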
C.2.29 FPT_VIV_EXT VMM Isolation from VMs
Family Behavior
This family defines requirements for ensuring the TOE is logically isolated from its Guest VMs.
Component Leveling
FPT_VIV_EXT 1
FPT_VIV_EXT.1, VMM Isolation from VMs, requires the TSF to ensure that there is no mechanism by which a Guest VM can interface with the TOE, other VMs, or the hardware platform without authorization.
Management: FPT_VIV_EXT.1
No specific management functions are identified.
Audit: FPT_VIV_EXT.1
There are no auditable events foreseen.
FPT_VIV_EXT.1 VMM Isolation from VMs
Hierarchical to: No other components.
Dependencies to: FDP_PPR_EXT.1 Physical Platform Resource Controls, FDP_VMS_EXT.1 VM Separation
FPT_VIV_EXT.1.1
The TSF must ensure that software running in a VM is not able to degrade or disrupt the functioning of other VMs, the VMM, or the Platform.
FPT_VIV_EXT.1.2
The TSF must ensure that a Guest VM is unable to invoke platform code that runs at a privilege level equal to or exceeding that of the VMM without involvement of the VMM.
C.2.30 FTP_ITC_EXT Trusted Channel Communications
Family Behavior
This family defines requirements for protection of data in transit between the TOE and its operational environment.
Component Leveling
FTP_ITC_EXT 1
FTP_ITC_EXT.1, Trusted Channel Communications, requires the TSF to implement one or more cryptographic protocols to secure connectivity between the TSF and various external entities.
Management: FTP_ITC_EXT.1
No specific management functions are identified.
Audit: FTP_ITC_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a. Initiation of the trusted channel.
b. Termination of the trusted channel.
c. Failures of the trusted path functions.
FTP_ITC_EXT.1 Trusted Channel Communications
Hierarchical to: No other components.
Dependencies to: FAU_STG_EXT.1 Off-Loading of Audit Data
FTP_ITC_EXT.1.1
The TSF shall use [assignment: transport mechanism] and [assignment: authentication mechanism] to provide a trusted communication channel between itself, and audit servers (as required by FAU_STG_EXT.1), and [assignment: remote entities] that is logically distinct from other communication paths and provides assured identification of its endpoints and protection of the communicated data from disclosure and detection of modification of the communicated data.
C.2.31 FTP_UIF_EXT User Interface
Family Behavior
This family defines requirements for unambiguously identifying the specific Guest VM that a TOE user is interacting with at any given point in time.
Component Leveling
FTP_UIF_EXT 1 2
FTP_UIF_EXT.1, User Interface: I/O Focus, requires the TSF to unambiguously identify the Guest VM that has the current input focus for input peripherals.
Management: FTP_UIF_EXT.1
No specific management functions are identified.
Audit: FTP_UIF_EXT.1
There are no auditable events foreseen.
FTP_UIF_EXT.1 User Interface: I/O Focus
Hierarchical to: No other components.
Dependencies to: No dependencies
FTP_UIF_EXT.1.1
The TSF shall indicate to users which VM, if any, has the current input focus.
FTP_UIF_EXT.2, User Interface: Identification of VM, requires the TOE to perform power on self-tests to verify its functionality and the integrity of its stored executable code.
Management: FTP_UIF_EXT.2
No specific management functions are identified.
Audit: FTP_UIF_EXT.2
There are no auditable events foreseen.
FTP_UIF_EXT.2 User Interface: Identification of VM
Hierarchical to: No other components.
Dependencies to: No dependencies
FTP_UIF_EXT.2.1
The TSF shall support the unique identification of a VM's output display to users.
Appendix D - Implicitly Satisfied Requirements
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components. This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP provides evidence that these controls are present and have been evaluated.
Table 9: Implicitly Satisfied Requirements
Requirement | Rationale for Satisfaction
FCS_CKM.4 – Cryptographic Key Destruction | FCS_CKM.1 has a dependency on FCS_CKM.4. The extended SFR FCS_CKM_EXT.4 addresses this dependency by defining an alternate requirement for key destruction.
FCS_CKM.4 – Cryptographic Key Destruction | FCS_CKM.2 has a dependency on FCS_CKM.4. The extended SFR FCS_CKM_EXT.4 addresses this dependency by defining an alternate requirement for key destruction.
FCS_CKM.4 – Cryptographic Key Destruction | Each iteration of FCS_COP.1 has a dependency on FCS_CKM.4. The extended SFR FCS_CKM_EXT.4 addresses this dependency by defining an alternate requirement for key destruction.
FIA_UID.1 – Timing of Identification | FMT_SMR.2 has a dependency on FIA_UID.1. The extended SFR FIA_UID_EXT.1 expresses this dependency by also requiring user identification for use of the TOE.
FPT_STM.1 – Reliable Time Stamps | FAU_GEN.1 has a dependency on FPT_STM.1. While not explicitly stated in the PP, it is assumed that this will be provided by the underlying hardware platform on which the TOE is installed. This is because the TOE is installed as a software or firmware product that runs on general-purpose computing hardware, so a hardware clock is assumed to be available.
FPT_STM.1 – Reliable Time Stamps | FIA_X509_EXT.1 has a dependency on FPT_STM.1. While not explicitly stated in the PP, it is assumed that this will be provided by the underlying hardware platform on which the TOE is installed. This is because the TOE is installed as a software or firmware product that runs on general-purpose computing hardware, so a hardware clock is assumed to be available.
Appendix E - Entropy Documentation and Assessment
E.1 Design Description
Documentation shall include the design of the entropy source as a whole, including the interaction of all entropy source components. It will describe the operation of the entropy source to include how it works, how entropy is produced, and how unprocessed (raw) data can be obtained from within the entropy source for testing purposes. The documentation should walk through the entropy source design indicating where the randomness comes from, where it is passed next, any post-processing of the raw outputs (hash, XOR, etc.), if/where it is stored, and finally, how it is output from the entropy source. Any conditions placed on the process (e.g., blocking) should also be described in the entropy source design. Diagrams and examples are encouraged. This design must also include a description of the content of the security boundary of the entropy source and a description of how the security boundary ensures that an adversary outside the boundary cannot affect the entropy rate.
E.2 Entropy Justification
There should be a technical argument for where the unpredictability in the source comes from and why there is confidence in the entropy source exhibiting probabilistic behavior (an explanation of the probability distribution and justification for that distribution given the particular source is one way to describe this). This argument will include a description of the expected entropy rate and explain how you ensure that sufficient entropy is going into the TOE randomizer seeding process. This discussion will be part of a justification for why the entropy source can be relied upon to produce bits with entropy.
E.3 Operating Conditions
Documentation will also include the range of operating conditions under which the entropy source is expected to generate random data. It will clearly describe the measures that have been taken in the system design to ensure the entropy source continues to operate under those conditions. Similarly, documentation shall describe the conditions under which the entropy source is known to malfunction or become inconsistent. Methods used to detect failure or degradation of the source shall be included.
E.4 Health Testing
More specifically, all entropy source health tests and their rationale will be documented. This will include a description of the health tests, the rate and conditions under which each health test is performed (e.g., at startup, continuously, or on-demand), the expected results for each health test, and rationale indicating why each test is believed to be appropriate for detecting one or more failures in the entropy source.
Appendix F - Equivalency Guidelines
F.1 Introduction
The purpose of equivalence in PP-based evaluations is to find a balance between evaluation rigor and commercial practicability -- to ensure that evaluations meet customer expectations while recognizing that there is little to be gained from requiring that every variation in a product or platform be fully tested. If a product is found to be compliant with a PP on one platform, then all equivalent products on equivalent platforms are also considered to be compliant with the PP.
A Vendor can make a claim of equivalence if the Vendor believes that a particular instance of their Product implements PP-specified security functionality in a way equivalent to the implementation of the same functionality on another instance of their Product on which the functionality was tested. The Product instances can differ in version number or feature level (model), or the instances may run on different platforms. Equivalency can be used to reduce the testing required across claimed evaluated configurations. It can also be used during Assurance Maintenance to reduce testing needed to add more evaluated configurations to a certification.
These equivalency guidelines do not replace Assurance Maintenance requirements or NIAP Policy #5 requirements for CAVP certificates. Nor may equivalency be used to leverage evaluations with expired certifications.
This document provides guidance for determining whether Products and Platforms are equivalent for purposes of evaluation against the Protection Profile for Virtualization (VPP) when instantiated with either the Client or Server PP-Module.
Equivalence has two aspects:
1. Product Equivalence: Products may be considered equivalent if there are no differences between Product Models and Product Versions with respect to PP-specified security functionality.
2. Platform Equivalence: Platforms may be considered equivalent if there are no significant differences in the services they provide to the Product -- or in the way the platforms provide those services -- with respect to PP-specified security functionality.
The equivalency determination is made in accordance with these guidelines by the Validator and Scheme using information provided by the Evaluator/Vendor.
F.2 Approach to Equivalency Analysis
There are two scenarios for performing equivalency analysis. One is when a product has been certified and the vendor wants to show that a later product should be considered certified due to equivalence with the earlier product. The other is when multiple product variants are going through evaluation together and the vendor would like to reduce the amount of testing that must be done. The basic rules for determining equivalence are the same in both cases. But there is one additional consideration that applies to equivalence with previously certified products. That is, the product with which equivalence is being claimed must have a valid certification in accordance with scheme rules and the Assurance Maintenance process must be followed. If a product's certification has expired, then equivalence cannot be claimed with that product.
When performing equivalency analysis, the Evaluator/Vendor should first use the factors and guidelines for Product Model equivalence to determine the set of Product Models to be evaluated. In general, Product Models that do not differ in PP-specified security functionality are considered equivalent for purposes of evaluation against the VPP.
If multiple revision levels of Product Models are to be evaluated -- or to determine whether a revision of an evaluated product needs re-evaluation -- the Evaluator/Vendor and Validator should use the factors and guidelines for Product Version equivalence to determine whether Product Versions are equivalent.
Having determined the set of Product Models and Versions to be evaluated, the next step is to determine the set of Platforms that the Products must be tested on.
Each non-equivalent Product for which compliance is claimed must be fully tested on each non-equivalent platform for which compliance is claimed. For non-equivalent Products on equivalent platforms, only the differences that affect PP-specified security functionality must be tested for each product.
If the set of equivalent Products includes only bare-metal installations, then the equivalency analysis is complete. But if any members of the set include hosted installations or installations that integrate with an existing host operating system or control domain, then software platform equivalence must be taken into consideration. The Evaluator/Vendor and Validator should use the factors and guidance for software platform equivalence to determine whether different models or versions of host or control domain operating systems require separate testing.
"Differences in PP-Specified Security Functionality" Defined
If PP-specified security functionality is implemented by the TOE, then differences in the actual implementation between versions or product models break equivalence for that feature. Likewise, if the TOE implements the functionality in one version or model and the functionality is implemented by the platform in another version or model, then equivalence is broken. If the functionality is implemented by the platform in multiple models or versions on equivalent platforms, then the functionality is considered different if the product invokes the platform differently to perform the function.
F.3 Specific Guidance for Determining Product Model Equivalence
Product Model equivalence attempts to determine whether different feature levels of the same product across a product line are equivalent for purposes of PP testing. For example, if a product has a "basic" edition and an "enterprise" edition, is it necessary to test both models? Or does testing one model provide sufficient confidence that both models are compliant?
Table 10, below, lists the factors for determining Product Model equivalence.
Table 10: Factors for Determining Product Model Equivalence
Factor | Same/Different | Guidance
Target Platform | Different | Product Models that virtualize different instruction sets (e.g., x86, ARM, POWER, SPARC, MIPS) are not equivalent.
Installation Types | Different | If a Product can be installed either on bare metal or onto an operating system and the vendor wants to claim that both installation types constitute a single Model, then see the guidance for "PP-Specified Functionality," below.
Software Platform | Different | Product Models that run on substantially different software environments, such as different host operating systems, are not equivalent. Models that install on different versions of the same software environment may be equivalent depending on the below factors.
PP-Specified Functionality | Same | If the differences between Models affect only non-PP-specified functionality, then the Models are equivalent.
PP-Specified Functionality | Different | If PP-specified security functionality is affected by the differences between Models, then the Models are not equivalent and must be tested separately. It is necessary to test only the functionality affected by the software differences. If only differences are tested, then the differences must be enumerated, and for each difference the Vendor must provide an explanation of why each difference does or does not affect PP-specified functionality. If the Product Models are fully tested separately, then there is no need to document the differences.
F.4 Specific Guidance for Determining Product Version Equivalence
In cases of version equivalence, differences are expressed in terms of changes implemented in revisions of an evaluated Product. In general, versions are equivalent if the changes have no effect on any security-relevant claims about the TOE or evaluation evidence. Non-security-relevant changes to TOE functionality or the addition of non-security-relevant functionality do not affect equivalence.
Table 11: Factors for Determining Product Version Equivalence
Factor | Same/Different | Guidance
Product Models | Different | Versions of different Product Models are not equivalent unless the Models are equivalent as defined in Section 3.
PP-Specified Functionality | Same | If the differences affect only non-PP-specified functionality, then the Versions are equivalent.
PP-Specified Functionality | Different | If PP-specified security functionality is affected by the differences, then the Versions are considered to be not equivalent and must be tested separately. It is necessary only to test the functionality affected by the changes. If only the differences are tested, then for each difference the Vendor must provide an explanation of why the difference does or does not affect PP-specified functionality. If the Product Versions are fully tested separately, then there is no need to document the differences.
F.5 Specific Guidance for Determining Platform Equivalence

Platform equivalence is used to determine the platforms that a product must be tested on. These guidelines are divided into sections for determining hardware equivalence and software (host OS/control domain) equivalence. If the Product is installed onto bare metal, then only hardware equivalence is relevant. If the Product is installed onto an OS, or is integrated into an OS, then both hardware and software equivalence are required. Likewise, if the Product can be installed either on bare metal or on an operating system, both hardware and software equivalence are relevant.

F.5.1 Hardware Platform Equivalence

If a Virtualization Solution runs directly on hardware without an operating system, then platform equivalence is based primarily on processor architecture and instruction sets.

Platforms with different processor architectures and instruction sets are not equivalent. This is probably not an issue because there is likely to be a different product model for different hardware environments.

Equivalency analysis becomes important when comparing platforms with the same processor architecture. Processors with the same architecture that have instruction sets that are subsets or supersets of each other are not disqualified from being equivalent for purposes of a VPP evaluation. If the VS takes the same code paths when executing PP-specified security functionality on different processors of the same family, then the processors can be considered equivalent with respect to that application.

For example, if a VS follows one code path on platforms that support the AES-NI instruction and another on platforms that do not, then those two platforms are not equivalent with respect to that VS functionality. But if the VS follows the same code path whether or not the platform supports AES-NI, then the platforms are equivalent with respect to that functionality.

The platforms are equivalent with respect to the VS if the platforms are equivalent with respect to all PP-specified security functionality.
Table 12: Factors for Determining Hardware Platform Equivalence

| Factor | Same/Different/None | Guidance |
|---|---|---|
| Platform Architectures | Different | Hardware platforms that implement different processor architectures and instruction sets are not equivalent. |
| PP-Specified Functionality | Same | For platforms with the same processor architecture, the platforms are equivalent with respect to the application if execution of all PP-specified security functionality follows the same code path on both platforms. |
F.5.2 Software Platform Equivalence

If the Product installs onto or integrates with an operating system that is not installed with the product (and thus is not part of the TOE), then the Product must be tested on all non-equivalent Software Platforms.

The guidance for Product Model (Section 3) specifies that Products intended for use on substantially different operating systems (e.g., Windows vs. Linux vs. SunOS) are different Models. Therefore, platforms running substantially different operating systems are not equivalent. Likewise, operating systems with different major version numbers are not equivalent for purposes of this PP.

As a result, Software Platform equivalence is largely concerned with revisions and variations of operating systems that are substantially the same (e.g., different versions and revision levels of Windows or Linux).
Table 13: Factors for Determining Software Platform Equivalence

| Factor | Same/Different/None | Guidance |
|---|---|---|
| Platform Type/Vendor | Different | Operating systems that are substantially different or come from different vendors are not equivalent. |
| Platform Versions | Different | Operating systems are not equivalent if they have different major version numbers. |
| PP-Specified Functionality | Same | If the differences between software platform models or versions affect only non-PP-specified functionality, then the software platforms are equivalent. |
| PP-Specified Functionality | Different | If PP-specified security functionality is affected by the differences between software platform versions or models, then the software platforms are not considered equivalent and must be tested separately. It is necessary only to test the functionality affected by the changes. If only the differences are tested, then for each difference the Vendor must provide an explanation of why the difference does or does not affect PP-specified functionality. If the Products are fully tested on each platform, then there is no need to document the differences. |
F.6 Level of Specificity for Tested and Claimed Equivalent Configurations

In order to make equivalency determinations, the vendor and evaluator must agree on the equivalency claims. They must then provide the scheme with sufficient information about the TOE instances and platforms that were evaluated, and the TOE instances and platforms that are claimed to be equivalent.

The ST must describe all configurations evaluated down to processor manufacturer, model number, and microarchitecture version.

The information regarding claimed equivalent configurations depends on the platform that the VS was developed for and runs on.

Bare-Metal VS

For VSes that run without an operating system on bare-metal or virtual bare-metal, the claimed configuration must describe the platform down to the specific processor manufacturer, model number, and microarchitecture version. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE operates differently to leverage platform differences (e.g., instruction set extensions) in the tested configuration versus the claimed equivalent configuration.

VS with OS Support

For VSes that run on an OS host or with the assistance of an OS, the claimed configuration must describe the OS down to its specific model and version number. The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage platform differences in the tested configuration versus the claimed equivalent configuration.
Appendix G - Validation Guidelines

This appendix contains "rules" specified by the PP Authors that indicate whether certain selections require the making of other selections in order for a Security Target to be valid. For example, selecting "HMAC-SHA-3-384" as a supported keyed-hash algorithm would require that "SHA-3-384" be selected as a hash algorithm. This appendix contains only such "rules" as have been defined by the PP Authors, and does not necessarily represent all such dependencies in the document.
Rule #1: If "HMAC-SHA-1" is selected in FCS_COP.1/KeyedHash then "SHA-1" must be selected in FCS_COP.1.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "HMAC-SHA-1"
THEN: From FCS_COP.1.1/Hash: select "SHA-1"

Rule #2: If "HMAC-SHA-256" is selected in FCS_COP.1/KeyedHash then "SHA-256" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "HMAC-SHA-256"
THEN: From FCS_COP.1.1/Hash: select "SHA-256"

Rule #3: If "HMAC-SHA-384" is selected in FCS_COP.1/KeyedHash then "SHA-384" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "HMAC-SHA-384"
THEN: From FCS_COP.1.1/Hash: select "SHA-384"

Rule #4: If "HMAC-SHA-512" is selected in FCS_COP.1/KeyedHash then "SHA-512" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "HMAC-SHA-512"
THEN: From FCS_COP.1.1/Hash: select "SHA-512"

Rule #5: If "SHA-3-224" is selected in FCS_COP.1/KeyedHash then "SHA-3-224" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "SHA-3-224"
THEN: From FCS_COP.1.1/Hash: select "SHA-3-224"

Rule #6: If "SHA-3-256" is selected in FCS_COP.1/KeyedHash then "SHA-3-256" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "SHA-3-256"
THEN: From FCS_COP.1.1/Hash: select "SHA-3-256"

Rule #7: If "SHA-3-384" is selected in FCS_COP.1/KeyedHash then "SHA-3-384" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "SHA-3-384"
THEN: From FCS_COP.1.1/Hash: select "SHA-3-384"

Rule #8: If "SHA-3-512" is selected in FCS_COP.1/KeyedHash then "SHA-3-512" must be selected in FCS_COP.1/Hash.
IF: From FCS_COP.1.1/KeyedHash: select "SHA-3-512"
THEN: From FCS_COP.1.1/Hash: select "SHA-3-512"

Rule #9: If the SSH Package is included in the ST then "AES-CTR (as defined in NIST SP 800-38A) mode," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
IF (OR):
  From FTP_ITC_EXT.1.1: select "SSH as conforming to the Functional Package for Secure Shell"
  From FIA_X509_EXT.2.1: select "SSH"
THEN: From FCS_COP.1.1/UDE: select "AES-CTR (as defined in NIST SP 800-38A) mode"; select "128-bit key sizes"; select "256-bit key sizes"

Rule #10: If the TOE implements IPsec then "AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode," "AES-GCM (as defined in NIST SP 800-38D)," "128-bit key sizes," and "256-bit key sizes" must be selected in FCS_COP.1/UDE.
IF: From FTP_ITC_EXT.1.1: select "IPsec as conforming to FCS_IPSEC_EXT.1"
THEN: From FCS_COP.1.1/UDE: select "AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode"; select "AES-GCM (as defined in NIST SP 800-38D)"; select "128-bit key sizes"; select "256-bit key sizes"

Rule #11: If "directory-based" is selected anywhere in FIA_UAU.5.1 then "Ability to configure name/address of directory server to bind with" must be selected in the Client or Server module management function table.
IF (OR):
  From FIA_UAU.5.1: select "[selection: local, directory-based] authentication based on X.509 certificates"; select "directory-based"
  From FIA_UAU.5.1: select "[selection: local, directory-based] authentication based on an SSH public key credential"; select "directory-based"
  From FIA_UAU.5.1: select "[selection: local, directory-based] authentication based on username and password"; select "directory-based"
THEN: From the PP-Module for Server Virtualization, FMT_MOF_EXT.1.2: select "Ability to configure name/address of directory server to bind with"

Rule #12: If "authentication based on username and password" is selected in FIA_UAU.5.1 then "Ability to configure Administrator password policy as defined in FIA_PMG_EXT.1" must be selected in the Client or Server module management function table.
IF: From FIA_UAU.5.1: select "[selection: local, directory-based] authentication based on username and password"
THEN (OR):
  From the PP-Module for Server Virtualization, FMT_MOF_EXT.1.2: select "Ability to configure Administrator password policy as defined in FIA_PMG_EXT.1"
  From the PP-Module for Client Virtualization, FMT_MOF_EXT.1.2: select "Ability to configure Administrator password policy as defined in FIA_PMG_EXT.1"

Rule #13: If "allow the administrator to choose whether to accept the certificate in these cases" is selected then "Ability to configure action taken if unable to determine the validity of a certificate" in the Client or Server module management function table must also be selected.
IF: From FIA_X509_EXT.2.2: select "allow the administrator to choose whether to accept the certificate in these cases"
THEN (OR):
  From the PP-Module for Client Virtualization, FMT_MOF_EXT.1.2: select "Ability to configure action taken if unable to determine the validity of a certificate"
  From the PP-Module for Server Virtualization, FMT_MOF_EXT.1.2: select "Ability to configure action taken if unable to determine the validity of a certificate"

Rule #14: If "digital signature mechanism using certificates" is selected in FPT_TUD_EXT.1.3 then "code signing for system software updates" must be selected in FIA_X509_EXT.2.1.
IF: From FPT_TUD_EXT.1.3: select "digital signature mechanism using certificates"
THEN: From FIA_X509_EXT.2.1: select "code signing for system software updates"

Rule #15: If "certificate-based authentication of the remote peer" and "TLS as conforming to the Functional Package for Transport Layer Security" are selected in FTP_ITC_EXT.1.1 then "TLS" must be selected in FIA_X509_EXT.2.1.
IF: From FTP_ITC_EXT.1.1: select "certificate-based authentication of the remote peer"; select "TLS as conforming to the Functional Package for Transport Layer Security"
THEN: From FIA_X509_EXT.2.1: select "TLS"

Rule #16: If "certificate-based authentication of the remote peer" and "TLS/HTTPS as conforming to FCS_HTTPS_EXT.1" are selected in FTP_ITC_EXT.1.1 then "HTTPS" must be selected in FIA_X509_EXT.2.1.
IF: From FTP_ITC_EXT.1.1: select "certificate-based authentication of the remote peer"; select "TLS/HTTPS as conforming to FCS_HTTPS_EXT.1"
THEN: From FIA_X509_EXT.2.1: select "HTTPS"

Rule #17: If "certificate-based authentication of the remote peer" and "IPsec as conforming to FCS_IPSEC_EXT.1" are selected in FTP_ITC_EXT.1.1 then "IPsec" must be selected in FIA_X509_EXT.2.1.
IF: From FTP_ITC_EXT.1.1: select "certificate-based authentication of the remote peer"; select "IPsec as conforming to FCS_IPSEC_EXT.1"
THEN: From FIA_X509_EXT.2.1: select "IPsec"

Rule #18: If "certificate-based authentication of the remote peer" and "SSH as conforming to the Functional Package for Secure Shell" are selected in FTP_ITC_EXT.1.1 then "SSH" must be selected in FIA_X509_EXT.2.1.
IF: From FTP_ITC_EXT.1.1: select "certificate-based authentication of the remote peer"; select "SSH as conforming to the Functional Package for Secure Shell"
THEN: From FIA_X509_EXT.2.1: select "SSH"
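The rules above are IF/THEN dependencies whose IF and THEN sides can each be an OR of alternatives, each alternative being a set of selections that must all be present. The following checker is an added example, not part of the Protection Profile or any NIAP tooling: it encodes Rules #1-#8, #9, #10, #12 and #15 as data and reports which rules an ST's selections violate. The selection labels (e.g. "AES-CTR", "128-bit", "password policy") are this example's shorthand for the full selection strings, and the sample ST is constructed.

```python
"""Selection-dependency checker for the Appendix G rules (added example, not PP text)."""
from typing import Dict, List, Set, Tuple

Selections = Dict[str, Set[str]]            # SFR element id -> selected labels
Conj = List[Tuple[str, str]]                # all (element, label) pairs must hold
Rule = Tuple[str, List[Conj], List[Conj]]   # (name, IF alternatives, THEN alternatives)

UDE, ITC, X509 = "FCS_COP.1.1/UDE", "FTP_ITC_EXT.1.1", "FIA_X509_EXT.2.1"

# Rules #1-#8: each selected keyed-hash algorithm requires its underlying hash.
HASH_PAIRS = [("HMAC-SHA-1", "SHA-1"), ("HMAC-SHA-256", "SHA-256"),
              ("HMAC-SHA-384", "SHA-384"), ("HMAC-SHA-512", "SHA-512"),
              ("SHA-3-224", "SHA-3-224"), ("SHA-3-256", "SHA-3-256"),
              ("SHA-3-384", "SHA-3-384"), ("SHA-3-512", "SHA-3-512")]
RULES: List[Rule] = [
    (f"Rule #{i}", [[("FCS_COP.1.1/KeyedHash", mac)]], [[("FCS_COP.1.1/Hash", h)]])
    for i, (mac, h) in enumerate(HASH_PAIRS, start=1)
]
RULES += [
    # Rule #9: SSH selected in either element needs AES-CTR with 128- and 256-bit keys.
    ("Rule #9", [[(ITC, "SSH")], [(X509, "SSH")]],
     [[(UDE, "AES-CTR"), (UDE, "128-bit"), (UDE, "256-bit")]]),
    # Rule #10: IPsec needs AES-CBC, AES-GCM and both key sizes.
    ("Rule #10", [[(ITC, "IPsec")]],
     [[(UDE, "AES-CBC"), (UDE, "AES-GCM"), (UDE, "128-bit"), (UDE, "256-bit")]]),
    # Rule #12: password authentication needs the password-policy management
    # function in either the Server or the Client PP-Module (shorthand labels).
    ("Rule #12", [[("FIA_UAU.5.1", "username and password")]],
     [[("Server FMT_MOF_EXT.1.2", "password policy")],
      [("Client FMT_MOF_EXT.1.2", "password policy")]]),
    # Rule #15: certificate-based peer authentication over TLS needs TLS in FIA_X509_EXT.2.1.
    ("Rule #15", [[(ITC, "certificate-based"), (ITC, "TLS")]], [[(X509, "TLS")]]),
]

def holds(conj: Conj, st: Selections) -> bool:
    """True when every (element, label) pair of the conjunction is selected in the ST."""
    return all(label in st.get(elem, set()) for elem, label in conj)

def check(st: Selections) -> List[str]:
    """Names of rules whose IF is satisfied but none of whose THEN alternatives is."""
    return [name for name, ifs, thens in RULES
            if any(holds(c, st) for c in ifs) and not any(holds(c, st) for c in thens)]

if __name__ == "__main__":
    # Constructed sample ST: SSH and IPsec trusted channels, HMAC-SHA-256 without
    # SHA-256, and no AES-CTR in FCS_COP.1/UDE, so Rules #2 and #9 are violated.
    sample = {"FCS_COP.1.1/KeyedHash": {"HMAC-SHA-256"}, "FCS_COP.1.1/Hash": {"SHA-1"},
              ITC: {"SSH", "IPsec"}, UDE: {"AES-CBC", "AES-GCM", "128-bit", "256-bit"}}
    print(check(sample))  # ['Rule #2', 'Rule #9']
```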
Appendix H - Acronyms

| Acronym | Meaning |
|---|---|
| AES | Advanced Encryption Standard |
| Base-PP | Base Protection Profile |
| CC | Common Criteria |
| CEM | Common Evaluation Methodology |
| CPU | Central Processing Unit |
| DEP | Data Execution Prevention |
| DKM | Derived Keying Material |
| DSS | Digital Signature Standard |
| ECC | Elliptic Curve Cryptography |
| FFC | Finite-Field Cryptography |
| FIPS | Federal Information Processing Standard |
| IEC | International Electrotechnical Commission |
| IP | Internet Protocol |
| ISO | International Organization for Standardization |
| IT | Information Technology |
| ITSEF | Information Technology Security Evaluation Facility |
| KDF | Key Derivation Function |
| MAC | Message Authentication Code |
| NIST | National Institute of Standards and Technology |
| NVLAP | National Voluntary Laboratory Accreditation Program |
| OE | Operational Environment |
| OS | Operating System |
| PKV | Public Key Verification |
| PP | Protection Profile |
| PP-Configuration | Protection Profile Configuration |
| PP-Module | Protection Profile Module |
| RSA | Rivest, Shamir, Adleman |
| SAR | Security Assurance Requirement |
| SFR | Security Functional Requirement |
| SP | Special Publication |
| SPD | Security Policy Database |
| SSP | System Security Policy |
| ST | Security Target |
| SWID | Software Identification |
| TOE | Target of Evaluation |
| TPM | Trusted Platform Module |
| TSF | TOE Security Functionality |
| TSFI | TSF Interface |
| TSS | TOE Summary Specification |
| VM | Virtual Machine |
| VMM | Virtual Machine Manager |
| VS | Virtualization System |