I-0375: Elements Requiring Authentication Mechanism


TYPE:                 NIAP Interpretation
NUMBER:               I-0375
STATUS:               Approved by CCEVS Management and Mailed to Public Mailing
                      List

TITLE:                Elements Requiring Authentication Mechanism
APPROVAL POSTING:     [cc-in 00019]

EFFECTIVE:            2001-03-15

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause G.4 FIA_UAU
RELATED TO:           <None>
CCIMB ENTRY:          CCIMB-INTERP-0148

ISSUE:

PP/ST authors should be able to specify the authentication mechanisms that a TOE must supply. This is easily done by using FIA_UAU.5 when there are multiple authentication mechanisms. When there is only one authentication mechanism, however, the CC words do not make it clear how the PP/ST author is to specify the authentication mechanism.

STATEMENT

For interfaces that use a single authentication mechanism, the authentication mechanism is specified through refinement of FIA_UAU.1.2 or FIA_UAU.2.1.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following changes are made to CC v2.1 Part 2:

  • In Subclause G.4, FIA_UAU.1, "Operations", the following text is added:

    Refinement:

    FIA_UAU.1.2 should be refined to indicate any specific TSF mechanism that must be used for authentication. This levies a requirement on the TSF to provide the specified authentication mechanism.

    Iteration:

    The FIA_UAU.1 component can be iterated, with each iteration changing FIA_UAU.1.2 to provide distinct authentication mechanisms for distinct user interfaces, as long as all user interfaces to the TSF are addressed.

  • In Subclause G.4, FIA_UAU.2, an "Operations" section is added, consisting of the following paragraphs:

    Refinement:

    FIA_UAU.2.1 should be refined to indicate any specific TSF mechanism that must be used for authentication. This levies a requirement on the TSF to provide the specified authentication mechanism.

    Iteration:

    The FIA_UAU.2 component can be iterated, with each iteration changing FIA_UAU.2.1 to provide distinct authentication mechanisms for distinct user interfaces, as long as all user interfaces to the TSF are addressed.

SUPPORT:

This interpretation addresses the ISSUE by using the approach of refining FIA_UAU.1.2 or FIA_UAU.2.1 to indicate the method of authentication that must be used (e.g., "...to be successfully authenticated using a TSF-provided password mechanism..."). Such a refinement implies that the TSF must provide the indicated mechanism.

Additionally, the CC is unclear on how to handle differing authentication mechanisms for different interfaces (e.g., multiple-use passwords on internal network connections and single-use passwords for external accesses). This interpretation provides clarification that iteration to address individual interfaces is the appropriate manner of specification. For example, FIA_UAU.1 might be iterated to require passwords for external connections, but biometric authentication for local connections.