NIAP: View Technical Decision Details
Archived TD0085: FMT_SMF.1 Specification of Management Functions in MACsec EP

Publication Date
2016.03.08

Protection Profiles
PP_NDCPP_MACSEC_EP_V1.0

Other References
PP_NDCPP_MACSEC_EP_V1.0

Issue Description

The FMT_SMF.1 Specification of Management Functions requirement mandates the ability to manage the Key Server through specific implementation mechanisms, such as MIB objects.

The specific management functions and the testing activities reference the use of MIBs both to manage the TOE and to perform the tests. MIBs are directly associated with SNMPv3 (a selection-based requirement) for remote management of the TOE.

If SSH is selected in FTP_TRP.1, the CLI it carries does not provide MIB access or MIB capabilities. SSH does, however, offer equivalent commands for management of the MKA. The same issue arises if IPsec, TLS or HTTPS is selected in FTP_TRP.1 Trusted Path for remote administration of the TOE.

Resolution

The revised SFRs, Application Notes, and Assurance Activities for FMT_SMF.1 are noted below. These replace the text in the PPs, effective immediately.

FMT_SMF.1 Specification of Management Functions

Additional management functions extend the FMT_SMF.1 SFR found in the NDcPP. In a conforming Security Target, the following functions should be combined with those of the NDcPP:

Ability of a Security Administrator to:

  • Generate a PSK and install it in the CAK cache of a device
  • Manage the Key Server to create, delete, and activate MKA participants [selection: as specified in 802.1X, sections 9.13 and 9.16 (cf. MIB object ieee8021XKayMkaParticipantEntry) and section 12.2 (cf. function createMKA()), [assignment: other management function]]
  • Specify a lifetime of a CAK
  • Enable, disable, or delete a PSK in the CAK cache of a device using [selection: the MIB object ieee8021XKayMkaPartActivateControl, [assignment: other management function]]
  • Cause the Key Server to generate a new group CAK (i.e., rekey the CA) using [selection: MIB object ieee8021XKeyCreateNewGroup, [assignment: other management function]]
  • Configure the number of failed administrator authentication attempts that will cause an account to be locked out
  • [selection:
      • Manually unlock a locked administrator account,
      • Configure the time interval for administrator lockout due to excessive authentication failures,
      • [assignment: any additional management functions],
      • No other management functions]

Application Note: IEEE 802.1X specifies MIB objects for this management functionality, but configuring the management functions via other approved methods is acceptable. The ST author should either select the MIB object or specify the function used to achieve the management functionality.

Assurance Activity

TSS

The evaluator shall verify that the TSS describes the ability of the TOE to provide the management functions defined in this SFR in addition to the management functions required by the base NDcPP.

AGD

The evaluator shall examine the operational guidance to determine that it provides instructions on how to perform each of the management functions defined in this SFR in addition to those required by the base NDcPP.

Test

The evaluator shall set up an environment in which the TOE can connect to two other MACsec devices, identified as devices B and C, with the ability to distribute pre-shared keys among them. The evaluator shall configure the devices so that the TOE is elected key server and principal actor, i.e., it has the highest key server priority.

In addition to the tests specified in the NDcPP for this SFR, the evaluator shall follow the relevant operational guidance to perform the tests listed below. Note that if the TOE claims multiple management interfaces, the tests should be performed for each interface that supports the functions.

Test 1: The evaluator shall connect to the PAE of the TOE and install a PSK by initiating the LOGON process and invoking the cacheCAK(…) function (cf. 802.1X, Section 12.1) to place the PSK in the cache. The evaluator shall use the createMKA() function to specify the CKN and the PSK itself as the CAK.

  • Repeat this test for both 128-bit and 256-bit key sizes.
  • Repeat this test for a CKN of valid length (1-32 octets), and observe success.
  • Repeat this test again for CKN of invalid lengths zero and 33, and observe failure.

Test 2: The evaluator shall test the ability of the TOE to enable and disable MKA participants using the management function specified in the ST. The evaluator shall install pre-shared keys in devices B and C using the PAE management function cacheCAK(…), which also creates the corresponding MKA participants. The evaluator shall disable the MKA participant on device C, then observe that the TOE can communicate with B but that neither the TOE nor B can communicate with device C. The evaluator shall re-enable the MKA participant of device B and observe that the TOE is now able to communicate with devices B and C.

Test 3: The evaluator shall install a PSK on all three devices with a short lifetime. The evaluator shall disconnect device B from the test network, disable or deactivate the TOE’s listing for device B using the management function specified in the ST, wait for the CAK lifetime to expire, and observe that the TOE generates a new CAK for the TOE and device C. The evaluator shall then reconnect device B to the test network and show that the TOE does not allow device B to join the new CA even though it possesses the original PSK. The evaluator shall then reactivate the TOE’s original listing for device B and observe that the TOE rekeys and B is able to reconnect to the CA.

Test 4: The evaluator shall connect to the PAE of the TOE, invoke the management function specified in the ST (e.g., set ieee8021XKeyCreateNewGroup to true), and observe that the TOE distributes a new group CAK.
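
To make the behaviour that Tests 1 to 4 check concrete, the following is an added Python model (not part of this TD, the MACsec EP, or IEEE 802.1X) of the TOE acting as key server: PSK installation with the CKN length and CAK size checks Test 1 exercises, participant enable/disable, CAK lifetime expiry, and group rekey. The class and method names are hypothetical analogues of cacheCAK()/createMKA() and the MIB objects named above, the lifetime is counted in abstract ticks, and the random group CAK is a constructed stand-in for the real derivation.

```python
from __future__ import annotations
import os
from dataclasses import dataclass

CAK_SIZES = {16, 32}        # 128-bit and 256-bit CAKs, the two sizes Test 1 exercises
CKN_MIN, CKN_MAX = 1, 32    # valid CKN length in octets, per Test 1

@dataclass
class Participant:
    cak: bytes                     # the installed PSK, used as the CAK
    lifetime: int                  # remaining CAK lifetime in abstract ticks (Test 3)
    active: bool = True            # enabled/disabled state (Test 2)
    group_cak: bytes | None = None # group CAK this peer was last given

class KeyServerModel:
    """Hypothetical model of the TOE as key server; participants are keyed by CKN."""
    def __init__(self) -> None:
        self.peers: dict[bytes, Participant] = {}
        self.group_cak: bytes | None = None
    def cache_cak(self, ckn: bytes, cak: bytes, lifetime: int) -> bool:
        """Install a PSK and create its participant (cacheCAK/createMKA analogue).
        Returns False for the CKN lengths and CAK sizes Test 1 expects the TOE to reject."""
        if not (CKN_MIN <= len(ckn) <= CKN_MAX and len(cak) in CAK_SIZES):
            return False
        self.peers[ckn] = Participant(cak, lifetime)
        return True
    def set_active(self, ckn: bytes, active: bool) -> None:
        """Disable or re-enable a participant; re-enabling rekeys so it can rejoin (Test 3)."""
        self.peers[ckn].active = active
        if active:
            self.create_new_group()
    def create_new_group(self) -> bytes:
        """Rekey the CA (ieee8021XKeyCreateNewGroup analogue): only active peers get the new CAK."""
        self.group_cak = os.urandom(32)   # constructed stand-in for the real group CAK derivation
        for peer in self.peers.values():
            if peer.active:
                peer.group_cak = self.group_cak
        return self.group_cak
    def advance(self, ticks: int) -> bool:
        """Age the CAK lifetimes; an expired CAK forces a rekey (Test 3). True if one occurred."""
        for peer in self.peers.values():
            peer.lifetime -= ticks
        expired = any(p.lifetime <= 0 for p in self.peers.values())
        if expired:
            self.create_new_group()
        return expired
    def in_ca(self, ckn: bytes) -> bool:
        """A device is in the CA only while it is active and holds the current group CAK."""
        peer = self.peers.get(ckn)
        return bool(peer and peer.active and self.group_cak and peer.group_cak == self.group_cak)
```

The Test 3 sequence against this model is: deactivate B, let the lifetime expire so a rekey occurs, confirm B is excluded even though it still holds the original PSK, then reactivate B and confirm the rekey readmits it.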

Justification

The MACsec EP should define the requirement and how to test it based on the selections made within the SFR, not how the requirement is to be met.
