NIAP: View Technical Decision Details
Archived TD0272:  Update to FMT_SMF.1

Publication Date
2017.12.20

Protection Profiles
PP_NDCPP_MACSEC_EP_V1.2

Other References
FMT_SMF.1

Issue Description

Clarification is needed of the EP’s intent regarding the CAK cache related functionality.

Resolution

FMT_SMF.1 is revised as follows:

There are additional management functions that serve to extend the FMT_SMF.1 SFR found in the NDcPP. The following functions should be combined with those of the NDcPP in the context of a conforming Security Target:

Ability of a Security Administrator to:

  • Generate a PSK and install it in the CAK cache of a device (replaces the original text: "Generate a PSK-based CAK and install it in the device")

  • Manage the Key Server to create, delete, and activate MKA participants [selection: as specified in 802.1X, sections 9.13 and 9.16 (cf. MIB object ieee8021XKayMkaParticipantEntry) and section 12.2 (cf. function createMKA()), [assignment: other management function]]

  • Specify a lifetime of a CAK

  • Enable, disable, or delete a PSK in the CAK cache of a device using [selection: the MIB object ieee8021XKayMkaPartActivateControl, [assignment: other management function]] (replaces the original text: "Enable, disable, or delete a PSK-based CAK using [selection: the MIB object ieee8021XKayMkaPartActivateControl, [assignment: other management function]]")

  • Cause Key Server to generate a new group CAK (i.e., rekey the CA) using [selection: MIB object ieee8021XKeyCreateNewGroup, [assignment: other management function]]

  • Configure the number of failed administrator authentication attempts that will cause an account to be locked out

  • [selection:

      • Manually unlock a locked administrator account,

      • Configure the time interval for administrator lockout due to excessive authentication failures,

      • [assignment: any additional management functions],

      • No other management functions]

Assurance Activity

TSS

The evaluator shall verify that the TSS describes the ability of the TOE to provide the management functions defined in this SFR in addition to the management functions required by the base NDcPP.

AGD

The evaluator shall examine the operational guidance to determine that it provides instructions on how to perform each of the management functions defined in this SFR in addition to those required by the base NDcPP.

Test

The evaluator shall set up an environment where the TOE can connect to two other MACsec devices, identified as devices B and C, with the ability to distribute pre-shared keys between them. The evaluator shall configure the devices so that the TOE will be elected key server and principal actor, i.e., has the highest key server priority.

In addition to the tests specified in the NDcPP for this SFR, the evaluator shall follow the relevant operational guidance to perform the tests listed below. Note that if the TOE claims multiple management interfaces, the tests should be performed for each interface that supports the functions.

Test 1: The evaluator shall connect to the PAE of the TOE and install a PSK, initiating the LOGON process, and invoking the cacheCAK(…) function (cf. 802.1X, Section 12.1) to place a PSK in the cache. The evaluator shall use the createMKA() function to specify CKN and the PSK itself as CAK. (Replaces the original text: "The evaluator shall connect to the PAE of the TOE and install a PSK. The evaluator shall then specify a CKN and that the PSK is to be used as a CAK.")

  • Repeat this test for both 128-bit and 256-bit key sizes.

  • Repeat this test for a CKN of valid length (1-32 octets), and observe success.

  • Repeat this test again for CKN of invalid lengths zero and 33, and observe failure.

Test 2: The evaluator will test the ability of the TOE to enable and disable MKA participants using the management function specified in the ST. The evaluator shall install pre-shared keys in devices B and C, using the PAE management function cacheCAK(…), which also creates corresponding MKA participants. (Replaces the original text: "The evaluator shall install pre-shared keys in devices B and C, and take any necessary additional steps to create corresponding MKA participants.") The evaluator shall disable the MKA participant on device C, then observe that the TOE can communicate with B but neither the TOE nor B can communicate with device C. The evaluator shall re-enable the MKA participant of device B and observe that the TOE is now able to communicate with devices B and C.

Test 3: For TOEs using only PSKs, the TOE should be the Key Server in both tests and only one peer (B) needs to be tested. The tests are:

Subtest a (Switch to unexpired CKN): TOE and Peer B have CKN1(10 minutes) and CKN2(20 minutes). The TOE and Peer B start using CKN1 and after 10 minutes, verify that the TOE distributes a new SAK to the peer using CKN2.

Subtest b (reject CA with expired CKN): TOE has CKN1(10 minutes) and CKN2(20 minutes). Peer B has CKN1(20 minutes). TOE and Peer B start using CKN1 and after 10 minutes, verify that the TOE rejects (or ignores) peer’s request to use (or distribute a) SAK using CKN1.
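The CKN-length and CAK-size checks of Test 1, the enable/disable behaviour of Test 2, and the lifetime handling of Test 3 can be modelled in a few lines so that the expected outcomes are unambiguous before running them against a real TOE. The following Python is an added illustration and is not text from this TD, the MACsec EP, or IEEE 802.1X. The class and function names, the hand-advanced test clock, and the earliest-installed selection policy used for the key server are assumptions of this model; the 802.1X PAE functions cacheCAK(…) and createMKA() are represented only by the cache_cak() method here.

```python
"""Toy model of a PAE CAK cache as exercised by Tests 1 to 3 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CKN_MIN_OCTETS = 1            # 802.1X: a CKN is 1..32 octets long (Test 1)
CKN_MAX_OCTETS = 32
CAK_SIZES_BITS = {128, 256}   # key sizes exercised in Test 1
MINUTE = 60.0                 # seconds on the hand-advanced test clock


@dataclass
class CachedCAK:
    ckn: bytes
    cak: bytes
    installed_at: float          # seconds on the test clock
    lifetime_s: Optional[float]  # None means the CAK never expires
    enabled: bool = True

    def expired(self, now: float) -> bool:
        return self.lifetime_s is not None and now >= self.installed_at + self.lifetime_s

    def usable(self, now: float) -> bool:
        return self.enabled and not self.expired(now)


class CAKCache:
    """Assumed model of the CAK cache: install, enable/disable/delete, lifetimes."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, CachedCAK] = {}

    def cache_cak(self, ckn: bytes, cak: bytes, now: float,
                  lifetime_s: Optional[float] = None) -> None:
        # Test 1 expects CKNs of 0 and 33 octets to be refused and 1..32 to succeed.
        if not CKN_MIN_OCTETS <= len(ckn) <= CKN_MAX_OCTETS:
            raise ValueError(f"CKN must be {CKN_MIN_OCTETS}..{CKN_MAX_OCTETS} octets, got {len(ckn)}")
        if len(cak) * 8 not in CAK_SIZES_BITS:
            raise ValueError(f"CAK must be one of {sorted(CAK_SIZES_BITS)} bits, got {len(cak) * 8}")
        self._entries[ckn] = CachedCAK(ckn, cak, now, lifetime_s)

    def set_enabled(self, ckn: bytes, enabled: bool) -> None:
        self._entries[ckn].enabled = enabled

    def delete(self, ckn: bytes) -> None:
        del self._entries[ckn]

    def accepts(self, ckn: bytes, now: float) -> bool:
        """Would the TOE honour a peer's use of this CKN right now? (Test 3, subtest b)"""
        entry = self._entries.get(ckn)
        return entry is not None and entry.usable(now)

    def select_ckn(self, now: float) -> Optional[bytes]:
        """CKN the key server would use for the next SAK distribution.
        Model assumption: the earliest-installed usable entry wins."""
        for ckn, entry in self._entries.items():
            if entry.usable(now):
                return ckn
        return None


def install_check(ckn_len: int, cak_bits: int) -> bool:
    """Test 1 helper: True if a CKN of ckn_len octets with a cak_bits CAK installs."""
    try:
        CAKCache().cache_cak(b"k" * ckn_len, b"\x01" * (cak_bits // 8), now=0.0)
        return True
    except ValueError:
        return False


def disable_check() -> List[bool]:
    """Test 2 flavour: a disabled entry is not honoured until it is re-enabled."""
    cache = CAKCache()
    cache.cache_cak(b"C", b"\x33" * 32, now=0.0)          # constructed 256-bit CAK
    before = cache.accepts(b"C", 0.0)
    cache.set_enabled(b"C", False)
    during = cache.accepts(b"C", 0.0)
    cache.set_enabled(b"C", True)
    return [before, during, cache.accepts(b"C", 0.0)]


def subtest_a() -> list:
    """Switch to unexpired CKN: TOE holds CKN1 (10 min) and CKN2 (20 min)."""
    toe = CAKCache()
    toe.cache_cak(b"CKN1", b"\x11" * 16, now=0.0, lifetime_s=10 * MINUTE)
    toe.cache_cak(b"CKN2", b"\x22" * 16, now=0.0, lifetime_s=20 * MINUTE)
    # CKN at start, at the 10-minute mark (CKN1 expired), and at 20 minutes (all expired)
    return [toe.select_ckn(0.0), toe.select_ckn(10 * MINUTE), toe.select_ckn(20 * MINUTE)]


def subtest_b() -> list:
    """Reject CA with expired CKN: TOE has CKN1 (10 min); peer B believes CKN1 lives 20 min."""
    toe, peer_b = CAKCache(), CAKCache()
    toe.cache_cak(b"CKN1", b"\x11" * 16, now=0.0, lifetime_s=10 * MINUTE)
    toe.cache_cak(b"CKN2", b"\x22" * 16, now=0.0, lifetime_s=20 * MINUTE)
    peer_b.cache_cak(b"CKN1", b"\x11" * 16, now=0.0, lifetime_s=20 * MINUTE)
    t = 10 * MINUTE
    peer_request = peer_b.select_ckn(t)            # peer B still proposes CKN1
    return [peer_request, toe.accepts(peer_request, t)]


if __name__ == "__main__":
    print("Test 1 (CKN 0 octets installs?):", install_check(0, 128))
    print("Test 2:", disable_check())
    print("Test 3a:", subtest_a())
    print("Test 3b:", subtest_b())
```

The expiry comparison uses `now >= installed_at + lifetime`, so a CAK is unusable exactly at the end of its lifetime; that is the boundary the Test 3 wording ("after 10 minutes") leaves to the TOE, and an evaluator should note which convention the real implementation follows.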

Test 4: The evaluator shall connect to the PAE of the TOE, set the management function specified in the ST (e.g., set ieee8021XKeyCreateNewGroup to true), and observe that the TOE distributes a new group CAK.

Justification

See Issue Description.