The evaluator shall set up an environment where the TOE can connect to two other MACsec devices, identified as devices B and C, with the ability of pre-shared keys to be distributed between them. The evaluator shall configure the devices so that the TOE will be elected key server and principal actor, i.e., has highest key server priority.
In addition to the tests specified in the NDcPP for this SFR, the evaluator shall follow the relevant operational guidance to perform the tests listed below. Note that if the TOE claims multiple management interfaces, the tests should be performed for each interface that supports the functions.
Test 1: The evaluator shall connect to the PAE of the TOE and install a PSK. The evaluator shall then specify a CKN and that the PSK is to be used as a CAK.
The evaluator shall connect to the PAE of the TOE and install a PSK, initiating the LOGON process, and invoking the cacheCAK(…) function (cf. 802.1X, Section 12.1) to place a PSK in the cache. The evaluator shall use the createMKA() function to specify CKN and the PSK itself as CAK.
· Repeat this test for both 128-bit and 256-bit key sizes.
· Repeat this test for a CKN of valid length (1-32 octets), and observe success.
· Repeat this test again for CKN of invalid lengths zero and 33, and observe failure.
Test 2: The evaluator will test the ability of the TOE to enable and disable MKA participants using the management function specified in the ST. The evaluator shall install pre-shared keys in devices B and C, and take any necessary additional steps to create corresponding MKA participants.
The evaluator shall install pre-shared keys in devices B and C, using the PAE management function cacheCAK(…), which also creates corresponding MKA participants. The evaluator shall disable the MKA participant on device C, then observe that the TOE can communicate with B but neither the TOE nor B can communicate with device C. The evaluator shall re-enable the MKA participant of device B and observe that the TOE is now able to communicate with devices B and C.
Test 3: For TOEs using only PSKs, the TOE should be the Key Server in both tests and only one peer (B) needs to be tested. The tests are:
Subtest a (Switch to unexpired CKN): TOE and Peer B have CKN1(10 minutes) and CKN2(20 minutes). The TOE and Peer B start using CKN1 and after 10 minutes, verify that the TOE distributes a new SAK to the peer using CKN2.
Subtest b (reject CA with expired CKN): TOE has CKN1(10 minutes) and CKN2(20 minutes). Peer B has CKN1(20 minutes). TOE and Peer B start using CKN1 and after 10 minutes, verify that the TOE rejects (or ignores) peer’s request to use (or distribute a) SAK using CKN1.
Test 4: The evaluator shall connect to the PAE of the TOE, set the management function specified in the ST (e.g., set ieee8021XKeyCreateNewGroup to true), and observe that the TOE distributes a new group CAK.