TD0444: IPsec selections
App PP v1.3 did not include IPsec as a selection in FTP_DIT_EXT.1 or FIA_X509_EXT.2; it is added here to accommodate the VPN Client PP-Module.
FTP_DIT_EXT.1.1 is replaced as follows:
FTP_DIT_EXT.1.1 The application shall [selection:
· not transmit any [selection: data, sensitive data],
· encrypt all transmitted [selection: sensitive data, data] with [selection: HTTPS in accordance with FCS_HTTPS_EXT.1, TLS as defined in the TLS Package, DTLS as defined in the TLS Package, SSH as conforming to the Extended Package for Secure Shell, IPsec as defined in the PP-Module for VPN Client],
· invoke platform-provided functionality to encrypt all transmitted sensitive data with [selection: HTTPS, TLS, DTLS, SSH],
· invoke platform-provided functionality to encrypt all transmitted data with [selection: HTTPS, TLS, DTLS, SSH]
] between itself and another trusted IT product.
Application Note: Encryption is not required for applications transmitting data that is not sensitive.
If "encrypt all transmitted" is selected and "TLS" is selected, then evaluation of elements from either FCS_TLSC_EXT.1 or FCS_TLSS_EXT.1 is required.
If "encrypt all transmitted" is selected and "HTTPS" is selected, FCS_HTTPS_EXT.1 is required.
If "encrypt all transmitted" is selected and "DTLS" is selected, FCS_DTLS_EXT.1 is required.
If "encrypt all transmitted" is selected and "SSH" is selected, the TSF shall be validated against the Extended Package for Secure Shell.
If "encrypt all transmitted" is selected and "IPsec" is selected, the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module.
If "encrypt all transmitted" is selected, the corresponding FCS_COP.1 requirements will be included.
For platform-provided functionality, the evaluator shall verify that the TSS identifies the platform calls the TOE uses to invoke the functionality.
The evaluator shall perform the following tests.
· Test 1: The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall verify from the packet capture that the traffic is encrypted with HTTPS, TLS, DTLS, SSH, or IPsec in accordance with the selection in the ST.
· Test 2: The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall review the packet capture and verify that no sensitive data is transmitted in the clear.
· Test 3: The evaluator shall inspect the TSS to determine if user credentials are transmitted. If credentials are transmitted the evaluator shall set the credential to a known value. The evaluator shall capture packets from the application while causing credentials to be transmitted as described in the TSS. The evaluator shall perform a string search of the captured network packets and verify that the plaintext credential previously set by the evaluator is not found.
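The string search that Test 3 calls for (and the known-value search of Test 2) can be scripted over the capture. The following is an added example, not part of the TD or the App PP: it builds a constructed classic-pcap blob standing in for a real tcpdump/tshark capture, walks its records, and reports every record in which the known credential appears. It goes beyond a literal grep by also searching for the URL-encoded and Base64 forms, because a form POST and an HTTP Basic Authorization header carry the credential in those encodings and a plain-text search would miss them. All names here (build_pcap, find_plaintext_credential, the sample records and credential) are this example's own.

```python
import base64
import struct
import urllib.parse

# Classic pcap constants (pcapng is not handled here).
PCAP_MAGIC_US = 0xa1b2c3d4   # microsecond timestamps
PCAP_MAGIC_NS = 0xa1b23c4d   # nanosecond timestamps
DLT_USER0 = 147


def build_pcap(records):
    """Constructed capture: wrap raw byte strings as pcap records so the scanner
    below runs offline. A real tcpdump/tshark capture is scanned the same way."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, DLT_USER0)
    for i, data in enumerate(records):
        blob += struct.pack("<IIII", 1700000000 + i, 0, len(data), len(data)) + data
    return blob


def iter_pcap_records(blob):
    """Yield the raw bytes of each record of a classic pcap file, either byte order."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xd4c3b2a1, 0x4d3cb2a1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(blob):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def base64_needles(data):
    """Base64 of `data` at each of the three 3-byte alignments, trimmed to the characters
    that depend only on `data`, so the needle matches inside a longer Base64 string such
    as the user:password blob of an HTTP Basic Authorization header."""
    needles = set()
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + data).rstrip(b"=")
        enc = enc[(0, 2, 3)[shift]:]          # drop chars that mix in the pad bytes
        if (shift + len(data)) % 3:
            enc = enc[:-1]                    # drop the char that mixes in whatever follows
        needles.add(enc)
    return needles


def credential_forms(credential):
    """Encodings in which a plaintext credential commonly appears on the wire."""
    raw = credential.encode()
    return {
        "raw": {raw},
        "urlencoded": {urllib.parse.quote(credential, safe="").encode()},
        "base64": base64_needles(raw),
    }


def find_plaintext_credential(pcap_blob, credential):
    """Return [(record_index, form), ...] for every record containing the credential
    in any form. An empty list is the pass condition for Test 3."""
    hits = []
    forms = credential_forms(credential)
    for idx, rec in enumerate(iter_pcap_records(pcap_blob)):
        for form, needles in forms.items():
            if any(n in rec for n in needles):
                hits.append((idx, form))
    return hits


# Constructed records standing in for captured packets (not real traffic).
CREDENTIAL = "p@ss w0rd!"
SAMPLE_CAPTURE = build_pcap([
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&pass="
    + urllib.parse.quote(CREDENTIAL, safe="").encode(),
    b"GET /api HTTP/1.1\r\nAuthorization: Basic "
    + base64.b64encode(b"alice:" + CREDENTIAL.encode()) + b"\r\n\r\n",
    b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32)),  # TLS-looking bytes, no credential
])

if __name__ == "__main__":
    for idx, form in find_plaintext_credential(SAMPLE_CAPTURE, CREDENTIAL):
        print(f"record {idx}: credential found ({form})")
```

Point the scanner at a real capture with `find_plaintext_credential(open("app.pcap", "rb").read(), credential)`; because it searches each record's raw bytes rather than parsing Ethernet/IP/TCP, it works for any link type, and a match in a record that should have been protected by TLS, DTLS, SSH or IPsec is a failure regardless of which protocol the ST selects.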
For Android: If "not transmit any data" is selected, the evaluator shall ensure that the application's AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag containing android:name="android.permission.INTERNET". In this case, it is not necessary to perform the above Tests 1, 2, or 3, as the platform will not allow the application to perform any network communication.
For iOS: If "encrypt all transmitted data" is selected, the evaluator shall ensure that the application's Info.plist file does not contain the NSAllowsArbitraryLoads or NSExceptionAllowsInsecureHTTPLoads keys (under the NSAppTransportSecurity dictionary, the latter within NSExceptionDomains entries), as these keys disable iOS's App Transport Security feature globally or for the listed domains.
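Both platform checks above are static inspections of a packaged artifact, so they can be scripted. The following is an added example, not part of the TD or the App PP: one function parses an AndroidManifest.xml and lists the uses-permission / uses-permission-sdk-23 elements that name android.permission.INTERNET, the other walks an Info.plist and lists every occurrence of the two ATS-weakening keys, wherever they are nested, together with the value set. The sample manifest and plist are constructed for the example; the function names and the package and domain names in them are this example's own.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INTERNET_PERMISSION = "android.permission.INTERNET"
ATS_WEAKENING_KEYS = ("NSAllowsArbitraryLoads", "NSExceptionAllowsInsecureHTTPLoads")


def android_internet_permission_tags(manifest_xml):
    """Return the tag name of every <uses-permission> / <uses-permission-sdk-23> element
    that requests android.permission.INTERNET. Empty list == permission not requested.
    Run this against the manifest of the final APK (decoded from binary XML with
    apktool or aapt2), not the source tree: library manifests are merged at build time."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            if el.get("{%s}name" % ANDROID_NS) == INTERNET_PERMISSION:
                hits.append(tag)
    return hits


def ios_ats_weakening_keys(info_plist):
    """Return [(key path, value), ...] for every NSAllowsArbitraryLoads or
    NSExceptionAllowsInsecureHTTPLoads key in the plist, at any depth. The TD requires
    the keys to be absent, so a key set to false is still reported (with its value).
    plistlib.loads accepts both XML and binary plists as found in a built .app bundle."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in ATS_WEAKENING_KEYS:
                    found.append(("/".join(path + [key]), value))
                walk(value, path + [key])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [str(i)])

    walk(plistlib.loads(info_plist), [])
    return found


# Constructed inputs for the example (not from any real application).
SAMPLE_MANIFEST_WITH_INTERNET = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <application android:label="Example"/>
</manifest>"""

SAMPLE_MANIFEST_OFFLINE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Example"/>
</manifest>"""

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

if __name__ == "__main__":
    print("Android INTERNET requested via:", android_internet_permission_tags(SAMPLE_MANIFEST_WITH_INTERNET))
    for path, value in ios_ats_weakening_keys(SAMPLE_INFO_PLIST):
        print("iOS ATS weakened:", path, "=", value)
```

An empty list from android_internet_permission_tags is the condition under which Tests 1 to 3 may be skipped on Android; any entry from ios_ats_weakening_keys is a finding against the "encrypt all transmitted data" selection on iOS.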
FIA_X509_EXT.2.1 is replaced as follows:
FIA_X509_EXT.2.1 The application shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection: HTTPS, TLS, DTLS, SSH, IPsec].
Application Note: The ST author's selection shall match the selection in FTP_DIT_EXT.1.1.
There is no change to the Evaluation Activity.
See issue description.