TD0483: NIT Technical Decision for Applicability of FPT_APW_EXT.1
Since the Security Administrator as defined in FMT_SMR.2 is the only authorized user covered by NDcPP, the protection of passwords formally also only applies to administrative passwords.
Therefore FPT_APW_EXT.1.1 and FPT_APW_EXT.1.2 shall be modified as follows:
FPT_APW_EXT.1.1 The TSF shall store administrative passwords in non-plaintext form. FPT_APW_EXT.1.2 The TSF shall prevent the reading of plaintext administrative passwords.
The Application Note for FPT_APW_EXT.1 shall be updated as follows:
The intent of the requirement is that raw password authentication data of Security Administrators is not stored in the clear, and that no user or Administrator is able to read the plaintext password of a Security Administrator through “normal” interfaces. An all-powerful Administrator could directly read memory to capture a password but is trusted not to do so. Passwords should be obscured during entry on the local console in accordance with FIA_UAU.7.
Although this is out-of-scope of this cPP, it is strongly advised to protect all authentication data of the device the same way and/or with similar strength as administrative passwords to reduce the risk of attacks like privilege escalation, etc.
The extended component definition for FPT_APW_EXT.1 shall be updated accordingly.
To further clarify the role of the Security Administrator the following paragraphs shall be added to the Application Note for FMT_SMR.2:
A single user associated with the Security Administrator role does not necessarily have to be able to perform all security management functions defined in FMT_SMF.1 and does not necessarily have to able to perform local and remote administration. All users associated with the Security Administrator role together need to be able to perform all security management functions defined in FMT_SMF.1 (mandatory and selected ones) and need to be able to perform local and remote administration.
This implies that a user that can perform only a single security management function defined in FMT_SMF.1 needs to be regarded as Security Administrator of the TOE.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI201914.pdf