TD0512: Group CAKs for establishing multiple MKA connections is not mandated
In MACsec EP v1.2, the SFR FCS_MKA_EXT.1.6 allows the key server to distribute the SAK using one of two selectable methods: [selection: a group CAK, pairwise CAKs].
At the same time, the fifth bullet point of SFR FMT_SMF.1 is mandatory, which either assumes that “a group CAK” was selected in FCS_MKA_EXT.1.6 or implies that group CAK functionality is mandatory for a TOE supporting MACsec.
This TD supersedes TD0272.
FMT_SMF.1 is replaced as follows:
There are additional management functions that serve to extend the FMT_SMF.1 SFR found in the NDcPP. The following functions must be combined with those of the NDcPP in the context of a conforming Security Target:
Ability of a Security Administrator to:
· Generate a PSK-based CAK and install it in the device.
· Manage the Key Server to create, delete, and activate MKA participants [selection: as specified in 802.1X, sections 9.13 and 9.16 (cf. MIB object ieee8021XKayMkaParticipantEntry) and section 12.2 (cf. function createMKA()), [assignment: other management function]]
· Specify a lifetime of a CAK
· Enable, disable, or delete a PSK-based CAK using [selection: the MIB object ieee8021XKayMkaPartActivateControl, [assignment: other management function]]
· Configure the number of failed administrator authentication attempts that will cause an account to be locked out
· Cause Key Server to generate a new group CAK (i.e., rekey the CA) using [selection: MIB object ieee8021XKeyCreateNewGroup, [assignment: other management function]]
· [selection:
· Manually unlock a locked administrator account,
· Configure the time interval for administrator lockout due to excessive authentication failures,
· [assignment: any additional management functions],
· No other management functions]
Application Note: IEEE 802.1X specifies MIB objects for management functionality but configuration of management functions via other approved methods is acceptable. The ST author should select either the MIB object or provide the function used to achieve this management functionality.
If "a group CAK" is selected in FCS_MKA_EXT.1.6, then "Cause Key Server to generate a new group CAK..." must be selected.
The evaluator shall verify that the TSS describes the ability of the TOE to provide the management functions defined in this SFR in addition to the management functions required by the base NDcPP.
The evaluator shall examine the operational guidance to determine that it provides instructions on how to perform each of the management functions defined in this SFR in addition to those required by the base NDcPP.
The evaluator shall set up an environment where the TOE can connect to two other MACsec devices, identified as devices B and C, with the ability to distribute pre-shared keys between them. The evaluator shall configure the devices so that the TOE will be elected key server and principal actor, i.e., has the highest key server priority.
In addition to the tests specified in the NDcPP for this SFR, the evaluator shall follow the relevant operational guidance to perform the tests listed below. Note that if the TOE claims multiple management interfaces, the tests should be performed for each interface that supports the functions.
Test 1: The evaluator shall connect to the PAE of the TOE and install a PSK. The evaluator shall then specify a CKN and that the PSK is to be used as a CAK.
· Repeat this test for both 128-bit and 256-bit key sizes.
· Repeat this test for a CKN of valid length (1-32 octets), and observe success.
· Repeat this test again for CKN of invalid lengths zero and 33, and observe failure.
Test 2: The evaluator will test the ability of the TOE to enable and disable MKA participants using the management function specified in the ST. The evaluator shall install pre-shared keys in devices B and C, and take any necessary additional steps to create corresponding MKA participants. The evaluator shall disable the MKA participant on device C, then observe that the TOE can communicate with B but neither the TOE nor B can communicate with device C. The evaluator shall re-enable the MKA participant of device B and observe that the TOE is now able to communicate with devices B and C.
Test 3: For TOEs using only PSKs, the TOE should be the Key Server in both tests and only one peer (B) needs to be tested. The tests are:
Subtest a (Switch to unexpired CKN): TOE and Peer B have CKN1 (10 minutes) and CKN2 (20 minutes). The TOE and Peer B start using CKN1 and, after 10 minutes, verify that the TOE distributes a new SAK to the peer using CKN2.
Subtest b (Reject CA with expired CKN): TOE has CKN1 (10 minutes) and CKN2 (20 minutes). Peer B has CKN1 (20 minutes). TOE and Peer B start using CKN1 and, after 10 minutes, verify that the TOE rejects (or ignores) the peer’s request to use (or distribute a) SAK using CKN1.
Test 4: If “Cause Key Server to generate a new group CAK...” is selected, the evaluator shall connect to the PAE of the TOE, set the management function specified in the ST (e.g., set ieee8021XKeyCreateNewGroup to true), and observe that the TOE distributes a new group CAK.
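To make the expected outcomes of Test 1 (CKN length bounds, 128/256-bit CAKs) and Test 3 (switching to an unexpired CKN, ignoring a peer that still uses an expired one) concrete for an evaluator building a test harness, here is an added Python model of a key server's CAK table. It is illustrative code written for this note, not the TOE's or IEEE 802.1X's implementation; the class and function names, and the first-unexpired-entry selection rule, are assumptions.

```python
from dataclasses import dataclass

CKN_MIN_OCTETS, CKN_MAX_OCTETS = 1, 32      # valid CKN length per Test 1
CAK_SIZES_BITS = (128, 256)                  # key sizes Test 1 repeats over


def validate_psk_cak(cak: bytes, ckn: bytes) -> bool:
    """Return True only if a PSK-based CAK and its CKN are acceptable for installation."""
    if len(cak) * 8 not in CAK_SIZES_BITS:
        return False
    return CKN_MIN_OCTETS <= len(ckn) <= CKN_MAX_OCTETS


@dataclass
class CakEntry:
    ckn: bytes
    cak: bytes
    lifetime_s: int          # CAK lifetime specified by the Security Administrator
    installed_at_s: int

    def expired(self, now_s: int) -> bool:
        return now_s - self.installed_at_s >= self.lifetime_s


class KeyServer:
    """Assumed model: the first unexpired CAK in the table protects SAK distribution."""

    def __init__(self, entries):
        self.entries = list(entries)

    def active_ckn(self, now_s: int):
        for e in self.entries:
            if not e.expired(now_s):
                return e.ckn
        return None                           # no usable CAK: MKA cannot continue

    def accept_peer_ckn(self, peer_ckn: bytes, now_s: int) -> bool:
        """Subtest b: an MKPDU under a CKN that is expired locally is ignored."""
        return any(e.ckn == peer_ckn and not e.expired(now_s) for e in self.entries)


def build_test3_server(t0_s: int = 0) -> KeyServer:
    """Constructed fixture matching Test 3: CKN1 lives 10 minutes, CKN2 lives 20 minutes."""
    return KeyServer([
        CakEntry(b"CKN1", bytes(16), 10 * 60, t0_s),   # placeholder 128-bit CAK
        CakEntry(b"CKN2", bytes(32), 20 * 60, t0_s),   # placeholder 256-bit CAK
    ])
```

The `bytes(16)`/`bytes(32)` CAK values are constructed placeholders; a real harness would use the PSKs installed on the TOE and peer B.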
FMT_SMF.1 should be changed to be consistent with FCS_MKA_EXT.1.6.