NIAP: View Technical Decision Details
Archived TD0541:  Update to cryptographic protocol SFRs in ESM PPs

Publication Date
2020.09.04

Protection Profiles
PP_ESM_AC_V2.1, PP_ESM_ICM_V2.1, PP_ESM_PM_V2.1

Other References
FTP_ITC, FTP_TRP, FCS_SSH, FCS_TLS, FCS_HTTPS

Issue Description

The SFRs for SSH and TLS in NIAP ESM PPs are outdated and do not describe current expectations with respect to these protocols.

Resolution

This TD supersedes TD245 and TD320.

FTP_ITC.1 is replaced in ESM ICM, PM, and AC PPs as follows.

FTP_ITC.1.1 Refinement: The TSF shall use [selection: IPsec, SSH conforming to the Extended Package for Secure Shell, TLS as defined in the TLS Functional Package, HTTPS in accordance with FCS_HTTPS_EXT.1] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: [selection: audit server, authentication server, [assignment: other capabilities]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification and disclosure.

FTP_ITC.1.2 The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel.

FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for transfer of policy data, [selection: [assignment: other services or functions for which the TSF is able to initiate communications], no other functions].

Application Note: The intent of the above requirement is to provide a means by which a cryptographic protocol is used to protect external communications with authorized IT entities that the TOE interacts with to perform its functions. For all protocols listed by the ST author that are selected as being implemented by the TSF, the ST author includes the appropriate protocol requirement(s) to reflect the implemented protocols. If the TOE implements its own cryptographic primitives (e.g., encryption/decryption, hashing), the ST author also includes the appropriate FCS requirements from Appendix C in the ST. 

If the TOE communicates with an authentication server (e.g., RADIUS), then the ST author should choose "authentication server" in FTP_ITC.1.1 and this connection must be capable of being protected by one of the listed protocols. If other authorized IT entities are protected, the ST author makes the appropriate assignments (for those entities) and selections (for the protocols that are used to protect those connections).

While there are no requirements on the party initiating the communication, the ST author must fill out the assignment in FTP_ITC.1.3 with all services and/or functions for which the TOE can initiate the communication with the authorized IT entity.

The requirement implies that not only are communications protected when they are initially established, but also on resumption after an outage. It may be the case that some part of the TOE setup involves manually setting up tunnels to protect other communication, and if after an outage the TOE attempts to re-establish the communication automatically with (the necessary) manual intervention, there may be a window created where an attacker might be able to gain critical information or compromise a connection.

Assurance Activity

The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity and the method of assured identification of the non-TSF endpoint. The evaluator shall also confirm that all protocols listed in the TSS are specified and included in the requirements in the ST.

The evaluator shall confirm that the guidance documentation contains instructions for establishing the allowed protocols with each authorized IT entity, and that it contains recovery instructions should a connection be unintentionally broken.

The evaluator shall also perform the following tests:

Test 1: The evaluators shall ensure that communications using each protocol with each authorized IT entity are tested during the course of the evaluation, setting up the connections as described in the operational guidance and ensuring that communication is successful.

Test 2: For each protocol, the evaluator shall follow the guidance documentation to ensure that in fact the communication channel can be initiated from the TOE or the authorized IT entities.

Test 3: The evaluator shall ensure, for each communication channel with an authorized IT entity, the channel data is not sent in plaintext.

Test 4: The evaluator shall ensure that, for each protocol associated with each authorized IT entity tested during Test 1, the connection is physically interrupted. The evaluator shall then ensure that when physical connectivity is restored, communications are appropriately protected. 

Further assurance activities are associated with the specific protocols.

For distributed TOEs, the evaluators shall perform tests on all TOE components according to the mapping of external secure channels to TOE components in the ST.


FTP_TRP.1 is replaced in ESM ICM and ESM PM PPs as follows.

FTP_TRP.1.1 Refinement: The TSF shall use [selection: IPsec, SSH conforming to the Extended Package for Secure Shell, TLS as defined in the TLS Functional Package, HTTPS in accordance with FCS_HTTPS_EXT.1] to provide a trusted communication path between itself and [remote] users that is logically distinct from other communication channels and provides assured identification of its end points and protection of the communicated data from modification, disclosure, and [selection: [assignment: other types of integrity or confidentiality violation], no other types of integrity or confidentiality violations]. 

FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path.

FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial user authentication and execution of management functions.

Application Note: The intent of the above requirement is to provide a means by which a cryptographic protocol is used to protect external communications with authorized remote users that the TOE interacts with to perform its functions. For all protocols listed by the ST author that are selected as being implemented by the TSF, the ST author includes the appropriate protocol requirements to reflect the implemented protocols. If the TOE also implements its own cryptographic primitives, the ST author includes the appropriate FCS requirements from Appendix C in the ST.

Assurance Activity

The evaluator shall check the TSS to ensure that it identifies the protocol(s) used to establish the trusted path and ensure they are consistent with those declared in the ST. In addition, the evaluator shall ensure that the TSS adequately describes the way the trusted communication path is protected.

The evaluator shall also check the TSS to ensure that the ST author specifies whether remote administration is applicable to the TOE and, if applicable, specifies all the methods of remote administration, along with how those communications are protected.  

The evaluator shall confirm the guidance documentation contains instructions for how users will interact with the TOE. The evaluator shall also ensure that the guidance documentation discusses the mechanism by which a trusted path to the TOE is established to include any environmental components the TSF relies on to assist in this establishment.

If remote administration is applicable to the TOE per the TSS, the evaluator shall confirm that the guidance documentation contains instructions for establishing the remote administrative sessions for each supported method.

The evaluator shall perform the following set of tests for each remote administration method:

Test 1: The evaluator shall ensure that communications using each protocol with each authorized IT entity, including each remote administration method, are tested during the course of the evaluation, setting up the connections as described in the guidance documentation and ensuring that communication is successful.

Test 2: For communications using each protocol with each authorized IT entity and method of remote administration supported, the evaluator shall follow the guidance documentation to ensure that there is no available interface that can be used by a remote user to establish a remote administrative session without invoking the trusted path.

Test 3: The evaluator shall ensure that for communications of each protocol with each authorized IT entity, and for each method of remote administration, the channel data is not sent in plaintext.

Test 4: The evaluators shall ensure that, for each protocol and remote administration method combination tested during Test 1, the connection is physically interrupted. The evaluator shall then ensure that when physical connectivity is restored, communications are appropriately protected.

For distributed TOEs, regardless of the tests performed, the evaluator shall perform tests on all TOE components according to the mapping of trusted paths to TOE components in the ST.


FCS_SSH_EXT.1 and FCS_TLS_EXT.1 are removed from Section C.8 of the ESM ICM and PM PPs and from Section C.5 of the ESM AC PP.  FCS_HTTPS_EXT.1 is replaced as follows.

FCS_HTTPS_EXT.1.1  The TSF shall implement the HTTPS protocol in compliance with RFC 2818.

FCS_HTTPS_EXT.1.2  The TSF shall implement HTTPS using TLS as defined in the TLS Functional Package.

Application Note: The ST author must provide enough detail to determine how the implementation is complying with the standards identified.

Assurance Activity

The evaluator shall check the TSS to verify that it describes how the cryptographic functions in the FCS requirements associated with this protocol are being used. For the cryptographic functions that are provided by the Operational Environment, the evaluator shall check the TSS to ensure it describes, for each platform identified in the ST, the interface(s) used by the TOE to invoke this functionality.

The evaluator shall attempt to establish an HTTPS connection, observe the traffic with a packet analyzer, and verify the connection succeeds and the traffic is identified as TLS or HTTPS. 

Other tests are performed in conjunction with the TLS package.
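The plaintext checks in Test 3 of FTP_ITC.1 and FTP_TRP.1, the "traffic is identified as TLS or HTTPS" step of the HTTPS activity above, and the after-interruption check in Test 4 are normally done by inspecting a capture in a packet analyzer. The following Python script is an added example, not part of this TD or of any NIAP PP or package: it classifies captured TCP payload bytes (for instance a stream exported from a packet analyzer) by whether they parse as an unbroken sequence of TLS records, and extends that to Test 4 by requiring every capture taken before and after an interruption to be TLS. The record-header rules are those of RFC 5246 and RFC 8446; the sample captures, the helper names and the "tls"/"plaintext_http"/"unknown" labels are constructed for this example.

```python
"""Added example (not NIAP or PP material): classify captured payload bytes
as TLS records, plaintext HTTP, or unknown, to support the "not sent in
plaintext" and "identified as TLS" evaluation activities."""
import struct
from typing import List, Tuple

# TLS record content types (RFC 5246 section 6.2.1, retained by RFC 8446)
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
# Record-layer version fields seen on the wire (TLS 1.3 keeps 0x0303 as
# legacy_record_version; 0x0301 appears in some initial ClientHellos)
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}
# 2^14 plaintext limit plus the 2048-byte ciphertext expansion allowed by RFC 5246
MAX_RECORD_LEN = 2 ** 14 + 2048
# Request-line prefixes that mark an unprotected HTTP stream
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                 b"OPTIONS ", b"PATCH ", b"HTTP/1.")


def parse_tls_records(payload: bytes) -> List[Tuple[str, int]]:
    """Walk a byte stream and return (content_type, length) for each TLS record.

    Raises ValueError at the first position that is not a valid record header,
    so a stream is accepted only if it parses cleanly end to end."""
    records: List[Tuple[str, int]] = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, version, length = struct.unpack("!BHH", payload[offset:offset + 5])
        if ctype not in TLS_CONTENT_TYPES or version not in TLS_RECORD_VERSIONS:
            raise ValueError(f"not a TLS record header at offset {offset}")
        if length == 0 or length > MAX_RECORD_LEN:
            raise ValueError(f"implausible record length {length} at offset {offset}")
        if offset + 5 + length > len(payload):
            raise ValueError(f"record at offset {offset} runs past end of capture")
        records.append((TLS_CONTENT_TYPES[ctype], length))
        offset += 5 + length
    return records


def classify_payload(payload: bytes) -> str:
    """Classify one captured stream as 'tls', 'plaintext_http' or 'unknown'.

    'unknown' is deliberately not treated as protected: an evaluator would
    have to explain what the bytes are before passing Test 3."""
    if payload.startswith(HTTP_PREFIXES):
        return "plaintext_http"
    try:
        records = parse_tls_records(payload)
    except ValueError:
        return "unknown"
    return "tls" if records else "unknown"


def channel_protected_across_interruption(captures: List[bytes]) -> bool:
    """Test 4 style check: every capture, taken before and after a physical
    interruption of the link, must consist solely of TLS records."""
    return all(classify_payload(c) == "tls" for c in captures)


def _record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record with the given content type and body (test helper)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample captures (not real traffic). The handshake body is a
# 4-byte placeholder; only the record layer is inspected here.
SAMPLE_TLS = _record(22, b"\x01\x00\x00\x00") + _record(23, b"\xde\xad\xbe\xef" * 8)
SAMPLE_PLAINTEXT = b"GET /admin/login HTTP/1.1\r\nHost: toe.example\r\n\r\n"
# Looks like a TLS header but declares an impossible record length
SAMPLE_GARBAGE = b"\x16\x03\x03\xff\xff" + b"\x00" * 10

if __name__ == "__main__":
    for name, cap in (("tls", SAMPLE_TLS), ("plaintext", SAMPLE_PLAINTEXT),
                      ("garbage", SAMPLE_GARBAGE)):
        print(f"{name}: {classify_payload(cap)}")
    print("before/after interruption protected:",
          channel_protected_across_interruption([SAMPLE_TLS, SAMPLE_TLS]))
```

To use this against a real evaluation capture, export the reassembled TCP payload of each direction of the channel from the packet analyzer as a raw byte file and pass its contents to classify_payload; for Test 4, pass the payload captured before the interruption and the payload captured after reconnection as the two elements of the list. The classifier only confirms that the record layer is TLS; whether the negotiated version and cipher suites meet the TLS Functional Package is checked by that package's own activities.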

Justification

Updating these SFRs brings them in line with current standards and adds stronger, more commonly used algorithms.
