NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0622:  VPNC MOD FTP_DIT_EXT.1 corrections

Publication Date
2022.02.07

Protection Profiles
MOD_VPNC_V2.2, MOD_VPNC_V2.3

Other References
FTP_DIT_EXT.1

Issue Description

TD0587 (App PP), and TD0601 which replaced it, add “encrypt all transmitted [data, sensitive data] with [IPsec as defined in the PP-Module for VPN Client] to FTP_DIT_EXT.1.1.

The App Note includes: 

- If encrypt all transmitted is selected and IPsec is selected, the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module.

- If encrypt all transmitted is selected the corresponding FCS_COP.1 requirements will be included.

In addition to the above, FIA_X509_EXT.1 and FIA_X509_EXT.2 are required when the following is true:

- encrypt all transmitted is selected and the TOE implements a protocol that requires certificates

However, when applying the VPNC MOD 2.2, FTP_DIT_EXT.1.1 is modified to say:

- The application shall [not encrypt any [sensitive data]] between itself and another trusted IT product.

Therefore, STs implementing the VPNC MOD 2.2 will not include the selections from the App PP which necessitate the selection of FCS_COP.1 or FIA_X509 requirements and the VPNC MOD 2.2 does not include the SFRs which are needed for IPSec.  As such, the traceability is lost.

VPNC MOD 2.3 has the same wording.

Resolution

Under App PP Security Functional Requirements Direction in the VPNC MOD v2.2  and VPNC MOD v.2.3,  FTP_DIT_EXT.1.1 is replaced with the following:

FTP_DIT_EXT.1.1   The application shall encrypt all transmitted [sensitive data] with IPsec and [selection:  HTTPS as a client in accordance with FCS_HTTPS_EXT.1/Client, HTTPS as a server in accordance with FCS_HTTPS_EXT.1/Server, HTTPS as a server with mutual authentication in accordance with FCS_HTTPS_EXT.2, TLS as defined in the TLS Package, DTLS as defined in the TLS Package, SSH as conforming to the Extended Package for Secure Shell, no other protocols] between itself and another trusted IT product.

Application Note: This SFR is identical to what is defined in the App PP except that mandatory support for IPsec is added and the ST author is forced to select the ‘encrypt all transmitted sensitive data’ option. However, since it is possible that a conformant TOE may not use any encryption protocols other than IPsec, “no other protocols” is provided as a selectable option in the list of supported protocols.

Under App PP Assurance/Evaluation Activities in the VPNC MOD v2.2 SD and VPNC MOD v.2.3 SD, the EA for FTP_DIT_EXT.1.1 is replaced with the following:

For IPsec, refer to the Evaluation Activity for FCS_IPSEC_EXT.1 in Section 2.5.1.2. If other protocols are selected for FTP_DIT_EXT.1, refer to the Evaluation Activity for FTP_DIT_EXT.1 in the App PP.

Justification

See issue description

 
 
Site Map              Contact Us              Home