TD0652: MACsec CAK Lifetime in FMT_SMF.1
Test 3 for FMT_SMF.1 incorrectly requires two configured CKNs with overlapping lifetimes that can both be used, and should not mandate how the key lifetimes need to be configured.
This TD supersedes TD0512.
FMT_SMF.1 in Extended Package for MACsec v1.2 is replaced as follows:
There are additional management functions that serve to extend the FMT_SMF.1 SFR found in the NDcPP. The following functions must be combined with those of the NDcPP in the context of a conforming Security Target:
Ability of a Security Administrator to:
· Generate a PSK-based CAK and install it in the device.
· Manage the Key Server to create, delete, and activate MKA participants [selection: as specified in 802.1X, sections 9.13 and 9.16 (cf. MIB object ieee8021XKayMkaParticipantEntry) and section 12.2 (cf. function createMKA()), [assignment: other management function]]
· Specify a lifetime of a CAK
· Enable, disable, or delete a PSK-based CAK using [selection: the MIB object ieee8021XKayMkaPartActivateControl, [assignment: other management function]]
· Configure the number of failed administrator authentication attempts that will cause an account to be locked out
· Cause Key Server to generate a new group CAK (i.e., rekey the CA) using [selection: MIB object ieee8021XKeyCreateNewGroup, [assignment: other management function]]
· Manually unlock a locked administrator account,
· Configure the time interval for administrator lockout due to excessive authentication failures,
· [assignment: any additional management functions],
· No other management functions]
Application Note: IEEE 802.1X specifies MIB objects for management functionality but configuration of management functions via other approved methods is acceptable. The ST author should select either the MIB object or provide the function used to achieve this management functionality.
If "a group CAK" is selected in FCS_MKA_EXT.1.6, then "Cause Key Server to generate a new group CAK..." must be selected.
The evaluator shall verify that the TSS describes the ability of the TOE to provide the management functions defined in this SFR in addition to the management functions required by the base NDcPP.
The evaluator shall examine the operational guidance to determine that it provides instructions on how to perform each of the management functions defined in this SFR in addition to those required by the base NDcPP.
The evaluator shall set up an environment where the TOE can connect to two other MACsec devices, identified as devices B and C, with the ability to distribute pre-shared keys among them. The evaluator shall configure the devices so that the TOE will be elected key server and principal actor, i.e., has the highest key server priority.
In addition to the tests specified in the NDcPP for this SFR, the evaluator shall follow the relevant operational guidance to perform the tests listed below. Note that if the TOE claims multiple management interfaces, the tests should be performed for each interface that supports the functions.
Test 1: The evaluator shall connect to the PAE of the TOE and install a PSK. The evaluator shall then specify a CKN and that the PSK is to be used as a CAK.
· Repeat this test for both 128-bit and 256-bit key sizes.
· Repeat this test for a CKN of valid length (1-32 octets), and observe success.
· Repeat this test again for CKN of invalid lengths zero and 33, and observe failure.
Test 2: The evaluator will test the ability of the TOE to enable and disable MKA participants using the management function specified in the ST. The evaluator shall install pre-shared keys in devices B and C, and take any necessary additional steps to create corresponding MKA participants. The evaluator shall disable the MKA participant on device C, then observe that the TOE can communicate with B but neither the TOE nor B can communicate with device C. The evaluator shall re-enable the MKA participant of device B and observe that the TOE is now able to communicate with devices B and C.
Test 3: For TOEs using only PSKs, the TOE should be the Key Server in both tests and only one peer (B) needs to be tested. The tests are:
Subtest a (Switch to unexpired CKN): TOE and Peer B have CKN1 (10 minutes) and CKN2. CKN2 can either be configured with a longer overlapping lifetime (20 minutes) or be configured with a lifetime starting period of more than 10 minutes after the CKN1 start. The TOE and Peer B start using CKN1 and after 10 minutes, verify that the TOE expires SAK1. This can be verified by either 1) seeing the TOE immediately distribute a new SAK to the peer if the lifetime of CKN2 overlaps CKN1, or 2) by terminating the connection with CKN1 and distributing a new SAK once the lifetime period of CKN2 begins.
Subtest b (reject CA with expired CKN): TOE has CKN1 (10 minutes). Peer B has CKN1 (20 minutes). TOE and Peer B start using CKN1 and after 10 minutes, verify that the TOE rejects (or ignores) peer’s request to use (or distribute a) SAK using CKN1.
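As an added illustration of the behaviour Tests 1 and 3 exercise (model code written for this page, not from the TD, the EP or IEEE 802.1X): a Key Server that checks CKN length and CAK size at install time and uses a CAK only within its configured lifetime, distributing a new SAK under an overlapping CKN, terminating the CA when no CKN is live, and rejecting a peer's SAK under a CKN that has expired on the TOE. The store, KeyServer class and event strings are assumptions of this model; times are in seconds.

```python
from dataclasses import dataclass

TEN_MIN, TWENTY_MIN = 600, 1200   # Test 3 lifetimes, in seconds

@dataclass
class Cak:
    ckn: bytes       # CAK name, 1..32 octets
    cak: bytes       # pre-shared CAK, 128 or 256 bits (constructed zero bytes below)
    start: int       # lifetime start, seconds
    lifetime: int    # lifetime length, seconds
    def active_at(self, t: int) -> bool:
        return self.start <= t < self.start + self.lifetime

def install_psk(store: list, ckn: bytes, cak: bytes, start: int, lifetime: int) -> bool:
    """Test 1: the install step must fail for CKN lengths 0 and 33 and non-128/256-bit CAKs."""
    if not 1 <= len(ckn) <= 32 or len(cak) * 8 not in (128, 256):
        return False
    store.append(Cak(ckn, cak, start, lifetime))
    return True

class KeyServer:
    """TOE as Key Server: a SAK stays valid only while the CAK it was distributed under is live."""
    def __init__(self, store: list):
        self.store, self.sak_ckn = store, None     # sak_ckn: CKN of the CAK behind the current SAK
    def tick(self, t: int) -> str:
        if self.sak_ckn and any(c.ckn == self.sak_ckn and c.active_at(t) for c in self.store):
            return "keep"
        live = next((c for c in self.store if c.active_at(t)), None)
        if live is None:                 # Subtest a, option 2: SAK expired, no live CAK: end the CA
            self.sak_ckn = None
            return "terminate"
        self.sak_ckn = live.ckn          # Subtest a, option 1: switch to the unexpired CKN
        return "distribute:" + live.ckn.decode()
    def accept_peer_sak(self, peer_ckn: bytes, t: int) -> bool:
        """Subtest b: reject a peer's SAK under a CKN whose lifetime has ended on the TOE."""
        return any(c.ckn == peer_ckn and c.active_at(t) for c in self.store)

def run_subtest_a(overlap: bool) -> list:
    """Key Server events at t = 0, 5, 10, 15 min; CKN2 overlaps CKN1 or starts at 15 min."""
    store: list = []
    install_psk(store, b"CKN1", bytes(16), 0, TEN_MIN)
    install_psk(store, b"CKN2", bytes(32), 0 if overlap else TEN_MIN + 300, TWENTY_MIN)
    ks = KeyServer(store)
    return [ks.tick(t) for t in (0, 300, TEN_MIN, TEN_MIN + 300)]

def run_subtest_b() -> bool:
    """TOE holds CKN1 for 10 min; peer B (20 min) still offers a SAK under CKN1 at 11 min."""
    store: list = []
    install_psk(store, b"CKN1", bytes(16), 0, TEN_MIN)
    return KeyServer(store).accept_peer_sak(b"CKN1", TEN_MIN + 60)
```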
Test 4: If “Cause Key Server to generate a new group CAK...” is selected, the evaluator shall connect to the PAE of the TOE, set the management function specified in the ST (e.g., set ieee8021XKeyCreateNewGroup to true), and observe that the TOE distributes a new group CAK.
See issue description.