NIAP: View Technical Decision Details

NIAP

»»

Protection Profiles

»»

Technical Decisions

»»

View Details

Archived TD0706: FIA_UAU.6 Iterations

Publication Date

2022.12.28

Protection Profiles

PP_MDF_V3.2

Other References

FIA_UAU.6, Table 2, Table 8

Issue Description

MDF v3.2 incorrectly combines two FIA_UAU.6 iterations into one SFR with two elements.

Resolution

PP_MDF_V3.2 is modified as follows:

FIA_UAU.6 Re-authentication in Section 5.1.5 is removed and replaced with the following two SFRs:

FIA_UAU.6/CREDENTIAL Re-authenticating (Credential Change)

FIA_UAU.6.1/CREDENTIAL The TSF shall re-authenticate the user via the Password Authentication Factor under the conditions [attempted change to any supported authentication mechanisms].

Application Note: The password authentication factor must be entered before either the password or biometric authentication factor, if selected in FIA_UAU_5.1, can be changed.

TSS

There are no TSS evaluation activities for this element.

Guidance

There are no guidance evaluation activities for this element.

Tests

· Test 1: The evaluator shall configure the TSF to use the Password Authentication Factor according to the AGD guidance. The evaluator shall change Password Authentication Factor according to the AGD guidance and verify that the TSF requires the entry of the Password Authentication Factor before allowing the factor to be changed.

· Test 2: [conditional] For each BAF selected in FIA_UAU.5.1, the evaluator shall configure the TSF to use the BAF, which includes configurating the Password Authentication Factor, according to the AGD guidance. The evaluator shall change the BAF according to the AGD guidance and verify that the TSF requires the entry of the Password Authentication Factor before allowing the BAF to be changed.

· Test 3: [conditional] If “hybrid” is selected in FIA_UAU.5.1, the evaluator shall configure the TSF to use the BAF and PIN or password, which includes configuring the Password Authentication Factor, according to the AGD guidance. The evaluator shall change the BAF and PIN according to the AGD guidance and verify that the TSF requires the entry of the Password Authentication Factor before allowing the factor to be changed.

FIA_UAU.6/LOCKED Re-authenticating (TSF Lock)

FIA_UAU.6.1/LOCKED The TSF shall re-authenticate the user via the authentication factor defined in FIA_UAU.5.1 under the conditions TSF-initiated lock, user-initiated lock, [assignment: other conditions].

Application Note: Depending on the selections made in FIA_UAU.5.1, either the password (at a minimum), biometric authentication or hybrid authentication mechanisms can be used to unlock the device. TSF-initiated and user-initiated locking is described in FTA_SSL_EXT.1.

TSS

There are no TSS evaluation activities for this element.

Guidance

There are no guidance evaluation activities for this element.

Tests

· Test 1: The evaluator shall configure the TSF to transition to the locked state after a time of inactivity (FMT_SMF.1) according to the AGD guidance. The evaluator shall wait until the TSF locks and then verify that the TSF requires the entry of the Password Authentication Factor before transitioning to the unlocked state.

· Test 2: [conditional] For each BAF selected in FIA_UAU.5.1, the evaluator shall repeat Test 1 verifying that the TSF requires the entry of the BAF before transitioning to the unlocked state.

· Test 3: [conditional] If “hybrid” is selected in FIA_UAU.5.1, the evaluator shall repeat Test 1 verifying that the TSF requires the entry of the BAF and PIN/password before transitioning to the unlocked state.

· Test 4: The evaluator shall configure user-initiated locking according to the AGD guidance. The evaluator shall lock the TSF and then verify that the TSF requires the entry of the Password Authentication Factor before transitioning to the unlocked state.

· Test 5: [conditional] For each BAF selected in FIA_UAU.5.1, the evaluator shall repeat Test 4 verifying that the TSF requires the entry of the BAF before transitioning to the unlocked state.

· Test 6: [conditional] If “hybrid” is selected in FIA_UAU.5.1, the evaluator shall repeat Test 4 verifying that the TSF requires the entry of the BAF and PIN/password before transitioning to the unlocked state.

The FIA_UAU.6 entry in Table 3: Additional Auditable Events is modified as follows:

FIA_UAU.6/CREDENTIAL

User changes Password Authentication Factor.

No additional information.

The O.AUTH entry in Table 8: SFR Rationale is modified as follows:

O.AUTH

FDP_PBA_EXT.1 (Sel-Based),

FIA_AFL_EXT.1,

FIA_BLT_EXT.1 (Bluetooth Module),

FIA_BLT_EXT.2 (Bluetooth Module),

FIA_BMG_EXT.1 (Sel-Based),

FIA_BMG_EXT.2 (Objective),

FIA_BMG_EXT.3 (Objective),

FIA_BMG_EXT.4 (Objective),

FIA_BMG_EXT.5 (Objective),

FIA_BMG_EXT.6 (Objective),

FIA_PMG_EXT.1,

FIA_TRT_EXT.1,

FIA_UAU_EXT.1,

FIA_UAU_EXT.2,

FIA_UAU_EXT.4 (Optional),

FIA_UAU.5,

FIA_UAU.6/CREDENTIAL,

FIA_UAU.6/LOCKED,

FIA_UAU.7,

FIA_X509_EXT.2,

FTA_SSL_EXT.1

FDP_PBA_EXT.1 supports the objective by defining the mechanism that the TSF uses to protect stored biometric templates.

FIA_AFL_EXT.1 supports the objective by defining the authentication mechanisms that are subject to lockout behavior and how the TSF handles repeated failed authentication attempts.

FIA_BLT_EXT.1 supports the objective by requiring a user to authorize all Blueooth pairings.

FIA_BLT_EXT.2 supports the objective by requiring the TSF to enforce mutual authentication for Bluetooth.

FIA_BMG_EXT.1 supports the objective by defining the minimum accuracy of biometric authentication methods that the TSF must support.

FIA_BMG_EXT.2 supports the objective by requiring the TSF to enforce a minimum quality standard on the biometric data used for enrollment.

FIA_BMG_EXT.3 supports the objective by defining the quality metrics used by the TSF to enforce minimum quality for biometric data.

FIA_BMG_EXT.4 supports the objective by requiring the TSF to generate enrollment and authentication templates using data that exceeds a minimum quality threshold.

FIA_BMG_EXT.5 supports the objective by defining how the TSF handles biometric data that does not match expected parameters.

FIA_BMG_EXT.6 supports the objective by requiring the TSF to detect spoofed biometric data.

FIA_PMG_EXT.1 supports the objective by defining the minimum quality threshold for passwords that the TSF must enforce.

FIA_TRT_EXT.1 supports the objective by enforcing an authentication throttling mechanism that limits the rate at which authentication attempts can be made to the TOE.

FIA_UAU_EXT.1 supports the objective by requiring the TSF to be provided with a valid password before access to protected data is granted.

FIA_UAU_EXT.2 supports the objective by defining the TOE functions that can be accessed without authentication such that all other services require authentication.

FIA_UAU_EXT.4 supports the objective by defining a secondary authentication mechanism for Enterprise resources.

FIA_UAU.5 supports the objective by defining all authentication factors the TSF supports and rules for how these authentication factors are used to gain access to the TSF.

FIA_UAU.6/CREDENTIAL supports the objective by requiring the TSF to re-authenticate users with their password prior to allowing them to change any other authentication data.

FIA_UAU.6/LOCKED supports the objective by requiring the TSF to re-authenticate users with a valid credential prior to allowing a locked device to be unlocked.

FIA_UAU.7 supports the objective by ensuring that TSF does not disclose user authentication data as it is being input to the TOE.

FIA_X509_EXT.2 supports the objective by defining the functions for which the TSF uses X.509 certificates as an authentication mechanism.

FTA_SSL_EXT.1 supports the objective by requiring the TSF to ensure that an idle user session is terminated after a given period of time.

Justification

FIA_UAU.6 only has one element.

Site Map Contact Us Home