NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0339:  NIT Technical Decision for Making password-based authentication optional in FCS_SSHS_EXT.1.2

Publication Date
2018.08.02

Protection Profiles
CPP_FW_V2.0E, CPP_ND_V2.0E

Other References
ND SD V2.0, FCS_SSHS_EXT.1.2

Issue Description

The NIT has issued technical decision for making password-based authentication optional in FCS_SSHS_EXT.1.2/

Resolution

 

In NDcPP and FWcPP the following changes shall be applied

 

 

FCS_SSHS_EXT.1.2 shall be modified as follows:

 

 

"FCS_SSHS_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, [selection:

 

password-based, no other method]."

 

 

 

The following application note shall be added to FCS_SSHS_EXT.1.2:

 

 

"If the TOE supports password-based authentication, the option 'password-based' shall be selected. If the TOE supports only public key-based authentication, the option 'no other method' shall be chosen."

 

In ND SD the following changes to the evaluation activities for FCS_SSHS_EXT.1.2 shall be applied

 

 

 

The TSS section shall be replaced as follows:

 

 

"The evaluator shall check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication and that this list conforms to FCS_SSHS_EXT.1.5. and ensure that if password-based authentication methods have been selected in the ST then these are also described."

 

 

 

The Test section for FCS_SSHS_EXT.1.2 shall be replaced as follows:

 

"Test 1: If password-based authentication methods have been selected in the ST then using the guidance documentation, the evaluator shall configure the TOE to accept password-based authentication, and demonstrate that user authentication succeeds when the correct password is provided by the user.

 

 

Test 2: If password-based authentication methods have been selected in the ST then the evaluator shall use an SSH client, enter an incorrect password to attempt to authenticate to the TOE, and demonstrate that the authentication fails.

 

 

Note: Public key authentication is tested as part of testing for FCS_SSHS_EXT.1.5"

 

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201721.pdf

 

 

 

Justification

From a security perspective, a TOE does not necessarily need to support password-based authentication.

 
 
Site Map              Contact Us              Home