NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0389:  Handling of SSH EP claim for platform

Publication Date
2019.02.01

Protection Profiles
PP_APP_v1.2

Other References
FTP_DIT_EXT.1

Issue Description

Currently, FTP_DIT_EXT.1 in the App PP says that if SSH is selected as a trusted protocol, the SSH EP is also claimed. The SSH EP says that all FCS_SSH* requirements are implemented by "the SSH client". It does not discuss whether this client is TOE-provided or part of the underlying OS platform (unlike the TLS requirements in the App PP which allow the ST author to select between "platform-provided TLS" and "TSF-provided TLS").

Resolution

This TD supersedes TD0177.

FTP_DIT_EXT.1.1 is modified as follows (changes underlined):


FTP_DIT_EXT.1 The application shall [selection:

not transmit any [selection: data, sensitive data],
encrypt all transmitted sensitive data with [selection: HTTPS, TLS, DTLS, SSH as conforming to the Extended Package for Secure Shell],
encrypt all transmitted data with [selection: HTTPS, TLS, DTLS, SSH as conforming to the Extended Package for Secure Shell],
invoke platform-provided functionality to encrypt all transmitted sensitive data with [selection: HTTPS, TLS, DTLS, SSH],
invoke platform-provided functionality to encrypt all transmitted data with [selection: HTTPS, TLS, DTLS, SSH],

] between itself and another trusted IT product.

Application Note: Extended packages may override this requirement to provide for other protocols. Encryption is not required for applications transmitting data that is not sensitive.

If "encrypt all transmitted" is selected and TLS is selected, then evaluation of elements from either FCS_TLSC_EXT.1 or FCS_TLSS_EXT.1 is required.
If "encrypt all transmitted" is selected and HTTPS is selected, then evaluation of elements from FCS_HTTPS_EXT.1 is required.
If "encrypt all transmitted" is selected and DTLS is selected, then evaluation of elements from FCS_DTLS_EXT.1 is required.
If "encrypt all transmitted" is selected and SSH is selected, the TSF shall be validated against the Extended Package for Secure Shell.

Assurance Activity

For platform-provided functionality, the evaluator shall verify that the TSS contains the calls to the platform that the TOE is leveraging to invoke the functionality.

The evaluator shall perform the following tests.

  • Test 1: The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall verify from the packet capture that the traffic is encrypted with HTTPS, TLS or DTLS in accordance with the selection in the ST.
  • Test 2: The evaluator shall exercise the application (attempting to transmit data; for example by connecting to remote systems or websites) while capturing packets from the application. The evaluator shall review the packet capture and verify that no sensitive data is transmitted in the clear.
  • Test 3: The evaluator shall inspect the TSS to determine if user credentials are transmitted. If credentials are transmitted the evaluator shall set the credential to a known value. The evaluator shall capture packets from the application while causing credentials to be transmitted as described in the TSS. The evaluator shall perform a string search of the captured network packets and verify that the plaintext credential previously set by the evaluator is not found.

For Android: If "not transmit any data" is selected, the evaluator shall ensure that the application's AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag containing android:name="android.permission.INTERNET". In this case, it is not necessary to perform the above Tests 1, 2, or 3, as the platform will not allow the application to perform any network communication.

For iOS: If "encrypt all transmitted data" is selected, the evaluator shall ensure that the application's Info.plist file does not contain the NSAllowsArbitraryLoads or NSExceptionAllowsInsecureHTTPLoads keys, as these keys disable iOS's Application Transport Security feature.
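
The Android and iOS file checks above can be scripted. The following is an added example, not part of this Technical Decision or of any NIAP material; it assumes the AndroidManifest.xml has already been decoded from the APK's binary form to text XML, and the function names and sample inputs are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")
ATS_KEYS = ("NSAllowsArbitraryLoads", "NSExceptionAllowsInsecureHTTPLoads")


def internet_permission_tags(manifest_xml):
    """Return the tags in a decoded AndroidManifest.xml that request INTERNET."""
    root = ET.fromstring(manifest_xml)
    return [el.tag for el in root.iter()
            if el.tag in PERMISSION_TAGS
            and el.get(ANDROID_NS + "name") == "android.permission.INTERNET"]


def ats_keys_present(plist_bytes):
    """Return the path of every ATS-disabling key found in an Info.plist.

    Presence is reported regardless of the key's value, matching the wording
    of the assurance activity. XML and binary plists are both accepted.
    """
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = path + "/" + key
                if key in ATS_KEYS:
                    found.append(here)
                walk(value, here)  # exception-domain dictionaries are nested
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(plistlib.loads(plist_bytes), "")
    return sorted(found)


# Constructed sample inputs (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_PLIST = plistlib.dumps({"NSAppTransportSecurity": {"NSExceptionDomains": {
    "example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}}}})

if __name__ == "__main__":
    print("INTERNET requested by:", internet_permission_tags(SAMPLE_MANIFEST))
    print("ATS keys present at:", ats_keys_present(SAMPLE_PLIST))
```

An empty list from either function corresponds to the condition the evaluator is asked to confirm; a non-empty list names the tag or key path to record as a finding.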

Justification

See issue description.

 
 