NIAP: View Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0121:  FMT_MEC_EXT.1.1 Configuration Options
Publication Date
  11/04/2016
References
PP_APP_SWFE_EP_v1.0, FMT_MEC_EXT.1.1
Issue Description

The Application Software v1.2 PP requires (via FMT_MEC) that configuration information be stored (for Windows platforms) in the registry.  For a TOE claiming compliance with the File Encryption EP, certain configuration items are stored and protected using the encryption mechanisms provided by the File Encryption TOE, instead of in the registry.

Resolution

When a TOE is claiming compliance to the SWFE EP, it is permitted to use data encryption as an alternate means for protecting configuration information. This is done through the following changes:

FMT_MEC_EXT.1 is added to the SWFE EP as follows:

FMT_MEC_EXT.1 Supported Configuration Mechanism

FMT_MEC_EXT.1.1 The TSF shall [selection: invoke the mechanisms recommended by the platform vendor for storing and setting configuration options, store and protect configuration options as specified in FCS_COP.1(1)].

Application Note:

The ST author replaces FMT_MEC_EXT.1 in the Application Software PP with this requirement, and performs the appropriate selections.  The ST author ensures all configuration options are "covered" by one of the two selections.  It is allowable to have some configuration stored and protected using platform-provided functions and some stored by the TSF and protected using encryption per FCS_COP.1(1).

Assurance Activity

The TSS assurance activity in the Application Software PP for FMT_MEC_EXT.1 applies for either selection.  Additionally, if "store and protect configuration options as specified in FCS_COP.1(1)" is selected, the evaluator shall ensure that the TSS identifies those options, as well as indicates where the encrypted representation of these options is stored.

The test assurance activites in the Application Software PP for FMT_MEC_EXT.1 apply to all configuration options identified as being stored and set using platform mechanisms.  The following test activity applies to any configuration options identified as being stored and protected using encryption per FCS_COP.1(1).

[Conditional] For all configuration options listed in the TSS as being stored and protected using encryption per FCS_COP.1(1), the evaluator shall examine the contents of the configuration option storage (identified in the TSS) to determine that the options have been encrypted.

Justification

Encryption with mechanisms specified in the SWFE PP provides as strong or stronger protection as that provided by the platform mechanisms. While the TOE managing its own configuration information is generally not allowed for ease of administration concerns, limited exceptions associated with options needed for SWFE EP-compliant TOEs should be permitted for additional protection reasons.



 
Site Map              Contact Us              Home