NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0245:  Updates to FTP_ITC and FTP_TRP for ESM PPs

Publication Date
2017.10.03

Protection Profiles
PP_ESM_AC_V2.1, PP_ESM_ICM_V2.1, PP_ESM_PM_V2.1

Other References
FTP_ITC.1, FTP_TRP.1

Issue Description

The following test exists in FTP_ITC.1 in the ESM PM and ESM AC PP versions referenced above:

“Test 4: The evaluator shall ensure, for each communication channel with an authorized IT entity, modification of the channel data is detected by the TOE.”

This test was removed from FTP_ITC and FTP_TRP in the network device PPs because it is covered in the appropriate protocol testing (e.g., FCS_IPSEC_EXT). In addition, the ESM TC has determined that FTP_ITC.1 and FTP_TRP.1 are not consistent between ESM PPs and that the SFRs and testing are not consistent with those mandated by the NDcPP.

Resolution

This TD was updated on 11/29/2017 to move audit server into the selection for FTP_ITC.1.1 and Test 2 was modified.

FTP_ITC.1 from the ESM PM, AC, and ESM ICM PPs, and FTP_TRP.1 from the ESM PM and ICM PPs, are modified as follows:

FTP_ITC.1.1 The TSF shall be capable of using [selection: IPsec, SSH, TLS, HTTPS] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities:  [selection: audit server, authentication server, [assignment: other capabilities]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

FTP_ITC.1.2 The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel.

FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for transfer of policy data, [selection: [assignment: other services or functions for which the TSF is able to initiate communications], no other functions]].

Application Note:

The intent of the above requirements is to provide a means by which a cryptographic protocol may be used to protect external communications with authorized IT entities that the TOE interacts with to perform its functions.

For all protocols listed by the ST author, include the corresponding protocol requirement grouping(s) from Appendix C to reflect the implemented protocols. The table below provides a guide:

 

Protocol selected

Corresponding requirement grouping from Appendix C

IPsec

FCS_IPSEC_EXT.1

SSH

FCS_SSH_EXT.1

TLS

FCS_TLS_EXT.1

HTTPS

FCS_HTTPS_EXT.1

 

For example, if HTTPS is selected, the ST author includes all requirements within FCS_HTTPS_EXT.1 from Appendix C in the ST.

If the TOE implements its own cryptographic primitives (e.g., encryption/decryption, hashing), the ST author also includes the appropriate FCS requirements from Appendix C in the ST.

If the TOE communicates with an authentication server (e.g. RADIUS), then the ST author should choose “authentication server” in FTP_ITC.1.1 and this connection must be capable of being protected by one of the listed protocols. If other authorized IT entities are protected, the ST author makes the appropriate assignments (for those entities) and selections (for the protocols that are used to protect those connections). 

While there are no requirements on the party initiating the communication, the ST author lists in the assignment for FTP_ITC.1.3 the services and/or functions for which the TOE can initiate the communication with the authorized IT entity.

The requirement implies that not only are communications protected when they are initially established, but also on resumption after an outage. It may be the case that some part of the TOE setup involves manually setting up tunnels to protect other communication, and if after an outage the TOE attempts to re-establish the communication automatically with (the necessary) manual intervention, there may be a window created where an attacker might be able to gain critical information or compromise a connection.

Assurance Activity:

The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each communications mechanism is identified in terms of the allowed protocols for that IT entity and the method of assured identification of the non-TSF endpoint. The evaluator shall also confirm that all protocols listed in the TSS are specified and included in the requirements in the ST.

The evaluator shall confirm that the guidance documentation contains instructions for establishing the allowed protocols with each authorized IT entity, and that it contains recovery instructions should a connection be unintentionally broken.

The evaluator shall perform the following tests: 

Test 1: The evaluators shall ensure that communications using each protocol with each authorized IT entity is tested during the course of the evaluation, setting up the connections as described in the guidance documentation and ensuring that communication is successful.

Test 2: For each protocol that the TOE can initiate as defined in the requirement, the evaluator shall follow the guidance documentation to ensure that in fact the communication channel can be initiated from the TOE or the authorized IT entities.

Test 3: The evaluator shall ensure, for each communication channel with an authorized IT entity, the channel data is not sent in plaintext.

Test 4: The evaluators shall ensure that, for each protocol associated with each authorized IT entity tested during test 1, the connection is physically interrupted[HD1] [MS2] . The evaluator shall then ensure that when physical connectivity is restored, communications are appropriately protected.

Further assurance activities are associated with the specific protocols.

For distributed TOEs, the evaluator shall perform tests on all TOE components according to the mapping of external secure channels to TOE components in the Security Target.

FTP_TRP.1 The TSF shall be capable of using [selection: IPsec, SSH, TLS, HTTPS] to provide a communication path between itself and remote users that is logically distinct from other communication channels and provides assured identifications of its end points and protection of the communicated data from modification, disclosure, and [selection: [assignment: other types of integrity or confidentiality violation], no other types of integrity or confidentiality violations].

FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path.

FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial user authentication and execution of management functions.

Application Note:

The intent of the above requirements is to provide a means by which a cryptographic protocol is used to protect external communications with authorized IT entities that the TOE interacts with to perform its functions.

For all protocols listed by the ST author, include the corresponding protocol requirement grouping(s) from Appendix C to reflect the implemented protocols. The table below provides a guide:

 

Protocol selected

Corresponding requirement grouping from Appendix C

IPsec

FCS_IPSEC_EXT.1

SSH

FCS_SSH_EXT.1

TLS

FCS_TLS_EXT.1

HTTPS

FCS_HTTPS_EXT.1

 

For example, if HTTPS is selected, the ST author includes all requirements within FCS_HTTPS_EXT.1 from Appendix C in the ST.

If the TOE implements its own cryptographic primitives (e.g., encryption/decryption, hashing), the ST author also includes the appropriate FCS requirements from Appendix C in the ST.

Assurance Activity:

The evaluator shall check the TSS to ensure that it identifies the protocol(s) used to establish the trusted path and ensure they are consistent with those declared in the ST. In addition, the evaluator shall ensure that the TSS adequately describes the way the trusted communication path is protected.

The evaluator shall also check the TSS to ensure that the ST author specifies whether remote administration is applicable to the TOE and if applicable, specifies all the methods of remote administration, along with how those communications are protected.

The evaluator shall confirm that the guidance documentation contains instructions for how users will interact with the TOE such as a web application via HTTPS. The evaluator shall also ensure that the guidance documentation discusses the mechanism by which a trusted path to the TOE is established and which environmental components (if any) the TSF relies on to assist in this establishment.

If remote administration is applicable to the TOE per the TSS, the evaluator shall confirm that the guidance documentation contains instructions for establishing the remote administrative sessions for each supported method.

The evaluator shall perform the following set of tests and where applicable, repeat for each remote administration method:

Test 1: The evaluator shall ensure that communications using each protocol with each authorized IT entity, including each remote administration method, is tested during the course of the evaluation, setting up the connections as described in the guidance documentation and ensuring that communication is successful.

Test 2: For communications using each protocol with each authorized IT entity and method of remote administration supported, the evaluator shall follow the guidance documentation to ensure that there is no available interface that can be used by a remote user to establish a remote administrative session without invoking the trusted path.

Test 3: The evaluator shall ensure that for communications of each protocol with each authorized IT entity, and for each method of remote administration, the channel data is not sent in plaintext.

Test 4: The evaluators shall ensure that, for each protocol and remote administration method combination tested during Test 1, the connection is physically interrupted. The evaluator shall then ensure that when physical connectivity is restored, communications are appropriately protected.

For distributed TOEs, regardless of the tests performed, the evaluator shall perform tests on all TOE components according to the mapping of trusted paths to TOE components in the Security Target.

Assurance Activity Note: If data transmitted between the user and the TOE is obfuscated, the trusted path can be assumed to have been established.

Justification

Consistency with newer PPs while allowing for functionality provided by ESM products. 

 
 
Site Map              Contact Us              Home