The FPT_STM_EXT.1 SFR currently mandates support for Autokey per RFC 5906 when using Network Time Protocol (NTP). However, several well publicized weaknesses exist in Autokey such that timestamps could be modified without any indication.

5/22/2019: This TD has been archived and replaced by TD0418.

3/26/2019: The update to the  TD to add TLS was made in error. Both SSH and TLS were not included as protocols to secure the connection with the NTP server as neither support datagram protocols.

3/20/2019: This TD has been updated to fix a typo that left out TLS from the selections in FPT_STM_EXT.1.2.

FPT_STM_EXT.1 and FMT_SMF.1.1 are therfore modified in the ESC EP.

FPT_STM_EXT.1 is updated as follows

FPT_STM_EXT.1: Protection of System Time updates

FPT_STM_EXT.1.1 The TSF shall implement [selection: NTP v3 (RFC 1305), NTP v4 (RFC 5905)] NTP versions.

FPT_STM_EXT.1.2 The TSF shall update its system time [selection:

                Using Symmetric Cryptography [selection: SHA1, SHA256, SHA384, SHA512, AES-CBC-128, AES-CBC-256] as the cryptographic algorithm(s);

                Using [selection: IPsec, DTLS] to provide trusted communication between itself and an NTP time source.

                ].

FPT_STM_EXT.1.3 The TSF shall not update NTP timestamp from broadcast addresses.

FPT_STM_EXT.1.4 The TSF shall support configuration of at least three (3) NTP time sources.

Application note:  The TOE has to support configuration of at least 3 time sources though it is not mandated that the TOE is configured to always use at least 3 time sources.

Assurance Activities:

TSS

The evaluator shall examine the TSS to ensure it describes what approach the TOE uses to ensure the timestamp it receives from an NTP time server (or NTP peer) is from an authenticated source and the integrity of the time has been maintained.
The TOE may use multiple methods, as specified in the SFR, and the evaluator determines that each method selected in the ST is described in the TSS, including the algorithms and protocols used to ensure authenticity and integrity of the timestamp.

Guidance Documentation

The evaluator shall examine the guidance documentation to ensure it provides the administrator instructions on how to configure the multiple NTP servers for the TOE’s time source and how to configure the TOE to use the method(s) that are selected in the ST.
Each primary selection in the SFR contains selections that specify a cryptographic algorithm or cryptographic protocol. For each of these secondary selections made in the ST, the guidance documentation instructs the administrator how to configure the TOE to use the chosen option(s).

Test

The version of NTP specified in the first selection will have to be verified it is supported by the TOE.
The cryptographic algorithms specified in the second selection of this SFR will have been specified in an FCS_COP SFR and tested in the accompanying Evaluation Activity for that SFR. Likewise the cryptographic protocol selected in the second selection of this SFR will have been specified in an FCS SFR and tested in the accompanying Evaluation Activity for that SFR.

The evaluator will perform the following test(s) to verify the TOE implements the selected option(s) correctly:

Test 1: The evaluator shall configure an NTP server to use the NTP version selected by the ST Author to communicate with the NTP client, the TOE. The evaluator configures either the NTP server’s clock or the TOE’s clock such that the TOE will update its time when it receives a packet from the NTP server.  The difference in time must be enough to force a step in time on the TOE and to be observable by examining the TOE’s system time before and after the event.

The evaluator shall use a packet sniffer to capture the network traffic between the TOE and the NTP server. The evaluator uses the captured network traffic, to observe time change of the TOE and uses the TOE’s audit log to determine that the TOE accepted the NTP server’s timestamp update and that the appropriate method(s) and option(s) were used to transmit the packet. The evaluator shall also confirm that the TOE does not synchronize to any other time sources.

Test 1: The evaluator shall configure 3 authorized NTP servers and 1 unauthorized NTP server to use the NTP version selected by the ST Author to communicate with the NTP client, the TOE. For each configured NTP server, the evaluator configures either the NTP server’s clock or the TOE’s clock such that the TOE will update its time when it receives a packet from the NTP server.  The difference in time must be enough to force a step in time on the TOE and to be observable by examining the TOE’s system time before and after the event.

The evaluator shall use a packet sniffer to capture the network traffic between the TOE and each configured authorized NTP server. The evaluator uses the captured network traffic, to observe time change of the TOE and uses the TOE’s audit log to determine that the TOE accepted the NTP server’s timestamp update and that the appropriate method(s) and option(s) were used to transmit the packet. The evaluator shall also confirm that the TOE does not synchronize to the unauthorized NTP server or any other unauthorized time sources.

Test 2:  The evaluator shall configure NTP servers to support periodic time updates to broadcast addresses.  The evaluator shall confirm the TOE is configured to not accept/receive/process broadcast NTP packets.

FMT_SMF.1 SFR is updated as follows:

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions:

·         Ability to administer the TOE locally and remotely;

·         Ability to configure the access banner;

·         Ability to configure the session inactivity time before session termination or locking;

·         Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;

·         Ability to enable/disable voice and video recordings for any registered VVoIP endpoint;

·         Ability to display the real-time connection status of all VVoIP endpoints(hardware and software) and telecommunications devices;

·         Ability to clear all TSF data stored on disk;

·         [selection:

·         Ability to configure audit behavior;

·         Ability to configure the list of TOE-provided services available before an entity is identified and authenticated, as specified in FIA_UIA_EXT.1;

·         Ability to configure the cryptographic functionality;

·         Ability to configure the password policy;

·         Ability to specify the set of audited events;

·         Ability to configure NTP;

·         Ability to configure the behavior of the TOE in response to a self-test failure;

·         No other capabilities.]

Application Note:

The TOE developer is encouraged, but not required, to provide a more sophisticated password strength policy than what is prescribed by FIA_PMG_EXT.1 as defined in the NDcPP. This may include the ability for an administrator to configure the metrics used to define an acceptable password. At minimum, the minimum password length must be configurable.

The selection “Ability to configure NTP” shall be included in the ST if the TOE uses NTP for timestamp configuration.  If selected, FPT_STM_EXT.1 shall be included in the ST as well.

Assurance Activity

In addition to the assurance activities specified in the NDcPP Supporting Documents for this SFR, the evaluator shall perform the following tests:

Tests

Test 1: The evaluator shall deploy a test environment with two or more registered VVoIP endpoints. The evaluator shall choose two endpoints and configure the TOE to disable voice/video recording between them. The evaluator shall place a call between the two selected endpoints, verify that the call is successfully established, then terminate the call and observe that the TSF did not record the call. The evaluator shall then configure the TOE to enable voice/video recording between the same two endpoints, repeat the call, and verify that a recording is generated.

Test 2: The evaluator shall deploy a test environment with two or more registered VVoIP endpoints. The evaluator shall choose two endpoints and configure the TOE to disable voice/video recording between them. The evaluator shall place a call between the two selected endpoints, and verify that the call is successfully established. While the call is active, the evaluator shall use the TSF to review active connections and verify that the call is listed. The evaluator shall discontinue the call and verify that the TSF no longer shows it as active.
 
Test 3 (optional): If “ability to configure the password policy” is selected, the evaluator shall observe what the password strength policy is configured to by default on the TOE and shall verify that it is enforced by defining several weak administrative passwords for a given administrator account that are appropriately rejected by the TSF. The evaluator shall then modify the TOE’s password policy in such a manner that at least one of these weak passwords would now be accepted by the policy. The evaluator shall repeat the attempted password changes and observe that the TSF correctly accepts or rejects the passwords based on the new policy.

See issue description.