NIAP: View Technical Decision Details
TD0290: NIT technical decision for physical interruption of trusted path/channel.

Publication Date
2018.02.03

Protection Profiles
CPP_ND_V1.0, CPP_ND_V2.0, CPP_ND_V2.0E

Other References
FTP_ITC.1, FTP_TRP.1, FPT_ITT.1, ND SD V1.0, ND SD V2.0

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding physical interruption of trusted path/channel.  

Resolution

To align with NIT interpretation #201716rev2, the following changes shall be implemented:

The following changes shall be made to the Supporting Document.

FTP_ITC.1, TSS section (ND SD V1.0, ND SD V2.0)

The following paragraph shall be modified:

The evaluator shall examine the TSS to determine that, for all communications with authorized IT entities identified in the requirement, each secure communication mechanism is identified in terms of the allowed protocols for that IT entity, whether the TOE acts as a server or a client, and the method of assured identification of the non-TSF endpoint. The evaluator shall also confirm that all secure communication mechanisms are described in sufficient detail to allow the evaluator to match them to the cryptographic protocol Security Functional Requirements listed in the ST.


FTP_ITC.1 Tests (ND SD V1.0, ND SD V2.0)

The following paragraph shall be added:

The vendor shall provide to the evaluator application layer configuration settings for all secure communication mechanisms specified by the FTP_ITC.1 requirement. This information should be sufficiently detailed to allow the evaluator to determine the application layer timeout settings for each cryptographic protocol. There is no expectation that this information must be recorded in any public-facing document or report.

The following test shall be modified:

d) Test 4:

Objective: The objective of this test is to ensure that the TOE reacts appropriately to any connection outage or interruption of the route to the external IT entities.

The evaluator shall, for each instance where the TOE acts as a client utilizing a secure communication mechanism with a distinct IT entity, physically interrupt the connection of that IT entity for the following durations: i) a duration that exceeds the TOE’s application layer timeout setting, ii) a duration shorter than the application layer timeout but of sufficient length to interrupt the MAC layer.

The evaluator shall ensure that, when the physical connectivity is restored, communications are appropriately protected and no TSF data is sent in plaintext.


In the case where the TOE is able to detect when the cable is removed from the device, another physical network device (e.g. a core switch) shall be used to interrupt the connection between the TOE and the distinct IT entity. The interruption shall not be performed at the virtual node (e.g. virtual switch) and must be physical in nature.


FTP_TRP.1/Admin Tests (ND SD V2.0)

Remove Test 3.


FTP_TRP.1/Join, TSS section (ND SD V2.0)

The following paragraph shall be added to the TSS section:

The evaluator shall examine the TSS to confirm that sufficient information is provided to determine the TOE actions in the case that the initial component joining attempt fails.


FTP_TRP.1/Join, Tests Section (ND SD V2.0)

Modify d) Test 4:

Objective: The objective of this test is to ensure that the TOE reacts appropriately to any connection attempt by a malicious entity impersonating a distributed component attempting to register.

The evaluator shall ensure that, for each different pair of non-equivalent component types that can use the registration channel, i) the successful registration attempt is first recorded, ii) the registered component is physically disconnected for a duration that exceeds the TOE’s application layer timeout setting, iii) the registration attempt is replayed.

If the registration process is automated, the evaluator shall ensure that the replayed registration attempt is rejected and that the TOE generates adequate warnings to alert the administrator of the attempted replay. If the registration process requires administrative action to complete, it is sufficient for the evaluator to confirm that the replayed registration attempt is identified as a duplicate.

The interruption shall not be performed at the virtual node (e.g. virtual switch) and must be physical in nature.


FPT_ITT.1, Tests Section (ND SD V2.0)

Modify c) Test 3:

Objective: The objective of this test is to ensure that the TOE reacts appropriately to any connection outage or interruption of the route between distributed components.

The evaluator shall ensure that, for each different pair of non-equivalent component types, the connection is physically interrupted for the following durations: i) a duration that exceeds the TOE’s application layer timeout setting, ii) a duration that is shorter than the application layer timeout but is of sufficient length to interrupt the MAC layer.

The evaluator shall ensure that when physical connectivity is restored, either communications are appropriately protected, or the secure channel is terminated and the registration process (as described in the FTP_TRP.1/Join) re-initiated, with the TOE generating adequate warnings to alert the administrator.

In the case that the TOE is able to detect when the cable is removed from the device, another physical network device (e.g. a core switch) shall be used to interrupt the connection between the components. The interruption shall not be performed at the virtual node (e.g. virtual switch) and must be physical in nature.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi201716rev2.pdf.


Justification

See issue description.
