Archived TD0321: Protection of NTP communications
Trusted Channel (FTP_ITC.1) is optional but not mandated for the FPT_STM_EXT.1.2 in cPP_ND_v2.0E and cPP_FW_v2.0E. However, when an NTP server is used to set the TOE clock, the time is considered TSF data, and the authentication and integrity of the NTP communication must be protected.
Updated 5/30/18: The effective date of this Technical Decision is July 1, 2018.
For all NIAP evaluations and CCRA member nations product evaluations posted on the NIAP PCL, when an NTP server is used to set the TOE clock, the time is considered TSF data, and the authentication and integrity of the NTP communication must be protected.
Reliable time stamps are expected to be used with other TSF, e.g. for the generation of audit data to allow the Security Administrator to investigate incidents by checking the order of events and to determine the actual local time when events occurred. The decision about the required level of accuracy of that information is up to the Administrator. The TOE depends on external time and date information, either provided manually by the Security Administrator or through the use of one or more external time sources like NTP servers. The corresponding option(s) shall be chosen from the selection in FPT_STM_EXT.1.2. The use of a local real-time clock and the automatic synchronisation with an external time source (e.g. NTP server) is recommended but not mandated. If a Security Administrator is modifying the system time remotely they must use a protected communication path as specified in FPT_TRP.1/Admin. If the TOE uses an external entity to modify the system time (NTP Server, or non-NTP external entity), such connections must be performed in accordance with FTP_ITC.1. External time source entities that do not use cryptography for authentication and integrity verification are not allowed. The ST author describes in the TSS how the external time and date information is received by the TOE and how this information is maintained.
See issue description.