NIAP: View Technical Decision Details
NIAP/CCEVS
TD0420:  Conflict in FCS_SSHC_EXT.1.1 and FCS_SSHS_EXT.1.1

Publication Date
2019.05.10

Protection Profiles
PP_SSH_EP_v1.0

Other References
FCS_SSHC_EXT.1.1, FCS_SSHS_EXT.1.1

Issue Description

There is a disconnect between the SFR and the AA of FCS_SSHC_EXT.1.1. The SFR requires only the public-key-based authentication method and offers a selection of password-based authentication or none. However, the AA requires password-based authentication.

Further investigation revealed that FCS_SSHS_EXT.1 has the same problem.

Resolution

The Assurance Activity for FCS_SSHC_EXT.1.1 is modified as follows:

The evaluator will check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSHC_EXT.1.4, and ensure that password-based authentication methods are also allowed, if supported, are described.

...

Test 2 [conditional]: Using the guidance documentation, the evaluator will configure the TOE to perform password-based authentication to an SSH server, and demonstrate that a user can be successfully authenticated by the TOE to an SSH server using a password as an authenticator.

 

The Assurance Activity for FCS_SSHS_EXT.1.1 is modified as follows:

The evaluator will check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSHS_EXT.1.4, and ensure that password-based authentication methods are also allowed, if supported, are described.

...

Test 3 [conditional]: Using the guidance documentation, the evaluator will configure the TOE to perform password-based authentication on a client, and demonstrate that a user can be successfully authenticated by the TOE using a password as an authenticator.

Test 4 [conditional]: The evaluator shall use an SSH client, enter an incorrect password to attempt to authenticate to the TOE, and demonstrate that the authentication fails.

Justification

See issue description.

 
 