collaborative Protection Profile for Application Software

FCS_RBG_EXT.1.1 The application shall [selection: use no DRBG functionality, invoke platform-provided DRBG functionality, implement DRBG functionality according to FCS_RBG_EXT.2] for its cryptographic operations.

Application Note 1: In this requirement, cryptographic operations include all cryptographic key generation/derivation/agreement, IVs (for certain modes), as well as protocol-specific random values.

Unless use no DRBG functionality is selected, an Entropy Analaysis Report specified in Appendix D is required.

FCS_STO_EXT.1.1 The application shall [selection: not store any credentials, invoke the functionality provided by the platform to securely store [assignment: list of credentials], implement functionality to securely store [assignment: list of credentials]] according to [selection: FCS_COP.1/DataEncryption, FCS_CKM_EXT.1/Hash, FCS_CKM_EXT.1/KeyedHash, FCS_CKM_EXT.1/PBKDF2] to non-volatile memory.

Application Note 2: This requirement ensures that persistent credentials (secret keys, PKI private keys, or passwords) are stored securely.

FDP_NET_EXT.1.1 The TSF shall restrict network communication to: [_selection: no network communication, user-initiated communication for [assignment: list of functions for which the user can initiate network communication], respond to [assignment: list of remotely initiated communication ], [assignment: list of application-initiated network communication] ].

Application Note 3: This requirement is intended to restrict both inbound and outbound network communications to only those required, or to network communications that are user initiated. It does not apply to network communications in which the application may generically access the filesystem which may result in the platform accessing remotely mounted drives/shares.

FMT_CFG_EXT.1.1 Any default credentials supported by the TSF shall be changed [selection: during installation, before application is operational].

Application Note 4: Manufacturer default credentials are credentials (e.g., passwords, keys) that are automatically (without user interaction) loaded onto the platform during application installation. Credentials generated during or after the installation using requirements laid out in FCS_RBG_EXT.2 are not by definition default credentials. An application is considered operational once initial set-up is complete or at first use.

The changing of default credentials has to be enforced by the application.

FMT_CFG_EXT.1.2 The application shall be configured by default with file permissions which protect it and its data from unauthorized access.

Application Note 5: The precise expectations for file permissions vary per platform but the general intention is that a trust boundary protects the application and its data.

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions:

Application Note 6: This requirement stipulates that an application needs to provide the ability to enable/disable only those functions that it actually implements. The application is not responsible for controlling the behavior of the platform or other applications.

FPT_AEX_EXT.1.1 The application shall not request to map memory at an explicit address except for [selection:

Application Note 7: Requesting a memory mapping at an explicit address subverts address space layout randomization (ASLR).

FPT_AEX_EXT.1.2 The application shall [selection:

Application Note 8: Requesting a memory mapping with both write and execute permissions subverts the platform protection provided by DEP. If the application performs no just-in-time compiling, then the first selection must be chosen.

FPT_AEX_EXT.1.3 The application shall be compatible with security features provided by the platform vendor except for [selection: [assignment: list of explicit exceptions], no exceptions].

Application Note 9: This requirement is designed to ensure that platform security features do not need to be disabled in order for the application to run. The ability to provide exception in in recognition that for certain applications disabling specific security features might be necessary (e.g. an anti-virus application disabling platform provided virus detection features).

FPT_AEX_EXT.1.4 The application shall not write user-modifiable files to directories that contain executable files unless explicitly directed by the user to do so.

Application Note 10: Executables and user-modifiable files may not share the same parent directory but may share directories above the parent.

FPT_AEX_EXT.1.5 The application shall be compiled with stack-based buffer overflow protection enabled.

Application Note 11: Any interpreted code is assumed to have met this requirement by default.

FPT_TUD_EXT.1.1 The application shall [selection: provide the ability, leverage the platform] to report the current version of the application software.

Application Note 12: Version is a unique identifier. For example, it could be a sequence of numbers (e.g. major.minor.build.patch) or a version identifier with an explicit list of patches.

FPT_TUD_EXT.1.2 The application installation package and its updates shall be digitally signed such that the [selection: TOE, platform] can cryptographically verify them prior to installation.

Application Note 13: The specifics of the verification of installation packages and updates involves requirements on the platform (and not the application), so these are not fully specified here.

FTP_DIT_EXT.1.1 The application shall [selection:

between itself and another trusted IT product.

Application Note 14: The selection ‘not transmit any data’ cannot be selected for TOEs being evaluated against the Server or Agent modules.

FCS_CKM_EXT.1.1/Symmetric The TSF shall generate symmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] using a Random Bit Generator as specified in FCS_RBG_EXT.2 and specified cryptographic key sizes [selection: 128 bit, 256 bit]. that meet the following: [assignment: list of standards].

Application Note 15: Symmetric keys may be used to generate keys along the key chain.

FPT_API_EXT.2.1 The application [selection: shall use platform-provided libraries for parsing [assignment: list of formats parsed that are included in the IANA MIME media types], does not perform parsing].

Application Note 16: The IANA MIME types are listed at http://www.iana.org/assignments/media-types and include many image, audio, video, and content file formats. This requirement does not apply if providing parsing services is the purpose of the application.

FCS_RBG_EXT.2.1 The TSF shall perform all deterministic random bit generation services in accordance with ISO/IEC 18031:2011 using [selection: Hash_DRBG (any) in accordance with FCS_COP.1/Hash, HMAC_DRBG (any) in accordance with FCS_COP.1/KeyedHash, CTR_DRBG (AES) in accordance with FCS_COP.1/DataEncryption].

FCS_RBG_EXT.2.2 The deterministic RBG shall be seeded by at least one entropy sources that accumulates entropy from [selection: [assignment: number of software-based sources] software-based noise source(s), [assignment: number of hardware-based sources] hardware-based noise source(s] with a minimum of [selection: 128 bits, 192 bits, 256 bits] of entropy at least equal to the greatest security strength, according to ISO/IEC 18031:2011 Table C.1 “Security Strength Table for Hash Functions”, of the keys and hashes that it will generate.

Application Note 17: This requirement shall be included in STs where "implement DRBG functionality" is selected in FCS_RBG_EXT.1.1.

For the first selection in FCS_RBG_EXT.2.2, the ST author selects at least one of the types of noise sources. If the TOE contains multiple noise sources of the same type, the ST author fills the assignment with the appropriate number for each type of source (e.g., 2 software-based noise sources, 1 hardware-based noise source). The documentation and tests required in the Evaluation Activity for this element should be repeated to cover each source indicated in the ST.

ISO/IEC 18031:2011 contains three different methods of generating random numbers; each of these, in turn, depends on underlying cryptographic primitives (hash functions/ciphers). The ST author will select the function used and include the specific underlying cryptographic primitives used in the requirement. While any of the identified hash functions (SHA-1, SHA-256, SHA-384, SHA-512) are allowed for Hash_DRBG or HMAC_DRBG, only AES-based implementations for CTR_DRBG are allowed.

If the key length for the AES implementation used here is different than that used to encrypt the user data, then FCS_COP.1/DataEncryption may have to be adjusted or iterated to reflect the different key length. For the selection in FCS_RBG_EXT.1.2, the ST author selects the minimum number of bits of entropy that is used to seed the RBG, which must be equal or greater than the security strength of any key generated by the TOE.

FCS_CKM_EXT.1.1 The application shall [selection: generate no asymmetric cryptographic keys, invoke platform-provided functionality for asymmetric key generation, implement asymmetric key generation according to FCS_CKM_EXT.1/Asymmetric].

Application Note 18: This requirement depends upon selection in [TLS Package] and [SSH Package].

FCS_CKM_EXT.1.1/Asymmetric The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm: [selection:

and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].

Application Note 19: The ST author selects all key generation schemes used for key establishment (including generation of ephemeral keys) and device authentication. When key generation is used for key establishment, the schemes in FCS_CKM.2.1 and selected cryptographic protocols must match the selection. When key generation is used for device authentication, other than SSH-RSA, ECDSA-SHA2-NISTP256, ECDSA-SHA2-NISTP384 and ECDSA-SHA2-NISTP521, the public key is expected to be associated with an X.509v3 certificate.

If the TOE acts as a receiver in the key establishment schemes and is not configured to support mutual authentication, the TOE does not need to implement key generation.

FCS_CKM_EXT.1.1/PBKDF2 A password/passphrase shall perform [assignment: Password-based Key Derivation Functions] in accordance with a specified cryptographic algorithm as specified in FCS_COP.1/KeyedHash, with [assignment: positive integer of 1,000 or more] iterations, and output cryptographic key sizes [selection: 128, 256] that meet the following [NIST SP 800-132].

FCS_CKM_EXT.1.2/PBKDF2 The TSF shall generate salts using a RBG that meets FCS_RGB_EXT.1 and with entropy corresponding to the security strength selected for PBKDF in FCS_CKM_EXT.1.1/PBKDF2.

Application Note 20: This should be included if selected in FCS_STO_EXT.1

Conditioning can be performed using one of the identified hash functions or the process described in NIST SP 800-132; the method used is selected by the ST Author. SP 800-132 requires the use of a pseudo-random function (PRF) consisting of HMAC with an approved hash function. The ST author selects the hash function used, also includes the appropriate requirements for HMAC and the hash function.

Appendix A of SP 800-132 recommends setting the iteration count in order to increase the computation needed to derive a key from a password and, therefore, increase the workload of performing a password recovery attack. A significantly higher value is recommended to ensure optimal security. This value is expected to increase to a minimum of 10,000 in a future iteration based on SP 800-63.

FCS_CKM.2.1 The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: [selection:

Application Note 21: This is a refinement of the SFR FCS_CKM.2 to deal with key establishment rather than key distribution.

The ST author selects all key establishment schemes used for the selected cryptographic protocols.

The elliptic curves used for the key establishment scheme correlate with the curves specified in FCS_CKM_EXT.1.1/Asymmetric The domain parameters used for the finite field-based key establishment scheme are specified by the key generation according to FCS_CKM_EXT.1.1/Asymmetric.

Safe-prime groups are covered in Appendix D of SP 800-56A Revision 3, “Appendix D: Approved ECC Curves and FFC Safe-prime Groups”.

FCS_COP.1.1/DataEncryption The TSF shall perform encryption/decryption in accordance with a specified cryptographic algorithm AES used in [selection: CBC, CTR, GCM] mode and cryptographic key sizes [selection: 128 bits, 192 bits, 256 bits] that meet the following: AES as specified in ISO 18033-3, [selection: CBC as specified in ISO 10116, CTR as specified in ISO 10116, GCM as specified in ISO 19772].

Application Note 22: For the first selection of FCS_COP.1.1/DataEncryption, the ST author chooses the mode or modes in which AES operates. For the second selection, the ST author chooses the key sizes that are supported by this functionality. The modes and key sizes selected here correspond to the cipher suite selections made in the trusted channel requirements.

FCS_COP.1.1/SigGen The TSF shall perform cryptographic signature services [selection: generation, verification] in accordance with a specified cryptographic algorithm [selection:

that meet the following: [selection:

Application Note 23: The ST Author chooses the algorithm(s) implemented to perform digital signatures. For the algorithm(s) chosen, the ST author makes the appropriate assignments/selections to specify the parameters that are implemented for that algorithm. The ST author ensures that the assignments and selections for this SFR include all the parameter values necessary for the cipher suites selected for the protocol SFRs (see Appendix B.1.4) that are included in the ST. The ST Author checks for consistency of selections with other FCS requirements, especially when supporting elliptic curves.

FCS_COP.1.1/Hash The TSF shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [selection: SHA-1, SHA-256, SHA-384, SHA-512] and cryptographic key sizes [assignment: cryptographic key sizes] message digest sizes [selection: 160, 256, 384, 512] bits that meet the following: ISO/IEC 10118-3:2004.

Application Note 24: Vendors are strongly encouraged to implement updated protocols that support the SHA-2 family; until updated protocols are supported, this cPP allows support for SHA-1 implementations in compliance with SP 800-131A. In a future version of this cPP, SHA-256 will be the minimum requirement for all TOEs.

The hash selection should be consistent with the overall strength of the algorithm used for FCS_COP.1/DataEncryption and FCS_COP.1/SigGen (for example, SHA 256 for 128-bit keys).

FCS_COP.1.1/KeyedHash The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm [selection: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512] and cryptographic key sizes [assignment: key size (in bits) used in HMAC] and message digest sizes [selection: 160, 256, 384, 512] bits that meet the following: ISO/IEC 9797-2:2011, Section 7 “MAC Algorithm 2”.

Application Note 25: The key size [k] in the assignment falls into a range between L1 and L2 (defined in ISO/IEC 10118 for the appropriate hash function). For example, for SHA-256, L1=512, L2=256, where L2⇐k⇐L1.

HTTPS is not a required component of this cPP. If a TOE implements HTTPS, a corresponding selection in FTP_DIT_EXT.1 should have been made that defines what the HTTPS protocol is implemented to protect.

TLS is not a required component of this cPP. If a TOE implements TLS, a corresponding selection in FTP_DIT_EXT.1 should be made to define what the TLS protocol is implemented to protect. If the TOE implements the TLS protocol, the ST author shall include the requirements from [TLS Package]

SSH is not a required component of this cPP. If a TOE implements SSH, a corresponding selection in FTP_DIT_EXT.1 should have been made that defines what the SSH protocol is implemented to protect. If the TOE acts as both a client and server and the selections are different, the ST author should iterate using the identifiers FCS_SSH_EXT.1/Server and FCS_SSH_EXT.1/Client in the [SSH Package].

FIA_AFL.1.1 The TSF shall detect when a configurable positive integer [ assignment: range of acceptable values less than 64 for each password-based authentication mechanism] of unsuccessful authentication attempts occur related to last successful authentication for each password-based authentication mechanism.

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall [selection: prevent the offending Administrator from successfully establishing a session using the locked authentication method until [assignment: action to unlock] is taken by an Administrator; prevent the offending Administrator from successfully establishing a session using any authentication method until an Administrator-defined time period has elapsed].

FIA_EIP_EXT.1.1 The TSF shall be capable of using [selection: TLS, DTLS] as specified in the [TLS Package] to provide a communication channel between itself and an external identity provider.

FIA_EIP_EXT.1.2 The TSF shall provide a [selection: configurable, externally-managed] mechanism to enroll with the external identity provider.

FIA_EIP_EXT.1.3 The TSF shall establish attribute mapping with the provider for [assignment: list of maintained attributes].

FIA_UIA_EXT.1.1 The TSF shall allow the following actions prior to requiring the administrative user to initiate the identification and authentication process: [selection:

FIA_UIA_EXT.1.2 The TSF shall require each administrative user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that administrative user.

FIA_UAU_EXT.2.1 The TSF shall provide a [selection: password-based, SSH public key-based as specified in the [SSH Package], certificate-based, [assignment: other authentication mechanism]] authentication mechanism to perform administrative user authentication.

FIA_UAU_EXT.5.1 The TSF shall [selection: provide an authentication mechanism, integrate with an external identity provider] to support user authentication.

FIA_UAU_EXT.5.2 The TSF shall consider [selection: password, SSH Public Key, X.509 certificate, [assignment: other authentication mechanism]] as authentication mechanisms.

Application Note 29: If the TOE implements its own authentication mechanism, “provide an authentication mechanism” shall be selected and the following selection-based SFRs shall be include in the ST: FIA_AFL.1, FIA_UAU_EXT.2, FIA_UAU.7, and FMT_SMR.2.

Application Note 30: If the TOE connects to an external authentication service, the selection “integrate with an external identity provider” and the following selection-based SFRs shall be included in the ST: FIA_EIP_EXT.1.

FIA_UAU.7.1 The TSF shall provide only obscured feedback to the administrative user while the authentication is in progress.

Application Note 31: The TSF may permit user interaction to display the input data. However, this may not be the default state and shall revert to an obfuscated state after user interaction.

FIA_X509_EXT.1.1/Rev The application shall [selection: invoke platform-provided functionality, implement functionality] to validate certificates in accordance with the following rules:

FIA_X509_EXT.1.2/Rev The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.

Application Note 32: This requirement applies to certificates that are used and processed by the TSF and restricts the certificates that may be added as trusted CA certificates.

FIA_X509_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection: HTTPS, SSH as defined in the [SSH Package], TLS as defined in the [TLS Package], DTLS as defined in the [TLS Package], code signing for system software updates, code signing for integrity verification, [assignment: other uses]].

FIA_X509_EXT.2.2 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [selection: allow the Administrator to choose whether to accept the certificate in these cases, accept the certificate, not accept the certificate].

Application Note 33: In FIA_X509_EXT.2.1, the ST author’s selection includes TLS, or HTTPS if these protocols are included in FTP_DIT_EXT.1.1. SSH should be included if SSH authentication methods include X.509v3. Certificates may optionally be used for trusted updates of system software (FPT_TUD_EXT.1.2).

Often a connection must be established to check the revocation status of a certificate - either to download a CRL or to perform a lookup using OCSP. In FIA_X509_EXT.2.2 the selection is used to describe the behavior in the event that such a connection cannot be established (for example, due to a network error). If the TOE has determined the certificate is valid according to all other rules in FIA_X509_EXT.1, the behavior indicated in the selection determines the validity. The TOE must not accept the certificate if it fails any of the other validation rules in FIA_X509_EXT.1. If the Administrator-configured option is selected by the ST Author, the ST Author also selects the corresponding function in FMT_SMF.1. The selection should be consistent with the validation requirements in [TLS Package, FCS_TLSC_EXT.1.3].

The ST author must include FIA_X509_EXT.2 in all instances except when only SSH is selected within FTP_DIT_EXT.1 and SSH authentication methods do not include X.509v3. Additionally, FIA_X509_EXT.2 must be included if FPT_TUD_EXT digital signatures make use of X.509 certificates and the TOE performs the verification.

FTA_TAB.1.1 Before establishing an administrative user session the TSF shall display a Security Administrator-specified advisory notice and consent warning message regarding use of the TOE.

Application Note 34: This requirement shall be included if the selection for a warning banner is made within FIA_UIA_EXT.1.

Defined in [CC2].

FCS_CKM_EXT.1 defines whether asymmetric keys are generated and if so whether the TOE or the platform generates the asymmetric cryptographic keys.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No dependencies

FCS_CKM_EXT.1.1 The application shall [selection: generate no asymmetric cryptographic keys, invoke platform-provided functionality for asymmetric key generation, implement asymmetric key generation according to FCS_CKM_EXT.1/Asymmetric].

FCS_CKM_EXT.1/Asymmetric

The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm: [selection:

and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].

FCS_CKM_EXT.1.1/Symmetric The TSF shall generate symmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] using a Random Bit Generator as specified in FCS_RBG_EXT.2 and specified cryptographic key sizes [selection: 128 bit, 256 bit]. that meet the following: [assignment: list of standards].

FCS_CKM_EXT.1.1/PBKDF2 A password/passphrase shall perform [assignment: Password-based Key Derivation Functions] in accordance with a specified cryptographic algorithm as specified in FCS_COP.1/KeyedHash, with [assignment: positive integer of 1,000 or more] iterations, and output cryptographic key sizes [selection: 128, 256] that meet the following [NIST SP 800-132].

FCS_CKM_EXT.1.2/PBKDF2 The TSF shall generate salts using a RBG that meets FCS_RGB_EXT.1 and with entropy corresponding to the security strength selected for PBKDF in FCS_CKM_EXT.1.1/PBKDF2.

Components in this family define the requirements for protecting remote management sessions between the TOE and a Security Administrator. This family describes how HTTPS will be implemented. This is a new family defined for the FCS Class.

FCS_HTTPS_EXT.1 HTTPS requires that HTTPS be implemented according to RFC 2818 and supports TLS.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No dependencies

FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.

FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS.

FCS_HTTPS_EXT.1.3 If a peer certificate is presented, the TSF shall [selection: not require client authentication, not establish the connection, request authorization to establish the connection, [assignment: other action]] if the peer certificate is deemed invalid.

Components in this family address the requirements for random bit/number generation. This is a new family defined for the FCS class.

FCS_RBG_EXT.1 Random Bit Generation requires random bit generation to be performed in accordance with selected standards and seeded by an entropy source.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No dependencies

FCS_RBG_EXT.2.1 The TSF shall perform all deterministic random bit generation services in accordance with ISO/IEC 18031:2011 using [selection: Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)].

FCS_RBG_EXT.2.2 The deterministic RBG shall be seeded by at least one entropy source that accumulates entropy from [selection: [assignment: number of software-based sources] software-based noise source, [assignment: number of hardware-based sources] hardware-based noise source] with a minimum of [selection: 128 bits, 192 bits, 256 bits] of entropy at least equal to the greatest security strength, according to ISO/IEC 18031:2011 Table C.1 “Security Strength Table for Hash Functions”, of the keys and hashes that it will generate.

Hierarchical to: No other components

Dependencies: No dependencies

FCS_RBG_EXT.2.1 The application shall [selection: use no DRBG functionality, invoke platform-provided DRBG functionality, implement DRBG functionality] for its cryptographic operations.

Components in this family address the requirements for storage of credentials such as secret keys, PKI private keys, or passwords. This is a new family defined for the FCS class.

FCS_STO_EXT.1 identifies whether the TOE stores credentials and if so how to store them securely.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No dependencies

FCS_STO_EXT.1.1 The application shall [selection: not store any credentials, invoke the functionality provided by the platform to securely store [assignment: list of credentials], implement functionality to securely store [assignment: list of credentials]] according to [selection: FCS_COP.1/DataEncryption, FCS_CKM_EXT.1/Hash, FCS_CKM_EXT.1/KeyedHash, FCS_CKM_EXT.1/PBKDF2] to non-volatile memory.

Components in this family address restrictions to network communications. This is a new family defined for the FDP class.

FDP_NET_EXT.1 identifies whether the TOE has outbound or inbound connections.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No other components

FDP_NET_EXT.1.1 The TSF shall restrict network communication to: [selection: no network communication, outbound connections, in-bound connections].

Hierarchical to: No other components.

Dependencies: FIA_UAU_EXT.5.

FIA_EIP_EXT.1.1 The TSF shall be capable of using [selection: TLS, DTLS] to provide a communication channel between itself and an external identity provider.

FIA_EIP_EXT.1.2 The TSF shall provide a [selection: configurable, externally-managed] mechanism to enroll with the external identity provider.

FIA_EIP_EXT.1.3 The TSF shall establish attribute mapping with the provider for [assignment: list of maintained attributes].

The TSF allows certain specified actions before the non-TOE entity goes through the identification and authentication process.

FIA_UIA_EXT.1 User Identification and Authentication requires Administrators (including remote Administrators) to be identified and authenticated by the TOE, providing assurance for that end of the communication path. It also ensures that every user is identified and authenticated before the TOE performs any mediated functions

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components.

Dependencies: FTA_TAB.1 Default TOE Access Banners

FIA_UIA_EXT.1.1 The TSF shall allow the following actions prior to requiring the administrative user to initiate the identification and authentication process: [selection:

FIA_UIA_EXT.1.2 The TSF shall require each administrative user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that administrative user.

FIA_UAU_EXT.2 User Authentication

Hierarchical to: No other components.

Dependencies: No other components.

FIA_UAU_EXT.2.1 The TSF shall provide a [selection: password-based, SSH public key-based, certificate-based, [assignment: other authentication mechanism]] authentication mechanism to perform administrative user authentication.

FIA_UAU_EXT.5 User Authentication Mechanisms

Hierarchical to: No other components.

Dependencies: FIA_UAU_EXT.2 User Authentication.

FIA_UAU_EXT.5.1 The TSF shall [selection: provide an authentication mechanism, integrate with an external identity provider] to support user authentication.

FIA_UAU_EXT.5.2 The TSF shall consider [selection: password, SSH Public Key, X.509 certificate, [assignment: other authentication mechanism]] as authentication mechanisms.

This family defines the behaviour, management, and use of X.509 certificates for functions to be performed by the TSF. Components in this family require validation of certificates according to a specified set of rules, use of certificates for authentication for protocols and integrity verification, and the generation of certificate requests.

FIA_X509_EXT.1 X509 Certificate Validation, requires the TSF to check and validate certificates in accordance with the RFCs and rules specified in the component.

FIA_X509_EXT.2 X509 Certificate Authentication, requires the TSF to use certificates to authenticate peers in protocols that support certificates, as well as for integrity verification and potentially other functions that require certificates.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: FIA_X509_EXT.2 X.509 Certificate Authentication

FIA_X509_EXT.1.1/Rev The application shall [selection: invoke platform-provided functionality, implement functionality] to validate certificates in accordance with the following rules:

FIA_X509_EXT.1.2 The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.

Hierarchical to: No other components

Dependencies: FIA_X509_EXT.1 X.509 Certificate Authentication

FIA_X509_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection: HTTPS, SSH, TLS, DTLS], and [selection: code signing for system software updates, code signing for integrity verification, [assignment: other uses], no additional uses].

FIA_X509_EXT.2.2 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [selection: allow the Administrator to choose whether to accept the certificate in these cases, accept the certificate, not accept the certificate].

Components in this family address requirements for secure default configuration. This is a new family defined for the FMT class.

FMT_CFG_EXT.1 identifies whether the TOE has default credentials and if so the default credentials can be changed.

The following actions could be considered for the management functions in FMT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No other components

FMT_CFG_EXT.1.1 Any default credentials supported by the TSF shall be changed [selection: during installation, before application is operational].

FMT_CFG_EXT.1.2 The application shall be configured by default with file permissions which protect it and its data from unauthorized access.

Components in this family address requirements to ensure the TOE is not susceptible to commonly used exploitation methods. Additionally, it ensures that the application doesn’t circumvent security functionality provided by the platform. This is a new family defined for the FPT class.

FPT_AEX_EXT.1 ensures the TOE is not susceptible to commonly used exploitation methods and that it doesn’t circumvent security functionality provided by the platform.

The following actions could be considered for the management functions in FPT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No other components

FPT_AEX_EXT.1.1 The application shall not request to map memory at an explicit address except for [selection:

FPT_AEX_EXT.1.2 The application shall [selection:

FPT_AEX_EXT.1.3 The application shall be compatible with security features provided by the platform vendor except for [selection: [assignment: list of explicit exceptions], no exceptions].

FPT_AEX_EXT.1.4 The application shall not write user-modifiable files to directories that contain executable files unless explicitly directed by the user to do so.

FPT_AEX_EXT.1.5 The application shall be compiled with stack-based buffer overflow protection enabled.

Components in this family address requirements to ensure the TOE uses platform services and APIs that are supported by the platform vendor.

FPT_API_EXT.2 ensures the TOE is not dependent on services and APIs that are not supported by the platform vendor and would be difficult to maintain as the underlying platform is upgraded/changed.

The following actions could be considered for the management functions in FPT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components

Dependencies: No other components

FPT_API_EXT.2.1 The application [selection: shall use platform-provided libraries for parsing [assignment: list of formats parsed that are included in the IANA MIME media types], does not perform parsing].

Components in this family address the requirements for updating the TOE software.

FPT_TUD_EXT.1 ensures that there are tools available to view the version of the TOE and update the TOE either using the TOE itself or the platform.

The following actions could be considered for the management functions in FPT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Components in this family address requirements to ensure the TOE either doesn’t transmit data or if it does transmit sensitive data such data is transmitted in a secure tunnel.

FTP_DIT_EXT.1 ensures that if the TOE transmits sensitive data it is done so inside of a secure tunnel protected by HTTPs, TLS, DTLS or SSH.

The following actions could be considered for the management functions in FPT:

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

Hierarchical to: No other components Dependencies: No other components

FTP_DIT_EXT.1.1 The application shall [selection:

between itself and another trusted IT product.