Application Software Security Profile
Version: 1.1
2014-11-05
National Information Assurance Partnership
Revision History
Version  Date        Comment
v1.1     2014-11-05  Addition to TLS cipher suite selections
v1.0     2014-10-20  Initial release
[Link]
1.1 Overview
The scope of this Protection Profile (PP) is to describe the security functionality of application software in
terms of [CC] [Link],
[Link]
[Link], it is
paramount that the security of applications be improved to reduce the risk of compromise.
1.2 Terms
The following sections provide both Common Criteria and technology terms used in this Protection Profile.
1.2.1 Common Criteria Terms
Common Criteria (CC)
    Common Criteria for Information Technology Security Evaluation.
Common Evaluation Methodology (CEM)
    Common Evaluation Methodology for Information Technology Security
    Evaluation.
Protection Profile (PP)
    An implementation-independent set of security requirements for a
    category of products.
Security Target (ST)
    A set of implementation-dependent security requirements for a specific
    product.
Target of Evaluation (TOE)
    [Link], application software and its
    supporting documentation.
TOE Security Functionality (TSF)
    The security functionality of the product under evaluation.
TOE Summary Specification (TSS)
    A description of how a TOE satisfies the SFRs in a ST.
Security Functional Requirement (SFR)
    A requirement for security enforcement by the TOE.
Security Assurance Requirement (SAR)
    A requirement to assure the security of the TOE.
1.2.2 Technology Terms
Address Space Layout Randomization (ASLR)
    An anti-exploitation feature which loads memory mappings into unpredictable locations.
    ASLR makes it more difficult for an attacker to redirect control to code that they have
    introduced into the address space of an application process.
Application (app)
    Software that runs on a platform and performs tasks on behalf of the user or owner of the
    platform, [Link]
    interchangeable in this document.
Application Programming Interface (API)
    A specification of routines, data structures, object classes, and variables that allows an
    application to make use of services provided by another software component, such as a
    [Link].
Credential
    Data that establishes the identity of a user, [Link].
Data Execution Prevention (DEP)
    An anti-exploitation feature of modern operating systems executing on modern computer
    hardware, [Link]
    pages of memory from containing both data and instructions, which makes it more difficult
    for an attacker to introduce and execute code.
Developer
    [Link], vendors
    and developers are the same.
Mobile Code
    Software transmitted from a remote system for execution within a limited execution
    [Link], there is no persistent installation and execution
    begins without the user'[Link]
    technologies include JavaScript, Java applets, Adobe Flash, and Microsoft Silverlight.
Operating System (OS)
    Software that manages hardware resources and provides services for applications.
Personally Identifiable Information (PII)
    Any information about an individual maintained by an agency, including, but not limited to,
    education, financial transactions, medical history, and criminal or employment history and
    information which can be used to distinguish or trace an individual's identity, such as their
    name, social security number, date and place of birth, mother's maiden name, biometric
    records, etc., including any other personal information which is linked or linkable to an
    individual. [OMB]
Platform
    [Link]
    system, an execution environment which runs atop an operating system, or some
    combination of these.
Sensitive Data
    Sensitive data may include all user or enterprise data or may be specific application data
    such as emails, messaging, documents, calendar items, [Link]
    minimally include PII, credentials, [Link]
    application's TSS by the ST author.
Stack Cookie
    An anti-exploitation feature that places a value on the stack at the start of a function call,
    [Link]
    to as Stack Guard, or Stack Canaries.
Vendor
    [Link], vendors and
    [Link]
    application software.
1.3 Compliant Targets of Evaluation
The requirements in this document apply to application software which runs on mobile devices ("apps"), as
[Link], which
[Link]
[Link]
specialized applications may not be expressed as EPs at this time, though the requirements in this document
should be seen as objectives for those highly specialized applications.
Although the requirements in this document apply to a wide range of application software, consult guidance
from the relevant national schemes to determine when formal Common Criteria evaluation is expected for a
[Link]
application.
1.3.1 TOE Boundary
An application is defined as software that runs on a platform and performs tasks on behalf of the user or
[Link]
[Link], which may be an operating
system (Figure 1), an execution environment, or some combination of these (Figure 2). Some assurance
activities are specific to the particular platform on which the application runs, in order to provide precision and
[Link]
[Link].
Applications include a diverse range of software such as office suites, thin clients, PDF readers, and
[Link], even
those pieces that may extend the functionality of the underlying platform, [Link]
platforms come bundled with applications such as web browsers, email clients and media players and these
too should be considered subject to the requirements defined in this document although the expectation of
[Link], the
operating system kernel, and other systems software (and drivers) provided as part of the platform are
outside the scope of this document.
Figure 1: TOE as an Application and Kernel Module Running on an Operating System
Figure 2: TOE as an Application Running in an Execution Environment Plus Native Code
1.4 Use Cases
Requirements in this Protection Profile are designed to address the security problem in the following use
[Link], as many specific use cases exist for application software.
Many applications may be used in combinations of these broad use cases, and evaluation against Extended
Packages of this PP, when available, may be most appropriate for some application types.
[USE CASE 1] Content Creation
    The application allows a user to create content, [Link]
    content includes text documents, presentations, and images.
[USE CASE 2] Content Consumption
    The application allows a user to consume content, retrieving it from either local or remote storage.
    Example content includes web pages and video.
[USE CASE 3] Communication
    The application allows for communication interactively or non-interactively with other users or
    [Link], email,
    and voice.
[Link]
Conformance Statement
    To be conformant to this PP, a ST must demonstrate Exact Conformance, a subset of Strict
    Conformance as defined in [CC] Part 1 (ASE_CCL). The ST must include all components in this PP
    that are:
        unconditional (which are always required)
        selection-based (which are required when certain selections are chosen in the unconditional
        requirements)
    and may include components that are
        optional or
        objective.
    Unconditional requirements are found in the main body of the document, while appendices contain the
    selection-based, optional, [Link],
    but it must not include any additional component (e.g. from CC Part 2 or 3 or a PP not conformant
    with this one, or extended by the ST) [Link]
    Section 1.3 regarding more specific PPs that may extend this one.
CC Conformance Claims
    This PP is conformant to Parts 2 (extended) and 3 (extended) of Common Criteria Version 3.1,
    Revision 4. [CC].
PP Claim
    This PP does not claim conformance to any other Protection Profile.
Package Claim
    This PP does not claim conformance to any packages.
[Link]
The security problem is described in terms of the threats that the TOE is expected to address, assumptions
about the operational environment, and any organizational security policies that the TOE is expected to
enforce.
3.1 Threats
T.NETWORK_ATTACK
    An attacker is positioned on a communications channel or elsewhere on the network infrastructure.
    Attackers may engage in communications with the application software or alter communications
    between the application software and other endpoints in order to compromise it.
T.NETWORK_EAVESDROP
    An attacker is positioned on a communications channel or elsewhere on the network infrastructure.
    Attackers may monitor and gain access to data exchanged between the application and other
    endpoints.
T.LOCAL_ATTACK
    An attacker can act through unprivileged software on the same computing platform on which the
    [Link]
    of files or other local communications.
T.PHYSICAL_ACCESS
    An attacker may try to access sensitive data at rest.
3.2 Assumptions
[Link]
    [Link]
    platform and whatever runtime environment it provides to the TOE.
A.PROPER_USER
    The user of the application software is not willfully negligent or hostile, and uses the software in
    compliance with the applied enterprise security policy.
A.PROPER_ADMIN
    The administrator of the application software is not careless, willfully negligent or hostile, and
    administers the software within compliance of the applied enterprise security policy.
3.3 Organizational Security Policies
There are no OSPs for the application.
[Link]
4.1 Security Objectives for the TOE
[Link]
    Conformant TOEs ensure the integrity of their installation and update packages, and also leverage
    [Link], and the
    ability to deploy patches and updates to fielded software with integrity is critical to enterprise network
    [Link], compiler developers, execution environment vendors, and operating
    system vendors have developed execution environment-based mitigations that increase the cost to
    [Link]
    take advantage of these mechanisms by using APIs provided by the runtime environment or by
    enabling the mechanism through compiler or linker options.
    Addressed by: FDP_DEC_EXT.1, FMT_CFG_EXT.1, FPT_AEX_EXT.1, FPT_TUD_EXT.1
[Link]
    To ensure quality of implementation, conformant TOEs leverage services and APIs provided by the
    [Link]
    especially important for cryptographic services and other complex operations such as file and media
    [Link].
    Addressed by: FMT_MEC_EXT.1, FPT_API_EXT.1, FPT_LIB_EXT.1
[Link]
    To facilitate management by users and the enterprise, conformant TOEs provide consistent and
    [Link]
    deployment of applications and application updates through the use of platform-supported deployment
    mechanisms and formats, as well as providing mechanisms for configuration.
    Addressed by: FMT_SMF.1, FPT_IDV_EXT.1, FPT_TUD_EXT.1.5
O.PROTECTED_STORAGE
    To address the issue of loss of confidentiality of user data in the event of loss of physical control of the
    storage medium, [Link]
    keys stored by the TOE in order to prevent unauthorized access to this data.
    Addressed by: FDP_DAR_EXT.1, FCS_STO_EXT.1, FCS_RBG_EXT.1
O.PROTECTED_COMMS
    To address both passive (eavesdropping) and active (packet modification) network attack threats,
    [Link]
    keys, passwords, and any other data specific to the application that should not be exposed outside of
    the application.
    Addressed by: FTP_DIT_EXT.1, FCS_TLSC_EXT.1, FCS_DTLS_EXT.1, FCS_RBG_EXT.1
4.2 Security Objectives for the Operational Environment
The following security objectives for the operational environment assist the TOE in correctly providing its
[Link].
[Link]
    [Link]
    operating system and any discrete execution environment provided to the TOE.
OE.PROPER_USER
    The user of the application software is not willfully negligent or hostile, and uses the software within
    compliance of the applied enterprise security policy.
OE.PROPER_ADMIN
    The administrator of the application software is not careless, willfully negligent or hostile, and
    administers the software within compliance of the applied enterprise security policy.
4.3 Security Objectives Rationale
This section describes how the assumptions, threats, and organizational security policies map to the security
objectives.
Threat, Assumption, or OSP: T.NETWORK_ATTACK
Security Objectives: O.PROTECTED_COMMS, [Link], [Link]
Rationale:
    The threat T.NETWORK_ATTACK is countered by O.PROTECTED_COMMS as this
    provides for integrity of transmitted data.
    The threat T.NETWORK_ATTACK [Link]
    provides for integrity of software that is installed onto the system from the network.
    The threat T.NETWORK_ATTACK [Link]
    as this provides for the ability to configure the application to defend against network attack.
Threat, Assumption, or OSP: T.NETWORK_EAVESDROP
Security Objectives: O.PROTECTED_COMMS, [Link], [Link]
Rationale:
    The threat T.NETWORK_EAVESDROP is countered by O.PROTECTED_COMMS as this
    provides for confidentiality of transmitted data.
    [Link]
    use of mechanisms that provide protection against network-based attack.
    The threat T.NETWORK_EAVESDROP is [Link]
    this provides for the ability to configure the application to protect the
    confidentiality of its transmitted data.
Threat, Assumption, or OSP: T.LOCAL_ATTACK
Security Objectives: [Link]
Rationale:
    [Link]
    against the use of mechanisms that weaken the TOE with regard to attack
    by other software on the platform.
Threat, Assumption, or OSP: T.PHYSICAL_ACCESS
Security Objectives: O.PROTECTED_STORAGE
Rationale:
    The objective O.PROTECTED_STORAGE protects against unauthorized attempts
    to access physical storage used by the TOE.
Threat, Assumption, or OSP: [Link]
Security Objectives: [Link]
Rationale:
    The operational environment objective [Link] [Link].
Threat, Assumption, or OSP: A.PROPER_USER
Security Objectives: OE.PROPER_USER
Rationale:
    The operational environment objective OE.PROPER_USER is realized
    through A.PROPER_USER.
Threat, Assumption, or OSP: A.PROPER_ADMIN
Security Objectives: OE.PROPER_ADMIN
Rationale:
    The operational environment objective OE.PROPER_ADMIN is realized
    through A.PROPER_ADMIN.
[Link]
[Link]
comprise functional components from Part 2 and assurance components from Part 3 of [CC]. The following
notations are used:
    Refinement operation (denoted by bold text): is used to add details to a requirement, and thus
    further restricts a requirement.
    Selection (denoted by italicized text): is used to select one or more options provided by the [CC] in
    stating a requirement.
    Assignment operation (denoted by italicized text): is used to assign a specific value to an unspecified
    parameter, [Link]
    assignment.
    Iteration operation: are identified with a number inside parentheses (e.g. "(1)")
5.1 Security Functional Requirements
The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria
for Information Technology Security Evaluation, Version 3.1, Revision 4, with additional extended functional
components.
5.1.1 Cryptographic Support (FCS)
FCS_RBG_EXT.1 Random Bit Generation Services
FCS_RBG_EXT.1.1
The application shall [selection:
    use no DRBG functionality,
    invoke platform-provided DRBG functionality,
    implement DRBG functionality
] for its cryptographic operations.
Application Note: If implement DRBG functionality is chosen, then
additional FCS_RBG_EXT.[Link]
requirement, cryptographic operations include all cryptographic key
generation/derivation/agreement, IVs (for certain modes), as well as
protocol-specific random values.
Assurance Activity
If use no DRBG functionality is selected, the evaluator shall inspect
the application and its developer documentation and verify that the
application needs no random bit generation services.
If implement DRBG functionality is selected, the evaluator shall
ensure that additional FCS_RBG_EXT.2 elements are included in the
ST.
If invoke platform-provided DRBG functionality is selected, the
evaluation activities will be performed as stated in the following
[Link]
calls used in acquiring random from each instantiation of the RBG
used for the application'[Link]
shall ensure that random bits are acquired properly from the
[Link]:
For BlackBerry: The evaluator shall verify that the application
invokes Security Builder Crypto GSE.
For Android: The evaluator shall verify that the application uses at
[Link]
[Link]/dev/random or
/dev/urandom.
For Windows: The evaluator shall verify that BCryptGenRandom or
[Link]
[Link]
[Link],
CryptGenRandom may be removed as an option as it is no longer the
preferred API per vendor documentation.
For iOS: The evaluator shall verify that the application invokes
SecRandomCopyBytes or uses /dev/random directly to acquire
random.
For Linux: The evaluator shall verify that the application collects
random from /dev/random or /dev/urandom.
For Solaris: The evaluator shall verify that the application collects
random from /dev/random.
For Mac OS X: The evaluator shall verify that the application uses
/dev/random to acquire random.
If invocation of platform-provided functionality is achieved in
another way, the evaluator shall ensure the TSS describes how this is
carried out, and how it is equivalent to the methods listed here (e.g.
higher-level API invokes identical low-level API).
FCS_STO_EXT.1 Storage of Secrets
FCS_STO_EXT.1.1
The application shall [selection:
    not store any credentials,
    invoke the functionality provided by the platform to securely store
    [assignment: list of credentials],
    implement functionality to securely store [assignment: list of
    credentials]
] to non-volatile memory.
Application Note: This requirement ensures that persistent credentials (secret
keys, PKI private keys, or passwords) are stored securely when not in use.
If implement functionality to securely store credentials is selected, then the
following requirements must be included in the ST: FCS_COP.1(1). If other
cryptographic operations are used to implement the secure storage of
credentials, the corresponding requirements must be included in the ST.
Assurance Activity
The evaluator shall check the TSS to ensure that it lists all persistent
credentials (secret keys, PKI private keys, or passwords) needed to
[Link], the
evaluator shall confirm that the TSS lists for what purpose it is used,
and how it is stored.
For all credentials for which the application invokes platform-provided
functionality, the evaluator shall perform the following
actions which vary per platform.
For BlackBerry: The evaluator shall verify that the application uses
the BlackBerry KeyStore and Security Builder APIs to store
credentials.
For Android: The evaluator shall verify that the application uses the
Android KeyStore to store certificates.
For Windows: The evaluator shall verify that all certificates are
[Link]
that other secrets, like passwords, are stored in the Windows
Credential Manager or stored using the Data Protection API
(DPAPI). For Windows Store Apps, the evaluator shall verify that the
application is using the ProtectData class and storing credentials in
IsolatedStorage.
For iOS: The evaluator shall verify that all credentials are stored
within a Keychain.
For Linux: The evaluator shall verify that all keys are stored using
Linux keyrings.
For Solaris: The evaluator shall verify that all keys are stored using
Solaris Key Management Framework (KMF).
For Mac OS X: The evaluator shall verify that all credentials are
stored within Keychain.
5.1.2 User Data Protection (FDP)
FDP_DEC_EXT.1 Access to Platform Resources
FDP_DEC_EXT.1.1
The application shall provide user awareness of its intent to access [selection:
    no hardware resources,
    network connectivity,
    camera,
    microphone,
    location services,
    NFC,
    USB,
    Bluetooth,
    [assignment: list of additional hardware resources]
].
Application Note: The evaluator should ensure that the selection captures all
[Link]
requirement is worded in this way due to the diversity of methods by which user
awareness can be achieved, [Link]
expressed in a manner consistent with how the application expresses its access
[Link], the platform may provide
location services which implies the potential use of a variety of hardware
resources ([Link], WiFi, cellular radio) yet location services is
[Link], but
also because the actual usage may vary based on the particular platform.
Resources that do not need to be explicitly identified are those which are
ordinarily used by any application such as central processing units, main
memory, displays, input devices ([Link], mice), and persistent storage
devices provided by the platform.
Assurance Activity
The evaluator shall install and run the application and inspect its user
documentation to verify that the user is informed of any need to
[Link]
platform.
For BlackBerry: The evaluator shall install the application and run it
[Link]
[Link]: If the
user goes to: App permissions > Settings > Security and
Privacy > Application Permissions > Select application
in question, it will list which platform resources are
approved/denied and can be changed.
For Android: The evaluator shall install the application and verify
that the application displays the platform resources it would like to
[Link]
ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION,
BLUETOOTH, CAMERA, INTERNET, NFC,
READ_EXTERNAL_STORAGE, RECORD_AUDIO. A complete list
of Android permissions can be found at:
[Link]
[Link]
For Windows: For Windows Store Apps the evaluator shall check the
[Link].
The evaluator shall verify that the user is made aware of the required
[Link]
includes permissions such as ID_CAP_ISV_CAMERA,
ID_CAP_LOCATION, ID_CAP_NETWORKING,
ID_CAP_MICROPHONE, ID_CAP_PROXIMITY and so on. A
complete list of Windows App permissions can be found at:
[Link]
US/library/windows/apps/[Link]
For Windows Desktop Applications the evaluator shall verify that
either the application or the documentation provide the user with a
list of the required hardware resources.
For iOS: The evaluator shall verify that either the application or the
documentation provide the user with a list of the required hardware
resources.
For Linux: The evaluator shall verify that either the application
software or its documentation provides the user with a list of the
required hardware resources.
For Solaris: The evaluator shall verify that either the application
software or its documentation provides the user with a list of the
required hardware resources.
For Mac OS X: The evaluator shall verify that either the application
software or its documentation provides the user with a list of the
required hardware resources.
FDP_DEC_EXT.1.2
The application shall provide user awareness of its intent to access [selection:
    no sensitive information repositories,
    address book,
    calendar,
    call lists,
    system logs,
    [assignment: list of additional sensitive information repositories]
].
Application Note: Sensitive information repositories are defined as those
collections of sensitive data that could be expected to be shared among some
applications, users, or user roles, but to which not all of these would ordinarily
[Link]
captures all sensitive information repositories which the application is intended to
[Link]
by which user awareness can be achieved, which varies per platform.
Assurance Activity
The evaluator shall ensure that the selection captures all sensitive
information repositories which the application is intended to access.
The evaluator shall install and run the application software and
inspect its user documentation to verify that the user is informed of
[Link]
per platform.
For BlackBerry: The evaluator shall install the application and run it
[Link]
displays all platform resources it would like to access.
For Android: The evaluator shall install the application and verify
that the application displays the permissions used to access system
[Link]
READ_CALENDAR, READ_CALL_LOG, READ_CONTACTS,
READ_EXTERNAL_STORAGE, READ_LOGS. A complete list of
Android permissions can be found at:
[Link]
[Link]
For Windows: For Windows Store Apps the evaluator shall check the
[Link]
evaluator shall verify that the user is made aware of the required
[Link]
includes permissions such as
ID_CAP_CONTACTS, ID_CAP_APPOINTMENTS, ID_CAP_MEDIALIB
[Link]
at:
[Link]
US/library/windows/apps/[Link]
For Windows Desktop Application the evaluator shall verify that
either the application software or its documentation provides the user
with a list of the required sensitive information repositories.
For iOS: The evaluator shall verify that either the application
software or its documentation provides the user with a list
of the required sensitive information repositories.
For Linux: The evaluator shall verify that either the application
software or its documentation provides the user with a list of
required sensitive information repositories.
For Solaris: The evaluator shall verify that either the application
software or its documentation provides the user with a list of
required sensitive information repositories.
For Mac OS X: The evaluator shall verify that either the application
software or its documentation provides the user with a list of
required sensitive information repositories.
FDP_DEC_EXT.1.3
The application shall only seek access to those resources for which it has
provided a justification to access.
Assurance Activity
The evaluator shall review documentation provided by the
application developer and for each resource which it requests access
to, identify the justification as to why access is required.
FDP_DEC_EXT.1.4
The application shall restrict network communication to [selection:
    no network communication,
    user-initiated communication for [assignment: list of functions for
    which the user can initiate network communication],
    respond to [assignment: list of remotely initiated communication],
    [assignment: list of application-initiated network communication]
].
Application Note: This requirement is intended to restrict both inbound and
outbound network communications to only those required, or to network
[Link]
communications in which the application may generically access the file system
which may result in the platform accessing remotely mounted drives/shares.
Assurance Activity
The evaluator shall perform the following tests:
    Test 1: [Link]
    application is running, the evaluator shall sniff network traffic
    ignoring all non-application-associated traffic and verify that
    any network communications witnessed are documented in the
    TSS or are user-initiated.
    Test 2: [Link]
    application initializes, the evaluator shall run network port
    scans to verify that any ports opened by the application have
    been captured in the ST for the third selection and its
    [Link] (e.g.
    TCP, DCCP) as well as connectionless protocols ([Link]).
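A host-side cross-check that complements the port scan in Test 2, as an added example that is not part of the Protection Profile: it compares the listening sockets owned by the application with the ports declared for it. The process name exampleapp, the declared port list and the embedded socket listing (constructed in the layout printed by ss -H -tulnp on Linux) are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare an application's listening sockets with the
# ports declared for it in the ST.

# Constructed sample in the layout of `ss -H -tulnp`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
sample_listing() {
cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:8443       0.0.0.0:*    users:(("exampleapp",pid=4242,fd=7))
tcp   LISTEN 0      128             [::]:8443          [::]:*    users:(("exampleapp",pid=4242,fd=8))
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("exampleapp",pid=4242,fd=9))
tcp   LISTEN 0      16         127.0.0.1:9229       0.0.0.0:*    users:(("exampleapp",pid=4242,fd=11))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
EOF
}

# app_listeners NAME
#   Reads a socket listing on stdin and prints the unique "proto/port"
#   pairs whose owning process is NAME.
app_listeners() {
    awk -v name="$1" '
        index($0, "(\"" name "\",") {
            # The port follows the last colon, so [::]:8443 parses too.
            n = split($5, part, ":")
            print $1 "/" part[n]
        }' | sort -u
}

# undeclared_ports NAME "proto/port proto/port ..."
#   Prints every listener of NAME that is absent from the declared list.
undeclared_ports() {
    declared=" $2 "
    app_listeners "$1" | while IFS= read -r entry; do
        case $declared in
            *" $entry "*) ;;                 # declared in the ST
            *) printf '%s\n' "$entry" ;;     # open but not declared
        esac
    done
}

# Demo on the constructed listing; the declared list is a made-up ST entry.
sample_listing | undeclared_ports exampleapp "tcp/8443 udp/5353"
```

On a live Linux host the listing would come from ss -H -tulnp, run with enough privilege to see the owning process of each socket.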
FDP_DEC_EXT.1.5
The application shall [selection:
    not transmit PII over a network,
    require user approval before executing [assignment: list of functions
    that transmit PII over a network]
].
Application Note: This requirement only applies to PII that is specifically
requested by the application; it does not apply if the user volunteers PII without
prompting from the application into a general (or inappropriate) data field. A
dialog box that declares intent to send PII presented to the user at the time the
application is started is sufficient to meet this requirement.
Assurance Activity
The evaluator shall inspect the TSS documentation to identify
functionality in the application where PII can be transmitted, and
perform the following tests.
    Test 1: The evaluator shall run the application and exercise the
    functionality responsible for transmitting PII and verify that
    user approval is required before transmission of the PII.
FDP_DAR_EXT.1 Encryption Of Sensitive Application Data
FDP_DAR_EXT.1.1
The application shall [selection:
    leverage platform-provided functionality to encrypt sensitive data,
    implement functionality to encrypt sensitive data,
    not store any sensitive data
] in non-volatile memory.
Application Note: If implement functionality to encrypt sensitive data is
selected, then evaluation is required against the Application Software
Protection Profile Extended Package: File Encryption.
Any file that may potentially contain sensitive data (to include temporary files)
[Link]
sensitive data to non-protected files.
Assurance Activity
The evaluator shall inventory the file system locations where the
[Link]
[Link]
those areas of the file system to note where data was stored (if any),
and determine whether it has been encrypted.
If not store any sensitive data is selected, the evaluator shall inspect
the TSS and ensure that it describes how sensitive data cannot be
[Link]
this is consistent with the file system test above.
If implement functionality to encrypt sensitive data is selected, then
evaluation is required against the Application Software Protection
Profile Extended Package: [Link]
ensure that such evaluation is underway.
If leverage platform-provided functionality is selected, the
evaluation activities will be performed as stated in the following
requirements, which vary on a per-platform basis:
For BlackBerry: The evaluator shall inspect the TSS and ensure that
it describes how the application uses the Advanced Data at Rest
Protection API and how the application uses the appropriate domain
to store and protect each data file.
For Android: The evaluator shall inspect the TSS and verify that it
describes how files containing sensitive data are stored with the
MODE_PRIVATE flag set.
For Windows: The Windows platform currently does not provide
data-at-rest encryption services which depend upon invocation by
[Link]
Operational User Guidance makes the need to activate platform
encryption, such as BitLocker or Encrypting File System (EFS), clear
to the end user.
For iOS: The evaluator shall inspect the TSS and ensure that it
describes how the application uses the Complete Protection,
Protected Unless Open, or Protected Until First User Authentication
Data Protection Class for each data file stored locally.
For Linux: The Linux platform currently does not provide data-at-rest
encryption services which depend upon invocation by application
[Link]
Guidance makes the need to activate platform encryption clear to the
end user.
For Solaris: The Solaris platform currently does not provide data-at-rest
encryption services which depend upon invocation by application
[Link]
Guidance makes the need to activate platform encryption clear to the
end user.
For Mac OS X: The Mac OS X platform currently does not provide
data-at-rest encryption services which depend upon invocation by
[Link]
Operational User Guidance makes the need to activate platform
encryption clear to the end user.
5.1.3 Identification and Authentication (FIA)
5.1.4 Security Management (FMT)
FMT_MEC_EXT.1 Supported Configuration Mechanism
FMT_MEC_EXT.1.1
The application shall invoke the mechanisms recommended by the platform
vendor for storing and setting configuration options.
Application Note: Configuration options that are stored remotely are not
subject to this requirement.
Assurance Activity
The evaluator shall review the TSS to identify the application's
configuration options ([Link]) and determine whether these are
[Link]
method of doing so varies per platform.
For BlackBerry: The evaluator shall run the application and make
[Link]
check that at least one file in the app folder of the application
working directory was modified to reflect the change made.
For Android: The evaluator shall run the application and make
[Link]
check that at least one XML file at location
/data/data/package/shared_prefs/ reflects the changes made to the
configuration to verify that the application used SharedPreferences
and/or PreferenceActivity classes for storing configuration data,
where package is the Java package of the application.
For Windows: The evaluator shall determine and verify that
Windows Store App applications use either the
[Link]
IsolatedStorageSettings namespace for storing application-specific
[Link], the evaluator shall run the
application while monitoring it with the SysInternal tool ProcMon
[Link]
that ProcMon logs show corresponding changes to the Windows
Registry.
For iOS: The evaluator shall verify that the app uses the user
defaults system or key-value store for storing all settings.
For Linux: The evaluator shall run the application while monitoring
[Link]
[Link]
logs corresponding changes to configuration files that reside in /etc
(for system-specific configuration) or in the user's home directory (for
user-specific configuration).
For Solaris: The evaluator shall run the application while monitoring
[Link]
[Link]
logs corresponding changes to configuration files that reside in /etc
(for system-specific configuration) or in the user's home directory (for
user-specific configuration).
For Mac OS X: The evaluator shall verify that the application stores
and retrieves settings using the NSUserDefaults class.
FMT_CFG_EXT.1SecurebyDefaultConfiguration
FMT_CFG_EXT.1.1
Theapplicationshallonlyprovideenoughfunctionalitytosetnewcredentials
whenconfiguredwithdefaultcredentialsornocredentials.
ApplicationNote:Defaultcredentialsarecredentials(e.g.,passwords,keys)
thatareautomatically(withoutuserinteraction)loadedontotheplatformduring
[Link]
requirementslaidoutinFCS_RBG_EXT.1arenotbydefinitiondefault
credentials.
AssuranceActivity
TheevaluatorshallchecktheTSStodetermineiftheapplication
requiresanytypeofcredentialsandiftheapplicationsinstallswith
[Link]
evaluatorshallrunthefollowingtests.
Test1:Theevaluatorshallinstallandruntheapplication
withoutgeneratingorloadingnewcredentialsandverifythat
onlytheminimalapplicationfunctionalityrequiredtosetnew
credentialsisavailable.
Test2:Theevaluatorshallattempttoclearallcredentialsand
verifythatonlytheminimalapplicationfunctionalityrequired
tosetnewcredentialsisavailable.
Test3:Theevaluatorshallruntheapplication,establishnew
credentialsandverifythattheoriginaldefaultcredentialsno
longerprovideaccesstotheapplication.
FMT_CFG_EXT.1.2
Theapplicationshallbeconfiguredbydefaultwithfilepermissionswhichprotect
itanditsdatafromunauthorizedaccess.
Application Note: The precise expectations for file permissions vary per
platform but the general intention is that a trust boundary protects the application
and its data.
Assurance Activity
[Link]
shall inspect the filesystem of the platform (to the extent possible) for
any files created by the application and ensure that their permissions
[Link]
platform.
For BlackBerry: The evaluator shall run ls -alR|grep -E '^.......(r|-w|--x)'
inside the application's data directories to
ensure that all files are not world-accessible (either read, write, or
execute). [Link]
also verify that no sensitive data is written to external storage which
could be read/modified by any other application.
For Android: The evaluator shall run ls -alR|grep -E '^.......(r|-w|--x)'
inside the application's data directories to ensure that
all files are not world-accessible (either read, write, or execute). The
[Link]
that no sensitive data is written to external storage as this data can
be read/modified by any application containing the
READ_EXTERNAL_STORAGE and/or
WRITE_EXTERNAL_STORAGE permissions.
For Windows: The evaluator shall run the SysInternals tools, Process
Monitor and Access Check (or tools of equivalent capability, like
[Link]) for Classic Desktop applications to verify that files written
to disk during an application's installation have the correct file
permissions, such that a standard user cannot modify the application
[Link]
the requirement met because of the AppContainer sandbox.
For iOS: The evaluator shall determine whether the application
leverages the appropriate Data Protection Class for each data file
stored locally.
For Linux: The evaluator shall run the command find . -perm /007
inside the application's data directories to ensure that all files
are not world-accessible (either read, write, or execute). The
command should not print any files.
For Solaris: The evaluator shall run the command find . \( -perm -001 -o -perm -002 -o -perm -004 \) inside the
application's data directories to ensure that all files are not world-accessible
(either read, write, or execute). The command should not
print any files.
For Mac OS X: The evaluator shall run the command find . -perm +007
inside the application's data directories to ensure that all files
are not world-accessible (either read, write, or execute). The
command should not print any files.
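The ls/grep and find checks above both test the three "other" permission bits, but they are not equivalent in every case. The following added example (not part of the Protection Profile) performs the mode-bit test directly and enumerates the modes that an ls-based pattern anchored at line start, `^.......(r|-w|--x)`, fails to report; the function names are hypothetical.

```python
import os
import re
import stat

# The ls-based check: skip the type character plus the owner and group
# triplets (7 characters), then test the "other" triplet.
LS_PATTERN = re.compile(r"^.......(r|-w|--x)")
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH  # 0o007, as in find -perm /007


def world_access(mode):
    """Return the subset of 'rwx' that the mode grants to other users."""
    flags = ((stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))
    return "".join(letter for bit, letter in flags if mode & bit)


def find_world_accessible(root):
    """Walk root without following symlinks; return sorted [(path, granted)]."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # on Linux a symlink's own mode bits play no part in access checks
        if st.st_mode & WORLD_BITS:
            findings.append((path, world_access(st.st_mode)))
    return sorted(findings)


def modes_missed_by_ls_pattern():
    """Modes with a world bit set whose ls-style string the pattern rejects."""
    missed = []
    for mode in range(0o10000):  # all 12 bits, including setuid/setgid/sticky
        listing = stat.filemode(stat.S_IFREG | mode)
        if mode & WORLD_BITS and not LS_PATTERN.match(listing):
            missed.append(mode)
    return missed


if __name__ == "__main__":
    missed = modes_missed_by_ls_pattern()
    print(len(missed), "modes slip past the ls/grep pattern, e.g.",
          oct(missed[0]), stat.filemode(stat.S_IFREG | missed[0]))
    for path, granted in find_world_accessible("."):
        print(f"{granted:3} {path}")
```

The modes the pattern misses are those with the sticky bit set and world-execute as the only world permission, which ls renders as `--t`; the mode-bit test used by find reports them.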
FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1
The TSF shall be capable of performing the following management functions
[selection:
no management functions,
enable/disable the transmission of any information describing the
system's hardware, software, or configuration,
enable/disable the transmission of any PII,
enable/disable transmission of any application state ([Link])
information,
enable/disable network backup functionality to [assignment: list of
enterprise or commercial cloud backup systems],
[assignment: list of other management functions to be provided by
the TSF]
].
Application Note: This requirement stipulates that an application needs to
provide the ability to enable/disable only those functions that it actually
[Link]
platform or other applications.
Assurance Activity
The evaluator shall verify that every management function mandated
by the PP is described in the operational guidance and that the
description contains the information required to perform the
[Link]
evaluator shall test the application's ability to provide the
management functions by configuring the application and testing
[Link]
these functions in all the ways in which the ST and guidance
documentation state the configuration can be managed.
5.1.5 Protection of the TSF (FPT)
FPT_API_EXT.1 Use of Supported Services and APIs
FPT_API_EXT.1.1
The application shall only use supported platform APIs.
Application Note: The definition of supported may vary depending upon
whether the application is provided by a third party (who relies upon
documented platform APIs) or by a platform vendor who may be able to
guarantee support for platform APIs which are not externally documented.
Assurance Activity
The evaluator shall verify that the TSS lists the platform APIs used in
[Link]
supported APIs ([Link], platform
developer groups) and ensure that all APIs listed in the TSS are
supported.
FPT_AEX_EXT.1 Anti-Exploitation Capabilities
FPT_AEX_EXT.1.1
The application shall not request to map memory at an explicit address except
for [assignment: list of explicit exceptions].
Application Note: Requesting a memory mapping at an explicit address
subverts address space layout randomization (ASLR).
Assurance Activity
The evaluator shall ensure that the TSS describes the compiler flags
[Link]
shall perform either a static or dynamic analysis to determine that no
memory mappings are placed at an explicit and consistent address.
The method of doing so varies per platform.
For BlackBerry: The evaluator shall run the same application on
two different BlackBerry systems and run a tool that will list all
[Link]
then verify the two different instances share no mapping locations.
For Android: The evaluator shall run the same application on two
[Link]
/proc/PID/[Link]
locations.
For Windows: The evaluator shall run the same application on two
different Windows systems and run a tool that will list all memory
[Link]
[Link]
Microsoft sysinternals tool, VMMap, could be used to view memory
[Link]
such as Microsoft's BinScope Binary Analyzer to confirm that the
application has ASLR enabled.
For iOS: The evaluator shall perform a static analysis to search for
any mmap calls (or API calls that call mmap), and ensure that no
arguments are provided that request a mapping at a fixed address.
For Linux: The evaluator shall run the same application on two
[Link]
memory maps using pmap -x PID to ensure the two different
instances share no mapping locations.
For Solaris: The evaluator shall run the same application on two
[Link]
memory maps using pmap -x PID to ensure the two different
instances share no mapping locations.
For Mac OS X: The evaluator shall run the same application on two
[Link]
memory maps using vmmap PID to ensure the two different instances
share no mapping locations.
FPT_AEX_EXT.1.2
The application shall [selection:
not allocate any memory region with both write and execute
permissions,
allocate memory regions with write and execute permissions for only
[assignment: list of functions performing just-in-time compilation]
].
Application Note: Requesting a memory mapping with both write and execute
[Link]
performs no just-in-time compiling, then the first selection must be chosen.
Assurance Activity
The evaluator shall verify that no memory mapping requests are
[Link]
varies per platform.
For BlackBerry: The evaluator shall perform static analysis on the
application to verify that
mmap is never invoked with both the PROT_WRITE and
PROT_EXEC permissions, and
mprotect is never invoked.
For Android: The evaluator shall perform static analysis on the
application to verify that
mmap is never invoked with both the PROT_WRITE and
PROT_EXEC permissions, and
mprotect is never invoked.
For Windows: The evaluator shall use a tool such as Microsoft's
BinScope Binary Analyzer to confirm that the application passes the
[Link] /NXCOMPAT flag
was used during compilation to verify that DEP protections are
enabled for the application.
For iOS: The evaluator shall perform static analysis on the
application to verify that mprotect is never invoked with the
PROT_EXEC permission.
For Linux: The evaluator shall perform static analysis on the
application to verify that both
mmap is never invoked with both the PROT_WRITE and
PROT_EXEC permissions, and
mprotect is never invoked with the PROT_EXEC permission.
For Solaris: The evaluator shall perform static analysis on the
application to verify that both
mmap is never invoked with both the PROT_WRITE and
PROT_EXEC permissions, and
mprotect is never invoked with the PROT_EXEC permission.
For Mac OS X: The evaluator shall perform static analysis on the
application to verify that mprotect is never invoked with the
PROT_EXEC permission.
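The two-run comparison for FPT_AEX_EXT.1.1 and a runtime cross-check for FPT_AEX_EXT.1.2 can share one parser. The following added example (not part of the Protection Profile) assumes memory map listings in the Linux /proc/PID/maps text format; both captures are constructed sample data and the function names are hypothetical.

```python
import re
from collections import namedtuple

Mapping = namedtuple("Mapping", "start end perms path")

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

# The legacy vsyscall page sits at the same address in every x86-64 Linux
# process no matter what the application requests, so it is not a finding.
KERNEL_FIXED = {"[vsyscall]"}

# Constructed capture from system A.
RUN_A = """\
10000000-10010000 rw-p 00000000 00:00 0
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 131 /opt/app/bin/app
7f3a1d400000-7f3a1d5c0000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7f3a1e000000-7f3a1e004000 rwxp 00000000 00:00 0
7ffd4a1de000-7ffd4a1ff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""

# Constructed capture of the same application from system B.
RUN_B = """\
10000000-10010000 rw-p 00000000 00:00 0
5606e7400000-5606e7421000 r-xp 00000000 08:01 131 /opt/app/bin/app
7fb2c9800000-7fb2c99c0000 r-xp 00000000 08:01 977 /usr/lib/libc.so.6
7fb2ca600000-7fb2ca604000 rwxp 00000000 00:00 0
7ffe0b3c2000-7ffe0b3e3000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


def parse_maps(text):
    """Parse maps-format text into Mapping tuples, skipping unparseable lines."""
    mappings = []
    for line in text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if not match:
            continue
        start, end, perms, path = match.groups()
        mappings.append(Mapping(int(start, 16), int(end, 16), perms, path.strip()))
    return mappings


def shared_locations(run_a, run_b):
    """Mappings from run_a whose start address also appears in run_b."""
    starts_b = {m.start for m in run_b if m.path not in KERNEL_FIXED}
    return [m for m in run_a
            if m.start in starts_b and m.path not in KERNEL_FIXED]


def writable_and_executable(run):
    """Mappings that are simultaneously writable and executable."""
    return [m for m in run if "w" in m.perms and "x" in m.perms]


if __name__ == "__main__":
    a, b = parse_maps(RUN_A), parse_maps(RUN_B)
    for m in shared_locations(a, b):
        print(f"same address in both runs: {m.start:#x} {m.perms} {m.path or '[anon]'}")
    for m in writable_and_executable(a):
        print(f"write+execute mapping:     {m.start:#x} {m.perms} {m.path or '[anon]'}")
```

A main executable that is not position-independent loads at the same base on every run and is reported by `shared_locations` as well.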
FPT_AEX_EXT.1.3
The application shall be compatible with security features provided by the
platform vendor.
Application Note: This requirement is designed to ensure that platform security
features do not need to be disabled in order for the application to run.
Assurance Activity
The evaluator shall configure the platform in the ascribed manner
and carry out one of the prescribed tests:
For BlackBerry: The evaluator shall ensure that the application can
successfully run on the latest version of the BlackBerry OS.
For Android: The evaluator shall ensure that the application can run
with SE for Android enabled and enforcing.
For Windows: For both classic desktop and Windows Store
applications, the evaluator shall configure the latest version of
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to
[Link]
and verify that the application does not crash while protected by
EMET.
For iOS: The evaluator shall ensure that the application can
successfully run on the latest version of iOS.
For Linux: The evaluator shall ensure that the application can
successfully run on a system with SELinux enabled and enforcing.
For Solaris: The evaluator shall ensure that the application can run
with Solaris Trusted Extensions enabled and enforcing.
For Mac OS X: The evaluator shall ensure that the application can
successfully run on the latest version of OS X.
FPT_AEX_EXT.1.4
The application shall not write user-modifiable files to directories that contain
executable files unless explicitly directed by the user to do so.
Application Note: Executables and user-modifiable files may not share the
same parent directory, but may share directories above the parent.
Assurance Activity
The evaluator shall run the application and determine where it writes
[Link], the
evaluator shall check whether the destination directory contains
[Link]:
For BlackBerry: The evaluator shall consider the requirement met
because the platform forces applications to write all data within the
application working directory (sandbox).
For Android: The evaluator shall run the program, mimicking
normal usage, [Link]
shall ensure that there are no executable files stored under
/data/data/package/ where package is the Java package of the
application.
For Windows: For Windows Store Apps the evaluator shall consider
the requirement met because the platform forces applications to write
all data within the application working directory (sandbox). For
Windows Desktop Applications the evaluator shall run the program,
mimicking normal usage, [Link]
evaluator shall ensure that there are no executable files stored in the
same directories to which the application wrote and no data files in
the application's install directory.
For iOS: The evaluator shall consider the requirement met because
the platform forces applications to write all data within the
application working directory (sandbox).
For Linux: The evaluator shall run the program, mimicking normal
usage, [Link]
that there are no executable files stored in the same directories to
which the application wrote.
For Solaris: The evaluator shall run the program, mimicking normal
usage, [Link]
that there are no executable files stored in the same directories to
which the application wrote.
For Mac OS X: The evaluator shall run the program, mimicking
normal usage, [Link]
shall ensure that there are no executable files stored in the same
directories to which the application wrote.
FPT_AEX_EXT.1.5
The application shall be compiled with stack-based buffer overflow protection
enabled.
Assurance Activity
The evaluator shall ensure that the TSS section of the ST describes
the compiler flag used to enable stack-based buffer overflow
[Link]
analysis to verify that stack-based buffer overflow protection is
[Link]:
For BlackBerry: The evaluator shall ensure that the -fstack
[Link]
protector-all flag is preferred but -fstack-protector-strong is
acceptable.
For Android: Applications that are entirely Java run in the Java
[Link]
applications using Java Native Interface (JNI), the evaluator shall
[Link] -fstack-protector-all flag is
preferred but -fstack-protector-strong is acceptable.
For Windows: The evaluator shall review the TSS and verify that the
/[Link],
like BinScope, that can verify the correct usage of /GS.
For iOS: If the application is compiled using GCC or Xcode, the
[Link] -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable.
If the application is built using any other compiler, then the evaluator
shall determine that appropriate stack protection has been used
during the build process.
For Linux: If the application is compiled using GCC, the evaluator
[Link] -fstack-protector-all flag is
[Link]
application is built using clang, it must be compiled and linked with
the -fsanitize=[Link]
other compiler, then the evaluator shall determine that appropriate
stack protection has been used during the build process.
For Solaris: If the application is compiled using GCC, the evaluator
[Link] -fstack-protector-all flag is
[Link]
application is built using clang, it must be compiled and linked with
the -fsanitize=[Link]
other compiler, then the evaluator shall determine that appropriate
stack protection has been used during the build process.
For Mac OS X: If the application is compiled using GCC or Xcode,
[Link] -fstack-protector-all flag is preferred but -fstack-protector-strong is acceptable.
If the application is built using any other compiler, then the evaluator
shall determine that appropriate stack protection has been used
during the build process.
FPT_TUD_EXT.1 Integrity for Installation and Update
FPT_TUD_EXT.1.1
The application shall [selection: provide the ability, leverage the platform] to
check for updates and patches to the application software.
Application Note: This requirement is about the ability to "check" for updates.
[Link]
requirement is intended to ensure that the application can check for updates
provided by the vendor, as updates provided by another source may contain
malicious code.
Assurance Activity
The evaluator shall check for an update using procedures described
in the documentation and verify that the application does not issue an
[Link]
requirement is considered to be met.
FPT_TUD_EXT.1.2
The application shall be distributed using the format of the platform-supported
package manager.
Assurance Activity
The evaluator shall verify that application updates are distributed in
[Link]:
For BlackBerry: The evaluator shall ensure that the application is
packaged in the Blackberry (BAR) format.
For Android: The evaluator shall ensure that the application is
packaged in the Android application package (APK) format.
For Windows: The evaluator shall ensure that the application is
packaged in the Standard Windows Installer (MSI) format or the
Windows App Store package (APPX) format.
For iOS: The evaluator shall ensure that the application is packaged
in the IPA format.
For Linux: The evaluator shall ensure that the application is
packaged in the format of the package management infrastructure of
[Link], applications running on Red
Hat and Red Hat derivatives should be packaged in RPM format.
Applications running on Debian and Debian derivatives should be
packaged in deb format.
For Solaris: The evaluator shall ensure that the application is
packaged in the PKG format.
For Mac OS X: The evaluator shall ensure that application is
packaged in the DMG format, the PKG format, or the MPKG
format.
FPT_TUD_EXT.1.3
The application shall be packaged such that its removal results in the deletion of
all traces of the application, with the exception of configuration settings, output
files, and audit/log events.
Application Note: Applications bundled with the system/firmware image are
not subject to this requirement if the user is unable to remove the application
through means provided by the OS.
Assurance Activity
The evaluator shall record the path of every file on the entire
filesystem prior to installation of the application, and then install and
[Link], the evaluator shall then uninstall the
application, and compare the resulting filesystem to the initial record
to verify that no files, other than configuration, output, and audit/log
files, have been added to the filesystem.
FPT_TUD_EXT.1.4
The application shall not download, modify, replace or update its own binary
code.
Application Note: This requirement applies to the code of the application; it
does not apply to mobile code technologies that are designed for download and
execution by the application.
Assurance Activity
The evaluator shall verify that the application's executable files are
[Link]
following test:
Test 1: The evaluator shall install the application and then
[Link], for
each file, save off either a hash of the file or a copy of the file
[Link]
[Link]
evaluator shall then compare each executable file with the
[Link]
evaluator shall verify that these are identical.
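Both the before/after filesystem record of FPT_TUD_EXT.1.3 and the executable comparison of FPT_TUD_EXT.1.4 Test 1 reduce to taking two snapshots of a directory tree and diffing them. The following added example (not part of the Protection Profile) records a SHA-256 hash per file; treating a file as executable when it has an execute bit or an ELF or PE header is an assumption of this sketch, and the function names are hypothetical.

```python
import hashlib
import os
import stat

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
MAGIC = (b"\x7fELF", b"MZ")  # ELF and PE headers; extend for other formats


def snapshot(root):
    """Map each regular file under root (relative path) to (sha256, executable)."""
    record = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                head = handle.read(4)
                digest.update(head)
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            executable = bool(st.st_mode & EXEC_BITS) or head.startswith(MAGIC)
            record[os.path.relpath(path, root)] = (digest.hexdigest(), executable)
    return record


def compare(before, after):
    """Diff two snapshots; executables are reported separately."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p][0] != after[p][0])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        # FPT_TUD_EXT.1.4: both lists must be empty after exercising the application
        "modified_executables": [p for p in modified
                                 if before[p][1] or after[p][1]],
        "added_executables": [p for p in added if after[p][1]],
    }


if __name__ == "__main__":
    import sys
    import tempfile

    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    baseline = snapshot(root)
    input(f"Baseline of {len(baseline)} files taken; exercise the application, then press Enter ")
    for key, paths in compare(baseline, snapshot(root)).items():
        print(key, paths)
```

For the uninstall check, the snapshot taken before installation is compared with one taken after removal, and every path under `added` has to be a configuration, output or audit/log file.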
FPT_TUD_EXT.1.5
The application shall [selection, at least one of: provide the ability, leverage
the platform] to query the current version of the application software.
Assurance Activity
The evaluator shall query the application for the current version of
the software according to the operational user guidance
(AGD_OPE.1) and shall verify that the current version matches that
of the documented and installed version.
FPT_TUD_EXT.1.6
The application installation package and its updates shall be digitally signed such
that its platform can cryptographically verify them prior to installation.
Application Note: The specifics of the verification of installation packages and
updates involves requirements on the platform (and not the application), so these
are not fully specified here.
Assurance Activity
The evaluator shall verify that the TSS identifies how the application
installation package and updates to it are signed by an authorized
[Link]
[Link] (or the
operational guidance) describes how candidate updates are obtained.
FPT_LIB_EXT.1 Use of Third Party Libraries
FPT_LIB_EXT.1.1
The application shall be packaged with only [assignment: list of third-party
libraries].
Application Note: The intention of this requirement is for the evaluator to
discover and document whether the application is including unnecessary or
[Link]
present a privacy threat, as well as ensuring documentation of such libraries in
case vulnerabilities are later discovered.
Assurance Activity
The evaluator shall install the application and survey its installation
[Link]
libraries found to be packaged with or employed by the application
are limited to those in the assignment.
5.1.6 Trusted Path/Channel (FTP)
FTP_DIT_EXT.1 Protection of Data in Transit
FTP_DIT_EXT.1.1
The application shall [selection:
not transmit any data,
not transmit any sensitive data,
encrypt all transmitted sensitive data with [selection, at least one of:
HTTPS, TLS, DTLS],
encrypt all transmitted data with [selection, at least one of: HTTPS,
TLS, DTLS]
] between itself and another trusted IT product.
Application Note: Extended packages may override this requirement to
[Link]
transmitting data that is not sensitive.
If HTTPS is selected, then evaluation of elements from FCS_TLSC_EXT.1 is
required.
If TLS is selected, then evaluation of elements from FCS_HTTPS_EXT.1 is
required.
If DTLS is selected, then evaluation of elements from FCS_DTLS_EXT.1 is
required.
Assurance Activity
The evaluator shall perform the following tests.
Test 1: The evaluator shall exercise the application (attempting
to transmit data for example by connecting to remote systems
or websites) [Link]
evaluator shall verify from the packet capture that the traffic is
encrypted with HTTPS, TLS or DTLS in accordance with the
selection in the ST.
Test 2: The evaluator shall exercise the application (attempting
to transmit data for example by connecting to remote systems
or websites) [Link]
evaluator shall review the packet capture and verify that no
sensitive data is transmitted in the clear.
Test 3: The evaluator shall inspect the TSS to determine if user
[Link]
[Link]
evaluator shall capture packets from the application while
causing credentials to be transmitted as described in the TSS.
The evaluator shall perform a string search of the captured
network packets and verify that the plaintext credential
previously set by the evaluator is not found.
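The string search in Test 3 can be run directly over a capture file. The following added example (not part of the Protection Profile) reads a classic pcap file and searches every captured packet for the credential; it goes slightly beyond a literal string search by also looking for the UTF-16LE and URL-encoded forms of the same credential. The capture and the credential are constructed sample data and the function names are hypothetical.

```python
import struct
from urllib.parse import quote

# First four bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}


def read_pcap(data):
    """Yield the captured bytes of each record in a classic (non-pcapng) capture."""
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(
            order + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def credential_forms(secret):
    """Byte strings that all reveal the credential without any key."""
    forms = {}
    for label, encoded in (
            ("utf-8", secret.encode("utf-8")),
            ("utf-16le", secret.encode("utf-16-le")),
            ("url-encoded", quote(secret, safe="").encode("ascii"))):
        forms.setdefault(encoded, label)  # identical encodings are searched once
    return forms


def find_credential(pcap_bytes, secret):
    """Return [(packet_index, form_label)] for every packet exposing the secret."""
    forms = credential_forms(secret)
    hits = []
    for index, packet in enumerate(read_pcap(pcap_bytes)):
        for needle, label in forms.items():
            if needle in packet:
                hits.append((index, label))
    return hits


def build_sample_capture(secret):
    """Constructed three-packet capture: two cleartext leaks, one opaque record."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    filler = b"\x00" * 54  # stand-in for Ethernet/IP/TCP headers
    frames = [
        filler + b'POST /login HTTP/1.1\r\n\r\n{"user":"eval","password":"'
        + secret.encode("utf-8") + b'"}',
        filler + b"GET /auth?user=eval&pw="
        + quote(secret, safe="").encode("ascii") + b" HTTP/1.1\r\n",
        filler + b"\x17\x03\x03\x00\x20"
        + bytes((i * 37 + 11) % 256 for i in range(32)),
    ]
    body = b"".join(
        struct.pack("<IIII", 1414000000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + body


if __name__ == "__main__":
    SECRET = "Tr0ub4dor&3"  # constructed test credential set by the evaluator
    for index, form in find_credential(build_sample_capture(SECRET), SECRET):
        print(f"packet {index}: credential visible as {form}")
```

The search is per packet, so a credential split across two TCP segments or sent inside a compressed body is not found; reassemble and decode the streams before searching in those cases.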
5.2 Security Assurance Requirements
The Security Objectives for the TOE in Section 5 were constructed to address threats identified in Section
[Link] (SFRs) in Section 5.1 are a formal instantiation of the Security
[Link] (SARs) to frame the extent to which the
evaluator assesses the documentation applicable for the evaluation and performs independent testing.
[Link]
Assurance Activities (AAs) to be performed are specified both in Section 5 as well as in this section.
The general model for evaluation of TOEs against STs written to conform to this PP is as follows:
After the ST has been approved for evaluation, the Information Technology Security Evaluation Facility
(ITSEF) will obtain the TOE, supporting environmental IT, and the administrative/user guides for the TOE.
The ITSEF is expected to perform actions mandated by the Common Evaluation Methodology (CEM) for
the ASE and ALC SARs. The ITSEF also performs the Assurance Activities contained within Section 5,
which are intended to be an interpretation of the other CEM assurance requirements as they apply to the
specific technology instantiated in the TOE. The Assurance Activities that are captured in Section 5 also
provide clarification as to what the developer needs to provide to demonstrate the TOE is compliant with the
PP.
5.2.1 Class ASE: Security Target
As per ASE activities defined in [CEM].
5.2.2 Class ADV: Development
The information about the TOE is contained in the guidance documentation available to the end user as well
[Link]
[Link]
5.1 should provide the ST authors with sufficient information to determine the appropriate content for the TSS
section.
ADV_FSP.1 Basic Functional Specification (ADV_FSP.1)
ADV_FSP.1.1D
The developer shall provide a functional specification.
ADV_FSP.1.2D
The developer shall provide a tracing from the functional specification to the
SFRs.
Application Note: As indicated in the introduction to this section, the functional
specification is comprised of the information contained in the AGD_OPE and
AGD_PRE documentation. The developer may reference a website accessible
[Link]
functional requirements point to evidence that should exist in the documentation
and TSS section since these are directly associated with the SFRs, the tracing in
element ADV_FSP.1.2D is implicitly already done and no additional
documentation is necessary.
ADV_FSP.1.1C
The functional specification shall describe the purpose and method of use for
each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.2C
The functional specification shall identify all parameters associated with each
SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.3C
The functional specification shall provide rationale for the implicit categorization
of interfaces as SFR-non-interfering.
ADV_FSP.1.4C
The tracing shall demonstrate that the SFRs trace to TSFIs in the functional
specification.
ADV_FSP.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
ADV_FSP.1.2E
The evaluator shall determine that the functional specification is an accurate and
complete instantiation of the SFRs.
5.2.3 Class AGD: Guidance Documentation
[Link]
[Link]
[Link]
[Link]
instructions to successfully install the TSF in that environment and Instructions to manage the security of the
[Link]
security functionality is also provided; requirements on such guidance are contained in the assurance activities
specified with each requirement.
AGD_OPE.1 Operational User Guidance (AGD_OPE.1)
AGD_OPE.1.1D
The developer shall provide operational user guidance.
Application Note: The operation user guidance does not have to be contained
[Link], administrators and application
[Link],
the guidance documentation is expressed in the eXtensible Configuration
Checklist Description Format (XCCDF) [Link]
than repeat information here, the developer should review the assurance
activities for this component to ascertain the specifics of the guidance that the
[Link]
preparation of acceptable guidance.
AGD_OPE.1.1C
The operational user guidance shall describe, for each user role, the user-accessible
functions and privileges that should be controlled in a secure
processing environment, including appropriate warnings.
Application Note: User and administrator are to be considered in the definition
of user role.
AGD_OPE.1.2C
The operational user guidance shall describe, for each user role, how to use the
available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C
The operational user guidance shall describe, for each user role, the available
functions and interfaces, in particular all security parameters under the control of
the user, indicating secure values as appropriate.
AGD_OPE.1.4C
The operational user guidance shall, for each user role, clearly present each type
of security-relevant event relative to the user-accessible functions that need to be
performed, including changing the security characteristics of entities under the
control of the TSF.
AGD_OPE.1.5C
The operational user guidance shall identify all possible modes of operation of
the TOE (including operation following failure or operational error), their
consequences, and implications for maintaining secure operation.
AGD_OPE.1.6C
The operational user guidance shall, for each user role, describe the security
measures to be followed in order to fulfill the security objectives for the
operational environment as described in the ST.
AGD_OPE.1.7C
The operational user guidance shall be clear and reasonable.
AGD_OPE.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
Assurance Activity
Some of the contents of the operational guidance will be verified by
the assurance activities in Section 5.1 and evaluation of the TOE
according to the [CEM]. The following additional information is also
[Link], the
operational guidance shall contain instructions for configuring the
cryptographic engine associated with the evaluated configuration of
[Link]
other cryptographic engines was not evaluated nor tested during the
[Link]
process for verifying updates to the TOE by verifying a digital
signature; this may be done by the TOE or the underlying platform.
The evaluator shall verify that this process includes the following
steps: [Link]
instructions for making the update accessible to the TOE (e.g.,
placement in a specific directory). Instructions for initiating the
update process, as well as discerning whether the process was
[Link]
hash/[Link]
functionality that does not fall in the scope of evaluation under this
[Link]
which security functionality is covered by the evaluation activities.
AGD_PRE.1 Preparative Procedures (AGD_PRE.1)
AGD_PRE.1.1D
The developer shall provide the TOE, including its preparative procedures.
Application Note: As with the operational guidance, the developer should look
to the assurance activities to determine the required content with respect to
preparative procedures.
AGD_PRE.1.1C
The preparative procedures shall describe all the steps necessary for secure
acceptance of the delivered TOE in accordance with the developer's delivery
procedures.
AGD_PRE.1.2C
The preparative procedures shall describe all the steps necessary for secure
installation of the TOE and for the secure preparation of the operational
environment in accordance with the security objectives for the operational
environment as described in the ST.
AGD_PRE.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
AGD_PRE.1.2E
The evaluator shall apply the preparative procedures to confirm that the TOE
can be prepared securely for operation.
Assurance Activity
As indicated in the introduction above, there are significant
expectations with respect to the documentation especially when
configuring the operational environment to support TOE functional
[Link]
provided for the TOE adequately addresses all platforms claimed for
the TOE in the ST.
5.2.4 Class ALC: Lifecycle Support
At the assurance level provided for TOEs conformant to this PP, lifecycle support is limited to end-user-visible
aspects of the lifecycle, rather than an examination of the TOE vendor's development and
[Link]
play in contributing to the overall trustworthiness of a product; rather, it is a reflection on the information to be
made available for evaluation at this assurance level.
ALC_CMC.1 Labeling of the TOE (ALC_CMC.1)
ALC_CMC.1.1D
The developer shall provide the TOE and a reference for the TOE.
ALC_CMC.1.1C
The TOE shall be labeled with a unique reference.
Application Note: Unique reference information includes:
Application Name
Application Version
Application Description
Platform on which Application Runs
Software Identification (SWID) tags, if available
ALC_CMC.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
Assurance Activity
The evaluator shall check the ST to ensure that it contains an
identifier (such as a product name/version number) that specifically
[Link],
the evaluator shall check the AGD guidance and TOE samples
received for testing to ensure that the version number is consistent
[Link]
TOE, the evaluator shall examine the information on the website to
ensure that the information in the ST is sufficient to distinguish the
product.
ALC_CMS.1 TOE CM Coverage (ALC_CMS.1)
ALC_CMS.1.1D
The developer shall provide a configuration list for the TOE.
ALC_CMS.1.1C
The configuration list shall include the following: the TOE itself and the
evaluation evidence required by the SARs.
ALC_CMS.1.2C
The configuration list shall uniquely identify the configuration items.
ALC_CMS.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
Assurance Activity
The "evaluation evidence required by the SARs" in this PP is limited
to the information in the ST coupled with the guidance provided to
[Link]
that the TOE is specifically identified and that this identification is
consistent in the ST and in the AGD guidance (as done in the
assurance activity for ALC_CMC.1), the evaluator implicitly
[Link]
support is targeted aspects of the developer's lifecycle and
instructions to providers of applications for the developer's devices,
rather than an in-depth examination of the TSF manufacturer's
[Link]
meant to diminish the critical role that a developer's practices play in
contributing to the overall trustworthiness of a product; rather, it's a
reflection on the information to be made available for evaluation.
The evaluator shall ensure that the developer has identified (in
guidance documentation for application developers concerning the
targeted platform) one or more development environments
appropriate for use in developing applications for the developer's
[Link], the developer
shall provide information on how to configure the environment to
ensure that buffer overflow protection mechanisms in the
environment(s) are invoked (e.g., compiler flags). The evaluator shall
ensure that this documentation also includes an indication of whether
such protections are on by default, or have to be specifically enabled.
The evaluator shall ensure that the TSF is uniquely identified (with
respect to other products from the TSF vendor), and that
documentation provided by the developer in association with the
requirements in the ST is associated with the TSF using this unique
identification.
ALC_TSU_EXT.1 Timely Security Updates
ALC_TSU_EXT.1.1D
The developer shall provide a description in the TSS of how timely security
[Link]
their products for purposes of fixing security vulnerabilities.
ALC_TSU_EXT.1.2D
The developer shall provide a description in the TSS of how users are notified
when updates change security properties or the configuration of the product.
ALC_TSU_EXT.1.1C
The description shall include the process for creating and deploying security
updates for the TOE software.
ALC_TSU_EXT.1.2C
The description shall express the time window as the length of time, in days,
between public disclosure of a vulnerability and the public availability of security
updates to the TOE.
ALC_TSU_EXT.1.3C
The description shall include the mechanisms publicly available for reporting
[Link]
websites, email addresses, as well as a means to protect the sensitive nature of
the report (e.g., public keys that could be used to encrypt the details of a
proof-of-concept exploit).
ALC_TSU_EXT.2.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
Assurance Activity
The evaluator shall verify that the TSS contains a description of the
timely security update process used by the developer to create and
[Link]
[Link]
verify that, in addition to the TOE developer's process, any third
[Link]
shall also verify that each mechanism for deployment of security
updates is described.
The evaluator shall verify that, for each deployment mechanism
described for the update process, the TSS lists a time between public
disclosure of a vulnerability and public availability of the security
update to the TOE patching this vulnerability, to include any third
[Link]
this time is expressed in a number or range of days.
The evaluator shall verify that this description includes the publicly
available mechanisms (including either an email address or website)
[Link]
verify that the description of this mechanism includes a method for
protecting the report either using a public key for encrypting email or
a trusted channel for a website.
5.2.5 Class ATE: Tests
Testing is specified for functional aspects of the system as well as aspects that take advantage of design or
implementation weaknesses. The former is done through the ATE_IND family, while the latter is through the
AVA_VAN family. At the assurance level specified in this PP, testing is based on advertised functionality and
[Link]
evaluation process is the test report as specified in the following requirements.
ATE_IND.1 Independent Testing Conformance (ATE_IND.1)
ATE_IND.1.1D
The developer shall provide the TOE for testing.
ATE_IND.1.1C
The TOE shall be suitable for testing.
ATE_IND.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
ATE_IND.1.2E
The evaluator shall test a subset of the TSF to confirm that the TSF operates as
specified.
Application Note: The evaluator shall test the application on the most current
fully patched version of the platform.
Assurance Activity
The evaluator shall prepare a test plan and report documenting the
testing aspects of the system, including any application crashes
[Link]
[Link]
test plan covers all of the testing actions contained in the [CEM] and
the body of this PP's Assurance Activities.
While it is not necessary to have one test case per test listed in an
Assurance Activity, the evaluator must document in the test plan that
[Link]
plan identifies the platforms to be tested, and for those platforms not
included in the test plan but included in the ST, the test plan provides
[Link]
address the differences between the tested platforms and the untested
platforms, and make an argument that the differences do not affect
[Link]
[Link]
platforms claimed in the ST are tested, then no rationale is necessary.
The test plan describes the composition of each platform to be tested,
and any setup that is necessary beyond what is contained in the AGD
[Link]
follow the AGD documentation for installation and setup of each
platform either as part of a test or as a standard pre-test condition.
[Link],
an argument (not just an assertion) should be provided that the
driver or tool will not adversely affect the performance of the
functionality by the TOE and its platform.
This also includes the configuration of the cryptographic engine to be
[Link]
those specified by this PP and used by the cryptographic protocols
being evaluated (IPsec, TLS, SSH). The test plan identifies high-level
test objectives as well as the test procedures to be followed to
[Link].
The test report (which could just be an annotated version of the test
plan) details the activities that took place when the test procedures
were executed, [Link]
be a cumulative account, so if there was a test run that resulted in a
failure, a fix installed, and then a successful re-run of the test, the
report would show a fail and pass result (and the supporting
details), and not just the pass result.
5.2.6 Class AVA: Vulnerability Assessment
For the first generation of this protection profile, the evaluation lab is expected to survey open sources to
[Link], these
[Link]
and uniformly distributed to the evaluation labs, the evaluator will not be expected to test for these
[Link]
[Link]
penetration testing tools and for the development of future protection profiles.
AVA_VAN.1 Vulnerability Survey (AVA_VAN.1)
AVA_VAN.1.1D
The developer shall provide the TOE for testing.
AVA_VAN.1.1C
The TOE shall be suitable for testing.
Application Note: Suitability for testing means not being obfuscated or
packaged in such a way as to disrupt either static or dynamic analysis by the
evaluator.
AVA_VAN.1.1E
The evaluator shall confirm that the information provided meets all requirements
for content and presentation of evidence.
AVA_VAN.1.2E
The evaluator shall perform a search of public domain sources to identify
potential vulnerabilities in the TOE.
Application Note: Public domain sources include the Common Vulnerabilities
and Exposures (CVE) [Link]
domain sources also include sites which provide free checking of files for viruses.
AVA_VAN.1.3E
The evaluator shall conduct penetration testing, based on the identified potential
vulnerabilities, to determine that the TOE is resistant to attacks performed by an
attacker possessing Basic attack potential.
Assurance Activity
The evaluator shall generate a report to document their findings with
[Link]
overall test report mentioned in ATE_IND, or a separate document.
The evaluator performs a search of public information to find
vulnerabilities that have been found in similar applications with a
particular focus on network protocols the application uses and
[Link]
scanner with the most current virus definitions against the
[Link]
evaluator documents the sources consulted and the vulnerabilities
found in the report.
For each vulnerability found, the evaluator either provides a
rationale with respect to its non-applicability, or the evaluator
formulates a test (using the guidelines provided in ATE_IND) to
confirm the vulnerability, [Link]
assessing the attack vector needed to take advantage of the
[Link]
an electron microscope, for instance, then a test would not be
suitable and an appropriate justification would be formulated.
[Link]
As indicated in Section 2, the baseline requirements (those that must be performed by the TOE) are
[Link], there are three other types of requirements specified in
Appendix A, Appendix B, [Link] (in this Appendix) are requirements that can be
included in the ST, [Link]
(in Appendix B) are requirements based on selections in the body of the PP: if certain selections are made,
[Link] (in Appendix C) are
components that are not required in order to conform to this PP, but will be included in the baseline
requirements in future versions of this PP, [Link]
responsible for ensuring that requirements that may be associated with those in Appendix A, Appendix B, and
Appendix C but are not listed (e.g., FMT-type requirements) are also included in the ST.
FCS_TLSC_EXT.1 TLS Client Protocol
FCS_TLSC_EXT.1.4
The application shall support mutual authentication using X.509v3 certificates.
Application Note: The use of X.509v3 certificates for TLS is addressed in
FIA_X509_EXT.[Link]
presenting a certificate to a TLS server for TLS mutual authentication.
Assurance Activity
The evaluator shall ensure that the TSS description required per
FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS
mutual authentication.
The evaluator shall verify that the AGD guidance required per
FIA_X509_EXT.2.1 includes instructions for configuring the
client-side certificates for TLS mutual authentication.
The evaluator shall also perform the following test:
Test 1: The evaluator shall perform the following modification
to the traffic:
Configure the server to require mutual authentication
and then modify a byte in a CA field in the Server's
[Link]
CA field must not be the CA used to sign the client's
[Link]
unsuccessful.
[Link]
As indicated in the introduction to this PP, the baseline requirements (those that must be performed by the
TOE or its underlying platform) [Link]
on selections in the body of the PP: if certain selections are made, then additional requirements below will
need to be included.
FCS_RBG_EXT.2 Random Bit Generation from Application
FCS_RBG_EXT.2.1
The application shall perform all deterministic random bit generation (DRBG)
services in accordance with [selection, at least one of:
NIST Special Publication 800-90A using [selection: Hash_DRBG
(any), HMAC_DRBG (any), CTR_DRBG (AES)],
FIPS Pub 140-2 Annex C: X9.31 Appendix 2.4 using AES
].
This requirement depends upon selection in FCS_RBG_EXT.1.1.
Application Note: This requirement shall be included in STs in which
implement DRBG functionality is chosen in FCS_RBG_EXT.[Link]
author should select the standard to which the RBG services comply (either SP
800-90A or FIPS 140-2 Annex C).
SP 800-90A contains three different methods of generating random numbers;
each of these, in turn, depends on underlying cryptographic primitives (hash
functions/ciphers). The ST author will select the function used (if SP 800-90A is
selected), and include the specific underlying cryptographic primitives used in the
[Link] (SHA-1,
SHA-224, SHA-256, SHA-384, SHA-512) are allowed for Hash_DRBG or
HMAC_DRBG, only AES-based implementations for CTR_DRBG are
allowed.
Note that for FIPS Pub 140-2 Annex C, currently only the method described in
NIST-Recommended Random Number Generator Based on ANSI X9.31
Appendix A.2.4, Section 3 is valid. Use of this DRBG is disallowed after 2015
[Link],
developers should begin transitioning from this DRBG as soon as possible.
Assurance Activity
The evaluator shall perform the following tests, depending on the
standard to which the RBG conforms.
Implementations Conforming to FIPS 140-2 Annex C.
The reference for the tests contained in this section is The Random
Number Generator Validation System (RNGVS). The evaluators shall
[Link] "expected values" are
produced by a reference implementation of the algorithm that is
[Link].
Test 1: [Link]
evaluators shall provide a set of 128 (Seed, DT) pairs to the
TSF RBG function, [Link]
provide a key (of the length appropriate to the AES algorithm)
that is constant for all 128 (Seed, DT) [Link]
[Link]
[Link]
returned by the TSF match the expected values.
Test 2: [Link]
this test, they supply an initial Seed and DT value to the TSF
[Link]
also provide a key (of the length appropriate to the AES
algorithm) [Link]
then invoke the TSF RBG 10,000 times, with the DT value
being incremented by 1 on each iteration, and the new seed for
the subsequent iteration produced as specified in
NIST-Recommended Random Number Generator Based on ANSI
X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES
Algorithms, Section 3. The evaluators ensure that the 10,000th
value produced matches the expected value.
Implementations Conforming to NIST Special Publication 800-90A
Test 1: The evaluator shall perform 15 trials for the RNG
[Link], the evaluator shall
[Link]
also confirm that the operational guidance contains
appropriate instructions for configuring the RNG functionality.
If the RNG has prediction resistance enabled, each trial
consists of (1) instantiate DRBG, (2) generate the first block of
random bits (3) generate a second block of random bits (4)
[Link]
[Link]
[Link] (0-14).
The next three are entropy input, nonce, and personalization
[Link]
[Link]
two are additional input and entropy input for the second call
[Link]
one block of random bits means to generate random bits with
number of returned bits equal to the Output Block Length (as
defined in NIST SP 800-90A).
If the RNG does not have prediction resistance, each trial
consists of (1) instantiate DRBG, (2) generate the first block of
random bits (3) reseed, (4) generate a second block of random
bits (5) [Link]
[Link]
[Link] (0-14).
The next three are entropy input, nonce, and
[Link]
[Link]
and seventh are additional input and entropy input to the call
[Link]
generate call.
The following paragraphs contain more information on some
of the input values to be generated/selected by the evaluator.
Entropy input: the length of the entropy input value must
equal the seed length.
Nonce: If a nonce is supported (CTR_DRBG with no
Derivation Function does not use a nonce), the nonce bit length
is one-half the seed length.
Personalization string: The length of the personalization
[Link]
implementation only supports one personalization string length,
[Link]
one string length is supported, the evaluator shall use
[Link]
implementation does not use a personalization string, no value
needs to be supplied.
Additional input: the additional input bit lengths have the
same defaults and restrictions as the personalization string
lengths.
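The trial without prediction resistance described above can be scripted as follows. This is an added example, not part of the Protection Profile: it assumes HMAC_DRBG with SHA-256 as the selected mechanism, uses the added class HmacDrbg (written from SP 800-90A section 10.1.2, reseed-interval tracking omitted) as the known good side, takes a 256-bit seed length as an assumption, and feeds constructed inputs rather than CAVP vectors. NoReseedDrbg is a constructed faulty implementation that shows what a failing TSF looks like.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG per NIST SP 800-90A section 10.1.2 (known good side of the comparison)."""

    def __init__(self, entropy, nonce, personalization=b"", hash_name="sha256"):
        self._hash = hash_name
        self.outlen = hashlib.new(hash_name).digest_size  # output block length in bytes
        self._k = b"\x00" * self.outlen
        self._v = b"\x01" * self.outlen
        self._update(entropy + nonce + personalization)

    def _mac(self, data):
        return hmac.new(self._k, data, self._hash).digest()

    def _update(self, provided):
        # HMAC_DRBG_Update: one pass always, a second pass only with provided data.
        self._k = self._mac(self._v + b"\x00" + provided)
        self._v = self._mac(self._v)
        if provided:
            self._k = self._mac(self._v + b"\x01" + provided)
            self._v = self._mac(self._v)

    def reseed(self, entropy, additional=b""):
        self._update(entropy + additional)

    def generate(self, nbytes, additional=b""):
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self._v = self._mac(self._v)
            out += self._v
        self._update(additional)
        return out[:nbytes]

    def uninstantiate(self):
        self._k = self._v = None


class NoReseedDrbg(HmacDrbg):
    """Constructed faulty implementation: reseed() silently keeps the old state."""

    def reseed(self, entropy, additional=b""):
        pass


def constructed(label, nbytes):
    """Deterministic filler for trial inputs (constructed, not CAVP vectors)."""
    return hashlib.shake_256(label.encode()).digest(nbytes)


def make_trials(count=15, seed_bytes=32):
    """Eight values per trial: the count, then seven inputs for the DRBG calls."""
    fields = [("entropy", seed_bytes), ("nonce", seed_bytes // 2),
              ("personalization", seed_bytes), ("additional_1", seed_bytes),
              ("reseed_additional", seed_bytes), ("reseed_entropy", seed_bytes),
              ("additional_2", seed_bytes)]
    return [dict(count=c, **{name: constructed(f"{c}/{name}", size)
                             for name, size in fields})
            for c in range(count)]


def run_trial(drbg_cls, t):
    """instantiate, generate, reseed, generate, uninstantiate; return the second block."""
    drbg = drbg_cls(t["entropy"], t["nonce"], t["personalization"])
    drbg.generate(drbg.outlen, t["additional_1"])
    drbg.reseed(t["reseed_entropy"], t["reseed_additional"])
    second = drbg.generate(drbg.outlen, t["additional_2"])
    drbg.uninstantiate()
    return second


def failed_trials(tsf_cls, trials, reference_cls=HmacDrbg):
    """Counts of the trials whose second block differs from the known good value."""
    return [t["count"] for t in trials
            if run_trial(tsf_cls, t) != run_trial(reference_cls, t)]


if __name__ == "__main__":
    trials = make_trials()
    print("conforming TSF, failed trials:", failed_trials(HmacDrbg, trials))
    print("faulty TSF, failed trials:    ", failed_trials(NoReseedDrbg, trials))
```

In an evaluation the first argument of failed_trials would be an adapter around the TSF's own DRBG interface, and the expected values would come from an independently validated implementation.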
FCS_RBG_EXT.2.2
The deterministic RBG shall be seeded by an entropy source that accumulates
entropy from a platform-based DRBG and [selection:
a software-based noise source,
no other noise source
] with a minimum of [selection:
128 bits,
256 bits
] of entropy at least equal to the greatest security strength (according to NIST
SP 800-57) of the keys and hashes that it will generate.
This requirement depends upon selection in FCS_RBG_EXT.1.1.
Application Note: This requirement shall be included in STs in which
implement DRBG functionality is chosen in FCS_RBG_EXT.[Link]
selection in this requirement, the ST author selects 'software-based noise source'
if any additional noise sources are used as input to the application's DRBG.
Note that the application must use the platform's DRBG to seed its DRBG.
In the second selection in this requirement, the ST author selects the appropriate
number of bits of entropy that corresponds to the greatest security strength of
the algorithms included in the ST. Security strength is defined in Tables 2 and 3
[Link], if the implementation includes 2048-bit
RSA (security strength of 112 bits), AES 128 (security strength 128 bits), and
HMAC-SHA-256 (security strength 256 bits), then the ST author would select
256 bits.
Assurance Activity
Documentation shall be produced and the evaluator shall perform
the activities in accordance with Appendix D and the Clarification
to the Entropy Documentation and Assessment Annex.
In the future, specific statistical testing (in line with NIST SP
800-90B) will be required to verify the entropy estimates.
FCS_CKM_EXT.1 Cryptographic Key Generation Services
FCS_CKM_EXT.1.1
The application shall [selection:
generate no asymmetric cryptographic keys,
invoke platform-provided functionality for asymmetric key
generation,
implement asymmetric key generation
].
This requirement depends upon selection in FCS_TLSC_EXT.1.
Application Note: If implement asymmetric key generation or invoke
platform-provided functionality for asymmetric key generation is chosen,
then additional FCS_CKM.1 elements shall be included in the ST.
Assurance Activity
The evaluator shall inspect the application and its developer
documentation to determine if the application needs asymmetric key
[Link], the evaluator shall verify the generate no
asymmetric cryptographic keys selection is present in the ST.
Otherwise, the evaluation activities shall be performed as stated in
the selection-based requirements.
FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.1.1
The application shall generate asymmetric cryptographic keys in accordance
with a specified cryptographic key generation algorithm [selection:
[RSA schemes] using cryptographic key sizes of [2048-bit or
greater] that meet the following: [selection:
FIPS PUB 186-4, Digital Signature Standard (DSS), Appendix
B.3,
ANSI X9.31-1998, Section 4.1
],
[ECC schemes] using [NIST curves P-256, P-384 and [selection:
P-521, no other curves]] that meet the following: [FIPS PUB
186-4, Digital Signature Standard (DSS), Appendix B.4],
[FFC schemes] using cryptographic key sizes of [2048-bit or
greater] that meet the following: [FIPS PUB 186-4, Digital
Signature Standard (DSS), Appendix B.1]
].
This requirement depends upon selection in FCS_CKM_EXT.1.
Application Note: The ST author shall select all key generation schemes used
[Link]
key establishment, the schemes in FCS_CKM.2.1 and selected cryptographic
[Link]
authentication, the public key is expected to be associated with an X.509v3
certificate.
If the TOE acts as a receiver in the RSA key establishment scheme, the TOE
does not need to implement RSA key generation.
The ANSI X9.31-1998 option will be removed from the selection in a future
[Link], the selection is not exclusively limited to
the FIPS PUB 186-4 options in order to allow industry some further time to
complete the transition to the modern FIPS PUB 186-4 standard.
ECC schemes will be required for products entering evaluation after July 1,
2015.
Assurance Activity
The evaluator shall ensure that the TSS identifies the key sizes
[Link], the
evaluator shall examine the TSS to verify that it identifies the usage
for each scheme.
The evaluator shall verify that the AGD guidance instructs the
administrator how to configure the TOE to use the selected key
generation scheme(s) and key size(s) for all uses defined in this PP.
If the application invokes platform-provided functionality for
asymmetric key generation, then the evaluator shall examine the TSS
to verify that it describes how the key generation functionality is
invoked.
If the application implements asymmetric key generation, then the
following test activities shall be carried out.
Assurance Activity Note: The following tests may require the
developer to provide access to a developer environment that provides
the evaluator with tools that are typically available to end-users of
the application.
Key Generation for FIPS PUB 186-4 RSA Schemes
The evaluator shall verify the implementation of RSA Key Generation
[Link]
ability of the TSF to correctly produce values for the key components
including the public verification exponent e, the private prime factors
p and q, the public modulus n and the calculation of the private
signature exponent d. Key Pair generation specifies 5 ways (or
methods) [Link]:
1. Random Primes:
Provable primes
Probable primes
2. Primes with Conditions:
Primes p1, p2, q1, q2, p and q shall all be provable
primes
Primes p1, p2, q1, and q2 shall be provable primes and p
and q shall be probable primes
Primes p1, p2, q1, q2, p and q shall all be probable
primes
To test the key generation method for the Random Provable primes
method and for all the Primes with Conditions methods, the
evaluator must seed the TSF key generation routine with sufficient
[Link]
random seed(s), the public exponent of the RSA key, and the desired
[Link], the evaluator shall have
[Link]
correctness of the TSF's implementation by comparing values
generated by the TSF with those generated from a known good
implementation.
If possible, the Random Probable primes method should also be
verified against a known good implementation as described above.
Otherwise, the evaluator shall have the TSF generate 10 key pairs
for each supported key length nlen and verify:
n = p*q,
p and q are probably prime according to Miller-Rabin tests,
GCD(p-1,e) = 1,
GCD(q-1,e) = 1,
2^16 <= e <= 2^256 and e is an odd integer,
|p-q| > 2^(nlen/2 - 100),
p >= squareroot(2)*(2^(nlen/2 - 1)),
q >= squareroot(2)*(2^(nlen/2 - 1)),
2^(nlen/2) < d < LCM(p-1,q-1),
e*d = 1 mod LCM(p-1,q-1).
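The ten conditions listed for the Random Probable primes fallback can be checked mechanically with exact integer arithmetic. The following is an added example, not part of the Protection Profile: check_rsa_keypair and failed_checks are names introduced here, and generate_keypair is a constructed stand-in for the TSF so that the block runs on its own. The square-root bound is tested as p^2 >= 2^(nlen-1), which is equivalent for even nlen and avoids floating point.

```python
import math
import secrets

SMALL_PRIMES = [p for p in range(2, 1000)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _round in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _sq in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: n is composite
    return True


def check_rsa_keypair(n, e, d, p, q, nlen):
    """Return {condition: bool} for the ten conditions in the list above."""
    half = nlen // 2
    g = math.gcd(p - 1, q - 1)
    lam = (p - 1) * (q - 1) // g if g else 0  # LCM(p-1, q-1); 0 for degenerate input
    return {
        "n = p*q": n == p * q,
        "p, q probably prime": is_probable_prime(p) and is_probable_prime(q),
        "GCD(p-1, e) = 1": math.gcd(p - 1, e) == 1,
        "GCD(q-1, e) = 1": math.gcd(q - 1, e) == 1,
        "2^16 <= e <= 2^256, e odd": 2 ** 16 <= e <= 2 ** 256 and e % 2 == 1,
        "|p-q| > 2^(nlen/2 - 100)": abs(p - q) > 2 ** (half - 100),
        "p >= sqrt(2)*2^(nlen/2 - 1)": p * p >= 2 ** (nlen - 1),
        "q >= sqrt(2)*2^(nlen/2 - 1)": q * q >= 2 ** (nlen - 1),
        "2^(nlen/2) < d < LCM(p-1, q-1)": 2 ** half < d < lam,
        "e*d = 1 mod LCM(p-1, q-1)": lam > 0 and (e * d) % lam == 1,
    }


def failed_checks(key, nlen):
    """Names of the conditions a key pair (dict with n, e, d, p, q) violates."""
    return [name for name, ok in check_rsa_keypair(nlen=nlen, **key).items() if not ok]


def generate_keypair(nlen=2048, e=65537):
    """Constructed stand-in for the TSF under test (random probable primes)."""
    half = nlen // 2

    def random_prime():
        while True:
            # Two top bits set: candidate >= 1.5 * 2^(half-1) > sqrt(2) * 2^(half-1).
            c = secrets.randbits(half) | (0b11 << (half - 2)) | 1
            if math.gcd(c - 1, e) == 1 and is_probable_prime(c):
                return c

    while True:
        p, q = random_prime(), random_prime()
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        d = pow(e, -1, lam)  # modular inverse, Python 3.8+
        if abs(p - q) > 2 ** (half - 100) and d > 2 ** half:
            return {"n": p * q, "e": e, "d": d, "p": p, "q": q}


if __name__ == "__main__":
    for i in range(10):  # 10 key pairs per supported key length
        print(i, failed_checks(generate_keypair(2048), 2048) or "PASS")
```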
Key Generation for ANSI X9.31-1998 RSA Schemes
If the TSF implements the ANSI X9.31-1998 scheme, the evaluator
shall check to ensure that the TSS describes how the key-pairs are
[Link]
with ANSI X9.31-1998, the evaluator shall ensure that the TSS
contains the following information:
The TSS shall list all sections of the standard to which the TOE
complies
For each applicable section listed in the TSS, for all statements
that are not "shall" (that is, "shall not", "should", and "should
not"), if the TOE implements such options it shall be described
[Link] "shall
not" or "should not" in the standard, the TSS shall provide a
rationale for why this will not adversely affect the security
policy implemented by the TOE
For each applicable section of Appendix B, any omission of
functionality related to "shall" or "should" statements shall be
described.
Key Generation for Elliptic Curve Cryptography (ECC)
FIPS 186-4 ECC Key Generation Test
For each supported NIST
curve, i.e., P-256, P-384 and P-521, the evaluator shall require the
implementation under test (IUT) to generate 10 private/public key
[Link]
bit generator (RBG). To determine correctness, the evaluator shall
submit the generated key pairs to the public key verification (PKV)
function of a known good implementation.
FIPS 186-4 Public Key Verification (PKV) Test
For each supported
NIST curve, i.e., P-256, P-384 and P-521, the evaluator shall
generate 10 private/public key pairs using the key generation
function of a known good implementation and modify five of the
public key values so that they are incorrect, leaving five values
unchanged (i.e., correct). The evaluator shall obtain in response a set
of 10 PASS/FAIL values.
Key Generation for Finite-Field Cryptography (FFC)
The evaluator shall verify the implementation of the Parameters
Generation and the Key Generation for FFC by the TOE using the
[Link]
ability of the TSF to correctly produce values for the field prime p,
the cryptographic prime q (dividing p-1), the cryptographic group
generator g, and the calculation of the private key x and public key y.
The Parameter generation specifies 2 ways (or methods) to generate
the cryptographic prime q and the field prime p:
Cryptographic and Field Primes:
Primes q and p shall both be provable primes
Primes q and field prime p shall both be probable primes
and two ways to generate the cryptographic group generator g:
Cryptographic Group Generator:
Generator g constructed through a verifiable process
Generator g constructed through an unverifiable process.
The Key generation specifies 2 ways to generate the private key x:
Private Key:
len(q) bit output of RBG where 1 <= x <= q-1
len(q) + 64 bit output of RBG, followed by a mod q-1 operation
where 1 <= x <= q-1.
The security strength of the RBG must be at least that of the security
[Link]
prime generation method for the provable primes method and/or the
group generator g for a verifiable process, the evaluator must seed
the TSF parameter generation routine with sufficient data to
[Link]
supported, the evaluator shall have the TSF generate 25 parameter
[Link]
TSF's implementation by comparing values generated by the TSF
with those generated from a known good implementation.
Verification must also confirm
g != 0,1
q divides p-1
g^q mod p = 1
g^x mod p = y
for each FFC parameter set and key pair.
FCS_CKM.2 Cryptographic Key Establishment
FCS_CKM.2.1
The application shall [selection: invoke platform-provided functionality,
implement functionality] to perform cryptographic key establishment in
accordance with a specified cryptographic key establishment method:
[RSA-based key establishment schemes] that meets the following: [NIST
Special Publication 800-56B, Recommendation for Pair-Wise Key
Establishment Schemes Using Integer Factorization Cryptography]
and [selection:
[Elliptic curve-based key establishment schemes] that meets the
following: [NIST Special Publication 800-56A, Recommendation
for Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography],
[Finite field-based key establishment schemes] that meets the
following: [NIST Special Publication 800-56A, Recommendation
for Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography],
No other schemes
].
This requirement depends upon selection in FCS_TLSC_EXT.1.1.
Application Note: The ST author shall select all key establishment schemes
used for the selected cryptographic protocols. FCS_TLSC_EXT.1 requires
ciphersuites that use RSA-based key establishment schemes.
The RSA-based key establishment schemes are described in Section 9 of NIST
SP 800-56B; however, Section 9 relies on implementation of other sections in
[Link]
scheme, the TOE does not need to implement RSA key generation.
The elliptic curves used for the key establishment scheme shall correlate with the
curves specified in FCS_CKM.[Link]
for products entering evaluation after July 1, 2015.
The domain parameters used for the finite field-based key establishment scheme
are specified by the key generation according to FCS_CKM.1.1.
Assurance Activity
The evaluator shall ensure that the supported key establishment
schemes correspond to the key generation schemes identified in
FCS_CKM.[Link], the
evaluator shall examine the TSS to verify that it identifies the usage
for each scheme.
The evaluator shall verify that the AGD guidance instructs the
administrator how to configure the TOE to use the selected key
establishment scheme(s).
Assurance Activity Note: The following tests require the developer to
provide access to a test platform that provides the evaluator with
tools that are typically not found on factory products.
Key Establishment Schemes
The evaluator shall verify the implementation of the key
establishment schemes supported by the TOE using the applicable
tests below.
SP 800-56A Key Establishment Schemes
The evaluator shall verify a TOE's implementation of SP 800-56A key
agreement schemes using the following Function and Validity tests.
These validation tests for each key agreement scheme verify that a
TOE has implemented the components of the key agreement scheme
[Link]
components include the calculation of the DLC primitives (the shared
secret value Z) and the calculation of the derived keying material
(DKM) via the Key Derivation Function (KDF). If key confirmation is
supported, the evaluator shall also verify that the components of key
confirmation have been implemented correctly, using the test
[Link],
the generation of MAC data and the calculation of MAC tag.
Function Test
The Function test verifies the ability of the TOE to implement
[Link]
evaluator shall generate or obtain test vectors from a known
[Link]
supported key agreement scheme-key agreement role
combination, KDF type, and, if supported, key confirmation
role-key confirmation type combination, the tester shall
[Link]
of domain parameter values (FFC) or the NIST approved curve
(ECC) [Link],
ephemeral or both depending on the scheme being tested.
The evaluator shall obtain the DKM, the corresponding TOE's
public keys (static and/or ephemeral), the MAC tag(s), and any
inputs used in the KDF, such as the Other Information field OI
and TOE id fields.
If the TOE does not use a KDF defined in SP 800-56A, the
evaluator shall obtain only the public keys and the hashed value
of the shared secret.
The evaluator shall verify the correctness of the TSF's
implementation of a given scheme by using a known good
implementation to calculate the shared secret value, derive the
keying material DKM, and compare hashes or MAC tags
generated from these values.
If key confirmation is supported, the TSF shall perform the
above for each implemented approved MAC algorithm.
Validity Test
The Validity test verifies the ability of the TOE to recognize
another party's valid and invalid key agreement results with or
[Link], the evaluator
shall obtain a list of the supporting cryptographic functions
included in the SP 800-56A key agreement implementation to
determine which errors the TOE should be able to recognize.
The evaluator generates a set of 24 (FFC) or 30 (ECC) test
vectors consisting of data sets including domain parameter
values or NIST approved curves, the evaluator's public keys, the
TOE's public/private key pairs, MACTag, and any inputs used in
the KDF, such as the other info and TOE id fields.
The evaluator shall inject an error in some of the test vectors to
test that the TOE recognizes invalid key agreement results
caused by the following fields being incorrect: the shared secret
value Z, the DKM, the other information field OI, the data to be
MACed, [Link]
or partial (only ECC) public key validation, the evaluator will
also individually inject errors in both parties' static public keys,
both parties' ephemeral public keys and the TOE's static private
key to assure the TOE detects errors in the public key validation
function and/or the partial key validation function (in ECC
only). At least two of the test vectors shall remain unmodified
and therefore should result in valid key agreement results (they
should pass).
The TOE shall use these modified test vectors to emulate the key
[Link]
evaluator shall compare the TOE's results with the results using
a known good implementation verifying that the TOE detects
these errors.
SP 800-56B Key Establishment Schemes
The evaluator shall verify that the TSS describes whether the TOE
acts as a sender, a recipient, or both for RSA-based key establishment
schemes.
If the TOE acts as a sender, the following assurance activity shall be
performed to ensure the proper operation of every TOE supported
combination of RSA-based key establishment scheme:
To conduct this test the evaluator shall generate or obtain test
vectors from a known good implementation of the TOE
[Link]
establishment scheme and its options (with or without key
confirmation if supported, for each supported key confirmation
MAC function if key confirmation is supported, and for each
supported mask generation function if KTS-OAEP is supported),
[Link]
shall include the RSA public key, the plaintext keying material,
any additional input parameters if applicable, the MacKey and
MacTag if key confirmation is incorporated, and the outputted
[Link], the evaluator shall perform a
key establishment encryption operation on the TOE with the
same inputs (in cases where key confirmation is incorporated,
the test shall use the MacKey from the test vector instead of the
randomly generated MacKey used in normal operation) and
ensure that the outputted ciphertext is equivalent to the
ciphertext in the test vector.
If the TOE acts as a receiver, the following assurance activities shall
be performed to ensure the proper operation of every TOE supported
combination of RSA-based key establishment scheme:
To conduct this test the evaluator shall generate or obtain test
vectors from a known good implementation of the TOE
[Link]
establishment scheme and its options (with or without key
confirmation if supported, for each supported key confirmation
MAC function if key confirmation is supported, and for each
supported mask generation function if KTS-OAEP is supported),
[Link]
shall include the RSA private key, the plaintext keying material
(KeyData), any additional input parameters if applicable, the
MacTag in cases where key confirmation is incorporated, and
[Link], the evaluator
shall perform the key establishment decryption operation on the
TOE and ensure that the outputted plaintext keying material
(KeyData) is equivalent to the plaintext keying material in the
[Link], the
evaluator shall perform the key confirmation steps and ensure
that the outputted MacTag is equivalent to the MacTag in the
test vector.
The evaluator shall ensure that the TSS describes how the TOE
[Link]
Publication 800-56B, the TOE must not reveal the particular error
that occurred, either through the contents of any outputted or logged
[Link]
supported, the evaluator shall create separate contrived ciphertext
values that trigger each of the three decryption error checks
described in NIST Special Publication 800-56B section 7.2.2.3, ensure
that each decryption attempt results in an error, and ensure that any
[Link]
KWS is supported, the evaluator shall create separate contrived
ciphertext values that trigger each of the three decryption error
checks described in NIST Special Publication 800-56B section 7.2.3.3,
ensure that each decryption attempt results in an error, and ensure
that any outputted or logged error message is identical for each.
FCS_COP.1(1) Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(1)
The application shall perform encryption/decryption in accordance with a
specified cryptographic algorithm
AES-CBC (as defined in NIST SP 800-38A) mode
and [selection:
AES-GCM (as defined in NIST SP 800-38D),
no other modes
] and cryptographic key sizes 128-bit key sizes and [selection: 256-bit key
sizes, no other key sizes].
This requirement depends upon selection in FDP_TLSC_EXT.1.1.
Application Note: For the first selection, the ST author should choose the
[Link], the ST author
should choose the key sizes that are supported by this functionality. 128-bit key
size is required in order to comply with FCS_TLSC_EXT.1 and
FCS_CKM.1(1), if those are selected.
Support for 256-bit key sizes will be required for products entering evaluation
after Quarter 3, 2015.
Assurance Activity
The evaluator checks the AGD documents to determine that any
configuration that is required to be done to configure the
[Link]
evaluator shall perform all of the following tests for each algorithm
implemented by the TSF and used to satisfy the requirements of this
PP:
AES-CBC Known Answer Tests
There are four Known Answer Tests (KATs), [Link]
KATs, the plaintext, ciphertext, and IV values shall be 128-bit blocks.
The results from each test may either be obtained by the evaluator
directly or by supplying the inputs to the implementer and receiving
[Link], the evaluator shall
compare the resulting values to those obtained by submitting the
same inputs to a known good implementation.
[Link], the
evaluator shall supply a set of 10 plaintext values and obtain
the ciphertext value that results from AES-CBC encryption of
the given plaintext using a key value of all zeros and an IV of
all zeros. Five plaintext values shall be encrypted with a
128-bit all-zeros key, and the other five shall be encrypted with a
[Link]
CBC, the evaluator shall perform the same test as for encrypt,
using 10 ciphertext values as input and AES-CBC decryption.
[Link], the
evaluator shall supply a set of 10 key values and obtain the
ciphertext value that results from AES-CBC encryption of an
all-zeros plaintext using the given key value and an IV of all
zeros. Five of the keys shall be 128-bit keys, and the other five
[Link]
CBC, the evaluator shall perform the same test as for encrypt,
using an all-zero ciphertext value as input and AES-CBC
decryption.
[Link], the
evaluator shall supply the two sets of key values described
below and obtain the ciphertext value that results from AES
encryption of an all-zeros plaintext using the given key value
and an IV of all zeros. The first set of keys shall have 128
128-bit keys, [Link]
in each set shall have the leftmost i bits be ones and the
rightmost N-i bits be zeros, for i in [1,N]. To test the decrypt
functionality of AES-CBC, the evaluator shall supply the two
sets of key and ciphertext value pairs described below and
obtain the plaintext value that results from AES-CBC
decryption of the given ciphertext using the given key and an
[Link]/ciphertext pairs shall have
128 128-bit key/ciphertext pairs, and the second set of
key/ciphertext pairs shall have 256 256-bit key/ciphertext
[Link]
and the rightmost N-i bits be zeros, for i in [1,N]. The
ciphertext value in each pair shall be the value that results in
an all-zeros plaintext when decrypted with its corresponding
key.
[Link], the
evaluator shall supply the set of 128 plaintext values described
below and obtain the two ciphertext values that result from
AES-CBC encryption of the given plaintext using a 128-bit key
value of all zeros with an IV of all zeros and using a 256-bit key
value of all zeros with an IV of all zeros, [Link]
value i in each set shall have the leftmost i bits be ones and the
rightmost 128-i bits be zeros, for i in [1,128].
To test the decrypt functionality of AES-CBC, the evaluator shall
perform the same test as for encrypt, using ciphertext values of the
same form as the plaintext in the encrypt test as input and AES-CBC
decryption.
AES-CBC Multi-Block Message Test
The evaluator shall test the encrypt functionality by encrypting an
i-block message where 1 < i <= [Link],
an IV and plaintext message of length i blocks and encrypt the
message, using the mode to be tested, with the chosen key and IV.
The ciphertext shall be compared to the result of encrypting the same
plaintext message with the same key and IV using a known good
[Link]
functionality for each mode by decrypting an i-block message where
1 < i <= [Link], an IV and a ciphertext
message of length i blocks and decrypt the message, using the mode
to be tested, [Link]
compared to the result of decrypting the same ciphertext message
[Link]
CBC Monte Carlo Tests
The evaluator shall test the encrypt
functionality using a set of 200 plaintext, IV, and key 3-tuples. 100 of
these shall use 128 bit keys, [Link]
plaintext and IV values shall be 128-bit blocks. For each 3-tuple,
1000 iterations shall be run as follows:
    # Input: PT, IV, Key
    for i = 1 to 1000:
        if i == 1:
            CT[1] = AES-CBC-Encrypt(Key, IV, PT)
            PT = IV
        else:
            CT[i] = AES-CBC-Encrypt(Key, PT)
            PT = CT[i-1]
The ciphertext computed in the 1000th iteration (i.e., CT[1000]) is
[Link]
running 1000 iterations with the same values using a known good
implementation.
The evaluator shall test the decrypt functionality using the same test
as for encrypt, exchanging CT and PT and replacing
AES-CBC-Encrypt with AES-CBC-Decrypt.
AES-GCM Monte Carlo Tests
The evaluator shall test the authenticated encrypt functionality of
AES-GCM for each combination of the following input parameter
lengths:
128 bit and 256 bit keys
[Link]
non-zero integer multiple of 128 bits, [Link]
plaintext length shall not be an integer multiple of 128 bits, if
supported.
Three AAD lengths. One AAD length shall be 0, if supported.
One AAD length shall be a non-zero integer multiple of 128
bits, [Link]
multiple of 128 bits, if supported.
Two IV lengths. If 96 bit IV is supported, 96 bits shall be one of
the two IV lengths tested.
The evaluator shall test the encrypt functionality using a set of 10
key, plaintext, AAD, and IV tuples for each combination of parameter
lengths above and obtain the ciphertext value and tag that results
[Link]
[Link]
supplied by the evaluator or the implementation being tested, as long
as it is known.
The evaluator shall test the decrypt functionality using a set of 10
key, ciphertext, tag, AAD, and IV 5-tuples for each combination of
parameter lengths above and obtain a Pass/Fail result on
[Link]
include five tuples that Pass and five that Fail.
The results from each test may either be obtained by the evaluator
directly or by supplying the inputs to the implementer and receiving
[Link], the evaluator shall
compare the resulting values to those obtained by submitting the
same inputs to a known good implementation.
FCS_COP.1(2) Cryptographic Operation - Hashing
FCS_COP.1.1(2)
The application shall perform cryptographic hashing services in accordance with
a specified cryptographic algorithm SHA-1 and [selection:
SHA-256,
SHA-384,
SHA-512,
no other algorithms
] and message digest sizes 160 and [selection:
256,
384,
512,
no other message digest sizes
] bits that meet the following: FIPS Pub 180-4.
This requirement depends upon selection in FCS_TLSC_EXT.1.1.
Application Note: Per NIST SP 800-131A, SHA-1 for generating digital
signatures is no longer allowed, and SHA-1 for verification of digital signatures is
strongly discouraged as there may be risk in accepting these signatures.
SHA-1 is currently required in order to comply with FCS_TLSC_EXT.1.
Vendors are strongly encouraged to implement updated protocols that support
the SHA-2 family; until updated protocols are supported, this PP allows support
for SHA-1 implementations in compliance with SP 800-131A.
[Link]
[Link]
should be consistent with the overall strength of the algorithm used (for example,
SHA 256 for 128-bit keys).
Assurance Activity
The evaluator shall check that the association of the hash function
with other application cryptographic functions (for example, the
digital signature verification function) is documented in the TSS.
The TSF hashing functions can be implemented in one of two modes.
[Link]
hashes messages that are an integral number of bytes in length, i.e.,
the length (in bits) [Link]
[Link]
[Link]
mode, an indication is given in the following sections for the bit
[Link]
all of the following tests for each hash algorithm implemented by the
TSF and used to satisfy the requirements of this PP.
The following tests require the developer to provide access to a test
application that provides the evaluator with tools that are typically
not found in the production application.
Test 1: Short Messages Test - Bit-oriented Mode
The evaluators
devise an input set consisting of m+1 messages, where m is the
[Link]
[Link]
[Link]
message digest for each of the messages and ensure that the
correct result is produced when the messages are provided to
the TSF.
Test 2: Short Messages Test - Byte-oriented Mode
The
evaluators devise an input set consisting of m/8+1 messages,
[Link]
of the messages range sequentially from 0 to m/8 bytes, with
[Link]
[Link]
compute the message digest for each of the messages and
ensure that the correct result is produced when the messages
are provided to the TSF.
Test 3: Selected Long Messages Test - Bit-oriented Mode
The
evaluators devise an input set consisting of m messages, where
[Link]
ith message is 512 + 99*i, [Link]
[Link]
the message digest for each of the messages and ensure that
the correct result is produced when the messages are provided
to the TSF.
Test 4: Selected Long Messages Test - Byte-oriented Mode
The
evaluators devise an input set consisting of m/8 messages,
[Link]
of the ith message is 512 + 8*99*i, where 1 <= i <= m/[Link]
[Link]
evaluators compute the message digest for each of the
messages and ensure that the correct result is produced when
the messages are provided to the TSF.
Test 5: Pseudorandomly Generated Messages Test
This test is
[Link]
randomly generate a seed that is n bits long, where n is the
length of the message digest produced by the hash function to
be tested. The evaluators then formulate a set of 100 messages
and associated digests by following the algorithm provided in
Figure 1 of [SHAVS]. The evaluators then ensure that the
correct result is produced when the messages are provided to
the TSF.
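The byte-oriented message sets of Test 2 and Test 4 can be built and run against an implementation as shown here. This is an added example, not part of the Protection Profile: hashlib stands in for the known good implementation, m is taken to be the block length of the hash algorithm, the message text is constructed deterministic filler, and buggy_sha256 is a constructed faulty TSF that simulates a padding error when the length field does not fit in the final block.

```python
import hashlib

# Block length m in bits for each hash algorithm (assumption: m is the block length).
BLOCK_BITS = {"sha1": 512, "sha256": 512, "sha384": 1024, "sha512": 1024}


def constructed_message(label, nbytes):
    """Deterministic filler text of the requested length (constructed for this example)."""
    return hashlib.shake_128(f"{label}/{nbytes}".encode()).digest(nbytes)


def short_messages(algorithm):
    """Test 2: m/8 + 1 messages with lengths 0 .. m/8 bytes."""
    m = BLOCK_BITS[algorithm]
    return [constructed_message("short", n) for n in range(m // 8 + 1)]


def long_messages(algorithm):
    """Test 4: m/8 messages, the ith of length 512 + 8*99*i bits, 1 <= i <= m/8."""
    m = BLOCK_BITS[algorithm]
    return [constructed_message("long", (512 + 8 * 99 * i) // 8)
            for i in range(1, m // 8 + 1)]


def run_byte_oriented_tests(tsf_hash, algorithm):
    """Return [(test name, message length in bytes)] for every digest the TSF gets wrong."""
    failures = []
    for test, messages in (("short", short_messages(algorithm)),
                           ("long", long_messages(algorithm))):
        for msg in messages:
            expected = hashlib.new(algorithm, msg).digest()  # known good side
            if tsf_hash(msg) != expected:
                failures.append((test, len(msg)))
    return failures


def good_sha256(msg):
    """Conforming TSF stand-in."""
    return hashlib.sha256(msg).digest()


def buggy_sha256(msg):
    """Constructed fault: wrong digest whenever len(msg) % 64 >= 56, the range
    in which SHA-256 padding must spill into an extra block."""
    if len(msg) % 64 >= 56:
        return hashlib.sha256(msg + b"\x00").digest()
    return hashlib.sha256(msg).digest()


if __name__ == "__main__":
    print("conforming:", run_byte_oriented_tests(good_sha256, "sha256"))
    print("faulty:    ", run_byte_oriented_tests(buggy_sha256, "sha256"))
```

The faulty stand-in passes every message shorter than 56 bytes, which is why the sets sweep every length up to a full block and then sample lengths spread across many blocks.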
FCS_COP.1(3) Cryptographic Operation - Signing
FCS_COP.1.1(3)
The application shall perform cryptographic signature services (generation and
verification) in accordance with a specified cryptographic algorithm [selection:
RSA schemes using cryptographic key sizes of 2048-bit or greater
that meet the following: FIPS PUB 186-4, Digital Signature
Standard (DSS), Section 4,
ECDSA schemes using NIST curves P-256, P-384 and [selection:
P-521, no other curves] that meet the following: FIPS PUB 186-4,
Digital Signature Standard (DSS), Section 5
].
This requirement depends upon selection in FCS_COP_EXT.2.1.
Application Note: The ST Author should choose the algorithm implemented to
perform digital signatures; if more than one algorithm is available, this
[Link]
chosen, the ST author should make the appropriate assignments/selections to
[Link]
generation and verification is currently required in order to comply with
FCS_TLSC_EXT.1.
AssuranceActivity
Theevaluatorshallperformthefollowingactivitiesbasedonthe
selectionsintheST.
Thefollowingtestsrequirethedevelopertoprovideaccesstoatest
applicationthatprovidestheevaluatorwithtoolsthataretypically
notfoundintheproductionapplication.
ECDSAAlgorithmTests
Test1:[Link]
eachsupportedNISTcurve(i.e.,P256,P384andP521)and
SHAfunctionpair,theevaluatorshallgenerate101024bit
longmessagesandobtainforeachmessageapublickeyand
[Link]
correctness,theevaluatorshallusethesignatureverification
functionofaknowngoodimplementation.
Test2:[Link]
eachsupportedNISTcurve(i.e.,P256,P384andP521)and
SHAfunctionpair,theevaluatorshallgenerateasetof10
1024bitmessage,publickeyandsignaturetuplesandmodify
oneofthevalues(message,publickeyorsignature)infiveof
the10tuples.Theevaluatorshallobtaininresponseasetof10
PASS/FAILvalues.
RSASignatureAlgorithmTests
Test1:[Link]
theimplementationofRSASignatureGenerationbytheTOE
[Link]
evaluatormustgenerateorobtain10messagesfromatrusted
referenceimplementationforeachmodulussize/SHA
[Link]
theTOEusetheirprivatekeyandmodulusvaluetosignthese
[Link]
TSFssignatureusingaknowngoodimplementationandthe
associatedpublickeystoverifythesignatures.
Test2:[Link]
performtheSignatureVerificationtesttoverifytheabilityof
theTOEtorecognizeanotherpartysvalidandinvalid
[Link]
vectorsproducedduringtheSignatureVerificationTestby
introducingerrorsinsomeofthepublickeys,e,messages,IR
format,and/[Link]
signaturesandreturnssuccessorfailure.
FCS_COP.1(4) Cryptographic Operation - Keyed-Hash Message Authentication
FCS_COP.1.1(4)
The application shall perform keyed-hash message authentication in accordance
with a specified cryptographic algorithm
HMAC-SHA-256
and [selection:
SHA-1,
SHA-384,
SHA-512,
no other algorithms
] with key sizes [assignment: key size (in bits) used in HMAC] and message
digest sizes 256 and [selection: 160, 384, 512, no other size] bits that meet the
following: FIPS Pub 198-1 The Keyed-Hash Message Authentication Code
and FIPS Pub 180-4 Secure Hash Standard.
This requirement depends upon selection in FCS_TLSC_EXT.1.1.
Application Note: The intent of this requirement is to specify the keyed-hash
message authentication function used for key establishment purposes for the
various cryptographic protocols used by the application (e.g., trusted channel).
[Link]
selection should be consistent with the overall strength of the algorithm used for
FCS_COP.1(1). HMAC-SHA-256 is required in order to comply with the
required ciphersuites in FCS_TLSC_EXT.1.
Assurance Activity
The evaluator shall perform the following activities based on the
selections in the ST.
For each of the supported parameter sets, the evaluator shall
[Link]
[Link]
[Link]
compared to the result of generating HMAC tags with the same key
and IV using a known good implementation.
FCS_TLSC_EXT.1 TLS Client Protocol
FCS_TLSC_EXT.1.1
The application shall [selection: invoke platform-provided TLS 1.2,
implement TLS 1.2 (RFC 5246)] supporting the following ciphersuites:
Mandatory Ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA as defined
in RFC 5246
Optional Ciphersuites: [selection:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
no other ciphersuite
].
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: The ciphersuites to be tested in the evaluated configuration
[Link]
ciphersuites that are supported; if there are no ciphersuites supported other than
the mandatory suites, [Link]
ciphersuites that can be used in an evaluated configuration administratively on the
[Link] (RFC 6460)
are the preferred algorithms for implementation.
TLS_RSA_WITH_AES_128_CBC_SHA is required in order to ensure
compliance with RFC 5246.
These requirements will be revisited as new TLS versions are standardized by
the IETF.
If any ciphersuites are selected using ECDHE, then FCS_TLSC_EXT.1.5 is
required.
If implement TLS 1.2 (RFC 5246) is selected, then FCS_CKM.2.1,
FCS_COP.1.1(1), FCS_COP.1.1(2), FCS_COP.1.1(3), and FCS_COP.1.1(4)
are required.
Assurance Activity
The evaluator shall check the description of the implementation of
this protocol in the TSS to ensure that the ciphersuites supported are
[Link]
[Link]
evaluator shall also check the operational guidance to ensure that it
contains instructions on configuring the TOE so that TLS conforms to
[Link]
following tests:
Test 1: The evaluator shall establish a TLS connection using
[Link]
connection may be established as part of the establishment of a
higher-level protocol, e.g., [Link]
sufficient to observe the successful negotiation of a ciphersuite
to satisfy the intent of the test; it is not necessary to examine
the characteristics of the encrypted traffic in an attempt to
discern the ciphersuite being used (for example, that the
cryptographic algorithm is 128-bit AES and not 256-bit AES).
Test 2: The evaluator shall attempt to establish the connection
using a server with a server certificate that contains the Server
Authentication purpose in the extendedKeyUsage field and
[Link]
verify that the client rejects an otherwise valid server
certificate that lacks the Server Authentication purpose in the
extendedKeyUsage field and a connection is not established.
Ideally, the two certificates should be identical except for the
extendedKeyUsage field.
Test 3: The evaluator shall send a server certificate in the TLS
connection that does not match the server-selected ciphersuite
(for example, send an ECDSA certificate while using the
TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite or send an
RSA certificate while using one of the ECDSA ciphersuites).
The evaluator shall verify that the TOE disconnects after
receiving the server's Certificate handshake message.
Test 4: The evaluator shall configure the server to select the
TLS_NULL_WITH_NULL_NULL ciphersuite and verify that
the client denies the connection.
Test 5: The evaluator shall perform the following modifications
to the traffic:
Test 5.1: Change the TLS version selected by the server
in the Server Hello to a non-supported TLS version (for
example 1.3 represented by the two bytes 03 04) and
verify that the client rejects the connection.
Test 5.2: Modify at least one byte in the server's nonce in
the Server Hello handshake message, and verify that the
client rejects the Server Key Exchange handshake
message (if using a DHE or ECDHE ciphersuite) or that
the server denies the client's Finished handshake
message.
Test 5.3: Modify the server's selected ciphersuite in the
Server Hello handshake message to be a ciphersuite not
[Link]
evaluator shall verify that the client rejects the
connection after receiving the Server Hello.
Test 5.4: Modify the signature block in the Server's Key
Exchange handshake message, and verify that the client
rejects the connection after receiving the Server Key
Exchange message.
Test 5.5: Modify a byte in the Server Finished handshake
message, and verify that the client sends a fatal alert
upon receipt and does not send any application data.
Test 5.6: Send a garbled message from the Server after
the Server has issued the ChangeCipherSpec message
and verify that the client denies the connection.
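Tests 4, 5.1 and 5.3 exercise the checks a client applies to the Server Hello. The following Python example is added here and is not part of the profile or of any evaluated product; it parses one TLS record and applies those three checks, assuming the ciphersuite comparison is made against the suites the client offered. The function names, the exception class and the sample records are constructed for the illustration.

```python
import struct

TLS_1_2 = 0x0303
# IANA code points for two suites the profile names.
TLS_NULL_WITH_NULL_NULL = 0x0000
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F


class HandshakeRejected(Exception):
    """Raised where a conforming client would send a fatal alert and disconnect."""


def parse_server_hello(record: bytes):
    """Return (server_version, cipher_suite) from one TLS record carrying a ServerHello."""
    if len(record) < 5:
        raise HandshakeRejected("truncated record header")
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if content_type != 22 or record_len != len(body):
        raise HandshakeRejected("not a well-formed handshake record")
    if len(body) < 4 or body[0] != 2:
        raise HandshakeRejected("not a ServerHello")
    hello = body[4:]
    # Fixed part: version (2) + random (32) + session_id length (1).
    if int.from_bytes(body[1:4], "big") != len(hello) or len(hello) < 35:
        raise HandshakeRejected("bad ServerHello length")
    version = int.from_bytes(hello[0:2], "big")
    sid_len = hello[34]
    pos = 35 + sid_len
    # cipher_suite (2) + compression_method (1) must follow the session_id.
    if sid_len > 32 or len(hello) < pos + 3:
        raise HandshakeRejected("bad session_id")
    return version, int.from_bytes(hello[pos:pos + 2], "big")


def check_server_hello(record: bytes, offered_suites) -> int:
    """Apply the version and ciphersuite checks; return the accepted suite."""
    version, suite = parse_server_hello(record)
    if version != TLS_1_2:                        # Test 5.1
        raise HandshakeRejected(f"unsupported version {version:#06x}")
    if suite == TLS_NULL_WITH_NULL_NULL:          # Test 4
        raise HandshakeRejected("NULL ciphersuite selected")
    if suite not in offered_suites:               # Test 5.3 (assumed comparison)
        raise HandshakeRejected(f"suite {suite:#06x} was not offered")
    return suite


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed test input: minimal ServerHello, zero random, empty session_id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, TLS_1_2, len(handshake)) + handshake


def verdict(record: bytes, offered_suites) -> str:
    """Summarise the client's decision as a string for a test log."""
    try:
        check_server_hello(record, offered_suites)
        return "accept"
    except HandshakeRejected as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    offered = {TLS_RSA_WITH_AES_128_CBC_SHA}
    cases = {
        "valid": build_server_hello(TLS_1_2, TLS_RSA_WITH_AES_128_CBC_SHA),
        "test 4": build_server_hello(TLS_1_2, TLS_NULL_WITH_NULL_NULL),
        "test 5.1": build_server_hello(0x0304, TLS_RSA_WITH_AES_128_CBC_SHA),
        "test 5.3": build_server_hello(TLS_1_2, 0x0035),
    }
    for name, rec in cases.items():
        print(name, "->", verdict(rec, offered))
```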
FCS_TLSC_EXT.1.2
The application shall verify that the presented identifier matches the reference
identifier according to RFC 6125.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: The rules for verification of identity are described in Section
[Link]([Link]
a URL into a web browser or clicking a link), by configuration ([Link]
the name of a mail server or authentication server), or by an application (e.g. a
parameter of an API) [Link]
reference identifier's source domain and application service type ([Link],
SIP, LDAP), the client establishes all reference identifiers which are acceptable,
such as a Common Name for the Subject Name field of the certificate and a
(case-insensitive) DNS name, URI name, and Service Name for the Subject
[Link]
reference identifiers to the presented identifiers in the TLS server's certificate.
The preferred method for verification is the Subject Alternative Name using
DNS names, URI names, [Link]
[Link],
support for use of IP addresses in the Subject Name or Subject Alternative
[Link],
the client should avoid constructing reference identifiers using wildcards.
However, if the presented identifiers include wildcards, the client must follow the
best practices regarding matching; these best practices are captured in the
assurance activity.
Assurance Activity
The evaluator shall ensure that the TSS describes the client's method
of establishing all reference identifiers from the application-
configured reference identifier, including which types of reference
identifiers are supported ([Link], DNS Name, URI
Name, Service Name, or other application-specific Subject
Alternative Names) and whether IP addresses and wildcards are
[Link]
whether and the manner in which certificate pinning is supported or
used by the TOE.
The evaluator shall verify that the AGD guidance includes
instructions for setting the reference identifier to be used for the
purposes of certificate validation in TLS.
The evaluator shall configure the reference identifier according to the
AGD guidance and perform the following tests during a TLS
connection:
Test 1: The evaluator shall present a server certificate that
does not contain an identifier in either the Subject Alternative
Name (SAN) or Common Name (CN) that matches the
[Link]
connection fails.
Test 2: The evaluator shall present a server certificate that
contains a CN that matches the reference identifier, contains
the SAN extension, but does not contain an identifier in the
[Link]
[Link]
test for each supported SAN type.
Test 3: The evaluator shall present a server certificate that
contains a CN that matches the reference identifier and does
[Link]
the connection succeeds.
Test 4: The evaluator shall present a server certificate that
contains a CN that does not match the reference identifier but
[Link]
evaluator shall verify that the connection succeeds.
Test 5: The evaluator shall perform the following wildcard
tests with each supported type of reference identifier:
Test 5.1: The evaluator shall present a server certificate
containing a wildcard that is not in the leftmost label of
the presented identifier ([Link].*.[Link]) and
verify that the connection fails.
Test 5.2: The evaluator shall present a server certificate
containing a wildcard in the leftmost label but not
preceding the public suffix (e.g. *.[Link]). The
evaluator shall configure the reference identifier with a
single leftmost label ([Link]) and verify
[Link]
configure the reference identifier without a leftmost
label as in the certificate ([Link]) and verify
[Link]
the reference identifier with two leftmost labels (e.g.
[Link]) and verify that the connection
fails.
Test 5.3: The evaluator shall present a server certificate
containing a wildcard in the leftmost label immediately
preceding the public suffix (e.g. *.com). The evaluator
shall configure the reference identifier with a single left-
most label ([Link]) and verify that the connection
[Link]
identifier with two leftmost labels ([Link]) and
verify that the connection fails.
Test 6: [conditional] If URI or Service name reference
identifiers are supported, the evaluator shall configure the DNS
[Link]
server certificate containing the correct DNS name and service
identifier in the URIName or SRVName fields of the SAN and
[Link]
this test with the wrong service identifier (but correct DNS
name) and verify that the connection fails.
Test 7: [conditional] If pinned certificates are supported the
evaluator shall present a certificate that does not match the
pinned certificate and verify that the connection fails.
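The SAN/CN precedence of Tests 1 to 4 and the wildcard cases of Test 5 can be expressed as a small DNS-name matcher. The following Python example is added here and is not part of the profile or of any platform's TLS library; it follows RFC 6125 for DNS names only, and the host names, the three-entry public suffix set and the function names are constructed for the illustration (a real client would load the full Public Suffix List).

```python
# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def _labels(name: str):
    """Lower-case a DNS name (matching is case-insensitive) and split it into labels."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS identifier from a certificate with the reference identifier."""
    p, r = _labels(presented), _labels(reference)
    if "" in p or "" in r:
        return False                      # empty name or empty label
    if "*" in reference:
        return False                      # reference identifiers never carry wildcards
    if not any("*" in label for label in p):
        return p == r                     # no wildcard: exact label-by-label match
    # The wildcard must be the entire leftmost label and appear nowhere else
    # (Test 5.1). Partial wildcards such as "f*o" are rejected here, which is a
    # conservative choice that RFC 6125 allows.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # The wildcard must not sit directly in front of a public suffix (Test 5.3),
    # and at least two labels must follow it.
    if len(p) < 3 or ".".join(p[1:]) in PUBLIC_SUFFIXES:
        return False
    # The wildcard stands for exactly one label (Test 5.2): the reference must
    # have the same number of labels and agree on everything to the right.
    return len(r) == len(p) and r[1:] == p[1:]


def server_identity_ok(reference: str, san_dns_names, common_name) -> bool:
    """Decide whether a certificate's identifiers satisfy the reference identifier.

    san_dns_names is None when the certificate has no SAN extension; only then
    is the Common Name consulted (Tests 2 and 3).
    """
    if san_dns_names is not None:
        return any(dns_name_matches(name, reference) for name in san_dns_names)
    return common_name is not None and dns_name_matches(common_name, reference)


if __name__ == "__main__":
    # Constructed cases mirroring the structure of Tests 5.1 to 5.3.
    cases = [
        ("foo.*.example.com", "foo.bar.example.com"),
        ("*.example.com", "foo.example.com"),
        ("*.example.com", "example.com"),
        ("*.example.com", "bar.foo.example.com"),
        ("*.com", "foo.com"),
        ("*.com", "bar.foo.com"),
    ]
    for presented, reference in cases:
        print(f"{presented:20} vs {reference:22} -> {dns_name_matches(presented, reference)}")
```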
FCS_TLSC_EXT.1.3
The application shall only establish a trusted channel if the peer certificate is
valid.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Validity is determined by the identifier verification, certificate
path, the expiration date, and the revocation status in accordance with RFC
[Link]
FIA_X509_EXT.1.
For TLS connections, this channel shall not be established if the peer certificate
[Link] (FCS_HTTPS_EXT.1) requires different
behavior, [Link]
non-HTTPS TLS connections.
Assurance Activity
The evaluator shall use TLS as a function to verify that the validation
rules in FIA_X509_EXT.1.1 are adhered to and shall perform the
following additional test:
Test 1: The evaluator shall demonstrate that a peer using a
certificate without a valid certification path results in an
[Link], the
evaluator shall then load the trusted CA certificate(s) needed
to validate the peer's certificate, and demonstrate that the
[Link]
CA certificates, and show that the connection fails.
FCS_TLSC_EXT.1.5
The application shall present the supported Elliptic Curves Extension in the
Client Hello with the following NIST curves: [selection: secp256r1, secp384r1,
secp521r1] and no other curves.
This requirement depends upon selection in FCS_TLSC_EXT.1.1.
Application Note: This requirement limits the elliptic curves allowed for
authentication and key agreement to the NIST curves from FCS_COP.1(3) and
FCS_CKM.1 and FCS_CKM.[Link]
Elliptic Curve ciphersuites.
Assurance Activity
The evaluator shall verify that TSS describes the supported Elliptic
Curves Extension and whether the required behavior is performed by
[Link]
Elliptic Curves Extension must be configured to meet the
requirement, the evaluator shall verify that AGD guidance includes
configuration of the supported Elliptic Curves Extension.
The evaluator shall also perform the following tests:
Test 1: The evaluator shall configure the server to perform an
ECDHE key exchange message in the TLS connection using a
non-supported ECDHE curve (for example, P-192) and shall
verify that the TOE disconnects after receiving the server's Key
Exchange handshake message.
FCS_DTLS_EXT.1 DTLS Implementation
FCS_DTLS_EXT.1.1
The application shall implement the DTLS protocol in accordance with DTLS
1.2 (RFC 6347).
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Assurance Activity
Test 1: The evaluator shall attempt to establish a connection
with a DTLS server, observe the traffic with a packet analyzer,
and verify that the connection succeeds and that the traffic is
identified as DTLS.
Other tests are performed in conjunction with the Assurance
Activity listed for FCS_TLSC_EXT.1.
FCS_DTLS_EXT.1.2
The application shall implement the requirements in TLS (FCS_TLSC_EXT.1)
for the DTLS implementation, except where variations are allowed according to
DTLS 1.2 (RFC 6347).
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Differences between DTLS 1.2 and TLS 1.2 are outlined in
[Link], for the
applicable security characteristics defined for the TSF, the two protocols do not
[Link], all application notes and assurance activities that are listed for
TLS apply to the DTLS implementation.
Assurance Activity
The evaluator shall perform the assurance activities listed for
FCS_TLSC_EXT.1.
FCS_DTLS_EXT.1.3
The application shall not establish a trusted communication channel if the peer
certificate is deemed invalid.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Validity is determined by the certificate path, the expiration
date, and the revocation status in accordance with RFC 5280.
Assurance Activity
Certificate validity shall be tested in accordance with testing
performed for FIA_X509_EXT.1, and the evaluator shall perform the
following test.
Test 1: The evaluator shall demonstrate that using a certificate
without a valid certification path results in the function failing.
Using the administrative guidance, the evaluator shall then
load a certificate or certificates to the Trust Anchor Database
needed to validate the certificate to be used in the function,
[Link]
then shall delete one of the certificates, and show that the
function fails.
FCS_HTTPS_EXT.1 HTTPS Protocol
FCS_HTTPS_EXT.1.1
The application shall implement the HTTPS protocol that complies with RFC
2818.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Assurance Activity
The evaluator shall attempt to establish an HTTPS connection with a
webserver, observe the traffic with a packet analyzer, and verify that
the connection succeeds and that the traffic is identified as TLS or
HTTPS.
FCS_HTTPS_EXT.1.2
The application shall implement HTTPS using TLS (FCS_TLSC_EXT.1).
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Assurance Activity
Other tests are performed in conjunction with FCS_TLSC_EXT.1.
FCS_HTTPS_EXT.1.3
The application shall notify the user and [selection: not establish the
connection, request application authorization to establish the connection,
no other action] if the peer certificate is deemed invalid.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Validity is determined by the certificate path, the expiration
date, and the revocation status in accordance with RFC 5280.
Assurance Activity
Certificate validity shall be tested in accordance with testing
performed for FIA_X509_EXT.1, and the evaluator shall perform the
following test:
Test 1: The evaluator shall demonstrate that using a certificate
without a valid certification path results in an application
[Link], the evaluator
shall then load a certificate or certificates to the Trust Anchor
Database needed to validate the certificate to be used in the
function, [Link]
evaluator then shall delete one of the certificates, and show
that the application is notified of the validation failure.
FIA_X509_EXT.1 X.509 Certificate Validation
FIA_X509_EXT.1.1
The application shall [selection: invoked platform-provided functionality,
implement functionality] to validate certificates in accordance with the
following rules:
RFC 5280 certificate validation and certificate path validation.
The certificate path must terminate with a trusted CA certificate.
The application shall validate a certificate path by ensuring the presence of
the basicConstraints extension and that the CA flag is set to TRUE for all
CA certificates.
The application shall validate the revocation status of the certificate using
[selection: the Online Certificate Status Protocol (OCSP) as
specified in RFC 2560, a Certificate Revocation List (CRL) as
specified in RFC 5759].
The application shall validate the extendedKeyUsage field according to
the following rules:
Certificates used for trusted updates and executable code integrity
verification shall have the Code Signing purpose (id-kp 3 with OID
[Link].[Link].3) in the extendedKeyUsage field.
Server certificates presented for TLS shall have the Server
Authentication purpose (id-kp 1 with OID 1.[Link].[Link]) in the
extendedKeyUsage field.
Client certificates presented for TLS shall have the Client
Authentication purpose (id-kp 2 with OID 1.[Link].[Link]) in the
extendedKeyUsage field.
S/MIME certificates presented for email encryption and signature
shall have the Email Protection purpose (id-kp 4 with OID
[Link].[Link].4) in the extendedKeyUsage field.
OCSP certificates presented for OCSP responses shall have the
OCSP Signing purpose (id-kp 9 with OID 1.[Link].[Link]) in
the extendedKeyUsage field.
Server certificates presented for EST shall have the CMC
Registration Authority (RA) purpose (id-kp-cmcRA with OID
[Link].[Link].28) in the extendedKeyUsage field.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: FIA_X509_EXT.1.1 lists the rules for validating certificates.
The ST author shall select whether revocation status is verified using OCSP or
CRLs. FIA_X509_EXT.2 requires that certificates are used for HTTPS, TLS
and DTLS; this use requires that the extendedKeyUsage rules are verified.
Regardless of the selection of implement functionality or invoke platform-
provided functionality, the validation is expected to end in a trusted root CA
certificate in a root store managed by the platform.
Assurance Activity
The evaluator shall ensure the TSS describes where the check of
[Link]
also provides a description of the certificate path validation
algorithm.
The tests described must be performed in conjunction with the other
certificate services assurance activities, including the functions in
FIA_X509_EXT.[Link]
[Link]
evaluator shall create a chain of at least four certificates: the node
certificate to be tested, two Intermediate CAs, and the self-signed
Root CA.
Test 1: The evaluator shall demonstrate that validating a
certificate without a valid certification path results in the
[Link]
certificates as trusted CAs needed to validate the certificate to
be used in the function, and demonstrate that the function
[Link]
certificates, and show that the function fails.
Test 2: The evaluator shall demonstrate that validating an
expired certificate results in the function failing.
Test 3: The evaluator shall test that the TOE can properly
handle revoked certificates, conditional on whether CRL or
OCSP is selected; if both are selected, then a test shall be
[Link]
of the node certificate and revocation of the intermediate CA
certificate ([Link]
revoked by the root CA). The evaluator shall ensure that a
valid certificate is used, and that the validation function
[Link]
certificate that has been revoked (for each method chosen in
the selection) to ensure when the certificate is no longer valid
that the validation function fails.
Test 4: If OCSP is selected, the evaluator shall configure the
OCSP server or use a man-in-the-middle tool to present a
certificate that does not have the OCSP signing purpose and
[Link]
selected, the evaluator shall configure the CA to sign a CRL
with a certificate that does not have the cRLsign key usage bit
set, and verify that validation of the CRL fails.
Test 5: The evaluator shall modify any byte in the first eight
bytes of the certificate and demonstrate that the certificate
fails to validate. (The certificate will fail to parse correctly.)
Test 6: The evaluator shall modify any byte in the last byte of
the certificate and demonstrate that the certificate fails to
validate. (The signature on the certificate will not validate.)
Test 7: The evaluator shall modify any byte in the public key of
the certificate and demonstrate that the certificate fails to
validate. (The signature on the certificate will not validate.)
FIA_X509_EXT.1.2
The application shall only treat a certificate as a CA certificate if the
basicConstraints extension is present and the CA flag is set to TRUE.
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: This requirement applies to certificates that are used and
processed by the TSF and restricts the certificates that may be added as trusted
CA certificates.
Assurance Activity
The tests described must be performed in conjunction with the other
certificate services assurance activities, including the functions in
FIA_X509_EXT.[Link]
certificates: the node certificate to be tested, two Intermediate CAs,
and the self-signed Root CA.
Test 1: The evaluator shall construct a certificate path, such
that the certificate of the CA issuing the TOE's certificate does
[Link]
the certificate path fails.
Test 2: The evaluator shall construct a certificate path, such
that the certificate of the CA issuing the TOE's certificate has
[Link]
validation of the certificate path fails.
Test 3: The evaluator shall construct a certificate path, such
that the certificate of the CA issuing the TOE's certificate has
[Link]
validation of the certificate path succeeds.
FIA_X509_EXT.2 X.509 Certificate Authentication
FIA_X509_EXT.2.1
The application shall use X.509v3 certificates as defined by RFC 5280 to
support authentication for [selection: HTTPS, TLS, DTLS].
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: The ST author's selection shall match the selection in
FTP_DIT_EXT.1.1.
FIA_X509_EXT.2.2
When the application cannot establish a connection to determine the validity of a
certificate, the application shall [selection: allow the administrator to choose
whether to accept the certificate in these cases, accept the certificate, not
accept the certificate].
This requirement depends upon selection in FTP_DIT_EXT.1.1.
Application Note: Often a connection must be established to perform a
verification of the revocation status of a certificate, either to download a CRL
[Link]
that such a connection cannot be established (for example, due to a network
error). If the TOE has determined the certificate valid according to all other rules
in FIA_X509_EXT.1, the behavior indicated in the selection shall determine the
[Link]
validation rules in FIA_X509_EXT.1.
Assurance Activity
The evaluator shall check the TSS to ensure that it describes how the
TOE chooses which certificates to use, and any necessary instructions
in the administrative guidance for configuring the operating
environment so that the TOE can use the certificates.
The evaluator shall examine the TSS to confirm that it describes the
behavior of the TOE when a connection cannot be established during
the validity check of a certificate used in establishing a trusted
[Link]
[Link]
administrator is able to specify the default action, then the evaluator
shall ensure that the operational guidance contains instructions on
how this configuration action is performed.
The evaluator shall perform the following test for each trusted
channel:
Test 1: The evaluator shall demonstrate that using a valid
certificate that requires certificate validation checking to be
performed in at least some part by communicating with a non-
[Link]
environment so that the TOE is unable to verify the validity of
the certificate, and observe that the action selected in
FIA_X509_EXT.[Link]
administrator-configurable, then the evaluator shall follow the
operational guidance to determine that all supported
administrator-configurable options behave in their documented
manner.
[Link]
[Link]
requirements are not currently mandated in the body of this PP as they describe security functionality not yet
[Link], these requirements may be included in the ST such that
the TOE is still conformant to this PP, and it is expected that they be included as soon as possible.
FCS_TLSC_EXT.1 TLS Client Protocol
FCS_TLSC_EXT.1.6
The application shall present the signature_algorithms extension in the Client
Hello with the supported_signature_algorithms value containing the following
hash algorithms: [selection: SHA256, SHA384, SHA512] and no other hash
algorithms.
Application Note: This requirement limits the hashing algorithms supported for
the purpose of digital signature verification by the client and limits the server to
the supported hashes for the purpose of digital signature generation by the
server. The signature_algorithm extension is only supported by TLS 1.2.
Assurance Activity
The evaluator shall verify that TSS describes the signature_algorithm
extension and whether the required behavior is performed by default
[Link]
signature_algorithm extension must be configured to meet the
requirement, the evaluator shall verify that AGD guidance includes
configuration of the signature_algorithm extension.
The evaluator shall also perform the following test:
Test 1: The evaluator shall configure the server to send a
certificate in the TLS connection that is not supported
according to the Client's HashAlgorithm enumeration within
the signature_algorithms extension (for example, send a
certificate with a SHA-1 signature). The evaluator shall verify
that the TOE disconnects after receiving the server's
Certificate handshake message.
FPT_API_EXT.1 Use of Supported Services and APIs
FPT_API_EXT.1.2
The application [selection: shall use platform-provided libraries, does not
implement functionality] for parsing [assignment: list of formats parsed that
are included in the IANA MIME media types].
Application Note: The IANA MIME types are listed at
[Link]
video, [Link]
parsing services is the purpose of the application.
Assurance Activity
The evaluator shall verify that the TSS lists the IANA MIME media
types (as described by [Link]
for all formats the application processes and that it maps those
formats to parsing services provided by the platform.
FPT_IDV_EXT.1 Software Identification and Versions
FPT_IDV_EXT.1.1
The application shall include SWID tags that comply with the minimum
requirements for SWID tag from ISO/IEC 19770-2:2009 standard.
This requirement is scheduled to be mandatory for applications
entering evaluations after July 1, 2015.
Application Note: Valid SWID tags must contain a SoftwareIdentity element
and an Entity element as defined in the ISO/IEC 19770-2:2009 standard.
[Link]
ISO/IEC 19770-2:2009.
Assurance Activity
The evaluator shall install the application, then check for the
[Link]
the file and verify that it contains at least a SoftwareIdentity element
and an Entity element.
[Link]
Assessment
This appendix describes the required supplementary information for the entropy source used by the TOE.
The documentation of the entropy source should be detailed enough that, after reading, the evaluator will
[Link]
documentation should include multiple detailed sections: design description, entropy justification, operating
conditions, [Link].
D.1 Design Description
Documentation shall include the design of the entropy source as a whole, including the interaction of all
[Link]
for any third-party entropy sources that are included in the product.
The documentation will describe the operation of the entropy source to include, how entropy is produced,
and how unprocessed (raw) [Link]
documentation should walk through the entropy source design indicating where the entropy comes from,
where the entropy output is passed next, any post-processing of the raw outputs (hash, XOR, etc.), if/where
it is stored, and finally, [Link] (e.g.,
blocking) [Link].
This design must also include a description of the content of the security boundary of the entropy source and a
description of how the security boundary ensures that an adversary outside the boundary cannot affect the
entropy rate.
If implemented, the design description shall include a description of how third-party applications can add
[Link]
included.
D.2 Entropy Justification
There should be a technical argument for where the unpredictability in the source comes from and why there
is confidence in the entropy source delivering sufficient entropy for the uses made of the RBG output (by this
particular TOE). This argument will include a description of the expected min-entropy rate ([Link]
entropy (in bits) per bit or byte of source data) and explain that sufficient entropy is going into the TOE
[Link]
relied upon to produce bits with entropy.
The amount of information necessary to justify the expected min-entropy rate depends on the type of entropy
source included in the product.
For developer-provided entropy sources, in order to justify the min-entropy rate, it is expected that a large
number of raw source bits will be collected, statistical tests will be performed, and the min-entropy rate
[Link], it is expected
that some testing is necessary in order to determine the amount of min-entropy in each output.
For third-party provided entropy sources, in which the TOE vendor has limited access to the design and raw
entropy data of the source, the documentation will indicate an estimate of the amount of min-entropy obtained
[Link], however,
[Link], the min-entropy estimate
must be specified and the assumption included in the ST.
Regardless of type of entropy source, the justification will also include how the DRBG is initialized with the
entropy stated in the ST, for example by verifying that the min-entropy rate is multiplied by the amount of
source data used to seed the DRBG or that the rate of entropy expected based on the amount of source data
[Link]
not clear or the calculated rate is not explicitly related to the seed, the documentation will not be considered
complete.
The entropy justification shall not include any data added from any third-party application or from any state
saving between restarts.
D.3 Operating Conditions
[Link],
voltage, frequency, temperature, and elapsed time after power-on are just a few of the factors that may affect
[Link], documentation will also include the range of operating
[Link]
measures that have been taken in the system design to ensure the entropy source continues to operate under
[Link], documentation shall describe the conditions under which the entropy source is
[Link]
shall be included.
D.4 Health Testing
More specifically, [Link]
description of the health tests, the rate and conditions under which each health test is performed (e.g., at
startup, continuously, or on-demand), the expected results for each health test, and rationale indicating why
each test is believed to be appropriate for detecting one or more failures in the entropy source.
[Link]
Identifier Title
[CC]
Common Criteria for Information Technology Security Evaluation
Part 1: Introduction and General Model, CCMB-2012-09-001, Version 3.1 Revision
4, September 2012.
Part 2: Security Functional Components, CCMB-2012-09-002, Version 3.1 Revision
4, September 2012.
Part 3: Security Assurance Components, CCMB-2012-09-003, Version 3.1 Revision
4, September 2012.
[CEM]
Common Evaluation Methodology for Information Technology Security Evaluation
Methodology, CCMB-2012-09-004, Version 3.1, Revision 4, September 2012.
[CESG]
CESG End User Devices Security and Configuration Guidance
[CSA]
Computer Security Act of 1987, H.R. 145, June 11, 1987.
[OMB]
Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost
for Security in Agency Information Technology Investments, OMB M-06-19, July 12, 2006.
[Link]
Acronym Meaning
ADB     Android Debug Bridge
AES     Advanced Encryption Standard
ANSI    American National Standards Institute
API     Application Programming Interface
APK     Android Application Package
APPX    Windows Store Application Package
ASLR    Address Space Layout Randomization
BAR     Blackberry Application Package
BIOS    Basic Input/Output System
CDSA    Common Data Security Architecture
CESG    Communications Electronics Security Group
CMC     Certificate Management over CMS
CMS     Cryptographic Message Syntax
CN      Common Names
CRL     Certificate Revocation List
CSA     Computer Security Act
DEP     Data Execution Prevention
DES     Data Encryption Standard
DHE     Diffie-Hellman Ephemeral
DMG     Apple Disk Image
DNS     Domain Name System
DPAPI   Data Protection Application Programming Interface
DRBG    Deterministic Random Bit Generator
DSS     Digital Signature Standard
DT      Date/Time Vector
DTLS    Datagram Transport Layer Security
EAP     Extensible Authentication Protocol
ECDHE   Elliptic Curve Diffie-Hellman Ephemeral
ECDSA   Elliptic Curve Digital Signature Algorithm
EMET    Enhanced Mitigation Experience Toolkit
EST     Enrollment over Secure Transport
FIPS    Federal Information Processing Standards
GPS     Global Positioning System
HMAC    Hash-based Message Authentication Code
HTTP    Hypertext Transfer Protocol
HTTPS   Hypertext Transfer Protocol Secure
IANA    Internet Assigned Number Authority
IEC     International Electrotechnical Commission
IETF    Internet Engineering Task Force
IP      Internet Protocol
IPA     iOS Package archive
IR      Intermediate Integer
ISO     International Organization for Standardization
IT      Information Technology
ITSEF   Information Technology Security Evaluation Facility
JNI     Java Native Interface
LDAP    Lightweight Directory Access Protocol
MIME    Multi-purpose Internet Mail Extensions
MPKG    Meta Package
MSI     Microsoft Installer
NFC     Near Field Communication
NIAP    National Information Assurance Partnership
NIST    National Institute of Standards and Technology
OCSP    Online Certificate Status Protocol
OID     Object Identifier
OMB     Office of Management and Budget
OS      Operating System
PDF     Portable Document Format
PID     Process Identifier
PII     Personally Identifiable Information
PKG     Package file
PKI     Public Key Infrastructure
PP      Protection Profile
RBG     Random Bit Generator
RFC     Request for Comment
RNG     Random Number Generator
RNGVS   Random Number Generator Validation System
SAN     Subject Alternative Name
SAR     Security Assurance Requirement
SE      Security Enhancements
SFR     Security Functional Requirement
SHA     Secure Hash Algorithm
S/MIME  Secure/Multi-purpose Internet Mail Extensions
SIP     Session Initiation Protocol
SP      Special Publication
SSH     Secure Shell
SWID    Software Identification
TLS     Transport Layer Security
UI      User Interface
URI     Uniform Resource Identifier
URL     Uniform Resource Locator
USB     Universal Serial Bus
XCCDF   eXtensible Configuration Checklist Description Format
XOR     Exclusive Or