functional package for transport layer security (tls) · (pp) an implementation-independent set of...

FunctionalPackageforTransportLayerSecurity(TLS)

Version:1.12019-03-01

NationalInformationAssurancePartnership

RevisionHistory

Version Date Comment

1.0 2018-12-17

Firstpublication

1.1 2019-03-01

Clarificationsregardingoverrideforinvalidcertificates,renegotation_infoextension,DTLSversions,andnamedDiffie-HellmangroupsinDTLScontexts

Contents

1 Introduction1.1 Overview1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms

1.3 FormatofthisDocument1.4 CompliantTargetsofEvaluation

2 ConformanceClaims3 SecurityFunctionalRequirements3.1 CryptographicSupport(FCS)

AppendixA- Implementation-DependentRequirementsAppendixB- ReferencesAppendixC- Acronyms

1Introduction

1.1OverviewTransportLayerSecurity(TLS)andtheclosely-relatedDatagramTLS(DTLS)arecryptographicprotocolsdesignedtoprovidecommunicationssecurityoverIPnetworks.Severalversionsoftheprotocolareinwidespreaduseinsoftwarethatprovidesfunctionalitysuchaswebbrowsing,email,instantmessaging,andvoice-over-IP(VoIP).MajorwebsitesuseTLStoprotectcommunicationstoandfromtheirservers.TLSisalsousedtoprotectcommunicationsbetweenhostsandnetworkinfrastructuredevicesforadministration.Theunderlyingplatform,suchasanoperatingsystem,oftenprovidestheactualTLSimplementation.TheprimarygoaloftheTLSprotocolistoprovideconfidentialityandintegrityofdatatransmittedbetweentwocommunicatingendpoints,aswellasauthenticationofatleasttheserverendpoint.TLSsupportsmanydifferentmethodsforexchangingkeys,encryptingdata,andauthenticatingmessageintegrity.ThesemethodsaredynamicallynegotiatedbetweentheclientandserverwhentheTLSconnectionisestablished.Asaresult,evaluatingtheimplementationofbothendpointsistypicallynecessarytoprovideassurancefortheoperatingenvironment.This"FunctionalPackageforTransportLayerSecurity"(shortname"TLS-PKG")definesfunctionalrequirementsfortheimplementationoftheTransportLayerSecurity(TLS)andDatagramTLS(DTLS)protocols.Therequirementsareintendedtoimprovethesecurityofproductsbyenablingtheirevaluation.

1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.

1.2.1CommonCriteriaTerms

Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].

BaseProtectionProfile(Base-PP)

ProtectionProfileusedasabasistobuildaPP-Configuration.

CommonCriteria(CC)

CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).

CommonCriteriaTestingLaboratory

WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.

CommonEvaluationMethodology(CEM)

CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.

DistributedTOE

ATOEcomposedofmultiplecomponentsoperatingasalogicalwhole.

OperationalEnvironment(OE)

HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.

ProtectionProfile(PP)

Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.

ProtectionProfileConfiguration(PP-Configuration)

AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.

ProtectionProfileModule(PP-Module)

Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.

SecurityAssuranceRequirement(SAR)

ArequirementtoassurethesecurityoftheTOE.

Security ArequirementforsecurityenforcementbytheTOE.

FunctionalRequirement(SFR)

SecurityTarget(ST)

Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.

TOESecurityFunctionality(TSF)

Thesecurityfunctionalityoftheproductunderevaluation.

TOESummarySpecification(TSS)

AdescriptionofhowaTOEsatisfiestheSFRsinanST.

TargetofEvaluation(TOE)

Theproductunderevaluation.

1.2.2TechnicalTerms

CertificateAuthority(CA) Issuerofdigitalcertificates

DatagramTransportLayerSecurity(DTLS)

Cryptographicnetworkprotocol,basedonTLS,whichprovidescommunicationssecurityfordatagramprotocols

TransportLayerSecurity(TLS)

CryptographicnetworkprotocolforprovidingcommunicationssecurityoveraTCP/IPnetwork

1.3FormatofthisDocumentSection3SecurityFunctionalRequirementscontainsbaselinerequirementswhichmustbeimplementedintheproductandincludedinanyPP/PP-Module/STthatclaimsconformancetothisPackage.TherearethreeothertypesofrequirementsthatcanbeincludedinaPP/PP-Module/STclaimingconformancetothisPackage:

containsrequirementsthatmayoptionallybeincludedinthePP/PP-Module/ST,butinclusionisatthediscretionofthePP/PP-Module/STauthor.Forrequirementsthathaveselections,ifthePP/PP-Moduleallowstheselection(ortheSTselectsparticularselections),thenthereareadditionalrequirementsbasedontheseselectionscontainedinthisappendixthatwillneedtobeincludedinthePP/PP-Module/ST.containsrequirementsbasedonselectionsintherequirementsinSection3SecurityFunctionalRequirementsorthePP/PP-Module/ST:ifcertainselectionsaremade,thenthecorrespondingrequirementsinthatappendixmustbeincluded.containsrequirementsthatwillbeincludedinthebaselinerequirementsinfutureversionsofthispackage.Earlieradoptionbyvendorsisencouraged.Otherwise,thesearetreatedthesameasOptionalRequirements.

1.4CompliantTargetsofEvaluationTheTargetofEvaluation(TOE)inthisPackageisaproductwhichactsasaTLSclientorserver,orboth.ThisPackagedescribesthesecurityfunctionalityofTLSintermsof[CC].ThecontentsofthisPackagemustbeappropriatelycombinedwithaPPorPP-Module.WhenthisPackageisinstantiatedbyaPPorPP-Module,thePackagemustincludeselection-basedrequirementsinaccordancewiththeselectionsorassignmentsindicatedinthePPorPP-Module.ThesemaybeexpandedbythetheSTauthor.ThePPorPP-ModulewhichinstantiatesthisPackagemusttypicallyincludethefollowingcomponentsinordertosatisfydependenciesofthisPackage.ItistheresponsibilityofthePPorPP-ModuleauthorwhoinstantiatesthisPackagetoensurethatdependenceonthesecomponentsissatisfied:

Component Explanation

FCS_CKM.2 TosupportTLSciphersuitesthatuseRSA,DHEorECDHEforkeyexchange,thePPorPP-ModulemustincludeFCS_CKM.2andspecifythecorrespondingalgorithm.

FCS_COP.1 TosupportTLSciphersuitesthatuseAESforencryption/decryption,thePPorPP-modulemustincludeFCS_COP.1(iteratingasneeded)andspecifyAESwithcorrespondingkeysizesandmodes.TosupportTLSciphersuitesthatuseSHAforhashing,thePPorPP-ModulemustincludeFCS_COP.1(iteratingasneeded)andspecifySHAwithcorrespondingdigestsizes.

FCS_RBG_EXT.1 TosupportrandombitgenerationneededfortheTLShandshake,thePPorPP-ModulemustincludeFCS_RBG_EXT.1.

FIA_X509_EXT.1 TosupportvalidationofcertificatesneededduringTLSconnectionsetup,thePPorPP-ModulemustincludeFIA_X509_EXT.1.

FIA_X509_EXT.2 TosupporttheuseofX509certificatesforauthenticationinTLSconnectionsetup,thePPorPP-ModulemustincludeFIA_X509_EXT.2.

AnSTmustidentifytheapplicableversionofthePPorPP-ModuleandthisPackageinitsconformanceclaims.

2ConformanceClaimsConformanceStatement

AnSTmustclaimexactconformancetothisPackage,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).

CCConformanceClaimsThisPackageisconformanttoParts2(extended)and3(conformant)ofCommonCriteriaVersion3.1,Revision5.

PPClaimThisPackagedoesnotclaimconformancetoanyProtectionProfile.

PackageClaimThisPackagedoesnotclaimconformancetoanypackages.

ConformanceStatementThisPackageservestoprovideProtectionProfileswithadditionalSFRsandassociatedEvaluationActivitiesspecifictoTLSclientsandservers.ThisPackageconformstoCommonCriteria[CC]forInformationTechnologySecurityEvaluation,Version3.1,Revision5.ItisCCPart2extendedconformant.InaccordancewithCCPart1,dependenciesarenotincludedwhentheyareaddressedbyotherSFRs.Theevaluationactivitiesprovideadequateproofthatanydependenciesarealsosatisfied.

3SecurityFunctionalRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2of[CC].Thefollowingconventionsareusedforthecompletionofoperations:

Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."

3.1CryptographicSupport(FCS)

FCS_TLS_EXT.1TLSProtocolFCS_TLS_EXT.1.1

Theproductshallimplement[selection:TLSasaclient,TLSasaserver,DTLSasaclient,DTLSasaserver

].

ApplicationNote:IfTLSasaclientisselected,thentheSTmustincludetherequirementsfromFCS_TLSC_EXT.1.IfTLSasaserverisselected,thentheSTmustincludetherequirementsfromFCS_TLSS_EXT.1.

IfDTLSasaclientisselected,thentheSTmustincludetherequirementsfromFCS_DTLSC_EXT.1.IfDTLSasaserverisselected,thentheSTmustincludetherequirementsfromFCS_DTLSS_EXT.1.

EvaluationActivities

FCS_TLS_EXT.1:GuidanceTheevaluatorshallensurethattheselectionsindicatedintheSTareconsistentwithselectionsinthedependentcomponents.

FCS_TLSC_EXT.1TLSClientProtocol

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_TLS_EXT.1.1.

FCS_TLSC_EXT.1.1TheproductshallimplementTLS1.2(RFC5246)and[selection:TLS1.1(RFC4346),noearlierTLSversions]asaclientthatsupportstheciphersuites[selection:

TLS_RSA_WITH_AES_128_CBC_SHAasdefinedinRFC5246,TLS_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289

]andalsosupportsfunctionalityfor[selection:mutualauthentication,sessionrenegotiation,none

].

ApplicationNote:TheSTauthorshouldselecttheciphersuitesthataresupported,andmustselectatleastoneciphersuite.Theciphersuitestobetestedintheevaluatedconfigurationarelimitedbythisrequirement.However,thisrequirementdoesnotrestricttheTOE'sabilitytoproposeadditionalciphersuitesbeyondtheoneslistedinthisrequirementinitsClientHellomessage.Thatis,theTOEmayproposeanyciphersuitebuttheevaluationwillonlytestciphersuitesfromtheabovelist.Itisnecessarytolimittheciphersuitesthatcanbeusedinanevaluatedconfigurationadministrativelyontheserverinthetestenvironment.GCMciphersuitesarepreferredoverCBCciphersuites,ECDHEpreferredoverRSAandDHE,andSHA256orSHA384overSHA.

TLS_RSA_WITH_AES_128_CBC_SHAisnotrequireddespitebeingmandatedbyRFC5246.

TheserequirementswillberevisitedasnewTLSversionsarestandardizedbytheIETF.

IfanyECDHEorDHEciphersuitesareselected,thenFCS_TLSC_EXT.5isrequired.

Ifmutualauthenticationisselected,thentheSTmustadditionallyincludetherequirementsfromFCS_TLSC_EXT.2.IftheTOEimplementsmutualauthentication,thisselectionmustbemade.

Ifsessionrenegotiationisselected,thentheSTmustadditionallyincludetherequirementsfromFCS_TLSC_EXT.4.IftheTOEimplementssessionrenegotiation,thisselectionmustbemade.

FCS_TLSC_EXT.1.2TheproductshallverifythatthepresentedidentifiermatchesthereferenceidentifieraccordingtoRFC6125.

ApplicationNote:TherulesforverificationofidentityaredescribedinSection6ofRFC6125.Thereferenceidentifierisestablishedbytheuser(e.g.enteringaURLintoawebbrowserorclickingalink),byconfiguration(e.g.configuringthenameofamailserverorauthenticationserver),orbyanapplication(e.g.aparameterofanAPI)dependingontheproductservice.Basedonasingularreferenceidentifier’ssourcedomainandapplicationservicetype(e.g.HTTP,SIP,LDAP),theclientestablishesallreferenceidentifierswhichareacceptable,suchasaCommonNamefortheSubjectNamefieldofthecertificateanda(case-insensitive)DNSname,URIname,andServiceNamefortheSubjectAlternativeNamefield.TheclientthencomparesthislistofallacceptablereferenceidentifierstothepresentedidentifiersintheTLSserver’scertificate.ThepreferredmethodforverificationistheSubjectAlternativeNameusingDNSnames,URInames,orServiceNames.VerificationusingtheCommonNameforthepurposesofbackwardscompatibilityisoptional.Additionally,supportforuseofIPaddressesintheSubjectNameorSubjectAlternativenameisdiscouraged,asagainstbestpractices,butmaybeimplemented.Finally,theclientshouldavoidconstructingreferenceidentifiersusingwildcards.However,ifthepresentedidentifiersincludewildcards,theclientmustfollowthebestpracticesregardingmatching;thesebestpracticesarecapturedintheevaluationactivity.

FCS_TLSC_EXT.1.3Theproductshallnotestablishatrustedchanneliftheservercertificateisinvalid[selection:

withnoexceptions,exceptwhenoverrideisauthorized

].

ApplicationNote:Validityisdeterminedbytheidentifierverification,certificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.CertificatevalidityshallbetestedinaccordancewithtestingperformedforFIA_X509_EXT.1asdefinedinanyPPorPP-ModulewhichinstantiatesthisPackage.

Theselectionthatpermitsoverrideforinvalidcertificatesshouldbeinterpretedasfollows:

explicitadministratororuseractionisneededtoauthorizetheoverride,onaper-certificatebasisoverridemaybesoughtorgrantedatanytime,thoughthistypicallyoccurswhenaninvalidcertificateispresentedduringconnectionsetupoverridedecisionsmaybestoredandthenconsultedlater,topermitconnectionsusingtheseotherwise-invalidcertificatestoestablishtrustedchannelswithoutuseroradministratoraction

AsindicatedinSection1.4CompliantTargetsofEvaluation,notethataPPauthormayinstantiatethisSFRusingonlythefirstselection,preventingtheabilitytoallowoverrides.


FCS_TLSC_EXT.1:TSSTheevaluatorshallcheckthedescriptionoftheimplementationofthisprotocolintheTSStoensurethattheciphersuitessupportedarespecified.TheevaluatorshallchecktheTSStoensurethattheciphersuitesspecifiedincludethoselistedforthiscomponent.GuidanceTheevaluatorshallalsochecktheoperationalguidancetoensurethatitcontainsinstructionsonconfiguringtheproductsothatTLSconformstothedescriptionintheTSS.TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:TheevaluatorshallestablishaTLSconnectionusingeachoftheciphersuitesspecifiedbytherequirement.Thisconnectionmaybeestablishedaspartoftheestablishmentofahigher-levelprotocol,e.g.,aspartofanEAPsession.Itissufficienttoobservethesuccessfulnegotiationofaciphersuitetosatisfytheintentofthetest;itisnotnecessarytoexaminethecharacteristicsoftheencryptedtrafficinanattempttodiscerntheciphersuitebeingused(forexample,thatthecryptographicalgorithmis128-bitAESandnot256-bitAES).Test2:ThegoalofthefollowingtestistoverifythattheTOEacceptsonlycertificateswithappropriatevaluesintheextendedKeyUsageextension,andimplicitlythattheTOEcorrectlyparsestheextendedKeyUsageextensionaspartofX.509v3servercertificatevalidation.

TheevaluatorshallattempttoestablishtheconnectionusingaserverwithaservercertificatethatcontainstheServerAuthenticationpurposeintheextendedKeyUsageextensionandverifythataconnectionisestablished.Theevaluatorshallrepeatthistestusingadifferent,butotherwisevalidandtrusted,certificatethatlackstheServerAuthenticationpurposeintheextendedKeyUsageextensionandensurethataconnectionisnotestablished.Ideally,thetwocertificatesshouldbesimilarinstructure,thetypesofidentifiersused,andthechainoftrust.Test3:TheevaluatorshallsendaservercertificateintheTLSconnectionthatdoesnotmatchtheserver-selectedciphersuite(forexample,sendaECDSAcertificatewhileusingtheTLS_RSA_WITH_AES_128_CBC_SHAciphersuiteorsendaRSAcertificatewhileusingoneoftheECDSAciphersuites.)Theevaluatorshallverifythattheproductdisconnectsafterreceivingtheserver’sCertificatehandshakemessage.Test4:TheevaluatorshallconfiguretheservertoselecttheTLS_NULL_WITH_NULL_NULLciphersuiteandverifythattheclientdeniestheconnection.Test5:Theevaluatorshallperformthefollowingmodificationstothetraffic:

Test5.1:ChangetheTLSversionselectedbytheserverintheServerHellotoanundefinedTLSversion(forexample1.5representedbythetwobytes0306)andverifythattheclientrejectstheconnection.Test5.2:ChangetheTLSversionselectedbytheserverintheServerHellotothemostrecentunsupportedTLSversion(forexample1.1representedbythetwobytes0302)andverifythattheclientrejectstheconnection.Test5.3:[conditional]IfDHEorECDHEciphersuitesaresupported,modifyatleastonebyteintheserver’snonceintheServerHellohandshakemessage,andverifythattheclientdoesnotcompletethehandshakeandnoapplicationdataflows.Test5.4:Modifytheserver’sselectedciphersuiteintheServerHellohandshakemessagetobeaciphersuitenotpresentedintheClientHellohandshakemessage.Theevaluatorshallverifythattheclientdoesnotcompletethehandshakeandnoapplicationdataflows.Test5.5:[conditional]IfDHEorECDHEciphersuitesaresupported,modifythesignatureblockintheserver’sKeyExchangehandshakemessage,andverifythattheclientdoesnotcompletethehandshakeandnoapplicationdataflows.ThistestdoesnotapplytociphersuitesusingRSAkeyexchange.IfaTOEonlysupportsRSAkeyexchangeinconjunctionwithTLS,thenthistestshallbeomitted.

Test5.6:ModifyabyteintheServerFinishedhandshakemessage,andverifythattheclientdoesnotcompletethehandshakeandnoapplicationdataflows.Test5.7:SendamessageconsistingofrandombytesfromtheserveraftertheserverhasissuedtheChangeCipherSpecmessageandverifythattheclientdoesnotcompletethehandshakeandnoapplicationdataflows.Themessagemuststillhaveavalid5-byterecordheaderinordertoensurethemessagewillbeparsedasTLS.

TSSTheevaluatorshallensurethattheTSSdescribestheclient’smethodofestablishingallreferenceidentifiersfromtheapplication-configuredreferenceidentifier,includingwhichtypesofreferenceidentifiersaresupported(e.g.CommonName,DNSName,URIName,ServiceName,orotherapplication-specificSubjectAlternativeNames)andwhetherIPaddressesandwildcardsaresupported.Theevaluatorshallensurethatthisdescriptionidentifieswhetherandthemannerinwhichcertificatepinningissupportedorusedbytheproduct.GuidanceTheevaluatorshallverifythattheAGDguidanceincludesinstructionsforsettingthereferenceidentifiertobeusedforthepurposesofcertificatevalidationinTLS.TestsTheevaluatorshallconfigurethereferenceidentifieraccordingtotheAGDguidanceandperformthefollowingtestsduringaTLSconnection:

Test1:TheevaluatorshallpresentaservercertificatethatcontainsaCNthatdoesnotmatchthereferenceidentifieranddoesnotcontaintheSANextension.Theevaluatorshallverifythattheconnectionfails.NotethatsomesystemsmightrequirethepresenceoftheSANextension.InthiscasetheconnectionwouldstillfailbutforthereasonofthemissingSANextensioninsteadofthemismatchofCNandreferenceidentifier.BothreasonsareacceptabletopassTest1.Test2:TheevaluatorshallpresentaservercertificatethatcontainsaCNthatmatchesthereferenceidentifier,containstheSANextension,butdoesnotcontainanidentifierintheSANthatmatchesthereferenceidentifier.Theevaluatorshallverifythattheconnectionfails.TheevaluatorshallrepeatthistestforeachsupportedSANtype.Test3:[conditional]IftheTOEdoesnotmandatethepresenceoftheSANextension,theevaluatorshallpresentaservercertificatethatcontainsaCNthatmatchesthereferenceidentifieranddoesnotcontaintheSANextension.Theevaluatorshallverifythattheconnectionsucceeds.IftheTOEdoesmandatethepresenceoftheSANextension,thisTestshallbeomitted.Test4:TheevaluatorshallpresentaservercertificatethatcontainsaCNthatdoesnotmatchthereferenceidentifierbutdoescontainanidentifierintheSANthatmatches.Theevaluatorshallverifythattheconnectionsucceeds.Test5:Theevaluatorshallperformthefollowingwildcardtestswitheachsupportedtypeofreferenceidentifier.Thesupportforwildcardsisintendedtobeoptional.Ifwildcardsaresupported,thefirst,second,andthirdtestsbelowshallbeexecuted.Ifwildcardsarenotsupported,thenthefourthtestbelowshallbeexecuted.

Test5.1:[conditional]:Ifwildcardsaresupported,theevaluatorshallpresentaservercertificatecontainingawildcardthatisnotintheleft-mostlabelofthepresentedidentifier(e.g.foo.*.example.com)andverifythattheconnectionfails.Test5.2:[conditional]:Ifwildcardsaresupported,theevaluatorshallpresentaservercertificatecontainingawildcardintheleft-mostlabelbutnotprecedingthepublicsuffix(e.g.*.example.com).Theevaluatorshallconfigurethereferenceidentifierwithasingleleft-mostlabel(e.g.foo.example.com)andverifythattheconnectionsucceeds.Theevaluatorshallconfigurethereferenceidentifierwithoutaleft-mostlabelasinthecertificate(e.g.example.com)andverifythattheconnectionfails.Theevaluatorshallconfigurethereferenceidentifierwithtwoleft-mostlabels(e.g.bar.foo.example.come)andverifythattheconnectionfails.Test5.3:[conditional]:Ifwildcardsaresupported,theevaluatorshallpresentaservercertificatecontainingawildcardintheleft-mostlabelimmediatelyprecedingthepublicsuffix(e.g.*.com).Theevaluatorshallconfigurethereferenceidentifierwithasingleleft-mostlabel(e.g.foo.com)andverifythattheconnectionfails.Theevaluatorshallconfigurethereferenceidentifierwithtwoleft-mostlabels(e.g.bar.foo.com)andverifythattheconnectionfails.Test5.4:[conditional]:Ifwildcardsarenotsupported,theevaluatorshallpresentaservercertificatecontainingawildcardintheleft-mostlabel(e.g.*.example.com).Theevaluatorshallconfigurethereferenceidentifierwithasingleleft-mostlabel(e.g.foo.example.com)andverifythattheconnectionfails.

Test6:[conditional]IfURIorServicenamereferenceidentifiersaresupported,theevaluatorshallconfiguretheDNSnameandtheserviceidentifier.TheevaluatorshallpresentaservercertificatecontainingthecorrectDNSnameandserviceidentifierintheURINameorSRVNamefieldsoftheSANandverifythattheconnectionsucceeds.Theevaluatorshallrepeatthistestwiththewrongserviceidentifier(butcorrectDNSname)andverifythattheconnectionfails.Test7:[conditional]Ifpinnedcertificatesaresupportedtheevaluatorshallpresentacertificatethatdoesnotmatchthepinnedcertificateandverifythattheconnectionfails.

TSS

Iftheselectionforauthorizingoverrideofinvalidcertificatesismade,thentheevaluatorshallensurethattheTSSincludesadescriptionofhowandwhenuseroradministratorauthorizationisobtained.TheevaluatorshallalsoensurethattheTSSdescribesanymechanismforstoringsuchauthorizations,suchthatfuturepresentationofsuchotherwise-invalidcertificatespermitsestablishmentofatrustedchannelwithoutuseroradministratoraction.TestsTheevaluatorshalldemonstratethatusinganinvalidcertificate(unlessexcepted)resultsinthefunctionfailingasfollows,unlessexcepted:

Test1:Theevaluatorshalldemonstratethataserverusingacertificatewithoutavalidcertificationpathresultsinanauthenticationfailure.Usingtheadministrativeguidance,theevaluatorshallthenloadthetrustedCAcertificate(s)neededtovalidatetheserver'scertificate,anddemonstratethattheconnectionsucceeds.TheevaluatorthenshalldeleteoneoftheCAcertificates,andshowthattheconnectionfails.Test2:Theevaluatorshalldemonstratethataserverusingacertificatewhichhasbeenrevokedresultsinanauthenticationfailure.Test3:Theevaluatorshalldemonstratethataserverusingacertificatewhichhaspasseditsexpirationdateresultsinanauthenticationfailure.Test4:Theevaluatorshalldemonstratethataserverusingacertificatewhichdoesnothaveavalididentifierresultsinanauthenticationfailure.

FCS_TLSC_EXT.2TLSClientSupportforMutualAuthentication

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.2.1TheproductshallsupportmutualauthenticationusingX.509v3certificates.

ApplicationNote:TheuseofX.509v3certificatesforTLSisaddressedinFIA_X509_EXT.2.1.ThisrequirementaddsthataclientmustbecapableofpresentingacertificatetoaTLSserverforTLSmutualauthentication.Presentingacertificateisnotmandatoryinallcircumstances:itmaydependontheconfigurationoftheclientorotherfactors.


FCS_TLSC_EXT.2:TSSTheevaluatorshallensurethattheTSSdescriptionrequiredperFIA_X509_EXT.2.1includestheuseofclient-sidecertificatesforTLSmutualauthentication.TheevaluatorshallalsoensurethattheTSSdescribesanyfactorsbeyondconfigurationthatarenecessaryinorderfortheclienttoengageinmutualauthenticationusingX.509v3certificates.GuidanceTheevaluatorshallensurethattheAGDguidanceincludesanyinstructionsnecessarytoconfiguretheTOEtoperformmutualauthentication.TheevaluatoralsoshallverifythattheAGDguidancerequiredperFIA_X509_EXT.2.1includesinstructionsforconfiguringtheclient-sidecertificatesforTLSmutualauthentication.TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:Theevaluatorshallestablishaconnectiontoaserverthatisnotconfiguredformutualauthentication(i.e.doesnotsendServer’sCertificateRequest(type13)message).TheevaluatorobservesnegotiationofaTLSchannelandconfirmsthattheTOEdidnotsendClient’sCertificatemessage(type11)duringhandshake.Test2:Theevaluatorshallestablishaconnectiontoaserverwithasharedtrustedrootthatisconfiguredformutualauthentication(i.e.itsendsServer’sCertificateRequest(type13)message).TheevaluatorobservesnegotiationofaTLSchannelandconfirmsthattheTOErespondswithanon-emptyClient’sCertificatemessage(type11)andCertificateVerify(type15)message.

FCS_TLSC_EXT.3TLSClientSupportforSignatureAlgorithmsExtension

Thisisanobjectivecomponent.

FCS_TLSC_EXT.3.1Theproductshallpresentthesignature_algorithmsextensionintheClientHellowiththesupported_signature_algorithmsvaluecontainingthefollowinghashalgorithms:[selection:SHA256,SHA384,SHA512]andnootherhashalgorithms.

ApplicationNote:Thisrequirementlimitsthehashingalgorithmssupportedforthepurposeofdigitalsignatureverificationbytheclientandlimitstheservertothesupportedhashesforthepurposeofdigitalsignaturegenerationbytheserver.Thesignature_algorithmsextensionisonlysupportedbyTLS1.2.


FCS_TLSC_EXT.3:TSSTheevaluatorshallverifythatTSSdescribesthesignature_algorithmextensionandwhethertherequiredbehaviorisperformedbydefaultormaybeconfigured.GuidanceIftheTSSindicatesthatthesignature_algorithmextensionmustbeconfiguredtomeettherequirement,theevaluatorshallverifythatAGDguidanceincludesconfigurationofthesignature_algorithmextension.TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:TheevaluatorshallconfiguretheservertosendacertificateintheTLSconnectionthatisnotsupportedaccordingtotheClient'sHashAlgorithmenumerationwithinthesignature_algorithmsextension(forexample,sendacertificatewithaSHA-1signature).Theevaluatorshallverifythattheproductdisconnectsafterreceivingtheserver'sCertificatehandshakemessage.Test2:[conditional]IftheclientsupportsaDHEorECDHEciphersuite,theevaluatorshallconfiguretheservertosendaKeyExchangehandshakemessageincludingasignaturenotsupportedaccordingtotheclient'sHashAlgorithmenumeration(forexample,theserversignedtheKeyExchangeparametersusingaSHA-1signature).Theevaluatorshallverifythattheproductdisconnectsafterreceivingtheserver'sKeyExchangehandshakemessage.

FCS_TLSC_EXT.4TLSClientSupportforRenegotiation


FCS_TLSC_EXT.4.1Theproductshallsupportsecurerenegotiationthroughuseofthe“renegotiation_info”TLSextensioninaccordancewithRFC5746.

ApplicationNote:RFC5746definesanextensiontoTLSthatbindsrenegotiationhandshakestothecryptographyintheoriginalhandshake.

PerRFC5746,theclientmaypresenteitherthe"renegotiation_info"extensionorthesignalingciphersuitevalueTLS_EMPTY_RENEGOTIATION_INFO_SCSVintheinitialClientHellomessagetoindicatesupportforrenegotiation.(Asignalingciphersuitevalue(SCSV)ispresentedasaciphersuite,butitsonlypurposeistoprovideotherinformationandnottoadvertisesupportforaciphersuite.)TheTLS_EMPTY_RENEGOTIATION_INFO_SCSVsignalingciphersuitevalueexistsasanalternativetopresentingthe"renegotation_info"extensionsothatTLSserverimplementationsthatimmediatelyterminatetheconnectionwhentheyencounteranyextensiontheydonotunderstandcanstillproceedwithaconnection.Theclientmaystillchoosetorejecttheconnectionlater,ifitinsistsuponrenegotiationsupportandtheserverdoesnotsupportit.Inanycase,RFC5746statesthatduringanyrenegotiationthe"renegotiation_info"extensionmustbepresentedbythepeerinitiatingrenegotiation,andsotheclientmustsupportuseofthisextension.


FCS_TLSC_EXT.4:TestsTheevaluatorshallperformthefollowingtests:

Test1:Theevaluatorshalluseanetworkpacketanalyzer/sniffertocapturethetrafficbetweenthetwoTLSendpoints.Theevaluatorshallverifythateitherthe“renegotiation_info”fieldortheSCSVciphersuiteisincludedintheClientHellomessageduringtheinitialhandshake.Test2:TheevaluatorshallverifytheClient’shandlingofServerHellomessagesreceivedduringtheinitialhandshakethatincludethe“renegotiation_info”extension.TheevaluatorshallmodifythelengthportionofthisfieldintheServerHellomessagetobenon-zeroandverifythattheclientsendsafailureandterminatestheconnection.Theevaluatorshall

verifythataproperlyformattedfieldresultsinasuccessfulTLSconnection.Test3:TheevaluatorshallverifythatServerHellomessagesreceivedduringsecurerenegotiationcontainthe“renegotiation_info”extension.Theevaluatorshallmodifyeitherthe“client_verify_data”or“server_verify_data”valueandverifythattheclientterminatestheconnection.

FCS_TLSC_EXT.5TLSClientSupportforSupportedGroupsExtension

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_TLSC_EXT.1.1,FCS_DTLSC_EXT.1.1.

FCS_TLSC_EXT.5.1TheproductshallpresenttheSupportedGroupsExtensionintheClientHellowiththesupportedgroups[selection:

secp256r1,secp384r1,secp521r1,ffdhe2048(256),ffdhe3072(257),ffdhe4096(258),ffdhe6144(259),ffdhe8192(260)

].

ApplicationNote:IfanellipticcurveorDiffie-HellmanciphersuiteisselectedinFCS_TLSC_EXT.1.1orFCS_DTLSC_EXT.1.1,thenFCS_TLSC_EXT.5shallbeincludedintheST.Thisrequirementdoesnotlimittheellipticcurvestheclientmayproposeforauthenticationandkeyagreement.TheSupportedGroupsExtensionwaspreviouslyreferredtoastheSupportedEllipticCurvesExtensionandisdescribedinRFC7919.


FCS_TLSC_EXT.5:TSSTheevaluatorshallverifythatTSSdescribestheSupportedGroupsExtension.TestsTheevaluatorshallalsoperformthefollowingtest:

Test1:TheevaluatorshallconfigureaservertoperformkeyexchangeusingeachoftheTOE’ssupportedcurvesand/orgroups.TheevaluatorshallverifythattheTOEsuccessfullyconnectstotheserver.

FCS_TLSS_EXT.1TLSServerProtocol


FCS_TLSS_EXT.1.1TheproductshallimplementTLS1.2(RFC5246)and[selection:TLS1.1(RFC4346),noearlierTLSversions]asaserverthatsupportstheciphersuites[selection:

TLS_RSA_WITH_AES_128_CBC_SHAasdefinedinRFC5246,TLS_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289

]andnootherciphersuites,andalsosupportsfunctionalityfor[selection:mutualauthentication,sessionrenegotiation,none

].

ApplicationNote:TheSTauthorshouldselecttheciphersuitesthataresupported,andmustselectatleastoneciphersuite.Itisnecessarytolimittheciphersuitesthatcanbeusedinanevaluatedconfigurationadministrativelyontheserverinthetestenvironment.Ifadministrativestepsneedtobetakensothattheciphersuitesnegotiatedbytheimplementationarelimitedtothoseinthisrequirement,thentheappropriateinstructionsneedtobecontainedintheguidance.GCMciphersuitesarepreferredoverCBCciphersuites,ECDHEpreferredoverRSAandDHE,andSHA256orSHA384overSHA.

TLS_RSA_WITH_AES_128_CBC_SHAisnotrequireddespitebeingmandatedbyRFC5246.

TheserequirementswillberevisitedasnewTLSversionsarestandardizedbytheIETF.

Ifmutualauthenticationisselected,thentheSTmustadditionallyincludetherequirementsfromFCS_TLSS_EXT.2.IftheTOEimplementsmutualauthentication,thisselectionmustbemade.

Ifsessionrenegotiationisselected,thentheSTmustadditionallyincludetherequirementsfromFCS_TLSS_EXT.4.IftheTOEimplementssessionrenegotiation,thisselectionmustbemade.

FCS_TLSS_EXT.1.2TheproductshalldenyconnectionsfromclientsrequestingSSL2.0,SSL3.0,TLS1.0and[selection:TLS1.1,none].

ApplicationNote:AllSSLversionsaredenied.AnyTLSversionnotselectedinFCS_TLSS_EXT.1.1shouldbeselectedhere.

FCS_TLSS_EXT.1.3TheproductshallperformkeyestablishmentforTLSusing[selection:

RSAwithsize[selection:2048bits,3072bits,4096bits,noothersizes],Diffie-Hellmanparameterswithsize[selection:2048bits,3072bits,4096bits,6144bits,8192bits,noothersizes],Diffie-Hellmangroups[selection:ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192,noothergroups],ECDHEparametersusingellipticcurves[selection:secp256r1,secp384r1,secp521r1]andnoothercurves,nootherkeyestablishmentmethods

].

ApplicationNote:IftheSTlistsanRSAciphersuiteinFCS_TLSS_EXT.1.1,theSTmustincludetheRSAselectionintherequirement.

IftheSTlistsaDHEciphersuiteinFCS_TLSS_EXT.1.1,theSTmustincludeeithertheDiffie-Hellmanselectionforparametersofacertainsize,orforparticularDiffie-Hellmangroups.Theselectionfor"Diffie-Hellmanparameters"referstothemethoddefinedbyRFC5246(andRFC4346)Section7.4.3wheretheserverprovidesDiffie-Hellmanparameterstotheclient.TheSupportedGroupsextensiondefinedinRFC7919identifiesparticularDiffie-Hellmangroups,whicharelistedinthefollowingselection.Regardingthisdistinction,itisacceptabletouseDiffie-Hellmangroup14withTLS(thereiscurrentlynoabilitytonegotiategroup14usingtheSupportedGroupsextension,butitcouldbeusedwiththe"Diffie-Hellmanparameters"selection).AsinRFC7919,theterms"DHE"and"FFDHE"arebothusedtorefertothefinite-field-basedDiffie-Hellmanephemeralkeyexchangemechanism,distinctfromelliptic-curve-basedDiffieHellmanephemeralkeyexchange(ECDHE).

IftheSTlistsanECDHEciphersuiteinFCS_TLSS_EXT.1.1,theSTmustincludetheselectionforECDHEusingellipticcurvesintherequirement.


FCS_TLSS_EXT.1:TSSTheevaluatorshallcheckthedescriptionoftheimplementationofthisprotocolintheTSStoensurethattheciphersuitessupportedarespecified.TheevaluatorshallchecktheTSStoensurethattheciphersuitesspecifiedincludethoselistedforthiscomponent.GuidanceTheevaluatorshallalsochecktheoperationalguidancetoensurethatitcontainsinstructionsonconfiguringtheTOEsothatTLSconformstothedescriptionintheTSS.TestsTheevaluatorshallalsoperformthefollowingtests:

Test1:TheevaluatorshallestablishaTLSconnectionusingeachoftheciphersuitesspecifiedbytherequirement.Thisconnectionmaybeestablishedaspartoftheestablishmentofahigher-levelprotocol,e.g.,aspartofanEAPsession.Itissufficienttoobservethesuccessfulnegotiationofaciphersuitetosatisfytheintentofthetest;itisnotnecessarytoexaminethecharacteristicsoftheencryptedtrafficinanattempttodiscerntheciphersuitebeingused(forexample,thatthecryptographicalgorithmis128-bitAESandnot256-bitAES).Test2:TheevaluatorshallsendaClientHellototheserverwithalistofciphersuitesthatdoesnotcontainanyoftheciphersuitesintheserver’sSTandverifythattheserverdeniestheconnection.Additionally,theevaluatorshallsendaClientHellototheservercontainingonlytheTLS_NULL_WITH_NULL_NULLciphersuiteandverifythattheserverdeniestheconnection.Test3:IfRSAkeyexchangeisusedinoneoftheselectedciphersuites,theevaluatorshalluseaclienttosendaproperlyconstructedKeyExchangemessagewithamodifiedEncryptedPreMasterSecretfieldduringtheTLShandshake.Theevaluatorshallverifythatthehandshakeisnotcompletedsuccessfullyandnoapplicationdataflows.Test4:Theevaluatorshallperformthefollowingmodificationstothetraffic:

Test4.1:ChangetheTLSversionproposedbytheclientintheClientHellotoanon-supportedTLSversion(forexample1.3representedbythetwobytes0304)andverifythattheserverrejectstheconnection.Test4.2:Modifyabyteinthedataoftheclient'sFinishedhandshakemessage,andverifythattheserverrejectstheconnectionanddoesnotsendanyapplicationdata.Test4.3:DemonstratethattheTOEwillnotresumeasessionforwhichtheclientfailedtocompletethehandshake(independentofTOEsupportforsessionresumption):GenerateaFatalAlertbysendingaFinishedmessagefromtheclientbeforetheclientsendsaChangeCipherSpecmessage,andthensendaClientHellowiththesessionidentifierfromthepreviousincompletesession,andverifythattheserverdoesnotresumethesession.Test4.4:SendamessageconsistingofrandombytesfromtheclientaftertheclienthasissuedtheChangeCipherSpecmessageandverifythattheserverdeniestheconnection.

TSSTheevaluatorshallverifythattheTSScontainsadescriptionofthedenialofoldSSLandTLSversionsconsistentrelativetoselectionsinFCS_TLSS_EXT.1.2.GuidanceTheevaluatorshallverifythattheAGDguidanceincludesanyconfigurationnecessarytomeetthisrequirement.Tests

Test1:TheevaluatorshallsendaClientHellorequestingaconnectionwithversionSSL2.0andverifythattheserverdeniestheconnection.TheevaluatorshallrepeatthistestwithSSL3.0andTLS1.0,andTLS1.1ifitisselected.

TSSTheevaluatorshallverifythattheTSSdescribesthekeyagreementparametersoftheserver'sKeyExchangemessage.GuidanceTheevaluatorshallverifythatanyconfigurationguidancenecessarytomeettherequirementmustbecontainedintheAGDguidance.Tests

Theevaluatorshallconductthefollowingtests.Thetestingcanbecarriedoutmanuallywithapacketanalyzerorwithanautomatedframeworkthatsimilarlycapturessuchempiricalevidence.Notethatthistestingcanbeaccomplishedinconjunctionwithothertestingactivities.Foreachofthefollowingtests,determiningthatthesizematchestheexpectedsizeissufficient.Test1:[conditional]IfRSA-basedkeyestablishmentisselected,theevaluatorshallconfiguretheTOEwithacertificatecontainingasupportedRSAsizeandattemptaconnection.Theevaluatorshallverifythatthesizeusedmatchesthatwhichisconfiguredandthattheconnectionissuccessfullyestablished.TheevaluatorshallrepeatthistestforeachsupportedsizeofRSA-basedkeyestablishment.Test2:[conditional]Iffinite-field(i.e.non-EC)Diffie-Hellmanciphersareselected,theevaluatorshallattemptaconnectionusingaDiffie-Hellmankeyexchangewithasupportedparametersizeorsupportedgroup.Theevaluatorshallverifythatthekeyagreement

parametersintheKeyExchangemessagearetheonesconfigured.Theevaluatorshallrepeatthistestforeachsupportedparametersizeorgroup.Test3:[conditional]IfECDHEciphersareselected,theevaluatorshallattemptaconnectionusinganECDHEciphersuitewithasupportedcurve.TheevaluatorshallverifythatthekeyagreementparametersintheKeyExchangemessagearetheonesconfigured.Theevaluatorshallrepeatthistestforeachsupportedellipticcurve.

FCS_TLSS_EXT.2TLSServerSupportforMutualAuthentication

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_TLSS_EXT.1.1.

FCS_TLSS_EXT.2.1TheproductshallsupportauthenticationofTLSclientsusingX.509v3certificates.

FCS_TLSS_EXT.2.2Theproductshallnotestablishatrustedchanneliftheclientcertificateisinvalid.

ApplicationNote:TheuseofX.509v3certificatesforTLSisaddressedinFIA_X509_EXT.2.1Thisrequirementaddsthatthisusemustincludesupportforclient-sidecertificatesforTLSmutualauthentication.Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithRFC5280.CertificatevalidityshallbetestedinaccordancewithtestingperformedforFIA_X509_EXT.1.

FCS_TLSS_EXT.2.3TheproductshallnotestablishatrustedchanneliftheDistinguishedName(DN)orSubjectAlternativeName(SAN)containedinacertificatedoesnotmatchoneoftheexpectedidentifiersfortheclient.

ApplicationNote:TheclientidentifiermaybeintheSubjectfieldortheSubjectAlternativeNameextensionofthecertificate.Theexpectedidentifiermayeitherbeconfigured,maybecomparedtothedomainname,IPaddress,username,oremailaddressusedbytheclient,ormaybepassedtoadirectoryserverforcomparison.Inthelattercase,thematchingitselfmaybeperformedoutsidetheTOE.


FCS_TLSS_EXT.2:TSSTheevaluatorshallensurethattheTSSdescriptionrequiredperFIA_X509_EXT.2.1includestheuseofclient-sidecertificatesforTLSmutualauthentication.GuidanceTheevaluatorshallverifythattheAGDguidancerequiredperFIA_X509_EXT.2.1includesinstructionsforconfiguringtheclient-sidecertificatesforTLSmutualauthentication.TheevaluatorshallensurethattheAGDguidanceincludesinstructionsforconfiguringtheservertorequiremutualauthenticationofclientsusingthesecertificates.TestsTheevaluatorshalluseTLSasafunctiontoverifythatthevalidationrulesinFIA_X509_EXT.1.1areadheredtoandshallperformthefollowingtests.TheevaluatorshallapplytheAGDguidancetoconfiguretheservertorequireTLSmutualauthenticationofclientsforthefollowingtests,unlessoverriddenbyinstructionsinthetestactivity:

Test1:Theevaluatorshallconfiguretheservertosendacertificaterequesttotheclient.Theclientshallsendacertificate_liststructurewhichhasalengthofzero.Theevaluatorshallverifythatthehandshakeisnotfinishedsuccessfullyandnoapplicationdataflows.Test2:Theevaluatorshallconfiguretheservertosendacertificaterequesttotheclient.Theclientshallsendnoclientcertificatemessage,andinsteadsendaclientkeyexchangemessageinanattempttocontinuethehandshake.Theevaluatorshallverifythatthehandshakeisnotfinishedsuccessfullyandnoapplicationdataflows.Test3:Theevaluatorshallconfiguretheservertosendacertificaterequesttotheclientwithoutthesupported_signature_algorithmusedbytheclient’scertificate.Theevaluatorshallattemptaconnectionusingtheclientcertificateandverifythatthehandshakeisnotfinishedsuccessfullyandnoapplicationdataflows.Test4:Theevaluatorshalldemonstratethatusingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing.Usingtheadministrativeguidance,theevaluatorshallthenloadacertificateorcertificatesneededtovalidatethecertificatetobeusedinthefunction,anddemonstratethatthefunctionsucceeds.Theevaluatorthenshalldeleteoneofthecertificates,andshowthatthefunctionfails.

Test5:TheaimofthistestistochecktheresponseoftheserverwhenitreceivesaclientidentitycertificatethatissignedbyanimpostorCA(eitherRootCAorintermediateCA).TocarryoutthistesttheevaluatorshallconfiguretheclienttosendaclientidentitycertificatewithanissuerfieldthatidentifiesaCArecognisedbytheTOEasatrustedCA,butwherethekeyusedforthesignatureontheclientcertificatedoesnotinfactcorrespondtotheCAcertificatetrustedbytheTOE(meaningthattheclientcertificateisinvalidbecauseitscertificationpathdoesnotinfactterminateintheclaimedCAcertificate).Theevaluatorshallverifythattheattemptedconnectionisdenied.Test6:TheevaluatorshallconfiguretheclienttosendacertificatewiththeClientAuthenticationpurposeintheextendedKeyUsagefieldandverifythattheserveracceptstheattemptedconnection.TheevaluatorshallrepeatthistestwithouttheClientAuthenticationpurposeandshallverifythattheserverdeniestheconnection.Ideally,thetwocertificatesshouldbeidenticalexceptfortheClientAuthenticationpurpose.Test7:Theevaluatorshallperformthefollowingmodificationstothetraffic:a)Configuretheservertorequiremutualauthenticationandthenmodifyabyteintheclient’scertificate.Theevaluatorshallverifythattheserverrejectstheconnection.b)Configuretheservertorequiremutualauthenticationandthenmodifyabyteinthesignatureblockoftheclient’sCertificateVerifyhandshakemessage.Theevaluatorshallverifythattheserverrejectstheconnection.

TSSIftheproductimplementsmutualauthentication,theevaluatorshallverifythattheTSSdescribeshowtheDNandSANinthecertificateiscomparedtotheexpectedidentifier.GuidanceIftheDNisnotcomparedautomaticallytothedomainname,IPaddress,username,oremailaddress,theevaluatorshallensurethattheAGDguidanceincludesconfigurationoftheexpectedidentifierorthedirectoryserverfortheconnection.Tests

Test1:Theevaluatorshallsendaclientcertificatewithanidentifierthatdoesnotmatchanyoftheexpectedidentifiersandverifythattheserverdeniestheconnection.ThematchingitselfmightbeperformedoutsidetheTOE(e.g.whenpassingthecertificateontoadirectoryserverforcomparison).

FCS_TLSS_EXT.3TLSServerSupportforSignatureAlgorithmsExtension

Thisisanobjectivecomponent.

FCS_TLSS_EXT.3.1TheproductshallpresenttheHashAlgorithmenumerationinsupported_signature_algorithmsintheCertificateRequestwiththefollowinghashalgorithms:[selection:SHA256,SHA384,SHA512]andnootherhashalgorithms.

ApplicationNote:Thisrequirementlimitsthehashingalgorithmssupportedforthepurposeofdigitalsignatureverificationbytheserverandlimitstheclienttothesupportedhashesforthepurposeofdigitalsignaturegenerationbytheclient.Thesupported_signature_algorithmsisonlysupportedbyTLS1.2.


FCS_TLSS_EXT.3:TSSTheevaluatorshallverifythatTSSdescribesthesupported_signature_algorithmsfieldoftheCertificateRequestandwhethertherequiredbehaviorisperformedbydefaultormaybeconfigured.GuidanceIftheTSSindicatesthatthesupported_signature_algorithmsfieldmustbeconfiguredtomeettherequirement,theevaluatorshallverifythatAGDguidanceincludesconfigurationofthesupported_signature_algorithmsfield.TestsTheevaluatorshallalsoperformthefollowingtest:Theevaluatorshallconfiguretheservertosendthesignature_algorithmsextensionintheCertificateRequestmessageindicatingthatthehashalgorithmusedbytheclient’scertificateisnotsupported.Theevaluatorshallattemptaconnectionusingthatclientcertificateandverifythattheserverdeniestheclient’sconnection.

FCS_TLSS_EXT.4TLSServerSupportforRenegotiation

Thisisaselection-basedcomponent.Itsinclusiondependsuponselectionfrom

FCS_TLSS_EXT.1.1.

FCS_TLSS_EXT.4.1Theproductshallsupportthe"renegotiation_info"TLSextensioninaccordancewithRFC5746.

FCS_TLSS_EXT.4.2Theproductshallincludetherenegotiation_infoextensioninServerHellomessages.

ApplicationNote:RFC5746definesanextensiontoTLSthatbindsrenegotiationhandshakestothecryptographyintheoriginalhandshake.


FCS_TLSS_EXT.4:TestsThefollowingtestsrequireconnectionwithaclientthatsupportssecurerenegotiationandthe"renegotiation_info"extension.

Test1:Theevaluatorshalluseanetworkpacketanalyzer/sniffertocapturethetrafficbetweenthetwoTLSendpoints.Theevaluatorshallverifythatthe“renegotiation_info”fieldisincludedintheServerHellomessage.Test2:TheevaluatorshallmodifythelengthportionofthefieldintheClientHellomessageintheinitialhandshaketobenon-zeroandverifythattheserversendsafailureandterminatestheconnection.TheevaluatorshallverifythataproperlyformattedfieldresultsinasuccessfulTLSconnection.Test3:Theevaluatorshallmodifythe"client_verify_data"or"server_verify_data"valueintheClientHellomessagereceivedduringsecurerenegotiationandverifythattheserverterminatestheconnection.

FCS_DTLSC_EXT.1DTLSClientProtocol

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_TLSC_EXT.1.1.

FCS_DTLSC_EXT.1.1TheproductshallimplementDTLS1.2(RFC6347)and[selection:DTLS1.0(RFC4347),noearlierDTLSversions]asaclientthatsupportstheciphersuites[selection:

TLS_RSA_WITH_AES_128_CBC_SHAasdefinedinRFC5246,TLS_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289

]andalsosupportsfunctionalityfor[selection:mutualauthentication,none

].

ApplicationNote:IfanyECDHEorDHEciphersuitesareselected,thenFCS_TLSC_EXT.5isrequired.

Ifmutualauthenticationisselected,thentheSTmustadditionallyincludetherequirementsfromFCS_DTLSC_EXT.2.IftheTOEimplementsmutualauthentication,thisselectionmustbemade.

DifferencesbetweenDTLS1.2andTLS1.2areoutlinedinRFC6347;otherwisetheprotocolsarethesame.AllapplicationnoteslistedforFCS_TLSC_EXT.1.1thatarerelevanttoDTLSapplytothisrequirement.

FCS_DTLSC_EXT.1.2TheproductshallverifythatthepresentedidentifiermatchesthereferenceidentifieraccordingtoRFC6125.

ApplicationNote:AllapplicationnoteslistedforFCS_TLSC_EXT.1.2thatarerelevanttoDTLSapplytothisrequirement.

FCS_DTLSC_EXT.1.3Theproductshallnotestablishatrustedchanneliftheservercertificateisinvalid[selection:withnoexceptions,exceptwhenoverrideisauthorized].


FCS_DTLSC_EXT.1.4Theproductshall[selection:terminatetheDTLSsession,silentlydiscardtherecord]ifamessagereceivedcontainsaninvalidMACorifdecryptionfailsinthecaseofGCMandotherAEADciphersuites.


FCS_DTLSC_EXT.1:TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSC_EXT.1.1,butensuringthatDTLS(andnotTLS)isusedineachevaluationactivity.

Fortestswhichinvolveversionnumbers,notethatinDTLStheon-the-wirerepresentationisthe1'scomplementofthecorrespondingtextualDTLSversionnumbers.ThisisdescribedinSection4.1ofRFC6347andRFC4347.Forexample,DTLS1.0isrepresentedbythebytes0xfe0xff,whiletheundefinedDTLS1.4wouldberepresentedbythebytes0xfe0xfb.TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSC_EXT.1.2.TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSC_EXT.1.3.TSSTheevaluatorshallverifythattheTSSdescribestheactionsthattakeplaceifamessagereceivedfromtheDTLSServerfailstheMACintegritycheck.TestsTheevaluatorshallestablishaconnectionusingaserver.Theevaluatorwillthenmodifyatleastonebyteinarecordmessage,andverifythattheclientdiscardstherecordorterminatestheDTLSsession.

FCS_DTLSC_EXT.2DTLSClientSupportforMutualAuthentication

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_DTLSC_EXT.1.1.

FCS_DTLSC_EXT.2.1TheproductshallsupportmutualauthenticationusingX.509v3certificates.



FCS_DTLSC_EXT.2:TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSC_EXT.2.1.

FCS_DTLSS_EXT.1DTLSServerProtocol


FCS_DTLSS_EXT.1.1TheproductshallimplementDTLS1.2(RFC6347)and[selection:DTLS1.0(RFC4347),noearlierDTLSversions]asaserverthatsupportstheciphersuites[selection:

TLS_RSA_WITH_AES_128_CBC_SHAasdefinedinRFC5246,TLS_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256asdefinedinRFC5246,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5288,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384asdefinedinRFC5289,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384asdefinedinRFC5289

]andnootherciphersuites,andalsosupportsfunctionalityfor[selection:mutualauthentication,none

].

ApplicationNote:Ifmutualauthenticationisselected,thentheSTmustadditionallyincludetherequirementsfromFCS_DTLSS_EXT.2.IftheTOEimplementsmutualauthentication,thisselectionmustbemade.

AllapplicationnoteslistedforFCS_TLSS_EXT.1.1thatarerelevanttoDTLSapplytothisrequirement.

FCS_DTLSS_EXT.1.2Theproductshalldenyconnectionsfromclientsrequesting[assignment:listofDTLSprotocolversions].

ApplicationNote:AnyspecificDTLSversionnotselectedinFCS_DTLSS_EXT.1.1shouldbeassignedhere.ThisversionofthePPdoesnotrequiretheservertodenyDTLS1.0,andiftheTOEsupportsDTLS1.0then"none"canbeassigned.InafutureversionofthisPP,DTLS1.0willberequiredtobedenied.

FCS_DTLSS_EXT.1.3TheproductshallnotproceedwithaconnectionhandshakeattemptiftheDTLSClientfailsvalidation.

ApplicationNote:TheprocesstovalidatetheIPaddressofaDTLSclientisspecifiedinsection4.2.1ofRFC6347(DTLS1.2)andRFC4347(DTLS1.0).TheservervalidatestheDTLSclientduringConnectionEstablishment(Handshaking)andpriortosendingaServerHellomessage.AfterreceivingaClientHello,theDTLSServersendsaHelloVerifyRequestalongwithacookie.Thecookieisasignedmessageusingakeyedhashfunction.TheDTLSClientthensendsanotherClientHellowiththecookieattached.IftheDTLSserversuccessfullyverifiesthesignedcookie,theClientisnotusingaspoofedIPaddress.

FCS_DTLSS_EXT.1.4TheproductshallperformkeyestablishmentforDTLSusing[selection:

RSAwithsize[selection:2048bits,3072bits,4096bits,noothersizes],Diffie-Hellmanparameterswithsize[selection:2048bits,3072bits,4096bits,6144bits,8192bits,noothersize],Diffie-Hellmangroups[selection:ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192,noothergroups],ECDHEparametersusingellipticcurves[selection:secp256r1,secp384r1,secp521r1]andnoothercurves,nootherkeyestablishmentmethods

].

ApplicationNote:IftheSTlistsanRSAciphersuiteinFCS_DTLSS_EXT.1.1,theSTmustincludetheRSAselectionintherequirement.IftheSTlistsaDHEciphersuiteinFCS_DTLSS_EXT.1.1,theSTmustinclude

eithertheDiffie-Hellmanselectionforparametersofacertainsize,orforparticularDiffie-Hellmangroups.IftheSTlistsanECDHEciphersuiteinFCS_DTLSS_EXT.1.1,theSTmustincludetheNISTcurvesselectionintherequirement.

FCS_DTLSS_EXT.1.5Theproductshall[selection:terminatetheDTLSsession,silentlydiscardtherecord]ifamessagereceivedcontainsaninvalidMACorifdecryptionfailsinthecaseofGCMandotherAEADciphersuites.


FCS_DTLSS_EXT.1:TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSS_EXT.1.1,butensuringthatDTLS(andnotTLS)isusedineachstageoftheevaluationactivities.

Fortestswhichinvolveversionnumbers,notethatinDTLStheon-the-wirerepresentationisthe1'scomplementofthecorrespondingtextualDTLSversionnumbers.ThisisdescribedinSection4.1ofRFC6347andRFC4347.Forexample,DTLS1.0isrepresentedbythebytes0xfe0xff,whiletheundefinedDTLS1.4wouldberepresentedbythebytes0xfe0xfb.Thefollowingevaluationactivitiesshallbeconductedunless"none"isassigned.

TSSTheevaluatorshallverifythattheTSScontainsadescriptionofthedenialofoldDTLSversionsconsistentrelativetoselectionsinFCS_DTLSS_EXT.1.2.GuidanceTheevaluatorshallverifythattheAGDguidanceincludesanyconfigurationnecessarytomeetthisrequirement.Tests

Test1:TheevaluatorshallsendaClientHellorequestingaconnectionwitheachversionofDTLSspecifiedintheselectionandverifythattheserverdeniestheconnection.

TSSTheevaluatorshallverifythattheTSSdescribeshowtheDTLSClientIPaddressisvalidatedpriortoissuingaServerHellomessage.TestsModifyatleastonebyteinthecookiefromtheServer'sHelloVerifyRequestmessage,andverifythattheServerrejectstheClient'shandshakemessage.TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSS_EXT.1.3.TSSTheevaluatorshallverifythattheTSSdescribestheactionsthattakeplaceifamessagereceivedfromtheDTLSclientfailstheMACintegritycheck.TestsTheevaluatorshallestablishaconnectionusingaclient.Theevaluatorwillthenmodifyatleastonebyteinarecordmessage,andverifythattheserverdiscardstherecordorterminatestheDTLSsession.

FCS_DTLSS_EXT.2DTLSServerSupportforMutualAuthentication

Thisisaselection-basedcomponent.ItsinclusiondependsuponselectionfromFCS_DTLSS_EXT.1.1.

FCS_DTLSS_EXT.2.1TheproductshallsupportmutualauthenticationofDTLSclientsusingX.509v3certificates.

ApplicationNote:AllapplicationnoteslistedforFCS_TLSS_EXT.2.1thatarerelevanttoDTLSapplytothisrequirement.

FCS_DTLSS_EXT.2.2Theproductshallnotestablishatrustedchanneliftheclientcertificateisinvalid.


FCS_DTLSS_EXT.2.3TheproductshallnotestablishatrustedchanneliftheDistinguishedName(DN)orSubjectAlternativeName(SAN)containedinacertificatedoesnotmatchoneoftheexpectedidentifiersfortheclient.



FCS_DTLSS_EXT.2:TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSS_EXT.2.1.TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSS_EXT.2.2.TestsTheevaluatorshallperformtheevaluationactivitieslistedforFCS_TLSS_EXT.2.3.

AppendixA-Implementation-DependentRequirementsImplementation-DependentRequirementsaredependentontheTOEimplementingaparticularfunction.IftheTOEfulfillsanyoftheserequirements,thevendormusteitheraddtherelatedSFRordisablethefunctionalityfortheevaluatedconfiguration.

AppendixB-Referencesext-comp-def

Identifier Title

[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1,Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1,Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1,Revision5,April2017.

http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf



AppendixC-Acronyms

Acronym Meaning

AES AdvancedEncryptionStandard

Base-PP BaseProtectionProfile

CA CertificateAuthority

CA CertificateAuthority

CBC CipherBlockChaining

CC CommonCriteria

CEM CommonEvaluationMethodology

CN CommonName

DHE Diffie-HellmanEphemeral

DN DistinguishedName

DNS DomainNameServer

DTLS DatagramTransportLayerSecurity

DTLS DatagramTransportLayerSecurity

EAP ExtensibleAuthenticationProtocol

ECDHE EllipticCurveDiffie-HellmanEphemeral

ECDSA EllipticCurveDigitalSignatureAlgorithm

GCM Galois/CounterMode

HTTP HypertextTransferProtocol

IETF InternetEngineeringTaskForce

IP InternetProtocol

LDAP LightweightDirectoryAccessProtocol

NIST NationalInstituteofStandardsandTechnology

OE OperationalEnvironment

PP ProtectionProfile

PP-Configuration ProtectionProfileConfiguration

PP-Module ProtectionProfileModule

RFC RequestforComment(IETF)

RSA RivestShamirAdelman

SAN SubjectAlternativeName

SAR SecurityAssuranceRequirement

SCSV SignalingCipherSuiteValue

SFR SecurityFunctionalRequirement

SHA SecureHashAlgorithm

SIP SessionInitiationProtocol

ST SecurityTarget

TCP TransmissionControlProtocol

TLS TransportLayerSecurity

TOE TargetofEvaluation

TSF TOESecurityFunctionality

TSFI TSFInterface

TSS TOESummarySpecification

UDP UserDatagramProtocol

URI UniformResourceIdentifier

URL UniformResourceLocator

functional package for transport layer security (tls) · (pp) an implementation-independent set of...

Documents