Functional Package for Transport Layer Security (TLS)
Version: 1.1
2019-03-01
National Information Assurance Partnership
Revision History

Version  Date        Comment
1.0      2018-12-17  First publication
1.1      2019-03-01  Clarifications regarding override for invalid certificates, renegotiation_info extension, DTLS versions, and named Diffie-Hellman groups in DTLS contexts
Contents

1 Introduction
  1.1 Overview
  1.2 Terms
    1.2.1 Common Criteria Terms
    1.2.2 Technical Terms
  1.3 Format of this Document
  1.4 Compliant Targets of Evaluation
2 Conformance Claims
3 Security Functional Requirements
  3.1 Cryptographic Support (FCS)
Appendix A - Implementation-Dependent Requirements
Appendix B - References
Appendix C - Acronyms
1 Introduction

1.1 Overview

Transport Layer Security (TLS) and the closely related Datagram TLS (DTLS) are cryptographic protocols designed to provide communications security over IP networks. Several versions of the protocol are in widespread use in software that provides functionality such as web browsing, email, instant messaging, and voice-over-IP (VoIP). Major websites use TLS to protect communications to and from their servers. TLS is also used to protect communications between hosts and network infrastructure devices for administration. The underlying platform, such as an operating system, often provides the actual TLS implementation.

The primary goal of the TLS protocol is to provide confidentiality and integrity of data transmitted between two communicating endpoints, as well as authentication of at least the server endpoint. TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. These methods are dynamically negotiated between the client and server when the TLS connection is established. As a result, evaluating the implementation of both endpoints is typically necessary to provide assurance for the operating environment.

This "Functional Package for Transport Layer Security" (short name "TLS-PKG") defines functional requirements for the implementation of the Transport Layer Security (TLS) and Datagram TLS (DTLS) protocols. The requirements are intended to improve the security of products by enabling their evaluation.
1.2 Terms

The following sections list Common Criteria and technology terms used in this document.
1.2.1 Common Criteria Terms

Assurance
    Grounds for confidence that a TOE meets the SFRs [CC].
Base Protection Profile (Base-PP)
    Protection Profile used as a basis to build a PP-Configuration.
Common Criteria (CC)
    Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).
Common Criteria Testing Laboratory
    Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.
Common Evaluation Methodology (CEM)
    Common Evaluation Methodology for Information Technology Security Evaluation.
Distributed TOE
    A TOE composed of multiple components operating as a logical whole.
Operational Environment (OE)
    Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.
Protection Profile (PP)
    An implementation-independent set of security requirements for a category of products.
Protection Profile Configuration (PP-Configuration)
    A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.
Protection Profile Module (PP-Module)
    An implementation-independent statement of security needs for a TOE type complementary to one or more Base Protection Profiles.
Security Assurance Requirement (SAR)
    A requirement to assure the security of the TOE.
Security Functional Requirement (SFR)
    A requirement for security enforcement by the TOE.
Security Target (ST)
    A set of implementation-dependent security requirements for a specific product.
TOE Security Functionality (TSF)
    The security functionality of the product under evaluation.
TOE Summary Specification (TSS)
    A description of how a TOE satisfies the SFRs in an ST.
Target of Evaluation (TOE)
    The product under evaluation.
1.2.2 Technical Terms

Certificate Authority (CA)
    Issuer of digital certificates.
Datagram Transport Layer Security (DTLS)
    Cryptographic network protocol, based on TLS, which provides communications security for datagram protocols.
Transport Layer Security (TLS)
    Cryptographic network protocol for providing communications security over a TCP/IP network.
1.3 Format of this Document

Section 3 Security Functional Requirements contains baseline requirements which must be implemented in the product and included in any PP/PP-Module/ST that claims conformance to this Package. There are three other types of requirements that can be included in a PP/PP-Module/ST claiming conformance to this Package:
- Optional Requirements: contains requirements that may optionally be included in the PP/PP-Module/ST, but inclusion is at the discretion of the PP/PP-Module/ST author. For requirements that have selections, if the PP/PP-Module allows the selection (or the ST selects particular selections), then there are additional requirements based on these selections contained in this appendix that will need to be included in the PP/PP-Module/ST.
- Selection-Based Requirements: contains requirements based on selections in the requirements in Section 3 Security Functional Requirements or the PP/PP-Module/ST: if certain selections are made, then the corresponding requirements in that appendix must be included.
- Objective Requirements: contains requirements that will be included in the baseline requirements in future versions of this package. Earlier adoption by vendors is encouraged. Otherwise, these are treated the same as Optional Requirements.
1.4 Compliant Targets of Evaluation

The Target of Evaluation (TOE) in this Package is a product which acts as a TLS client or server, or both. This Package describes the security functionality of TLS in terms of [CC]. The contents of this Package must be appropriately combined with a PP or PP-Module. When this Package is instantiated by a PP or PP-Module, the Package must include selection-based requirements in accordance with the selections or assignments indicated in the PP or PP-Module. These may be expanded by the ST author. The PP or PP-Module which instantiates this Package must typically include the following components in order to satisfy dependencies of this Package. It is the responsibility of the PP or PP-Module author who instantiates this Package to ensure that dependence on these components is satisfied:

Component        Explanation
FCS_CKM.2        To support TLS cipher suites that use RSA, DHE or ECDHE for key exchange, the PP or PP-Module must include FCS_CKM.2 and specify the corresponding algorithm.
FCS_COP.1        To support TLS cipher suites that use AES for encryption/decryption, the PP or PP-Module must include FCS_COP.1 (iterating as needed) and specify AES with corresponding key sizes and modes. To support TLS cipher suites that use SHA for hashing, the PP or PP-Module must include FCS_COP.1 (iterating as needed) and specify SHA with corresponding digest sizes.
FCS_RBG_EXT.1    To support random bit generation needed for the TLS handshake, the PP or PP-Module must include FCS_RBG_EXT.1.
FIA_X509_EXT.1   To support validation of certificates needed during TLS connection setup, the PP or PP-Module must include FIA_X509_EXT.1.
FIA_X509_EXT.2   To support the use of X.509 certificates for authentication in TLS connection setup, the PP or PP-Module must include FIA_X509_EXT.2.

An ST must identify the applicable version of the PP or PP-Module and this Package in its conformance claims.
2 Conformance Claims

Conformance Statement
An ST must claim exact conformance to this Package, as defined in the CC and CEM addenda for Exact Conformance, Selection-Based SFRs, and Optional SFRs (dated May 2017).

CC Conformance Claims
This Package is conformant to Parts 2 (extended) and 3 (conformant) of Common Criteria Version 3.1, Revision 5.

PP Claim
This Package does not claim conformance to any Protection Profile.

Package Claim
This Package does not claim conformance to any packages.

Conformance Statement
This Package serves to provide Protection Profiles with additional SFRs and associated Evaluation Activities specific to TLS clients and servers. This Package conforms to Common Criteria [CC] for Information Technology Security Evaluation, Version 3.1, Revision 5. It is CC Part 2 extended conformant. In accordance with CC Part 1, dependencies are not included when they are addressed by other SFRs. The evaluation activities provide adequate proof that any dependencies are also satisfied.
3 Security Functional Requirements

This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 of [CC]. The following conventions are used for the completion of operations:
- Refinement operation (denoted by bold text or strikethrough text): is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.
- Selection (denoted by italicized text): is used to select one or more options provided by the [CC] in stating a requirement.
- Assignment operation (denoted by italicized text): is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
- Iteration operation: is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."
3.1 Cryptographic Support (FCS)

FCS_TLS_EXT.1 TLS Protocol

FCS_TLS_EXT.1.1
The product shall implement [selection: TLS as a client, TLS as a server, DTLS as a client, DTLS as a server].

Application Note: If TLS as a client is selected, then the ST must include the requirements from FCS_TLSC_EXT.1. If TLS as a server is selected, then the ST must include the requirements from FCS_TLSS_EXT.1. If DTLS as a client is selected, then the ST must include the requirements from FCS_DTLSC_EXT.1. If DTLS as a server is selected, then the ST must include the requirements from FCS_DTLSS_EXT.1.

Evaluation Activities

FCS_TLS_EXT.1:
Guidance
The evaluator shall ensure that the selections indicated in the ST are consistent with selections in the dependent components.
FCS_TLSC_EXT.1 TLS Client Protocol

This is a selection-based component. Its inclusion depends upon selection from FCS_TLS_EXT.1.1.

FCS_TLSC_EXT.1.1
The product shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.1 (RFC 4346), no earlier TLS versions] as a client that supports the cipher suites [selection:
- TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
- TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
- TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
] and also supports functionality for [selection: mutual authentication, session renegotiation, none].

Application Note: The ST author should select the cipher suites that are supported, and must select at least one cipher suite. The cipher suites to be tested in the evaluated configuration are limited by this requirement. However, this requirement does not restrict the TOE's ability to propose additional cipher suites beyond the ones listed in this requirement in its ClientHello message. That is, the TOE may propose any cipher suite but the evaluation will only test cipher suites from the above list. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment. GCM cipher suites are preferred over CBC cipher suites, ECDHE preferred over RSA and DHE, and SHA256 or SHA384 over SHA.

TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.

These requirements will be revisited as new TLS versions are standardized by the IETF.

If any ECDHE or DHE cipher suites are selected, then FCS_TLSC_EXT.5 is required.

If mutual authentication is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If session renegotiation is selected, then the ST must additionally include the requirements from FCS_TLSC_EXT.4. If the TOE implements session renegotiation, this selection must be made.
FCS_TLSC_EXT.1.2
The product shall verify that the presented identifier matches the reference identifier according to RFC 6125.

Application Note: The rules for verification of identity are described in Section 6 of RFC 6125. The reference identifier is established by the user (e.g. entering a URL into a web browser or clicking a link), by configuration (e.g. configuring the name of a mail server or authentication server), or by an application (e.g. a parameter of an API) depending on the product service. Based on a singular reference identifier's source domain and application service type (e.g. HTTP, SIP, LDAP), the client establishes all reference identifiers which are acceptable, such as a Common Name for the Subject Name field of the certificate and a (case-insensitive) DNS name, URI name, and Service Name for the Subject Alternative Name field. The client then compares this list of all acceptable reference identifiers to the presented identifiers in the TLS server's certificate. The preferred method for verification is the Subject Alternative Name using DNS names, URI names, or Service Names. Verification using the Common Name for the purposes of backwards compatibility is optional. Additionally, support for use of IP addresses in the Subject Name or Subject Alternative Name is discouraged, as against best practices, but may be implemented. Finally, the client should avoid constructing reference identifiers using wildcards. However, if the presented identifiers include wildcards, the client must follow the best practices regarding matching; these best practices are captured in the evaluation activity.
FCS_TLSC_EXT.1.3
The product shall not establish a trusted channel if the server certificate is invalid [selection: with no exceptions, except when override is authorized].

Application Note: Validity is determined by the identifier verification, certificate path, the expiration date, and the revocation status in accordance with RFC 5280. Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1 as defined in any PP or PP-Module which instantiates this Package.

The selection that permits override for invalid certificates should be interpreted as follows:
- explicit administrator or user action is needed to authorize the override, on a per-certificate basis
- override may be sought or granted at any time, though this typically occurs when an invalid certificate is presented during connection setup
- override decisions may be stored and then consulted later, to permit connections using these otherwise-invalid certificates to establish trusted channels without user or administrator action

As indicated in Section 1.4 Compliant Targets of Evaluation, note that a PP author may instantiate this SFR using only the first selection, preventing the ability to allow overrides.
Evaluation Activities

FCS_TLSC_EXT.1:
TSS
The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the cipher suites supported are specified. The evaluator shall check the TSS to ensure that the cipher suites specified include those listed for this component.
Guidance
The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the product so that TLS conforms to the description in the TSS.
Tests
The evaluator shall also perform the following tests:
- Test 1: The evaluator shall establish a TLS connection using each of the cipher suites specified by the requirement. This connection may be established as part of the establishment of a higher-level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a cipher suite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the cipher suite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).
- Test 2: The goal of the following test is to verify that the TOE accepts only certificates with appropriate values in the extendedKeyUsage extension, and implicitly that the TOE correctly parses the extendedKeyUsage extension as part of X.509v3 server certificate validation.
  The evaluator shall attempt to establish the connection using a server with a server certificate that contains the Server Authentication purpose in the extendedKeyUsage extension and verify that a connection is established. The evaluator shall repeat this test using a different, but otherwise valid and trusted, certificate that lacks the Server Authentication purpose in the extendedKeyUsage extension and ensure that a connection is not established. Ideally, the two certificates should be similar in structure, the types of identifiers used, and the chain of trust.
- Test 3: The evaluator shall send a server certificate in the TLS connection that does not match the server-selected cipher suite (for example, send an ECDSA certificate while using the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite or send an RSA certificate while using one of the ECDSA cipher suites). The evaluator shall verify that the product disconnects after receiving the server's Certificate handshake message.
- Test 4: The evaluator shall configure the server to select the TLS_NULL_WITH_NULL_NULL cipher suite and verify that the client denies the connection.
- Test 5: The evaluator shall perform the following modifications to the traffic:
  - Test 5.1: Change the TLS version selected by the server in the ServerHello to an undefined TLS version (for example 1.5 represented by the two bytes 0306) and verify that the client rejects the connection.
  - Test 5.2: Change the TLS version selected by the server in the ServerHello to the most recent unsupported TLS version (for example 1.1 represented by the two bytes 0302) and verify that the client rejects the connection.
  - Test 5.3: [conditional] If DHE or ECDHE cipher suites are supported, modify at least one byte in the server's nonce in the ServerHello handshake message, and verify that the client does not complete the handshake and no application data flows.
  - Test 5.4: Modify the server's selected cipher suite in the ServerHello handshake message to be a cipher suite not presented in the ClientHello handshake message. The evaluator shall verify that the client does not complete the handshake and no application data flows.
  - Test 5.5: [conditional] If DHE or ECDHE cipher suites are supported, modify the signature block in the server's KeyExchange handshake message, and verify that the client does not complete the handshake and no application data flows. This test does not apply to cipher suites using RSA key exchange. If a TOE only supports RSA key exchange in conjunction with TLS, then this test shall be omitted.
  - Test 5.6: Modify a byte in the Server Finished handshake message, and verify that the client does not complete the handshake and no application data flows.
  - Test 5.7: Send a message consisting of random bytes from the server after the server has issued the ChangeCipherSpec message and verify that the client does not complete the handshake and no application data flows. The message must still have a valid 5-byte record header in order to ensure the message will be parsed as TLS.
TSS
The evaluator shall ensure that the TSS describes the client's method of establishing all reference identifiers from the application-configured reference identifier, including which types of reference identifiers are supported (e.g. Common Name, DNS Name, URI Name, Service Name, or other application-specific Subject Alternative Names) and whether IP addresses and wildcards are supported. The evaluator shall ensure that this description identifies whether and the manner in which certificate pinning is supported or used by the product.
Guidance
The evaluator shall verify that the AGD guidance includes instructions for setting the reference identifier to be used for the purposes of certificate validation in TLS.
Tests
The evaluator shall configure the reference identifier according to the AGD guidance and perform the following tests during a TLS connection:
- Test 1: The evaluator shall present a server certificate that contains a CN that does not match the reference identifier and does not contain the SAN extension. The evaluator shall verify that the connection fails. Note that some systems might require the presence of the SAN extension. In this case the connection would still fail but for the reason of the missing SAN extension instead of the mismatch of CN and reference identifier. Both reasons are acceptable to pass Test 1.
- Test 2: The evaluator shall present a server certificate that contains a CN that matches the reference identifier, contains the SAN extension, but does not contain an identifier in the SAN that matches the reference identifier. The evaluator shall verify that the connection fails. The evaluator shall repeat this test for each supported SAN type.
- Test 3: [conditional] If the TOE does not mandate the presence of the SAN extension, the evaluator shall present a server certificate that contains a CN that matches the reference identifier and does not contain the SAN extension. The evaluator shall verify that the connection succeeds. If the TOE does mandate the presence of the SAN extension, this Test shall be omitted.
- Test 4: The evaluator shall present a server certificate that contains a CN that does not match the reference identifier but does contain an identifier in the SAN that matches. The evaluator shall verify that the connection succeeds.
- Test 5: The evaluator shall perform the following wildcard tests with each supported type of reference identifier. The support for wildcards is intended to be optional. If wildcards are supported, the first, second, and third tests below shall be executed. If wildcards are not supported, then the fourth test below shall be executed.
  - Test 5.1: [conditional] If wildcards are supported, the evaluator shall present a server certificate containing a wildcard that is not in the left-most label of the presented identifier (e.g. foo.*.example.com) and verify that the connection fails.
  - Test 5.2: [conditional] If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label but not preceding the public suffix (e.g. *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection succeeds. The evaluator shall configure the reference identifier without a left-most label as in the certificate (e.g. example.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.example.com) and verify that the connection fails.
  - Test 5.3: [conditional] If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label immediately preceding the public suffix (e.g. *.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.com) and verify that the connection fails.
  - Test 5.4: [conditional] If wildcards are not supported, the evaluator shall present a server certificate containing a wildcard in the left-most label (e.g. *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection fails.
- Test 6: [conditional] If URI or Service name reference identifiers are supported, the evaluator shall configure the DNS name and the service identifier. The evaluator shall present a server certificate containing the correct DNS name and service identifier in the URIName or SRVName fields of the SAN and verify that the connection succeeds. The evaluator shall repeat this test with the wrong service identifier (but correct DNS name) and verify that the connection fails.
- Test 7: [conditional] If pinned certificates are supported the evaluator shall present a certificate that does not match the pinned certificate and verify that the connection fails.
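As an added example (not code from this package), the following Python models the reference-identifier matching that Tests 1 through 5 above exercise: SAN dNSName entries take precedence over the CN, a wildcard is accepted only as the whole left-most label and matches exactly one label, and a wildcard directly in front of a public suffix is rejected. The certificate is a constructed dict, PUBLIC_SUFFIXES is a two-entry stand-in for a real Public Suffix List, and URI/SRV names and pinning (Tests 6 and 7) are not modelled.

```python
from __future__ import annotations

# Added example, not code from the TLS package. Models RFC 6125 Section 6 DNS-ID
# matching as exercised by the FCS_TLSC_EXT.1.2 tests. The certificate is a
# constructed dict {"cn": str, "san_dns": [str, ...]}; URI/SRV names and
# certificate pinning (Tests 6 and 7) are out of scope here.

# Constructed stand-in for a Public Suffix List lookup; a real client would
# consult the full list (publicsuffix.org) rather than this two-entry set.
PUBLIC_SUFFIXES = {("com",), ("co", "uk")}


def _labels(name: str) -> tuple[str, ...]:
    """Split a DNS name into labels; matching is case-insensitive and a
    trailing dot is not significant."""
    return tuple(name.rstrip(".").lower().split("."))


def dns_id_matches(presented: str, reference: str, allow_wildcards: bool) -> bool:
    """Match one presented DNS-ID against the configured reference identifier.

    Wildcard handling follows RFC 6125 Section 6.4.3 as tested by Tests 5.1-5.4:
    - a wildcard is accepted only as the complete left-most label (Test 5.1),
    - "*" matches exactly one label, so "*.example.com" matches foo.example.com
      but neither example.com nor bar.foo.example.com (Test 5.2),
    - a wildcard directly in front of a public suffix, "*.com", never matches (Test 5.3),
    - if the client does not support wildcards at all, any wildcard fails (Test 5.4).
    """
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r                       # exact, case-insensitive comparison
    if not allow_wildcards:
        return False
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                        # wildcard is not the whole left-most label
    if p[1:] in PUBLIC_SUFFIXES:
        return False                        # would match every name under a public suffix
    return len(r) == len(p) and r[1:] == p[1:]


def verify_reference_identifier(cert: dict, reference: str, *,
                                allow_wildcards: bool = True,
                                require_san: bool = False,
                                allow_cn_fallback: bool = True) -> bool:
    """Decide whether the server certificate's identifiers match `reference`.

    The Subject Alternative Name is the preferred source (Tests 2 and 4): when
    any dNSName is present the CN is ignored entirely. The CN is consulted only
    when the SAN extension is absent, and only if CN fallback is enabled and the
    client does not mandate a SAN (Tests 1 and 3).
    """
    san_dns = cert.get("san_dns", [])
    if san_dns:
        return any(dns_id_matches(n, reference, allow_wildcards) for n in san_dns)
    if require_san or not allow_cn_fallback:
        return False                        # a missing SAN is itself a failure
    cn = cert.get("cn")
    return cn is not None and dns_id_matches(cn, reference, allow_wildcards)


if __name__ == "__main__":
    ref = "foo.example.com"
    # Test 1: CN mismatch and no SAN -> fails
    print(verify_reference_identifier({"cn": "other.example.com"}, ref))
    # Test 2: CN matches but the SAN has no matching entry -> fails
    print(verify_reference_identifier({"cn": ref, "san_dns": ["bar.example.com"]}, ref))
    # Test 4: CN mismatch but the SAN matches -> succeeds
    print(verify_reference_identifier({"cn": "other.example.com", "san_dns": [ref]}, ref))
    # Tests 5.2 and 5.3: one-label wildcard succeeds, public-suffix wildcard fails
    print(dns_id_matches("*.example.com", ref, True), dns_id_matches("*.com", "foo.com", True))
```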
TSS
If the selection for authorizing override of invalid certificates is made, then the evaluator shall ensure that the TSS includes a description of how and when user or administrator authorization is obtained. The evaluator shall also ensure that the TSS describes any mechanism for storing such authorizations, such that future presentation of such otherwise-invalid certificates permits establishment of a trusted channel without user or administrator action.
Tests
The evaluator shall demonstrate that using an invalid certificate results in the function failing as follows, unless excepted:
- Test 1: The evaluator shall demonstrate that a server using a certificate without a valid certification path results in an authentication failure. Using the administrative guidance, the evaluator shall then load the trusted CA certificate(s) needed to validate the server's certificate, and demonstrate that the connection succeeds. The evaluator then shall delete one of the CA certificates, and show that the connection fails.
- Test 2: The evaluator shall demonstrate that a server using a certificate which has been revoked results in an authentication failure.
- Test 3: The evaluator shall demonstrate that a server using a certificate which has passed its expiration date results in an authentication failure.
- Test 4: The evaluator shall demonstrate that a server using a certificate which does not have a valid identifier results in an authentication failure.
FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication

This is a selection-based component. Its inclusion depends upon selection from FCS_TLSC_EXT.1.1.

FCS_TLSC_EXT.2.1
The product shall support mutual authentication using X.509v3 certificates.

Application Note: The use of X.509v3 certificates for TLS is addressed in FIA_X509_EXT.2.1. This requirement adds that a client must be capable of presenting a certificate to a TLS server for TLS mutual authentication. Presenting a certificate is not mandatory in all circumstances: it may depend on the configuration of the client or other factors.

Evaluation Activities

FCS_TLSC_EXT.2:
TSS
The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication. The evaluator shall also ensure that the TSS describes any factors beyond configuration that are necessary in order for the client to engage in mutual authentication using X.509v3 certificates.
Guidance
The evaluator shall ensure that the AGD guidance includes any instructions necessary to configure the TOE to perform mutual authentication. The evaluator also shall verify that the AGD guidance required per FIA_X509_EXT.2.1 includes instructions for configuring the client-side certificates for TLS mutual authentication.
Tests
The evaluator shall also perform the following tests:
- Test 1: The evaluator shall establish a connection to a server that is not configured for mutual authentication (i.e. does not send Server's Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE did not send Client's Certificate message (type 11) during handshake.
- Test 2: The evaluator shall establish a connection to a server with a shared trusted root that is configured for mutual authentication (i.e. it sends Server's Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE responds with a non-empty Client's Certificate message (type 11) and CertificateVerify (type 15) message.
FCS_TLSC_EXT.3 TLS Client Support for Signature Algorithms Extension

This is an objective component.

FCS_TLSC_EXT.3.1
The product shall present the signature_algorithms extension in the ClientHello with the supported_signature_algorithms value containing the following hash algorithms: [selection: SHA256, SHA384, SHA512] and no other hash algorithms.

Application Note: This requirement limits the hashing algorithms supported for the purpose of digital signature verification by the client and limits the server to the supported hashes for the purpose of digital signature generation by the server. The signature_algorithms extension is only supported by TLS 1.2.

Evaluation Activities

FCS_TLSC_EXT.3:
TSS
The evaluator shall verify that the TSS describes the signature_algorithms extension and whether the required behavior is performed by default or may be configured.
Guidance
If the TSS indicates that the signature_algorithms extension must be configured to meet the requirement, the evaluator shall verify that the AGD guidance includes configuration of the signature_algorithms extension.
Tests
The evaluator shall also perform the following tests:
- Test 1: The evaluator shall configure the server to send a certificate in the TLS connection that is not supported according to the Client's HashAlgorithm enumeration within the signature_algorithms extension (for example, send a certificate with a SHA-1 signature). The evaluator shall verify that the product disconnects after receiving the server's Certificate handshake message.
- Test 2: [conditional] If the client supports a DHE or ECDHE cipher suite, the evaluator shall configure the server to send a KeyExchange handshake message including a signature not supported according to the client's HashAlgorithm enumeration (for example, the server signed the KeyExchange parameters using a SHA-1 signature). The evaluator shall verify that the product disconnects after receiving the server's KeyExchange handshake message.
FCS_TLSC_EXT.4 TLS Client Support for Renegotiation

This is a selection-based component. Its inclusion depends upon selection from FCS_TLS_EXT.1.1.

FCS_TLSC_EXT.4.1
The product shall support secure renegotiation through use of the "renegotiation_info" TLS extension in accordance with RFC 5746.

Application Note: RFC 5746 defines an extension to TLS that binds renegotiation handshakes to the cryptography in the original handshake.

Per RFC 5746, the client may present either the "renegotiation_info" extension or the signaling cipher suite value TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the initial ClientHello message to indicate support for renegotiation. (A signaling cipher suite value (SCSV) is presented as a cipher suite, but its only purpose is to provide other information and not to advertise support for a cipher suite.) The TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value exists as an alternative to presenting the "renegotiation_info" extension so that TLS server implementations that immediately terminate the connection when they encounter any extension they do not understand can still proceed with a connection. The client may still choose to reject the connection later, if it insists upon renegotiation support and the server does not support it. In any case, RFC 5746 states that during any renegotiation the "renegotiation_info" extension must be presented by the peer initiating renegotiation, and so the client must support use of this extension.

Evaluation Activities

FCS_TLSC_EXT.4:
Tests
The evaluator shall perform the following tests:
- Test 1: The evaluator shall use a network packet analyzer/sniffer to capture the traffic between the two TLS endpoints. The evaluator shall verify that either the "renegotiation_info" field or the SCSV cipher suite is included in the ClientHello message during the initial handshake.
- Test 2: The evaluator shall verify the Client's handling of ServerHello messages received during the initial handshake that include the "renegotiation_info" extension. The evaluator shall modify the length portion of this field in the ServerHello message to be non-zero and verify that the client sends a failure and terminates the connection. The evaluator shall verify that a properly formatted field results in a successful TLS connection.
- Test 3: The evaluator shall verify that ServerHello messages received during secure renegotiation contain the "renegotiation_info" extension. The evaluator shall modify either the "client_verify_data" or "server_verify_data" value and verify that the client terminates the connection.
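The ServerHello checks behind Tests 4, 5.1, 5.2 and 5.4 of FCS_TLSC_EXT.1 and Test 2 of FCS_TLSC_EXT.4, as an added Python example that is not code from this package: it parses a single TLS record carrying a ServerHello (RFC 5246 Section 7.4.1.3), then rejects a selected version the client does not support, a cipher suite that was not offered (including TLS_NULL_WITH_NULL_NULL), and a renegotiation_info extension whose renegotiated_connection length is non-zero in the initial handshake (RFC 5746). build_server_hello only constructs fixture records for the check; it is not a server.

```python
from __future__ import annotations
import os
import struct
from dataclasses import dataclass, field

# Added example, not code from the TLS package: the client-side ServerHello checks
# behind FCS_TLSC_EXT.1 Tests 4, 5.1, 5.2, 5.4 and FCS_TLSC_EXT.4 Test 2.
HANDSHAKE, SERVER_HELLO = 0x16, 0x02
TLS_NULL_WITH_NULL_NULL = 0x0000
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C
EXT_RENEGOTIATION_INFO = 0xFF01          # extension type assigned by RFC 5746

class HelloRejected(Exception):
    """The client sends a fatal alert here; the handshake does not complete."""

@dataclass
class ServerHello:
    version: int
    random: bytes
    session_id: bytes
    cipher_suite: int
    compression: int
    extensions: dict[int, bytes] = field(default_factory=dict)

def parse_server_hello(record: bytes) -> ServerHello:
    """Parse one TLS record carrying exactly one ServerHello, checking every length."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise HelloRejected("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])        # 5-byte record header
    body = record[5:]
    if len(body) != rec_len or rec_len < 4 or body[0] != SERVER_HELLO:
        raise HelloRejected("malformed handshake header")
    msg = body[4:]
    if len(msg) != int.from_bytes(body[1:4], "big") or len(msg) < 38:
        raise HelloRejected("handshake length mismatch")
    (version,) = struct.unpack("!H", msg[:2])
    random, sid_len = msg[2:34], msg[34]
    pos = 35 + sid_len
    if len(msg) < pos + 3:
        raise HelloRejected("truncated ServerHello")
    session_id = msg[35:pos]
    (cipher_suite,) = struct.unpack("!H", msg[pos:pos + 2])
    compression, pos = msg[pos + 2], pos + 3
    extensions: dict[int, bytes] = {}
    if pos < len(msg):                                     # extensions block is optional
        if len(msg) < pos + 2:
            raise HelloRejected("truncated extensions length")
        (ext_len,) = struct.unpack("!H", msg[pos:pos + 2])
        pos += 2
        if pos + ext_len != len(msg):
            raise HelloRejected("extensions length does not match message")
        while pos < len(msg):
            if len(msg) - pos < 4:
                raise HelloRejected("truncated extension header")
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            if pos + elen > len(msg) or etype in extensions:
                raise HelloRejected("bad extension length or duplicate extension")
            extensions[etype] = msg[pos:pos + elen]
            pos += elen
    return ServerHello(version, random, session_id, cipher_suite, compression, extensions)

def check_server_hello(record: bytes, offered: list[int], supported: set[int]) -> ServerHello:
    """Apply the client's acceptance rules; raise HelloRejected on any violation."""
    sh = parse_server_hello(record)
    if sh.version not in supported:
        # Test 5.1 (undefined 0x0306) and Test 5.2 (unsupported 0x0302) both land here.
        raise HelloRejected(f"server selected version 0x{sh.version:04x}")
    if sh.cipher_suite == TLS_NULL_WITH_NULL_NULL:
        raise HelloRejected("TLS_NULL_WITH_NULL_NULL selected")                  # Test 4
    if sh.cipher_suite not in offered:
        raise HelloRejected(f"suite 0x{sh.cipher_suite:04x} was not offered")   # Test 5.4
    ri = sh.extensions.get(EXT_RENEGOTIATION_INFO)
    if ri is not None and ri != b"\x00":
        # Initial handshake: renegotiated_connection must be the empty vector, i.e.
        # a single zero length byte (RFC 5746 Section 3.4); FCS_TLSC_EXT.4 Test 2.
        raise HelloRejected("renegotiation_info not empty in initial handshake")
    return sh

def build_server_hello(version: int, cipher_suite: int,
                       extensions: dict[int, bytes] | None = None) -> bytes:
    """Construct a ServerHello record as a test fixture (constructed data, not a server)."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in (extensions or {}).items())
    hello = struct.pack("!H", version) + os.urandom(32) + b"\x00"   # empty session_id
    hello += struct.pack("!HB", cipher_suite, 0)                      # null compression
    if extensions is not None:
        hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(hs)) + hs

def verdict(record: bytes, offered: list[int], supported: set[int]) -> str:
    """'accepted' or 'rejected: <reason>' for one record, e.g. for a test log."""
    try:
        check_server_hello(record, offered, supported)
        return "accepted"
    except HelloRejected as exc:
        return f"rejected: {exc}"
```

Tests 5.3, 5.5 and 5.6 concern later handshake messages (nonce, KeyExchange signature, Finished) and are not covered by this ServerHello-only check.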
FCS_TLSC_EXT.5 TLS Client Support for Supported Groups Extension

This is a selection-based component. Its inclusion depends upon selection from FCS_TLSC_EXT.1.1, FCS_DTLSC_EXT.1.1.

FCS_TLSC_EXT.5.1
The product shall present the Supported Groups Extension in the ClientHello with the supported groups [selection: secp256r1, secp384r1, secp521r1, ffdhe2048(256), ffdhe3072(257), ffdhe4096(258), ffdhe6144(259), ffdhe8192(260)].

Application Note: If an elliptic curve or Diffie-Hellman cipher suite is selected in FCS_TLSC_EXT.1.1 or FCS_DTLSC_EXT.1.1, then FCS_TLSC_EXT.5 shall be included in the ST. This requirement does not limit the elliptic curves the client may propose for authentication and key agreement. The Supported Groups Extension was previously referred to as the Supported Elliptic Curves Extension and is described in RFC 7919.

Evaluation Activities

FCS_TLSC_EXT.5:
TSS
The evaluator shall verify that the TSS describes the Supported Groups Extension.
Tests
The evaluator shall also perform the following test:
- Test 1: The evaluator shall configure a server to perform key exchange using each of the TOE's supported curves and/or groups. The evaluator shall verify that the TOE successfully connects to the server.
FCS_TLSS_EXT.1 TLS Server Protocol

This is a selection-based component. Its inclusion depends upon selection from FCS_TLS_EXT.1.1.

FCS_TLSS_EXT.1.1
The product shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.1 (RFC 4346), no earlier TLS versions] as a server that supports the cipher suites [selection:
- TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
- TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
- TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
] and no other cipher suites, and also supports functionality for [selection: mutual authentication, session renegotiation, none].

Application Note: The ST author should select the cipher suites that are supported, and must select at least one cipher suite. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment. If administrative steps need to be taken so that the cipher suites negotiated by the implementation are limited to those in this requirement, then the appropriate instructions need to be contained in the guidance. GCM cipher suites are preferred over CBC cipher suites, ECDHE preferred over RSA and DHE, and SHA256 or SHA384 over SHA.

TLS_RSA_WITH_AES_128_CBC_SHA is not required despite being mandated by RFC 5246.

These requirements will be revisited as new TLS versions are standardized by the IETF.

If mutual authentication is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.

If session renegotiation is selected, then the ST must additionally include the requirements from FCS_TLSS_EXT.4. If the TOE implements session renegotiation, this selection must be made.
FCS_TLSS_EXT.1.2 The product shall deny connections from clients requesting SSL 2.0, SSL 3.0, TLS 1.0 and [selection: TLS 1.1, none].
Application Note: All SSL versions are denied. Any TLS version not selected in FCS_TLSS_EXT.1.1 should be selected here.
FCS_TLSS_EXT.1.3 The product shall perform key establishment for TLS using [selection:
RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes],
Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other sizes],
Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups],
ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves,
no other key establishment methods
].
Application Note: If the ST lists an RSA ciphersuite in FCS_TLSS_EXT.1.1, the ST must include the RSA selection in the requirement.
If the ST lists a DHE ciphersuite in FCS_TLSS_EXT.1.1, the ST must include either the Diffie-Hellman selection for parameters of a certain size, or for particular Diffie-Hellman groups. The selection for "Diffie-Hellman parameters" refers to the method defined by RFC 5246 (and RFC 4346) Section 7.4.3, where the server provides its Diffie-Hellman parameters (p, g, Ys) to the client in the ServerKeyExchange message. The Supported Groups extension defined in RFC 7919 identifies particular Diffie-Hellman groups, which are listed in the following selection. Regarding this distinction, it is acceptable to use Diffie-Hellman group 14 (the 2048-bit MODP group of RFC 3526) with TLS: there is currently no ability to negotiate group 14 using the Supported Groups extension, but it can be used with the "Diffie-Hellman parameters" selection. As in RFC 7919, the terms "DHE" and "FFDHE" are both used to refer to the finite-field-based Diffie-Hellman ephemeral key exchange mechanism, distinct from elliptic-curve-based Diffie-Hellman ephemeral key exchange (ECDHE).
If the ST lists an ECDHE ciphersuite in FCS_TLSS_EXT.1.1, the ST must include the selection for ECDHE using elliptic curves in the requirement.
Evaluation Activities
FCS_TLSS_EXT.1:
TSS: The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure that the ciphersuites specified include those listed for this component.
Guidance: The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS.
Tests: The evaluator shall also perform the following tests:
Test 1: The evaluator shall establish a TLS connection using each of the ciphersuites specified by the requirement. This connection may be established as part of the establishment of a higher-level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a ciphersuite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the ciphersuite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).
Test 2: The evaluator shall send a ClientHello to the server with a list of ciphersuites that does not contain any of the ciphersuites in the server's ST and verify that the server denies the connection. Additionally, the evaluator shall send a ClientHello to the server containing only the TLS_NULL_WITH_NULL_NULL ciphersuite and verify that the server denies the connection.
Test 3: If RSA key exchange is used in one of the selected ciphersuites, the evaluator shall use a client to send a properly constructed ClientKeyExchange message with a modified EncryptedPreMasterSecret field during the TLS handshake. The evaluator shall verify that the handshake is not completed successfully and no application data flows.
Test 4: The evaluator shall perform the following modifications to the traffic:
Test 4.1: Change the TLS version proposed by the client in the ClientHello to a non-supported TLS version (for example 1.3, represented by the two bytes 03 04) and verify that the server rejects the connection. Note that a server following RFC 5246 Appendix E.1 to the letter answers a client_version higher than it supports by negotiating its own highest version rather than rejecting; the TSS should state which of the two behaviours the TOE exhibits so that the observed result can be judged against it.
Test 4.2: Modify a byte in the data of the client's Finished handshake message, and verify that the server rejects the connection and does not send any application data.
Test 4.3: Demonstrate that the TOE will not resume a session for which the client failed to complete the handshake (independent of TOE support for session resumption): generate a fatal alert by sending a Finished message from the client before the client sends a ChangeCipherSpec message, then send a ClientHello with the session identifier from the previous incomplete session, and verify that the server does not resume the session.
Test 4.4: Send a message consisting of random bytes from the client after the client has issued the ChangeCipherSpec message and verify that the server denies the connection.
FCS_TLSS_EXT.1.2:
TSS: The evaluator shall verify that the TSS contains a description of the denial of old SSL and TLS versions consistent with the selections in FCS_TLSS_EXT.1.2.
Guidance: The evaluator shall verify that the AGD guidance includes any configuration necessary to meet this requirement.
Tests:
Test 1: The evaluator shall send a ClientHello requesting a connection with version SSL 2.0 and verify that the server denies the connection. The evaluator shall repeat this test with SSL 3.0 and TLS 1.0, and with TLS 1.1 if it is selected.
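The ClientHello probes in FCS_TLSS_EXT.1.1 Test 2 and Test 4.1 and the version probes in FCS_TLSS_EXT.1.2 Test 1 reduce to a little wire format plus a server-side acceptance policy. The Python below is an added example, not code from this package or from any TOE: it builds a bare TLS 1.2 ClientHello (RFC 5246 Section 7.4.1.2), parses one back, recognises an SSL 2.0-framed hello, and applies the deny/accept rules these elements require. The allowed ciphersuite list, the server preference order, and TLS 1.2 as the only accepted version are assumptions standing in for an ST's selections.

```python
"""Added example: TLS 1.2 ClientHello probes and the server-side acceptance
policy described by FCS_TLSS_EXT.1.1 / FCS_TLSS_EXT.1.2. Wire formats follow
RFC 5246; the configuration values below are assumptions, not any TOE's."""
import os
import struct

# IANA ciphersuite code points (RFC 5246, RFC 5288, RFC 5289)
TLS_NULL_WITH_NULL_NULL = 0x0000
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 = 0x0300, 0x0301, 0x0302, 0x0303, 0x0304

# Assumed evaluated configuration: GCM/ECDHE first, as the application note prefers.
SERVER_PREFERENCE = [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384]
ALLOWED_SUITES = set(SERVER_PREFERENCE)
ACCEPTED_VERSIONS = {TLS_1_2}   # "TLS 1.1" selected in FCS_TLSS_EXT.1.2, so 1.1 is denied too


def build_client_hello(version, suites, random=None, session_id=b""):
    """TLS record carrying a ClientHello (RFC 5246 s7.4.1.2) with no extensions."""
    random = random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                    # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    # The record-layer version is advisory; TLS 1.0 is what most stacks put there.
    return b"\x16" + struct.pack("!HH", TLS_1_0, len(handshake)) + handshake


def parse_client_hello(record):
    """Inverse of build_client_hello: returns (client_version, [ciphersuites])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]                       # 5-byte record header + 4-byte handshake header
    client_version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                      # after client_version(2) + random(32)
    off = 35 + sid_len
    suites_len = struct.unpack("!H", body[off:off + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off + 2, off + 2 + suites_len, 2)]
    return client_version, suites


def is_sslv2_client_hello(data):
    """SSL 2.0 CLIENT-HELLO: 2-byte record header with the high bit set, then msg type 1."""
    return len(data) >= 3 and (data[0] & 0x80) != 0 and data[2] == 0x01


def server_decision(data):
    """Return ("deny", reason) or ("accept", chosen_suite) per FCS_TLSS_EXT.1.1/.1.2.

    Suite choice follows SERVER_PREFERENCE, not the client's list order. A client_version
    above TLS 1.2 is denied here because that is what Test 4.1 expects; RFC 5246 Appendix
    E.1 would instead have the server answer with TLS 1.2, which is why the TSS must state
    which of the two the TOE does.
    """
    if is_sslv2_client_hello(data):
        return "deny", "SSL 2.0 hello"
    version, offered = parse_client_hello(data)
    if version not in ACCEPTED_VERSIONS:
        return "deny", "client_version 0x%04x not accepted" % version
    offered = set(offered)
    if offered == {TLS_NULL_WITH_NULL_NULL}:
        return "deny", "only TLS_NULL_WITH_NULL_NULL offered"
    for suite in SERVER_PREFERENCE:
        if suite in offered and suite in ALLOWED_SUITES:
            return "accept", suite
    return "deny", "no ciphersuite in common with the evaluated configuration"
```

The probe for Test 2 is build_client_hello(TLS_1_2, [TLS_RSA_WITH_AES_128_CBC_SHA]) against a configuration that does not list that suite; the probe for Test 4.1 is the same hello with TLS_1_3 as client_version. A real evaluation sends these over the wire to the TOE and watches for the alert; the server_decision function is the reference behaviour to compare against.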
FCS_TLSS_EXT.1.3:
TSS: The evaluator shall verify that the TSS describes the key agreement parameters of the server's KeyExchange message.
Guidance: The evaluator shall verify that any configuration guidance necessary to meet the requirement is contained in the AGD guidance.
Tests: The evaluator shall conduct the following tests. The testing can be carried out manually with a packet analyzer or with an automated framework that similarly captures such empirical evidence. Note that this testing can be accomplished in conjunction with other testing activities. For each of the following tests, determining that the size matches the expected size is sufficient.
Test 1: [conditional] If RSA-based key establishment is selected, the evaluator shall configure the TOE with a certificate containing a supported RSA size and attempt a connection. The evaluator shall verify that the size used matches that which is configured and that the connection is successfully established. The evaluator shall repeat this test for each supported size of RSA-based key establishment.
Test 2: [conditional] If finite-field (i.e. non-EC) Diffie-Hellman ciphers are selected, the evaluator shall attempt a connection using a Diffie-Hellman key exchange with a supported parameter size or supported group. The evaluator shall verify that the key agreement parameters in the KeyExchange message are the ones configured. The evaluator shall repeat this test for each supported parameter size or group.
Test 3: [conditional] If ECDHE ciphers are selected, the evaluator shall attempt a connection using an ECDHE ciphersuite with a supported curve. The evaluator shall verify that the key agreement parameters in the KeyExchange message are the ones configured. The evaluator shall repeat this test for each supported elliptic curve.
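Tests 2 and 3 above only need the parameter size or named curve read out of the ServerKeyExchange body. The Python below is an added example, not part of the package: it encodes and decodes the ServerDHParams structure of RFC 5246 Section 7.4.3 and the named_curve form of ServerECDHParams from RFC 4492 Section 5.4, then compares what was observed with the ST's selections. The 2048-bit stand-in prime is constructed for the size check only (the real ffdhe2048 prime from RFC 7919 would be used on the wire); the RSA size of Test 1 comes from the server certificate's modulus and is not parsed here.

```python
"""Added example: extract DHE parameter size / ECDHE named curve from a
ServerKeyExchange body, as FCS_TLSS_EXT.1.3 Tests 2 and 3 require."""
import struct

# NamedCurve code points (RFC 4492 / RFC 8422) for the curves selectable in the SFR
NAMED_CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}


def stand_in_prime(bits):
    """Constructed odd value of exactly `bits` bits; only its size matters for the test."""
    return (1 << (bits - 1)) | 1


def build_dhe_params(p, g, ys):
    """ServerDHParams (RFC 5246 s7.4.3): opaque dh_p<1..2^16-1>, dh_g<...>, dh_Ys<...>."""
    out = b""
    for v in (p, g, ys):
        enc = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(enc)) + enc
    return out


def build_ecdhe_params(named_curve, point):
    """ServerECDHParams (RFC 4492 s5.4): curve_type named_curve(3), NamedCurve, ECPoint."""
    return b"\x03" + struct.pack("!H", named_curve) + bytes([len(point)]) + point


def key_agreement_parameters(body, kx):
    """Return ("DHE", p_bits) or ("ECDHE", curve_name) from a ServerKeyExchange body.

    kx is "DHE" or "ECDHE", known from the negotiated ciphersuite. The signature that
    follows the parameters is ignored: the test only needs the size or group.
    """
    if kx == "DHE":
        p_len = struct.unpack("!H", body[:2])[0]
        p = int.from_bytes(body[2:2 + p_len], "big")
        return "DHE", p.bit_length()
    if kx == "ECDHE":
        if body[0] != 3:
            raise ValueError("only named_curve (3) is acceptable; explicit curves are not")
        curve_id = struct.unpack("!H", body[1:3])[0]
        return "ECDHE", NAMED_CURVES.get(curve_id, "unknown(0x%04x)" % curve_id)
    raise ValueError("not a (EC)DHE ciphersuite")


def matches_configuration(observed, configured):
    """configured is a set such as {("DHE", 2048), ("ECDHE", "secp384r1")} from the ST."""
    return observed in configured
```

The body handed to key_agreement_parameters is the handshake message payload after the 4-byte handshake header, which is exactly what a packet analyzer's "ServerKeyExchange" dissection shows.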
FCS_TLSS_EXT.2 TLS Server Support for Mutual Authentication
This is a selection-based component. Its inclusion depends upon selection from FCS_TLSS_EXT.1.1.
FCS_TLSS_EXT.2.1 The product shall support authentication of TLS clients using X.509v3 certificates.
FCS_TLSS_EXT.2.2 The product shall not establish a trusted channel if the client certificate is invalid.
Application Note: The use of X.509v3 certificates for TLS is addressed in FIA_X509_EXT.2.1. This requirement adds that this use must include support for client-side certificates for TLS mutual authentication. Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280. Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1.
FCS_TLSS_EXT.2.3 The product shall not establish a trusted channel if the Distinguished Name (DN) or Subject Alternative Name (SAN) contained in a certificate does not match one of the expected identifiers for the client.
Application Note: The client identifier may be in the Subject field or the Subject Alternative Name extension of the certificate. The expected identifier may be configured, may be compared to the domain name, IP address, username, or email address used by the client, or may be passed to a directory server for comparison. In the latter case, the matching itself may be performed outside the TOE.
Evaluation Activities
FCS_TLSS_EXT.2:
TSS: The evaluator shall ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication.
Guidance: The evaluator shall verify that the AGD guidance required per FIA_X509_EXT.2.1 includes instructions for configuring the client-side certificates for TLS mutual authentication. The evaluator shall ensure that the AGD guidance includes instructions for configuring the server to require mutual authentication of clients using these certificates.
Tests: The evaluator shall use TLS as a function to verify that the validation rules in FIA_X509_EXT.1.1 are adhered to and shall perform the following tests. The evaluator shall apply the AGD guidance to configure the server to require TLS mutual authentication of clients for the following tests, unless overridden by instructions in the test activity:
Test 1: The evaluator shall configure the server to send a certificate request to the client. The client shall send a certificate_list structure which has a length of zero. The evaluator shall verify that the handshake is not finished successfully and no application data flows.
Test 2: The evaluator shall configure the server to send a certificate request to the client. The client shall send no client certificate message, and instead send a client key exchange message in an attempt to continue the handshake. The evaluator shall verify that the handshake is not finished successfully and no application data flows.
Test 3: The evaluator shall configure the server to send a certificate request to the client without the supported_signature_algorithm used by the client's certificate. The evaluator shall attempt a connection using the client certificate and verify that the handshake is not finished successfully and no application data flows.
Test 4: The evaluator shall demonstrate that using a certificate without a valid certification path results in the function failing. Using the administrative guidance, the evaluator shall then load a certificate or certificates needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that the function fails.
Test 5: The aim of this test is to check the response of the server when it receives a client identity certificate that is signed by an impostor CA (either Root CA or intermediate CA). To carry out this test the evaluator shall configure the client to send a client identity certificate with an issuer field that identifies a CA recognised by the TOE as a trusted CA, but where the key used for the signature on the client certificate does not in fact correspond to the CA certificate trusted by the TOE (meaning that the client certificate is invalid because its certification path does not in fact terminate in the claimed CA certificate). The evaluator shall verify that the attempted connection is denied.
Test 6: The evaluator shall configure the client to send a certificate with the Client Authentication purpose in the extendedKeyUsage field and verify that the server accepts the attempted connection. The evaluator shall repeat this test without the Client Authentication purpose and shall verify that the server denies the connection. Ideally, the two certificates should be identical except for the Client Authentication purpose.
Test 7: The evaluator shall perform the following modifications to the traffic:
a) Configure the server to require mutual authentication and then modify a byte in the client's certificate. The evaluator shall verify that the server rejects the connection.
b) Configure the server to require mutual authentication and then modify a byte in the signature block of the client's CertificateVerify handshake message. The evaluator shall verify that the server rejects the connection.
FCS_TLSS_EXT.2.3:
TSS: If the product implements mutual authentication, the evaluator shall verify that the TSS describes how the DN and SAN in the certificate are compared to the expected identifier.
Guidance: If the DN is not compared automatically to the domain name, IP address, username, or email address, the evaluator shall ensure that the AGD guidance includes configuration of the expected identifier or the directory server for the connection.
Tests:
Test 1: The evaluator shall send a client certificate with an identifier that does not match any of the expected identifiers and verify that the server denies the connection. The matching itself might be performed outside the TOE (e.g. when passing the certificate on to a directory server for comparison).
FCS_TLSS_EXT.3 TLS Server Support for Signature Algorithms Extension
This is an objective component.
FCS_TLSS_EXT.3.1 The product shall present the HashAlgorithm enumeration in supported_signature_algorithms in the CertificateRequest with the following hash algorithms: [selection: SHA256, SHA384, SHA512] and no other hash algorithms.
Application Note: This requirement limits the hashing algorithms supported for the purpose of digital signature verification by the server and limits the client to the supported hashes for the purpose of digital signature generation by the client. The supported_signature_algorithms field of the CertificateRequest exists only in TLS 1.2.
Evaluation Activities
FCS_TLSS_EXT.3:
TSS: The evaluator shall verify that the TSS describes the supported_signature_algorithms field of the CertificateRequest and whether the required behavior is performed by default or may be configured.
Guidance: If the TSS indicates that the supported_signature_algorithms field must be configured to meet the requirement, the evaluator shall verify that the AGD guidance includes configuration of the supported_signature_algorithms field.
Tests: The evaluator shall also perform the following test:
Test 1: The evaluator shall configure the server to send a supported_signature_algorithms field in the CertificateRequest message that omits the hash algorithm used by the client's certificate. The evaluator shall attempt a connection using that client certificate and verify that the server denies the client's connection.
FCS_TLSS_EXT.4 TLS Server Support for Renegotiation
This is a selection-based component. Its inclusion depends upon selection from FCS_TLSS_EXT.1.1.
FCS_TLSS_EXT.4.1 The product shall support the "renegotiation_info" TLS extension in accordance with RFC 5746.
FCS_TLSS_EXT.4.2 The product shall include the renegotiation_info extension in ServerHello messages.
Application Note: RFC 5746 defines an extension to TLS that binds renegotiation handshakes to the cryptography in the original handshake: each peer carries the verify_data of its previous Finished message in the extension, so a renegotiation can only be completed by the party that completed the earlier handshake on the same connection.
Evaluation Activities
FCS_TLSS_EXT.4:
Tests: The following tests require connection with a client that supports secure renegotiation and the "renegotiation_info" extension.
Test 1: The evaluator shall use a network packet analyzer/sniffer to capture the traffic between the two TLS endpoints. The evaluator shall verify that the "renegotiation_info" field is included in the ServerHello message.
Test 2: The evaluator shall modify the length portion of the field in the ClientHello message in the initial handshake to be non-zero and verify that the server sends a failure and terminates the connection. The evaluator shall verify that a properly formatted field results in a successful TLS connection.
Test 3: The evaluator shall modify the "client_verify_data" value in the renegotiation_info extension of the ClientHello message received during secure renegotiation and verify that the server terminates the connection. (The ClientHello carries only client_verify_data; "server_verify_data" appears together with it in the ServerHello extension, RFC 5746 Section 3.7.)
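The three tests above check exactly the state RFC 5746 Section 3.6 makes a server keep. The Python below is an added example, not code from this package or any TOE: it encodes and decodes the renegotiation_info extension and models the server-side checks for the initial handshake (the extension must carry an empty renegotiated_connection, as Test 2 probes) and for a renegotiation (the client must echo its previous verify_data, as Test 3 probes), producing the ServerHello extension that Test 1 looks for. The 12-byte verify_data values and the ciphersuite code point are constructed inputs.

```python
"""Added example: RFC 5746 renegotiation_info handling on the server side,
matching the three FCS_TLSS_EXT.4 tests. Wire format per RFC 5746 s3.2."""
import struct

RENEGOTIATION_INFO = 0xFF01              # ExtensionType renegotiation_info
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
VERIFY_DATA_LEN = 12                     # Finished.verify_data length for RFC 5246 suites


def encode_renegotiation_info(renegotiated_connection):
    """Extension { type 0xff01, length, renegotiated_connection<0..255> }."""
    data = bytes([len(renegotiated_connection)]) + renegotiated_connection
    return struct.pack("!HH", RENEGOTIATION_INFO, len(data)) + data


def decode_extensions(blob):
    """{extension_type: extension_data} from a ClientHello/ServerHello extensions block."""
    out, off = {}, 0
    while off < len(blob):
        etype, elen = struct.unpack("!HH", blob[off:off + 4])
        out[etype] = blob[off + 4:off + 4 + elen]
        off += 4 + elen
    return out


class RenegotiatingServer:
    """The per-connection state RFC 5746 s3.6 requires, and the checks on it."""

    def __init__(self):
        self.secure_renegotiation = False
        self.client_verify_data = None      # verify_data of the client's last Finished
        self.server_verify_data = None      # verify_data of the server's last Finished

    def check_client_hello(self, extensions, cipher_suites):
        """Validate the client's signal; return the ServerHello extension bytes (empty if
        the client did not signal support) or raise on an RFC 5746 violation."""
        ext = decode_extensions(extensions).get(RENEGOTIATION_INFO)
        if self.client_verify_data is None:                          # initial handshake
            if ext is not None:
                if ext != b"\x00":                                    # Test 2: length must be 0
                    raise ValueError("handshake_failure: non-empty renegotiated_connection")
                self.secure_renegotiation = True
            elif TLS_EMPTY_RENEGOTIATION_INFO_SCSV in cipher_suites:  # equivalent signal
                self.secure_renegotiation = True
            return encode_renegotiation_info(b"") if self.secure_renegotiation else b""
        # renegotiation: the client must echo its previous verify_data exactly (Test 3)
        if not self.secure_renegotiation or ext is None:
            raise ValueError("handshake_failure: renegotiation without renegotiation_info")
        if ext != bytes([VERIFY_DATA_LEN]) + self.client_verify_data:
            raise ValueError("handshake_failure: renegotiated_connection mismatch")
        # ServerHello carries client_verify_data || server_verify_data (RFC 5746 s3.7)
        return encode_renegotiation_info(self.client_verify_data + self.server_verify_data)

    def finish_handshake(self, client_verify_data, server_verify_data):
        """Called once both Finished messages verified; remembered for the next handshake."""
        self.client_verify_data = client_verify_data
        self.server_verify_data = server_verify_data
```

Because the extension data is compared as a whole, a modified length byte and a modified verify_data byte both fail the same comparison, which is what the two traffic modifications in Tests 2 and 3 exercise.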
FCS_DTLSC_EXT.1 DTLS Client Protocol
This is a selection-based component. Its inclusion depends upon selection from FCS_TLSC_EXT.1.1.
FCS_DTLSC_EXT.1.1 The product shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.0 (RFC 4347), no earlier DTLS versions] as a client that supports the ciphersuites [selection:
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
] and also supports functionality for [selection: mutual authentication, none].
Application Note: If any ECDHE or DHE ciphersuites are selected, then FCS_TLSC_EXT.5 is required.
If mutual authentication is selected, then the ST must additionally include the requirements from FCS_DTLSC_EXT.2. If the TOE implements mutual authentication, this selection must be made.
Differences between DTLS 1.2 and TLS 1.2 are outlined in RFC 6347; otherwise the protocols are the same. All application notes listed for FCS_TLSC_EXT.1.1 that are relevant to DTLS apply to this requirement.
FCS_DTLSC_EXT.1.2 The product shall verify that the presented identifier matches the reference identifier according to RFC 6125.
Application Note: All application notes listed for FCS_TLSC_EXT.1.2 that are relevant to DTLS apply to this requirement.
FCS_DTLSC_EXT.1.3 The product shall not establish a trusted channel if the server certificate is invalid [selection: with no exceptions, except when override is authorized].
Application Note: All application notes listed for FCS_TLSC_EXT.1.3 that are relevant to DTLS apply to this requirement.
FCS_DTLSC_EXT.1.4 The product shall [selection: terminate the DTLS session, silently discard the record] if a message received contains an invalid MAC or if decryption fails in the case of GCM and other AEAD ciphersuites.
Evaluation Activities
FCS_DTLSC_EXT.1:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.1, but ensuring that DTLS (and not TLS) is used in each evaluation activity.
For tests which involve version numbers, note that in DTLS the on-the-wire representation is the 1's complement of the corresponding textual DTLS version numbers. This is described in Section 4.1 of RFC 6347 and RFC 4347. For example, DTLS 1.0 is represented by the bytes 0xfe 0xff and DTLS 1.2 by 0xfe 0xfd, while the undefined DTLS 1.4 would be represented by the bytes 0xfe 0xfb.
FCS_DTLSC_EXT.1.2:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.2.
FCS_DTLSC_EXT.1.3:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.1.3.
FCS_DTLSC_EXT.1.4:
TSS: The evaluator shall verify that the TSS describes the actions that take place if a message received from the DTLS server fails the MAC integrity check.
Tests: The evaluator shall establish a connection using a server. The evaluator will then modify at least one byte in a record message, and verify that the client discards the record or terminates the DTLS session.
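FCS_DTLSC_EXT.1.4 (and the identical server-side element FCS_DTLSS_EXT.1.5) leave the TOE a choice between two behaviours on a bad MAC, and the test only modifies one byte of a record and watches what happens. The Python below is an added example, not code from this package or any TOE: a receiver for a CBC/HMAC ciphersuite that authenticates the DTLS record the way RFC 6347 Section 4.1.2 specifies (the 64-bit epoch || sequence_number is MACed explicitly, since DTLS has no implicit sequence) and then applies either selection. Encryption of the fragment is left out so the MAC logic stays visible; the key and the record contents are constructed.

```python
"""Added example: DTLS record MAC verification with the two FCS_DTLSC_EXT.1.4 /
FCS_DTLSS_EXT.1.5 failure policies ("terminate" or "discard")."""
import hashlib
import hmac
import struct

DTLS_1_2 = b"\xfe\xfd"                # 1's complement of {1, 2}, RFC 6347 s4.1
APPLICATION_DATA = 23
MAC_LEN = 32                          # HMAC-SHA256, e.g. *_CBC_SHA256 suites


class MacFailure(Exception):
    """Raised under the "terminate the DTLS session" selection."""


class DtlsRecordReceiver:
    """Verifies received records; policy is "terminate" or "discard".

    Under "discard" a bad record is dropped and the session continues, which is
    what a datagram transport expects of a corrupted packet anyway; under
    "terminate" a fatal bad_record_mac ends the session for good.
    """

    def __init__(self, mac_key, policy):
        if policy not in ("terminate", "discard"):
            raise ValueError("policy must be 'terminate' or 'discard'")
        self.mac_key, self.policy = mac_key, policy
        self.alive = True
        self.delivered = []               # fragments handed to the application

    @staticmethod
    def mac_input(epoch, seq, ctype, version, fragment):
        """RFC 6347 s4.1.2: MAC(key, epoch || seq || type || version || length || fragment)."""
        return (struct.pack("!H", epoch) + seq.to_bytes(6, "big") + bytes([ctype])
                + version + struct.pack("!H", len(fragment)) + fragment)

    def protect(self, epoch, seq, ctype, version, fragment):
        """Sender side, used here only to build test records: fragment || MAC."""
        tag = hmac.new(self.mac_key, self.mac_input(epoch, seq, ctype, version, fragment),
                       hashlib.sha256).digest()
        return fragment + tag

    def receive(self, epoch, seq, ctype, version, protected):
        """Return the fragment if the MAC verifies, None if discarded, raise if terminated."""
        if not self.alive:
            raise MacFailure("session already terminated")
        fragment, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
        expected = hmac.new(self.mac_key, self.mac_input(epoch, seq, ctype, version, fragment),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            if self.policy == "terminate":
                self.alive = False        # fatal alert bad_record_mac would be sent here
                raise MacFailure("bad_record_mac: session terminated")
            return None                   # silently discarded; nothing reaches the application
        self.delivered.append(fragment)
        return fragment
```

Either outcome satisfies the element; what the evaluator must confirm is that the modified record never reaches the application, which is why receive returns None rather than the corrupted fragment under the discard policy.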
FCS_DTLSC_EXT.2 DTLS Client Support for Mutual Authentication
This is a selection-based component. Its inclusion depends upon selection from FCS_DTLSC_EXT.1.1.
FCS_DTLSC_EXT.2.1 The product shall support mutual authentication using X.509v3 certificates.
Application Note: All application notes listed for FCS_TLSC_EXT.2.1 that are relevant to DTLS apply to this requirement.
Evaluation Activities
FCS_DTLSC_EXT.2:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSC_EXT.2.1.
FCS_DTLSS_EXT.1 DTLS Server Protocol
This is a selection-based component. Its inclusion depends upon selection from FCS_TLS_EXT.1.1.
FCS_DTLSS_EXT.1.1 The product shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.0 (RFC 4347), no earlier DTLS versions] as a server that supports the ciphersuites [selection:
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
] and no other ciphersuites, and also supports functionality for [selection: mutual authentication, none].
Application Note: If mutual authentication is selected, then the ST must additionally include the requirements from FCS_DTLSS_EXT.2. If the TOE implements mutual authentication, this selection must be made.
All application notes listed for FCS_TLSS_EXT.1.1 that are relevant to DTLS apply to this requirement.
FCS_DTLSS_EXT.1.2 The product shall deny connections from clients requesting [assignment: list of DTLS protocol versions].
Application Note: Any specific DTLS version not selected in FCS_DTLSS_EXT.1.1 should be assigned here. This version of the package does not require the server to deny DTLS 1.0, and if the TOE supports DTLS 1.0 then "none" can be assigned. In a future version, DTLS 1.0 will be required to be denied.
FCS_DTLSS_EXT.1.3 The product shall not proceed with a connection handshake attempt if the DTLS client fails validation.
Application Note: The process to validate the IP address of a DTLS client is specified in Section 4.2.1 of RFC 6347 (DTLS 1.2) and RFC 4347 (DTLS 1.0). The server validates the DTLS client during connection establishment (handshaking) and prior to sending a ServerHello message. After receiving a ClientHello, the DTLS server sends a HelloVerifyRequest carrying a cookie. The cookie is a value computed with a keyed hash function over the client's address and ClientHello parameters (RFC 6347 suggests an HMAC under a secret held by the server, so that no per-client state needs to be kept before the client is validated). The DTLS client then sends another ClientHello with the cookie attached. If the DTLS server successfully verifies the cookie, the client is not using a spoofed IP address and the server may proceed with the handshake.
FCS_DTLSS_EXT.1.4 The product shall perform key establishment for DTLS using [selection:
RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes],
Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other sizes],
Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups],
ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves,
no other key establishment methods
].
Application Note: If the ST lists an RSA ciphersuite in FCS_DTLSS_EXT.1.1, the ST must include the RSA selection in the requirement. If the ST lists a DHE ciphersuite in FCS_DTLSS_EXT.1.1, the ST must include either the Diffie-Hellman selection for parameters of a certain size, or for particular Diffie-Hellman groups. If the ST lists an ECDHE ciphersuite in FCS_DTLSS_EXT.1.1, the ST must include the selection for ECDHE using elliptic curves in the requirement.
FCS_DTLSS_EXT.1.5 The product shall [selection: terminate the DTLS session, silently discard the record] if a message received contains an invalid MAC or if decryption fails in the case of GCM and other AEAD ciphersuites.
Evaluation Activities
FCS_DTLSS_EXT.1:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.1.1, but ensuring that DTLS (and not TLS) is used in each stage of the evaluation activities.
For tests which involve version numbers, note that in DTLS the on-the-wire representation is the 1's complement of the corresponding textual DTLS version numbers. This is described in Section 4.1 of RFC 6347 and RFC 4347. For example, DTLS 1.0 is represented by the bytes 0xfe 0xff and DTLS 1.2 by 0xfe 0xfd, while the undefined DTLS 1.4 would be represented by the bytes 0xfe 0xfb.
FCS_DTLSS_EXT.1.2: The following evaluation activities shall be conducted unless "none" is assigned.
TSS: The evaluator shall verify that the TSS contains a description of the denial of old DTLS versions consistent with the selections in FCS_DTLSS_EXT.1.2.
Guidance: The evaluator shall verify that the AGD guidance includes any configuration necessary to meet this requirement.
Tests:
Test 1: The evaluator shall send a ClientHello requesting a connection with each version of DTLS specified in the assignment and verify that the server denies the connection.
FCS_DTLSS_EXT.1.3:
TSS: The evaluator shall verify that the TSS describes how the DTLS client IP address is validated prior to issuing a ServerHello message.
Tests: Modify at least one byte in the cookie from the server's HelloVerifyRequest message, and verify that the server rejects the client's handshake message.
FCS_DTLSS_EXT.1.4:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.1.3.
FCS_DTLSS_EXT.1.5:
TSS: The evaluator shall verify that the TSS describes the actions that take place if a message received from the DTLS client fails the MAC integrity check.
Tests: The evaluator shall establish a connection using a client. The evaluator will then modify at least one byte in a record message, and verify that the server discards the record or terminates the DTLS session.
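The cookie exchange described in the FCS_DTLSS_EXT.1.3 application note, the cookie-tampering test for it, and the 1's-complement version encoding noted above fit in one small model. The Python below is an added example, not code from this package or any TOE: it computes the DTLS wire version bytes, generates a stateless HelloVerifyRequest cookie as an HMAC over the client's address and ClientHello parameters in the manner RFC 6347 Section 4.2.1 recommends, and verifies the cookie on the second ClientHello. The server secret, client address, and hello parameters are constructed; the exact set of fields covered by the HMAC is the server's own choice and is an assumption here.

```python
"""Added example: DTLS version bytes and the RFC 6347 s4.2.1 stateless cookie
exchange that FCS_DTLSS_EXT.1.3 requires before a ServerHello is sent."""
import hashlib
import hmac
import os
import struct


def dtls_version_bytes(major, minor):
    """DTLS puts the 1's complement of {major, minor} on the wire (RFC 6347 s4.1)."""
    return bytes([(~major) & 0xFF, (~minor) & 0xFF])


DTLS_1_0 = dtls_version_bytes(1, 0)   # fe ff
DTLS_1_2 = dtls_version_bytes(1, 2)   # fe fd


def _hello_fields(client_addr, version, random, session_id, cipher_suites, compression):
    """Bytes bound into the cookie: client IP/port plus the ClientHello parameters."""
    return (client_addr[0].encode() + struct.pack("!H", client_addr[1]) + version + random
            + session_id + b"".join(struct.pack("!H", s) for s in cipher_suites) + compression)


class DtlsServer:
    """Cookie generation/verification with no per-client state before validation.

    The cookie is HMAC(secret, client address || ClientHello parameters), so a server
    can recompute it from the second ClientHello alone and a peer that cannot receive
    at the claimed source address never obtains a valid cookie.
    """

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)   # assumed server-held secret, rotated periodically

    def _cookie(self, client_addr, hello):
        return hmac.new(self.secret, _hello_fields(client_addr, **hello), hashlib.sha256).digest()

    def hello_verify_request(self, client_addr, hello):
        """Reply to a cookie-less ClientHello: server_version, cookie length, cookie.

        RFC 6347 s4.2.1 has the server use DTLS 1.0 as server_version here regardless of
        the version it will negotiate, to avoid version negotiation in the first flight.
        """
        cookie = self._cookie(client_addr, hello)
        return DTLS_1_0 + bytes([len(cookie)]) + cookie

    def accept_client_hello(self, client_addr, hello, cookie):
        """True iff the returned cookie is valid for this address and hello; the handshake
        must not proceed (no ServerHello) when this returns False."""
        if not cookie:
            return False
        return hmac.compare_digest(cookie, self._cookie(client_addr, hello))
```

The FCS_DTLSS_EXT.1.3 test corresponds to flipping one byte of the cookie before it is returned: accept_client_hello recomputes the HMAC and the comparison fails, so no ServerHello is issued.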
FCS_DTLSS_EXT.2 DTLS Server Support for Mutual Authentication
This is a selection-based component. Its inclusion depends upon selection from FCS_DTLSS_EXT.1.1.
FCS_DTLSS_EXT.2.1 The product shall support mutual authentication of DTLS clients using X.509v3 certificates.
Application Note: All application notes listed for FCS_TLSS_EXT.2.1 that are relevant to DTLS apply to this requirement.
FCS_DTLSS_EXT.2.2 The product shall not establish a trusted channel if the client certificate is invalid.
Application Note: All application notes listed for FCS_TLSS_EXT.2.2 that are relevant to DTLS apply to this requirement.
FCS_DTLSS_EXT.2.3 The product shall not establish a trusted channel if the Distinguished Name (DN) or Subject Alternative Name (SAN) contained in a certificate does not match one of the expected identifiers for the client.
Application Note: All application notes listed for FCS_TLSS_EXT.2.3 that are relevant to DTLS apply to this requirement.
Evaluation Activities
FCS_DTLSS_EXT.2:
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.2.1.
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.2.2.
Tests: The evaluator shall perform the evaluation activities listed for FCS_TLSS_EXT.2.3.
Appendix A - Implementation-Dependent Requirements
Implementation-dependent requirements are dependent on the TOE implementing a particular function. If the TOE fulfills any of these requirements, the vendor must either add the related SFR or disable the functionality for the evaluated configuration.
Appendix B - References
Identifier  Title
[CC]  Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and General Model, CCMB-2017-04-001, Version 3.1, Revision 5, April 2017. Part 2: Security Functional Components, CCMB-2017-04-002, Version 3.1, Revision 5, April 2017. Part 3: Security Assurance Components, CCMB-2017-04-003, Version 3.1, Revision 5, April 2017.
Appendix C - Acronyms
Acronym  Meaning
AES  Advanced Encryption Standard
Base-PP  Base Protection Profile
CA  Certificate Authority
CBC  Cipher Block Chaining
CC  Common Criteria
CEM  Common Evaluation Methodology
CN  Common Name
DHE  Diffie-Hellman Ephemeral
DN  Distinguished Name
DNS  Domain Name System
DTLS  Datagram Transport Layer Security
EAP  Extensible Authentication Protocol
ECDHE  Elliptic Curve Diffie-Hellman Ephemeral
ECDSA  Elliptic Curve Digital Signature Algorithm
GCM  Galois/Counter Mode
HTTP  Hypertext Transfer Protocol
IETF  Internet Engineering Task Force
IP  Internet Protocol
LDAP  Lightweight Directory Access Protocol
NIST  National Institute of Standards and Technology
OE  Operational Environment
PP  Protection Profile
PP-Configuration  Protection Profile Configuration
PP-Module  Protection Profile Module
RFC  Request for Comments (IETF)
RSA  Rivest Shamir Adleman
SAN  Subject Alternative Name
SAR  Security Assurance Requirement
SCSV  Signaling Cipher Suite Value
SFR  Security Functional Requirement
SHA  Secure Hash Algorithm
SIP  Session Initiation Protocol
ST  Security Target
TCP  Transmission Control Protocol
TLS  Transport Layer Security
TOE  Target of Evaluation
TSF  TOE Security Functionality
TSFI  TSF Interface
TSS  TOE Summary Specification
UDP  User Datagram Protocol
URI  Uniform Resource Identifier
URL  Uniform Resource Locator