PP-Module for Bluetooth
Version: 1.0
2021-04-15
National Information Assurance Partnership
Revision History
Version | Date | Comment
1.0 | 2021-04-15 | Initial Release
Contents
1 Introduction
1.1 Overview
1.2 Terms
1.2.1 Common Criteria Terms
1.2.2 Technical Terms
1.3 Compliant Targets of Evaluation
1.3.1 TOE Boundary
1.4 Use Cases
2 Conformance Claims
3 Security Problem Description
3.1 Threats
3.2 Assumptions
3.3 Organizational Security Policies
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
4.3 Security Objectives Rationale
5 Security Requirements
5.1 Mobile Devices PP Security Functional Requirements Direction
5.1.1 Modified SFRs
5.1.1.1 Security Management (FMT)
5.1.2 Additional SFRs
5.1.2.1 Security Management (FMT)
5.2 General Purpose Operating Systems PP Security Functional Requirements Direction
5.2.1 Modified SFRs
5.2.1.1 Security Management (FMT)
5.2.2 Additional SFRs
5.2.2.1 Security Management (FMT)
5.3 TOE Security Functional Requirements
5.3.1 Security Audit (FAU)
5.3.2 Cryptographic Support (FCS)
5.3.3 Identification and Authentication (FIA)
5.3.4 Trusted Path/Channels (FTP)
5.4 TOE Security Functional Requirements Rationale
5.5 TOE Security Assurance Requirements
6 Consistency Rationale
6.1 Protection Profile for Mobile Devices
6.1.1 Consistency of TOE Type
6.1.2 Consistency of Security Problem Definition
6.1.3 Consistency of Objectives
6.1.4 Consistency of Requirements
6.2 Protection Profile for General Purpose Operating Systems
6.2.1 Consistency of TOE Type
6.2.2 Consistency of Security Problem Definition
6.2.3 Consistency of Objectives
6.2.4 Consistency of Requirements
Appendix A - Optional SFRs
A.1 Strictly Optional Requirements
A.2 Objective Requirements
A.2.1 Identification and Authentication
A.3 Implementation-based Requirements
Appendix B - Selection-based Requirements
B.1 Trusted Path/Channels
Appendix C - Extended Component Definitions
C.1 Extended Components Table
C.2 Extended Component Definitions
C.2.1 Cryptographic Support (FCS)
C.2.1.1 FCS_CKM_EXT Cryptographic Key Management
C.2.2 Identification and Authentication (FIA)
C.2.2.1 FIA_BLT_EXT Bluetooth Pairing
C.2.3 Trusted Path/Channels (FTP)
C.2.3.1 FTP_BLT_EXT Bluetooth Trusted Communications
Appendix D - Implicitly Satisfied Requirements
Appendix E - Entropy Documentation and Assessment
Appendix F - Acronyms
Appendix G - Bibliography
1 Introduction
1.1 Overview
The scope of the Bluetooth PP-Module is to describe the security functionality of Bluetooth technology in terms of [CC] and to define functional and assurance requirements for the Bluetooth capability of mobile devices and operating systems. Bluetooth is a communications standard for short-range wireless transmissions. Bluetooth is implemented in many commercial devices as a method for wirelessly connecting devices or accessories. This PP-Module is intended for use with the following Base-PPs:
- General Purpose Operating System (GPOS) Protection Profile, Version 4.2.1
- Mobile Device Fundamentals (MDF) Protection Profile, Version 3.2
These Base-PPs are valid because consumer-grade desktop and mobile devices may both have Bluetooth hardware radios and so both desktop and mobile operating systems have the software/firmware capability to allow products to use them.
1.2 Terms
The following sections list Common Criteria and technology terms used in this document.
1.2.1 Common Criteria Terms
Assurance: Grounds for confidence that a TOE meets the SFRs [CC].
Base Protection Profile (Base-PP): Protection Profile used as a basis to build a PP-Configuration.
Collaborative Protection Profile (cPP): A Protection Profile developed by international technical communities and approved by multiple schemes.
Common Criteria (CC): Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).
Common Criteria Testing Laboratory: Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility, accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.
Common Evaluation Methodology (CEM): Common Evaluation Methodology for Information Technology Security Evaluation.
Distributed TOE: A TOE composed of multiple components operating as a logical whole.
Extended Package (EP): A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages.
Functional Package (FP): A document that collects SFRs for a particular protocol, technology, or functionality.
Operational Environment (OE): Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.
Protection Profile (PP): An implementation-independent set of security requirements for a category of products.
Protection Profile Configuration (PP-Configuration): A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.
Protection Profile Module (PP-Module): An implementation-independent statement of security needs for a TOE type complementary to one or more Base Protection Profiles.
Security Assurance Requirement (SAR): A requirement to assure the security of the TOE.
Security Functional Requirement (SFR): A requirement for security enforcement by the TOE.
Security Target (ST): A set of implementation-dependent security requirements for a specific product.
Target of Evaluation (TOE): The product under evaluation.
TOE Security Functionality (TSF): The security functionality of the product under evaluation.
TOE Summary Specification (TSS): A description of how a TOE satisfies the SFRs in an ST.
1.2.2 Technical Terms
Authentication: Verifying the identity of communicating devices based on their Bluetooth address. Bluetooth does not provide native user authentication.
Authorization: Allowing the control of resources by ensuring that a device is authorized to use a service before permitting it to do so.
BD_ADDR: The Bluetooth device Address, which is used to identify a Bluetooth device.
BR/EDR: Bluetooth basic rate (BR) and enhanced data rate (EDR).
BR/EDR Controller: A term referring to the Bluetooth Radio, Baseband, Link Manager, and HCI layers.
BR/EDR Piconet Physical Channel: A Channel that is divided into time slots in which each slot is related to an RF hop frequency. Consecutive hops normally correspond to different RF hop frequencies and occur at a standard hop rate of 1600 hops per second. These consecutive hops follow a pseudo-random hopping sequence, hopping through a 79 RF channel set, or optionally fewer channels when Adaptive Frequency Hopping (AFH) is in use.
BR/EDR/LE: Bluetooth basic rate (BR), enhanced data rate (EDR) and low energy (LE).
Bluetooth: A wireless communication link operating in the unlicensed ISM band at 2.4 GHz using a frequency hopping transceiver. It allows real-time AV and data communications between Bluetooth Hosts. The link protocol is based on time slots.
Bluetooth Baseband: The part of the Bluetooth system that specifies or implements the medium access and physical layer procedures to support the exchange of real-time voice, data information streams, and ad hoc networking between Bluetooth devices.
Bluetooth Controller: A generic term referring to a Primary Controller with or without a Secondary Controller.
Bluetooth Device: A device that is capable of short-range wireless communications using the Bluetooth system.
Bluetooth Device Address: A 48 bit address used to identify each Bluetooth device.
Connect (to service): The establishment of a connection to a service. If not already done, this also includes establishment of a physical link, logical transport, logical link and L2CAP channel.
Connectable device: A BR/EDR device in range that periodically listens on its page scan physical channel and will respond to a page on that channel. An LE device that is advertising using a connectable advertising event.
Connected devices: Two BR/EDR devices with a physical link between them.
Connecting: A phase in the communication between devices when a connection between the devices is being established. The connecting phase follows after the link establishment phase is completed.
Connection: An interaction between two peer applications or higher layer protocols mapped onto an L2CAP channel.
Connection establishment: A procedure for creating a connection mapped onto a channel.
Connection event: A series of one or more pairs of interleaving data packets sent between a master and a slave on the same physical channel.
Creation of a secure connection: A procedure of establishing a connection, including authentication and encryption.
Creation of a trusted relationship: A procedure where the remote device is marked as a trusted device. This includes storing a common link key for future authentication, or pairing, when a link key is not available.
Device discovery: A procedure for retrieving the Bluetooth device address, clock, class-of-device field and used page scan mode from discoverable devices.
Discoverable Mode: A Bluetooth device that is performing inquiry scans in BR/EDR or advertising with a discoverable or connectable advertising event with a discoverable flag set in LE.
Discoverable device: A BR/EDR device in range that periodically listens on an inquiry scan physical channel and will respond to an inquiry on that channel. An LE device in range that is advertising with a connectable or scannable advertising event with a discoverable flag set in the advertising data. This device is in the discoverable mode.
Discovery procedure: A Bluetooth device that is carrying out the inquiry procedure in BR/EDR or scanning for advertisers using a discoverable or connectable advertising event with a discoverable flag set in LE.
Host: A logical entity defined as all of the layers below the non-core profiles and above the Host Controller Interface (HCI); i.e. a Bluetooth Host attached to a Bluetooth Controller may communicate with other Bluetooth Hosts attached to their Controllers as well.
L2CAP Channel: A logical connection on L2CAP level between two devices serving a single application or higher layer protocol.
L2CAP Channel establishment: A procedure for establishing a logical connection on L2CAP level.
LMP authentication: An LMP level procedure for verifying the identity of a remote device.
LMP pairing: A procedure that authenticates two devices and creates a common link key that can be used as a basis for a trusted relationship or a (single) secure connection.
Link: Shorthand for a logical link.
Link establishment: A procedure for establishing the default ACL link and hierarchy of links and channels between devices.
Link key: A secret that is known by two devices and is used to authenticate the link.
Logical Link Control and Adaptation Protocol (L2CAP): A data link protocol used in the Bluetooth protocol stack.
Logical link: The lowest architectural level used to offer independent data transport services to clients of the Bluetooth system.
Name discovery: A procedure for retrieving the user-friendly name (the Bluetooth device name) of a connectable device.
OBEX Push: A method of Bluetooth one-way file transfer that is initiated by the entity that is providing the file.
PIN: A user-friendly value that can be used to authenticate connections to a device before pairing has taken place.
Paired device: A Bluetooth device for which a link key has been created (either before connection establishment was requested or during connecting phase).
Piconet: A collection of devices occupying a shared physical channel where one of the devices is the Piconet Master and the remaining devices are connected to it.
Piconet Master: The BR/EDR device in a piconet whose Bluetooth Clock and Bluetooth Device Address are used to define the piconet physical channel characteristics.
Piconet Slave: Any BR/EDR device in a piconet that is not the Piconet Master, but is connected to the Piconet Master.
RFCOMM: A transport protocol used in the Bluetooth protocol stack that emulates RS-232 serial port connections.
Trusted Device: A device that has a fixed relationship with another device and has full access to all services.
Unknown device: A Bluetooth device for which no information (Bluetooth Device Address, link key or other) is stored.
Untrusted Device: A device that does not have an established relationship with another Bluetooth device, which results in the untrusted device receiving restricted access to services.
1.3 Compliant Targets of Evaluation
The Target of Evaluation (TOE) in this PP-Module is a product that implements Bluetooth functionality. This PP-Module describes the extended security functionality of Bluetooth in terms of CC. This PP-Module extends the Protection Profile for General Purpose Operating Systems or Mobile Device Fundamentals. A compliant TOE will meet all mandatory SFRs defined in this PP-Module in addition to the mandatory SFRs of its claimed Base-PP. For each Base-PP, this PP-Module refines several of the Base-PP's SFRs so that they can accommodate the Bluetooth functionality defined by the PP-Module. A compliant TOE will claim all selection-based SFRs from this PP-Module and its Base-PP as needed based on the relevant selections in other requirements being chosen.
Note that [MDF] evaluation activities require certain tests to be performed against all radios present on the device. When the TOE also claims conformance to a PP-Configuration that includes this PP-Module, those tests are executed against the Bluetooth radio as well. Also note that each Base-PP defines its own requirements for protection of data at rest. When the TOE also claims conformance to a PP-Configuration that includes this PP-Module, any data that is used by the TOE's Bluetooth implementation is expected to be stored using the same protection mechanisms.
1.3.1 TOE Boundary
The Bluetooth implementation is a logical component executing on an end user personal computing or mobile device. As such, the TOE must rely heavily on the TOE's operational environment (host platform, network stack, and operating system) for its execution domain and its proper usage. The TOE will rely on the IT environment to address much of the security functionality related to administrative functions. The physical boundary of the TOE includes the physical device on which it is installed, as this device will contain an internal or external Bluetooth radio that is used as the physical medium for transmitting and receiving data over the Bluetooth logical channel.
1.4 Use Cases
Requirements in this PP-Module are designed to address the security problems in at least the following use cases. These use cases are intentionally very broad, as many specific use cases exist within these larger categories.
[USE CASE 1] General-Purpose Operating System
This use case is for a Bluetooth TOE that is part of a general-purpose operating system. Specifically, the Bluetooth TOE is expected to be part of the operating system itself and not a standalone third-party application that is installed on top of it.
[USE CASE 2] Mobile Device
This use case is for a Bluetooth TOE that is part of a mobile operating system that runs on a mobile device. Specifically, the Bluetooth TOE is expected to be part of the mobile operating system itself and not a standalone third-party application that is acquired from the mobile vendor's application store.
2 Conformance Claims
Conformance Statement
This PP-Module inherits exact conformance as required from the specified Base-PP and as defined in the CC and CEM addenda for Exact Conformance, Selection-Based SFRs, and Optional SFRs (dated May 2017). The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP-Module.
- PP-Module for VPN Client, Version 2.2
- PP-Module for MDM Agent, Version 1.0
CC Conformance Claims
This PP-Module is conformant to Parts 2 (extended) and 3 (extended) of Common Criteria Version 3.1, Release 5 [CC].
Package Claims
There are no package claims for this PP-Module.
3 Security Problem Description
All threats, assumptions, organizational security policies, and/or objectives that apply to this PP-Module are inherited from the Base-PP to which the TOE also conforms. This PP-Module does not add or remove any elements to the security problem definition given in the Base-PP. The SFRs defined in this PP-Module provide additional mechanisms for mitigating the threats already defined in the Base-PPs due to the fact that including a Bluetooth implementation introduces a new external interface to the underlying general-purpose OS or mobile device platform.
3.1 Threats
This PP-Module defines no additional threats beyond those defined in the base PPs. Note however that the SFRs defined in this PP-Module will assist in the mitigation of the following threats defined in the base PPs:
T.NETWORK_EAVESDROP: See MDF PP, Section 3.1 and GPOS PP, Section 3.1.
T.NETWORK_ATTACK: See MDF PP, Section 3.1 and GPOS PP, Section 3.1.
3.2 Assumptions
This document does not define any additional assumptions.
3.3 Organizational Security Policies
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP. This document does not define any additional OSPs.
4 Security Objectives
4.1 Security Objectives for the TOE
This PP-Module defines no additional TOE security objectives beyond those defined in the base PPs. Note however that the SFRs defined in this PP-Module will assist in the achievement of the following objectives defined in the base PP:
O.PROTECTED_COMMS: See MDF PP, Section 4.1 and GPOS PP, Section 4.1.
4.2 Security Objectives for the Operational Environment
This PP-Module does not define any objectives for the Operational Environment. No environmental security objectives have been identified that are specific to Bluetooth technology. However, any environmental security objectives defined in the Base-PPs will also apply to the portion of the TOE that implements Bluetooth.
4.3 Security Objectives Rationale
This section describes how the assumptions, threats, and organizational security policies map to the security objectives.
Table 1: Security Objectives Rationale
Threat, Assumption, or OSP | Security Objectives | Rationale
T.NETWORK_EAVESDROP | O.PROTECTED_COMMS | The threat T.NETWORK_EAVESDROP is countered by O.PROTECTED_COMMS as this provides the capability to communicate using Bluetooth as a means to maintain the confidentiality of data that are transmitted outside of the TOE.
T.NETWORK_ATTACK | O.PROTECTED_COMMS | The threat T.NETWORK_ATTACK is countered by O.PROTECTED_COMMS as this provides the capability to communicate using Bluetooth as a means to maintain the confidentiality of data that are transmitted outside of the TOE.
5 Security Requirements
This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 and assurance components from Part 3 of [CC]. The following conventions are used for the completion of operations:
- Refinement operation (denoted by bold text or strikethrough text): is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.
- Selection (denoted by italicized text): is used to select one or more options provided by the [CC] in stating a requirement.
- Assignment operation (denoted by italicized text): is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
- Iteration operation: is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."
5.1 Mobile Devices PP Security Functional Requirements Direction
In a PP-Configuration that includes the Mobile Devices PP, the TOE is expected to rely on some of the security functions implemented by the mobile device as a whole and evaluated against the Mobile Devices PP. The following sections describe any modifications that the ST author must make to the SFRs defined in the Mobile Devices PP in addition to what is mandated by Section 5.3 TOE Security Functional Requirements.
5.1.1 Modified SFRs
The SFRs listed in this section are defined in the Mobile Devices PP and relevant to the secure operation of the TOE.
5.1.1.1 Security Management (FMT)
FMT_SMF_EXT.1 Specification of Management Functions
FMT_SMF_EXT.1.1
This PP-Module does not modify this SFR as it is defined in the MDF PP. However, note that this PP-Module requires the list of radios specified in the assignment for management function 4 ("enable/disable [assignment: list of all radios]") to include Bluetooth radios. Bluetooth BR/EDR and Bluetooth LE will be listed separately if the TSF provides the ability to enable/disable them separately (i.e., if management function BT-3 below is claimed). Otherwise, both interfaces will be treated as one radio for that assignment.
Evaluation Activities
FMT_SMF_EXT.1
There is no change to the Base PP EAs for this SFR when this PP-Module is claimed.
5.1.2 Additional SFRs
This section defines additional SFRs that must be added to the TOE boundary in order to implement the functionality in any PP-Configuration where the Mobile Devices PP is claimed as the Base-PP.
5.1.2.1 Security Management (FMT)
FMT_SMF_EXT.1/BT Specification of Management Functions
FMT_SMF_EXT.1.1/BT
The TSF shall be capable of performing the following Bluetooth management functions:
# | Management Function | Impl. | User Only | Admin | Admin Only
BT-1 | Configure the Bluetooth trusted channel. Disable/enable the Discoverable (for BR/EDR) and Advertising (for LE) modes; | M | O | O | O
BT-2 | Change the Bluetooth device name (separately for BR/EDR and LE); | O | O | O | O
BT-3 | Provide separate controls for turning the BR/EDR and LE radios on and off; | O | O | O | O
BT-4 | Allow/disallow the following additional wireless technologies to be used with Bluetooth: [selection: Wi-Fi, NFC, [assignment: other wireless technologies]]; | O | O | O | O
BT-5 | Configure allowable methods of Out of Band pairing (for BR/EDR and LE); | O | O | O | O
BT-6 | Disable/enable the Discoverable (for BR/EDR) and Advertising (for LE) modes separately; | O | O | O | O
BT-7 | Disable/enable the Connectable mode (for BR/EDR and LE); | O | O | O | O
BT-8 | Disable/enable the Bluetooth [assignment: list of Bluetooth service and/or profiles available on the OS (for BR/EDR and LE)]; | O | O | O | O
BT-9 | Specify minimum level of security for each pairing (for BR/EDR and LE); | O | O | O | O
Application Note: As is the case with the [MDF PP], the first column lists the management function, the second column lists whether it is mandatory to implement the function and the remaining columns indicate whether it is mandatory, optional, or prohibited to implement the function by role as follows:
The third column indicates functions that are to be restricted to the user (i.e. not available to the administrator). The fourth column indicates functions that are available to the administrator. These functions can still be available to the user, as long as the function is not restricted to the administrator (column 5). The fifth column indicates whether the function is to be restricted to the administrator when the device is enrolled and the administrator applies the indicated policy (i.e., MDM administration). This does not prevent the user from modifying a setting to make the function stricter, but the user cannot undo the configuration enforced by the administrator.
For columns 2-5, an 'M' indicates that it is mandatory, an 'O' indicates that it is optional, and a '-' indicates that it is prohibited.
Function-specific Application Notes:
(BT-1) Management of the Discoverable and Advertising mode and management of the Bluetooth device name are mandatory. All other management functions for Bluetooth are currently objective.
(BT-2, optional) Requires management of the Bluetooth device name separately for BR/EDR and LE radios.
(BT-4, optional) May include disabling Wi-Fi being used as a part of Bluetooth High Speed and/or disabling NFC as an Out of Band pairing method for Bluetooth. May also include other wireless technologies beyond those already specified.
(BT-8, optional) The Bluetooth services and/or profiles that may be disabled should be listed for the user or administrator either by service and/or profile name or by the types of applications for which the service and/or profile is used.
(BT-9, optional) The minimum level of security permitted may be configurable for each individual pairing or for all Bluetooth pairings. If the TSF supports any of the BR/EDR security modes in the following list, it should provide a mechanism for the user to choose the minimum level of security to enforce for a particular device during the pairing process: Security Mode 1 (any level), Security Mode 2 (any level), Security Mode 3 (any level), Security Mode 4 Levels 0, 1, 2 (aside from the services permitted to use Mode 4, Level 0 in Bluetooth Core Specification version 4.2, Vol. 3, Part C, p. 325). If the TSF supports any of the LE security modes in the following list, it should provide a mechanism for the user to choose the minimum level of security to enforce for a particular device during the pairing process: Security Mode 1 Levels 1, 2; Security Mode 2 (any level). Examples of levels of security are the use of legacy pairing, the use of different types of Secure Simple Pairing, a requirement for Man-in-the-Middle protection, the enforcement of Secure Connections Only mode, etc.
Evaluation Activities
FMT_SMF_EXT.1/BT
TSS: The evaluator shall ensure that the TSS includes a description of the Bluetooth profiles and services supported and the Bluetooth security modes and levels supported by the TOE.
Guidance: The evaluator shall ensure that the management functions defined in the PP-Module are described in the guidance to the same extent required for the Base-PP management functions.
Tests: The evaluator shall use a Bluetooth-specific protocol analyzer to perform the following tests. The following EAs correspond to specific management functions.
Function BT-1
Tests: The evaluator shall disable the Discoverable mode and shall verify that other Bluetooth BR/EDR devices cannot detect the TOE. The evaluator shall use the protocol analyzer to verify that the TOE does not respond to inquiries from other devices searching for Bluetooth devices. The evaluator shall enable Discoverable mode and verify that other devices can detect the TOE and that the TOE sends response packets to inquiries from searching devices.
Function BT-2 [CONDITIONAL]
Tests: The evaluator shall examine Bluetooth traffic from the TOE to determine the current Bluetooth device name, change the Bluetooth device name, and verify that the Bluetooth traffic from the TOE lists the new name. The evaluator shall examine Bluetooth traffic from the TOE to determine the current Bluetooth device name for BR/EDR and LE. The evaluator shall change the Bluetooth device name for LE independently of the device name for BR/EDR. The evaluator shall verify that the Bluetooth traffic from the TOE lists the new name.
Function BT-3 [CONDITIONAL]
Tests: The evaluator shall disable Bluetooth BR/EDR and enable Bluetooth LE. The evaluator shall examine Bluetooth traffic from the TOE to confirm that only Bluetooth LE traffic is present. The evaluator shall repeat the test with Bluetooth BR/EDR enabled and Bluetooth LE disabled, confirming that only Bluetooth BR/EDR is present.
Function BT-4 [CONDITIONAL]
TSS: If function BT-4, "Allow/disallow additional wireless technologies to be used with Bluetooth," is selected, the evaluator shall verify that the TSS describes any additional wireless technologies that may be used with Bluetooth, which may include Wi-Fi with Bluetooth High Speed and/or NFC as an Out of Band pairing mechanism.
Tests (conditional): For each additional wireless technology that can be used with Bluetooth as claimed in the ST, the evaluator shall revoke Bluetooth permissions from that technology. If the set of supported wireless technologies includes Wi-Fi, the evaluator shall verify that Bluetooth High Speed is not able to send Bluetooth traffic over Wi-Fi when disabled. If the set of supported wireless technologies includes NFC, the evaluator shall verify that NFC cannot be used for pairing when disabled. For any other supported wireless technology, the evaluator shall verify that it cannot be used with Bluetooth in the specified manner when disabled. The evaluator shall then re-enable all supported wireless technologies and verify that all functionality that was previously unavailable has been restored.
Function BT-5 [CONDITIONAL]
TSS: If function BT-5, "Configure allowable methods of Out of Band pairing (for BR/EDR and LE)," is selected, the evaluator shall verify that the TSS describes when Out of Band pairing methods are allowed and which ones are configurable.
Tests (conditional): The evaluator shall attempt to pair using each of the Out of Band pairing methods, verify that the pairing method works, iteratively disable each pairing method, and verify that the pairing method fails.
Function BT-6 [CONDITIONAL]
TSS: If function BT-8, "Disable/enable the Bluetooth services and/or profiles available on the OS (for BR/EDR and LE)," is selected, the evaluator shall verify that all supported Bluetooth services are listed in the TSS as manageable and, if the TOE allows disabling by application rather than by service name, that a list of services for each application is also listed.
Tests (conditional): The evaluator shall enable Advertising for Bluetooth LE, verify that the advertisements are captured by the protocol analyzer, disable Advertising, and verify that no advertisements from the device are captured by the protocol analyzer.
Function BT-7 [CONDITIONAL]
Tests: The evaluator shall enable Connectable mode and verify that other Bluetooth devices may pair with the TOE and (if the devices were bonded) re-connect after pairing and disconnection. For BR/EDR devices: The evaluator shall use the protocol analyzer to verify that the TOE responds to pages from the other devices and permits pairing and re-connection. The evaluator shall disable Connectable mode and verify that the TOE does not respond to pages from remote Bluetooth devices, thereby not permitting pairing or re-connection. For LE: The evaluator shall use the protocol analyzer to verify that the TOE sends connectable advertising events and responds to connection requests. The evaluator shall disable Connectable mode and verify that the TOE stops sending connectable advertising events and stops responding to connection requests from remote Bluetooth devices.
Function BT-8 [CONDITIONAL]
Tests: For each supported Bluetooth service and/or profile listed in the TSS, the evaluator shall verify that the service or profile is manageable. If this is configurable by application rather than by service and/or profile name, the evaluator shall verify that a list of services and/or profiles for each application is also listed.
Function BT-9 [CONDITIONAL]
TSS: If function BT-9, "Specify minimum level of security for each pairing (for BR/EDR and LE)," is selected, the evaluator shall verify that the TSS describes the method by which the level of security for pairings is managed, including whether the setting is performed for each pairing or is a global setting.
Tests: The evaluator shall allow low security modes/levels on the TOE and shall initiate pairing with the TOE from a remote device that allows only something other than Security Mode 4/Level 3 or Security Mode 4/Level 4 (for BR/EDR), or Security Mode 1/Level 3 (for LE). (For example, a remote BR/EDR device may claim Input/Output capability "NoInputNoOutput" and state that man-in-the-middle (MiTM) protection is not required. A remote LE device may not support encryption.) The evaluator shall verify that this pairing attempt succeeds due to the TOE falling back to the low security mode/level. The evaluator shall then remove the pairing of the two devices, prohibit the use of low security modes/levels on the TOE, then attempt the connection again. The evaluator shall verify that the pairing attempt fails. With the low security modes/levels disabled, the evaluator shall initiate pairing from the TOE to a remote device that supports Security Mode 4/Level 3 or Security Mode 4/Level 4 (for BR/EDR) or Security Mode 1/Level 3 (for LE). The evaluator shall verify that this pairing is successful and uses the high security mode/level.
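The BT-9 test above exercises one decision: when a remote device can only reach a low security level, does the TOE fall back to it or refuse the pairing? The following Python model of that decision is an added example, not code from the PP-Module or from any TOE. It keeps a per-transport minimum level (the BT-9 setting), derives the highest BR/EDR Security Mode 4 or LE Security Mode 1 level a remote's declared capabilities allow, and accepts or rejects accordingly. The level definitions follow the Bluetooth Core Specification (Vol. 3, Part C); the `RemoteDevice`, `PairingPolicy`, `achievable_level` and `evaluate_pairing` names, the capability-to-level mapping, and the sample devices are assumptions made for this illustration.

```python
"""Model of the BT-9 minimum-security check (added example, not TOE code).

Level numbering follows BR/EDR Security Mode 4 and LE Security Mode 1 as
defined in the Bluetooth Core Specification (Vol. 3, Part C).  The mapping
from a remote device's capabilities to a level is a simplification made for
this example (assumption), not any product's actual pairing logic.
"""
from dataclasses import dataclass

# The IO capability that rules out every authenticated association model,
# leaving only "Just Works" (unauthenticated) pairing.
NO_INPUT_NO_OUTPUT = "NoInputNoOutput"


@dataclass(frozen=True)
class RemoteDevice:
    """Pairing attributes a remote device declares (constructed sample)."""
    name: str
    io_capability: str        # e.g. "DisplayYesNo", "KeyboardOnly", NO_INPUT_NO_OUTPUT
    mitm_required: bool       # remote asks for MITM (authenticated) pairing
    secure_connections: bool  # supports Secure Connections (P-256 based pairing)
    encryption: bool          # an LE remote may lack encryption support entirely


@dataclass(frozen=True)
class PairingPolicy:
    """Minimum level per transport, as managed through function BT-9."""
    min_bredr_level: int = 1  # Security Mode 4, Level 1..4
    min_le_level: int = 1     # Security Mode 1, Level 1..4


def achievable_level(remote: RemoteDevice) -> int:
    """Highest Mode 4 (BR/EDR) / Mode 1 (LE) level this remote can reach.

    4: authenticated pairing using Secure Connections
    3: authenticated pairing (MITM protection)
    2: unauthenticated pairing with encryption (Just Works)
    1: no security
    """
    if not remote.encryption:
        return 1
    authenticated = remote.mitm_required and remote.io_capability != NO_INPUT_NO_OUTPUT
    if not authenticated:
        return 2
    return 4 if remote.secure_connections else 3


def evaluate_pairing(policy: PairingPolicy, transport: str, remote: RemoteDevice) -> dict:
    """Apply the minimum-security policy to one pairing attempt.

    With a permissive policy the TOE falls back to whatever level the remote
    reaches; with a strict policy the attempt is refused rather than downgraded.
    Returns {"accepted": bool, "level": int, "reason": str}.
    """
    if transport == "BR/EDR":
        minimum = policy.min_bredr_level
    elif transport == "LE":
        minimum = policy.min_le_level
    else:
        raise ValueError(f"unknown transport {transport!r}")
    level = achievable_level(remote)
    if level >= minimum:
        reason = f"{transport} pairing at level {level} meets minimum {minimum}"
        return {"accepted": True, "level": level, "reason": reason}
    reason = f"{transport} remote only reaches level {level}, minimum is {minimum}"
    return {"accepted": False, "level": level, "reason": reason}


# Constructed sample devices mirroring the remotes described in the BT-9 test.
LOW_SEC_HEADSET = RemoteDevice("headset", NO_INPUT_NO_OUTPUT, mitm_required=False,
                               secure_connections=False, encryption=True)
LEGACY_LE_SENSOR = RemoteDevice("sensor", NO_INPUT_NO_OUTPUT, mitm_required=False,
                                secure_connections=False, encryption=False)
MITM_CAPABLE_PHONE = RemoteDevice("phone", "DisplayYesNo", mitm_required=True,
                                  secure_connections=True, encryption=True)

PERMISSIVE = PairingPolicy(min_bredr_level=1, min_le_level=1)   # low levels allowed
STRICT = PairingPolicy(min_bredr_level=3, min_le_level=3)       # low levels prohibited


def run_bt9_scenario() -> list:
    """The three BT-9 test steps in order: fallback, refusal, high-level success."""
    return [
        evaluate_pairing(PERMISSIVE, "BR/EDR", LOW_SEC_HEADSET)["accepted"],
        evaluate_pairing(STRICT, "BR/EDR", LOW_SEC_HEADSET)["accepted"],
        evaluate_pairing(STRICT, "BR/EDR", MITM_CAPABLE_PHONE)["accepted"],
    ]


if __name__ == "__main__":
    for policy in (PERMISSIVE, STRICT):
        for transport, dev in (("BR/EDR", LOW_SEC_HEADSET), ("LE", LEGACY_LE_SENSOR),
                               ("BR/EDR", MITM_CAPABLE_PHONE)):
            print(evaluate_pairing(policy, transport, dev)["reason"])
```

The point an evaluator is checking is the last branch of `evaluate_pairing`: a strict policy must produce a refused pairing, not a silent downgrade to Just Works, and a remote that does support MITM protection must still pair at the high level.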
5.2GeneralPurposeOperatingSystemsPPSecurityFunctionalRequirementsDirectionInaPP-ConfigurationthatincludesGeneralPurposeOperatingSystemsPP,theTOEisexpectedtorelyon
some of the security functions implemented by the TOE as a whole and evaluated against the General Purpose Operating Systems PP. The following sections describe any modifications that the ST author must make to the SFRs defined in the General Purpose Operating Systems PP in addition to what is mandated by Section 5.3 TOE Security Functional Requirements.
5.2.1 Modified SFRs
The SFRs listed in this section are defined in the General Purpose Operating Systems PP and relevant to the secure operation of the TOE.
5.2.1.1 Security Management (FMT)
FMT_MOF_EXT.1 Management of Security Functions Behavior
FMT_MOF_EXT.1.1
There is no change to the text of this SFR. The SFR references FMT_SMF_EXT.1 and states that the OS shall permit the administrator role to perform the relevant functions listed in FMT_SMF_EXT.1. The function "Enable/Disable the Bluetooth interface" is listed as an optional management function in FMT_SMF_EXT.1 for both users and administrators. When this PP-Module is claimed, the administrator or user role must be able to enable/disable the Bluetooth interface. In other words, the function itself is moved from optional to mandatory, but this PP-Module does not require that it be implemented by a specific role. If the ST indicates that the administrator role can perform this function, then the restrictions imposed by FMT_MOF_EXT.1 will apply to it.
Evaluation Activities
FMT_MOF_EXT.1
There is no change to the Base PP EAs for this SFR when this PP-Module is claimed.
FMT_SMF_EXT.1 Specification of Management Functions
FMT_SMF_EXT.1.1
This PP-Module does not modify this SFR as it is defined in the GPOS PP. However, note that this PP-Module requires the function "Enable/disable Bluetooth interface" to be implemented, though this PP-Module does not mandate whether it be assigned to the Administrator or User role.
Evaluation Activities
FMT_SMF_EXT.1
There is no change to the Base PP EAs for this SFR when this PP-Module is claimed.
5.2.2 Additional SFRs
This section defines additional SFRs that must be added to the TOE boundary in order to implement the functionality in any PP-Configuration where the General Purpose Operating Systems PP is claimed as the Base-PP.
5.2.2.1 Security Management (FMT)
FMT_MOF_EXT.1/BT Management of Security Functions Behavior
FMT_MOF_EXT.1.1/BT
The OS shall restrict the ability to perform the function indicated in the "Administrator" column in FMT_SMF_EXT.1.1/BT to the administrator.
Application Note: The management functions in FMT_SMF_EXT.1/BT require the function BT-1 to be supported by the TOE and manageable by an Administrator at minimum. All other management functions, and what roles may perform them, are optional. The ST must make it clear which of these functions are provided by the TOE and which roles are able to manage them.
Evaluation Activities
FMT_MOF_EXT.1/BT
TSS
The evaluator shall examine the TSS to ensure that it identifies the Bluetooth-related management functions that are supported by the TOE and the roles that are authorized to perform each function.
Guidance
The evaluator shall examine the operational guidance to ensure that it provides sufficient guidance on each supported Bluetooth management function to describe how the function is performed and any role restrictions on the subjects that are authorized to perform the function.
Tests
For each function that is indicated as restricted to the administrator, the evaluator shall perform the function as an administrator, as specified in the Operational Guidance, and determine that it has the expected effect as outlined by the Operational Guidance and the SFR. The evaluator will then perform the function (or otherwise attempt to access the function) as a non-administrator and observe that they are unable to invoke that functionality.
FMT_SMF_EXT.1/BT Specification of Management Functions
FMT_SMF_EXT.1.1/BT
The OS shall be capable of performing the following Bluetooth management functions:

| Function | Administrator | User |
|---|---|---|
| BT-1. Configure the Bluetooth trusted channel. Disable/enable the Discoverable (for BR/EDR) and Advertising (for LE) modes; | X | O |
| BT-2. Change the Bluetooth device name (separately for BR/EDR and LE); | O | O |
| BT-3. Provide separate controls for turning the BR/EDR and LE radios on and off; | O | O |
| BT-4. Allow/disallow the following additional wireless technologies to be used with Bluetooth: [selection: Wi-Fi, NFC, [assignment: other wireless technologies]]; | O | O |
| BT-5. Configure allowable methods of Out of Band pairing (for BR/EDR and LE); | O | O |
| BT-6. Disable/enable the Discoverable (for BR/EDR) and Advertising (for LE) modes separately; | O | O |
| BT-7. Disable/enable the Connectable mode (for BR/EDR and LE); | O | O |
| BT-8. Disable/enable the Bluetooth [assignment: list of Bluetooth services and/or profiles available on the OS (for BR/EDR and LE)]; | O | O |
| BT-9. Specify minimum level of security for each pairing (for BR/EDR and LE); | O | O |
Application Note: The ST should indicate which of the optional management functions are implemented in the TOE. This can be done by adjusting the "Administrator" and "User" columns to "X" according to which capabilities are present or not present, and for which privilege level.
(BT-1.) Management of the Discoverable and Advertising mode and management of the Bluetooth device name are mandatory. All other management functions for Bluetooth are currently objective.
(BT-2. optional) Requires management of the Bluetooth device name separately for BR/EDR and LE radios.
(BT-4. optional) May include disabling Wi-Fi being used as a part of Bluetooth High Speed and/or disabling NFC as an Out of Band pairing method for Bluetooth. May also include other wireless technologies beyond those already specified.
(BT-8. optional) The Bluetooth services and/or profiles that may be disabled should be listed for the user or administrator either by service and/or profile name or by the types of applications for which the service and/or profile is used.
(BT-9. optional) The minimum level of security permitted may be configurable for each individual pairing or for all Bluetooth pairings.
If the TSF supports any of the BR/EDR security modes in the following list, it should provide a mechanism for the user to choose the minimum level of security to enforce for a particular device during the pairing process: Security Mode 1 (any level); Security Mode 2 (any level); Security Mode 3 (any level); Security Mode 4, Levels 0, 1, 2 (aside from the services permitted to use Mode 4, Level 0 in Bluetooth Core Specification version 4.2, Vol. 3, Part C, p. 325). If the TSF supports any of the LE security modes in the following list, it should provide a mechanism for the user to choose the minimum level of security to enforce for a particular device during the pairing process: Security Mode 1, Levels 1, 2; Security Mode 2 (any level). Examples of levels of security are the use of legacy pairing, the use of different types of Secure Simple Pairing, a requirement for Man-in-the-Middle protection, the enforcement of Secure Connections Only mode, etc.
Evaluation Activities
FMT_SMF_EXT.1/BT
TSS
The evaluator shall ensure that the TSS includes a description of the Bluetooth profiles and services supported and the Bluetooth security modes and levels supported by the TOE. If function BT-4, "Allow/disallow additional wireless technologies to be used with Bluetooth," is selected, the evaluator shall verify that the TSS describes any additional wireless technologies that may be used with Bluetooth, which may include Wi-Fi with Bluetooth High Speed and/or NFC as an Out of Band pairing mechanism. If function BT-5, "Configure allowable methods of Out of Band pairing (for BR/EDR and LE)," is selected, the evaluator shall verify that the TSS describes when Out of Band pairing methods are allowed and which ones are configurable. If function BT-8, "Disable/enable the Bluetooth services and/or profiles available on the OS (for BR/EDR and LE)," is selected, the evaluator shall verify that all supported Bluetooth services are listed in the TSS as manageable and, if the TOE allows disabling by application rather than by service name, that a list of services for each application is also listed. If function BT-9, "Specify minimum level of security for each pairing (for BR/EDR and LE)," is selected, the evaluator shall verify that the TSS describes the method by which the level of security for pairings is managed, including whether the setting is performed for each pairing or is a global setting.
Guidance
The evaluator shall ensure that the management functions defined in the PP-Module are described in the guidance to the same extent required for the Base-PP management functions.
Tests
The evaluator shall use a Bluetooth-specific protocol analyzer to perform the following tests:
5.3 TOE Security Functional Requirements
The following section describes the SFRs that must be satisfied by any TOE that claims conformance to this PP-Module. These SFRs must be claimed regardless of which PP-Configuration is used to define the TOE.
5.3.1 Security Audit (FAU)
FAU_GEN.1/BT Audit Data Generation (Bluetooth)
FAU_GEN.1.1/BT
The TSF shall be able to generate an audit record of the following auditable events:
a. Start-up and shutdown of the audit functions
b. All auditable events for the [not selected] level of audit
c. [Specifically defined auditable events in the Auditable Events table].
Table 2: Auditable Events

| Requirement | Auditable Events | Additional Audit Record Contents |
|---|---|---|
| FCS_CKM_EXT.8 | None. | |
| FIA_BLT_EXT.1 | Failed user authorization of Bluetooth device. | User authorization decision (e.g., user rejected connection, incorrect PIN entry). |
| | Failed user authorization for local Bluetooth Service. | Bluetooth address and name of device. Bluetooth profile. Identity of local service with [selection: service ID, profile name]. |
| FIA_BLT_EXT.2 | Initiation of Bluetooth connection. | Bluetooth address and name of device. |
| | Failure of Bluetooth connection. | Reason for failure. |
| FIA_BLT_EXT.3 (optional) | Duplicate connection attempt. | BD_ADDR of connection attempt. |
| FIA_BLT_EXT.4 | None. | |
| FIA_BLT_EXT.5 (if claimed) | None. | |
| FIA_BLT_EXT.6 | None. | |
| FIA_BLT_EXT.7 | None. | |
| FTP_BLT_EXT.1 | None. | |
| FTP_BLT_EXT.2 | None. | |
| FTP_BLT_EXT.3/BR | None. | |
| FTP_BLT_EXT.3/LE (if claimed) | None. | |

FAU_GEN.1.2/BT
The TSF shall record within each audit record at least the following information:
a. Date and time of the event
b. Type of event
c. Subject identity
d. The outcome (success or failure) of the event
e. [Additional information in the Auditable Events table].
Application Note: It is not feasible for the FIA_BLT_EXT.3 event to be audited if the rejection is performed at the HCI layer because the Bluetooth standard does not provide a notification interface for this behavior in the HCI. This is why the event is labeled as optional. However, if the rejection is performed above the HCI layer, it is expected that a conformant TOE should implement this functionality.
Evaluation Activities
FAU_GEN.1/BT
TSS
There are additional auditable events that serve to extend the FAU_GEN.1 SFR found in each Base-PP. This SFR is evaluated in the same manner as defined by the Evaluation Activities for the claimed Base-PP. The only difference is that the evaluator shall also assess the auditable events required for this PP-Module in addition to those defined in the claimed Base-PP.
5.3.2 Cryptographic Support (FCS)
FCS_CKM_EXT.8 Bluetooth Key Generation
FCS_CKM_EXT.8.1
The TSF shall generate public/private ECDH key pairs every [assignment: frequency of and/or criteria for new key pair generation].
Application Note: There are multiple acceptable ways of keeping ECDH key pairs adequately fresh, including a time-based approach such that the same key pairs will not be used for more than, for instance, 24 hours. Alternatively, the criteria might be linked to the number of passed or failed authentication attempts. As a starting point to determine reasonable authentication attempt-based replacement criteria, note that the Bluetooth specification (v4.1, Vol. 2, 5.1) suggests mitigating repeated authentication attempts by changing a device's private key after three failed authentication attempts from any BD_ADDR, after ten successful pairings from any BD_ADDR, or after a combination of these such that any three successful pairings count as one failed pairing. This requirement also applies to Bluetooth LE if the TOE supports LE Secure Connections, which was introduced in version 4.2 of the specification.
Evaluation Activities
FCS_CKM_EXT.8
TSS
The evaluator shall ensure that the TSS describes the criteria used to determine the frequency of generating new ECDH public/private key pairs. In particular, the evaluator shall ensure that the implementation does not permit the use of static ECDH key pairs.
Guidance
There are no guidance evaluation activities for this component.
Tests
The evaluator shall perform the following steps:
Step 1: Pair the TOE to a remote Bluetooth device and record the public key currently in use by the TOE. (This public key can be obtained using a Bluetooth protocol analyzer to inspect packets exchanged during pairing.)
Step 2: Perform necessary actions to generate new ECDH public/private key pairs. (Note that this test step depends on how the TSS describes the criteria used to determine the frequency of generating new ECDH public/private key pairs.)
Step 3: Pair the TOE to a remote Bluetooth device and again record the public key currently in use by the TOE.
Step 4: Verify that the public key in Step 1 differs from the public key in Step 3.
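The key-replacement criteria the Application Note describes, worked through as an added example (not code from the PP-Module or from any Bluetooth stack): a policy object that tracks pairing outcomes across all BD_ADDRs and replaces the P-256 ECDH key pair when the 24-hour bound, the three-failure bound, the ten-success bound or the "three successes count as one failure" combination trips. The curve arithmetic is a plain affine double-and-add written only so the example produces real public keys offline; the class and function names are this example's own.

```python
import secrets
import time
from dataclasses import dataclass, field

# P-256 domain parameters (FIPS 186-4), used only to derive a real public key
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _point_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None                      # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def _scalar_mult(k, point):
    """Double-and-add; adequate for an illustration, not constant-time."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def on_curve(point):
    """True if y^2 == x^3 + a*x + b (mod p), i.e. the point is a valid P-256 public key."""
    x, y = point
    return (y * y - (x ** 3 + P256_A * x + P256_B)) % P256_P == 0


def generate_ecdh_keypair():
    """Fresh P-256 key pair: random scalar in [1, n-1] and its public point."""
    priv = 1 + secrets.randbelow(P256_N - 1)
    return priv, _scalar_mult(priv, P256_G)


@dataclass
class KeyFreshnessPolicy:
    """Decides when the ECDH key pair presented during pairing must be replaced."""
    max_age_seconds: float = 24 * 3600   # time-based bound from the Application Note
    max_failed: int = 3                  # failed pairings, from any BD_ADDR
    max_successful: int = 10             # successful pairings, from any BD_ADDR
    successes_per_failure: int = 3       # combination rule: 3 successes count as 1 failure
    failed: int = 0
    succeeded: int = 0
    rotations: int = 0                   # how many key pairs have been generated so far
    public_key: tuple = field(init=False, default=None)
    created_at: float = field(init=False, default=0.0)
    _private: int = field(init=False, default=0, repr=False)

    def __post_init__(self):
        self._rotate(time.time())

    def _rotate(self, now):
        self._private, self.public_key = generate_ecdh_keypair()
        self.created_at = now
        self.failed = self.succeeded = 0
        self.rotations += 1

    def needs_rotation(self, now):
        if now - self.created_at >= self.max_age_seconds:
            return True
        if self.failed >= self.max_failed or self.succeeded >= self.max_successful:
            return True
        # Combination rule: once a failure has been seen, each block of
        # successes_per_failure successes weighs as one more failure.
        weighted = self.failed + self.succeeded // self.successes_per_failure
        return self.failed > 0 and weighted >= self.max_failed

    def key_for_pairing(self, now=None):
        """Public key to send in the next pairing exchange; rotates first if stale."""
        now = time.time() if now is None else now
        if self.needs_rotation(now):
            self._rotate(now)
        return self.public_key

    def record_pairing(self, success, now=None):
        """Called after each pairing attempt; replaces the key pair when a criterion trips."""
        now = time.time() if now is None else now
        if success:
            self.succeeded += 1
        else:
            self.failed += 1
        if self.needs_rotation(now):
            self._rotate(now)
```

The `now` argument exists so the time-based bound can be exercised deterministically; a stack would pass its own clock.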
5.3.3 Identification and Authentication (FIA)
FIA_BLT_EXT.1 Bluetooth User Authorization
FIA_BLT_EXT.1.1
The TSF shall require explicit user authorization before pairing with a remote Bluetooth device.
Application Note: User authorization includes explicit actions like affirming the remote device's name, expressing an intent to connect to the remote device, and entering relevant pairing information (e.g. PINs, numeric codes, or "yes/no" responses). The user must have to explicitly permit all pairing attempts, even when bonding is not taking place. Because explicit user action must be required to permit pairing, it must not be possible for applications to programmatically enter pairing information (e.g. PINs, numeric codes, or "yes/no" responses) during the pairing process. The absence of public APIs for programmatic authorization is not sufficient to meet this requirement; hidden or private APIs must be absent as well.
Evaluation Activities
FIA_BLT_EXT.1
TSS
The evaluator shall examine the TSS to ensure that it contains a description of when user permission is required for Bluetooth pairing, and that this description mandates explicit user authorization via manual input for all Bluetooth pairing, including application use of the Bluetooth trusted channel and situations where temporary (non-bonded) connections are formed.
Guidance
The evaluator shall examine the API documentation provided as a means of satisfying the requirements for the ADV assurance class (see section 5.2.2 in the MDF PP and GPOS PP) and verify that this API documentation does not include any API for programmatic entering of pairing information (e.g. PINs, numeric codes, or "yes/no" responses) intended to bypass manual user input during pairing. The evaluator shall examine the guidance to verify that these user authorization screens are clearly identified and instructions are given for authorizing Bluetooth pairings.
Tests
The evaluator shall perform the following steps:
Step 1: Initiate pairing with the TOE from a remote Bluetooth device that requests no man-in-the-middle protection, no bonding, and claims to have No Input/No Output (IO) capability. Such a device will attempt to evoke behavior from the TOE that represents the minimal level of user interaction that the TOE supports during pairing.
Step 2: Verify that the TOE does not permit any Bluetooth pairing without explicit authorization from the user (e.g. the user must have to minimally answer "yes" or "allow" in a prompt).
FIA_BLT_EXT.2 Bluetooth Mutual Authentication
FIA_BLT_EXT.2.1
The TSF shall require Bluetooth mutual authentication between devices prior to any data transfer over the Bluetooth link.
Application Note: If devices are not already paired, the pairing process must be initiated. If the devices are already paired, mutual authentication based on the current link key must succeed before any data passes over the link.
Evaluation Activities
FIA_BLT_EXT.2
TSS
The evaluator shall ensure that the TSS describes how data transfer of any type is prevented before the Bluetooth pairing is completed. The TSS shall specifically call out any supported RFCOMM and L2CAP data transfer mechanisms. The evaluator shall ensure that the data transfers are only completed after the Bluetooth devices are paired and mutually authenticated.
Guidance
There are no guidance evaluation activities for this component.
Tests
The evaluator shall use a Bluetooth tool to attempt to access TOE files using the OBEX Object Push service (OBEX Push) and verify that pairing and mutual authentication are required by the TOE before allowing access. If the OBEX Object Push service is unsupported on the TOE, a different service that transfers data over Bluetooth L2CAP and/or RFCOMM may be used in this test.
FIA_BLT_EXT.3 Rejection of Duplicate Bluetooth Connections
FIA_BLT_EXT.3.1
The TSF shall discard pairing and session initialization attempts from a Bluetooth device address (BD_ADDR) to which an active session already exists.
Application Note: Session is defined as the time interval for which the TSF is actively connected to another device. Thus, the session terminates when the device disconnects from the TSF. If the TOE has an active session to a remote Bluetooth device, new session initialization and/or pairing attempts from devices claiming the same Bluetooth device address may be malicious and should be rejected/ignored. Only one session to a single remote BD_ADDR may be supported at a time.
Evaluation Activities
FIA_BLT_EXT.3
TSS
The evaluator shall ensure that the TSS describes how Bluetooth sessions are maintained such that at least two devices with the same Bluetooth device address are not simultaneously connected and such that the initial session is not superseded by any following session initialization attempts.
Guidance
There are no guidance evaluation activities for this component.
Tests
The evaluator shall perform the following steps:
Step 1: Pair the TOE with a remote Bluetooth device (DEV1) with a known address BD_ADDR. Establish an active session between the TOE and DEV1 with the known address BD_ADDR.
Step 2: Attempt to pair a second remote Bluetooth device (DEV2) claiming to have a Bluetooth device address matching DEV1 BD_ADDR to the TOE. Using a Bluetooth protocol analyzer, verify that the pairing attempt by DEV2 is not completed by the TOE and that the active session to DEV1 is unaffected.
Step 3: Attempt to initialize a session to the TOE from DEV2 containing address DEV1 BD_ADDR. Using a Bluetooth protocol analyzer, verify that the session initialization attempt by DEV2 is ignored by the TOE and that the initial session to DEV1 is unaffected.
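The session-tracking behaviour of FIA_BLT_EXT.3, together with the audit record Table 2 asks for when the rejection happens above the HCI layer, as an added example (not code from the PP-Module or from any host stack): a table keyed by canonicalised BD_ADDR in which the first session wins, later pairing or session-initialisation attempts from the same address are discarded without touching the existing session, and each discarded attempt yields a record with the FAU_GEN.1.2/BT fields plus the attempting BD_ADDR. The addresses, handles and class names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

_BD_ADDR = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")


def normalize_bd_addr(addr):
    """Canonical upper-case form, so 'aa:bb:..' and 'AA:BB:..' are the same key."""
    addr = addr.strip().upper()
    if not _BD_ADDR.match(addr):
        raise ValueError("malformed BD_ADDR: %r" % addr)
    return addr


@dataclass
class AuditRecord:
    """FAU_GEN.1.2/BT fields: date/time, event type, subject, outcome, extra content."""
    timestamp: str
    event: str
    subject: str
    outcome: str
    details: dict = field(default_factory=dict)


@dataclass
class BluetoothSessionTable:
    active: dict = field(default_factory=dict)    # BD_ADDR -> connection handle
    audit_log: list = field(default_factory=list)

    def _audit(self, event, subject, outcome, **details):
        self.audit_log.append(AuditRecord(
            datetime.now(timezone.utc).isoformat(), event, subject, outcome, details))

    def request(self, kind, bd_addr, handle, name=""):
        """Handle a 'pairing' or 'session' initialization request from a remote device.

        Returns True if the attempt may proceed, False if it was discarded because
        an active session to that BD_ADDR already exists (FIA_BLT_EXT.3.1).
        """
        addr = normalize_bd_addr(bd_addr)
        if addr in self.active:
            # One session per remote BD_ADDR; the initial session is never superseded.
            self._audit("Duplicate connection attempt", addr, "failure",
                        bd_addr_of_attempt=addr, request=kind,
                        existing_handle=self.active[addr])
            return False
        if kind == "session":
            self.active[addr] = handle
            # FIA_BLT_EXT.2 event from Table 2: address and name of the device
            self._audit("Initiation of Bluetooth connection", addr, "success",
                        bd_addr=addr, device_name=name, handle=handle)
        return True

    def disconnect(self, bd_addr):
        """The session ends when the device disconnects; the address is free again."""
        self.active.pop(normalize_bd_addr(bd_addr), None)

    def duplicate_attempts(self):
        """Audit records produced for discarded attempts."""
        return [r for r in self.audit_log if r.event == "Duplicate connection attempt"]
```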
FIA_BLT_EXT.4 Secure Simple Pairing
FIA_BLT_EXT.4.1
The TOE shall support Bluetooth Secure Simple Pairing, both in the host and the controller.
FIA_BLT_EXT.4.2
The TOE shall support Secure Simple Pairing during the pairing process.
Application Note: The Bluetooth host and controller each support a particular version of the Bluetooth Core Specification and a particular set of features. Support for various features is indicated by each side during the Link Manager Protocol (LMP) Features Exchange. Refer to the Bluetooth specification [Bluetooth] for feature definitions, including the definitions of Secure Simple Pairing (Controller Support) and Secure Simple Pairing (Host Support).
Evaluation Activities
FIA_BLT_EXT.4
TSS
The evaluator shall verify that the TSS describes the secure simple pairing process.
Guidance
There are no guidance evaluation activities for this component.
Tests
The evaluator shall perform the following steps:
Step 1: Initiate pairing with the TOE from a remote Bluetooth device that supports Secure Simple Pairing.
Step 2: During the pairing process, observe the packets in a Bluetooth protocol analyzer and verify that the TOE claims support for both "Secure Simple Pairing (Host Support)" and "Secure Simple Pairing (Controller Support)" during the LMP Features Exchange.
Step 3: Verify that Secure Simple Pairing is used during the pairing process.
FIA_BLT_EXT.6 Trusted Bluetooth Device User Authorization
FIA_BLT_EXT.6.1
The TSF shall require explicit user authorization before granting trusted remote devices access to services associated with the following Bluetooth profiles: [assignment: list of Bluetooth profiles].
Application Note: In addition to pairing, it may be appropriate to require explicit user action to authorize a particular remote device to access certain Bluetooth services. The TSF may choose to require this additional action for all devices or only for those devices that do not have a required level of trust. It is strongly preferred that, for each service, the TSF maintains a list of the devices trusted to use that particular service. However, the TSF might designate certain devices as having a trusted device relationship with the TOE and grant them "blanket" access to all services. Furthermore, it may be the case that the TSF allows movement of devices from the untrusted to the trusted category for a particular service after the user provides explicit authorization for the device to use the service. For example, it may be appropriate to require that the user provide explicit, manual authorization before a remote device may use the OBEX service for an object transfer the first time. The user might be given the option to permit future connections to that service by the particular device without requiring explicit authorization each time.
Evaluation Activities
FIA_BLT_EXT.6
TSS
The evaluator shall verify that the TSS describes all Bluetooth profiles and associated services for which explicit user authorization is required before a remote device can gain access. The evaluator shall also verify that the TSS describes any difference in behavior based on whether or not the device has a trusted relationship with the TOE for that service (i.e. whether there are any services that require explicit user authorization for untrusted devices that do not require such authorization for trusted devices). The evaluator shall also verify that the TSS describes the method by which a device can become 'trusted'.
Guidance
There are no guidance evaluation activities for this component.
Tests
The evaluator shall perform the following tests:
Test 1: While the service is in active use by an application on the TOE, the evaluator shall attempt to gain access to a "protected" Bluetooth service (as specified in the assignment in FIA_BLT_EXT.6.1) from a "trusted" remote device. The evaluator shall verify that the user is explicitly asked for authorization by the TOE to allow access to the service for the particular remote device. The evaluator shall deny the authorization on the TOE and verify that the remote attempt to access the service fails due to lack of authorization.
Test 2: The evaluator shall repeat Test 1, this time allowing the authorization and verifying that the remote device successfully accesses the service.
FIA_BLT_EXT.7 Untrusted Bluetooth Device User Authorization
FIA_BLT_EXT.7.1
The TSF shall require explicit user authorization before granting untrusted remote devices access to services associated with the following Bluetooth profiles: [assignment: list of Bluetooth profiles].
Application Note: FIA_BLT_EXT.7 differs from FIA_BLT_EXT.6 because a conformant TOE may distinguish between "trusted" and "untrusted" devices such that the TSF grants "untrusted" devices access to fewer services following pairing. However, this behavior is not required; if the TSF does not treat "trusted" and "untrusted" devices any differently, the ST author may complete the assignments in FIA_BLT_EXT.6.1 and FIA_BLT_EXT.7.1 with lists of Bluetooth profiles.
Evaluation Activities
FIA_BLT_EXT.7
TSS
The TSS evaluation activities for this component are addressed by FIA_BLT_EXT.6.
Guidance
There are no guidance evaluation activities for this component.
Tests
The evaluator shall perform the following tests if the TSF differentiates between "trusted" and "untrusted" devices for the purpose of granting access to services. If it does not, then the test evaluation activities for FIA_BLT_EXT.6 are sufficient to satisfy this component.
Test 1: While the service is in active use by an application on the TOE, the evaluator shall attempt to gain access to a "protected" Bluetooth service (as specified in the assignment in FIA_BLT_EXT.7.1) from an "untrusted" remote device. The evaluator shall verify that the user is explicitly asked for authorization by the TOE to allow access to the service for the particular remote device. The evaluator shall deny the authorization on the TOE and verify that the remote attempt to access the service fails due to lack of authorization.
Test 2: The evaluator shall repeat Test 1, this time allowing the authorization and verifying that the remote device successfully accesses the service.
Test 3 (conditional): If there exist any services that require explicit user authorization for access by untrusted devices but not by trusted devices (i.e. a service that is listed in FIA_BLT_EXT.7.1 but not FIA_BLT_EXT.6.1), the evaluator shall repeat Test 1 for these services and observe that the results are identical. That is, the evaluator shall use these results to verify that explicit user approval is required for an untrusted device to access these services, and failure to grant this approval will result in the device being unable to access them.
Test 4 (conditional): If Test 3 applies, the evaluator shall repeat Test 2 using any services chosen in Test 3 and observe that the results are identical. That is, the evaluator shall use these results to verify that explicit user approval is required for an untrusted device to access these services, and granting this approval will result in the device being able to access them.
Test 5 (conditional): If Test 3 applies, the evaluator shall repeat Test 3 except this time designating the device as "trusted" prior to attempting to access the service. The evaluator shall verify that access to the service is granted without explicit user authorization (because the device is now trusted and therefore FIA_BLT_EXT.7.1 no longer applies to it). That is, the evaluator shall use these results to demonstrate that the TSF will grant a device access to different services depending on whether or not the device is trusted.
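The per-service trust model the FIA_BLT_EXT.6 Application Note prefers, with the FIA_BLT_EXT.7 distinction between trusted and untrusted devices, as an added example (not code from the PP-Module or from any Bluetooth stack). The two profile sets stand in for the FIA_BLT_EXT.6.1 and FIA_BLT_EXT.7.1 assignments and are constructed for the example, as are the profile names and the `prompt_user` callback, which models the explicit user decision and whether the user chose to remember the device for that one service.

```python
from dataclasses import dataclass, field
from typing import Callable, Tuple

# Constructed stand-ins for the ST assignments. A profile in TRUSTED_REQUIRES_AUTH
# needs explicit authorization even from a trusted device (FIA_BLT_EXT.6.1);
# one in UNTRUSTED_REQUIRES_AUTH needs it from an untrusted device (FIA_BLT_EXT.7.1).
TRUSTED_REQUIRES_AUTH = {"OPP"}
UNTRUSTED_REQUIRES_AUTH = {"OPP", "HFP", "PBAP"}


@dataclass
class ServiceAccessPolicy:
    """Grants or denies a remote device's use of a local service.

    prompt_user(bd_addr, service) is the explicit user decision and returns
    (allow, remember). It is only invoked when a decision is actually required.
    """
    prompt_user: Callable[[str, str], Tuple[bool, bool]]
    # service -> set of BD_ADDRs the user has trusted for that particular service
    trusted: dict = field(default_factory=dict)
    decisions: list = field(default_factory=list)   # (bd_addr, service, allowed)

    def is_trusted(self, bd_addr, service):
        return bd_addr in self.trusted.get(service, set())

    def authorize(self, bd_addr, service):
        """True if bd_addr may use service now; prompts the user only when required."""
        if self.is_trusted(bd_addr, service):
            needs_prompt = service in TRUSTED_REQUIRES_AUTH
        else:
            needs_prompt = service in UNTRUSTED_REQUIRES_AUTH
        if not needs_prompt:
            return True
        allow, remember = self.prompt_user(bd_addr, service)
        self.decisions.append((bd_addr, service, bool(allow)))
        if allow and remember:
            # Promotion is per service: trust for HFP says nothing about OPP.
            self.trusted.setdefault(service, set()).add(bd_addr)
        return bool(allow)

    def revoke(self, bd_addr, service=None):
        """Drop a device from the trusted list of one service, or of all services."""
        services = [service] if service else list(self.trusted)
        for svc in services:
            self.trusted.get(svc, set()).discard(bd_addr)
```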
5.3.4 Trusted Path/Channels (FTP)
FTP_BLT_EXT.1 Bluetooth Encryption
FTP_BLT_EXT.1.1
The TSF shall enforce the use of encryption when transmitting data over the Bluetooth trusted channel for BR/EDR and [selection: LE, no other connections].
Application Note: LE is selectable because not all conformant TOEs include support for LE. If LE is supported, it is expected that the TSF be able to provide encryption for this interface. Selection of LE in FTP_BLT_EXT.1.1 requires the inclusion of the selection-based SFR FTP_BLT_EXT.3/LE.
FTP_BLT_EXT.1.2
The TSF shall use key pairs per FCS_CKM_EXT.8 for Bluetooth encryption.
Evaluation Activities
FTP_BLT_EXT.1
TSS
The evaluator shall verify that the TSS describes the use of encryption, the specific Bluetooth protocol(s) it applies to, and whether it is enabled by default. The evaluator shall verify that the TSS includes the protocol used for encryption of the transmitted data and the key generation mechanism used.
Guidance
The evaluator shall verify that the operational guidance includes instructions on how to configure the TOE to require the use of encryption during data transmission (unless this behavior is enforced by default).
Tests
There are no test EAs for this component. Testing for this SFR is addressed through the evaluation of FTP_BLT_EXT.3/BR and, if claimed, FTP_BLT_EXT.3/LE.
FTP_BLT_EXT.2 Persistence of Bluetooth Encryption
FTP_BLT_EXT.2.1
The TSF shall [selection: restart encryption, terminate the connection] if the remote device stops encryption while connected to the TOE.
Application Note: Permitting devices to terminate and/or restart encryption in the middle of a connection weakens user data protection. Note that an encryption pause request, which includes a request to stop encryption, stops encryption only temporarily. This requirement is not intended to address the encryption pause feature.
Evaluation Activities
FTP_BLT_EXT.2
TSS
The evaluator shall verify that the TSS describes the TSF's behavior if a remote device stops encryption while connected to the TOE.
Guidance
The evaluator shall verify that the operational guidance describes how to enable/disable encryption (if configurable).
Tests
The evaluator shall perform the following steps using a Bluetooth protocol analyzer to observe packets pertaining to the encryption key size:
Step 1: Initiate pairing with the TOE from a remote Bluetooth device that has been configured to have a minimum encryption key size that is equal to or greater than that of the TOE.
Step 2: After pairing has successfully finished and while a connection exists between the TOE and the remote device, turn off encryption on the remote device. This can be done using commercially-available tools.
Step 3: Verify that the TOE either restarts encryption with the remote device or terminates the connection with the remote device.
FTP_BLT_EXT.3 Bluetooth Encryption Parameters
FTP_BLT_EXT.3.1
The TSF shall set the minimum encryption key size to [assignment: key size larger than or equal to 128 bits] for [assignment: Bluetooth protocol].
FTP_BLT_EXT.3/BR Bluetooth Encryption Parameters (BR/EDR)
FTP_BLT_EXT.3.1/BR
The TSF shall set the minimum encryption key size to [assignment: key size larger than or equal to 128 bits] for [BR/EDR] and not negotiate encryption key sizes smaller than the minimum size.
Application Note: Encryption is mandatory for BR/EDR connections when both devices support Secure Simple Pairing. Minimum encryption requirements will be set and verified for each Bluetooth profile/application.
Evaluation Activities
FTP_BLT_EXT.3/BR
TSS
The evaluator shall examine the TSS and verify that it specifies the minimum key size for BR/EDR encryption, whether this value is configurable, and the mechanism by which the TOE will not negotiate key sizes smaller than the minimum.
Guidance
The evaluator shall verify that the guidance includes instructions on how to configure the minimum encryption key size for BR/EDR encryption, if configurable.
Tests
The evaluator shall perform the following tests:
Test 1: The evaluator shall perform the following steps using a Bluetooth protocol analyzer to observe packets pertaining to the encryption key size:
Step 1: Initiate BR/EDR pairing with the TOE from a remote Bluetooth device that has been configured to have a minimum encryption key size that is equal to or greater than that of the TOE. This can be done using certain commercially-available tools that can send the appropriate command to certain commercially-available Bluetooth controllers.
Step 2: Use a Bluetooth packet sniffer to verify that the encryption key size negotiated for the connection is at least as large as the minimum encryption key size defined for the TOE.
Test 2 (conditional): If the encryption key size is configurable, configure the TOE to support a different minimum key size, then repeat Test 1 and verify that the negotiated key size is at least as large as the new minimum value.
Test 3: The evaluator shall perform the following steps using a Bluetooth protocol analyzer to observe packets pertaining to the encryption key size:
Step 1: Initiate BR/EDR pairing with the TOE from a remote Bluetooth device that has been configured to have a maximum encryption key size of 1 byte. This can be done using certain commercially-available tools that can send the appropriate command to certain commercially-available Bluetooth controllers.
Step 2: Verify that the encryption key size suggested by the remote device is not accepted by the TOE and that the connection is not completed.
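The two link-encryption behaviours above, FTP_BLT_EXT.3/BR (never negotiate a BR/EDR key smaller than the configured minimum, which itself may not be below 128 bits) and FTP_BLT_EXT.2 (restart encryption or terminate when the remote device stops it, with encryption pause left out of scope), modelled together as an added example that is not code from the PP-Module or from any controller firmware. It assumes BR/EDR key size is negotiated in whole bytes from 1 to 16 and represents the ST selection as an enum; the class and method names are this example's own.

```python
from dataclasses import dataclass, field
from enum import Enum

MIN_KEY_BYTES_FLOOR = 16      # 128 bits: smallest minimum the FTP_BLT_EXT.3 assignment allows
MAX_KEY_BYTES = 16            # largest BR/EDR encryption key size


class OnEncryptionStopped(Enum):
    """The FTP_BLT_EXT.2.1 selection made by the ST author."""
    RESTART = "restart encryption"
    TERMINATE = "terminate the connection"


@dataclass
class LinkEncryptionPolicy:
    min_key_bytes: int = 16
    on_stopped: OnEncryptionStopped = OnEncryptionStopped.TERMINATE
    connected: bool = False
    encrypted: bool = False
    key_bytes: int = 0
    events: list = field(default_factory=list)     # (what happened, key size involved)

    def __post_init__(self):
        # Configurable minimum (Test 2), but never below the 128-bit floor.
        if not MIN_KEY_BYTES_FLOOR <= self.min_key_bytes <= MAX_KEY_BYTES:
            raise ValueError("minimum key size must be 16 bytes (128 bits)")

    def negotiate_key_size(self, remote_max_bytes):
        """Key-size negotiation as seen from the TOE.

        Returns the agreed size in bytes, or None when the remote proposal is
        below the minimum and the connection is therefore not completed (Test 3).
        """
        agreed = min(MAX_KEY_BYTES, remote_max_bytes)
        if agreed < self.min_key_bytes:
            self.events.append(("refused", remote_max_bytes))
            self.connected = self.encrypted = False
            return None
        self.key_bytes = agreed
        self.connected = self.encrypted = True
        self.events.append(("encrypted", agreed))
        return agreed

    def remote_stopped_encryption(self, pause=False):
        """Remote device turned encryption off mid-connection (FTP_BLT_EXT.2 Test Step 2)."""
        if not self.connected:
            return "ignored"
        if pause:
            # Encryption pause stops encryption only temporarily and is explicitly
            # outside the scope of FTP_BLT_EXT.2 (Application Note).
            self.events.append(("paused", self.key_bytes))
            return "paused"
        self.encrypted = False
        if self.on_stopped is OnEncryptionStopped.RESTART:
            self.encrypted = True
            self.events.append(("restarted", self.key_bytes))
        else:
            self.connected = False
            self.events.append(("terminated", self.key_bytes))
        return self.on_stopped.value

    def may_transmit(self):
        """FTP_BLT_EXT.1.1: user data is only sent over an encrypted, live link."""
        return self.connected and self.encrypted
```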
5.4 TOE Security Functional Requirements Rationale
The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:
Table 3: SFR Rationale

| Objective | Addressed by | Rationale |
|---|---|---|
| O.PROTECTED_COMMS | FIA_BLT_EXT.1 | FIA_BLT_EXT.1 supports the objective by ensuring that Bluetooth communications are not initiated without user approval. |
| | FIA_BLT_EXT.2 | FIA_BLT_EXT.2 supports the objective by requiring the TSF to implement Bluetooth mutual authentication. |
| | FIA_BLT_EXT.3 | FIA_BLT_EXT.3 supports the objective by preventing Bluetooth spoofing by rejecting connections with duplicate device addresses. |
| | FIA_BLT_EXT.4 | FIA_BLT_EXT.4 supports the objective by defining the TSF's implementation of Bluetooth Secure Simple Pairing. |
| | FIA_BLT_EXT.5 | FIA_BLT_EXT.5 supports the objective by requiring the TSF to support Secure Connections Only mode for the supported Bluetooth communication channels. |
| | FIA_BLT_EXT.6 | FIA_BLT_EXT.6 supports the objective by requiring the TSF to specify the Bluetooth profiles that it requires explicit user authorization to grant access to for trusted devices. |
| | FTP_BLT_EXT.1 | FTP_BLT_EXT.1 supports the objective by requiring the TSF to implement encryption to protect Bluetooth communications. |
| | FTP_BLT_EXT.2 | FTP_BLT_EXT.2 supports the objective by requiring the TSF to prevent data transmission over Bluetooth if the paired device is not using encryption. |

5.5 TOE Security Assurance Requirements
This PP-Module does not define any SARs beyond those defined within the Base-PPs to which it can claim conformance. It is important to note that a TOE that is evaluated against this PP-Module is inherently evaluated against the Mobile Devices PP and General Purpose Operating Systems PP as well. These PPs include a number of EAs associated with both Security Functional Requirements (SFRs) and SARs. Additionally, this PP-Module includes a number of SFR-based EAs that similarly refine the SARs of the Base-PPs. The evaluation laboratory will evaluate the TOE against the chosen Base-PP and supplement that evaluation with the necessary SFRs that are taken from this PP-Module.
6 Consistency Rationale
6.1 Protection Profile for Mobile Devices
6.1.1 Consistency of TOE Type
If this PP-Module is used to extend the MDF PP, the TOE type for the overall TOE is still a mobile device. However, one of the functions of the device must be the ability for it to have Bluetooth capability. The TOE boundary is simply extended to include that functionality.
6.1.2 Consistency of Security Problem Definition
The threats that apply to this PP-Module are inherited from the Base-PP to which the TOE also conforms. This PP-Module does not add or remove any elements to the security problem definition given in the MDF PP.

| PP-Module Threat, Assumption, OSP | Consistency Rationale |
|---|---|
| T.NETWORK_EAVESDROP | This threat comes directly from both base PPs. |
| T.NETWORK_ATTACK | This threat comes directly from both base PPs. |

6.1.3 Consistency of Objectives
The objectives that apply to this PP-Module are inherited from the Base-PP to which the TOE also conforms. This PP-Module does not add or remove any elements to the objectives given in the MDF PP. The objectives for the TOEs are consistent with the Mobile Devices PP based on the following rationale:

| PP-Module TOE Objective | Consistency Rationale |
|---|---|
| O.PROTECTED_COMMS | This objective comes directly from the PP. |
6.1.4 Consistency of Requirements
This PP-Module identifies several SFRs from the Mobile Devices PP that are needed to support Bluetooth functionality. This is considered to be consistent because the functionality provided by the Mobile Devices PP is being used for its intended purpose. The PP-Module also identifies a number of modified SFRs from the Mobile Devices PP as well as new SFRs that are used entirely to provide functionality for Bluetooth. The rationale for why this does not conflict with the claims defined by the Mobile Devices PP is as follows:

| PP-Module Requirement | Consistency Rationale |
|---|---|
| Modified SFRs | |
| FMT_SMF_EXT.1 | This SFR is unchanged from its definition in the Base-PP; the only change required by this PP-Module is how to interpret it in the context of Bluetooth capabilities. |
| Additional SFRs | |
| FMT_SMF_EXT.1/BT | The ST author is instructed to complete an assignment in the SFR with information related to Bluetooth, and to include additional management functions in this SFR based on the Bluetooth capability defined by the PP-Module. |
| Mandatory SFRs | |
| FAU_GEN.1/BT | The PP-Module defines auditable events for Bluetooth that extend the audit functionality defined in each Base-PP. |
| FCS_CKM_EXT.8 | |
| FIA_BLT_EXT.1 | |
| FIA_BLT_EXT.2 | |
| FIA_BLT_EXT.3 | |
| FIA_BLT_EXT.4 | |
| FIA_BLT_EXT.6 | |
| FIA_BLT_EXT.7 | |
| FTP_BLT_EXT.1 | |
| FTP_BLT_EXT.2 | |
| FTP_BLT_EXT.3/BR | |
| Optional SFRs | |
| This PP-Module does not define any Optional requirements. | |
| Selection-based SFRs | |
| FTP_BLT_EXT.3/LE | |
| Objective SFRs | |
| FIA_BLT_EXT.5 | |
| Implementation-based SFRs | |
| This PP-Module does not define any Implementation-based requirements. | |
6.2 Protection Profile for General Purpose Operating Systems
6.2.1 Consistency of TOE Type
If this PP-Module is used to extend the [GPOS PP], the TOE type for the overall TOE is still a generic operating system. However, one of the functions of the generic operating system must be the ability for it to have Bluetooth capability. The TOE boundary is simply extended to include that functionality.
6.2.2 Consistency of Security Problem Definition
The threats that apply to this PP-Module are inherited from the Base-PP to which the TOE also conforms. This PP-Module does not add or remove any elements to the security problem definition given in the GPOS PP.

| PP-Module Threat, Assumption, OSP | Consistency Rationale |
|---|---|
| T.NETWORK_EAVESDROP | This threat comes directly from both base PPs. |
| T.NETWORK_ATTACK | This threat comes directly from both base PPs. |

6.2.3 Consistency of Objectives
The objectives that apply to this PP-Module are inherited from the Base-PP to which the TOE also conforms. This PP-Module does not add or remove any elements to the objectives given in the GPOS PP. The objectives for the TOEs are consistent with the General Purpose Operating Systems PP based on the following rationale:

| PP-Module TOE Objective | Consistency Rationale |
|---|---|
| O.PROTECTED_COMMS | This objective comes directly from the PP. |
6.2.4 Consistency of Requirements
This PP-Module identifies several SFRs from the General Purpose Operating Systems PP that are needed to support Bluetooth functionality. This is considered to be consistent because the functionality provided by the General Purpose Operating Systems PP is being used for its intended purpose. The PP-Module also identifies a number of modified SFRs from the General Purpose Operating Systems PP as well as new SFRs that are used entirely to provide functionality for Bluetooth. The rationale for why this does not conflict with the claims defined by the General Purpose Operating Systems PP is as follows:

| PP-Module Requirement | Consistency Rationale |
|---|---|
| Modified SFRs | |
| FMT_MOF_EXT.1 | This SFR is unchanged from its definition in the Base-PP; the only change required by this PP-Module is how to interpret it in the context of Bluetooth capabilities. |
| FMT_SMF_EXT.1 | This SFR is unchanged from its definition in the Base-PP; the only change required by this PP-Module is how to interpret it in the context of Bluetooth capabilities. |
| Additional SFRs | |
| FMT_MOF_EXT.1/BT | The ST author is required to associate all claimed management functions with the administrative privileges required to execute them. This PP-Module simply extends this requirement to apply to the management functions added and mandated by the PP-Module. |
| FMT_SMF_EXT.1/BT | The ST author is required to include an optional management function defined in the Base-PP that relates to Bluetooth, and to include additional management functions in this SFR based on the Bluetooth capability defined by the PP-Module. |
| Mandatory SFRs | |
| FAU_GEN.1/BT | The PP-Module defines auditable events for Bluetooth that extend the audit functionality defined in each Base-PP. |
| FCS_CKM_EXT.8 | |
| FIA_BLT_EXT.1 | |
| FIA_BLT_EXT.2 | |
| FIA_BLT_EXT.3 | |
| FIA_BLT_EXT.4 | |
| FIA_BLT_EXT.6 | |
| FIA_BLT_EXT.7 | |
| FTP_BLT_EXT.1 | |
| FTP_BLT_EXT.2 | |
| FTP_BLT_EXT.3/BR | |
| Optional SFRs | |
| This PP-Module does not define any Optional requirements. | |
| Selection-based SFRs | |
| FTP_BLT_EXT.3/LE | |
| Objective SFRs | |
| FIA_BLT_EXT.5 | |
| Implementation-based SFRs | |
| This PP-Module does not define any Implementation-based requirements. | |
Appendix A - Optional SFRs

A.1 Strictly Optional Requirements
This PP-Module does not define any Strictly Optional SFRs.

A.2 Objective Requirements

A.2.1 Identification and Authentication

FIA_BLT_EXT.5 Bluetooth Secure Connections

FIA_BLT_EXT.5.1
The TOE shall support Secure Connections Only mode for Bluetooth BR/EDR and [selection: Bluetooth LE, no other Bluetooth protocol].

Application Note: The specification states that Secure Connections Only Mode, also called "FIPS Mode," should be used when security is more important than backwards compatibility. From the specification, "The Host will enforce that the P-256 elliptic curve is used during pairing; the secure authentication sequences are used; and AES-CCM is used for encryption." Also, "if a BR/EDR/LE device is configured in Secure Connections Only Mode, then a transport will only be used when Secure Connections is supported by both devices."

Evaluation Activities

FIA_BLT_EXT.5
TSS
The evaluator shall ensure that the TSS describes support for Secure Connections Only mode for BR/EDR and, if supported, Bluetooth LE.
Guidance
The evaluator shall ensure that the guidance includes instructions on how to place the TOE into Secure Connections Only mode for BR/EDR and, if supported, Bluetooth LE.
Tests
The evaluator shall perform the following tests, once for BR/EDR and once for LE (if applicable):
Test 1: The evaluator shall place the TOE into Secure Connections Only mode. The evaluator shall then attempt a pairing to a remote device that does not support Secure Connections Only mode and verify that the attempt fails.
Test 2: The evaluator shall place the TOE into Secure Connections Only mode. The evaluator shall attempt a pairing to a remote device that supports Secure Connections Only mode and has it enabled. The evaluator shall verify that the pairing attempt succeeds. The evaluator shall also use a Bluetooth packet sniffer to verify that the parameters of the pairing and encryption are consistent with Secure Connections.

A.3 Implementation-based Requirements
This PP-Module does not define any Implementation-based SFRs.
Appendix B - Selection-based Requirements

B.1 Trusted Path/Channels

FTP_BLT_EXT.3/LE Bluetooth Encryption Parameters (LE)
The inclusion of this selection-based component depends upon selection in FTP_BLT_EXT.1.1.

FTP_BLT_EXT.3.1/LE
The TSF shall set the minimum encryption key size to [assignment: key size larger than or equal to 128 bits] for [LE] and not negotiate encryption key sizes smaller than the minimum size.

Application Note: The TOE must implement encryption for Bluetooth BR/EDR as required by FTP_BLT_EXT.1.1. A conformant TOE does not need to support Bluetooth LE; however, if it does, then it must also support encryption for it. FTP_BLT_EXT.3/LE must therefore be claimed if 'LE' is selected in FTP_BLT_EXT.1.1.

Evaluation Activities

FTP_BLT_EXT.3/LE
TSS
The evaluator shall examine the TSS and verify that it specifies the minimum key size for LE encryption, whether this value is configurable, and the mechanism by which the TOE will not negotiate key sizes smaller than the minimum.
Guidance
The evaluator shall verify that the guidance includes instructions on how to configure the minimum encryption key size for LE encryption, if configurable.
Tests
The evaluator shall perform the following tests:
Test 1: The evaluator shall perform the following steps using a Bluetooth protocol analyzer to observe packets pertaining to the encryption key size:
Step 1: Initiate LE pairing with the TOE from a remote Bluetooth device that has been configured to have a minimum encryption key size that is equal to or greater than that of the TOE. This can be done using certain commercially-available tools that can send the appropriate command to certain commercially-available Bluetooth controllers.
Step 2: Use a Bluetooth packet sniffer to verify that the encryption key size negotiated for the connection is at least as large as the minimum encryption key size defined for the TOE.
Test 2 (conditional): If the encryption key size is configurable, configure the TOE to support a different minimum key size, then repeat Test 1 and verify that the negotiated key size is at least as large as the new minimum value.
Test 3: The evaluator shall perform the following steps using a Bluetooth protocol analyzer to observe packets pertaining to the encryption key size:
Step 1: Initiate LE pairing with the TOE from a remote Bluetooth device that has been configured to have a maximum encryption key size of 1 byte. This can be done using certain commercially-available tools that can send the appropriate command to certain commercially-available Bluetooth controllers.
Step 2: Verify that the encryption key size suggested by the remote device is not accepted by the TOE and that the connection is not completed.
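Both the FIA_BLT_EXT.5 tests (Appendix A.2.1) and the FTP_BLT_EXT.3/LE tests above come down to what the TOE does with the remote side's SMP Pairing Request: whether the remote has set the Secure Connections flag, and what maximum encryption key size it offers. The Python below is an added example, not code from the PP-Module, NIAP, or any Bluetooth stack. It parses the Pairing Request field layout from the Bluetooth Core Specification and applies a TOE-side policy that refuses pairing when Secure Connections Only mode is on and the remote lacks the SC flag, and that refuses, rather than negotiates, any encryption key size below the configured minimum. The names `LocalPolicy`, `evaluate_pairing_request` and `run_evaluation_cases`, and the sample PDUs, are assumptions made for this illustration.

```python
"""LE pairing-request policy gate modelling FIA_BLT_EXT.5 (Secure Connections
Only mode) and FTP_BLT_EXT.3/LE (minimum encryption key size).

Added illustration, not code from the PP-Module or any Bluetooth stack.
The field layout follows the SMP Pairing Request PDU of the Bluetooth Core
Specification; the policy object, function names and sample PDUs are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

SMP_PAIRING_REQUEST = 0x01   # SMP opcode
AUTHREQ_SC = 0x08            # AuthReq bit 3: Secure Connections supported
SPEC_MAX_KEY_BYTES = 16      # LE long-term key is at most 128 bits


@dataclass(frozen=True)
class PairingRequest:
    io_capability: int
    oob_data_flag: int
    auth_req: int
    max_enc_key_size: int      # bytes offered by the remote, spec range 7..16
    initiator_key_dist: int
    responder_key_dist: int

    @property
    def secure_connections(self) -> bool:
        return bool(self.auth_req & AUTHREQ_SC)


def parse_pairing_request(pdu: bytes) -> PairingRequest:
    """Parse the 7-octet SMP Pairing Request PDU (opcode + six 1-octet fields)."""
    if len(pdu) != 7 or pdu[0] != SMP_PAIRING_REQUEST:
        raise ValueError("not an SMP Pairing Request PDU")
    return PairingRequest(*pdu[1:])


@dataclass(frozen=True)
class LocalPolicy:
    """TOE-side configuration (assumed names, not from the PP-Module)."""
    secure_connections_only: bool   # FIA_BLT_EXT.5: SC Only mode enabled
    min_enc_key_bits: int           # FTP_BLT_EXT.3.1/LE assignment, >= 128
    local_max_key_bytes: int = SPEC_MAX_KEY_BYTES

    def __post_init__(self) -> None:
        if self.min_enc_key_bits < 128:
            raise ValueError("FTP_BLT_EXT.3.1/LE requires a minimum of at least 128 bits")


def evaluate_pairing_request(req: PairingRequest, policy: LocalPolicy) -> Tuple[bool, int, str]:
    """Decide whether the TOE may continue pairing.

    Returns (accept, negotiated_key_bits, reason). The negotiated key size is
    the smaller of the two sides' maximums, as in SMP key size negotiation;
    anything below the configured minimum is refused rather than negotiated.
    """
    if policy.secure_connections_only and not req.secure_connections:
        return False, 0, "reject: remote does not support Secure Connections (FIA_BLT_EXT.5)"
    if not 1 <= req.max_enc_key_size <= SPEC_MAX_KEY_BYTES:
        return False, 0, "reject: malformed maximum encryption key size"
    negotiated_bits = 8 * min(policy.local_max_key_bytes, req.max_enc_key_size)
    if negotiated_bits < policy.min_enc_key_bits:
        return False, 0, (f"reject: negotiated key size {negotiated_bits} bits is below the "
                          f"{policy.min_enc_key_bits}-bit minimum (FTP_BLT_EXT.3/LE)")
    return True, negotiated_bits, "accept"


# Constructed sample PDUs mirroring the evaluation tests
# (opcode, IO cap, OOB, AuthReq, MaxKeySize, InitKeyDist, RespKeyDist).
PDU_SC_16_BYTES = bytes([0x01, 0x03, 0x00, 0x0D, 0x10, 0x01, 0x01])      # SC + bonding + MITM, 128-bit key
PDU_LEGACY_16_BYTES = bytes([0x01, 0x03, 0x00, 0x05, 0x10, 0x01, 0x01])  # AuthReq without the SC bit
PDU_SC_15_BYTES = bytes([0x01, 0x03, 0x00, 0x0D, 0x0F, 0x01, 0x01])      # spec-legal 120-bit offer
PDU_SC_1_BYTE = bytes([0x01, 0x03, 0x00, 0x0D, 0x01, 0x01, 0x01])        # Test 3: 1-byte key offer


def run_evaluation_cases(policy: LocalPolicy) -> Dict[str, Tuple[bool, int, str]]:
    """Apply the policy to each constructed sample; decisions keyed by case name."""
    cases = {
        "sc_16": PDU_SC_16_BYTES,
        "legacy_16": PDU_LEGACY_16_BYTES,
        "sc_15": PDU_SC_15_BYTES,
        "sc_1": PDU_SC_1_BYTE,
    }
    return {name: evaluate_pairing_request(parse_pairing_request(pdu), policy)
            for name, pdu in cases.items()}


if __name__ == "__main__":
    strict = LocalPolicy(secure_connections_only=True, min_enc_key_bits=128)
    for name, (accept, bits, reason) in run_evaluation_cases(strict).items():
        print(f"{name:10s} accept={accept} key_bits={bits} {reason}")
```

The `sc_15` case is the one worth noting for the TSS: a 15-byte offer is legal under the specification, so a stack that simply takes the smaller of the two maximums would settle on 120 bits; a TOE claiming a 128-bit minimum has to refuse it, which is the "mechanism by which the TOE will not negotiate key sizes smaller than the minimum" the TSS activity asks the evaluator to find.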
Appendix C - Extended Component Definitions
This appendix contains the definitions for all extended requirements specified in the Module.

C.1 Extended Components Table
All extended components specified in the Module are listed in this table:

Table 4: Extended Component Definitions
Functional Class | Functional Components
Cryptographic Support (FCS) | FCS_CKM_EXT Cryptographic Key Management
Identification and Authentication (FIA) | FIA_BLT_EXT Bluetooth Pairing
Trusted Path/Channels (FTP) | FTP_BLT_EXT Bluetooth Trusted Communications

C.2 Extended Component Definitions

C.2.1 Cryptographic Support (FCS)
This Module defines the following extended components as part of the FCS class originally defined by CC Part 2:

C.2.1.1 FCS_CKM_EXT Cryptographic Key Management

Family Behavior
Components in this family define requirements for cryptographic key management beyond those which are specified in the Part 2 family FCS_CKM.

Component Leveling
FCS_CKM_EXT: 8

FCS_CKM_EXT.8, Bluetooth Key Generation, requires the TSF to generate key pairs used for Bluetooth over a specified time period or in response to some observed event.

Management: FCS_CKM_EXT.8
No specific management functions are identified.

Audit: FCS_CKM_EXT.8
There are no auditable events foreseen.

FCS_CKM_EXT.8 Bluetooth Key Generation
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation, FPT_STM.1 Reliable Time Stamps, FTP_BLT_EXT.1 Bluetooth Encryption

FCS_CKM_EXT.8.1
The TSF shall generate public/private ECDH key pairs every [assignment: frequency of and/or criteria for new key pair generation].
C.2.2 Identification and Authentication (FIA)
This Module defines the following extended components as part of the FIA class originally defined by CC Part 2:

C.2.2.1 FIA_BLT_EXT Bluetooth Pairing

Family Behavior
Components in this family define Bluetooth-specific identification and authentication requirements.

Component Leveling
FIA_BLT_EXT: 1, 2, 3, 4, 6, 7, 5

FIA_BLT_EXT.1, Bluetooth User Authorization, requires the TSF to have explicit user authorization before allowing a Bluetooth pairing.
FIA_BLT_EXT.2, Bluetooth Mutual Authentication, requires the TSF to enforce mutual authentication for Bluetooth.
FIA_BLT_EXT.3, Rejection of Duplicate Bluetooth Connections, requires the TSF to reject duplicate attempts to connect to Bluetooth.
FIA_BLT_EXT.4, Secure Simple Pairing, requires the TSF to support Secure Simple Pairing.
FIA_BLT_EXT.6, Trusted Bluetooth Device User Authorization, requires the TSF to have explicit user authentication before associating trusted services with Bluetooth.
FIA_BLT_EXT.7, Untrusted Bluetooth Device User Authorization, requires the TSF to have explicit user authentication before associating untrusted services with Bluetooth.
FIA_BLT_EXT.5, Bluetooth Secure Connections, requires the TSF to support Secure Connections Only mode.

Management: FIA_BLT_EXT.1
No specific management functions are identified.

Audit: FIA_BLT_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
    Failed user authorization of Bluetooth device.
    Failed user authorization for local Bluetooth device.

FIA_BLT_EXT.1 Bluetooth User Authorization
Hierarchical to: No other components.
Dependencies to: No dependencies.

FIA_BLT_EXT.1.1
The TSF shall require explicit user authorization before pairing with a remote Bluetooth device.

Management: FIA_BLT_EXT.2
No specific management functions are identified.

Audit: FIA_BLT_EXT.2
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
    Initiation of Bluetooth connection.
    Failure of Bluetooth connection.

FIA_BLT_EXT.2 Bluetooth Mutual Authentication
Hierarchical to: No other components.
Dependencies to: FIA_BLT_EXT.1 Bluetooth User Authorization

FIA_BLT_EXT.2.1
The TSF shall require Bluetooth mutual authentication between devices prior to any data transfer over the Bluetooth link.

Management: FIA_BLT_EXT.3
No specific management functions are identified.

Audit: FIA_BLT_EXT.3
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
    Duplicate connection attempt.

FIA_BLT_EXT.3 Rejection of Duplicate Bluetooth Connections
Hierarchical to: No other components.
Dependencies to: FIA_BLT_EXT.1 Bluetooth User Authorization

FIA_BLT_EXT.3.1
The TSF shall discard pairing and session initialization attempts from a Bluetooth device address (BD_ADDR) to which an active session already exists.

Management: FIA_BLT_EXT.4
No specific management functions are identified.

Audit: FIA_BLT_EXT.4
There are no auditable events foreseen.

FIA_BLT_EXT.4 Secure Simple Pairing
Hierarchical to: No other components.
Dependencies to: FIA_BLT_EXT.1 Bluetooth User Authorization

FIA_BLT_EXT.4.1
The TOE shall support Bluetooth Secure Simple Pairing, both in the host and the controller.

FIA_BLT_EXT.4.2
The TOE shall support Secure Simple Pairing during the pairing process.

Management: FIA_BLT_EXT.6
The following actions could be considered for the management functions in FMT:
    Ability to specify the services that require explicit user authorization before trusted devices can use them.

Audit: FIA_BLT_EXT.6
There are no auditable events foreseen.

FIA_BLT_EXT.6 Trusted Bluetooth Device User Authorization
Hierarchical to: No other components.
Dependencies to: FIA_BLT_EXT.1 Bluetooth User Authorization

FIA_BLT_EXT.6.1
The TSF shall require explicit user authorization before granting trusted remote devices access to services associated with the following Bluetooth profiles: [assignment: list of Bluetooth profiles].

Management: FIA_BLT_EXT.7
The following actions could be considered for the management functions in FMT:
    Ability to specify the services that require explicit user authorization before untrusted devices can use them.

Audit: FIA_BLT_EXT.7
There are no auditable events foreseen.

FIA_BLT_EXT.7 Untrusted Bluetooth Device User Authorization
Hierarchical to: No other components.
Dependencies to: FIA_BLT_EXT.1 Bluetooth User Authorization

FIA_BLT_EXT.7.1
The TSF shall require explicit user authorization before granting untrusted remote devices access to services associated with the following Bluetooth profiles: [assignment: list of Bluetooth profiles].

Management: FIA_BLT_EXT.5
No specific management functions are identified.

Audit: FIA_BLT_EXT.5
There are no auditable events foreseen.

FIA_BLT_EXT.5 Bluetooth Secure Connections
Hierarchical to: No other components.
Dependencies to: FIA_BLT_EXT.1 Bluetooth User Authorization

FIA_BLT_EXT.5.1
The TOE shall support Secure Connections Only mode for Bluetooth BR/EDR and [selection: Bluetooth LE, no other Bluetooth protocol].
C.2.3 Trusted Path/Channels (FTP)
This Module defines the following extended components as part of the FTP class originally defined by CC Part 2:

C.2.3.1 FTP_BLT_EXT Bluetooth Trusted Communications

Family Behavior
Components in this family define requirements for Bluetooth encryption.

Component Leveling
FTP_BLT_EXT: 1, 2, 3

FTP_BLT_EXT.1, Bluetooth Encryption, requires the TSF to enforce encryption when transmitting over Bluetooth.
FTP_BLT_EXT.2, Persistence of Bluetooth Encryption, requires the TSF to ensure encryption for the duration of the use of the Bluetooth channel.
FTP_BLT_EXT.3, Bluetooth Encryption Parameters, specifies the key sizes used for Bluetooth.

Management: FTP_BLT_EXT.1
No specific management functions are identified.

Audit: FTP_BLT_EXT.1
There are no auditable events foreseen.

FTP_BLT_EXT.1 Bluetooth Encryption
Hierarchical to: No other components.
Dependencies to: FCS_CKM_EXT.8 Bluetooth Key Generation, FIA_BLT_EXT.1 Bluetooth User Authorization

FTP_BLT_EXT.1.1
The TSF shall enforce the use of encryption when transmitting data over the Bluetooth trusted channel for BR/EDR and [assignment: list of other connection modes].

FTP_BLT_EXT.1.2
The TSF shall use key pairs per FCS_CKM_EXT.8 for Bluetooth encryption.

Management: FTP_BLT_EXT.2
No specific management functions are identified.

Audit: FTP_BLT_EXT.2
There are no auditable events foreseen.

FTP_BLT_EXT.2 Persistence of Bluetooth Encryption
Hierarchical to: No other components.
Dependencies to: FTP_BLT_EXT.1 Bluetooth Encryption

FTP_BLT_EXT.2.1
The TSF shall [selection: restart encryption, terminate the connection] if the remote device stops encryption while connected to the TOE.
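FTP_BLT_EXT.1.1 and FTP_BLT_EXT.2.1 together describe a small piece of link state: user data may only go out while the link is encrypted, and when the remote switches encryption off mid-connection the TOE must either restart encryption or drop the link. The Python below is an added example, not code from the PP-Module or any Bluetooth stack, showing how a host could track that state from HCI Encryption Change events (event code 0x08 with status, connection handle and encryption-enabled parameters, as defined in the Bluetooth Core Specification). The `LinkMonitor` class, the `replay` helper and the event trace are assumptions constructed for this illustration; the selection string passed in mirrors the two choices in FTP_BLT_EXT.2.1.

```python
"""Link-encryption monitor modelling FTP_BLT_EXT.1.1 (send only on an
encrypted Bluetooth trusted channel) and FTP_BLT_EXT.2.1 (react when the
remote stops encryption).

Added illustration; not code from the PP-Module or any Bluetooth stack.
Event framing follows the HCI Encryption Change event (code 0x08: status,
connection handle, encryption enabled); class and function names and the
event trace are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HCI_EVT_ENCRYPTION_CHANGE = 0x08
ENC_OFF, ENC_ON = 0x00, 0x01
RESTART, TERMINATE = "restart encryption", "terminate the connection"  # FTP_BLT_EXT.2.1 selection


@dataclass
class LinkMonitor:
    on_encryption_stop: str                                   # RESTART or TERMINATE
    encrypted: Dict[int, bool] = field(default_factory=dict)  # connection handle -> state
    actions: List[str] = field(default_factory=list)          # audit-style trail of decisions

    def handle_hci_event(self, evt: bytes) -> None:
        """Consume one HCI event packet: event code, parameter length, parameters."""
        if len(evt) < 2 or evt[0] != HCI_EVT_ENCRYPTION_CHANGE or evt[1] != 4:
            return                                            # other events are out of scope here
        status, handle, enabled = evt[2], int.from_bytes(evt[3:5], "little"), evt[5]
        if status != 0x00:
            # A failed encryption change leaves the link in an unknown state: drop it.
            self.actions.append(f"handle {handle:#06x}: encryption change failed, status {status:#04x}")
            self._terminate(handle)
            return
        was_encrypted = self.encrypted.get(handle, False)
        self.encrypted[handle] = enabled == ENC_ON
        if was_encrypted and enabled == ENC_OFF:
            # Remote stopped encryption mid-connection: apply the claimed selection.
            if self.on_encryption_stop == RESTART:
                self.actions.append(f"handle {handle:#06x}: encryption stopped, requesting restart")
            else:
                self.actions.append(f"handle {handle:#06x}: encryption stopped, terminating")
                self._terminate(handle)

    def _terminate(self, handle: int) -> None:
        self.encrypted.pop(handle, None)
        self.actions.append(f"handle {handle:#06x}: disconnect")

    def may_transmit(self, handle: int) -> bool:
        """FTP_BLT_EXT.1.1: user data leaves only on a link currently encrypted."""
        return self.encrypted.get(handle, False)


def encryption_change(handle: int, enabled: int, status: int = 0x00) -> bytes:
    """Build a constructed HCI Encryption Change event packet."""
    return bytes([HCI_EVT_ENCRYPTION_CHANGE, 0x04, status]) + handle.to_bytes(2, "little") + bytes([enabled])


# Constructed trace: two links come up encrypted, then the peer on 0x0040 turns encryption off.
CONSTRUCTED_TRACE = [
    encryption_change(0x0040, ENC_ON),
    encryption_change(0x0041, ENC_ON),
    encryption_change(0x0040, ENC_OFF),
]


def replay(selection: str) -> Tuple[Dict[int, bool], List[str]]:
    """Run the trace through a monitor configured with one FTP_BLT_EXT.2.1 selection."""
    monitor = LinkMonitor(on_encryption_stop=selection)
    for evt in CONSTRUCTED_TRACE:
        monitor.handle_hci_event(evt)
    return dict(monitor.encrypted), list(monitor.actions)


if __name__ == "__main__":
    for choice in (RESTART, TERMINATE):
        state, trail = replay(choice)
        print(choice, state, *trail, sep="\n  ")
```

Under either selection `may_transmit(0x0040)` is false once the peer stops encryption: with "restart encryption" the link stays up but stays closed to data until a fresh Encryption Change event reports it encrypted again, which is what keeps FTP_BLT_EXT.1.1 intact while FTP_BLT_EXT.2.1 is being satisfied.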
Management: FTP_BLT_EXT.3
The following actions could be considered for the management functions in FMT:
    Specification of minimum encryption key size.

Audit: FTP_BLT_EXT.3
There are no auditable events foreseen.

FTP_BLT_EXT.3 Bluetooth Encryption Parameters
Hierarchical to: No other components.
Dependencies to: FTP_BLT_EXT.1 Bluetooth Encryption

FTP_BLT_EXT.3.1
The TSF shall set the minimum encryption key size to [assignment: key size larger than or equal to 128 bits] for [assignment: Bluetooth protocol].
Appendix D - Implicitly Satisfied Requirements
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. However, these requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components. This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.

Requirement | Rationale for Satisfaction
FCS_CKM.1 - Cryptographic Key Generation | FCS_CKM_EXT.8 has a dependency on FCS_CKM.1 for the generation of ECDH key pairs. This dependency is implicitly satisfied in this PP-Module because both Base-PPs the PP-Module is intended to extend define this SFR and specify ECDH key generation as a required capability of the TOE. Therefore, a conformant TOE will always have this capability.
FPT_STM.1 - Reliable Time Stamps | FCS_CKM_EXT.8 has a dependency on FPT_STM.1 because key generation may be triggered by a given time period elapsing. When the TOE claims conformance to [MDF], this dependency is satisfied explicitly through the Base-PP's definition of FPT_STM.1. When the TOE claims conformance to [GPOS], this dependency is satisfied implicitly through that PP's A.PLATFORM assumption of a trustworthy computing platform, which can be reasonably assumed to include a hardware real-time clock.
Appendix E - Entropy Documentation and Assessment
The TOE does not require any additional supplementary information to describe its entropy sources beyond the requirements outlined in the Base-PPs.

Appendix F - Acronyms

Acronym | Meaning
ACL | Asynchronous Connection-Less
AES | Advanced Encryption Standard
AES-CCM | AES Counter with CBC-MAC Mode
AFH | Adaptive Frequency Hopping
API | Application Programming Interface
BR | Basic Rate
Base-PP | Base Protection Profile
CC | Common Criteria
CEM | Common Evaluation Methodology
ECDH | Elliptic Curve Diffie-Hellman
EDR | Enhanced Data Rate
EP | Extended Package
FP | Functional Package
FTP | File Transfer Protocol
HCI | Host Controller Interface
L2CAP | Logical Link Control and Adaptation Protocol
LE | Low Energy
LMP | Link Manager Protocol
MDF | Mobile Device Fundamentals
OBEX | Object Exchange
OE | Operational Environment
PP | Protection Profile
PP-Configuration | Protection Profile Configuration
PP-Module | Protection Profile Module
SAR | Security Assurance Requirement
SFR | Security Functional Requirement
ST | Security Target
TOE | Target of Evaluation
TSF | TOE Security Functionality
TSFI | TSF Interface
TSS | TOE Summary Specification
cPP | Collaborative Protection Profile
Appendix G - Bibliography

Identifier | Title
[Bluetooth] | Bluetooth Core Specifications, version 5.2; December 2019.
[CC] | Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and General Model, CCMB-2017-04-001, Version 3.1 Revision 5, April 2017. Part 2: Security Functional Components, CCMB-2017-04-002, Version 3.1 Revision 5, April 2017. Part 3: Security Assurance Components, CCMB-2017-04-003, Version 3.1 Revision 5, April 2017.
[CEM] | Common Evaluation Methodology for Information Technology Security - Evaluation Methodology, CCMB-2017-04-004, Version 3.1 Revision 5, April 2017.
[GPOS] | Protection Profile for General Purpose Operating Systems, Version 4.2.1, April 22, 2019.
[MDF] | Protection Profile for Mobile Device Fundamentals, Version 3.2, April 15, 2021.