Version | Date | Comment |
---|---|---|
1.1 | 2022-11-17 | Updates to reflect Github conversion, compatibility with CPP_ND_V2.2E, and Technical Decisions applied to version 1.0 |
1.0 | 2019-08-23 | Update release |
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Attribute | A characterization of an entity (monitored client or the server requested by a monitored client) used in the TLS session establishment policy or the plaintext processing policy implemented by the TOE that describes the entity. Common attributes include IP address, name, and certificates associated to an entity. |
Block operation | A high-level operation of the TLS session establishment policy implemented by the TOE that prevents TLS sessions between a monitored client and the server requested by the client. |
Bypass operation | A high-level operation of the TLS session establishment policy implemented by the TOE that allows a TLS session between a monitored client and the server requested by the client. Alternatively, an operation of the plaintext processing policy implemented by the TOE to bypass certain inspection processing functional components for plaintext data flows established under the SSL/TLS session establishment policy. |
Inspect operation | A high-level operation of the TLS session establishment policy implemented by the TOE that establishes a TLS session thread between a monitored client and a server requested by the monitored client in order to provide security services on the underlying plaintext application data. |
Inspection processing functional components | A discrete set of security functions implemented within a single logical component, internal or external to the TOE that provides security services based on a plaintext data flow controlled by the TOE intended to protect a monitored client from defined security threats, or to enforce a defined policy regarding the servers allowed to be accessed by monitored clients. |
Monitored Client | A TLS client that uses the TOE as an SSL/TLS Inspection Proxy. This device requires a trust anchor to be installed for the internal CA of the TOE, and makes SSL/TLS requests for services external to the enclave. This client makes SSL/TLS requests to a “requested server” through the TOE. |
Requested Server | The target of an SSL/TLS request by a monitored client through the TOE. It is typically a service provider for clients using SSL/TLS. If mutual authentication is to be supported, this device requires a trust anchor to be installed for the internal CA of the TOE. |
Secure Sockets Layer/Transport Layer Security (SSL/TLS) | A set of security protocols defined by IETF RFCs to establish a secure point-to-point channel between a client and a server. The secure channel provides confidentiality, integrity and proof of origin to plaintext application data transferred between the client and server. SSL refers to early implementations of the SSL/TLS protocols that are deprecated. TLS refers to current versions of the SSL/TLS protocol. |
TLS messages | Specific messages defined by TLS protocol standards. The TLS messages addressed in this PP-Module include TLS handshake messages: Client Hello, Server Hello, Server Certificate, Server Key Exchange, Client Key Exchange, Certificate Request, Client Certificate, Client Certificate Verify, Server Finished and Client Finished messages. |
TLS session parameters | The parameters of a TLS session established by the TOE for protecting thru-traffic, minimally to include: the negotiated version, negotiated cipher suite, the size of any key exchange values sent or received in key exchange messages, the server certificate received, (a reference to) the server certificate sent, the client certificate received, (a reference to) the client certificate sent, and other negotiated values determined by the TLS handshake that are not fixed for all TLS sessions established. |
TLS session thread | A connection negotiated by the TOE consisting of a TLS secure point-to-point channel between a monitored client and the TOE, a TLS secure point-to-point channel between the TOE and the requested server, and any traffic flow containing the underlying application plaintext decrypted from one of the SSL/TLS channels, that is transferred within or between inspection processing functional components controlled by the TOE. |
Requirements in this PP-Module are designed to address the security problem in the following use cases. The description of these use cases provide instructions for how the TOE and its OE should be made to support the functionality required by this PP-Module.
This PP-Module permits the inspection of mutually-authenticated TLS sessions between monitored clients and requested servers via exception processing. However, as a best practice, it is recommended instead that this behavior be handled as part of the TLS Inspection Bypass and/or TLS Session Blocking functionality. If the TOE provides inspection processing for mutually authenticated traffic, the ST must claim these optional SFRs.
This PP-Module does not specify routing policies for non-TLS traffic and exception processing should not be used to address functionality otherwise included in the collaborative Protection Profile Module for Stateful Traffic Filter Firewalls.
The TOE functions as a TLS forward proxy for the following operations:
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
All security objectives for the operational environment of the Base-PP also apply to this PP-Module.
OE.NO_THRU_TRAFFIC_PROTECTION is still operative, but only for the interfaces in the TOE that are defined by the Base-PP and not the PP-Module.
OE.RESIDUAL_INFORMATION is still operative, but the residual information is expanded to include information relevant to STIP operation (e.g. decrypted SSL/TLS payload, ephemeral keys).
OE.TRUSTED_ADMIN is still operative, but this PP-Module also allows for the enforcement of administrative role separation, which can be used to limit the impact of malicious use of the TOE.
Threat, Assumption, or OSP | Security Objectives | Rationale |
T.UNTRUSTED_COMMUNICATION | O.PROTECTED_COMMUNICATIONS | Data traversing the TOE is subject to authenticity and integrity verification. |
T.AUDIT | O.AUDIT_LOSS_RESPONSE | The TOE provides mechanisms to deal with audit trails being unavailable. |
O.SYSTEM_MONITORING | Audit records contain the information necessary to determine cause for concerns. | |
OE.AUDIT | Storage within an external audit server provides increased record capacity. | |
OE.CERT_REPOSITORY | The certificate repository provides a comprehensive set of certificates generated by the TOE that can be searched. | |
OE.CERT_REPOSITORY_SEARCH | Ability to search the audit trail for certificate related events provides confidence in certificate validity and proper use. | |
T.UNAUTHORIZED_USERS | O.TOE_ADMINISTRATION | Use of role separation and authentication mechanisms ensure that only authorized users can access the TOE. |
T.CREDENTIALS | O.CERTIFICATES | The TOE tracks certificates, certificate revocation lists, and certificate status information used by the TSF. |
O.PERSISTENT_KEY_PROTECTION | Keys stored on the TOE are protected from unauthorized use and disclosure. | |
OE.CERT_REPOSITORY | A certificate repository for all certificates issued by the TOE is provided, making verification straightforward. | |
T.SERVICES | O.CERTIFICATES | The TOE verifies certificates, certificate revocation lists, and certificate status information prior to any use. |
O.PROTECTED_COMMUNICATIONS | Data traversing the TOE is subject to authenticity, confidentiality, and integrity verification. | |
O.TOE_ADMINISTRATION | Use of role separation and authentication mechanisms mitigates the risk of misuse and improper disclosure. | |
OE.TRUSTED_ADMIN | Granting TOE access only to trusted administrators mitigates the threat of careless or malicious manipulation of the TSF. | |
T.DEVICE_FAILURE | O.CERTIFICATES | The TOE verifies certificates, certificate revocation lists, and certificate status information are valid. |
O.INTEGRITY_PROTECTION | Software, TSF, and user data are protected via integrity mechanisms. | |
O.PERSISTENT_KEY_PROTECTION | Keys stored on the TOE are protected from unauthorized use and disclosure. | |
O.RECOVERY | Administrators have the ability to restore the TOE to a previous (known-good) state. | |
T.UNAUTHORIZED_DISCLOSURE | O.PROTECTED_COMMUNICATIONS | Data traversing the TOE is subject to authenticity, confidentiality, and integrity verification. |
O.TOE_ADMINISTRATION | Use of role separation and authentication mechanisms mitigates the risk of misuse and ensures the device is properly managed. | |
T.INAPPROPRIATE_ACCESS | O.RESIDUAL_INFORMATION_CLEARING | The TOE’s lack of residual data retention ensures that unauthorized access to information is not possible. |
O.TOE_ADMINISTRATION | Use of role separation and authentication mechanisms mitigates the risk of misuse and improper disclosure. | |
O.TRAFFIC_MONITORING | Enforcement of policies for traffic monitoring ensure that unauthorized data is not subject to transmission through the TOE. | |
P.AUTHORIZATION_TO_INSPECT | O.DISPLAY_BANNER | The TOEs advisory warning includes consent to monitor. |
O.PROTECTED_COMMUNICATIONS | The TSF ensures that data traversing the TOE boundary is protected, alleviating concerns about inspection. | |
O.TOE_ADMINISTRATION | Administrator roles provide separation of activities and ensure inspection is authorized and performed properly. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_GCR_EXT.1 | ||
No events specified | N/A | |
FAU_STG.4 | ||
No events specified | N/A | |
FCS_COP.1/STIP | ||
No events specified | N/A | |
FCS_STG_EXT.1 | ||
No events specified | N/A | |
FCS_TTTC_EXT.1 | ||
Establishment of TLS session | TLS session parameters | |
FCS_TTTC_EXT.5 | ||
No events specified | N/A | |
FCS_TTTS_EXT.1 | ||
Establishment of TLS session | TLS session parameters | |
FDP_CER_EXT.1 | ||
No events specified | N/A | |
FDP_CER_EXT.2 | ||
Linking of issued certificate to validated certificate |
Success: [selection: issued certificate value, issued certificate object identifier ], [selection: validated certificate value, validated certificate object identifier ] Failure: reason for failure | |
FDP_CER_EXT.3 | ||
Certificate generation | Success: [selection: certificate value, certificate object identifier ] | |
FDP_CSIR_EXT.1 | ||
No events specified | N/A | |
FDP_PPP_EXT.1 | ||
Configuration changes to the plaintext processing policy | N/A | |
FDP_PRC_EXT.1 | ||
Plaintext routed to inspection processing functional component | TLS session thread identifier, [assignment: processing element identifier] | |
FDP_RIP.1 | ||
No events specified | N/A | |
FDP_STG_EXT.1 | ||
No events specified | N/A | |
FDP_STIP_EXT.1 | ||
Establishment of a TLS inspection session thread | [assignment: TLS session thread attributes], [assignment: client attributes], and [assignment: server attributes] associated with the thread | |
Establishment of an encrypted TLS data flow | [assignment: Encrypted TLS data flow attributes] | |
Bypass operation invoked | TLS session thread identifier, identifier(s) of processing element(s) bypassed, reason for bypass | |
Block operation invoked | TLS session thread identifier, reason for blocking | |
FDP_TEP_EXT.1 | ||
Mutual authentication authorized | [assignment: client attributes obtained from the validated client certificate] | |
FIA_ENR_EXT.1 | ||
No events specified | N/A | |
FIA_X509_EXT.1/STIP | ||
No events specified | N/A | |
FIA_X509_EXT.2/STIP | ||
No events specified | N/A | |
FMT_MOF.1/STIP | ||
No events specified | N/A | |
FMT_SMF.1/STIP | ||
No events specified | N/A | |
FPT_FLS.1 | ||
Indication of failures under this requirement | Indication that the TSF has failed with the type of failure that occurred | |
FPT_KST_EXT.1 | ||
No events specified | N/A | |
FPT_KST_EXT.2 | ||
All attempts to use the TOE's embedded CA's private signing key and [selection: [assignment: other secret and private keys], no other secret and private keys ] | Identifier of user or process that attempted access | |
FPT_RCV.1 | ||
The fact that a failure or service discontinuity occurred | N/A | |
Resumption of regular operation | TSF failure types that are available on recovery |
keyUsage | extendedKeyUsage |
---|---|
digitalSignature | serverAuth |
digitalSignature, keyEncipherment | serverAuth |
digitalSignature,keyAgreement | serverAuth |
Management Function | Security Administrator | Auditor | Account Manager | CA Operations Staff |
Base-PP Mandatory Management Functions (FMT_SMF.1/STIP) | ||||
Ability to manage user accounts | C | - | CM | - |
Ability to manage remote audit mechanism | M | CM | - | - |
Ability to perform on-demand integrity tests | O | O | O | O |
Ability to import and remove X.509v3 certificates used for STIP into or from the Trust Anchor database | C | - | - | CM |
Ability to configure identifying information for the TOE's embedded CA | C | - | - | CM |
Ability to configure a maximum certificate validity duration | C | - | - | CM |
Ability to manage inspection policy | O | - | - | O |
Ability to configure inspection processing details | O | - | - | O |
Base-PP Selectable Management Functions (FMT_SMF.1/STIP) | ||||
Ability to configure local audit behavior | O | O | - | - |
Ability to configure and manage certificate profiles | C | - | - | CM |
Ability to revoke issued certificates | C | - | - | CM |
Ability to configure certificate status services | C | - | - | CM |
Ability to configure automated process used to approve the revocation of a certificate or information about the revocation of a certificate | C | - | - | CM |
Ability to clear a cache of valid issued certificates | M | - | - | CM |
Ability to configure rules for automated issuance of certificates | C | - | - | CM |
Ability to modify the CRL and/or OCSP configuration | C | - | - | CM |
Ability to import private keys | C | - | - | CM |
Ability to configure the TOE's behavior on validating certificates whose revocation status cannot be determined | M | - | - | CM |
Ability to configure the TOE's behavior when non-supported critical extensions occur in a requested server certificate | C | - | - | CM |
Ability to generate and export PKCS#10 messages | C | - | - | CM |
Ability to configure EST functionality to generate and export EST requests | C | - | - | CM |
Ability to configure TLS error responses for monitored clients | M | - | - | O |
Ability to configure notification and consent message for monitored clients | M | - | - | O |
Ability to configure rules for displaying a notification and consent message for acknowledgement prior to TLS inspection processing | M | - | - | O |
Ability to search the certificate repository | C | CM | - | CM |
This SFR is iterated from the Base-PP to allow for the ability for the STIP functionality to be distributed across multiple administrative roles. If the TOE does not enforce role separation, the ST author selects "no other roles" to indicate that STIP functionality is managed by the same Security Administrator role specified in the Base-PP.
As is the case in the Base-PP, the TOE does not need its roles to have the same names as those defined in this SFR. It is expected that the ST will define the administrative roles and privileges defined by the TSF and map them to the roles listed in this PP-Module.
If “ability to configure local audit storage behavior” is selected in FMT_SMF.1/STIP, the ‘Auditor’ role must be selected here; role separation is required for audit storage functionality.
This PP-Module iterates the SFR defined in the Base-PP to include additional administrative roles. As defined in FMT_MOF.1/STIP, the TSF may provide different privileges to the given roles.
If the TSF supports an Auditor and/or Account Manager role, it is expected that the relevant selections above will be made. It is the intent of this PP-Module that if either or both of these roles are provided, their critical functionality is isolated from any other roles (see FMT_MOF.1/STIP).
The following rationale provides justification for each security objective for the TOE,
showing that the SFRs are suitable to meet and achieve the security objectives:
Objective | Addressed by | Rationale |
---|---|---|
O.AUDIT_LOSS_RESPONSE | FAU_STG.4 | This SFR supports the objective by requiring the TSF to disable the execution of auditable events if the audit trail cannot be written to. |
O.CERTIFICATES | FCS_TLSC_EXT.1 (from Base-PP) | This SFR supports the objective because TLS is a mechanism by which its own certificate data may be obtained from an external CA. |
FCS_TLSC_EXT.2 (from Base-PP) | This SFR supports the objective because mutually-authenticated TLS is a mechanism by which its own certificate data may be obtained from an external CA. | |
FIA_X509_EXT.1/Rev (from Base-PP) | This SFR supports the objective by defining the TOE functionality for certificate validation. | |
FIA_X509_EXT.3 (from Base-PP) | This SFR supports the objective by defining the mechanism by which the TOE generates certificate signing requests, which includes validation of the certificate provided in response. | |
FDP_CER_EXT.1 | This SFR supports the objective by defining the rules the TOE must use to generate and issue proxy TLS server certificates from its internal CA. | |
FDP_CER_EXT.2 | This SFR supports the objective by requiring the TOE to link the certificates presented for TLS connectivity with the certificates it issues from its internal CA. | |
FDP_CER_EXT.3 | This SFR supports the objective by defining the rules for the TOE's issuing of proxy TLS server certificates. | |
FDP_CSIR_EXT.1 | This SFR supports the objective by defining how the TOE can ensure the use of fresh certificates. | |
FIA_ENR_EXT.1 | This SFR supports the objective by defining the mechanism by which the TOE requests a certificate for its own embedded CA's signing key. | |
FIA_X509_EXT.1/STIP | This SFR supports the objective by defining the certificate validation rules that must be followed for certificates that are used for proxy TLS connections. | |
FIA_X509_EXT.2/STIP | This SFR supports the objective by defining the certificate authentication behavior for STIP connections. | |
FDP_PIN_EXT.1 (optional) | This SFR supports the objective by defining the optional implementation of certificate pinning. | |
FIA_ESTC_EXT.2 (optional) | This SFR supports the objective by defining requirements for the composition of EST requests if the TOE supports EST. | |
FDP_CER_EXT.4 (selection-based) | This SFR supports the objective by defining the rules the TOE must use to generate and issue proxy TLS client certificates from its internal CA if mutual authentication is supported. | |
FDP_CER_EXT.5 (selection-based) | This SFR supports the objective by defining the rules for the TOE's issuing of proxy TLS client certificates if mutual authentication is supported. | |
FDP_CRL_EXT.1 (selection-based) | This SFR supports the objective by defining rules for the generation of CRLs if the TOE uses this as the mechanism to ensure the freshness of its issued certificates. | |
FDP_CSI_EXT.1 (selection-based) | This SFR supports the objective by defining the revocation echecking method supported by the TOE for the proxy TLS server certificates it issues, if revocation is how the freshness of its issued certificates is assured. | |
FDP_CSI_EXT.2 (selection-based) | This SFR supports the objective by defining the revocation echecking method supported by the TOE for the proxy TLS client certificates it issues, if mutual authentication is supported and revocation is how the freshness of its issued certificates is assured. | |
FDP_OCSP_EXT.1 (selection-based) | This SFR supports the objective by defining rules for the generation of OCSP responses if the TOE uses this as the mechanism to ensure the freshness of its issued certificates. | |
FDP_OCSPS_EXT.1 (selection-based) | This SFR supports the objective by defining rules for the implementation of OCSP stapling if the TOE supports this functionality. | |
FIA_ESTC_EXT.1 (selection-based) | This SFR supports the objective by defining requirements for the implementation of EST if the TOE uses this mechanism to obtain TLS certificates for its own use. | |
O.DISPLAY_BANNER | FTA_TAB.1 (from Base-PP) | This SFR supports the objective by applying a warning banner to any interface used by an administrator to access the TOE. |
FDP_STIP_EXT.1 | This SFR supports the objective by defining the mechanism used to obtain consent to monitor user communications. | |
FTA_TAB.1/TLS (selection-based) | This SFR supports the objective by optionally applying a warning banner to a user whose network activity passes through the TOE for decryption and potential inspection. | |
O.INTEGRITY_PROTECTION | FPT_FLS.1 | This SFR supports the objective by requiring the TSF to take some action to preserve a secure state in the response to a loss of integrity or other potential failure. |
O.PERSISTENT_KEY_PROTECTION | FCS_STG_EXT.1 | This SFR supports the objective by requiring the TOE to implement hardware-based protection for stored keys. |
FDP_STG_EXT.1 | This SFR supports the objective by defining the mechanism used to protect public key data from unauthorized modification. | |
FPT_KST_EXT.1 | This SFR supports the objective by requiring the TSF to enforce the prevention of plaintext key export. | |
FPT_KST_EXT.2 | This SFR supports the objective by preventing the unauthorized use of secret and private keys. | |
FCS_CKM_EXT.5 (selection-based) | This SFR supports the objective by defining the integrity mechanism used to guarantee the integrity of public key data. | |
O.PROTECTED_COMMUNICATIONS | FCS_CKM.4 (from Base-PP) | This SFR supports the objective by ensuring secret and private key data is disposed of immediately after use to prevent unauthorized disclosure of keys. |
FCS_TLSC_EXT.1 (from Base-PP) | This SFR supports the objective by defining the TLS trusted channel used for EST if the TOE supports that functionality. | |
FCS_TLSC_EXT.2 (from Base-PP | This SFR supports the objective by defining support for mutually-authenticated TLS, which the TOE may optionally support for EST. | |
FTP_ITC.1 (refined from Base-PP) | This SFR supports the objective by defining the TOE interfaces that require protected communications as well as the methods of protection applied to these interfaces. | |
FCS_COP.1/STIP | This SFR supports the objective by defining cryptographic algorithms the TOE must support for decryption and re-encryption of proxy TLS traffic. | |
FCS_TTTC_EXT.1 | This SFR supports the objective by defining requirements for the TOE's implementation of TLS as a client, specifically in the case where the TOE is establishing a proxy connection between itself and the original requested TLS server. | |
FCS_TTTC_EXT.5 | This SFR supports the objective by defining the Supported Groups used by the TOE's proxy TLS client interface. | |
FCS_TTTS_EXT.1 | This SFR supports the objective by defining requirements for the TOE's implementation of TLS as a server, specifically in the case where the TOE is establishing a proxy connection between itself and the original monitored TLS client. | |
FDP_PRC_EXT.1 | This SFR supports the objective by defining requirements for the routing of decrypted plaintext traffic. | |
FDP_STIP_EXT.1 | This SFR supports the objective by defining the TOE's ability to establish proxy TLS sessions between a monitored client and a requested server and to apply appropriate rules to the handling of the decrypted traffic. | |
FDP_TEP_EXT.1 | This SFR supports the objective by defining the TOE's abbility to enforce filtering rules on TLS traffic passing through the TOE. | |
FCS_TTTC_EXT.3 (selection-based) | This SFR supports the objective by defining optional support for TLS mutual authentication that is applied to the TOE's proxy TLS client interface. | |
FCS_TTTC_EXT.4 (selection-based) | This SFR supports the objective by defining optional support for TLS session renegotiation that is applied to the TOE's proxy TLS client interface. | |
FCS_TTTS_EXT.3 (selection-based) | This SFR supports the objective by defining optional support for TLS mutual authentication that is applied to the TOE's proxy TLS server interface. | |
FCS_TTTS_EXT.4 (selection-based) | This SFR supports the objective by defining optional support for TLS session renegotiation that is applied to the TOE's proxy TLS server interface. | |
FDP_STIP_EXT.2 (selection-based) | This SFR supports the objective by defining the optional capability of the TOE to establish a proxy TLS session in the case where mutual authentication is supported. | |
O.RECOVERY | FPT_FLS.1 | This SFR supports the objective by requiring the TSF to preserve a secure state when certain failures occur. |
FPT_RCV.1 | This SFR supports the objective by requiring the TSF to support a maintenance mode of operation that is entered when certain failures occur. | |
O.RESIDUAL_INFORMATION_CLEARING | FDP_RIP.1 | This SFR supports the objective by defining the residual data that is cleared from TOE memory and when the clearing occurs. |
O.SYSTEM_MONITORING | FAU_STG_EXT.1 (from Base-PP) | This SFR supports the objective by defining a mechanism for the secure storage of audit data in the OE. |
FAU_GEN.1/STIP | This SFR supports the objective by defining the auditable events specific to STIP functionality that the TSF must generate. | |
FAU_GCR_EXT.1 | This SFR supports the objective by defining the mechanism the TOE uses to store certificate data. | |
FAU_SAR.3 (optional) | This SFR supports the objective by optionally defining the functionality to search audit records for events associated with a particular certificate. | |
FAU_SCR_EXT.1 (selection-based) | This SFR supports the objective by requiring the TOE to implement a search function for certificate storage if the TSF implements its own certificate store (as opposed to relying on environmental storage). | |
O.TOE_ADMINISTRATION | FMT_MOF.1/STIP | This SFR supports the objective by defining the authorized use of the TOE by association between the supported management functions and the roles that are authorized to perform them. |
FMT_SMF.1/STIP | This SFR supports the objective by defining the TOE's management functions that are specific to STIP functionality. | |
FDP_SMR.2/STIP | This SFR supports the objective by defining additional management roles that the TOE may support that are specific to STIP functionality. | |
O.TRAFFIC_MONITORING | FDP_PPP_EXT.1 | This SFR supports the objective by defining the processing rules that the TOE applies to plaintext traffic once decrypted. |
FDP_TEP_EXT.1 | This SFR supports the objective by defining the processing rules that the TOE applies to encrypted traffic. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.UNTRUSTED_COMMUNICATION | The threat of untrusted communication can provide unauthorized access to unintended resources if using weak cryptography or use untrusted intermediate systems. This can be mitigated either by protocols defined in this PP-Module or in the Base-PP. |
T.AUDIT | Auditing poses a threat if certain activities aren’t logged, like the issuance of certificates. This threat can be mitigated if proper configurations are in place to prevent the compromise of audit data defined in this PP-Module or the Base-PP. |
T.UNAUTHORIZED_USERS | The threat of unauthorized users attempting to gain access to other users’ credentials can be addressed by placing protections for logged-in users and only allow privileged user access methods defined in this PP-Module or in the Base-PP. |
T.CREDENTIALS | Beyond the Base-PP, the threat of manipulation of the CA signing key can be mitigated by providing access protection to persistent keys. |
T.SERVICES | The threat of misuse or manipulation of services is not defined in the Base-PP, but it is consistent with the general threat of unauthorized manipulation of the TSF. |
T.DEVICE_FAILURE | The failure of the certificate authority or routing traffic to inspection poses a threat not defined in the Base-PP. |
T.UNAUTHORIZED_DISCLOSURE | The Base-PP does not include the threat of unauthorized disclosure to sensitive data that is only intended for the monitored client because this is an interface that the Base-PP cannot assume all conformant TOEs have. |
T.INAPPROPRIATE_ACCESS | The threat of inappropriate access to unintended servers could disclose unauthorized traffic to inspection processes which is not defined in the Base-PP because a generic network device does not necessarily have a traffic inspection functionality. |
P.AUTHORIZATION_TO_INSPECT | The Base-PP cannot define the interactions that an end user will have with a generic device because it may vary depending on the specific device type. This PP-Module defines a policy that is specific to the use case of a STIP device. |
The objectives for the TOEs are consistent with the NDcPP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUDIT_LOSS_RESPONSE | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.CERTIFICATES | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.DISPLAY_BANNER | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.INTEGRITY_PROTECTION | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.PERSISTENT_KEY_PROTECTION | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.PROTECTED_COMMUNICATIONS | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.RECOVERY | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.RESIDUAL_INFORMATION_CLEARING | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.SYSTEM_MONITORING | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.TOE_ADMINISTRATION | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
O.TRAFFIC_MONITORING | The Base-PP does not define any TOE objectives so PP-Module objectives do not conflict with it. |
The objectives for the TOE's OE are consistent with the NDcPP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.AUDIT | This objective intends for the TOE’s OE to have adequate storage to retain the TOE's audit records. This objective is not defined in the Base-PP but can be assumed to be consistent with the Base-PP because FAU_STG_EXT.1 requires transmission of audit data to an environmental audit server, which means that there should be some assurance of the security of that server. |
OE.CERT_REPOSITORY | This objective intends for the TOE’s OE to provide a certificate repository. This is not defined in the Base-PP because not all network devices will necessarily need to interface with a certificate repository. |
OE.CERT_REPOSITORY_SEARCH | This objective intends for the TOE’s OE which will provide a certificate repository to also have the capability to search within the repository. This is not defined in the Base-PP because not all network devices will necessarily need to interface with a certificate repository. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
FCS_CKM.4 | The ST author is instructed to include security critical parameters and when key destruction is required. |
FCS_TLSC_EXT.1 | Other than defining an additional selection-based trigger, there is no modification to this SFR. |
FCS_TLSC_EXT.2 | Other than being defined as selection-based, there is no modification to this SFR. |
FIA_X509_EXT.1/Rev | There is no modification to this SFR, but it is mandatory for a TOE that conforms to this PP-Module because the certificate enrollment process always requires the TSF to validate a presented certificate. |
FIA_X509_EXT.3 | There is no change to this SFR. Only its trigger for inclusion is changed because this PP-Module introduces an alternate method of obtaining a certificate for the TOE. |
FTP_ITC.1 | The PP-Module partially completes selections and assignments in this SFR using the available options to specify external interfaces and trusted channels that all STIP products must support at minimum. |
Additional SFRs | |
This PP-Module does not add any requirements when the NDcPP is the base. | |
Mandatory SFRs | |
FAU_GCR_EXT.1 | This SFR applies to storing certificates in a certificate repository which is not listed in the Base-PP. |
FAU_GEN.1/STIP | This SFR is iterated from the Base-PP to add new auditable events for STIP functionality. It does not modify or replace any of the required auditable events defined in the Base-PP under the un-iterated FAU_GEN.1. |
FAU_STG.4 | This SFR applies to the prevention of audit data loss by the inclusion of the auditor role which is not listed in the Base-PP. |
FCS_COP.1/STIP | This SFR provides encryption/decryption cipher suites used in support for the through-traffic processing of the TOE. |
FCS_STG_EXT.1 | This SFR applies to the storage of persistent private and secret keys which is not defined in the Base-PP. |
FCS_TTTC_EXT.1 | This SFR applies to thru-traffic TLS inspection client protocol which is not defined in the Base-PP. |
FCS_TTTC_EXT.5 | This SFR applies to client supported groups extension for thru-traffic TLS inspection. |
FCS_TTTS_EXT.1 | This SFR applies to thru-traffic TLS inspection server protocol which is not defined in the Base-PP. |
FDP_CER_EXT.1 | This SFR applies to how the TOE issues TLS server certificates for STIP traffic, which is an interface that is not defined in the Base-PP. |
FDP_CER_EXT.2 | This SFR requires the TOE to maintain an association between TLS server certificates it receives and TLS server certificates that it issues in their place in support of STIP traffic, which is an interface that is not defined in the Base-PP. |
FDP_CER_EXT.3 | This SFR defines when the TOE will issue TLS server certificates in support of STIP traffic, which is an interface that is not defined in the Base-PP. |
FDP_CSIR_EXT.1 | This SFR applies to the ability to generate certificate status information if the validity period can be configured to last longer than 24 hours. |
FDP_PPP_EXT.1 | This SFR applies to the enforcement of the TLS processing policy which is not defined in the Base-PP. |
FDP_PRC_EXT.1 | This SFR applies to the routing of information flows containing plaintext which is not defined in the Base-PP. |
FDP_RIP.1 | This SFR applies to providing the capability to allocation or deallocation of resources which in this PP-Module is any data buffers used to implement STIP functionality which is not defined in the Base-PP. |
FDP_STG_EXT.1 | This SFR enforces protection of trusted public keys and certificates implemented using access control or integrity mechanism which is not defined in the Base-PP. |
FDP_STIP_EXT.1 | This SFR applies to STIP-specific processing operations which are not defined in an RFC or specified in the Base-PP. |
FDP_TEP_EXT.1 | This SFR applies to the enforcement of the TLS session establishment policy which is not defined by the Base-PP. |
FIA_ENR_EXT.1 | This SFR applies to the ability to generate a certificate request which is not defined in the Base-PP. |
FIA_X509_EXT.1/STIP | This SFR specifies validation of certificates used for connections supporting STIP functions. |
FIA_X509_EXT.2/STIP | The PP-Module iterates this SFR from its definition in the Base-PP to specify minimum required functionality for X.509 authentication based on its use in STIP. The PP-Module also refines the authorized roles that can perform the related management function. |
FMT_MOF.1/STIP | This SFR applies to the restriction of management functions to certain roles that are not defined in the Base-PP, which only requires management functionality to be performed by a security administrator. |
FMT_SMF.1/STIP | This SFR is iterated from the Base-PP to add new management functions for STIP functionality. It does not modify or replace any of the required management functions defined in the Base-PP under the un-iterated FMT_SMF.1. |
FMT_SMR.2/STIP | This SFR defines additional management roles that the TOE may define to enforce role separation for STIP functionality. It does not apply to Base-PP management functionality, which is managed by the Security Administrator defined in FMT_SMR.2 in the Base-PP. |
FPT_FLS.1 | This SFR applies to preserving a secure state when different failures occur which is not defined in the Base-PP. |
FPT_KST_EXT.1 | This SFR applies to the prevention of plaintext key export which is not defined in the Base-PP. |
FPT_KST_EXT.2 | This SFR applies to the prevention of unauthorized use of private and secret keys which is not defined in the Base-PP. |
FPT_RCV.1 | This SFR applies to the maintenance mode that provides the ability to return to a secure state is provided which is not defined in the Base-PP. |
Optional SFRs | |
FAU_SAR.1 | This SFR applies to who can view all the audit records which includes the added role of the auditor, which is not defined in the Base-PP. |
FAU_SAR.3 | This SFR applies to the ability to search within audit records based on various identifiers which is not defined in the Base-PP. |
FDP_PIN_EXT.1 | This SFR applies to certificate pinning which is not defined in the Base-PP. |
Objective SFRs | |
FIA_ESTC_EXT.2 | This SFR applies to the implementation of EST, which is a method of acquiring certificates that is not defined in the Base-PP. |
Implementation-based SFRs | |
This PP-Module does not define any Implementation-based requirements. | |
Selection-based SFRs | |
FDP_CRL_EXT.1 | This SFR applies to ability of the TOE to manage its own CRL, which is not defined in the Base-PP. |
FDP_CSI_EXT.1 | This SFR applies to ability of the TOE to generate status information for its own issued certificates, which is not defined in the Base-PP. |
FDP_OCSP_EXT.1 | This SFR applies to ability of the TOE to manage its own OCSP responder, which is not defined in the Base-PP. |
FDP_OCSPS_EXT.1 | This SFR applies to ability of the TOE to implement OCSP stapling for its own issued certificates, which is not defined in the Base-PP. This SFR applies to OCSP stapling which is not defined in the Base-PP. |
FIA_ESTC_EXT.1 | This SFR applies to the implementation of EST, which is a method of acquiring certificates that is not defined in the Base-PP. |
FTA_TAB.1/TLS | This SFR applies to having a notice and consent warning message at the start of an SSL/TLS inspection session which is not defined in the Base-PP. |
FCS_TTTC_EXT.3 | This SFR applies to thru-traffic TLS Inspection Client Protocol with mutual authentication which is not defined in the Base-PP. |
FCS_TTTS_EXT.3 | This SFR applies to thru-traffic TLS Inspection Server Protocol with mutual authentication which is not defined in the Base-PP. |
FDP_CER_EXT.4 | This SFR applies to how the TOE issues TLS client certificates for STIP traffic, which is an interface that is not defined in the Base-PP. |
FDP_CER_EXT.5 | This SFR defines when the TOE will issue TLS client certificates in support of STIP traffic, which is an interface that is not defined in the Base-PP. |
FDP_CSI_EXT.2 | This SFR applies to ability of the TOE to generate status information for its own issued certificates, which is not defined in the Base-PP. |
FDP_STIP_EXT.2 | This SFR applies to the TLS session implementation of the inspection operation that is not defined in the Base-PP. |
FAU_SCR_EXT.1 | This SFR applies to providing the capability to search the certificate repository which is not defined by the Base-PP. |
FCS_CKM_EXT.5 | This SFR applies to the protection of persistent public keys from undetected modification which is not defined in the Base-PP. |
FCS_TTTC_EXT.4 | This SFR applies to session renegotiation for thru-traffic TLS inspection (client-side). |
FCS_TTTS_EXT.4 | This SFR applies to session renegotiation for thru-traffic TLS inspection (server-side). |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_SAR.1 | ||
No events specified | N/A | |
FAU_SAR.3 | ||
No events specified | N/A | |
FDP_PIN_EXT.1 | ||
No events specified | N/A |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FIA_ESTC_EXT.2 | ||
No events specified | N/A |
This PP-Module does not define any Implementation-based SFRs.
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_SCR_EXT.1 | ||
No events specified | N/A | |
FCS_TTTC_EXT.3 | ||
Mutual authentication authorized | [selection: client certificate value, client certificate object identifier ] | |
Mutual authentication not authorized | N/A | |
FCS_TTTC_EXT.4 | ||
No events specified | N/A | |
FCS_TTTS_EXT.3 | ||
Mutual authentication required and valid client certificate received | Client certificate | |
Mutual authentication not authorized | N/A | |
FCS_TTTS_EXT.4 | ||
No events specified | N/A | |
FDP_CER_EXT.4 | ||
No events specified | N/A | |
FDP_CER_EXT.5 | ||
Certificate generation | Success: [selection: certificate value, certificate object identifier ] | |
FDP_CRL_EXT.1 | ||
Failure to generate CRL | N/A | |
FDP_CSI_EXT.1 | ||
No events specified | N/A | |
FDP_CSI_EXT.2 | ||
No events specified | N/A | |
FDP_OCSPS_EXT.1 | ||
Failure to include certificate status information in TLS handshake message | N/A | |
FDP_OCSP_EXT.1 | ||
Failure to generate certificate status information | N/A | |
FDP_STIP_EXT.2 | ||
No events specified | N/A | |
FIA_ESTC_EXT.1 | ||
EST requests | N/A | |
FTA_TAB.1/TLS | ||
No events specified | N/A |
keyUsage | extendedKeyUsage |
---|---|
digitalSignature | clientAuth |
digitalSignature, keyEncipherment | clientAuth |
digitalSignature,keyAgreement | clientAuth |
Functional Class | Functional Components |
---|---|
Certificate Enrollment | FIA_ESTC_EXT Enrollment over Secure Transport Client Protocol |
Certificate Pinning | FDP_PIN_EXT Certificate Pinning |
Certificate Status Information | FDP_CRL_EXT Certificate Revocation List FDP_CSI_EXT Certificate Status Information FDP_OCSPS_EXT Online Certificate Status Protocol Stapling FDP_OCSP_EXT Online Certificate Status Protocol |
Cryptographic Support (FCS) | FCS_STG_EXT Cryptographic Key Storage FCS_TTTC_EXT Thru-Traffic TLS Inspection Client Protocol FCS_TTTS_EXT Thru-Traffic TLS Inspection Server Protocol |
Identification and Authentication (FIA) | FIA_ENR_EXT Certificate Enrollment |
Other Selection-based SFRs | FAU_SCR_EXT Certificate Repository Review FCS_CKM_EXT Cryptographic Key Management |
Protection of the TSF (FPT) | FPT_KST_EXT Key Storage |
Security Audit (FAU) | FAU_GCR_EXT Generation of Certificate Repository |
User Data Protection (FDP) | FDP_CER_EXT Certificate Usage FDP_CSIR_EXT Certificate Status Information Required FDP_PPP_EXT Plaintext Processing Policy FDP_PRC_EXT Plaintext Routing Control FDP_STG_EXT User Data Storage FDP_STIP_EXT SSL/TLS Inspection Proxy Functions FDP_TEP_EXT TLS Establishment Policy |
FIA_ESTC_EXT.1, Enrollment over Secure Transport (EST) Client, defines the ability of the TSF to perform Enrollment over Secure Transport (EST) as a client connecting to an external CA.
FIA_ESTC_EXT.2, Client Use of TLS-Unique Value, requires the TSF to generate tls-unique values as part of the EST process.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FCS_TLSC_EXT.1 TLS Client Protocol without Mutual Authentication FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication FIA_ENR_EXT.1 Certificate Enrollment FIA_X509_EXT.1 X.509 Certificate Validation FMT_SMR.1 Security RolesNo specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FIA_ESTC_EXT.1 Enrollment over Secure Transport (EST) Client
FDP_PIN_EXT.1, Certificate Pinning, requires the TSF to have the ability to associate certificate information with external servers and to take some action if one of these servers identifies itself using an unknown certificate.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FMT_SMR.1 Security Roles
FDP_CRL_EXT.1, Certificate Revocation List Generation, requires the TSF to include specific information in any certificate revocation lists that it creates.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FDP_CSI_EXT.1 Certificate Status InformationFDP_CSI_EXT.1, Certificate Status Information, requires the TSF to generate certificate status information using a supported method and to define conditions in which this information can be modified.
FDP_CSI_EXT.2, Certificate Status Information for Client Certificates, requires the TSF to generate certificate status information for client certificates (e.g. for mutually-authenticated TLS) using a supported method and to define conditions in which this information can be modified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: [FDP_CRL_EXT.1 Certificate Revocation List Generation OR
FDP_OCSP_EXT.1 OCSP Basic Response Generation] FDP_OCSPS_EXT.1 OCSP Stapling FMT_SMR.1 Security RolesThere are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FDP_CER_EXT.4 Certificate Profiles for Client Certificates
FDP_CSI_EXT.1 Certificate Status Information [FDP_CRL_EXT.1 Certificate Revocation List Generation OR FDP_OCSP_EXT.1 OCSP Basic Response Generation] FDP_OCSPS_EXT.1 OCSP Stapling FMT_SMR.1 Security RolesFDP_OCSP_EXT.1, OCSP Basic Response Generation, requires the TSF to include specific information in any OCSP response that it creates.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Support
FDP_CSI_EXT.1 Certificate Status InformationFDP_OCSPS_EXT.1, OCSP Stapling, requires the TSF to perform OCSP Stapling by including OCSP response information in a TLS Certificate Status Message.
No specific management functions are identified.
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FDP_OCSP_EXT.1 OCSP Basic Response Generation
FCS_STG_EXT.1, Cryptographic Key Storage, requires the TSF to store persistent secret and private keys using a hardware-protected storage mechanism.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: No dependencies.
FCS_TTTC_EXT.1, Thru-Traffic TLS Inspection Client Protocol, defines the types of TLS client connections the TSF can support when acting as a proxy.
FCS_TTTC_EXT.5, Thru-Traffic TLS Inspection Client Support for Supported Groups Extension, requires the TSF to use the TLS Supported Groups Extension when establishing a proxy connection to a requested server to ensure the use of appropriate key establishment parameters
FCS_TTTC_EXT.3, Thru-Traffic TLS Inspection Client Protocol with Mutual Authentication Representing Monitored Clients,
FCS_TTTC_EXT.4, STIP Client-Side Support for Renegotiation, requires the TSF to support session renegotiation when acting as a TLS client for a proxy connection.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.2 Cryptographic Key Distribution FCS_COP.1 Cryptographic Operation FCS_RBG_EXT.1 Random Bit Generation FCS_TTTS_EXT.1 Thru-Traffic TLS Inspection Server Protocol FIA_X509_EXT.1 X.509 Certificate Validation FIA_X509_EXT.2 X.509 Certificate AuthenticationNo specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol
No specific management functions are identified.
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol
FDP_CER_EXT.5 Certificate Issuance Rules for Client CertificatesNo specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol
FCS_TTTS_EXT.1, Thru-Traffic TLS Inspection Server Protocol, defines the types of TLS server connections the TSF can support when acting as a proxy.
FCS_TTTS_EXT.3, Thru-Traffic TLS Inspection Server Protocol with Mutual Authentication of Monitored Clients, requires the TSF to validate a TLS client certificate when receiving a connection from a monitored client as part of establishing a TLS proxy connection.
FCS_TTTS_EXT.4, STIP Server-Side Support for Renegotiation, requires the TSF to support session renegotiation when acting as a TLS server for a proxy connection.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.2 Cryptographic Key Distribution FCS_COP.1 Cryptographic Operation FCS_RBG_EXT.1 Random Bit Generation FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol FIA_X509_EXT.1 X.509 Certificate Validation FIA_X509_EXT.2 X.509 Certificate AuthenticationNo specific management functions are identified.
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_TTTS_EXT.1 Thru-Traffic TLS Inspection Server Protocol
FDP_TEP_EXT.1 SSL/TLS Inspection Proxy PolicyNo specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_TTTS_EXT.1 Thru-Traffic TLS Inspection Server Protocol
FIA_ENR_EXT.1, Certificate Enrollment, requires the TSF to support PKCS#10 or Enrollment over Secure Transport as a method of requesting a certificate from an external CA.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: [FIA_ESTC_EXT.1 Enrollment over Secure Transport (EST) Client, OR
FIA_X509_EXT.3 X.509 Certificate Requests]FAU_SCR_EXT.1, Certificate Repository Review, requires a conformant TOE to support the searching of a certificate repository based on the values of specific certificate fields.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FAU_GCR_EXT.1 Generation of Certificate Repository
FCS_CKM_EXT.5, Public Key Integrity, requires the TSF to apply a cryptographic integrity validation method to public keys in persistent storage.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FPT_KST_EXT.1, No Plaintext Key Export, requires the TSF to prevent unauthorized disclosure of all TSF secret and private keys.
FPT_KST_EXT.2, TSF Key Protection, requires the TSF to prevent unauthorized usage of all TSF secret and private keys.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: No dependencies.
No specific management functions are identified.
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
FAU_GCR_EXT.1, Generation of Certificate Repository, requires a conformant TOE to specify how it stores certificates that are issued by the TSF.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FDP_CER_EXT.1 Certificate Profiles for Server Certificates
FDP_CER_EXT.3 Certificate Issuance Rules for Server CertificatesFDP_CER_EXT.1, Certificate Profiles for Server Certificates, requires the TSF to implement a certificate profile function and to issue TLS server certificates that conform to profiles when acting as a CA.
FDP_CER_EXT.2, Certificate Request Matching of Server Certificates, requires the TSF to maintain a linkage between external certificates that it has validated and internal certificates that it has issued to represent the entities presenting those certificates when the TOE is acting as a proxy for a TLS connection to or from those entities.
FDP_CER_EXT.3, Certificate Issuance Rules for Server Certificates, requires the TSF to issue certificates in response to validated server certificates based on certain rules.
FDP_CER_EXT.4, Certificate Profiles for Client Certificates, requires the TSF to implement a certificate profile function and to issue TLS client certificates that conform to profiles when acting as a CA.
FDP_CER_EXT.5, Certificate Issuance Rules for Client Certificates, requires the TSF to issue certificates in response to validated client certificates based on certain rules.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FCS_COP.1 Cryptographic Operation FMT_SMR.1 Security RoleskeyUsage | extendedKeyUsage |
---|---|
digitalSignature | serverAuth |
digitalSignature, keyEncipherment | serverAuth |
digitalSignature,keyAgreement | serverAuth |
No specific management functions are identified.
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FDP_CER_EXT.1 Certificate Profiles for Server Certificates
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FDP_CER_EXT.1 Certificate Profiles for Server Certificates
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FMT_SMR.1 Security RoleskeyUsage | extendedKeyUsage |
---|---|
digitalSignature | clientAuth |
digitalSignature, keyEncipherment | clientAuth |
digitalSignature,keyAgreement | clientAuth |
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FDP_CER_EXT.4 Certificate Profiles for Client Certificates
FDP_CSIR_EXT.1, Certificate Status Information Required, requires the TSF to maintain certificate status information for its issued certificates or to ensure that any certificates it issues are valid for a sufficiently short period of time that status information is unnecessary.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FDP_CER_EXT.1 Certificate Profiles for Server Certificates
FDP_CER_EXT.3 Certificate Issuance Rules for Server CertificatesFDP_PPP_EXT.1, Plaintext Processing Policy, requires the TSF to apply rules to decrypted TLS traffic and take some information flow processing action against the traffic based on these rules.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol
FCS_TTTS_EXT.1 Thru-Traffic TLS Inspection Server ProtocolFDP_PRC_EXT.1, Plaintext Routing Control, requires the TSF to route decrypted TLS traffic based on the results of applicable plaintext processing policy rules.
No specific management functions are identified.
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FDP_PPP_EXT.1 Plaintext Processing Policy
FDP_STG_EXT.1, Certificate Data Storage, requires the TSF to protect public key and certificate data using either access controlled storage or a cryptographic integrity mechanism.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FCS_CKM_EXT.5 Public Key Integrity
FDP_STIP_EXT.1, SSL/TLS Inspection Proxy Functions, requires the TSF to establish itself as a proxy for SSL/TLS connections between remote endpoints such that the TOE can observe the contents of the SSL/TLS traffic.
FDP_STIP_EXT.2, Mutual Authentication Inspection Operation, defines the ability of the TSF to act as an SSL/TLS inspection proxy for mutually authenticated SSL/TLS sessions.
Management: FDP_STIP_EXT.1 The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol
FCS_TTTS_EXT.1 Thru-Traffic TLS Inspection Server Protocol FDP_PPP_EXT.1 Plaintext Processing Policy FDP_PRC_EXT.1 Plaintext Routing Control FTA_TAB.1 Default TOE Access BannersNo specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FDP_STIP_EXT.1 SSL/TLS Inspection Proxy Functions
FDP_CER_EXT.5 Certificate Issuance Rules for Client CertificatesFDP_TEP_EXT.1, SSL/TLS Inspection Proxy Policy, requires the TSF perform SSL/TLS inspection and enforce SSL/TLS inspection proxy rules that define how SSL/TLS traffic received by the TOE is decrypted, inspected, re-encrypted, forwarded, discarded, or logged, depending on the applicable rules.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN.1 Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_TTTC_EXT.1 Thru-Traffic TLS Inspection Client Protocol
FCS_TTTC_EXT.3 Thru-Traffic TLS Inspection Client Protocol with Mutual Authentication Representing Monitored Clients FCS_TTTC_EXT.5 Thru-Traffic TLS Inspection Client Support for Supported Groups Extension FCS_TTTS_EXT.1 Thru-Traffic TLS Inspection Server Protocol FCS_TTTS_EXT.3 Thru-Traffic TLS Inspection Server Protocol with Mutual Authentication of Monitored Clients FDP_PPP_EXT.1 Plaintext Processing Policy FIA_X509_EXT.1 X.509 Certificate Validation FIA_X509_EXT.2 X.509 Certificate AuthenticationThis appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.
Table 8: Implicitly Satisfied RequirementsRequirement | Rationale for Satisfaction |
FPT_STM.1 - Reliable Time Stamps | FAU_GEN.1/STIP has a dependency on FPT_STM.1 for applying accurate timestamps to audit records. The extended SFR FPT_STM_EXT.1 that is defined in the Base-PP provides equivalent functionality to FPT_STM.1 and therefore satisfies this dependency. |
Acronym | Meaning |
---|---|
Base-PP | Base Protection Profile |
CA | Certificate Authority |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
EP | Extended Package |
FP | Functional Package |
HTTP | HyperText Transfer Protocol |
OE | Operational Environment |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
SSL/TLS | Secure Sockets Layer/Transport Layer Security |
ST | Security Target |
STIP | SSL/TLS Inspection Proxy |
TA | Trust Anchor (Trust Store) |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |
URL | Uniform Resource Locator |
Identifier | Title |
---|---|
[CC] | Common Criteria for Information Technology Security Evaluation -
|
[ND-SD] | Supporting Document - Mandatory Technical Document - Evaluation Activities for Network Device cPP, Version 2.2, December 2019 |
[NDcPP] | collaborative Protection Profile for Network Devices, Version 2.2E, March 2020 |