Version | Date | Comment |
---|---|---|
1.0 | 2022-03-31 | Initial Release |
0.5 | 2022-01-20 | Conversion to PP-Module; Updated to include WPA 3 and Wi-Fi 6. WPA 3 is required. WPA 2 can additionally be included in the ST. 256 bit keys are required. 128 and 192 bit keys can additionally be included in the ST. |
These Base-PPs are valid because a WLAN Client is a part of either a commercial operating system that can be installed on a general-purpose computer or an operating system that runs on a purpose-built mobile device.
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Access Point (AP) | A device that provides the network interface that enables wireless client hosts to access a wired network. Once authenticated as trusted nodes on the wired infrastructure, the APs provide the encryption service on the wireless network between the wireless client and the radio frequency (RF) interface of the AP. |
Administrator | A user that has administrative privilege to configure the TOE. |
Authentication Credentials | The information the system uses to verify that the user or administrator is authorized to access the TOE or network. Credentials can exist in various forms, such as username/password or digital certificates. |
Authentication Server (AS) | A server on the wired network that receives authentication credentials from wireless clients and determines their validity. |
Critical Security Parameter (CSP) | Security related information, e.g. secret and private cryptographic keys, and authentication data such as passwords and Personal Identification Numbers (PINs), whose disclosure or modification can compromise the security of a cryptographic module. |
Entropy Source | A cryptographic function that provides a seed for a random number generator by accumulating the outputs from one or more noise sources. The functionality includes a measure of the minimum work required to guess a given output and tests to ensure that the noise sources are operating properly. |
Extensible Authentication Protocol (EAP) | An authentication framework, used in wireless networks, that uses Public Key Infrastructure (PKI) to authenticate both the authentication server and the wireless client. |
FIPS-Approved Cryptographic Function | A cryptographic operation that is specified for use by FIPS 140. |
IEEE 802.1X | A standard for port-based network access control that defines an authentication mechanism for WLAN Clients to attach to a wired network. |
A user that has not been granted the ability to use the TOE. |
This document specifies SFRs for a WLAN Client. The TOE defined by this PP-Module is a WLAN Client, a component executing on a client machine (often referred to as a "remote access client"). The TOE establishes a secure wireless tunnel between the client device and a WLAN Access System through which all data will traverse.
A WLAN Client allows remote users to use client machines to establish wireless communication with a private network through a WLAN Access System. IP packets passing between the private network and a WLAN Client are encrypted. The WLAN Client protects the confidentiality and integrity of data in transit between itself and the private network, even though it traverses a wireless connection. The focus of the SFRs in this PP-Module is on the following fundamental aspects of a WLAN Client:
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
This document does not define any additional OSPs.Threat, Assumption, or OSP | Security Objectives | Rationale |
T.TSF_FAILURE | O.SELF_TEST | The threat T.TSF_FAILURE is mitigated by O.SELF_TEST as this defines a mechanism for ensuring the reliability of the TSF by detecting potential failure conditions. |
T.UNAUTHORIZED_ACCESS | O.AUTH_COMM | The threat T.UNAUTHORIZED_ACCESS is mitigated in part by O.AUTH_COMM by ensuring the authenticity of any remote endpoint that the TSF connects to. |
O.CRYPTOGRAPHIC_FUNCTIONS | The threat T.UNAUTHORIZED_ACCESS is mitigated in part by O.CRYPTOGRAPHIC_FUNCTIONS by ensuring the confidentiality and integrity of data in transit to protect against man-in-the-middle attacks. | |
O.TOE_ADMINISTRATION | The threat T.UNAUTHORIZED_ACCESS is mitigated in part by O.TOE_ADMINISTRATION by using the TOE platform's authentication mechanism to ensure that only authorized administrators can configure the TOE's behavior. | |
O.WIRELESS_ACCESS_POINT_CONNECTION | The threat T.UNAUTHORIZED_ACCESS is mitigated in part by this objective because it provides a mechanism to restrict the remote entities that the TOE is permitted to communicate with. | |
T.UNDETECTED_ACTIONS | O.SYSTEM_MONITORING | The threat T.UNDETECTED_ACTIONS is mitigated by O.SYSTEM_MONITORING by enforcing an auditing mechanism that can be used to track security-relevant TOE behavior. |
A.NO_TOE_BYPASS | OE.NO_TOE_BYPASS | The operational environment objective OE.NO_TOE_BYPASS is realized through A.NO_TOE_BYPASS. |
A.TRUSTED_ADMIN | OE.TRUSTED_ADMIN | The Operational Environment objective OE.TRUSTED ADMIN is realized through A.TRUSTED_ADMIN. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_GEN.1/WLAN | No events specified. | N/A |
FCS_CKM.1/WPA | No events specified. | N/A |
FCS_CKM.2/WLAN | No events specified. | N/A |
FCS_TLSC_EXT.1/WLAN | Failure to establish an EAP-TLS session. | Reason for failure. Non-TOE endpoint of connection. |
FCS_TLSC_EXT.1/WLAN | Establishment/termination of an EAP-TLS session. | Non-TOE endpoint of connection. |
FCS_WPA_EXT.1 | No events specified. | N/A |
FIA_PAE_EXT.1 | No events specified. | N/A |
FIA_X509_EXT.1/WLAN | Failure to validate X.509v3 certificate. | Reason for failure of validation. |
FIA_X509_EXT.2/WLAN | No events specified. | N/A |
FIA_X509_EXT.6 | Attempts to load certificates. | None. |
FIA_X509_EXT.6 | Attempts to revoke certificates. | None. |
FMT_SMF.1/WLAN | No events specified. | N/A |
FPT_TST_EXT.3/WLAN | Execution of this set of TSF self-tests. | None. |
FPT_TST_EXT.3/WLAN | [selection: Detected integrity violation, None]. | [selection: The TSF binary file that caused the integrity violation
, None]. |
FTA_WSE_EXT.1 | All attempts to connect to access points. | For each access point record the
[selection: Complete SSID and MAC, Certificate Check Message and the last [assignment:
integer greater than or equal to 2]
octets] of the MAC Address Success and failures (including reason for failure). |
FTP_ITC.1/WLAN | All attempts to establish a trusted channel. | Identification of the non-TOE endpoint of the channel. |
If auditing for the WLAN Client cannot be controlled separately from its underlying platform, the "Startup and shutdown of the audit functions" event defined in each Base-PP is sufficient to address that event for this iteration of the SFR.
Auditable events for selection-based SFRs are found in Table 5. If the TOE does not claim a particular selection-based SFR, it is not expected to generate any corresponding audit records for that SFR.
Table 2 includes auditable events for FPT_TST_EXT.3/WLAN. If the TOE does not perform its own self-tests (i.e., "TOE platform" is selected in FPT_TST_EXT.3.1/WLAN and FPT_TST_EXT.3.2/WLAN), the audit record for this event may also be generated by the TOE platform.
The cryptographic key derivation algorithm required by IEEE 802.11-2012 (Section 11.6.1.2) and verified in WPA2 certification is PRF-384, which uses the HMAC-SHA-1 function and outputs 384 bits. The use of GCMP was first defined in IEEE 802.11ac-2014 (Section 11.4.5) but subsequently integrated into 802.11-2012. This protocol requires a key derivation function (KDF) KDF based on HMAC-SHA-256 (for 128-bit symmetric keys) or HMAC-SHA384 (for 256-bit symmetric keys). This KDF outputs 704 bits.
This requirement applies only to the keys that are generated/derived for the communications between the access point and the client once the client has been authenticated. It refers to the derivation of the Pairwise Temporal Key (PTK) from the PMK, which is done using a random value generated by the RBG specified in this PP-Module, the HMAC function using SHA-1 as specified in this PP-Module, as well as other information.
The cipher suites to be tested in the evaluated configuration are limited by this requirement. The ST author should select the optional cipher suites that are supported. It is necessary to limit the cipher suites that can be used in an evaluated configuration administratively on the server in the test environment.
While FCS_TLSC_EXT.1.4/WLAN requires that the TOE perform certain checks on the certificate presented by the authentication server, there are corresponding checks that the authentication server will have to perform on the certificate presented by the client; namely that the extendedKeyUsage field of the client certificate includes "Client Authentication" and that the digital signature bit (for the Diffie-Hellman cipher suites) or the key encipherment bit (for RSA cipher suites) be set. Certificates obtained for use by the TOE will have to conform to these requirements in order to be used in the enterprise.
The FIA_X509_EXT.1 requirements defined in each of the possible Base-PPs define requirements that the underlying platform is expected to implement.
This requirement covers the TOE's role as the supplicant in an 802.1X authentication exchange. If the exchange is completed successfully, the TOE will derive the PMK as a result of the EAP-TLS (or other appropriate EAP exchange) and perform the 4-way handshake with the wireless access system (authenticator) to begin 802.11 communications.
As indicated previously, there are at least two communication paths present during the exchange; one with the wireless access system and one with the authentication server that uses the wireless access system as a relay. The TOE establishes an EAP over LAN (EAPOL) connection with the wireless access system as specified in 802.1X-2020. The TOE and authentication server establish an EAP-TLS session (RFC 5216).
The point of performing 802.1X authentication is to gain access to the network (assuming the authentication was successful and that all 802.11 negotiations are performed successfully); in the terminology of 802.1X, this means the TOE will gain access to the "controlled port" maintained by the wireless access system.
# | Management Function | Impl | Admin | User |
WL-1 | configure security policy for each wireless network:
| MMandatory | MMandatory | OOptional |
WL-2 | specify wireless networks (SSIDs) to which the TSF may connect | MMandatory | MMandatory | OOptional |
WL-3 | enable/disable disable wireless network bridging capability (for example, bridging a connection between the WLAN and cellular radios to function as a hotspot) authenticated by [selection: pre-shared key, passcode, no authentication] | MMandatory | MMandatory | OOptional |
WL-4 | enable/disable certificate revocation list checking | OOptional | OOptional | OOptional |
WL-5 | disable ad hoc wireless client-to-client connection capability | OOptional | OOptional | OOptional |
WL-6 | disable roaming capability | OOptional | OOptional | OOptional |
WL-7 | enable/disable IEEE 802.1X pre-authentication | OOptional | OOptional | OOptional |
WL-8 | loading X.509 certificates into the TOE | OOptional | OOptional | OOptional |
WL-9 | revoke X.509 certificates loaded into the TOE | OOptional | OOptional | OOptional |
WL-10 | enable/disable and configure PMK caching: | OOptional | OOptional | OOptional |
For installation, the WLAN Client relies on the underlying platform to authenticate the administrator to the client machine on which the TOE is installed.
For the function "configure the cryptoperiod for the established session keys," the unit of measure for configuring the cryptoperiod must be no greater than an hour. For example: units of measure in seconds, minutes and hours are acceptable and units of measure in days or greater are not acceptable.
The intent of the above requirement is to use the cryptographic protocols identified in the requirement to protect communications between the TOE and the Access Point.
The requirement implies that not only are communications protected when they are initially established, but also on resumption after an outage. It may be the case that some part of the TOE setup involves manually setting up tunnels to protect other communication, and if after an outage the TOE attempts to re-establish the communication automatically with (the necessary) manual intervention, there may be a window created where an attacker might be able to gain critical information or compromise a connection. The following tests are only intended to cover the WLAN communication channel (not other communication channels that may be available on the TOE such as mobile broadband).
The following rationale provides justification for each security objective for the TOE,
showing that the SFRs are suitable to meet and achieve the security objectives:
Objective | Addressed by | Rationale |
---|---|---|
O.AUTH_COMM | FCS_TLSC_EXT.1/WLAN | FCS_TLSC_EXT.1/WLAN supports the objective by requiring the TSF to use EAP-TLS to establish a secure connection to a wireless access point, including authentication of the access point. |
FIA_PAE_EXT.1 | FIA_PAE_EXT.1 supports the objective by requiring the TSF to act as the supplicant for 802.1X authentication. | |
FIA_X509_EXT.1/WLAN | FIA_X509_EXT.1/WLAN supports the objective by defining how the TSF determines the validity of presented X.509 certificates. | |
FIA_X509_EXT.2/WLAN | FIA_X509_EXT.2/WLAN supports the objective by requiring the TSF to implement X.509 certificate authentication as the mechanism for authentication EAP-TLS connections. | |
FTP_ITC.1/WLAN | FTP_ITC.1/WLAN supports the objective by requiring the TSF to implement trusted protocols that include authentication of the remote endpoints. | |
FCS_TLSC_EXT.2/WLAN (selection-based) | FCS_TLSC_EXT.2/WLAN supports the objective by optionally requiring the TSF to support only certain elliptic curves if the TOE implements any EAP-TLS cipher suites that rely on ECDHE as the key establishment method. | |
O.CRYPTOGRAPHIC_FUNCTIONS | FCS_CKM.1/WPA | FCS_CKM.1/WPA supports the objective by requiring the TSF to generate symmetric keys used for WPA2 and WPA3 in a specified manner. |
FCS_CKM.2/WLAN | FCS_CKM.2/WLAN supports the objective by requiring the TSF to decrypt group temporal keys used for IEEE 802.11. | |
FCS_WPA_EXT.1 | FCS_WPA_EXT.1 supports this objective by defining the WPA versions that are supported. | |
O.SELF_TEST | FPT_TST_EXT.3/WLAN | FPT_TST_EXT.3/WLAN supports the objective by requiring the TSF to perform self-tests to ensure that it is operating in a known state. |
O.SYSTEM_MONITORING | FAU_GEN.1/WLAN | FAU_GEN.1/WLAN supports the objective by requiring the TSF to generate audit records for security-relevant WLAN behavior. |
O.TOE_ADMINISTRATION | FIA_X509_EXT.6 | FIA_X509_EXT.6 supports the objective by requiring the TSF to securely store certificates in a repository that an administrator can interact with, whether that repository is provided by the WLAN client itself or by a platform storage mechanism defined by the Base-PP portion of the TOE. |
FMT_SMF.1/WLAN | FMT_SMF.1/WLAN supports the objective by requiring the TSF to implement management functionality for security-relevant WLAN behavior. | |
O.WIRELESS_ACCESS_POINT_CONNECTION | FTA_WSE_EXT.1 | FTA_WSE_EXT.1 supports the objective by requiring the TSF to restrict connectivity to allowed wireless networks. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.TSF_FAILURE | The Base-PP defines threats for local attacks and remote attacks, both of which could cause a failure of the TSF. This PP-Module adds a generic TSF failure threat in the event that the WLAN Client fails through unintended system behavior rather than a direct malicious attack. |
T.UNAUTHORIZED_ACCESS | The Base-PP defines threats for local attacks and remote attacks. The threat of unauthorized access to the WLAN Client is a specific threat that results from successful exploitation of one of these Base-PP threats. |
T.UNDETECTED_ACTIONS | The Base-PP defines threats for local attacks and remote attacks. It does not define a threat specifically for undetected actions but it does map the local attack and remote attack threats to a TOE objective for accountability. Therefore, the threat of undetected actions is consistent with the Base-PP because this is a subset of the threats defined in the Base-PP, or a mechanism to increase the likelihood that these threats will successfully be exploited. |
A.NO_TOE_BYPASS | This assumption relates to the deployment of the TOE in relation to the network resources that it interacts with. It does not enforce any restrictions on the TOE's deployment that are contrary to what the Base-PP requires. |
A.TRUSTED_ADMIN | The Base-PP defines A.PROPER_USER and A.PROPER_ADMIN assumptions that serve the same purpose as A.TRUSTED_ADMIN in this PP-Module. |
The objectives for the TOEs are consistent with the General Purpose Operating Systems PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUTH_COMM | This objective is specifically for a communications interface that is defined by the PP-Module, but it is consistent with the general O.PROTECTED_COMMS objective specified in the Base-PP. |
O.CRYPTOGRAPHIC_FUNCTIONS | The TOE implements this objective in part by relying on the cryptographic functionality specified in the Base-PP to address the Base-PP's O.PROTECTED_COMMS objective. The PP-Module uses these cryptographic functions for the same purpose as the Base-PP. |
O.SELF_TEST | The Base-PP defines a general O.INTEGRITY objective; this PP-Module defines O.SELF_TEST as a specific method of guaranteeing the integrity of the TOE. |
O.SYSTEM_MONITORING | The Base-PP defines an O.ACCOUNTABILITY objective for system auditing. The O.SYSTEM_MONITORING objective in this PP-Module serves the same purpose. |
O.TOE_ADMINISTRATION | The Base-PP defines an O.MANAGEMENT objective for TOE administration. The O.TOE_ADMINISTRATION objective in this PP-Module serves the same purpose. |
O.WIRELESS_ACCESS_POINT_CONNECTION | This objective relates to behavior that applies to a communications interface defined in this PP-Module and therefore does not relate to the Base-PP's functionality. |
The objectives for the TOE's OE are consistent with the General Purpose Operating Systems PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.NO_TOE_BYPASS | This objective relates to the deployment of the TOE in relation to the network resources that it interacts with. It does not enforce any restrictions on the TOE's deployment that are contrary to what the Base-PP requires. |
OE.TRUSTED_ADMIN | The Base-PP defines OE.PROPER_USER and OE.PROPER_ADMIN objectives that serve the same purpose as OE.TRUSTED_ADMIN in this PP-Module. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
This PP-Module does not modify any requirements when the General Purpose Operating Systems PP is the base. | |
Additional SFRs | |
This PP-Module does not add any requirements when the General Purpose Operating Systems PP is the base. | |
Mandatory SFRs | |
FAU_GEN.1/WLAN | The Base-PP defines its own auditing mechanism; this PP-Module can use that mechanism or implement its own to generate audit records for security-relevant events that are specific to this PP-Module. |
FCS_CKM.1/WPA | This SFR requires the TOE to generate cryptographic keys that are only used by the PP-Module's functionality. It invokes Base-PP functionality to do this in a manner that the Base-PP permits. |
FCS_CKM.2/WLAN | This SFR requires the TOE to perform a decryption operation using AES Key Wrap, which is a function that the Base-PP provides. |
FCS_TLSC_EXT.1/WLAN | This SFR requires the TOE to implement EAP-TLS; this protocol relies on the same cryptographic functionality that the Base-PP uses to implement TLS. |
FCS_WPA_EXT.1 | This SFR requires the TOE to specify the WPA versions it supports; this is functionality that is specific to the PP-Module and does not affect any Base-PP functionality. |
FIA_PAE_EXT.1 | This SFR defines the ability of the TOE to implement IEEE 802.1X. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FIA_X509_EXT.1/WLAN | This SFR defines the TOE's X.509 certificate validation specifically when validating EAP-TLS certificates. The Base-PP also defines an iteration of this SFR but the PP-Module requires a separate iteration because EAP-TLS certificates have specific handling requirements that are not present in the Base-PP because the Base-PP does not define implementation of the EAP-TLS protocol. |
FIA_X509_EXT.2/WLAN | This SFR defines the TOE's use of X.509 certificates in EAP-TLS. This function uses the same certificate validation functionality that the Base-PP defines. |
FIA_X509_EXT.6 | This SFR defines behavior for implementing certificate storage. The SFR allows for the possibility that existing platform storage can be used, so it does not conflict with the Base-PP if that portion of the TOE already implements its own storage mechanism. |
FMT_SMF.1/WLAN | This SFR defines the management activities that are specific to this PP-Module. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FPT_TST_EXT.3/WLAN | This SFR defines self-test behavior for the WLAN Client. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FTA_WSE_EXT.1 | This SFR requires the TOE to restrict the wireless networks that it can connect to. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FTP_ITC.1/WLAN | This SFR defines the protocols that the TOE uses for secure wireless communications. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
Optional SFRs | |
This PP-Module does not define any Optional requirements. | |
Selection-based SFRs | |
FCS_TLSC_EXT.2/WLAN | This SFR requires the TOE to validate a specific TLS extension when establishing EAP-TLS communications. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
Objective SFRs | |
This PP-Module does not define any Objective requirements. | |
Implementation-based SFRs | |
This PP-Module does not define any Implementation-based requirements. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.TSF_FAILURE | The Base-PP defines the T.FLAWAPP threat for the threat that application failures may pose to the device as a whole. The T.TSF_FAILURE threat from this PP-Module is a specific example of the T.FLAWAPP threat, though it relates to the WLAN Client as an intrinsic part of the mobile device rather than a third-party application installed on top of it. The Base-PP also defines the T.PERSISTENT threat, which is another specific case of TSF failure. |
T.UNAUTHORIZED_ACCESS | The Base-PP defines threats for network eavesdropping and network attacks. Exploiting either threat could allow an attacker to exploit the T.UNAUTHORIZED_ACCESS threat defined by this PP-Module. |
T.UNDETECTED_ACTIONS | The Base-PP defines threats for persistent access to the TOE and flawed applications on the TOE. It does not define a threat specifically for undetected actions but the threat of undetected actions defined by this PP-Module could increase the likelihood that the Base-PP threats can be successfully exploited. |
A.NO_TOE_BYPASS | This assumption relates to the deployment of the TOE in relation to the network resources that it interacts with. It does not enforce any restrictions on the TOE's deployment that are contrary to what the Base-PP requires. |
A.TRUSTED_ADMIN | The Base-PP defines the A.TRUSTED_ADMIN assumptions that expects administrators will configure the TOE correctly, which also implies they are non-malicious. |
The objectives for the TOEs are consistent with the Mobile Devices PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUTH_COMM | This objective is specifically for a communications interface that is defined by the PP-Module, but it is consistent with the general O.COMMS objective specified in the Base-PP. |
O.CRYPTOGRAPHIC_FUNCTIONS | The TOE implements this objective in part by relying on the cryptographic functionality specified in the Base-PP to address the Base-PP's O.COMMS objective. The PP-Module uses these cryptographic functions for the same purpose as the Base-PP. |
O.SELF_TEST | The Base-PP defines a general O.INTEGRITY objective; this PP-Module defines O.SELF_TEST as a specific method of guaranteeing the integrity of the TOE. |
O.SYSTEM_MONITORING | The Base-PP defines an O.INTEGRITY objective that includes system auditing as a method of asserting the TOE's integrity. The O.SYSTEM_MONITORING objective in this PP-Module serves the same purpose. |
O.TOE_ADMINISTRATION | The Base-PP defines an O.CONFIG objective for TOE administration. The O.TOE_ADMINISTRATION objective in this PP-Module serves the same purpose. |
O.WIRELESS_ACCESS_POINT_CONNECTION | This objective relates to behavior that applies to a communications interface defined in this PP-Module and therefore does not relate to the Base-PP's functionality. |
The objectives for the TOE's OE are consistent with the Mobile Devices PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.NO_TOE_BYPASS | This objective relates to the deployment of the TOE in relation to the network resources that it interacts with. It does not enforce any restrictions on the TOE's deployment that are contrary to what the Base-PP requires. |
OE.TRUSTED_ADMIN | The Base-PP defines the OE.CONFIG objective that expects administrators will configure the TOE correctly, which also implies they are non-malicious. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
This PP-Module does not modify any requirements when the Mobile Devices PP is the base. | |
Additional SFRs | |
This PP-Module does not add any requirements when the Mobile Devices PP is the base. | |
Mandatory SFRs | |
FAU_GEN.1/WLAN | The Base-PP defines its own auditing mechanism; this PP-Module can use that mechanism or implement its own to generate audit records for security-relevant events that are specific to this PP-Module. |
FCS_CKM.1/WPA | This SFR requires the TOE to generate cryptographic keys that are only used by the PP-Module's functionality. It invokes Base-PP functionality to do this in a manner that the Base-PP permits.This SFR requires the TOE to generate cryptographic keys that are only used by the PP-Module's functionality. It invokes Base-PP functionality to do this in a manner that the Base-PP permits. |
FCS_CKM.2/WLAN | This SFR requires the TOE to perform a decryption operation using AES Key Wrap, which is a function that the Base-PP provides. |
FCS_TLSC_EXT.1/WLAN | This SFR requires the TOE to implement EAP-TLS; this protocol relies on the same cryptographic functionality that the Base-PP uses to implement TLS. |
FCS_WPA_EXT.1 | This SFR requires the TOE to specify the WPA versions it supports; this is functionality that is specific to the PP-Module and does not affect any Base-PP functionality. |
FIA_PAE_EXT.1 | This SFR defines the ability of the TOE to implement IEEE 802.1X. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FIA_X509_EXT.1/WLAN | This SFR defines the TOE's X.509 certificate validation specifically when validating EAP-TLS certificates. The Base-PP also defines an iteration of this SFR but the PP-Module requires a separate iteration because EAP-TLS certificates have specific handling requirements that are not present in the Base-PP because the Base-PP does not define implementation of the EAP-TLS protocol. |
FIA_X509_EXT.2/WLAN | This SFR defines the TOE's use of X.509 certificates in EAP-TLS. This function uses the same certificate validation functionality that the Base-PP defines. |
FIA_X509_EXT.6 | This SFR defines behavior for implementing certificate storage. The SFR allows for the possibility that existing platform storage can be used, so it does not conflict with the Base-PP if that portion of the TOE already implements its own storage mechanism. |
FMT_SMF.1/WLAN | This SFR defines the management activities that are specific to this PP-Module. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FPT_TST_EXT.3/WLAN | This SFR defines self-test behavior for the WLAN Client. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FTA_WSE_EXT.1 | This SFR requires the TOE to restrict the wireless networks that it can connect to. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
FTP_ITC.1/WLAN | This SFR defines the protocols that the TOE uses for secure wireless communications. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
Optional SFRs | |
This PP-Module does not define any Optional requirements. | |
Selection-based SFRs | |
FCS_TLSC_EXT.2/WLAN | This SFR requires the TOE to validate a specific TLS extension when establishing EAP-TLS communications. This behavior relates entirely to the PP-Module and does not affect the ability of the Base-PP to implement its security functionality. |
Objective SFRs | |
This PP-Module does not define any Objective requirements. | |
Implementation-based SFRs | |
This PP-Module does not define any Implementation-based requirements. |
This PP-Module does not define any Strictly Optional SFRs.
This PP-Module does not define any Objective SFRs.
This PP-Module does not define any Implementation-dependent SFRs.
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FCS_TLSC_EXT.2/WLAN | No events specified. | N/A |
This requirement must be claimed if any cipher suites beginning with 'TLS_ECDHE' are selected in FCS_TLSC_EXT.1.1/WLAN.
This requirement does not limit the elliptic curves the client may propose for authentication and key agreement. Rather, it asks the ST author to define which of the NIST curves from FCS_COP.1/SIGN (defined in each supported Base-PP) and FCS_CKM.1/WPA and FCS_CKM.2/WLAN (each defined in this PP-Module) can be used for TLS key establishment.
Functional Class | Functional Components |
---|---|
Identification and Authentication (FIA) | FIA_PAE_EXT Port Access Entity Authentication FIA_X509_EXT X.509 Certificate Use and Management |
Protection of the TSF (FPT) | FPT_TST_EXT TSF Self-Test |
TOE Access (FTA) | FTA_WSE_EXT Wireless Network Access |
Cryptographic Support (FCS) | FCS_TLSC_EXT TLS Client Protocol |
FIA_PAE_EXT.1, Port Access Entity Authentication, describes the ability of the TOE to act as a supplicant for 802.1X authentication.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
FIA_X509_EXT.6, X.509 Certificate Storage and Management, requires the TOE to implement the ability to store X.509 certificates.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: No dependencies.
FPT_TST_EXT.3/WLAN, TSF Cryptographic Functionality Testing (WLAN Client), requires the TOE or its platform to perform power on self-tests to verify its functionality and the integrity of its stored executable code.
No management functions are foreseen.
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation
FTA_WSE_EXT.1, Wireless Network Access, describes the ability of the TOE to apply administrative limits on the wireless networks that it can connect to.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FMT_SMF.1 Specification of Management Functions
FCS_TLSC_EXT.1/WLAN, TLS Client Protocol (EAP-TLS for WLAN), describes the ability of the TOE to implement the EAP-TLS protocol as a client.
FCS_TLSC_EXT.2/WLAN, TLS Client Support for Supported Groups Extension (EAP-TLS for WLAN), describes the ability of the TOE to present certain values in the Supported Groups extension when attempting to establish a TLS connection as a client.
There are no specific management functions identified.
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.2 Cryptographic Key Distribution
FCS_COP.1 Cryptographic Operation
FCS_RBG_EXT.1 Random Bit Generation
FIA_X509_EXT.1 X.509 Certificate Validation
FMT_SMR.1 Security Roles
There are no specific management functions identified.
There are no auditable events foreseen.
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this Module. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP provides evidence that these controls are present and have been evaluated.
This PP-Module has no implicitly satisfied requirements. All SFR dependencies are explicitly met either through SFRs defined by the PP-Module, SFRs inherited from the Base-PPs, or SFRs that are hierarchical to the listed dependency.Acronym | Meaning |
---|---|
AES | Advanced Encryption Standard |
AP | Access Point |
AS | Authentication Server |
Base-PP | Base Protection Profile |
CA | Certification Authority |
CBC | Cipher Block Chaining |
CC | Common Criteria |
CCEVS | Common Criteria Evaluation and Validation Scheme |
CCMP | Counter mode CBC-MAC Protocol |
CCTL | Common Criteria Test Laboratory |
CEM | Common Evaluation Methodology |
CSP | Critical Security Parameter |
EAP | Extensible Authentication Protocol |
EAPOL | EAP over LAN |
EP | Extended Package |
FIPS | Federal Information Processing Standards |
FP | Functional Package |
FQDN | Fully Qualified Domain Name |
GPOS | General-Purpose Operating System |
GTK | Group Temporal Key |
HMAC | Hash-Based Message Authentication Code |
IEC | International Electrotechnical Commission |
IEEE | Institute of Electrical and Electronics Engineers |
ISO | International Organization for Standardization |
IT | Information Technology |
KDF | Key Derivation Function |
LAN | Local Area Network |
MAC | Message Authentication Code (cryptography) or Media Control Address (system property) |
MDF | Mobile Device Fundamentals |
NIAP | National Information Assurance Partnership |
NVLAP | National Voluntary Laboratory Accreditation Program |
OE | Operational Environment |
OSP | Organizational Security Policy |
PAE | Port Access Entity |
PIN | Personal Identification Number |
PKI | Public Key Infrastructure |
PMK | Pairwise Master Key |
PP | Protection Profile |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
PRF | Pseudo-Random Function |
PTK | Pairwise Temporal Key |
RBG | Random Bit Generator |
RF | Radio Frequency |
RFC | Request for Comment |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
SFR | Security Functional Requirement |
SHA | Secure Hash Algorithm |
SSID | Service Set Identifier |
ST | Security Target |
ST | Security Target |
TLS | Transport Layer Security |
TOE | Target of Evaluation |
TOE | Target of Evaluation |
TSF | TOE Security Function |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |
TSS | TOE Summary Specification |
WLAN | Wireless Local Area Network |
WPA | Wireless Protected Access |
cPP | Collaborative Protection Profile |