Specifications

Security Target Version 1.0 9/29/2014

Component Assurance Activity:

The evaluator shall use the key pair generation portions of 'The FIPS 186-3 Digital Signature

Algorithm Validation System (DSA2VS)', 'The FIPS 186-3 Elliptic Curve Digital Signature

Algorithm Validation System (ECDSA2VS)', and 'The RSA Validation System (RSA2VS)' as a

guide in testing the requirement above, depending on the selection performed by the ST author.

This will require that the evaluator have a trusted reference implementation of the algorithms that

can produce test vectors that are verifiable during the test.

In order to show that the TSF implementation complies with 800-56A and/or 800-56B, depending

on the selections made, the evaluator shall ensure that the TSS contains the following information:

The TSS shall list all sections of the appropriate 800-56 standard(s) to which the TOE

complies.

For each applicable section listed in the TSS, for all statements that are not 'shall' (that is,

'shall not', 'should', and 'should not'), if the TOE implements such options it shall be

described in the TSS. If the included functionality is indicated as 'shall not' or 'should not'

in the standard, the TSS shall provide a rationale for why this will not adversely affect the

security policy implemented by the TOE;

For each applicable section of 800-56A and 800-56B (as selected), any omission of

functionality related to 'shall' or 'should' statements shall be described;

Any TOE-specific extensions, processing that is not included in the documents, or

alternative implementations allowed by the documents that may impact the security

requirements the TOE is to enforce shall be described.

5.2.2.3 Cryptographic Key Distribution (PMK) (FCS_CKM.2(1))

FCS_CKM.2.1(1)

Refinement: The TSF shall distribute the 802.11 Pairwise Master Key in accordance with a

specified cryptographic key distribution method: [receive from 802.1X Authorization Server] that

meets the following: [802.11-2007] and does not expose the cryptographic keys.

Component Assurance Activity:

The evaluator shall examine the TSS to determine that it describes how the PMK is transferred

(that is, through what EAP attribute) to the TSF.

The evaluator shall perform the following test:

Test 1: The evaluator shall establish a session between the TOE and a RADIUS server according

to the configuration guidance provided. The evaluator shall then examine the traffic that passes

between the RADIUS server and the TOE during a successful attempt to connect a wireless client

to the TOE to determine that the PMK is not exposed.

5.2.2.4 Cryptographic Key Distribution (GTK) (FCS_CKM.2(2))

FCS_CKM.2.1(2)

Refinement: The TSF shall distribute Group Temporal Key in accordance with a specified

cryptographic key distribution method: [AES Key Wrap in an EAPOL-Key frame] that meets the

following: [RFC 3394 for AES Key Wrap, 802.11-2007 for the packet format and timing

considerations] and does not expose the cryptographic keys.

Component Assurance Activity:

The evaluator shall check the TSS to ensure that it describes how the GTK is wrapped prior to be

distributed using the AES implementation specified in this PP, and also how the GTKs are