Specifications

Security Target Version 1.0 9/29/2014
34
The evaluator shall use tests from “The Counter with Cipher Block Chaining-Message
Authentication Code (CCM) Validation System (CCMVS)” as a guide in testing the requirement
above. This will require that the evaluator have a trusted reference implementation of the
algorithms that can produce test vectors that are verifiable during the test.
Additionally, the evaluator shall use tests from the IEEE 802.11-02/362r6 document “Proposed
Test vectors for IEEE 802.11 TGi”, dated September 10, 2002, Section 2.1 AES-CCMP
Encapsulation Example and Section 2.2 Additional AES CCMP Test Vectors to further verify the
IEEE 802.11-2007 implementation of AES-CCMP.
5.2.2.11 Extended: HTTP Security (HTTPS) (FCS_HTTPS_EXT.1)
FCS_HTTPS_EXT.1.1
The TSF shall implement the HTTPS protocol that complies with RFC 2818.
Assurance Activity:
In order to show that the TSF implements the RFCs correctly, the evaluator shall ensure that the
TSS contains the following information:
For each section of each applicable RFC listed for the FCS_HTTPS_EXT.1 elements, for
all statements that are not 'MUST' (for example, 'MAY', 'SHOULD', 'SHOULD NOT',
etc.), if the TOE implements such options it shall be described in the TSS. If the included
functionality is indicated as 'SHOULD NOT' or 'MUST NOT' in the standard, the TSS
shall provide a rationale for why this will not adversely affect the security policy
implemented by the TOE;
For each section of each RFC, any omission of functionality related to 'MUST' or
'SHOULD' statements shall be described;
Any TOE-specific extensions, processing that is not included in the standard, or
alternative implementations allowed by the standard that may impact the security
requirements the TOE is to enforce shall be described.
FCS_HTTPS_EXT.1.2
The TSF shall implement HTTPS using TLS as specified in FCS_TLS_EXT.1.
Assurance Activity:
The evaluator shall check the TSS to ensure that it is clear on how HTTPS uses TLS to establish
an administrative session, focusing on any client authentication required by the TLS protocol vs.
administrator authentication which may be done at a different level of the processing stack.
Testing for this activity is done as part of the TLS testing; this may result in additional testing if
the TLS tests are done at the TLS protocol level.
5.2.2.12 Extended: Internet Protocol Security (IPsec) Communications (FCS_IPSEC_EXT.1)
FCS_IPSEC_EXT.1.1
The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic
algorithms AES-CBC-128, AES-CBC-256 (both specified by RFC 3602), [AES-GCM-128, AES-
GCM-256 as specified in RFC 4106], and using [IKEv1 as defined in RFCs 2407, 2408, 2409,
RFC 4109, and [RFC 4868 for hash functions]; IKEv2 as defined in RFCs 5996 (with
mandatory support for NAT traversal as specified in section 2.23), 4307, and [RFC 4868 for
hash functions]] for connections to the Authentication Server and [[audit and NTP servers]].
Assurance Activity:
In order to show that the TSF implements the RFCs correctly, the evaluator shall ensure that the
TSS contains the following information:
For each section of each applicable RFC listed for the FCS_IPSEC_EXT.1 elements, for