Specifications

ManualsBrandsAruba ManualsComputer equipment620

Security Target Version 1.0 9/29/2014

may have to be restricted to meet the requirements). The evaluator shall also perform the

following test:

Test 1: The evaluator shall establish a SSH connection using each of the encryption algorithms

specified by the requirement. It is sufficient to observe (on the wire) the successful negotiation of

a protocol to satisfy the intent of the test.

FCS_SSH_EXT.1.7

The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [no other public

key algorithms] as its public key algorithm(s).

Assurance Activity:

The assurance activity associated with FCS_SSH_EXT.1.4 verifies this requirement.

FCS_SSH_EXT.1.8

The TSF shall ensure that the data integrity algorithm used in the SSH transport connection is

hmac-sha1 and [hmac-sha1-96].

Assurance Activity:

The evaluator shall check the TSS to ensure that it lists the supported data integrity algorithms,

and that that list corresponds to the list in this component. The evaluator shall also check the

operational guidance to ensure that it contains instructions to the administrator on how to ensure

that only the allowed data integrity algorithms are used in SSH connections with the TOE

(specifically, that the 'none' MAC algorithm is not allowed).

FCS_SSH_EXT.1.9

The TSF shall ensure that diffie-hellman-group14-sha1 is the only allowed key exchange method

used for the SSH protocol.

Assurance Activity:

The evaluator shall ensure that operational guidance contains configuration information that will

allow an authorized administrator to configure the TOE so that all key exchanges for SSH are

performed using DH group 14. If this capability is 'hard-coded' into the TOE, the evaluator shall

check the TSS to ensure that this is stated in the discussion of the SSH protocol. The evaluator

shall also perform the following test:

Test 1: The evaluator shall attempt to perform a diffie-hellman-group1-sha1 key exchange, and

observe that the attempt fails. The evaluator shall then attempt to perform a diffie-hellman-

group14-sha1 key exchange, and observe that the attempt succeeds.

5.2.2.15 Extended: Transport Layer Security (TLS) (FCS_TLS_EXT.1)

FCS_TLS_EXT.1.1

The TSF shall implement one or more of the following protocols [TLS 1.0 (RFC 2246), TLS 1.1

(RFC 4346), and TLS 1.2 (RFC 5246)] supporting the following ciphersuites:

Mandatory Ciphersuites:

TLS_RSA_WITH_AES_128_CBC_SHA,

TLS_RSA_WITH_AES_256_CBC_SHA,

TLS_DHE_RSA_WITH_AES_128_CBC_SHA,

TLS_DHE_RSA_WITH_AES_256_CBC_SHA;

Optional Ciphersuites:

[

TLS_RSA_WITH_AES_128_CBC_SHA256,

TLS_RSA_WITH_AES_256_CBC_ SHA256,

TLS_DHE_RSA_WITH_AES_128_CBC_ SHA256,

TLS_DHE_RSA_WITH_AES_256_CBC_ SHA256,

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,