Specifications
Security Target Version 1.0 9/29/2014
45
specified in the requirement. The evaluator shall then, for each set of rules, compose passwords
that both meet the requirements, and fail to meet the requirements, in some way. For each
password, the evaluator shall verify that the composition rules are enforced. While the evaluator is
not required (nor is it feasible) to test all possible composition rules, the evaluator shall ensure that
all characters, rule characteristics, and a minimum length listed in the requirement are supported,
and justify the subset of those characters chosen for testing.
Test 2: The evaluator shall ensure that the operational guidance contains instructions on setting the
maximum password lifetime. The evaluator shall then configure this lifetime to several values, and
ensure that it is enforced for each of those values.
Test 3: The evaluator shall test that a minimum of 4 character changes from previous passwords is
enforced. This shall be done for more than one password.
5.2.4.4 Extended: Pre-Shared Key Composition (FIA_PSK_EXT.1)
FIA_PSK_EXT.1.1
The TSF shall be able to use pre-shared keys for IPsec and [WPA2].
FIA_PSK_EXT.1.2
The TSF shall be able to accept text-based pre-shared keys that: are 22 characters and [maximum
64 characters] composed of any combination of upper and lower case letters, numbers, and
special characters (that include: '!', '@', '#', '$', '%', '^', '&', '*', '(', and ')').
FIA_PSK_EXT.1.3
The TSF shall condition the text-based pre-shared keys by using [PBKDF2].
FIA_PSK_EXT.1.4
The TSF shall be able to [accept] bit-based pre-shared keys.
Component Assurance Activity:
The evaluator shall examine the operational guidance to determine that it provides guidance to
administrators on the composition of strong text-based pre-shared keys, and (if the selection
indicates keys of various lengths can be entered) that it provides information on the merits of
shorter or longer pre-shared keys. The guidance must specify the allowable characters for pre-
shared keys, and that list must be a super-set of the list contained in FIA_PSK_EXT.1.2.
The evaluator shall examine the TSS to ensure that it identifies all protocols that allow both text-
based and bit-based pre-shared keys, and states that text-based pre-shared keys of 22 characters
are supported. For each protocol identified by the requirement, the evaluator shall confirm that the
TSS states the conditioning that takes place to transform the text-based pre-shared key from the
key sequence entered by the user (e.g., ASCII representation) to the bit string used by the protocol,
and that this conditioning is consistent with the last selection in the FIA_PSK_EXT.1.3
requirement.
The evaluator shall confirm the operational guidance contains instructions for either entering bit-
based pre-shared keys for each protocol identified in the requirement, or generating a bit-based
pre-shared key (or both). The evaluator shall also examine the TSS to ensure it describes the
process by which the bit-based pre-shared keys are generated (if the TOE supports this
functionality), and confirm that this process uses the RBG specified in FCS_RBG_EXT.1.
The evaluator shall also perform the following tests for each protocol (or instantiation of a
protocol, if performed by a different implementation on the TOE). Note that one or more of these
tests can be performed with a single test case.
Test 1: The evaluator shall compose a pre-shared key of 22 characters that contains a combination
of the allowed characters in accordance with the operational guidance, and demonstrates that a
successful protocol negotiation can be performed with the key.
Test 2 [conditional]: If the TOE supports pre-shared keys of multiple lengths, the evaluator shall