Specifications
Security Target Version 1.0 9/29/2014
86
• FCS_IPSEC_EXT.1: Requires the TOE provide a mechanism that creates a distinct communication
channel between the TOE and both remote administrators and trusted IT entities that protects the data that
traverse this channel from disclosure or modification.
• FCS_SSH_EXT.1: Requires the TOE provide a mechanism that creates a distinct communication channel
between the TOE and both remote administrators and trusted IT entities that protects the data that traverse
this channel from disclosure or modification.
• FCS_TLS_EXT.1: Requires the TOE provide a mechanism that creates a distinct communication channel
between the TOE and both remote administrators and trusted IT entities that protects the data that traverse
this channel from disclosure or modification.
• FIA_PSK_EXT.1: Requires the TOE support the formation of strong pre-shared keys (either though a large
character set for text-based pre-shared keys, or through generation by the TOE's (or an off-box) RBG
function) that can be used to mutually authenticate the TOE and its communication partner.
• FIA_UIA_EXT.1: Requires administrators (including remote administrators) to be identified and
authenticated by the TOE, providing assurance for that end of the communication path.
• FTP_ITC.1: Requires the TOE provide a mechanism that creates a distinct communication channel
between the TOE and both remote administrators and trusted IT entities that protects the data that traverse
this channel from disclosure or modification.
• FTP_TRP.1: Requires the TOE provide a mechanism that creates a distinct communication channel
between the TOE and both remote administrators and trusted IT entities that protects the data that traverse
this channel from disclosure or modification.
8.2.1.2 O.CRYPTOGRAPHIC_FUNCTIONS
The TOE shall provide cryptographic functions (i.e., encryption/decryption and digital signature
operations) to maintain the confidentiality and allow for detection of modification of TSF data that is
transmitted between physically separated portions of the TOE, or stored outside the TOE.
This TOE Security Objective is satisfied by ensuring that:
• FCS_CKM.1(1): Generates symmetric and asymmetric key, respectively. These keys are used by the AES
encryption/decryption functionality specified in FCS_COP.1(5) and used for cryptographic signatures as
specified in FCS_COP.1(2).
• FCS_CKM.1(2): Generates symmetric and asymmetric key, respectively. These keys are used by the AES
encryption/decryption functionality specified in FCS_COP.1(5) and used for cryptographic signatures as
specified in FCS_COP.1(2).
• FCS_CKM.2(1): Assures that the distribution method of cryptographic keys for wireless client
communications are in accordance with a standard and do not get exposed.
• FCS_CKM.2(2): Assures that the distribution method of cryptographic keys for wireless client
communications are in accordance with a standard and do not get exposed.
• FCS_CKM_EXT.4: Provides the functionality for ensuring key and key material is zeroized. This applies
not only to key that resides in the TOE, but also to intermediate areas (physical memory, page files,
memory dumps, etc.) where key material may appear.
• FCS_COP.1(1): Specifies that AES be used to perform encryption and decryption operations for the
various protocols specified in the PP.
• FCS_COP.1(2): Requires a digital signature capability be implemented in the TOE for trusted updates and
certificate operations associated with identification and authentication of authorized IT entities and remote
administrators.
• FCS_COP.1(3): Requires that the TSF provide hashing services using an implementation of the Secure
Hash Algorithm algorithms for data integrity verification and non-data integrity operations.
• FCS_COP.1(4): Requires that the TSF provide hashing services using an implementation of the Secure
Hash Algorithm algorithms for data integrity verification and non-data integrity operations.
• FCS_COP.1(5): Specifies that AES be used to perform encryption and decryption operations for the
various protocols specified in the PP.
• FCS_RBG_EXT.1: Ensures that keying material is robustly generated.
• FIA_X509_EXT.1: Requires that the certificates used to support many of the cryptographic operations
previously mentioned conform to an appropriate standard.