User guide

ManualsBrandsAruba ManualsComputer equipment620

Aruba Networks Security Target

Page 55 of 67

NDPP

Source

Requirement

Assurance

Family

values for each trial. The first is a count (0 – 14). The next three are entropy

input, nonce, and personalization string for the instantiate operation. The next

two are additional input and entropy input for the first call to generate. The final

two are additional input and entropy input for the second call to generate. These

values are randomly generated. “generate one block of random bits” means to

generate random bits with number of returned bits equal to the Output Block

Length (as defined in NIST SP 800-90).

If the RBG does not have prediction resistance, each trial consists of (1)

instantiate drbg, (2) generate the first block of random bits (3) reseed, (4)

generate a second block of random bits (5) uninstantiate. The evaluator verifies

that the second block of random bits is the expected value. The evaluator shall

generate eight input values for each trial. The first is a count (0 – 14). The next

three are entropy input, nonce, and personalization string for the instantiate

operation. The fifth value is additional input to the first call to generate. The sixth

and seventh are additional input and entropy input to the call to reseed. The final

value is additional input to the second generate call.

The following paragraphs contain more information on some of the input values

to be generated/selected by the evaluator.

Entropy input: the length of the entropy input value must equal the seed length.

Nonce: If a nonce is supported (CTR_DRBG with no df does not use a nonce),

the nonce bit length is one-half the seed length.

Personalization string: The length of the personalization string must be <=

seed length. If the implementation only supports one personalization string

length, then the same length can be used for both values. If more than one

string length is support, the evaluator shall use personalization strings of two

different lengths. If the implementation does not use a personalization string, no

value needs to be supplied.

Additional input: the additional input bit lengths have the same defaults and

restrictions as the personalization string lengths.

14.

FCS_HTTP

S_EXT.1

The evaluator shall check the TSS to ensure that it is clear on how HTTPS uses

TLS to establish an administrative session, focusing on any client authentication

required by the TLS protocol vs. Security administrator authentication which may

be done at a different level of the processing stack. Testing for this activity is

done as part of the TLS testing; this may result in additional testing if the TLS

tests are done at the TLS protocol level.

ASE_TSS

15.

FCS_TLS_

EXT.1

The evaluator shall check the description of the implementation of this protocol in

the TSS to ensure that optional characteristics (e.g., extensions supported, client

authentication supported) are specified, and the ciphersuites supported are

specified as well. The evaluator shall check the TSS to ensure that the

ciphersuites specified are identical to those listed for this component. The

evaluator shall also check the operational guidance to ensure that it contains

instructions on configuring the TOE so that TLS conforms to the description in

the TSS (for instance, the set of ciphersuites advertised by the TOE may have to

be restricted to meet the requirements). The evaluator shall also perform the

following test:

Test 1: The evaluator shall establish a TLS connection using each of the

ciphersuites specified by the requirement. This connection may be established

ASE_TSS

ATE_IND