Hardware manual
Version 1.1, 03/31/2015
GSS CCT Evaluation Technical Report Page 27 of 56 © 2015 Gossamer Security Solutions, Inc.
Document: AAR-BrocadeNetIron5.8 All rights reserved.
The evaluator shall also perform the following test:
Test 1: The evaluator shall establish an SSH connection using each of the integrity algorithms specified by the
requirement. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the
intent of the test.
This test was completed in conjunction with FCS_SSH_EXT.1.5. The evaluator used the SecureCRT client to connect
to the TOE using AES 128 and AES 256 encryption and hmac-sha1 (the only applicable integrity algorithm). The
evaluator captured the network traffic and verified the algorithm.
2.2.9.7 FCS_SSH_EXT.1.7
TSS Assurance Activities: If this capability is 'hard-coded' into the TOE, the evaluator shall check the TSS to ensure
that this is stated in the discussion of the SSH protocol.
Section 6.2 indicates that DH14 is a supported key exchange method.
Guidance Assurance Activities: The evaluator shall ensure that operational guidance contains configuration
information that will allow the security administrator to configure the TOE so that all key exchanges for SSH are
performed using DH group 14 and any groups specified from the selection in the ST.
The ST identifies the ciphers, hashes, and authentication methods as indicated in the TSS findings above.
The Common Criteria Certification (section 3) of the FIPS guide indicates that, while operating in CC mode,
diffie-hellman-group1-sha1 is disabled and only diffie-hellman-group14-sha1 is supported.
Testing Assurance Activities: The evaluator shall also perform the following test:
Test 1: The evaluator shall attempt to perform a diffie-hellman-group1-sha1 key exchange, and observe that the
attempt fails. For each allowed key exchange method, the evaluator shall then attempt to perform a key exchange
using that method, and observe that the attempt succeeds.
The evaluator was able to observe from previous tests that diffie-hellman-group14-sha1 key exchange was used in
all negotiations. The evaluator attempted a diffie-hellman-group1-sha1 key exchange and the request was
rejected.
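The on-the-wire checks described for FCS_SSH_EXT.1.6 and FCS_SSH_EXT.1.7 can be reproduced from a capture by decoding the cleartext SSH_MSG_KEXINIT payloads (RFC 4253, section 7.1) and applying the first-client-match rule. The following is an added example, not part of the evaluation report or the evaluator's tooling; the function names and the sample KEXINIT contents are constructed for illustration and assume the payload has already been extracted from the SSH binary packet framing.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # type byte + zeroed cookie
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + bytes(4)    # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the name-lists from a KEXINIT payload taken from a capture."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        text = payload[pos:pos + size].decode("ascii")
        lists[name] = text.split(",") if text else []
        pos += size
    return lists

def negotiated(client, server, field):
    """First name on the client's list that the server also lists, else None.
    (Simplified for kex: RFC 4253 also requires a compatible host key algorithm.)"""
    return next((a for a in client[field] if a in server[field]), None)

# Constructed sample data: a server offering only what the page names for CC mode.
MACS = {"mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]}
SERVER = parse_kexinit(build_kexinit({"kex": ["diffie-hellman-group14-sha1"], **MACS}))
GROUP1_CLIENT = parse_kexinit(build_kexinit({"kex": ["diffie-hellman-group1-sha1"], **MACS}))
GROUP14_CLIENT = parse_kexinit(build_kexinit(
    {"kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], **MACS}))

if __name__ == "__main__":
    for label, client in (("group1-only", GROUP1_CLIENT), ("group14", GROUP14_CLIENT)):
        print(label, negotiated(client, SERVER, "kex"), negotiated(client, SERVER, "mac_c2s"))
```

A result of None for the key exchange field corresponds to the rejected diffie-hellman-group1-sha1 attempt: the two sides share no key exchange method, so the connection cannot proceed.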
2.2.10 EXPLICIT: TLS (FCS_TLS_EXT.1)
2.2.10.1 FCS_TLS_EXT.1.1