Specifications

Brocade MLX and NetIron® Family Devices with Multi-Service IronWare R05.7.00
Security Target Version 1., July 15, 2014
FCS_SSH_EXT.1.5
The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [no other public
key algorithms] as its public key algorithm(s).
Assurance Activity:
The assurance activity associated with FCS_SSH_EXT.1.4 verifies this requirement.
FCS_SSH_EXT.1.6
The TSF shall ensure that data integrity algorithms used in SSH transport connection is
[hmac-sha1].
Assurance Activity:
The evaluator shall check the TSS to ensure that it lists the supported data integrity algorithms,
and that that list corresponds to the list in this component. The evaluator shall also check the
operational guidance to ensure that it contains instructions to the administrator on how to ensure
that only the allowed data integrity algorithms are used in SSH connections with the TOE
(specifically, that the 'none' MAC algorithm is not allowed). The evaluator shall also perform the
following test:
Test 1: The evaluator shall establish a SSH connection using each of the integrity
algorithms specified by the requirement. It is sufficient to observe (on the wire) the
successful negotiation of the algorithm to satisfy the intent of the test.
FCS_SSH_EXT.1.7
The TSF shall ensure that diffie-hellman-group14-sha1 and [no other methods] are the only
allowed key exchange method used for the SSH protocol.
Assurance Activity:
The evaluator shall ensure that operational guidance contains configuration information that will
allow the security administrator to configure the TOE so that all key exchanges for SSH are
performed using DH group 14 and any groups specified from the selection in the ST. If this
capability is 'hard-coded' into the TOE, the evaluator shall check the TSS to ensure that this is
stated in the discussion of the SSH protocol. The evaluator shall also perform the following test:
Test 1: The evaluator shall attempt to perform a diffie-hellman-group1-sha1 key
exchange, and observe that the attempt fails. For each allowed key exchange method,
the evaluator shall then attempt to perform a key exchange using that method, and
observe that the attempt succeeds.
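
The on-the-wire observation called for in the FCS_SSH_EXT.1.6 and FCS_SSH_EXT.1.7 tests can be made from the TOE's unencrypted SSH_MSG_KEXINIT message, which lists every algorithm it offers. The following added example (not part of the Security Target or of the vendor's code) parses that payload per RFC 4253 section 7.1 and flags any offered name outside the sets stated in FCS_SSH_EXT.1.5 through 1.7. It assumes `ssh-rsa` is the wire name for SSH_RSA; the helper names and both sample payloads are constructed for illustration.

```python
import struct

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Allowed sets from FCS_SSH_EXT.1.5, 1.6 and 1.7 as stated in this ST.
# Assumption: "ssh-rsa" is the wire name corresponding to the ST's SSH_RSA.
ALLOWED = {"kex": {"diffie-hellman-group14-sha1"}, "host_key": {"ssh-rsa"},
           "mac_c2s": {"hmac-sha1"}, "mac_s2c": {"hmac-sha1"}}

def parse_kexinit(payload):
    """Return {field: [names]} from the payload of an SSH_MSG_KEXINIT packet."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}          # skip message type (1) + cookie (16)
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        end = offset + 4 + length
        if end > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset + 4:end].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset = end
    return lists

def violations(lists):
    """List (field, name) pairs offered outside the ST's allowed sets."""
    bad = []
    for field, allowed in ALLOWED.items():
        offered = lists[field]
        if not offered:
            bad.append((field, "<empty>"))
        bad.extend((field, name) for name in offered if name not in allowed)
    return bad

def build_kexinit(**names):
    """Build a constructed sample payload; unspecified name-lists are empty."""
    body = b"\x14" + bytes(16)      # message type 20 + all-zero cookie
    for field in FIELDS:
        data = ",".join(names.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed samples, not captures from a real device (cipher lists left empty).
COMPLIANT = build_kexinit(kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
                          mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"])
WEAK = build_kexinit(kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                     host_key=["ssh-rsa"], mac_c2s=["hmac-sha1", "none"], mac_s2c=["hmac-sha1"])
```

`violations(parse_kexinit(payload))` returns an empty list when the offer matches the ST; the encryption name-lists are parsed but not checked because FCS_SSH_EXT.1.4 is not reproduced in this section.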
5.1.2.10 Explicit: TLS (FCS_TLS_EXT.1)
FCS_TLS_EXT.1.1
The TSF shall implement one or more of the following protocols [TLS 1.0 (RFC 2246)]
supporting the following ciphersuites:
Mandatory Ciphersuites:
TLS_RSA_WITH_AES_128_CBC_SHA,
Optional Ciphersuites:
[TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA].
Assurance Activity:
The evaluator shall check the description of the implementation of this protocol in the TSS to
ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure
that the ciphersuites specified are identical to those listed for this component. The evaluator shall