241 | 241 | <sec:Security_Requirements title="Security Requirements"> |
242 | 242 | <!-- 5.1 TOE Security Functional Requirements --> |
243 | 243 | <base-pp id="bpp-app" name="Application Software" product="Application" short="App" version="2.0"> |
244 | | - </base-pp> |
| 244 | + <git> |
| 245 | + <url>https://github.com/commoncriteria/application</url> |
| 246 | + <branch>release-2.0</branch> |
| 247 | + |
| 248 | + </git> |
| 249 | + <url>https://www.niap-ccevs.org/protectionprofiles/516</url> |
| 250 | + |
| 251 | + <modified-sfrs> |
| 252 | + |
| 253 | + <sec:mod_fcs title="Cryptographic Support (FCS)"> |
| 254 | + <f-component cc-id="fcs_ckm_ext.1" name="Cryptographic Key Generation Services"> |
| 255 | + <consistency-rationale> |
| 256 | + This SFR is changed from its definition in the App PP to remove one of the available selection options because |
| 257 | + it will never apply in the case where the TOE conforms to this PP-Module. |
| 258 | + </consistency-rationale> |
| 259 | + <f-element id="fel-asym-key-gen"> |
| 260 | + <title>The application shall <selectables linebreak="yes"> |
| 261 | + <selectable><h:s>generate no asymmetric cryptographic keys</h:s></selectable> |
| 262 | + <selectable id="sel_invoke_genkey">invoke platform-provided functionality for asymmetric key generation</selectable> |
| 263 | + <selectable id="sel_impl_genkey">implement asymmetric key generation</selectable> |
| 264 | + </selectables>. |
| 265 | + </title> |
| 266 | + <note role="application">This SFR is modified from its Base-PP definition to remove the |
| 267 | + selection for the TOE not requiring asymmetric key generation. |
| 268 | + </note> |
| 269 | + <aactivity> |
| 270 | + <no-tests> |
| 271 | + There is no change to the Base-PP EAs for this SFR when this PP-Module is |
| 272 | + claimed, aside from the fact that the materials for the selections that have been |
| 273 | + refined out of this SFR are not applicable. |
| 274 | + </no-tests> |
| 275 | + </aactivity> |
| 276 | + </f-element> |
| 277 | + </f-component> |
| 278 | + |
| 279 | + <f-component cc-id="fcs_https_ext.1" iteration="Client" name="HTTPS Protocol"> |
| 280 | + <consistency-rationale> |
| 281 | + This SFR is unchanged from its definition in the App PP; |
| 282 | + the SFR is recategorized from selection-based to mandatory |
| 283 | + when the TOE conforms to this PP-Module. |
| 284 | + </consistency-rationale> |
| 285 | + <description> |
| 286 | + This SFR is recategorized from selection-based to mandatory |
| 287 | + when the TOE conforms to this PP-Module, and the modification that this PP-Module makes to FTP_DIT_EXT.1. |
| 288 | + </description> |
| 289 | + </f-component> |
| 290 | + |
| 291 | + <f-component cc-id="fcs_rbg_ext.1" name="Random Bit Generation Services"> |
| 292 | + <consistency-rationale>This SFR is changed from its definition in the App PP to remove one of the available selection options because it will never apply in the case where the TOE conforms to this PP-Module.</consistency-rationale> |
| 293 | + <f-element id="fel-rbg"> |
| 294 | + <title> The application shall |
| 295 | + <selectables linebreak="yes"> |
| 296 | + <selectable><h:s>use no DRBG functionality</h:s></selectable> |
| 297 | + <selectable>invoke platform-provided DRBG functionality</selectable> |
| 298 | + <selectable id="drbg">implement DRBG functionality</selectable> |
| 299 | + </selectables> for its cryptographic operations. </title> |
| 300 | + <note role="application">This SFR is modified from its Base-PP definition to remove the |
| 301 | + selection for the TOE using no DRBG functionality. |
| 302 | + </note> |
| 303 | + <aactivity> |
| 304 | + <no-tests> |
| 305 | + There is no change to the Base-PP EAs for this SFR when this PP-Module is claimed, |
| 306 | + aside from the fact that the materials for the selections that have been |
| 307 | + refined out of this SFR are not applicable. |
| 308 | + </no-tests> |
| 309 | + </aactivity> |
| 310 | + </f-element> |
| 311 | + </f-component> |
| 312 | + |
| 313 | + </sec:mod_fcs> |
| 314 | + |
| 315 | + |
| 316 | + |
| 317 | + |
| 318 | + <sec:mod_ftp title="Trusted Path/Channels (FTP)"> |
| 319 | + <f-component cc-id="ftp_dit_ext.1" name="Protection of Data in Transit"> |
| 320 | + <consistency-rationale>This SFR is changed from its definition in the App PP to mandate the protection of sensitive data using only specified protocols.</consistency-rationale> |
| 321 | + <f-element id="fel-transmit"> |
| 322 | + <title>The application shall |
| 323 | + <selectables linebreak="yes"> |
| 324 | + <selectable><h:s>not transmit any |
| 325 | + <selectables onlyone="yes"> |
| 326 | + <selectable>data</selectable> |
| 327 | + <selectable>sensitive data</selectable></selectables> |
| 328 | + </h:s></selectable> |
| 329 | + <selectable>encrypt all transmitted |
| 330 | + [<h:b>sensitive data</h:b>] |
| 331 | + with |
| 332 | + <selectables> |
| 333 | + <selectable >HTTPS as a client in accordance with FCS_HTTPS_EXT.1<h:b> for web browsing</h:b></selectable> |
| 334 | + <selectable ><h:s>HTTPS as a server in accordance with FCS_HTTPS_EXT.1</h:s></selectable> |
| 335 | + <!-- <selectable id="sel_all_https_ma">HTTPS as a server using mutual authentication in accordance with FCS_HTTPS_EXT.2</selectable> --> |
| 336 | + <selectable ><h:s>TLS as a server as defined in <xref to="pkg-tls"/> and also supports functionality for |
| 337 | + <selectables><selectable>mutual authentication</selectable><selectable>none</selectable></selectables></h:s></selectable> |
| 338 | + <selectable id="sel_all_tlsc">TLS as a client as defined in <xref to="pkg-tls"/></selectable> |
| 339 | + <selectable><h:s>DTLS as a server as defined in <xref to="pkg-tls"/> and also supports functionality for |
| 340 | + <selectables><selectable>mutual authentication</selectable><selectable>none</selectable></selectables></h:s></selectable> |
| 341 | + <selectable id="sel_all_dtlsc">DTLS as a client as defined in <xref to="pkg-tls"/> </selectable> |
| 342 | + <selectable><h:s>SSH as defined in the <xref to="pkg-ssh"/></h:s></selectable> |
| 343 | + <selectable><h:s>IPsec as defined in the |
| 344 | + VPN Client PP-Module, version 2.6</h:s></selectable></selectables> |
| 345 | + for [<h:b>web browsing</h:b>] |
| 346 | + using certificates as defined in the <h:a href="https://www.niap-ccevs.org/protectionprofiles/511"> |
| 347 | + Functional Package for X.509</h:a> |
| 348 | + </selectable> |
| 349 | + <selectable>invoke platform-provided functionality to encrypt all transmitted |
| 350 | + sensitive data with |
| 351 | + <selectables> |
| 352 | + <selectable>HTTPS</selectable> |
| 353 | + <selectable>TLS</selectable> |
| 354 | + <selectable>DTLS</selectable> |
| 355 | + <selectable><h:s>SSH</h:s></selectable> |
| 356 | + <selectable><h:s>IPsec</h:s></selectable> |
| 357 | + </selectables> for [<h:b>web browsing</h:b>] |
| 358 | + using certificates as defined in the <h:a href="https://www.niap-ccevs.org/protectionprofiles/511"> |
| 359 | + Functional Package for X.509</h:a> |
| 360 | + </selectable> |
| 361 | + <selectable><h:s>invoke platform-provided functionality to encrypt all transmitted |
| 362 | + data with |
| 363 | + <selectables> |
| 364 | + <selectable>HTTPS</selectable> |
| 365 | + <selectable>TLS</selectable> |
| 366 | + <selectable>DTLS</selectable> |
| 367 | + <selectable>SSH</selectable> |
| 368 | + <selectable>IPsec</selectable> |
| 369 | + </selectables> for <assignable>function(s)</assignable> |
| 370 | + using certificates as defined in the <h:a href="https://www.niap-ccevs.org/protectionprofiles/511"> |
| 371 | + Functional Package for X.509</h:a> |
| 372 | + </h:s></selectable> |
| 373 | + </selectables> between itself and another trusted IT product. |
| 374 | + </title> |
| 375 | + <note role="application">This SFR is modified from its definition in the App PP to require |
| 376 | + that the TOE or its platform supports HTTPS, TLS, and DTLS, and that its use of these |
| 377 | + protocols is only limited to sensitive data. |
| 378 | + A conformant TOE must support the use of HTTPS, TLS, and DTLS for secure web browsing |
| 379 | + but is permitted to interact with non-sensitive content over an untrusted channel.<h:p/> |
| 380 | + Either the TOE or its platform is permitted to implement TLS and DTLS. If the TOE |
| 381 | + implements these protocols, FCS_DTLSC_EXT.1, FCS_DTLSC_EXT.2, FCS_TLS_EXT.1, |
| 382 | + FCS_TLSC_EXT.1, and FCS_TLSC_EXT.2 from the TLS package must be claimed at minimum |
| 383 | + because a web browser is required to support mutually-authenticated TLS and DTLS. |
| 384 | + Dependent claims from the Functional Package for X.509 must be made to support the |
| 385 | + X.509 validation functionality that is required for these protocols.</note> |
| 386 | + <aactivity> |
| 387 | + <no-tests> |
| 388 | + There is no change to the Base-PP EAs for this SFR when this PP-Module is |
| 389 | + claimed, aside from the fact that the materials for the selections that have |
| 390 | + been refined out of this SFR are not applicable. |
| 391 | + </no-tests> |
| 392 | + </aactivity> |
| 393 | + </f-element> |
| 394 | + </f-component> |
| 395 | + |
| 396 | + </sec:mod_ftp> |
| 397 | + |
| 398 | + </modified-sfrs> |
| 399 | + |
| 400 | + <additional-sfrs/> |
| 401 | + |
| 402 | + <con-toe> |
| 403 | + If this PP-Module is used to extend the App PP, the TOE type for the overall TOE is still a software |
| 404 | + application. |
| 405 | + The TOE boundary is simply extended to include the web browser functionality that is built into the |
| 406 | + application so that additional security functionality is claimed within the scope of the TOE. |
| 407 | + <h:p/> |
| 408 | + The only asset for the TOE is the software executable and sensitive data that comprises the TOE. The |
| 409 | + entire TOE as defined by the combination of the |
| 410 | + Base-PP and this PP-Module is a single asset. The only differences to the threat model are that the |
| 411 | + PP-Module introduces the concept of add-ons, which |
| 412 | + introduces the threat of an add-on being flawed in some way, and that the PP-Module introduces the |
| 413 | + concept of a same-origin violation, which |
| 414 | + occurs through a use case specific to web browser applications. |
| 415 | + </con-toe> |
| 416 | + |
| 417 | + <con-sec-prob> |
| 418 | + Listed below are the threats, objectives, and OSPs defined in this PP-Module with rationale for their |
| 419 | + consistency with the App PP. |
| 420 | + The PP-Module shares the |
| 421 | + executable application asset with the App PP but defines additional threats because the PP-Module |
| 422 | + defines a specific type of software application |
| 423 | + with potential exploits that are common to the application type. |
| 424 | + <h:br/><h:br/> |
| 425 | + Note that the PP-Module is implicitly consistent with any claimed functional packages because |
| 426 | + the applicable functional packages do not have |
| 427 | + security problem definitions of their own; per section 2, any claimed functional package is |
| 428 | + intended to support the O.PROTECTED_COMMS objective in the |
| 429 | + App PP, which helps mitigate the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats in that PP. |
| 430 | + |
| 431 | + </con-sec-prob> |
| 432 | + <con-obj> |
| 433 | + Listed below are the security objectives defined in this PP-Module with rationale for their |
| 434 | + consistency with the App PP. The PP-Module shares the |
| 435 | + executable application asset with the App PP but defines additional security objectives because |
| 436 | + the PP-Module defines a specific type of software application |
| 437 | + with security functionality that is common to the application type. |
| 438 | + <h:br/><h:br/> |
| 439 | + Note that the PP-Module is implicitly consistent with any claimed functional packages because the |
| 440 | + applicable functional packages do not have |
| 441 | + TOE objectives of their own; per section 2, any claimed functional package is intended to support |
| 442 | + the O.PROTECTED_COMMS objective in the App PP. |
| 443 | + </con-obj> |
| 444 | + <con-op-en> |
| 445 | + This PP-Module does not define any objectives for the TOE's operational environment. |
| 446 | + </con-op-en> |
| 447 | + </base-pp> |
245 | 448 |
|
246 | 449 | <man-sfrs> |
247 | 450 | <!-- 5.1.1 User Data Protection (FDP) --> |
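Review bot: the `<description>` for fcs_https_ext.1 (iteration "Client") is an unfinished sentence: "...when the TOE conforms to this PP-Module, and the modification that this PP-Module makes to FTP_DIT_EXT.1." has no verb for its second clause and otherwise repeats the `<consistency-rationale>` directly above it. Suggest either dropping the `<description>` or completing the thought, e.g. "...when the TOE conforms to this PP-Module, and it supports the modification that this PP-Module makes to FTP_DIT_EXT.1." Two smaller points in the same hunk: in fel-transmit the first protocol selectable already reads "HTTPS as a client in accordance with FCS_HTTPS_EXT.1 for web browsing", and the enclosing selectable then appends "for [web browsing]" again, so that option renders "for web browsing" twice; and the IPsec selectable pins "VPN Client PP-Module, version 2.6" as literal text where the TLS and SSH references use `<xref to="pkg-tls"/>` and `<xref to="pkg-ssh"/>`, so it will silently go stale when the VPN Client module is revised.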
|