P2600 SFRs Proposal
Brian Smithson / Ricoh
Yusuke Ohta / Ricoh
Meeting #23, Lexington KY

DRAFT NOTE: items marked with @@@ are placeholders, not final text!

Contents

SUMMARY
FAU SECURITY AUDIT
  FAU_GEN.1 Audit data generation
  FAU_GEN.2 User identity association
  FAU_SAR.1 Audit review
  FAU_SAR.2 Restricted audit review
  FAU_STG.1 Protected audit trail storage
  FAU_STG.4 Prevention of audit data loss
FCS CRYPTOGRAPHIC SUPPORT
  FCS_CKM.1 Cryptographic key generation
  FCS_CKM.4 Cryptographic key destruction
  FCS_COP.1 Cryptographic operation
FDP USER DATA PROTECTION
  FDP_ACC.1 Subset access control
  FDP_ACC.2 Complete access control
  FDP_ACF.1 Security attribute based access control
  FDP_IFC.1 Subset information flow control
  FDP_IFF.1 Simple security attributes
  FDP_RIP.1 Subset residual information protection
FIA IDENTIFICATION AND AUTHENTICATION
  FIA_AFL.1 Authentication failure handling
  FIA_ATD.1 User attribute definition
  FIA_SOS.1 Verification of secrets
  FIA_UAU.1 Timing of authentication
  FIA_UAU.6 Re-authenticating
  FIA_UAU.7 Protected authentication feedback
  FIA_UID.1 Timing of identification
  FIA_USB.1 User-subject binding
FMT SECURITY MANAGEMENT
  FMT_MSA.1 Management of security attributes
  FMT_MSA.2 Secure security attributes
  FMT_MSA.3 Static attribute initialisation
  FMT_MTD.1 Management of TSF data
  FMT_SMF.1 Specification of Management Functions
  FMT_SMR.1 Security roles
FPT PROTECTION OF THE TSF
  FPT_AMT.1 Abstract machine testing
  FPT_FLS.1 Failure with preservation of secure state
  FPT_RCV.1 Manual recovery
  FPT_RCV.2 Automated recovery
  FPT_STM.1 Reliable time stamps
  FPT_TST.1 TSF testing
FTA TOE ACCESS
  FTA_SSL.3 TSF-initiated termination
FTP TRUSTED PATHS/CHANNELS
  FTP_ITC.1 Inter-TSF trusted channel

P2600 SFRs Proposal (meeting 23) -- 1 -- Smithson, Ohta (Ricoh)

Summary

Security objectives met by each SFR, per Protection Profile (PP-A, PP-B, PP-C, PP-D), as annotated on each SFR below. "?" marks a mapping still under discussion; "-" means the SFR is not included in that PP.

SFR        PP-A                            PP-B                            PP-C                 PP-D
FAU_GEN.1  O.MONITOR                       O.MONITOR                       O.MONITOR            -
FAU_GEN.2  O.MONITOR                       O.MONITOR                       O.MONITOR?           -
FAU_SAR.1  O.MONITOR                       O.MONITOR                       O.MONITOR            -
FAU_SAR.2  O.MONITOR                       O.MONITOR                       O.MONITOR            -
FAU_STG.1  O.MONITOR                       O.MONITOR                       O.MONITOR            -
FAU_STG.4  O.MONITOR                       O.MONITOR                       O.MONITOR            -
FCS_CKM.1  O.PROTECT                       O.PROTECT                       -                    -
FCS_CKM.4  O.PROTECT                       O.PROTECT                       -                    -
FCS_COP.1  O.PROTECT                       O.PROTECT                       -                    -
FDP_ACC.1  -                               -                               -                    O.ACCESS
FDP_ACC.2  O.ACCESS                        O.ACCESS                        O.ACCESS             -
FDP_ACF.1  O.ACCESS                        O.ACCESS                        O.ACCESS             O.ACCESS
FDP_IFC.1  O.NETWORK                       O.NETWORK                       O.NETWORK            -
FDP_IFF.1  O.NETWORK                       O.NETWORK                       O.NETWORK            -
FDP_RIP.1  O.DELETE                        O.DELETE                        -                    -
FIA_AFL.1  O.I&A                           O.I&A                           O.I&A                -
FIA_ATD.1  O.I&A                           O.I&A                           O.I&A                O.I&A
FIA_SOS.1  O.I&A                           O.I&A                           -                    -
FIA_UAU.1  O.I&A                           O.I&A                           O.I&A                O.I&A?
FIA_UAU.6  O.I&A                           O.I&A                           O.I&A                -
FIA_UAU.7  O.I&A                           O.I&A                           O.I&A                -
FIA_UID.1  O.I&A, O.NETWORK                O.I&A, O.NETWORK                O.I&A, O.NETWORK     O.I&A
FIA_USB.1  O.I&A                           O.I&A                           O.I&A                O.I&A?
FMT_MSA.1  O.ACCESS, O.PROTECT, O.NETWORK  O.ACCESS, O.PROTECT, O.NETWORK  O.ACCESS, O.NETWORK  -
FMT_MSA.2  O.PROTECT                       O.PROTECT                       -                    -
FMT_MSA.3  O.NETWORK                       O.NETWORK                       O.NETWORK            -
FMT_MTD.1  O.ACCESS                        O.ACCESS                        O.ACCESS             -
FMT_SMF.1  O.ACCESS, O.NETWORK             O.ACCESS, O.NETWORK             O.ACCESS, O.NETWORK  O.ACCESS
FMT_SMR.1  O.ACCESS, O.PROTECT, O.NETWORK  O.ACCESS, O.PROTECT, O.NETWORK  O.ACCESS, O.NETWORK  O.ACCESS
FPT_AMT.1  O.GENUINE                       O.GENUINE                       O.GENUINE            -
FPT_FLS.1  O.RESILIENT                     O.RESILIENT                     O.RESILIENT          -
FPT_RCV.1  O.RESILIENT                     O.RESILIENT                     O.RESILIENT          -
FPT_RCV.2  O.RESILIENT                     O.RESILIENT                     O.RESILIENT          -
FPT_STM.1  O.MONITOR                       O.MONITOR                       O.MONITOR            -
FPT_TST.1  O.GENUINE                       O.GENUINE                       O.GENUINE            -
FTA_SSL.3  O.I&A                           O.I&A                           O.I&A                -
FTP_ITC.1  O.NETWORK                       O.NETWORK                       O.NETWORK            -
ADV_ARC.1  O.FAXONLY                       O.FAXONLY                       O.FAXONLY            -
ATE_FUN.1  (objective not given in this draft)

FAU Security Audit

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
{O.MONITOR: A|B|C}

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
• Start-up and shutdown of the audit functions;
• All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; and
• [assignment: other specifically defined auditable events].

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
• Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
• For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: other audit relevant information].

FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
              FIA_UID.1 Timing of identification
{O.MONITOR: A|B|C?}

FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
{O.MONITOR: A|B|C}

FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capability to read [assignment: list of audit information] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
{O.MONITOR: A|B|C}

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
{O.MONITOR: A|B|C}

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.

FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect] unauthorised modifications to the stored audit records in the audit trail.

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
{O.MONITOR: A|B|C}

FAU_STG.4.1 The TSF shall [selection, choose one of: "ignore auditable events", "prevent auditable events, except those taken by the authorised user with special rights", "overwrite the oldest stored audit records"] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.

FCS Cryptographic Support

FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
               FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
              FMT_MSA.2 Secure security attributes
{O.PROTECT: A|B}

FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].

FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
               FDP_ITC.2 Import of user data with security attributes, or
               FCS_CKM.1 Cryptographic key generation]
              FMT_MSA.2 Secure security attributes
{O.PROTECT: A|B}

FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards].

FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
               FDP_ITC.2 Import of user data with security attributes, or
               FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
              FMT_MSA.2 Secure security attributes
{O.PROTECT: A|B}

FCS_COP.1.1 The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].

FDP User Data Protection

FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
{O.ACCESS: D}
PP{D} app note: @@@ most likely applies only to administrative objects, so does it belong in FDP? @@@

FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP].

FDP_ACC.2 Complete access control
Hierarchical to: FDP_ACC.1 Subset access control
Dependencies: FDP_ACF.1 Security attribute based access control
{O.ACCESS: A|B|C}

FDP_ACC.2.1 The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects and objects] and all operations among subjects and objects covered by the SFP.

FDP_ACC.2.2 The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialization
{O.ACCESS: A|B|C|D}
PP{D} app note: @@@ most likely applies only to administrative objects, so does it belong in FDP? @@@

FDP_ACF.1.1 The TSF shall enforce the [assignment: access control SFP] to objects based on the following: [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes].

FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects].

FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].

FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
{O.NETWORK: A|B|C}

FDP_IFC.1.1 The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP].

FDP_IFF.1 Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
              FMT_MSA.3 Static attribute initialization
{O.NETWORK: A|B|C}

FDP_IFF.1.1 The TSF shall enforce the [assignment: information flow control SFP] based on the following types of subject and information security attributes: [assignment: list of subjects and information controlled under the indicated SFP, and for each, the security attributes].

FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: for each operation, the security attribute-based relationship that must hold between subject and information security attributes].

FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow control SFP rules].

FDP_IFF.1.4 The TSF shall provide the following [assignment: list of additional SFP capabilities].

FDP_IFF.1.5 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly authorise information flows].

FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly deny information flows].

FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.DELETE: A|B}
PP app note: @@@ apply to UDD, MD, UFD @@@

FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: [assignment: list of objects].

FIA Identification and Authentication

FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
{O.I&A: A|B|C}
PP{C} app note: may only be appropriate for administrator-related authentication events

FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].

FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [assignment: list of actions].

FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C|D}
PP app note: @@@ minimally, attributes should define roles required by Access Control and Information Flow SFPs, see @@@SFR about roles@@@
PP{D} app note: administrator role may be applicable to front panel controls?

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].

FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B}

FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].

FIA_UAU.1 Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
{O.I&A: A|B|C|D?}
PP app note: if no TSF-mediated actions can be performed on behalf of a user before the user is authenticated, then ST authors shall replace FIA_UAU.1 with FIA_UAU.2

FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF mediated actions] on behalf of the user to be performed before the user is authenticated.

FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.6 Re-authenticating
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C}

FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required].
PP app note: @@@ for example, after inactivity; see @@@session SFR@@@

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
{O.I&A: A|B|C}

FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in progress.

FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C|D} {O.NETWORK: A|B|C}
PP app note: if no TSF-mediated actions can be performed on behalf of a user before the user is identified, then ST authors shall replace FIA_UID.1 with FIA_UID.2

FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is identified.

FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
{O.I&A: A|B|C|D?}

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].
PP app note: minimally, attributes should define roles required by Access Control and Information Flow SFPs, see @@@SFR about roles@@@

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes].

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: rules for the changing of attributes].

FMT Security Management

FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
               FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
{O.ACCESS: A|B|C} {O.PROTECT: A|B} {O.NETWORK: A|B|C}

FMT_MSA.1.1 The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].

FMT_MSA.2 Secure security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
               FDP_IFC.1 Subset information flow control]
              FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
{O.PROTECT: A|B}
PP app note: @@@ applies to MD @@@

FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for security attributes.

FMT_MSA.3 Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
{O.NETWORK: A|B|C}

FMT_MSA.3.1 The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2 The TSF shall allow the [assignment: the authorised identified roles] to specify alternative initial values to override the default values when an object or information is created.

FMT_MTD.1 Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
{O.ACCESS: A|B|C}

FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorised identified roles].

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.ACCESS: A|B|C|D} {O.NETWORK: A|B|C}

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
{O.ACCESS: A|B|C|D} {O.PROTECT: A|B} {O.NETWORK: A|B|C}

FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorised identified roles].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

FPT Protection of the TSF

FPT_AMT.1 Abstract machine testing
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.GENUINE: A|B|C}

FPT_AMT.1.1 The TSF shall run a suite of tests [selection: during initial start-up, periodically during normal operation, at the request of an authorised user, [assignment: other conditions]] to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF.

FPT_FLS.1 Failure with preservation of secure state
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.RESILIENT: A|B|C}

FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: [assignment: list of types of failures in the TSF].

FPT_RCV.1 Manual recovery
Hierarchical to: No other components.
Dependencies: AGD_OPE.1 Operational user guidance
{O.RESILIENT: A|B|C}
PP app note: @@@ applies to T.DOS.FAX @@@

FPT_RCV.1.1 After [assignment: list of failures/service discontinuities] the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.

FPT_RCV.2 Automated recovery
Hierarchical to: FPT_RCV.1 Manual recovery
Dependencies: AGD_OPE.1 Operational user guidance
{O.RESILIENT: A|B|C}
PP app note: @@@ applies to T.DOS.NET|PRT @@@

FPT_RCV.2.1 When automated recovery from [assignment: list of failures/service discontinuities] is not possible, the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.

FPT_RCV.2.2 For [assignment: list of failures/service discontinuities], the TSF shall ensure the return of the TOE to a secure state using automated procedures.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.MONITOR: A|B|C}

FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: FPT_AMT.1 Abstract machine testing
{O.GENUINE: A|B|C}

FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].

FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].

FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.

FTA TOE Access

FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C}

FTA_SSL.3.1 The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].

FTP Trusted Paths/Channels

FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.NETWORK: A|B|C}

FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.

FTP_ITC.1.2 The TSF shall permit [selection: the TSF, the remote trusted IT product] to initiate communication via the trusted channel.

FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: list of functions for which a trusted channel is required].