pp-sfrs23c - IEEE Standards Working Group Areas

P2600 SFRs Proposal
Brian Smithson / Ricoh
Yusuke Ohta / Ricoh
Meeting #23, Lexington KY
DRAFT NOTE: items marked with @@@ are placeholders, not final text!
SUMMARY (p. 3)
FAU SECURITY AUDIT (p. 4)
  FAU_GEN.1 Audit data generation (p. 4)
  FAU_GEN.2 User identity association (p. 4)
  FAU_SAR.1 Audit review (p. 4)
  FAU_SAR.2 Restricted audit review (p. 4)
  FAU_STG.1 Protected audit trail storage (p. 5)
  FAU_STG.4 Prevention of audit data loss (p. 5)
FCS CRYPTOGRAPHIC SUPPORT (p. 6)
  FCS_CKM.1 Cryptographic key generation (p. 6)
  FCS_CKM.4 Cryptographic key destruction (p. 6)
  FCS_COP.1 Cryptographic operation (p. 6)
FDP USER DATA PROTECTION (p. 7)
  FDP_ACC.1 Subset access control (p. 7)
  FDP_ACC.2 Complete access control (p. 7)
  FDP_ACF.1 Security attribute based access control (p. 7)
  FDP_IFC.1 Subset information flow control (p. 7)
  FDP_IFF.1 Simple security attributes (p. 8)
  FDP_RIP.1 Subset residual information protection (p. 8)
FIA IDENTIFICATION AND AUTHENTICATION (p. 9)
  FIA_AFL.1 Authentication failure handling (p. 9)
  FIA_ATD.1 User attribute definition (p. 9)
  FIA_SOS.1 Verification of secrets (p. 9)
P2600 SFRs Proposal (meeting 23)
-- 1 --
Smithson, Ohta (Ricoh)
  FIA_UAU.1 Timing of authentication (p. 9)
  FIA_UAU.6 Re-authenticating (p. 10)
  FIA_UAU.7 Protected authentication feedback (p. 10)
  FIA_UID.1 Timing of identification (p. 10)
  FIA_USB.1 User-subject binding (p. 10)
FMT SECURITY MANAGEMENT (p. 12)
  FMT_MSA.1 Management of security attributes (p. 12)
  FMT_MSA.2 Secure security attributes (p. 12)
  FMT_MSA.3 Static attribute initialisation (p. 12)
  FMT_MTD.1 Management of TSF data (p. 12)
  FMT_SMF.1 Specification of Management Functions (p. 13)
  FMT_SMR.1 Security roles (p. 13)
FPT PROTECTION OF THE TSF (p. 14)
  FPT_AMT.1 Abstract machine testing (p. 14)
  FPT_FLS.1 Failure with preservation of secure state (p. 14)
  FPT_RCV.1 Manual recovery (p. 14)
  FPT_RCV.2 Automated recovery (p. 14)
  FPT_STM.1 Reliable time stamps (p. 14)
  FPT_TST.1 TSF testing (p. 15)
FTA TOE ACCESS (p. 16)
  FTA_SSL.3 TSF-initiated termination (p. 16)
FTP TRUSTED PATHS/CHANNELS (p. 16)
  FTP_ITC.1 Inter-TSF trusted channel (p. 16)
Summary

SFR        PP-A  PP-B  PP-C  PP-D  Objectives
FAU_GEN.1  Y     Y     Y     -     O.MONITOR
FAU_GEN.2  Y     Y     ?     -     O.MONITOR
FAU_SAR.1  Y     Y     Y     -     O.MONITOR
FAU_SAR.2  Y     Y     Y     -     O.MONITOR
FAU_STG.1  Y     Y     Y     -     O.MONITOR
FAU_STG.4  Y     Y     Y     -     O.MONITOR
FCS_CKM.1  Y     Y     -     -     O.PROTECT
FCS_CKM.4  Y     Y     -     -     O.PROTECT
FCS_COP.1  Y     Y     -     -     O.PROTECT
FDP_ACC.1  -     -     -     Y     O.ACCESS
FDP_ACC.2  Y     Y     Y     -     O.ACCESS
FDP_ACF.1  Y     Y     Y     Y     O.ACCESS
FDP_IFC.1  Y     Y     Y     -     O.NETWORK
FDP_IFF.1  Y     Y     Y     -     O.NETWORK
FDP_RIP.1  Y     Y     -     -     O.DELETE
FIA_AFL.1  Y     Y     Y     -     O.I&A
FIA_ATD.1  Y     Y     Y     Y     O.I&A
FIA_SOS.1  Y     Y     -     -     O.I&A
FIA_UAU.1  Y     Y     Y     ?     O.I&A
FIA_UAU.6  Y     Y     Y     -     O.I&A
FIA_UAU.7  Y     Y     Y     -     O.I&A
FIA_UID.1  Y     Y     Y     Y     O.I&A (A|B|C|D), O.NETWORK (A|B|C)
FIA_USB.1  Y     Y     Y     ?     O.I&A
FMT_MSA.1  Y     Y     Y     -     O.ACCESS (A|B|C), O.PROTECT (A|B), O.NETWORK (A|B|C)
FMT_MSA.2  Y     Y     -     -     O.PROTECT
FMT_MSA.3  Y     Y     Y     -     O.NETWORK
FMT_MTD.1  Y     Y     Y     -     O.ACCESS
FMT_SMF.1  Y     Y     Y     Y     O.ACCESS (A|B|C|D), O.NETWORK (A|B|C)
FMT_SMR.1  Y     Y     Y     Y     O.ACCESS (A|B|C|D), O.PROTECT (A|B), O.NETWORK (A|B|C)
FPT_AMT.1  Y     Y     Y     -     O.GENUINE
FPT_FLS.1  Y     Y     Y     -     O.RESILIENT
FPT_RCV.1  Y     Y     Y     -     O.RESILIENT
FPT_RCV.2  Y     Y     Y     -     O.RESILIENT
FPT_STM.1  Y     Y     Y     -     O.MONITOR
FPT_TST.1  Y     Y     Y     -     O.GENUINE
FTA_SSL.3  Y     Y     Y     -     O.I&A
FTP_ITC.1  Y     Y     Y     -     O.NETWORK
ADV_ARC.1  Y     Y     Y     -     O.FAXONLY
ATE_FUN.1  Y     Y     Y     -

Y = included in that PP; ? = inclusion still open; - = not included.
FAU Security Audit
FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
{O.MONITOR: A|B|C}
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
• Start-up and shutdown of the audit functions;
• All auditable events for the [selection, choose one of: minimum, basic, detailed, not specified] level of audit; and
• [assignment: other specifically defined auditable events].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
• Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
• For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: other audit relevant information].
FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
{O.MONITOR: A|B|C?}
FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.
FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
{O.MONITOR: A|B|C}
FAU_SAR.1.1 The TSF shall provide [assignment: authorised users] with the capability to read [assignment: list of audit information] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
{O.MONITOR: A|B|C}
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
{O.MONITOR: A|B|C}
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [selection, choose one of: prevent, detect] unauthorised modifications to the stored audit records in the audit trail.
FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
{O.MONITOR: A|B|C}
FAU_STG.4.1 The TSF shall [selection, choose one of: “ignore auditable events”, “prevent auditable events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.
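Worked example (added here; not part of the P2600 draft): a small Python audit trail showing how the FAU elements above fit together once the assignments and selections are filled in. Every record carries the FAU_GEN.1.2 minimum (time, event type, subject, outcome), start-up and shutdown of auditing are themselves audited (FAU_GEN.1.1), reading is limited to users with explicit read access (FAU_SAR.2), deletion is limited to administrators and is audited (FAU_STG.1.1), and the trail-full behaviour implements two of the FAU_STG.4.1 selections. The class name, the role names "auditor" and "admin", the capacity, and the policy names are assumptions.

```python
"""Audit-trail model for FAU_GEN.1, FAU_SAR.2, FAU_STG.1 and FAU_STG.4.

Constructed example: the class, role names, capacities and policy names are
assumptions made for illustration and are not part of the P2600 draft.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditRecord:
    """One audit record with the minimum content required by FAU_GEN.1.2."""
    timestamp: str      # date and time of the event (FPT_STM.1 supplies the clock)
    event_type: str     # type of event
    subject: str        # subject identity (FAU_GEN.2: the user who caused it)
    outcome: str        # "success" or "failure"
    extra: dict = field(default_factory=dict)  # other audit-relevant information


class AuditTrail:
    """In-memory audit trail; a real TOE would back this with protected storage."""

    FULL_POLICIES = ("overwrite_oldest", "prevent")  # two FAU_STG.4.1 selections modelled

    def __init__(self, capacity, readers, administrators, full_policy="overwrite_oldest"):
        if full_policy not in self.FULL_POLICIES:
            raise ValueError(f"unsupported FAU_STG.4 policy: {full_policy}")
        self.capacity = capacity
        self.readers = frozenset(readers)                 # FAU_SAR.2: explicit read access only
        self.administrators = frozenset(administrators)   # may delete records (FAU_STG.1.1)
        self.full_policy = full_policy
        self._records = deque()
        self.refused = 0   # auditable events refused because the trail was full

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def record(self, event_type, subject, outcome, **extra):
        """Store one record; returns False if the event must be refused (FAU_STG.4)."""
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        if len(self._records) >= self.capacity:
            if self.full_policy == "prevent":
                # The caller must not perform the auditable action when this is False.
                self.refused += 1
                return False
            self._records.popleft()  # overwrite the oldest stored audit record
        self._records.append(AuditRecord(self._now(), event_type, subject, outcome, dict(extra)))
        return True

    def start(self):
        """FAU_GEN.1.1: start-up of the audit functions is itself audited."""
        return self.record("audit_start", "TSF", "success")

    def shutdown(self):
        return self.record("audit_shutdown", "TSF", "success")

    def can_read(self, user):
        return user in self.readers

    def read(self, user):
        """FAU_SAR.1/FAU_SAR.2: only users granted explicit read access may read."""
        if not self.can_read(user):
            raise PermissionError(f"{user} has no read access to the audit trail")
        return list(self._records)

    def delete_all(self, user):
        """FAU_STG.1.1: deletion is restricted to administrators and is itself audited."""
        if user not in self.administrators:
            # Record the attempt so the unauthorised action is visible to auditors.
            self.record("audit_delete", user, "failure")
            raise PermissionError(f"{user} may not delete audit records")
        self._records.clear()
        self.record("audit_delete", user, "success")

    def __len__(self):
        return len(self._records)


def demo_overwrite():
    """Constructed scenario: capacity 3, oldest record overwritten when full."""
    trail = AuditTrail(capacity=3, readers={"auditor"}, administrators={"admin"})
    trail.start()                                                      # record 1
    trail.record("login", "alice", "success")                          # record 2
    trail.record("login", "mallory", "failure", reason="bad password") # record 3
    trail.record("print", "alice", "success", pages=4)                 # evicts record 1
    return [r.event_type for r in trail.read("auditor")]


def demo_prevent():
    """Constructed scenario: capacity 1 with the 'prevent' policy."""
    trail = AuditTrail(capacity=1, readers=set(), administrators=set(), full_policy="prevent")
    first = trail.record("login", "alice", "success")
    second = trail.record("login", "bob", "success")
    return first, second, trail.refused


if __name__ == "__main__":
    print(demo_overwrite())   # ['login', 'login', 'print']
    print(demo_prevent())     # (True, False, 1)
```

The "prevent" policy only works if every code path that performs an auditable action checks the return value of record() before acting; the "overwrite_oldest" policy keeps the TOE running but silently loses the oldest history, which is why FAU_STG.4.1 also asks for [assignment: other actions], typically an alarm to the administrator.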
FCS Cryptographic Support
FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FMT_MSA.2 Secure security attributes
{O.PROTECT: A|B}
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FMT_MSA.2 Secure security attributes
{O.PROTECT: A|B}
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards].
FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FMT_MSA.2 Secure security attributes
{O.PROTECT: A|B}
FCS_COP.1.1 The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
FDP User Data Protection
FDP_ACC.1 Subset access control
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
{O.ACCESS: D}
PP{D} app note: @@@ most likely applies only to administrative objects, so does it belong in FDP?@@@
FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the SFP].
FDP_ACC.2 Complete access control
Hierarchical to: FDP_ACC.1 Subset access control
Dependencies: FDP_ACF.1 Security attribute based access control
{O.ACCESS: A|B|C}
FDP_ACC.2.1 The TSF shall enforce the [assignment: access control SFP] on [assignment: list of subjects and objects] and all operations among subjects and objects covered by the SFP.
FDP_ACC.2.2 The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.
FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialization
{O.ACCESS: A|B|C|D}
PP{D} app note: @@@ most likely applies only to administrative objects, so does it belong in FDP?@@@
FDP_ACF.1.1 The TSF shall enforce the [assignment: access control SFP] to objects based on the following: [assignment: list of subjects and objects controlled under the indicated SFP, and for each, the SFP-relevant security attributes, or named groups of SFP-relevant security attributes].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: rules governing access among controlled subjects and controlled objects using controlled operations on controlled objects].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
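Worked example (added here; not part of the P2600 draft): a Python decision function that instantiates FDP_ACF.1 for a document store, with the four elements mapped onto code. The attribute names (role, owner, shared_with, locked), the rule sets, the evaluation order (explicit deny first, then explicit authorise, then the base rules) and the sample subjects and documents are all assumptions made for illustration. The access_matrix() helper enumerates every subject/operation/object triple, which is the completeness that FDP_ACC.2 demands.

```python
"""Security-attribute-based access control in the shape of FDP_ACF.1.

Constructed example: the attributes (role, owner, shared_with, locked), the three
rule sets and the sample subjects and documents are assumptions for illustration,
not text from the P2600 draft.
"""
from dataclasses import dataclass

OPERATIONS = ("read", "modify", "delete")


@dataclass(frozen=True)
class Subject:
    user: str
    role: str            # "user" or "administrator" (an assumed FIA_ATD.1 attribute)


@dataclass(frozen=True)
class Document:
    name: str
    owner: str
    shared_with: frozenset = frozenset()   # users the owner granted read access
    locked: bool = False                   # retention hold: no modification or deletion


def explicitly_denied(subject, operation, doc):
    """FDP_ACF.1.4: rules that deny access whatever the other rules say."""
    return doc.locked and operation in ("modify", "delete")


def explicitly_authorised(subject, operation, doc):
    """FDP_ACF.1.3: additional rules that grant access outside the base SFP."""
    return subject.role == "administrator" and operation == "read"


def base_rules(subject, operation, doc):
    """FDP_ACF.1.2: the ordinary rules of the access control SFP."""
    if subject.user == doc.owner:
        return True                                       # owners may do anything
    return operation == "read" and subject.user in doc.shared_with


def decide(subject, operation, doc):
    """Evaluate the SFP: explicit deny, then explicit authorise, then base rules."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if explicitly_denied(subject, operation, doc):
        return False
    if explicitly_authorised(subject, operation, doc):
        return True
    return base_rules(subject, operation, doc)


def access_matrix(subjects, docs):
    """Every (subject, operation, object) decision; FDP_ACC.2 requires that no
    operation among controlled subjects and objects falls outside the SFP."""
    return {(s.user, op, d.name): decide(s, op, d)
            for s in subjects for op in OPERATIONS for d in docs}


# Constructed sample data.
ALICE = Subject("alice", "user")
BOB = Subject("bob", "user")
CAROL = Subject("carol", "administrator")
REPORT = Document("report", owner="alice", shared_with=frozenset({"bob"}))
LEDGER = Document("ledger", owner="bob", locked=True)


def demo():
    return access_matrix([ALICE, BOB, CAROL], [REPORT, LEDGER])


if __name__ == "__main__":
    for key, allowed in sorted(demo().items()):
        print(key, "allow" if allowed else "deny")
```

Putting the explicit-deny rules first is what makes a retention lock hold even against the object's owner; if the base rules ran first, the owner branch would grant the deletion before the lock was ever consulted.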
FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
{O.NETWORK:A|B|C}
FDP_IFC.1.1 The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP].
FDP_IFF.1 Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization
{O.NETWORK:A|B|C}
FDP_IFF.1.1 The TSF shall enforce the [assignment: information flow control SFP] based on the following types of subject and information security attributes: [assignment: list of subjects and information controlled under the indicated SFP, and for each, the security attributes].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: for each operation, the security attribute-based relationship that must hold between subject and information security attributes].
FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow control SFP rules].
FDP_IFF.1.4 The TSF shall provide the following [assignment: list of additional SFP capabilities].
FDP_IFF.1.5 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly authorise information flows].
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [assignment: rules, based on security attributes, that explicitly deny information flows].
FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.DELETE: A|B}
PP app note: @@@apply to UDD, MD, UFD@@@
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: [assignment: list of objects].
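Worked example (added here; not part of the P2600 draft): a Python buffer pool that shows what FDP_RIP.1.1 requires and what goes wrong without it. The pool, the choice of the "deallocation of the resource from" selection, the clear_on_free switch and the sample job content are assumptions made for illustration. With clear_on_free=False the next job receives the previous job's bytes unchanged, which is exactly the residual-information exposure the SFR is meant to rule out; with clear_on_free=True the storage is overwritten before it is reused.

```python
"""Residual-information protection (FDP_RIP.1) applied to a reusable buffer pool.

Constructed example: the pool, the "clear on deallocation" selection and the
sample job content are assumptions for illustration, not text from the draft.
"""


class BufferPool:
    """Fixed-size buffers handed out to jobs and returned afterwards.

    With clear_on_free=True the buffer is overwritten on deallocation, which is the
    FDP_RIP.1.1 "deallocation of the resource from" selection; with False it is the
    vulnerable behaviour the SFR is meant to rule out.
    """

    def __init__(self, count, size, clear_on_free=True):
        self.size = size
        self.clear_on_free = clear_on_free
        self._free = [bytearray(size) for _ in range(count)]
        self._in_use = {}   # id(buffer) -> buffer, so returns can be validated

    def allocate(self):
        if not self._free:
            raise MemoryError("pool exhausted")
        buf = self._free.pop()
        self._in_use[id(buf)] = buf
        return buf

    def deallocate(self, buf):
        if self._in_use.pop(id(buf), None) is None:
            raise ValueError("buffer was not allocated from this pool")
        if self.clear_on_free:
            # Overwrite the whole buffer in place. In native code use memset_s or
            # explicit_bzero so the compiler cannot drop the store as dead.
            buf[:] = bytes(self.size)
        self._free.append(buf)


def has_residue(buf):
    """True if any byte of the buffer is non-zero, i.e. previous content survived."""
    return any(buf)


def reuse_demo(clear_on_free):
    """Constructed scenario: job 1 writes a secret, job 2 receives the same storage."""
    pool = BufferPool(count=1, size=32, clear_on_free=clear_on_free)
    job1 = pool.allocate()
    job1[:12] = b"CONFIDENTIAL"
    pool.deallocate(job1)
    job2 = pool.allocate()          # the very same bytearray object
    return bytes(job2[:12]), has_residue(job2)


if __name__ == "__main__":
    print("without clearing:", reuse_demo(clear_on_free=False))
    print("with clearing:   ", reuse_demo(clear_on_free=True))
```

The same reasoning applies to the UDD/MD/UFD objects named in the app note above: print-job spool areas, page memory and document storage on disk are all resources that outlive the job that filled them, so the ST must say at which point (allocation or deallocation) the old content becomes unavailable and how that is achieved for each object type.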
FIA Identification and Authentication
FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
{O.I&A: A|B|C}
PP{C} app note: may only be appropriate for administrator-related authentication events
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within [assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [assignment: list of actions].
FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C|D}
PP app note: @@@minimally, attributes should define roles required by Access Control and Information
Flow SFPs, see @@@SFR about roles@@@
PP{D} app note: administrator role may be applicable to front panel controls?
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: list of security attributes].
FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B}
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].
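Worked example (added here; not part of the P2600 draft) covering FIA_AFL.1 and FIA_SOS.1 together: a Python authenticator in which the failure threshold is an administrator-configurable integer restricted to a range (FIA_AFL.1.1), reaching the threshold locks the account (the FIA_AFL.1.2 action), and enrolment refuses secrets that fail a quality metric (FIA_SOS.1.1). The range (3 to 10), the metric (at least 8 characters from at least 3 character classes), the lock-out action, the PBKDF2 parameters and the sample users and secrets are assumptions. authenticate() deliberately returns nothing more than True or False, in the spirit of FIA_UAU.7.

```python
"""Authentication-failure handling (FIA_AFL.1) and secret quality checking (FIA_SOS.1).

Constructed example: the administrator-configurable range, the lock-out action, the
quality metric, the PBKDF2 parameters and the sample credentials are assumptions
made for illustration, not text from the P2600 draft.
"""
import hashlib
import hmac
import os
import string

THRESHOLD_RANGE = (3, 10)   # assumed [assignment: range of acceptable values]
MIN_LENGTH = 8              # assumed part of the FIA_SOS.1 quality metric
_DUMMY_SALT = b"\x00" * 16  # unknown users cost the same time as known ones


def meets_quality_metric(secret):
    """FIA_SOS.1.1: assumed metric = at least 8 characters from at least 3 classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in secret) for cls in classes)
    return len(secret) >= MIN_LENGTH and present >= 3


def derive(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def threshold_accepted(n):
    """True if n is a value an administrator may configure for FIA_AFL.1.1."""
    lo, hi = THRESHOLD_RANGE
    return lo <= n <= hi


class Authenticator:
    def __init__(self, max_failures):
        if not threshold_accepted(max_failures):
            raise ValueError(f"max_failures must lie within {THRESHOLD_RANGE}")
        self.max_failures = max_failures
        self._creds = {}      # user -> (salt, derived key)
        self._failures = {}   # user -> consecutive unsuccessful attempts
        self.locked = set()   # FIA_AFL.1.2 action: lock the account until an admin unlocks it

    def enrol(self, user, secret):
        if not meets_quality_metric(secret):
            raise ValueError("secret does not meet the quality metric")
        salt = os.urandom(16)
        self._creds[user] = (salt, derive(secret, salt))

    def authenticate(self, user, secret):
        """Returns only True/False (FIA_UAU.7: no hint about which part failed)."""
        if user in self.locked:
            return False
        salt, stored = self._creds.get(user, (_DUMMY_SALT, None))
        candidate = derive(secret, salt)
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        if ok:
            self._failures[user] = 0
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:   # "met or surpassed"
            self.locked.add(user)
        return False

    def unlock(self, user):
        """Administrative action that ends the FIA_AFL.1.2 lock-out (assumed)."""
        self.locked.discard(user)
        self._failures[user] = 0


def lockout_demo():
    """Constructed scenario: three wrong secrets, then the right one once locked."""
    auth = Authenticator(max_failures=3)
    auth.enrol("alice", "Corr3ct-Horse")
    wrong = [auth.authenticate("alice", f"guess{i}") for i in range(3)]
    return wrong, "alice" in auth.locked, auth.authenticate("alice", "Corr3ct-Horse")


if __name__ == "__main__":
    print(lockout_demo())   # ([False, False, False], True, False)
```

A successful authentication resets the counter, so the threshold counts consecutive failures; the app note above about restricting this to administrator-related events is a policy choice for the ST author, and the only change it needs here is which users are enrolled with a threshold at all.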
FIA_UAU.1 Timing of authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
{O.I&A: A|B|C|D?}
PP app note: if no TSF-mediated actions can be performed on behalf of a user before the user is
authenticated, then ST authors shall replace FIA_UAU.1 with FIA_UAU.2
FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF mediated actions] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.6 Re-authenticating
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C}
FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required].
PP app note: @@@for example, after inactivity; see @@@session SFR@@@
FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
{O.I&A: A|B|C}
FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the authentication is in progress.
FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C|D}
{O.NETWORK: A|B|C}
PP app note: if no TSF-mediated actions can be performed on behalf of a user before the user is identified,
then ST authors shall replace FIA_UID.1 with FIA_UID.2
FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
FIA_USB.1 User-subject binding
Hierarchical to: No other components.
Dependencies: FIA_ATD.1 User attribute definition
{O.I&A: A|B|C|D?}
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: list of user security attributes].
PP app note: minimally, attributes should define roles required by Access Control and Information Flow SFPs, see @@@SFR about roles@@@
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: rules for the initial association of attributes].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: rules for the changing of attributes].
FMT Security Management
FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
{O.ACCESS: A|B|C}
{O.PROTECT: A|B}
{O.NETWORK: A|B|C}
FMT_MSA.1.1 The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorised identified roles].
FMT_MSA.2 Secure security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
{O.PROTECT: A|B}
PP app note: @@@applies to MD@@@
FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for security attributes.
FMT_MSA.3 Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
{O.NETWORK: A|B|C}
FMT_MSA.3.1 The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to provide [selection, choose one of: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [assignment: the authorised identified roles] to specify alternative initial values to override the default values when an object or information is created.
FMT_MTD.1 Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
{O.ACCESS: A|B|C}
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [assignment: the authorised identified roles].
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.ACCESS: A|B|C|D}
{O.NETWORK: A|B|C}
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment: list of management functions to be provided by the TSF].
FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
{O.ACCESS: A|B|C|D}
{O.PROTECT: A|B}
{O.NETWORK: A|B|C}
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: the authorised identified roles].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
FPT Protection of the TSF
FPT_AMT.1 Abstract machine testing
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.GENUINE: A|B|C}
FPT_AMT.1.1 The TSF shall run a suite of tests [selection: during initial start-up, periodically during normal operation, at the request of an authorised user, [assignment: other conditions]] to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF.
FPT_FLS.1 Failure with preservation of secure state
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.RESILIENT: A|B|C}
FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: [assignment: list of types of failures in the TSF].
FPT_RCV.1 Manual recovery
Hierarchical to: No other components.
Dependencies: AGD_OPE.1 Operational user guidance
{O.RESILIENT: A|B|C}
PP app note: @@@applies to T.DOS.FAX@@@
FPT_RCV.1.1 After [assignment: list of failures/service discontinuities] the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.
FPT_RCV.2 Automated recovery
Hierarchical to: FPT_RCV.1 Manual recovery
Dependencies: AGD_OPE.1 Operational user guidance
{O.RESILIENT: A|B|C}
PP app note: @@@applies to T.DOS.NET|PRT@@@
FPT_RCV.2.1 When automated recovery from [assignment: list of failures/service discontinuities] is not possible, the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.
FPT_RCV.2.2 For [assignment: list of failures/service discontinuities], the TSF shall ensure the return of the TOE to a secure state using automated procedures.
FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.MONITOR: A|B|C}
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: FPT_AMT.1 Abstract machine testing
{O.GENUINE: A|B|C}
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.
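Worked example (added here; not part of the P2600 draft): a Python start-up check that instantiates FPT_TST.1 for the "during initial start-up" selection. It runs a known-answer test of SHA-256 first (FPT_TST.1.1, so that a broken hash cannot vouch for anything) and then verifies stored executable code and TSF data against a manifest of reference digests (FPT_TST.1.2 and FPT_TST.1.3). The in-memory image, the manifest format and the function names are assumptions; the only real value is the SHA-256 digest of "abc" from FIPS 180-4.

```python
"""Start-up self test for FPT_TST.1: a known-answer test of the hash function
(FPT_TST.1.1) and integrity verification of stored TSF executable code and TSF
data against a manifest (FPT_TST.1.2, FPT_TST.1.3).

Constructed example: the image contents, manifest format and function names are
assumptions for illustration, not text from the P2600 draft.
"""
import hashlib
import hmac

# Constructed stand-in for the TSF's stored executable code and data.
STORED_IMAGE = {
    "tsf/print_service": b"\x7fELF\x02\x01\x01 constructed executable bytes",
    "tsf/auth_module": b"\x7fELF\x02\x01\x01 another constructed executable",
    "tsf/policy.bin": b"\x00\x01 constructed TSF data",
}

# SHA-256("abc") from FIPS 180-4, used as the known answer.
SHA256_KAT = (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(image):
    """Reference digests produced at build time; in a product this list is signed."""
    return {name: digest(data) for name, data in image.items()}


def hash_self_test():
    """FPT_TST.1.1: refuse to trust the integrity check if the hash itself is broken."""
    data, expected = SHA256_KAT
    return hmac.compare_digest(digest(data), expected)


def verify_integrity(image, manifest):
    """Names whose stored bytes no longer match the manifest (empty list = intact).
    Missing entries and files absent from the manifest are reported too."""
    bad = []
    for name, expected in manifest.items():
        data = image.get(name)
        if data is None or not hmac.compare_digest(digest(data), expected):
            bad.append(name)
    bad.extend(name for name in image if name not in manifest)
    return sorted(bad)


def startup_check(image, manifest):
    """Order matters: run the known-answer test before relying on the hash."""
    if not hash_self_test():
        return "fail: hash self-test"
    mismatched = verify_integrity(image, manifest)
    return "ok" if not mismatched else "fail: " + ", ".join(mismatched)


def tamper_demo():
    """Constructed scenario: the intact image passes, a patched module is caught."""
    manifest = build_manifest(STORED_IMAGE)
    tampered = dict(STORED_IMAGE)
    tampered["tsf/auth_module"] += b"\x00"   # one appended byte is enough to trip
    return startup_check(STORED_IMAGE, manifest), startup_check(tampered, manifest)


if __name__ == "__main__":
    print(tamper_demo())   # ('ok', 'fail: tsf/auth_module')
```

A plain digest manifest only detects accidental corruption or tampering by someone who cannot also rewrite the manifest; for the O.GENUINE objective the manifest has to be signed and the verifying key anchored somewhere the TSF's own code cannot alter, which is where the hardware-rooted variants of this check come in.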
FTA TOE Access
FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.I&A: A|B|C}
FTA_SSL.3.1 The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].
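Worked example (added here; not part of the P2600 draft) for FTA_SSL.3 together with the FIA_UAU.6 app note above: a Python session object that terminates itself once the inactivity interval has elapsed and then refuses every TSF-mediated action until the user re-authenticates. The 300 s interval, the injectable clock, the session API and the sample timeline are assumptions made so the example runs deterministically offline.

```python
"""Inactivity time-out (FTA_SSL.3) with forced re-authentication (FIA_UAU.6).

Constructed example: the interval, the injectable clock and the session API are
assumptions for illustration, not text from the P2600 draft.
"""


class Session:
    def __init__(self, user, inactivity_limit, clock):
        self.user = user
        self.inactivity_limit = inactivity_limit   # [assignment: time interval of user inactivity]
        self._clock = clock                         # callable returning seconds (monotonic)
        self.authenticated = True
        self.last_activity = clock()

    def _expire_if_idle(self):
        if self.authenticated and self._clock() - self.last_activity >= self.inactivity_limit:
            self.authenticated = False   # FTA_SSL.3.1: the TSF terminates the session

    def request(self, action):
        """A TSF-mediated action; refused once the session has been terminated."""
        self._expire_if_idle()
        if not self.authenticated:
            return "reauthenticate"      # FIA_UAU.6: re-authentication is now required
        self.last_activity = self._clock()
        return f"performed {action}"

    def reauthenticate(self, credential_ok):
        """credential_ok stands in for the real FIA_UAU mechanism (assumed)."""
        if credential_ok:
            self.authenticated = True
            self.last_activity = self._clock()
        return self.authenticated


class FakeClock:
    """Deterministic clock so the timeline below does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def timeline():
    """Constructed scenario with a 300 s inactivity limit."""
    clock = FakeClock()
    s = Session("alice", inactivity_limit=300, clock=clock)
    out = [s.request("copy")]          # t = 0
    clock.advance(299)
    out.append(s.request("scan"))      # idle 299 s: still active
    clock.advance(300)
    out.append(s.request("print"))     # idle 300 s: terminated, must re-authenticate
    out.append(s.reauthenticate(credential_ok=True))
    out.append(s.request("print"))     # back in business
    return out


if __name__ == "__main__":
    print(timeline())
```

Expiry is evaluated lazily, at the next request, which is enough to stop actions from being performed but leaves the front panel showing a logged-in state until someone touches it; a TOE that wants the display and any held resources released on time needs a timer that calls the same expiry logic proactively.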
FTP Trusted Paths/Channels
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
{O.NETWORK: A|B|C}
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [selection: the TSF, the remote trusted IT product] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: list of functions for which a trusted channel is required].