Part 2: Security functional components docx


Document information

Common Criteria for Information Technology Security Evaluation
Part 2: Security functional components
September 2006
Version 3.1 Revision 1
CCMB-2006-09-002

Foreword

This version of the Common Criteria for Information Technology Security Evaluation (CC v3.1) is the first major revision since being published as CC v2.3 in 2005.

CC v3.1 aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed.

CC version 3.1 consists of the following parts:
− Part 1: Introduction and general model
− Part 2: Security functional components
− Part 3: Security assurance components

Trademarks:
− UNIX is a registered trademark of The Open Group in the United States and other countries
− Windows is a registered trademark of Microsoft Corporation in the United States and other countries

Page 2 of 314 Version 3.1 September 2006

Legal Notice:

The governmental organisations listed below contributed to the development of this version of the Common Criteria for Information Technology Security Evaluation. As the joint holders of the copyright in the Common Criteria for Information Technology Security Evaluation, version 3.1 Parts 1 through 3 (called “CC 3.1”), they hereby grant non-exclusive license to ISO/IEC to use CC 3.1 in the continued development/maintenance of the ISO/IEC 15408 international standard. However, these governmental organisations retain the right to use, copy, distribute, translate or modify CC 3.1 as they see fit.

Australia/New Zealand: The Defence Signals Directorate and the Government Communications Security Bureau respectively;
Canada: Communications Security Establishment;
France: Direction Centrale de la Sécurité des Systèmes d'Information;
Germany: Bundesamt für Sicherheit in der Informationstechnik;
Japan: Information Technology Promotion Agency;
Netherlands: Netherlands National Communications Security Agency;
Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional;
United Kingdom: Communications-Electronics Security Group;
United States: The National Security Agency and the National Institute of Standards and Technology.

Table of contents

1 INTRODUCTION 13
2 SCOPE 14
3 NORMATIVE REFERENCES 15
4 TERMS AND DEFINITIONS, SYMBOLS AND ABBREVIATED TERMS 16
5 OVERVIEW 17
5.1 Organisation of CC Part 2 17
6 FUNCTIONAL REQUIREMENTS PARADIGM 18
7 SECURITY FUNCTIONAL COMPONENTS 23
7.1 Overview 23
7.1.1 Class structure 23
7.1.2 Family structure 24
7.1.3 Component structure 25
7.2 Component catalogue 27
7.2.1 Component changes highlighting 28
8 CLASS FAU: SECURITY AUDIT 29
8.1 Security audit automatic response (FAU_ARP) 30
8.2 Security audit data generation (FAU_GEN) 31
8.3 Security audit analysis (FAU_SAA) 33
8.4 Security audit review (FAU_SAR) 37
8.5 Security audit event selection (FAU_SEL) 39
8.6 Security audit event storage (FAU_STG) 40
9 CLASS FCO: COMMUNICATION 43
9.1 Non-repudiation of origin (FCO_NRO) 44
9.2 Non-repudiation of receipt (FCO_NRR) 46
10 CLASS FCS: CRYPTOGRAPHIC SUPPORT 48
10.1 Cryptographic key management (FCS_CKM) 49
10.2 Cryptographic operation (FCS_COP) 52
11 CLASS FDP: USER DATA PROTECTION 54
11.1 Access control policy (FDP_ACC) 57
11.2 Access control functions (FDP_ACF) 59
11.3 Data authentication (FDP_DAU) 61
11.4 Export from the TOE (FDP_ETC) 63
11.5 Information flow control policy (FDP_IFC) 65
11.6 Information flow control functions (FDP_IFF) 67
11.7 Import from outside of the TOE (FDP_ITC) 72
11.8 Internal TOE transfer (FDP_ITT) 74
11.9 Residual information protection (FDP_RIP) 77
11.10 Rollback (FDP_ROL) 79
11.11 Stored data integrity (FDP_SDI) 81
11.12 Inter-TSF user data confidentiality transfer protection (FDP_UCT) 83
11.13 Inter-TSF user data integrity transfer protection (FDP_UIT) 84
12 CLASS FIA: IDENTIFICATION AND AUTHENTICATION 87
12.1 Authentication failures (FIA_AFL) 89
12.2 User attribute definition (FIA_ATD) 91
12.3 Specification of secrets (FIA_SOS) 92
12.4 User authentication (FIA_UAU) 94
12.5 User identification (FIA_UID) 99
12.6 User-subject binding (FIA_USB) 101
13 CLASS FMT: SECURITY MANAGEMENT 103
13.1 Management of functions in TSF (FMT_MOF) 105
13.2 Management of security attributes (FMT_MSA) 106
13.3 Management of TSF data (FMT_MTD) 109
13.4 Revocation (FMT_REV) 112
13.5 Security attribute expiration (FMT_SAE) 113
13.6 Specification of Management Functions (FMT_SMF) 114
13.7 Security management roles (FMT_SMR) 115
14 CLASS FPR: PRIVACY 117
14.1 Anonymity (FPR_ANO) 118
14.2 Pseudonymity (FPR_PSE) 120
14.3 Unlinkability (FPR_UNL) 122
14.4 Unobservability (FPR_UNO) 123
15 CLASS FPT: PROTECTION OF THE TSF 126
15.1 Underlying abstract machine test (FPT_AMT) 128
15.2 Fail secure (FPT_FLS) 129
15.3 Availability of exported TSF data (FPT_ITA) 130
15.4 Confidentiality of exported TSF data (FPT_ITC) 131
15.5 Integrity of exported TSF data (FPT_ITI) 132
15.6 Internal TOE TSF data transfer (FPT_ITT) 134
15.7 TSF physical protection (FPT_PHP) 137
15.8 Trusted recovery (FPT_RCV) 140
15.9 Replay detection (FPT_RPL) 143
15.10 State synchrony protocol (FPT_SSP) 144
15.11 Time stamps (FPT_STM) 146
15.12 Inter-TSF TSF data consistency (FPT_TDC) 147
15.13 Internal TOE TSF data replication consistency (FPT_TRC) 148
15.14 TSF self test (FPT_TST) 149
16 CLASS FRU: RESOURCE UTILISATION 151
16.1 Fault tolerance (FRU_FLT) 152
16.2 Priority of service (FRU_PRS) 154
16.3 Resource allocation (FRU_RSA) 156
17 CLASS FTA: TOE ACCESS 158
17.1 Limitation on scope of selectable attributes (FTA_LSA) 159
17.2 Limitation on multiple concurrent sessions (FTA_MCS) 160
17.3 Session locking (FTA_SSL) 162
17.4 TOE access banners (FTA_TAB) 165
17.5 TOE access history (FTA_TAH) 166
17.6 TOE session establishment (FTA_TSE) 167
18 CLASS FTP: TRUSTED PATH/CHANNELS 168
18.1 Inter-TSF trusted channel (FTP_ITC) 169
18.2 Trusted path (FTP_TRP) 171
A SECURITY FUNCTIONAL REQUIREMENTS APPLICATION NOTES 173
A.1 Structure of the notes 173
A.1.1 Class structure 173
A.1.2 Family structure 174
A.1.3 Component structure 174
A.2 Dependency tables 175
B FUNCTIONAL CLASSES, FAMILIES, AND COMPONENTS 181
C CLASS FAU: SECURITY AUDIT 182
C.1 Audit requirements in a distributed environment 182
C.2 Security audit automatic response (FAU_ARP) 183
C.3 Security audit data generation (FAU_GEN) 184
C.4 Security audit analysis (FAU_SAA) 187
C.5 Security audit review (FAU_SAR) 192
C.6 Security audit event selection (FAU_SEL) 194
C.7 Security audit event storage (FAU_STG) 195
D CLASS FCO: COMMUNICATION 198
D.1 Non-repudiation of origin (FCO_NRO) 198
D.2 Non-repudiation of receipt (FCO_NRR) 201
E CLASS FCS: CRYPTOGRAPHIC SUPPORT 204
E.1 Cryptographic key management (FCS_CKM) 205
E.2 Cryptographic operation (FCS_COP) 208
F CLASS FDP: USER DATA PROTECTION 210
F.1 Access control policy (FDP_ACC) 213
F.2 Access control functions (FDP_ACF) 216
F.3 Data authentication (FDP_DAU) 218
F.4 Export from the TOE (FDP_ETC) 219
F.5 Information flow control policy (FDP_IFC) 221
F.6 Information flow control functions (FDP_IFF) 223
F.7 Import from outside of the TOE (FDP_ITC) 229
F.8 Internal TOE transfer (FDP_ITT) 231
F.9 Residual information protection (FDP_RIP) 235
F.10 Rollback (FDP_ROL) 237
F.11 Stored data integrity (FDP_SDI) 238
F.12 Inter-TSF user data confidentiality transfer protection (FDP_UCT) 239
F.13 Inter-TSF user data integrity transfer protection (FDP_UIT) 240
G CLASS FIA: IDENTIFICATION AND AUTHENTICATION 243
G.1 Authentication failures (FIA_AFL) 244
G.2 User attribute definition (FIA_ATD) 246
G.3 Specification of secrets (FIA_SOS) 247
G.4 User authentication (FIA_UAU) 248
G.5 User identification (FIA_UID) 252
G.6 User-subject binding (FIA_USB) 253
H CLASS FMT: SECURITY MANAGEMENT 254
H.1 Management of functions in TSF (FMT_MOF) 255
H.2 Management of security attributes (FMT_MSA) 257
H.3 Management of TSF data (FMT_MTD) 259
H.4 Revocation (FMT_REV) 261
H.5 Security attribute expiration (FMT_SAE) 262
H.6 Specification of Management Functions (FMT_SMF) 262
H.7 Security management roles (FMT_SMR) 263
I CLASS FPR: PRIVACY 265
I.1 Anonymity (FPR_ANO) 266
I.2 Pseudonymity (FPR_PSE) 268
I.3 Unlinkability (FPR_UNL) 273
I.4 Unobservability (FPR_UNO) 275
J CLASS FPT: PROTECTION OF THE TSF 279
J.1 Underlying abstract machine test (FPT_AMT) 281
J.2 Fail secure (FPT_FLS) 283
J.3 Availability of exported TSF data (FPT_ITA) 284
J.4 Confidentiality of exported TSF data (FPT_ITC) 284
J.5 Integrity of exported TSF data (FPT_ITI) 285
J.6 Internal TOE TSF data transfer (FPT_ITT) 287
J.7 TSF physical protection (FPT_PHP) 288
J.8 Trusted recovery (FPT_RCV) 290
J.9 Replay detection (FPT_RPL) 294
J.10 State synchrony protocol (FPT_SSP) 295
J.11 Time stamps (FPT_STM) 296
J.12 Inter-TSF TSF data consistency (FPT_TDC) 296
J.13 Internal TOE TSF data replication consistency (FPT_TRC) 297
J.14 TSF self test (FPT_TST) 298
K CLASS FRU: RESOURCE UTILISATION 300
K.1 Fault tolerance (FRU_FLT) 300
K.2 Priority of service (FRU_PRS) 302
K.3 Resource allocation (FRU_RSA) 303
L CLASS FTA: TOE ACCESS 306
L.1 Limitation on scope of selectable attributes (FTA_LSA) 307
L.2 Limitation on multiple concurrent sessions (FTA_MCS) 308
L.3 Session locking (FTA_SSL) 309
L.4 TOE access banners (FTA_TAB) 310
L.5 TOE access history (FTA_TAH) 311
L.6 TOE session establishment (FTA_TSE) 311
M CLASS FTP: TRUSTED PATH/CHANNELS 313
M.1 Inter-TSF trusted channel (FTP_ITC) 313
M.2 Trusted path (FTP_TRP) 314

[...]

1 Introduction

1 Security functional components, as defined in this CC Part 2, are the basis for the security functional requirements expressed in a Protection Profile (PP) or a Security Target (ST). These requirements describe the desired security behaviour expected of a Target of Evaluation (TOE) and are intended to meet the security objectives as stated in a PP or an ST. These requirements describe security...

[...]

... should use this part of the CC to assist in determining whether a given TOE satisfies stated requirements.

2 Scope

4 This part of the CC defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements...

[...]

... the functional requirement components in CC Part 2. In those cases the PP/ST author may choose to consider using functional requirements not taken from the CC (referred to as extensibility), as explained in annexes A and B of CC Part 1.

5.1 Organisation of CC Part 2

10 Chapter 6 describes the paradigm used in the security functional requirements of CC Part 2.

11 Chapter 7 introduces the catalogue of CC Part...

[...]

7 Security functional components

7.1 Overview

43 This chapter defines the content and presentation of the functional requirements of the CC, and provides guidance on the organisation of the requirements for new components to be included in an ST. The functional requirements are expressed in classes, families, and components.

7.1.1 Class structure...

[...]

... groups may use this part of the CC as follows:
• Consumers, who use this CC Part 2 when selecting components to express functional requirements to satisfy the security objectives expressed in a PP or ST. CC Part 1 Section 7 provides more detailed information on the relationship between security objectives and security requirements.
• Developers, who respond to actual or perceived consumer security requirements...

[...]

... to users in selecting an appropriate functional component once the family has been identified as being a necessary or useful part of their security requirements.

52 This section of the functional family description describes the components available, and their rationale. The exact details of the components are contained within each...

[...]

... those requirements in this part of the CC. They can also use the contents of this part of the CC as a basis for further defining the TOE security functionality and mechanisms that comply with those requirements.
• Evaluators, who use the functional requirements defined in this part of the CC in verifying that the TOE functional requirements expressed in the PP or ST satisfy the IT security objectives and...

[...]

... chapter 2 of CC Part 1 for relevant structures, rules, and guidance:
• CC Part 1, chapter 4 defines the terms used in the CC
• CC Part 1, annex A defines the structure for STs
• CC Part 1, annex B defines the structure for PPs

6 Functional requirements paradigm

15 This chapter describes the paradigm used in the security functional...

[...]

... sufficient and relies upon the functionality of, or interaction with, another component for its own proper functioning.

70 Each functional component provides a complete list of dependencies to other functional and assurance components. Some components may list “No dependencies”. The components depended upon may in turn have dependencies on other components. The list provided in the components will be the direct...

[...]

5 Overview

7 The CC and the associated security functional requirements described herein are not meant to be a definitive answer to all the problems of IT security. Rather, the CC offers a set of well understood security functional requirements that can be used to create trusted products reflecting the needs of the market. These security functional requirements are presented as the current...

Posted: 23/03/2014, 00:20

