Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks 7.05, 7.11 manual Class FCS Cryptographic Support, FCSCKM.1a, FCSCKM.1b, FCSCOP.1a

Models: 7.11 7.05

1 67

Download 67 pages 33.01 Kb

Page 24

Security Target, Version 3.9	March 18, 2008

5.1.2 Class FCS: Cryptographic Support

FCS_CKM.1(a)

Cryptographic key generation (Diffie-Hellman)

Hierarchical to: No other components.

FCS_CKM.1.1(a)

The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [Diffie-Hellman] and specified cryptographic key sizes [1024, 1536 bit keys] that meet the following: [RFC 2631].

Dependencies: [FCS_CKM.2 Cryptographic key distribution, or

FCS_COP.1 Cryptographic operation]

FCS_CKM.4 Cryptographic key destruction

FMT_MSA.2 Secure security attributes

FCS_CKM.1(b)

Cryptographic key generation (RSA)

Hierarchical to: No other components.

FCS_CKM.1.1(b)

The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [RSA] and specified cryptographic key sizes [1024, 2048 bits] that meet the following: [RFC 3447].

Dependencies: [FCS_CKM.2 Cryptographic key distribution, or

FCS_COP.1 Cryptographic operation]

FCS_CKM.4 Cryptographic key destruction

FMT_MSA.2 Secure security attributes

FCS_CKM.4 Cryptographic key destruction

Hierarchical to: No other components.

FCS_CKM.4.1

The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [zeroization] that meets the following: [FIPS 140-2].

Dependencies: [FDP_ITC.1 Import of user data without security attributes, or

FDP_ITC.2 Import of user data with security attributes, or

FCS_CKM.1 Cryptographic key generation]

FMT_MSA.2 Secure security attributes

FCS_COP.1(a)	Cryptographic operation (encryption and decryption)
Hierarchical to: No other components.

Nortel VPN Router v7.05 and Client Workstation v7.11		Page 24 of 67
	© 2008 Nortel Networks

Image 24

Nortel Networks 7.05 Class FCS Cryptographic Support, FCSCKM.1a, Cryptographic key generation Diffie-Hellman, FCSCKM.1b

Contents

Evaluation Assurance Level EAL 4+ Document Version Prepared forPrepared by Nortel NetworksRevision History VersionModification Date Modified ByTable of Contents TABLE OF CONTENTSTOE SUMMARY SPECIFICATION REVISION HISTORYTable of Figures Table of TablesPROTECTION PROFILE CLAIMS RATIONALE1 Security Target Introduction 1.1 Purpose1.2 Security Target, TOE and CC Identification and Conformance Table 1 - ST, TOE, and CC Identification and Conformance1.3 Conventions, Acronyms, and Terminology 1.3.1 Conventions1.3.2 Terminology Table 2 - TerminologyPrimary Admin password View Nortel VPN Router rightsPage 7 of Figure 1 - VPN Client Deployment Configuration of the TOE 2 TOE Description2.1 Product Type 2.2 Product DescriptionFigure 2 - Branch Office Deployment Configuration of the TOE 2.3 TOE Boundaries and Scope 2.3.1 Physical BoundaryFigure 3 - Physical TOE Boundary Figure 4 - Physical TOE Boundary in Branch Office Tunnel Mode2.3.2 Logical Boundary 2.3.1.1 TOE EnvironmentNortel VPN Switch Software VxWorks OS Contivity Hardware Appliance The WorldSoftware Internet2.3.2.1 Security Audit 2.3.2.2 Cryptographic Support2.3.2.3 User Data Protection 2.3.2.4 Identification and Authentication 2.3.2.5 Security Management2.3.2.6 Protection of the TOE Security Functions 2.3.2.7 Trusted Path/Channels2.3.3 Excluded TOE Functionality 3 TOE Security Environment 3.1 Assumptions3.2 Threats to Security 3.2.1 Threats Addressed by the TOE 3.2.2 Threats Addressed by the TOE EnvironmentT.HACK TE.PHYSICAL4 Security Objectives 4.1 Security Objectives for the TOE4.2 Security Objectives for the Environment 4.2.1 IT Security Objectives4.2.2 Non-IT Security Objectives 5 IT Security Requirements 5.1 TOE Security Functional RequirementsTable 3 - TOE Security Functional Requirements Page 21 of 5.1.1 Class FAU Security Audit FAUGEN.1 Audit Data GenerationFAUSAR.1 Audit review Table 4 - Auditable EventsDependencies FAUGEN.1 Audit data generation Page 23 of5.1.2 Class FCS Cryptographic Support FCSCKM.1aCryptographic key generation Diffie-Hellman FCSCKM.1bCryptographic operation authentication FCSCOP.1bFCSCOP.1d Cryptographic operation random number generationFDPITC.2 Import of user data with security attributes, or FCSCKM.1 Cryptographic key generationFCSCKM.4 Cryptographic key destruction FMTMSA.2 Secure security attributesFDPACC.2 Complete access control FDPACF.1 Security attribute based access control5.1.3 Class FDP User Data Protection FDPIFC.2a Complete information flow control VPNFDPIFC.2b Complete information flow control Firewall FDPIFF.1a Simple security attributes VPNFDPIFF.1b Simple security attributes Firewall FDPUCT.1 Basic data exchange confidentiality FDPUIT.1 Data exchange integrityPage 30 of 5.1.4 Class FIA Identification and Authentication FIAUAU.1 Timing of authenticationFIAUAU.5 Multiple authentication mechanisms FIAUID.2 User identification before any actionPage 32 of 5.1.5 Class FMT Security Management FMTMOF.1a Management of security functions behaviourFMTMOF.1b Management of security functions behaviour FMTMSA.1a Management of security attributesFMTMSA.1c Management of security attributes FMTMSA.2 Secure security attributesFMTMSA.3a Static attribute initialisation Page 34 ofFMTSMF.1 Specification of Management Functions FMTMSA.3b Static attribute initialisationFMTMSA.3c Static attribute initialisation FMTSMR.1 Security rolesThe TSF shall be able to associate users with roles Page 36 ofFPTAMT.1 Abstract machine testing FPTTST.1 TSF testing5.1.6 Class FPT Protection of the TSF FPTRPL.1 Replay detection5.1.7 Class FTP Trusted Path/Channels FTPTRP.1 Trusted path5.2 Security Functional Requirements on the IT Environment FPTRVM.1 Non-bypassability of the TSPFPTSEP.1 TSF domain separation FPTSTM.1 Reliable time stampsPage 40 of 5.3 Assurance Requirements Table 6 - Assurance Components6 TOE Summary Specification 6.1 TOE Security Functions6.1.1 Security Audit Configuration LogAccounting Logs Security LogSystem Log Event LogTOE Security Functional Requirements Satisfied FAUGEN.1, FAUSAR.1 6.1.2 Cryptographic Support Table 8 - FIPS Validated ModulesTable 9 - FIPS-Validated Cryptographic Algorithms 6.1.3 User Data Protection Page 46 of6.1.4 Identification and Authentication 6.1.5 Security Management6.1.6.1 Power-Up Self-Tests 6.1.6 Protection of the TOE Security Functions6.1.6.2 Conditional Self-Tests 6.2 TOE Security Assurance Measures 6.1.7 Trusted Path/Channels8 Augmentation to EAL 4+ assurance level Page 50 of7 Protection Profile Claims 7.1 Protection Profile Reference8 Rationale 8.1 Security Objectives RationaleTable 11 - Relationship of Security Threats to Objectives T.HACK Nortel VPN Router v7.05 and Client Workstation 2008 Nortel NetworksPage 54 of 8.2 Security Functional Requirements Rationale Page 55 ofTable 12 - Relationship of Security Requirements to Objectives ObjectivesRequirements  The Primary Admin access to all the administrative functions that are used to enforce the SFP FMTMSA.3a,b,c O.REPLAY 8.3 Security Assurance Requirements Rationale 8.4 Rationale for Strength of Function8.5 Dependency Rationale Table 13 - Functional Requirements Dependencies9 Met by hierarchical SFR FDPACC.2 Met by hierarchical SFR FDPIFC.2Met by hierarchical SFR FIAUID.2 SFR ID8.6 TOE Summary Specification Rationale FCSCOP.1FDPUCT.1 8.6.2.1 Configuration Management 8.6.2.2 Secure Delivery and Operation8.6.2.3 Development 8.6.2.4 Guidance Documentation 8.6.2.5 Life Cycle Support Documents8.6.2.6 Tests Page 64 of8.7 Strength of Function 8.6.2.7 Vulnerability and TOE Strength of Function Analyses9 Acronyms Table 15 - AcronymsPage 67 of