Brocade Communications Systems NetIron CER Series Manual Page 28

Version 1.1, 03/31/2015
GSS CCT Evaluation Technical Report Page 28 of 56 © 2015 Gossamer Security Solutions, Inc.
Document: AAR-BrocadeNetIron5.8 All rights reserved.
TSS Assurance Activities: The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the ciphersuites supported are specified. The evaluator shall check the TSS to ensure that the ciphersuites specified are identical to those listed for this component.
The SFR claims only the 4 required ciphersuites, and those are identified in section 6.2 of the TSS. Section 6.2 also indicates that TLSv1.0, v1.1, and v1.2 are supported, matching the SFR claim.
The ST includes a statement in section 6.5: “(note that the TOE does not support client authentication)”.
Guidance Assurance Activities: The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS (for instance, the set of ciphersuites advertised by the TOE may have to be restricted to meet the requirements).
The ST indicates that TLSv1.0, 1.1, and 1.2 are supported and identifies the following required ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
The FIPS Guide states that 2048-bit keys are required for private key generation, and also that HTTPS over SSL 3.0 is disabled (“HTTPS SSL 3.0 : Disabled”).
Testing Assurance Activities: The evaluator shall also perform the following tests:
Test 1: The evaluator shall establish a TLS connection using each of the ciphersuites specified by the requirement. This connection may be established as part of the establishment of a higher-level protocol, e.g., as part of an HTTPS session. It is sufficient to observe the successful negotiation of a ciphersuite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the ciphersuite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).
Test 2: The evaluator shall set up a man-in-the-middle tool between the TOE and the TLS Peer and shall perform the following modifications to the traffic:
[Conditional: TOE is a server] Modify at least one byte in the server’s nonce in the Server Hello handshake message, and verify that the server denies the client’s Finished handshake message.
[Conditional: TOE is a client] Modify the server’s selected ciphersuite in the Server Hello handshake message to be a ciphersuite not presented in the Client Hello handshake message. The evaluator shall verify that the client rejects the connection after receiving the Server Hello.
[Conditional: TOE is a client] If a DHE or ECDHE ciphersuite is supported, modify the signature block in the Server’s KeyExchange handshake message, and verify that the client rejects the connection after receiving the Server KeyExchange.
[Conditional: TOE is a client] Modify a byte in the Server Finished handshake message, and verify that the client sends a fatal alert upon receipt and does not send any application data.
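As an added illustration (not part of this evaluation report, the ST, or the TOE's own code), the following Python models the acceptance decision that Test 1 and the ciphersuite-substitution case of Test 2 exercise on the client side: it parses constructed ClientHello and ServerHello handshake messages and rejects a ServerHello that selects a suite the client did not offer, a suite outside the four SFR ciphersuites, or a protocol version other than TLSv1.0 through v1.2. The builder and checker functions are hypothetical helpers written for this example, and the handshake bytes are constructed, not captured from the TOE.

```python
import os
import struct

# IANA code points for the four cipher suites the SFR claims (TSS section 6.2).
REQUIRED_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
ALLOWED_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
CLIENT_HELLO, SERVER_HELLO = 1, 2

def _handshake(msg_type, body):
    """Wrap a body in the TLS Handshake header: type(1) || length(3)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def build_client_hello(suites, version=0x0303):
    """Constructed ClientHello offering the given cipher suite code points."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    return _handshake(CLIENT_HELLO, body + b"\x01\x00")  # one compression method: null

def build_server_hello(suite, version=0x0303):
    """Constructed ServerHello selecting a single cipher suite."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"
    return _handshake(SERVER_HELLO, body + struct.pack("!H", suite) + b"\x00")

def parse_hello(msg):
    """Return (type, version, suites): the offered list for a ClientHello, [selected] for a ServerHello."""
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                 # skip the 32-byte random
    pos += 1 + body[pos]         # skip the variable-length session id
    if msg_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        raw = body[pos + 2:pos + 2 + n]
        return msg_type, version, [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]
    return msg_type, version, [struct.unpack("!H", body[pos:pos + 2])[0]]

def check_server_hello(client_hello, server_hello):
    """The decision a conforming client makes on the ServerHello: (accept, reason)."""
    ctype, _, offered = parse_hello(client_hello)
    stype, version, (chosen,) = parse_hello(server_hello)
    if ctype != CLIENT_HELLO or stype != SERVER_HELLO:
        return False, "unexpected handshake message type"
    if version not in ALLOWED_VERSIONS:
        return False, "server selected unsupported protocol version 0x%04x" % version
    if chosen not in offered:
        return False, "server selected suite 0x%04x that was not offered" % chosen
    if chosen not in REQUIRED_SUITES:
        return False, "selected suite 0x%04x is outside the SFR set" % chosen
    return True, "negotiated " + REQUIRED_SUITES[chosen]
```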