Archived
TD0420: Conflict in FCS_SSHC_EXT.1.1 and FCS_SSHS_EXT.1.1
Publication Date
2019.05.10
Protection Profiles
PP_SSH_EP_v1.0
Other References
FCS_SSHC_EXT.1.1, FCS_SSHS_EXT.1.1
Issue Description
There is a disconnect between the SFR and the AA of FCS_SSHC_EXT.1.1. The SFR requires only the public-key-based authentication method and includes the selection of password-based authentication and none. However, the AA requires password-based authentication. Further investigation revealed that FCS_SSHS_EXT.1 has the same problem.
Resolution
The Assurance Activity for FCS_SSHC_EXT.1.1 is modified as follows:
The evaluator will check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSHC_EXT.1.4, and ensure that password-based authentication methods are also allowed, if supported, are described.
...
Test 2 [conditional]: Using the guidance documentation, the evaluator will configure the TOE to perform password-based authentication to an SSH server, and demonstrate that a user can be successfully authenticated by the TOE to an SSH server using a password as an authenticator.
The Assurance Activity for FCS_SSHS_EXT.1.1 is modified as follows:
The evaluator will check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSHS_EXT.1.4, and ensure that password-based authentication methods are also allowed, if supported, are described.
...
Test 3 [conditional]: Using the guidance documentation, the evaluator will configure the TOE to perform password-based authentication on a client, and demonstrate that a user can be successfully authenticated by the TOE using a password as an authenticator.
Test 4 [conditional]: The evaluator shall use an SSH client, enter an incorrect password to attempt to authenticate to the TOE, and demonstrate that the authentication fails.
Justification
See issue description.