| O.INTEGRITY | FDP_DEC_EXT.1 | The PP includes FDP_DEC_EXT.1 to limit access to platform hardware resources, which limits the methods by which an attacker can attempt to compromise the integrity of the TOE. |
| O.INTEGRITY | FMT_CFG_EXT.1 | The PP includes FMT_CFG_EXT.1 for the TSF to limit unauthorized access to itself by preventing the use of default authentication credentials and by ensuring that the TOE uses appropriately restrictive platform permissions on its binaries and data. |
| O.INTEGRITY | FPT_AEX_EXT.1 | The PP includes FPT_AEX_EXT.1 to add complexity to the task of compromising systems by ensuring that the application is compatible with security features provided by the platform vendor and that the application implements platform-provided anti-exploitation mechanisms such as ASLR and stack overflow protection. |
| O.INTEGRITY | FPT_TUD_EXT.1 | The PP includes FPT_TUD_EXT.1 to ensure that the TOE can be patched and that any updates to the TOE have appropriate integrity protection. |
| O.QUALITY | FCS_CKM_EXT.1 | The PP supports this objective by allowing FCS_CKM_EXT.1 to specify that the TSF may rely on platform-provided key generation services. |
| O.QUALITY | FCS_RBG_EXT.1 | The PP supports this objective by allowing FCS_RBG_EXT.1 to specify that the TSF may rely on platform-provided random bit generation services. |
| O.QUALITY | FCS_STO_EXT.1 | The PP supports this objective by allowing FCS_STO_EXT.1 to specify that the TSF may rely on platform-provided credential storage services. |
| O.QUALITY | FDP_DAR_EXT.1 | The PP supports this objective by allowing FDP_DAR_EXT.1 to specify that the TSF may rely on platform-provided data-at-rest protection services. |
| O.QUALITY | FMT_MEC_EXT.1 | The PP includes FMT_MEC_EXT.1 to ensure that the TOE can use platform services to store and set configuration options. |
| O.QUALITY | FPT_API_EXT.1 | The PP includes FPT_API_EXT.1 to require the TOE to leverage platform functionality by using only documented and supported APIs. |
| O.QUALITY | FPT_LIB_EXT.1 | The PP includes FPT_LIB_EXT.1 to ensure that the TOE does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability. |
| O.QUALITY | FTP_DIT_EXT.1 | The PP supports this objective by allowing FTP_DIT_EXT.1 to specify that the TSF may rely on platform-provided services to implement trusted communications. |
| O.QUALITY | FCS_CKM.1(1) (selection-based) | The PP supports this objective by allowing FCS_CKM.1(1) to specify that the TSF may rely on platform-provided asymmetric key generation services. |
| O.QUALITY | FCS_CKM.2 (selection-based) | The PP supports this objective by allowing FCS_CKM.2 to specify that the TSF may rely on platform-provided key establishment services. |
| O.QUALITY | FIA_X509_EXT.1 (selection-based) | The PP supports this objective by allowing FIA_X509_EXT.1 to specify that the TSF may rely on platform-provided X.509 certificate validation services. |
| O.QUALITY | FPT_TUD_EXT.2 (selection-based) | The TSF includes FPT_TUD_EXT.2 to specify that the TOE may leverage the platform-supported package manager for application distribution and leverages platform-provided mechanisms to remove all traces of itself when removed from the platform system. |
| O.QUALITY | FPT_API_EXT.2 (objective) | The PP includes FPT_API_EXT.2 to permit the TOE to use platform-provided libraries for parsing IANA MIME media formats. |
| O.MANAGEMENT | FMT_SMF.1 | The PP includes FMT_SMF.1 to define the security-relevant management functions that are supported by the TOE. |
| O.MANAGEMENT | FPR_ANO_EXT.1 | The PP includes FPR_ANO_EXT.1 to define how the TSF provides control to the user regarding the disclosure of any PII. |
| O.MANAGEMENT | FPT_IDV_EXT.1 | The PP includes FPT_IDV_EXT.1 to provide a methodology for identifying the TOE versioning. |
| O.MANAGEMENT | FPT_TUD_EXT.1 | The PP includes FPT_TUD_EXT.1 to define how updates to the TOE are deployed and verified. |
| O.MANAGEMENT | FCS_COP.1(3) (selection-based) | The PP includes FCS_COP.1(3) to define the mechanism used to verify TOE updates if the TOE implements this functionality rather than the underlying platform. |
| O.PROTECTED_STORAGE | FCS_RBG_EXT.1 | The PP includes FCS_RBG_EXT.1 to define whether random bit generation services are implemented by the TSF or the platform. Depending on how data at rest is protected, the TOE may rely on the use of a random bit generator to create keys that are subsequently used for data protection. |
| O.PROTECTED_STORAGE | FCS_STO_EXT.1 | The PP includes FCS_STO_EXT.1 to define the mechanism that the TSF uses or relies upon to protect stored credential data. |
| O.PROTECTED_STORAGE | FDP_DAR_EXT.1 | The PP includes FDP_DAR_EXT.1 to define the mechanism that the TSF uses or relies upon to protect sensitive data at rest. |
| O.PROTECTED_STORAGE | FCS_CKM.1(2) (optional) | The PP includes FCS_CKM.1(2) to define the TOE’s capability to generate symmetric keys. These keys may subsequently be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1. |
| O.PROTECTED_STORAGE | FCS_CKM.1(3) (selection-based) | The PP includes FCS_CKM.1(3) to define the password-based key derivation function that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1. |
| O.PROTECTED_STORAGE | FCS_COP.1(1) (selection-based) | The PP includes FCS_COP.1(1) to define the AES cryptographic algorithm that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1. |
| O.PROTECTED_STORAGE | FCS_COP.1(2) (selection-based) | The PP includes FCS_COP.1(2) to define integrity mechanisms that may be used by the TOE as part of ensuring that data at rest is protected. |
| O.PROTECTED_STORAGE | FCS_COP.1(4) (selection-based) | The PP includes FCS_COP.1(4) to define HMAC mechanisms that may be used by the TOE as part of ensuring that data at rest is protected. |
| O.PROTECTED_STORAGE | FCS_RBG_EXT.2 (selection-based) | The PP includes FCS_RBG_EXT.2 to define the TOE’s implementation of random bit generation functionality in the event that the TOE provides this function in support of generating keys that are used for data protection. |
| O.PROTECTED_COMMS | FCS_RBG_EXT.1 | The PP includes FCS_RBG_EXT.1 to define whether the random bit generation services used in establishing trusted communications are implemented by the TSF or by the platform. |
| O.PROTECTED_COMMS | FCS_CKM_EXT.1 | The PP includes FCS_CKM_EXT.1 to specify whether the TOE or the platform is responsible for generation of any asymmetric keys that may be used for establishing trusted communications. |
| O.PROTECTED_COMMS | FTP_DIT_EXT.1 | The PP includes FTP_DIT_EXT.1 to define the trusted channels used to protect data in transit, the data that is protected, and whether the trusted channels are implemented by the TSF or the platform. |
| O.PROTECTED_COMMS | FCS_CKM.1(1) (selection-based) | The PP includes FCS_CKM.1(1) to define whether the TSF or the platform generates asymmetric keys that are used in support of trusted communications. |
| O.PROTECTED_COMMS | FCS_CKM.2 (selection-based) | The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment for trusted communications. |
| O.PROTECTED_COMMS | FCS_COP.1(1) (selection-based) | The PP includes FCS_COP.1(1) to define the symmetric encryption algorithms used in support of trusted communications. |
| O.PROTECTED_COMMS | FCS_COP.1(2) (selection-based) | The PP includes FCS_COP.1(2) to define the hash algorithms used in support of trusted communications. |
| O.PROTECTED_COMMS | FCS_COP.1(3) (selection-based) | The PP includes FCS_COP.1(3) to define the digital signature algorithms used in support of trusted communications. |
| O.PROTECTED_COMMS | FCS_COP.1(4) (selection-based) | The PP includes FCS_COP.1(4) to define the HMAC algorithms used in support of trusted communications. |
| O.PROTECTED_COMMS | FCS_RBG_EXT.2 (selection-based) | The PP includes FCS_RBG_EXT.2 to define the DRBG algorithms used in support of trusted communications. |
| O.PROTECTED_COMMS | FCS_HTTPS_EXT.1 (selection-based) | The PP includes FCS_HTTPS_EXT.1 to define the TOE’s support for the HTTPS trusted communications protocol. |
| O.PROTECTED_COMMS | FDP_NET_EXT.1 | The PP includes FDP_NET_EXT.1 to define the TOE’s usage of network communications, which may include the transmission or receipt of data over a trusted channel. |
| O.PROTECTED_COMMS | FIA_X509_EXT.1 (selection-based) | The PP includes FIA_X509_EXT.1 to define X.509 certificate validation activities in support of trusted communications. |
| O.PROTECTED_COMMS | FIA_X509_EXT.2 (selection-based) | The PP includes FIA_X509_EXT.2 to define the trusted communications that X.509 certificate services support, as well as the extent to which trusted communications can be established when using a certificate with unknown validity. |