TD0691: OSPP 4.3 Conditional authentication testing
Publication Date
2022.12.13
Protection Profiles
PP_OS_V4.3
Other References
FIA_AFL.1; FIA_UAU.5
Issue Description
In the OSPP v4.3, the test cases in FIA_AFL.1 are not marked as conditional when, in fact, they should be, as the mechanisms are optional/selectable in FIA_AFL.1 and FIA_UAU.5, and test case 55 specifies a combination that cannot be selected. Resolution
The following modifications are made to Section 5.1.6 of PP_OS_4.3: An Application Note is added for FIA_AFL.1.1 as follows, with underlines denoting additions: Application Note: Selections in FIA_AFL1. and FIA_UAU.5 must match. The Evaluation Activities for FIA_AFL.1 are modified as follows, with strikethroughs denoting deletions and underlines denoting additions: Tests The evaluator will set an administrator-configurable threshold for failed attempts, or note the ST-specified assignment. The evaluator will then (per selection) repeatedly attempt to authenticate with an incorrect password, PIN, or certificate until the number of attempts reaches the threshold. Note that the authentication attempts and lockouts must also be logged as specified in FAU_GEN.1. - Test 53 [conditional, to be performed if "authentication based on user name and password" is selected in FIA_AFL.1 and FIA_UAU.5]: The evaluator will attempt to authenticate repeatedly to the system with a known bad password. Once the defined number of failed authentication attempts has been reached the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied. - Test 54 [conditional, to be performed if "authentication based on user name and a PIN that releases an asymmetric key stored in OE-protected storage" is selected in FIA_AFL.1 and FIA_UAU.5]: The evaluator will attempt to authenticate repeatedly to the system with a known bad certificate PIN. Once the defined number of failed authentication attempts has been reached the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied. - Test 55 [conditional, to be performed if "authentication based on X.509 certificates" is selected in FIA_AFL.1 and FIA_UAU.5]: The evaluator will attempt to authenticate repeatedly to the system using both a bad password and a known bad certificate. Once the defined number of failed authentication attempts has been reached the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied. Justification
See issue description. |