Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 (Anniversary Update) Microsoft Windows Server 2016



11. FCS_TLSC_EXT.1.2

The evaluator will ensure that the TSS describes the client’s method of establishing all reference identifiers from the application-configured reference identifier, including which types of reference identifiers are supported (e.g. Common Name, DNS Name, URI Name, Service Name, or other application-specific Subject Alternative Names) and whether IP addresses and wildcards are supported. The evaluator will ensure that this description identifies whether and the manner in which certificate pinning is supported or used by the OS.

The evaluator will verify that the AGD guidance includes instructions for setting the reference identifier to be used for the purposes of certificate validation in TLS.



The evaluator will configure the reference identifier according to the AGD guidance and perform the following tests during a TLS connection:

  • Test 1: The evaluator will present a server certificate that does not contain an identifier in either the Subject Alternative Name (SAN) or Common Name (CN) that matches the reference identifier. The evaluator will verify that the connection fails.

  • Test 2: The evaluator will present a server certificate that contains a CN that matches the reference identifier, contains the SAN extension, but does not contain an identifier in the SAN that matches the reference identifier. The evaluator shall verify that the connection fails. The evaluator will repeat this test for each supported SAN type.

  • Test 3: The evaluator will present a server certificate that contains a CN that matches the reference identifier and does not contain the SAN extension. The evaluator will verify that the connection succeeds.

  • Test 4: The evaluator will present a server certificate that contains a CN that does not match the reference identifier but does contain an identifier in the SAN that matches. The evaluator will verify that the connection succeeds.

  • Test 5: The evaluator will perform the following wildcard tests with each supported type of reference identifier:

    • Test 5.1: The evaluator will present a server certificate containing a wildcard that is not in the left-most label of the presented identifier (e.g. foo.*.example.com) and verify that the connection fails.

    • Test 5.2: The evaluator will present a server certificate containing a wildcard in the left-most label but not preceding the public suffix (e.g. *.example.com). The evaluator will configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection succeeds. The evaluator will configure the reference identifier without a left-most label as in the certificate (e.g. example.com) and verify that the connection fails. The evaluator will configure the reference identifier with two left-most labels (e.g. bar.foo.example.com) and verify that the connection fails.

    • Test 5.3: The evaluator will present a server certificate containing a wildcard in the left-most label immediately preceding the public suffix (e.g. *.com). The evaluator will configure the reference identifier with a single left-most label (e.g. foo.com) and verify that the connection fails. The evaluator will configure the reference identifier with two left-most labels (e.g. bar.foo.com) and verify that the connection fails.

  • Test 6: [conditional] If URI or Service name reference identifiers are supported, the evaluator will configure the DNS name and the service identifier. The evaluator will present a server certificate containing the correct DNS name and service identifier in the URIName or SRVName fields of the SAN and verify that the connection succeeds. The evaluator will repeat this test with the wrong service identifier (but correct DNS name) and verify that the connection fails.

  • Test 7: [conditional] If pinned certificates are supported the evaluator will present a certificate that does not match the pinned certificate and verify that the connection fails.
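The matching rules that Tests 1 through 5 exercise can be written as a small decision procedure. The following is an added example, not code from the evaluated OS or from the original document; the function names are hypothetical, `PUBLIC_SUFFIXES` is a constructed stand-in for a real public suffix list, and only DNS-name identifiers with whole-label wildcards are modelled.

```python
# Added example: reference-identifier matching as exercised by Tests 1-5.
# PUBLIC_SUFFIXES is a constructed stand-in for a real public suffix list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def _labels(name):
    return name.lower().rstrip(".").split(".")


def dns_name_matches(presented, reference):
    """Compare one presented DNS identifier with the reference identifier."""
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    # Test 5.1: a wildcard is honoured only as the whole left-most label.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Test 5.3: the wildcard must not sit directly in front of a public suffix.
    parent = ".".join(p[1:])
    if not parent or parent in PUBLIC_SUFFIXES:
        return False
    # Test 5.2: the wildcard stands for exactly one label.
    return len(p) == len(r) and p[1:] == r[1:]


def server_identity_ok(reference, san_dns=None, common_name=None):
    """san_dns is None when the certificate has no SAN extension at all."""
    if san_dns is not None:
        # Tests 2 and 4: once a SAN extension is present, the CN is ignored.
        return any(dns_name_matches(n, reference) for n in san_dns)
    # Test 3: fall back to the CN only when there is no SAN extension.
    return common_name is not None and dns_name_matches(common_name, reference)


if __name__ == "__main__":
    ref = "foo.example.com"
    print("Test 2:", server_identity_ok(ref, ["a.example.com"], ref))
    print("Test 3:", server_identity_ok(ref, None, ref))
    print("Test 4:", server_identity_ok(ref, [ref], "a.example.com"))
    for cert, name in [("foo.*.example.com", "foo.bar.example.com"),
                       ("*.example.com", "foo.example.com"),
                       ("*.example.com", "example.com"),
                       ("*.example.com", "bar.foo.example.com"),
                       ("*.com", "foo.com")]:
        print(cert, "vs", name, "->", dns_name_matches(cert, name))
```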

12. FCS_TLSC_EXT.1.3

The evaluator will use TLS as a function to verify that the validation rules in FIA_X509_EXT.1.1 are adhered to and shall perform the following additional test:

  • Test 1: The evaluator will demonstrate that a peer using a certificate without a valid certification path results in an authentication failure. Using the administrative guidance, the evaluator will then load the trusted CA certificate(s) needed to validate the peer's certificate, and demonstrate that the connection succeeds. The evaluator then shall delete one of the CA certificates, and show that the connection fails.

  • Test 2: The evaluator will demonstrate that a peer using a certificate which has been revoked results in an authentication failure.

  • Test 3: The evaluator will demonstrate that a peer using a certificate which has passed its expiration date results in an authentication failure.

  • Test 4: The evaluator will demonstrate that a peer using a certificate which does not have a valid identifier shall result in an authentication failure.

12.1.1.1.1 TLS Client Protocol (FCS_TLSC_EXT.2)

The evaluator will verify that TSS describes the supported Elliptic Curves Extension and whether the required behavior is performed by default or may be configured. If the TSS indicates that the supported Elliptic Curves Extension must be configured to meet the requirement, the evaluator will verify that AGD guidance includes configuration of the supported Elliptic Curves Extension.

The evaluator will also perform the following test:

The evaluator will configure the server to perform an ECDHE key exchange message in the TLS connection using a non-supported ECDHE curve (for example, P-192) and shall verify that the OS disconnects after receiving the server's Key Exchange handshake message.
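The client-side check this test probes is a comparison of the curve named in the server's Key Exchange message against the curves the client offered. The following is an added example, not code from the evaluated OS or the original document; it assumes TLS 1.2 ServerKeyExchange framing with a named curve, the function names are hypothetical, and the sample messages are constructed (dummy point, no signature).

```python
import struct

# IANA "TLS Supported Groups" code points for the NIST curves.
NAMED_CURVES = {19: "secp192r1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
SERVER_KEY_EXCHANGE = 12   # handshake message type
NAMED_CURVE_TYPE = 3       # ECCurveType.named_curve


class HandshakeAbort(Exception):
    """Raised where a client would send a fatal alert and disconnect."""


def check_server_curve(handshake_msg, offered):
    """Return the curve name if the ServerKeyExchange uses an offered curve."""
    if len(handshake_msg) < 8:
        raise HandshakeAbort("truncated handshake message")
    msg_type = handshake_msg[0]
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if msg_type != SERVER_KEY_EXCHANGE or len(body) != body_len or body_len < 4:
        raise HandshakeAbort("malformed ServerKeyExchange")
    # ServerECDHParams: curve_type (1), namedcurve (2), point length (1), point.
    curve_type, curve_id, point_len = struct.unpack("!BHB", body[:4])
    if curve_type != NAMED_CURVE_TYPE:
        raise HandshakeAbort("explicit curve parameters are not accepted")
    if curve_id not in offered:
        name = NAMED_CURVES.get(curve_id, "unknown")
        raise HandshakeAbort(f"server chose curve {curve_id} ({name}) that was not offered")
    if len(body) < 4 + point_len:
        raise HandshakeAbort("truncated EC point")
    return NAMED_CURVES.get(curve_id, str(curve_id))


def build_ske(curve_id, point_len):
    """Constructed sample: handshake header + ECDH params + dummy uncompressed point."""
    point = b"\x04" + bytes(point_len - 1)
    body = struct.pack("!BHB", NAMED_CURVE_TYPE, curve_id, point_len) + point
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    offered = {23, 24}  # client offered P-256 and P-384 only
    print(check_server_curve(build_ske(23, 65), offered))
    try:
        check_server_curve(build_ske(19, 49), offered)  # P-192, as in the test
    except HandshakeAbort as exc:
        print("disconnect:", exc)
```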

12.1.1.1.2 TLS Client Protocol (FCS_TLSC_EXT.3)

The evaluator will verify that TSS describes the signature_algorithm extension and whether the required behavior is performed by default or may be configured. If the TSS indicates that the signature_algorithm extension must be configured to meet the requirement, the evaluator will verify that AGD guidance includes configuration of the signature_algorithm extension.

The evaluator will also perform the following test:

The evaluator will configure the server to send a certificate in the TLS connection that is not supported according to the Client’s HashAlgorithm enumeration within the signature_algorithms extension (for example, send a certificate with a SHA-1 signature). The evaluator will verify that the OS disconnects after receiving the server’s Certificate handshake message.

12.1.1.1.3 TLS Client Protocol (FCS_TLSC_EXT.4)

The evaluator will ensure that the TSS description required per FIA_X509_EXT.2.1 includes the use of client-side certificates for TLS mutual authentication.

The evaluator will verify that the AGD guidance required per FIA_X509_EXT.2.1 includes instructions for configuring the client-side certificates for TLS mutual authentication.

The evaluator will also perform the following test:

Configure the server to require mutual authentication and then modify a byte in a CA field in the Server’s Certificate Request handshake message. The modified CA field must not be the CA used to sign the client’s certificate. The evaluator will verify the connection is unsuccessful.

12.1.1.1.4 DTLS Implementation (FCS_DTLS_EXT.1)


