Common Criteria for Information Technology Security Evaluation Part 2: Security functional components September 2007 Version 3.1 Revision 2 CCMB-2007-09-002 Foreword This version of the Common Criteria for Information Technology Security Evaluation (CC v3.1) is the first major revision since being published as CC v2.3 in 2005. CC v3.1 aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed. CC version 3.1 consists of the following parts: Part 1: Introduction and general model Part 2: Security functional components Part 3: Security assurance components Trademarks: UNIX is a registered trademark of The Open Group in the United States and other countries Windows is a registered trademark of Microsoft Corporation in the United States and other countries Page 2 of 324 Version 3.1 September 2007 Legal Notice: The governmental organisations listed below contributed to the development of this version of the Common Criteria for Information Technology Security Evaluation. As the joint holders of the copyright in the Common Criteria for Information Technology Security Evaluation, version 3.1 Parts 1 through 3 (called “CC 3.1”), they hereby grant non- exclusive license to ISO/IEC to use CC 3.1 in the continued development/maintenance of the ISO/IEC 15408 international standard. However, these governmental organisations retain the right to use, copy, distribute, translate or modify CC 3.1 as they see fit. Australia/New Zealand: The Defence Signals Directorate and the Government Communications Security Bureau respectively; Canada: Communications Security Establishment; France: Direction Centrale de la Sécurité des Systèmes d'Information; Germany: Bundesamt für Sicherheit in der Informationstechnik; Japan: Information Technology Promotion Agency Netherlands: Netherlands National Communications Security Agency; Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional; United Kingdom: Communications-Electronics Security Group; United States: The National Security Agency and the National Institute of Standards and Technology. September 2007 Version 3.1 Page 3 of 324 Table of contents Table of Contents 1 INTRODUCTION ............................................................................................. 13 2 SCOPE ........................................................................................................... 14 3 NORMATIVE REFERENCES ......................................................................... 15 4 TERMS AND DEFINITIONS, SYMBOLS AND ABBREVIATED TERMS ...... 16 5 OVERVIEW ..................................................................................................... 17 5.1 Organisation of CC Part 2 ..................................................................................................................... 17 6 FUNCTIONAL REQUIREMENTS PARADIGM ............................................... 18 7 SECURITY FUNCTIONAL COMPONENTS ................................................... 23 7.1 Overview ................................................................................................................................................. 23 7.1.1 Class structure ................................................................................................................................ 23 7.1.2 Family structure .............................................................................................................................. 24 7.1.3 Component structure....................................................................................................................... 25 7.2 Component catalogue ............................................................................................................................ 27 7.2.1 Component changes highlighting ................................................................................................... 28 8 CLASS FAU: SECURITY AUDIT ................................................................... 29 8.1 Security audit automatic response (FAU_ARP) .................................................................................. 30 8.2 Security audit data generation (FAU_GEN) ........................................................................................ 31 8.3 Security audit analysis (FAU_SAA) ..................................................................................................... 33 8.4 Security audit review (FAU_SAR) ........................................................................................................ 37 8.5 Security audit event selection (FAU_SEL) ........................................................................................... 39 8.6 Security audit event storage (FAU_STG) ............................................................................................ 40 9 CLASS FCO: COMMUNICATION .................................................................. 43 9.1 Non-repudiation of origin (FCO_NRO) ............................................................................................... 44 9.2 Non-repudiation of receipt (FCO_NRR) .............................................................................................. 46 10 CLASS FCS: CRYPTOGRAPHIC SUPPORT ............................................ 48 10.1 Cryptographic key management (FCS_CKM) ............................................................................... 49 10.2 Cryptographic operation (FCS_COP) ............................................................................................. 52 Page 4 of 324 Version 3.1 September 2007 Table of contents 11 CLASS FDP: USER DATA PROTECTION ................................................. 54 11.1 Access control policy (FDP_ACC) ................................................................................................... 56 11.2 Access control functions (FDP_ACF) .............................................................................................. 58 11.3 Data authentication (FDP_DAU) ..................................................................................................... 60 11.4 Export from the TOE (FDP_ETC) .................................................................................................. 62 11.5 Information flow control policy (FDP_IFC) ................................................................................... 64 11.6 Information flow control functions (FDP_IFF) .............................................................................. 66 11.7 Import from outside of the TOE (FDP_ITC) .................................................................................. 71 11.8 Internal TOE transfer (FDP_ITT) ................................................................................................... 73 11.9 Residual information protection (FDP_RIP) .................................................................................. 76 11.10 Rollback (FDP_ROL) ........................................................................................................................ 78 11.11 Stored data integrity (FDP_SDI) ...................................................................................................... 80 11.12 Inter-TSF user data confidentiality transfer protection (FDP_UCT) ........................................... 82 11.13 Inter-TSF user data integrity transfer protection (FDP_UIT) ...................................................... 83 12 CLASS FIA: IDENTIFICATION AND AUTHENTICATION ......................... 86 12.1 Authentication failures (FIA_AFL) ................................................................................................. 88 12.2 User attribute definition (FIA_ATD) ............................................................................................... 90 12.3 Specification of secrets (FIA_SOS) .................................................................................................. 91 12.4 User authentication (FIA_UAU) ...................................................................................................... 93 12.5 User identification (FIA_UID) .......................................................................................................... 98 12.6 User-subject binding (FIA_USB) ................................................................................................... 100 13 CLASS FMT: SECURITY MANAGEMENT ............................................... 102 13.1 Management of functions in TSF (FMT_MOF) ........................................................................... 104 13.2 Management of security attributes (FMT_MSA) ......................................................................... 105 13.3 Management of TSF data (FMT_MTD) ........................................................................................ 109 13.4 Revocation (FMT_REV) ................................................................................................................. 112 13.5 Security attribute expiration (FMT_SAE) .................................................................................... 113 13.6 Specification of Management Functions (FMT_SMF) ................................................................. 114 13.7 Security management roles (FMT_SMR) ....................................................................................