www.GossamerSec.com Assurance Activity Report (NDcPP22e/STFFW14e/VPNGW11) for Cisco FTD (NGFW) 6.4 on Firepower 1000 and 2100 Series with FMC/FMCv Version 0.3 06/07/2021 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory – Common Criteria Testing Columbia, MD 21045 Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Document: AAR-VID11139 © 2021 Gossamer Security Solutions, Inc. All rights reserved. Version 0.3, 06/07/2021 REVISION HISTORY Revision Date Authors Summary Version 0.1 05/21/2021 Sykes Initial draft Version 0.2 06/04/2021 Sykes Validator comments Version 0.3 06/07/2021 Sykes Validator comments The TOE Evaluation was Sponsored by: Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 Evaluation Personnel: • Tammy Compton • Cody Cummins • Katie Sykes • Khai Van Common Criteria Versions: • Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.1, Revision 5, April 2017 • Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 5, April 2017 • Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1, Revision 5, April 2017 Common Evaluation Methodology Versions: • Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017 GSS CCT Assurance Activity Report Page 2 of 211 ©2021 Gossamer Security Solutions, Inc. Document: AAR-VID11139 All rights reserved. Version 0.3, 06/07/2021 TABLE OF CONTENTS 1. Introduction ........................................................................................................................................................... 7 1.1 Equivalence .................................................................................................................................................. 7 1.1.1 Evaluated Platform Equivalence .............................................................................................................. 7 1.1.2 CAVP Equivalence ................................................................................................................................... 8 1.2 References.................................................................................................................................................. 11 2. Protection Profile SFR Assurance Activities ......................................................................................................... 12 2.1 Security audit (FAU) ................................................................................................................................... 12 2.1.1 Audit Data Generation (NDcPP22e:FAU_GEN.1) .................................................................................. 12 2.1.2 Security Audit Data Generation (STFFW14E:FAU_GEN.1) .................................................................... 15 2.1.3 Audit Data Generation (VPNGW11:FAU_GEN.1) .................................................................................. 16 2.1.4 User identity association (NDcPP22e:FAU_GEN.2) ............................................................................... 18 2.1.5 Security Audit Generation (NDcPP22e:FAU_GEN_EXT.1) ..................................................................... 18 2.1.6 Protected Audit Event Storage (NDcPP22e:FAU_STG_EXT.1)............................................................... 19 2.1.7 Protected Local Audit Event Storage for Distributed TOEs (NDcPP22e:FAU_STG_EXT.4) .................... 23 2.1.8 Protected Remote Audit Event Storage for Distributed TOEs (NDcPP22e:FAU_STG_EXT.5) ............... 25 2.2 Communication (FCO) ................................................................................................................................ 27 2.2.1 Component Registration Channel Definition (NDcPP22e:FCO_CPC_EXT.1) ......................................... 27 2.3 Cryptographic support (FCS) ...................................................................................................................... 34 2.3.1 Cryptographic Key Generation (NDcPP22e:FCS_CKM.1) ...................................................................... 34 2.3.2 Cryptographic Key Generation (for IKE Peer Authentication) (VPNGW11:FCS_CKM.1/IKE) ................ 38 2.3.3 Cryptographic Key Establishment (NDcPP22e:FCS_CKM.2) .................................................................. 40 2.3.4 Cryptographic Key Destruction (NDcPP22e:FCS_CKM.4) ...................................................................... 43 2.3.5 Cryptographic Operation (AES Data Encryption/Decryption) (NDcPP22e:FCS_COP.1/DataEncryption) 45 2.3.6 Cryptographic Operation (AES Data Encryption/Decryption) (VPNGW11:FCS_COP.1/DataEncryption) 50 2.3.7 Cryptographic Operation (Hash Algorithm) (NDcPP22e:FCS_COP.1/Hash) .......................................... 50 2.3.8 Cryptographic Operation (Keyed Hash Algorithm) (NDcPP22e:FCS_COP.1/KeyedHash) ..................... 53 2.3.9 Cryptographic Operation (Signature Generation and Verification) (NDcPP22e:FCS_COP.1/SigGen)... 54 GSS CCT Assurance Activity Report Page 3 of 211 ©2021 Gossamer Security Solutions, Inc. Document: AAR-VID11139 All rights reserved. Version 0.3, 06/07/2021 2.3.10 HTTPS Protocol (NDcPP22e:FCS_HTTPS_EXT.1) ............................................................................... 56 2.3.11 IPsec Protocol (NDcPP22e:FCS_IPSEC_EXT.1) .................................................................................. 58 2.3.12 Internet Protocol Security (IPsec) Communications (VPNGW11:FCS_IPSEC_EXT.1) ........................ 74 2.3.13 Random Bit Generation (NDcPP22e:FCS_RBG_EXT.1) ..................................................................... 77 2.3.14 SSH Server Protocol (NDcPP22e:FCS_SSHS_EXT.1) .......................................................................... 79 2.3.15 TLS Client Protocol Without Mutual Authentication (NDcPP22e:FCS_TLSC_EXT.1) ........................ 86 2.3.16 TLS Client Support for Mutual Authentication (NDcPP22e:FCS_TLSC_EXT.2) .................................. 96 2.3.17 TLS Server Protocol Without Mutual Authentication (NDcPP22e:FCS_TLSS_EXT.1) ........................ 97 2.4 User data protection (FDP) ...................................................................................................................... 104 2.4.1 Full Residual Information Protection (STFFW14E:FDP_RIP.2) ............................................................ 104 2.5 Firewall (FFW) .......................................................................................................................................... 105 2.5.1 Stateful Traffic Filtering (STFFW14E:FFW_RUL_EXT.1) ....................................................................... 105 2.5.2 Stateful Filtering of Dynamic Protocols (STFFW14E:FFW_RUL_EXT.2) ............................................... 127 2.6 Identification and authentication (FIA) .................................................................................................... 128 2.6.1 Authentication Failure Management (NDcPP22e:FIA_AFL.1) ............................................................. 128 2.6.2 Password Management (NDcPP22e:FIA_PMG_EXT.1) ....................................................................... 131 2.6.3 Pre-Shared Key Composition (VPNGW11:FIA_PSK_EXT.1) ................................................................. 133 2.6.4 Protected Authentication Feedback (NDcPP22e:FIA_UAU.7) ............................................................ 135 2.6.5 Password-based Authentication Mechanism (NDcPP22e:FIA_UAU_EXT.2) ....................................... 136 2.6.6 User Identification and Authentication (NDcPP22e:FIA_UIA_EXT.1) ................................................. 137 2.6.7 X.509 Certificate Validation (NDcPP22e:FIA_X509_EXT.1/ITT) ........................................................... 140 2.6.8 X.509 Certificate Validation (NDcPP22e:FIA_X509_EXT.1/Rev) .......................................................... 144 2.6.9 X.509 Certificate Validation (VPNGW11:FIA_X509_EXT.1/Rev) ......................................................... 148 2.6.10 X.509 Certificate Authentication (NDcPP22e:FIA_X509_EXT.2) ..................................................... 149 2.6.11 X.509 Certificate Authentication (VPNGW11:FIA_X509_EXT.2) ..................................................... 151 2.6.12 X.509 Certificate Requests (NDcPP22e:FIA_X509_EXT.3) .............................................................. 152 2.6.13 X.509 Certificate Requests (VPNGW11:FIA_X509_EXT.3) .............................................................. 153 2.7 Security management (FMT) .................................................................................................................... 154 2.7.1 Management of security functions behaviour (NDcPP22e:FMT_MOF.1/ManualUpdate) ................. 154 2.7.2 Management of TSF Data (NDcPP22e:FMT_MTD.1/CoreData) .......................................................... 155 2.7.3 Management of TSF Data (NDcPP22e:FMT_MTD.1/CryptoKeys) ....................................................... 157 GSS CCT Assurance Activity Report Page 4 of 211 ©2021 Gossamer Security Solutions, Inc. Document: AAR-VID11139 All rights reserved. Version 0.3, 06/07/2021 2.7.4 Management of TSF Data (VPNGW11:FMT_MTD.1/CryptoKeys) .....................................................