pp-module for bluetooth - niap-ccevs

PP-ModuleforBluetooth

Version:1.02021-04-15

NationalInformationAssurancePartnership

RevisionHistory

Version Date Comment

1.0 2021-04-15 InitialRelease

Contents

1 Introduction1.1 Overview1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms1.3 CompliantTargetsofEvaluation1.3.1 TOEBoundary1.4 UseCases2 ConformanceClaims3 SecurityProblemDescription3.1 Threats3.2 Assumptions3.3 OrganizationalSecurityPolicies4 SecurityObjectives4.1 SecurityObjectivesfortheTOE4.2 SecurityObjectivesfortheOperationalEnvironment4.3 SecurityObjectivesRationale5 SecurityRequirements5.1 MDFPPSecurityFunctionalRequirementsDirection5.1.1 ModifiedSFRs5.1.1.1 SecurityManagement(FMT)5.1.2 AdditionalSFRs5.1.2.1 SecurityManagement(FMT)

5.2 GPOSPPSecurityFunctionalRequirementsDirection5.2.1 ModifiedSFRs5.2.1.1 SecurityManagement(FMT)5.2.2 AdditionalSFRs5.2.2.1 SecurityManagement(FMT)

5.3 TOESecurityFunctionalRequirements5.3.1 SecurityAudit(FAU)5.3.2 CryptographicSupport(FCS)5.3.3 IdentificationandAuthentication(FIA)5.3.4 TrustedPath/Channels(FTP)5.4 TOESecurityFunctionalRequirementsRationale6 ConsistencyRationale6.1 ProtectionProfileforMobileDeviceFundamentalss6.1.1 ConsistencyofTOEType6.1.2 ConsistencyofSecurityProblemDefinition6.1.3 ConsistencyofObjectives6.1.4 ConsistencyofRequirements6.2 ProtectionProfileforGeneralPurposeOperatingSystemss6.2.1 ConsistencyofTOEType6.2.2 ConsistencyofSecurityProblemDefinition6.2.3 ConsistencyofObjectives6.2.4 ConsistencyofRequirements

AppendixA- OptionalSFRsA.1 StrictlyOptionalRequirementsA.2 ObjectiveRequirementsA.2.1 IdentificationandAuthenticationA.3 Implementation-basedRequirementsAppendixB- Selection-basedRequirementsB.1 TrustedPath/ChannelsAppendixC- ExtendedComponentDefinitionsC.1 ExtendedComponentsTableC.2 ExtendedComponentDefinitionsAppendixD- ImplicitlySatisfiedRequirementsAppendixE- EntropyDocumentationandAssessmentAppendixF- BibliographyAppendixG- Acronyms

1Introduction

1.1OverviewThescopeoftheBluetoothPP-ModuleistodescribethesecurityfunctionalityofBluetoothtechnologyintermsof[CC]andtodefinefunctionalandassurancerequirementsfortheBluetoothcapabilityofmobiledevicesandoperatingsystems.Bluetoothisacommunicationsstandardforshort-rangewirelesstransmissions.Bluetoothisimplementedinmanycommercialdevicesasamethodforwirelesslyconnectingdevicesoraccessories.ThisPP-ModuleisintendedforusewiththefollowingBase-PPs:

GeneralPurposeOperatingSystem(GPOS)ProtectionProfile,Version4.2.1MobileDeviceFundamentals(MDF)ProtectionProfile,Version3.2

TheseBase-PPsarevalidbecauseconsumer-gradedesktopandmobiledevicesmaybothhaveBluetoothhardwareradiosandsobothdesktopandmobileoperatingsystemshavethesoftware/firmwarecapabilitytoallowproductstousethem.

1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.

1.2.1CommonCriteriaTerms

Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].

BaseProtectionProfile(Base-PP)

ProtectionProfileusedasabasistobuildaPP-Configuration.

CommonCriteria(CC)

CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).

CommonCriteriaTestingLaboratory

WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.

CommonEvaluationMethodology(CEM)

CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.

DistributedTOE

ATOEcomposedofmultiplecomponentsoperatingasalogicalwhole.

OperationalEnvironment(OE)

HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.

ProtectionProfile(PP)

Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.

ProtectionProfileConfiguration(PP-Configuration)

AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.

ProtectionProfileModule(PP-Module)

Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.

SecurityAssuranceRequirement(SAR)

ArequirementtoassurethesecurityoftheTOE.

SecurityFunctionalRequirement(SFR)

ArequirementforsecurityenforcementbytheTOE.

Security Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.

Target(ST)

TOESecurityFunctionality(TSF)

Thesecurityfunctionalityoftheproductunderevaluation.

TOESummarySpecification(TSS)

AdescriptionofhowaTOEsatisfiestheSFRsinanST.

TargetofEvaluation(TOE)

Theproductunderevaluation.

1.2.2TechnicalTerms

Authentication VerifyingtheidentityofcommunicatingdevicesbasedontheirBluetoothaddress.Bluetoothdoesnotprovidenativeuserauthentication.

Authorization Allowingthecontrolofresourcesbyensuringthatadeviceisauthorizedtouseaservicebeforepermittingittodoso.

BD_ADDR TheBluetoothdeviceAddress,whichisusedtoidentifyaBluetoothdevice.

BR/EDR Bluetoothbasicrate(BR)andenhanceddatarate(EDR).

BR/EDRController

AtermreferringtotheBluetoothRadio,Baseband,LinkManager,andHCIlayers.

BR/EDRPiconetPhysicalChannel

AChannelthatisdividedintotimeslotsinwhicheachslotisrelatedtoanRFhopfrequency.ConsecutivehopsnormallycorrespondtodifferentRFhopfrequenciesandoccuratastandardhoprateof1600hopspersecond.Theseconsecutivehopsfollowapseudo-randomhoppingsequence,hoppingthrougha79RFchannelset,oroptionallyfewerchannelswhenAdaptiveFrequencyHopping(AFH)isinuse.BR/EDR/LEBluetoothbasicrate(BR),enhanceddatarate(EDR)andlowenergy(LE).

Bluetooth AwirelesscommunicationlinkoperatingintheunlicensedISMbandat2.4GHzusingafrequencyhoppingtransceiver.Itallowsreal-timeAVanddatacommunicationsbetweenBluetoothHosts.Thelinkprotocolisbasedontimeslots.

BluetoothBaseband

ThepartoftheBluetoothsystemthatspecifiesorimplementsthemediumaccessandphysicallayerprocedurestosupporttheexchangeofreal-timevoice,datainformationstreams,andadhocnetworkingbetweenBluetoothdevices.

BluetoothController

AgenerictermreferringtoaPrimaryControllerwithorwithoutaSecondaryController.

BluetoothDevice

Adevicethatiscapableofshort-rangewirelesscommunicationsusingtheBluetoothsystem.

BluetoothDeviceAddress

A48bitaddressusedtoidentifyeachBluetoothdevice.

Connect(toservice)

Theestablishmentofaconnectiontoaservice.Ifnotalreadydone,thisalsoincludesestablishmentofaphysicallink,logicaltransport,logicallinkandL2CAPchannel.

Connectabledevice

ABR/EDRdeviceinrangethatperiodicallylistensonitspagescanphysicalchannelandwillrespondtoapageonthatchannel.AnLEdevicethatisadvertisingusingaconnectableadvertisingevent.

Connecteddevices

TwoBR/EDRdevicesandwithaphysicallinkbetweenthem.ConnectingAphaseinthecommunicationbetweendeviceswhenaconnectionbetweenthedevicesisbeingestablished.Theconnectingphasefollowsafterthelinkestablishmentphaseiscompleted.

Connection AninteractionbetweentwopeerapplicationsorhigherlayerprotocolsmappedontoanL2CAPchannel.

Connectionestablishment

Aprocedureforcreatingaconnectionmappedontoachannel.

Connectionevent

Aseriesofoneormorepairsofinterleavingdatapacketssentbetweenamasterandaslaveonthesamephysicalchannel.

Creationofasecure

Aprocedureofestablishingaconnection,includingauthenticationandencryption.

connection

Creationofatrustedrelationship

Aprocedurewheretheremotedeviceismarkedasatrusteddevice.Thisincludesstoringacommonlinkkeyforfutureauthentication,orpairing,whenalinkkeyisnotavailable.

Devicediscovery

AprocedureforretrievingtheBluetoothdeviceaddress,clock,class-of-devicefieldandusedpagescanmodefromdiscoverabledevices.

DiscoverableMode

ABluetoothdevicethatisperforminginquiryscansinBR/EDRoradvertisingwithadiscoverableorconnectableadvertisingeventwithadiscoverableflagsetinLE.

Discoverabledevice

ABR/EDRdeviceinrangethatperiodicallylistensonaninquiryscanphysicalchannelandwillrespondtoaninquiryonthatchannel.AnLEdeviceinrangethatisadvertisingwithaconnectableorscannableadvertisingeventwithadiscoverableflagsetintheadvertisingdata.Thisdeviceisinthediscoverablemode.

Discoveryprocedure

ABluetoothdevicethatiscarryingouttheinquiryprocedureinBR/EDRorscanningforadvertisersusingadiscoverableorconnectableadvertisingeventwithadiscoverableflagsetinLE.

Host Alogicalentitydefinedasallofthelayersbelowthenon-coreprofilesandabovetheHostControllerinterface(HCI);i.e.BluetoothHostattachedtoaBluetoothControllermaycommunicatewithotherBluetoothHostsattachedtotheirControllersaswell.

L2CAPChannel

AlogicalconnectiononL2CAPlevelbetweentwodevicesservingasingleapplicationorhigherlayerprotocol.

L2CAPChannelestablishment

AprocedureforestablishingalogicalconnectiononL2CAPlevel.

LMPauthentication

AnLMPlevelprocedureforverifyingtheidentityofaremotedevice.

LMPpairing Aprocedurethatauthenticatestwodevicesandcreatesacommonlinkkeythatcanbeusedasabasisforatrustedrelationshipora(single)secureconnection.

Link Shorthandforalogicallink.

Linkestablishment

AprocedureforestablishingthedefaultACLlinkandhierarchyoflinksandchannelsbetweendevices.

Linkkey Asecretthatisknownbytwodevicesandisusedtoauthenticatethelink.

LogicalLinkControlandAdaptationProtocol(L2CAP)

AdatalinkprotocolusedintheBluetoothprotocolstack.

Logicallink ThelowestarchitecturallevelusedtoofferindependentdatatransportservicestoclientsoftheBluetoothsystem.

Namediscovery

Aprocedureforretrievingtheuser-friendlyname(theBluetoothdevicename)ofaconnectabledevice.

OBEXPush AmethodofBluetoothone-wayfiletransferthatisinitiatedbytheentitythatisprovidingthefile.

PIN Auser-friendlyvaluethatcanbeusedtoauthenticateconnectionstoadevicebeforepairinghastakenplace.

Paireddevice ABluetoothdeviceforwhichalinkkeyhasbeencreated(eitherbeforeconnectionestablishmentwasrequestedorduringconnectingphase).

Piconet AcollectionofdevicesoccupyingasharedphysicalchannelwhereoneofthedevicesisthePiconetMasterandtheremainingdevicesareconnectedtoit.

PiconetMaster

TheBR/EDRdeviceinapiconetwhoseBluetoothClockandBluetoothDeviceAddressareusedtodefinethepiconetphysicalchannelcharacteristics.

PiconetSlave AnyBR/EDRdeviceinapiconetthatisnotthePiconetMaster,butisconnectedtothePiconetMaster.

RFCOMM AtransportprotocolusedintheBluetoothprotocolstackthatemulatesRS-232serialportconnections.

TrustedDevice

Adevicethathasafixedrelationshipwithanotherdeviceandhasfullaccesstoallservices.

Unknowndevice

ABluetoothdeviceforwhichnoinformation(BluetoothDeviceAddress,linkkeyorother)isstored.

UntrustedDevice

AdevicethatdoesnothaveanestablishedrelationshipwithanotherBluetoothdevice,whichresultsintheuntrusteddevicereceivingrestrictedaccesstoservices.

1.3CompliantTargetsofEvaluationTheTargetofEvaluation(TOE)inthisPP-ModuleisaproductthatimplementsBluetoothfunctionality.ThisPP-ModuledescribestheextendedsecurityfunctionalityofBluetoothintermsofCC.ThisPP-ModuleextendstheProtectionProfileforGeneralPurposeOperatingSystemsorMobileDeviceFundamentals.AcompliantTOEwillmeetallmandatorySFRsdefinedinthisPP-ModuleinadditiontothemandatorySFRsofitsclaimedBase-PP.ForeachBase-PP,thisPP-ModulerefinesseveraloftheBase-PP'sSFRssothattheycanaccommodatetheBluetoothfunctionalitydefinedbythePP-Module.AcompliantTOEwillclaimallselection-basedSFRsfromthisPP-ModuleanditsBase-PPasneededbasedontherelevantselectionsinotherrequirementsbeingchosen.Notethat[MDF]evaluationactivitiesrequirecertainteststobeperformedagainstallradiospresentonthedevice.WhentheTOEalsoclaimsconformancetoaPP-ConfigurationthatincludesthisPP-Module,thosetestsareexecutedagainsttheBluetoothradioaswell.AlsonotethateachBase-PPdefinesitsownrequirementsforprotectionofdataatrest.WhentheTOEalsoclaimsconformancetoaPP-ConfigurationthatincludesthisPP-Module,anydatathatisusedbytheTOE'sBluetoothimplementationisexpectedtobestoredusingthesameprotectionmechanisms.

1.3.1TOEBoundaryTheBluetoothimplementationisalogicalcomponentexecutingonanenduserpersonalcomputingormobiledevice.Assuch,theTOEmustrelyheavilyontheTOE'soperationalenvironment(hostplatform,networkstack,andoperatingsystem)foritsexecutiondomainanditsproperusage.TheTOEwillrelyontheITenvironmenttoaddressmuchofthesecurityfunctionalityrelatedtoadministrativefunctions.ThephysicalboundaryoftheTOEincludesthephysicaldeviceonwhichitisinstalled,asthisdevicewillcontainaninternalorexternalBluetoothradiothatisusedasthephysicalmediumfortransmittingandreceivingdataovertheBluetoothlogicalchannel.

1.4UseCasesRequirementsinthisPP-Modulearedesignedtoaddressthesecurityproblemsinatleastthefollowingusecases.Theseusecasesareintentionallyverybroad,asmanyspecificusecasesexistwithintheselargercategories.

[USECASE1]General-PurposeOperatingSystemThisusecaseisforaBluetoothTOEthatispartofageneral-purposeoperatingsystem.Specifically,theBluetoothTOEisexpectedtobepartoftheoperatingsystemitselfandnotastandalonethird-partyapplicationthatisinstalledontopofit.

[USECASE2]MobileDeviceThisusecaseisforaBluetoothTOEthatispartofamobileoperatingsystemthatrunsonamobiledevice.Specifically,theBluetoothTOEisexpectedtobepartofthemobileoperatingsystemitselfandnotastandalonethird-partyapplicationthatisacquiredfromthemobilevendor'sapplicationstore.

2ConformanceClaimsConformanceStatement

ThisPP-ModuleinheritsexactconformanceasrequiredfromthespecifiedBase-PPandasdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).ThefollowingPPsandPP-ModulesareallowedtobespecifiedinaPP-ConfigurationwiththisPP-Module.

PP-ModuleforVPNClient,Version2.2PP-ModuleforMDMAgent,Version1.0

CCConformanceClaimsThisPP-ModuleisconformanttoParts2(extended)and3(extended)ofCommonCriteriaVersion3.1,Release5[CC].

PackageClaimsTherearenopackageclaimsforthisPP-Module.

3SecurityProblemDescriptionAllthreats,assumptions,organizationalsecuritypolicies,and/orobjectivesthatapplytothisPP-ModuleareinheritedfromtheBase-PPtowhichtheTOEalsoconforms.ThisPP-ModuledoesnotaddorremoveanyelementstothesecurityproblemdefinitiongivenintheBase-PP.TheSFRsdefinedinthisPP-ModuleprovideadditionalmechanismsformitigatingthethreatsalreadydefinedintheBase-PPsduetothefactthatincludingaBluetoothimplementationintroducesanewexternalinterfacetotheunderlyinggeneral-purposeOSormobiledeviceplatform.

3.1ThreatsThisPP-ModuledefinesnoadditionalthreatsbeyondthosedefinedinthebasePPs.NotehoweverthattheSFRsdefinedinthisPP-ModulewillassistinthemitigationofthefollowingthreatsdefinedinthebasePPs:

T.NETWORK_EAVESDROPSeeMDFPP,Section3.1andGPOSPP,Section3.1.

T.NETWORK_ATTACKSeeMDFPP,Section3.1andGPOSPP,Section3.1.

3.2AssumptionsThisdocumentdoesnotdefineanyadditionalassumptions.

3.3OrganizationalSecurityPoliciesAnorganizationdeployingtheTOEisexpectedtosatisfytheorganizationalsecuritypolicylistedbelowinadditiontoallorganizationalsecuritypoliciesdefinedbytheclaimedbasePP.ThisdocumentdoesnotdefineanyadditionalOSPs.

4SecurityObjectives

4.1SecurityObjectivesfortheTOEThisPP-ModuledefinesnoadditionalTOEsecurityobjectivesbeyondthosedefinedinthebasePPs.NotehoweverthattheSFRsdefinedinthisPP-ModulewillassistintheachievementofthefollowingobjectivesdefinedinthebasePP:

O.PROTECTED_COMMSSeeMDFPP,Section4.1andGPOSPP,Section4.1.

4.2SecurityObjectivesfortheOperationalEnvironmentThisPP-ModuledoesnotdefineanyobjectivesfortheOperationalEnvironment.NoenvironmentalsecurityobjectiveshavebeenidentifiedthatarespecifictoBluetoothtechnology.However,anyenvironmentalsecurityobjectivesdefinedintheBase-PPswillalsoapplytotheportionoftheTOEthatimplementsBluetooth.

4.3SecurityObjectivesRationaleThissectiondescribeshowtheassumptions,threats,andorganizationsecuritypoliciesmaptothesecurityobjectives.

Table1:SecurityObjectivesRationaleThreat,Assumption,orOSP

SecurityObjectives Rationale

T.NETWORK_EAVESDROP O.PROTECTED_COMMS ThethreatT.NETWORK_EAVESDROPiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingBluetoothasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.

T.NETWORK_ATTACK O.PROTECTED_COMMS ThethreatT.NETWORK_ATTACKiscounteredbyO.PROTECTED_COMMSasthisprovidesthecapabilitytocommunicateusingBluetoothasameanstomaintaintheconfidentialityofdatathataretransmittedoutsideoftheTOE.

5SecurityRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2andassurancecomponentsfromPart3of[CC].Thefollowingconventionsareusedforthecompletionofoperations:

Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."

5.1MDFPPSecurityFunctionalRequirementsDirectionInaPP-ConfigurationthatincludesMDFPP,theTOEisexpectedtorelyonsomeofthesecurityfunctionsimplementedbytheMobileDeviceasawholeandevaluatedagainsttheMDFPP.ThefollowingsectionsdescribeanymodificationsthattheSTauthormustmaketotheSFRsdefinedintheMDFPPinadditiontowhatismandatedbySection5.3TOESecurityFunctionalRequirements.

5.1.1ModifiedSFRsTheSFRslistedinthissectionaredefinedintheMDFPPandrelevanttothesecureoperationoftheTOE.

5.1.1.1SecurityManagement(FMT)

FMT_SMF_EXT.1SpecificationofManagementFunctionsFMT_SMF_EXT.1.1

ThisPP-ModuledoesnotmodifythisSFRasitisdefinedintheMDFPP.However,notethatthisPP-Modulerequiresthelistofradiosspecifiedintheassignmentformanagementfunction4("enable/disable[assignment:listofallradios]")toincludeBluetoothradios.BluetoothBR/EDRandBluetoothLEwillbelistedseparatelyiftheTSFprovidestheabilitytoenable/disablethemseparately(i.e.,ifmanagementfunctionBT-3belowisclaimed).Otherwise,bothinterfaceswillbetreatedasoneradioforthatassignment.

5.1.2AdditionalSFRsThissectiondefinesadditionalSFRsthatmustbeaddedtotheTOEboundaryinordertoimplementthefunctionalityinanyPP-ConfigurationwheretheMDFPPisclaimedastheBase-PP.


FMT_SMF_EXT.1/BTSpecificationofManagementFunctionsFMT_SMF_EXT.1.1/BT

TheTSFshallbecapableofperformingthefollowingBluetoothmanagementfunctions:

Function Impl. UserOnly Admin Admin

Only

BT-1.ConfiguretheBluetoothtrustedchannel.

Disable/enabletheDiscoverable(forBR/EDR)andAdvertising(forLE)modes;

M O O O

BT-2.ChangetheBluetoothdevicename(separatelyforBR/EDRandLE);

O O O O

BT-3.ProvideseparatecontrolsforturningtheBR/EDRandLEradiosonandoff;

O O O O

BT-4.Allow/disallowthefollowingadditional O O O O

wirelesstechnologiestobeusedwithBluetooth:[selection:Wi-Fi,NFC,[assignment:otherwirelesstechnologies]];

BT-5.ConfigureallowablemethodsofOutofBandpairing(forBR/EDRandLE);

O O O O

BT-6.Disable/enabletheDiscoverable(forBR/EDR)andAdvertising(forLE)modesseparately;

O O O O

BT-7.Disable/enabletheConnectablemode(forBR/EDRandLE);

O O O O

BT-8.Disable/enabletheBluetooth[assignment:listofBluetoothserviceand/orprofilesavailableontheOS(forBR/EDRandLE)];

O O O O

BT-9.Specifyminimumlevelofsecurityforeachpairing(forBR/EDRandLE);

O O O O

ApplicationNote:Asisthecasewiththe[MDFPP],thefirstcolumnliststhemanagementfunction,thesecondcolumnlistswhetheritismandatorytoimplementthefunctionandtheremainingcolumnsindicatewhetheritismandatory,optional,orprohibitedtoimplementthefunctionbyroleasfollows:

Thethirdcolumnindicatesfunctionsthataretoberestrictedtotheuser(i.e.notavailabletotheadministrator).Thefourthcolumnindicatesfunctionsthatareavailabletotheadministrator.Thesefunctionscanstillbeavailabletotheuser,aslongasthefunctionisnotrestrictedtotheadministrator(column5).Thefifthcolumnindicateswhetherthefunctionistoberestrictedtotheadministratorwhenthedeviceisenrolledandtheadministratorappliestheindicatedpolicy(i.e.,MDMadministration).Thisdoesnotpreventtheuserfrommodifyingasettingtomakethefunctionstricter,buttheusercannotundotheconfigurationenforcedbytheadministrator.

Forcolumns2-5,an'M'indicatesthatitismandatory,an'O'indicatesthatitisoptional,anda'-'indicatesthatitisprohibited.

(BT-1.)ManagementoftheDiscoverableandAdvertisingmodeandmanagementoftheBluetoothdevicenamearemandatory.AllothermanagementfunctionsforBluetootharecurrentlyobjective.

(BT-2.optional)RequiresmanagementoftheBluetoothdevicenameseparatelyforBR/EDRandLEradios.

(BT-4.optional)MayincludedisablingWi-FibeingusedasapartofBluetoothHighSpeedand/ordisablingNFCasanOutofBandpairingmethodforBluetooth.Mayalsoincludeotherwirelesstechnologiesbeyondthosealreadyspecified.

(BT-8.optional)TheBluetoothservicesand/orprofilesthatmaybedisabledshouldbelistedfortheuseroradministratoreitherbyserviceand/orprofilenameorbythetypesofapplicationsforwhichtheserviceand/orprofileisused.

(BT-9.optional)TheminimumlevelofsecuritypermittedmaybeconfigurableforeachindividualpairingorforallBluetoothpairings.

IftheTSFsupportsanyoftheBR/EDRsecuritymodesinthefollowinglist;itshouldprovideamechanismfortheusertochoosetheminimumlevelofsecuritytoenforceforaparticulardeviceduringthepairingprocess:SecurityMode1(anylevel);SecurityMode2;(anylevel);SecurityMode3;(anylevel);SecurityMode4;Levels0;1;2(asidefromtheservicespermittedtouseMode4;Level0inBluetoothCoreSpecificationversion4.2;Vol.3;PartC;p.325).IftheTSFsupportsanyoftheLEsecuritymodesinthefollowinglist;itshouldprovideamechanismfortheusertochoosetheminimumlevelofsecuritytoenforceforaparticulardeviceduringthepairingprocess:SecurityMode1:Levels1,2;SecurityMode2,(anylevel).Examplesoflevelsofsecurityaretheuseoflegacypairing;theuseofdifferenttypesofSecureSimplePairing;arequirementforMan-in-the-Middleprotection;theenforcementofSecureConnectionsOnlymode;etc.

5.2GPOSPPSecurityFunctionalRequirementsDirection

InaPP-ConfigurationthatincludesGPOSPP,theTOEisexpectedtorelyonsomeofthesecurityfunctionsimplementedbytheOperatingSystemasawholeandevaluatedagainsttheGPOSPP.ThefollowingsectionsdescribeanymodificationsthattheSTauthormustmaketotheSFRsdefinedintheGPOSPPinadditiontowhatismandatedbySection5.3TOESecurityFunctionalRequirements.

5.2.1ModifiedSFRsTheSFRslistedinthissectionaredefinedintheGPOSPPandrelevanttothesecureoperationoftheTOE.


FMT_MOF_EXT.1ManagementofSecurityFunctionsBehaviorFMT_MOF_EXT.1.1

ThereisnochangetothetextofthisSFR.TheSFRreferencesFMT_SMF_EXT.1andstatesthattheOSshallpermittheadministratorroletoperformtherelevantfunctionslistedinFMT_SMF_EXT.1.Thefunction"Enable/DisabletheBluetoothinterface"islistedasanoptionalmanagementfunctioninFMT_SMF_EXT.1forbothusersandadministrators.WhenthisPP-Moduleisclaimed,theadministratororuserrolemustbeabletoenable/disabletheBluetoothinterface.Inotherwords,thefunctionitselfismovedfromoptionaltomandatory,butthisPP-Moduledoesnotrequirethatitbeimplementedbyaspecificrole.IftheSTindicatesthattheadministratorrolecanperformthisfunction,thentherestrictionsimposedbyFMT_MOF_EXT.1willapplytoit.

FMT_SMF_EXT.1SpecificationofManagementFunctionsFMT_SMF_EXT.1.1

ThisPP-ModuledoesnotmodifythisSFRasitisdefinedintheGPOSPP.However,notethatthisPP-Modulerequiresthefunction"Enable/disableBluetoothinterface"tobeimplemented,thoughthisPP-ModuledoesnotmandatewhetheritbeassignedtotheAdministratororUserrole.

5.2.2AdditionalSFRsThissectiondefinesadditionalSFRsthatmustbeaddedtotheTOEboundaryinordertoimplementthefunctionalityinanyPP-ConfigurationwheretheGPOSPPisclaimedastheBase-PP.


FMT_MOF_EXT.1/BTManagementofSecurityFunctionsBehaviorFMT_MOF_EXT.1.1/BT

TheOSshallrestricttheabilitytoperformthefunctionindicatedinthe"Administrator"columninFMT_SMF_EXT.1.1/BTtotheadministrator.

ApplicationNote:ThemanagementfunctionsinFMT_SMF_EXT.1/BTrequirethefunctionBT-1tobesupportedbytheTOEandmanageablebyanAdministratoratminimum.Allothermanagementfunctions,andwhatrolesmayperformthem,areoptional.TheSTmustmakeitclearwhichofthesefunctionsareprovidedbytheTOEandwhichrolesareabletomanagethem.

FMT_SMF_EXT.1/BTSpecificationofManagementFunctionsFMT_SMF_EXT.1.1/BT

TheOSshallbecapableofperformingthefollowingBluetoothmanagementfunctions:

Function Administrator User

BT-1.ConfiguretheBluetoothtrustedchannel.Disable/enabletheDiscoverable(forBR/EDR)andAdvertising(forLE)modes;

X O

BT-2.ChangetheBluetoothdevicename(separatelyforBR/EDRandLE);

O O

BT-3.ProvideseparatecontrolsforturningtheBR/EDRandLEradiosonandoff;

O O

BT-4.Allow/disallowthefollowingadditionalwirelesstechnologiestobeusedwithBluetooth:[selection:Wi-Fi,NFC,[assignment:otherwireless

O O

technologies]];

BT-5.ConfigureallowablemethodsofOutofBandpairing(forBR/EDRandLE);

O O

BT-6.Disable/enabletheDiscoverable(forBR/EDR)andAdvertising(forLE)modesseparately;

O O

BT-7.Disable/enabletheConnectablemode(forBR/EDRandLE);

O O

BT-8.Disable/enabletheBluetooth[assignment:listofBluetoothserviceand/orprofilesavailableontheOS(forBR/EDRandLE)];

O O

BT-9.Specifyminimumlevelofsecurityforeachpairing(forBR/EDRandLE);

O O

ApplicationNote:TheSTshouldindicatewhichoftheoptionalmanagementfunctionsareimplementedintheTOE.Thiscanbedonebyadjustingthe"Administrator"and"User"columnsto"X"accordingtowhichcapabilitiesarepresentornotpresent,andforwhichprivilegelevel.

(BT-1.)ManagementoftheDiscoverableandAdvertisingmodeandmanagementoftheBluetoothdevicenamearemandatory.AllothermanagementfunctionsforBluetootharecurrentlyobjective.

(BT-2.optional)RequiresmanagementoftheBluetoothdevicenameseparatelyforBR/EDRandLEradios.

(BT-4.optional)MayincludedisablingWi-FibeingusedasapartofBluetoothHighSpeedand/ordisablingNFCasanOutofBandpairingmethodforBluetooth.Mayalsoincludeotherwirelesstechnologiesbeyondthosealreadyspecified.

(BT-8.optional)TheBluetoothservicesand/orprofilesthatmaybedisabledshouldbelistedfortheuseroradministratoreitherbyserviceand/orprofilenameorbythetypesofapplicationsforwhichtheserviceand/orprofileisused.

(BT-9.optional)TheminimumlevelofsecuritypermittedmaybeconfigurableforeachindividualpairingorforallBluetoothpairings.

IftheTSFsupportsanyoftheBR/EDRsecuritymodesinthefollowinglist;itshouldprovideamechanismfortheusertochoosetheminimumlevelofsecuritytoenforceforaparticulardeviceduringthepairingprocess:SecurityMode1(anylevel);SecurityMode2;(anylevel);SecurityMode3;(anylevel);SecurityMode4;Levels0;1;2(asidefromtheservicespermittedtouseMode4;Level0inBluetoothCoreSpecificationversion4.2;Vol.3;PartC;p.325).IftheTSFsupportsanyoftheLEsecuritymodesinthefollowinglist;itshouldprovideamechanismfortheusertochoosetheminimumlevelofsecuritytoenforceforaparticulardeviceduringthepairingprocess:SecurityMode1:Levels1,2;SecurityMode2,(anylevel).Examplesoflevelsofsecurityaretheuseoflegacypairing;theuseofdifferenttypesofSecureSimplePairing;arequirementforMan-in-the-Middleprotection;theenforcementofSecureConnectionsOnlymode;etc.

5.3TOESecurityFunctionalRequirementsThefollowingsectiondescribestheSFRsthatmustbesatisfiedbyanyTOEthatclaimsconformancetothisPP-Module.TheseSFRsmustbeclaimedregardlessofwhichPP-ConfigurationisusedtodefinetheTOE.

5.3.1SecurityAudit(FAU)

FAU_GEN.1/BTAuditDataGeneration(Bluetooth)FAU_GEN.1.1/BT

TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:

a. Start-upandshutdownoftheauditfunctionsb. Allauditableeventsforthe[notselected]levelofauditc. [SpecificallydefinedauditableeventsintheAuditableEventstable].

Table2AuditableEvents

Requirement AuditableEvents AdditionalAuditRecordContents

FCS_CKM_EXT.8 None.

FIA_BLT_EXT.1 FaileduserauthorizationofBluetoothdevice.

Userauthorizationdecision(e.g.,userrejectedconnection,incorrectpinentry).

FaileduserauthorizationforlocalBluetoothService.

Bluetoothaddressandnameofdevice.Bluetoothprofile.Identityoflocalservicewith[selection:serviceID,profilename].

FIA_BLT_EXT.2 InitiationofBluetoothconnection.

Bluetoothaddressandnameofdevice.

FailureofBluetoothconnection.

Reasonforfailure.

FIA_BLT_EXT.3(optional)

Duplicateconnectionattempt.

BD_ADDRofconnectionattempt.

FIA_BLT_EXT.4 None.

FIA_BLT_EXT.5(ifclaimed)

None.

FIA_BLT_EXT.6 None.

FIA_BLT_EXT.7 None.

FTP_BLT_EXT.1 None.

FTP_BLT_EXT.2 None.

FTP_BLT_EXT.3/BR None.

FTP_BLT_EXT.3/LE(ifclaimed)

None.

FAU_GEN.1.2/BTTheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:

a. Dateandtimeoftheeventb. Typeofeventc. Subjectidentityd. Theoutcome(successorfailure)oftheevente. [AdditionalinformationintheAuditableEventstable].

ApplicationNote:ItisnotfeasiblefortheFIA_BLT_EXT.3eventtobeauditediftherejectionisperformedattheHCIlayerbecausetheBluetoothstandarddoesnotprovideanotificationinterfaceforthisbehaviorintheHCI.Thisiswhytheeventislabeledasoptional.However,iftherejectionisperformedabovetheHCIlayer,itisexpectedthataconformantTOEshouldimplementthisfunctionality.

5.3.2CryptographicSupport(FCS)

FCS_CKM_EXT.8BluetoothKeyGenerationFCS_CKM_EXT.8.1

TheTSFshallgeneratepublic/privateECDHkeypairsevery[assignment:frequencyofand/orcriteriafornewkeypairgeneration].

ApplicationNote:TherearemultipleacceptablewaysofkeepingECDHkeypairsadequatelyfresh,includingatime-basedapproachsuchthatthesamekeypairswillnotbeusedformorethan,forinstance,24hours.Alternatively,thecriteriamightbelinkedtothenumberofpassedorfailedauthenticationattempts.Asastartingpointtodeterminereasonableauthenticationattempt-basedreplacementcriteria,notethattheBluetoothspecification(v4.1,Vol.2,5.1)suggestsmitigatingrepeatedauthenticationattemptsbychanginga

device'sprivatekeyafterthreefailedauthenticationattemptsfromanyBD_ADDR,aftertensuccessfulpairingsfromanyBD_ADDR,orafteracombinationofthesesuchthatanythreesuccessfulpairingscountasonefailedpairing.

ThisrequirementalsoappliestoBluetoothLEiftheTOEsupportsLESecureConnections,whichwasintroducedinversion4.2ofthespecification.

5.3.3IdentificationandAuthentication(FIA)

FIA_BLT_EXT.1BluetoothUserAuthorizationFIA_BLT_EXT.1.1

TheTSFshallrequireexplicituserauthorizationbeforepairingwitharemoteBluetoothdevice.

ApplicationNote:Userauthorizationincludesexplicitactionslikeaffirmingtheremotedevice'sname,expressinganintenttoconnecttotheremotedevice,andenteringrelevantpairinginformation(e.g.PINs;numericcodes;or"yes/no"responses).Theusermusthavetoexplicitlypermitallpairingattempts;evenwhenbondingisnottakingplace.Becauseexplicituseractionmustberequiredtopermitpairing;itmustnotbepossibleforapplicationstoprogrammaticallyenterpairinginformation(e.g.PINs;numericcodes;or"yes/no"responses)duringthepairingprocess.TheabsenceofpublicAPIsforprogrammaticauthorizationisnotsufficienttomeetthisrequirement;hiddenorprivateAPIsmustbeabsentaswell.

FIA_BLT_EXT.2BluetoothMutualAuthenticationFIA_BLT_EXT.2.1

TheTSFshallrequireBluetoothmutualauthenticationbetweendevicespriortoanydatatransferovertheBluetoothlink.

ApplicationNote:Ifdevicesarenotalreadypaired,thepairingprocessmustbeinitiated.Ifthedevicesarealreadypaired,mutualauthenticationbasedonthecurrentlinkkeymustsucceedbeforeanydatapassesoverthelink.

FIA_BLT_EXT.3RejectionofDuplicateBluetoothConnectionsFIA_BLT_EXT.3.1

TheTSFshalldiscardpairingandsessioninitializationattemptsfromaBluetoothdeviceaddress(BD_ADDR)towhichanactivesessionalreadyexists.

ApplicationNote:SessionisdefinedasthetimeintervalforwhichtheTSFisactivelyconnectedtoanotherdevice.Thus,thesessionterminateswhenthedevicedisconnectsfromtheTSF.IftheTOEhasanactivesessiontoaremoteBluetoothdevice,newsessioninitializationand/orpairingattemptsfromdevicesclaimingthesameBluetoothdeviceaddressmaybemaliciousandshouldberejected/ignored.OnlyonesessiontoasingleremoteBD_ADDRmaybesupportedatatime.

FIA_BLT_EXT.4SecureSimplePairingFIA_BLT_EXT.4.1

TheTOEshallsupportBluetoothSecureSimplePairing,bothinthehostandthecontroller.

FIA_BLT_EXT.4.2TheTOEshallsupportSecureSimplePairingduringthepairingprocess.

ApplicationNote:TheBluetoothhostandcontrollereachsupportaparticularversionoftheBluetoothCoreSpecificationandaparticularsetoffeatures.SupportforvariousfeaturesisindicatedbyeachsideduringtheLinkManagerProtocol(LMP)FeaturesExchange.RefertotheBluetoothspecification[Bluetooth]forfeaturedefinitions,includingthedefinitionsofSecureSimplePairing(ControllerSupport)andSecureSimplePairing(HostSupport).

FIA_BLT_EXT.6TrustedBluetoothDeviceUserAuthorizationFIA_BLT_EXT.6.1

TheTSFshallrequireexplicituserauthorizationbeforegrantingtrustedremotedevicesaccesstoservicesassociatedwiththefollowingBluetoothprofiles:[assignment:listofBluetoothprofiles].

ApplicationNote:Inadditiontopairing,itmaybeappropriatetorequireexplicituseractiontoauthorizeaparticularremotedevicetoaccesscertainBluetoothservices.TheTSFmaychoosetorequirethisadditionalactionforall

devicesoronlyforthosedevicesthatdonothavearequiredleveloftrust.

Itisstronglypreferredthatforeachdevice,theTSFmaintainsalistofdevicestrustedtouseforthatparticularservice.However,theTSFmightdesignatecertaindevicesashavingatrusteddevicerelationshipwiththeTOEandgrantingthem"blanket"accesstoallservices.

Furthermore,itmaybethecasethattheTSFallowsmovementofdevicesfromtheuntrustedtothetrustedcategoryforaparticularserviceaftertheuserprovidesexplicitauthorizationforthedevicetousetheservice.Forexample,itmaybeappropriatetorequirethattheuserprovideexplicit,manualauthorizationbeforearemotedevicemayusetheOBEXserviceforanobjecttransferthefirsttime.Theusermightbegiventheoptiontopermitfutureconnectionstothatservicebytheparticulardevicewithoutrequiringexplicitauthorizationeachtime.

FIA_BLT_EXT.7UntrustedBluetoothDeviceUserAuthorizationFIA_BLT_EXT.7.1

TheTSFshallrequireexplicituserauthorizationbeforegrantinguntrustedremotedevicesaccesstoservicesassociatedwiththefollowingBluetoothprofiles:[assignment:listofBluetoothprofiles].

ApplicationNote:FIA_BLT_EXT.7differsfromFIA_BLT_EXT.6becauseaconformantTOEmaydistinguishbetween"trusted"and"untrusted"devicessuchthattheTSFgrants"untrusted"devicesaccesstofewerservicesfollowingpairing.However,thisbehaviorisnotrequired;iftheTSFdoesnottreat"trusted"and"untrusted"devicesanydifferently,theSTauthormaycompletetheassignmentsinFIA_BLT_EXT.6.1andFIA_BLT_EXT.7.1withlistsofBluetoothprofiles.

5.3.4TrustedPath/Channels(FTP)

FTP_BLT_EXT.1BluetoothEncryptionFTP_BLT_EXT.1.1

TheTSFshallenforcetheuseofencryptionwhentransmittingdataovertheBluetoothtrustedchannelforBR/EDRand[selection:LE,nootherconnections].

ApplicationNote:LEisselectablebecausenotallconformantTOEsincludesupportforLE.IfLEissupported,itisexpectedthattheTSFbeabletoprovideencryptionforthisinterface.SelectionofLEinFTP_BLT_EXT.1.1requirestheinclusionoftheselection-basedSFRFTP_BLT_EXT.3/LE.

FTP_BLT_EXT.1.2TheTSFshallusekeypairsperFCS_CKM_EXT.8forBluetoothencryption.

FTP_BLT_EXT.2PersistenceofBluetoothEncryptionFTP_BLT_EXT.2.1

TheTSFshall[selection:restartencryption,terminatetheconnection]iftheremotedevicestopsencryptionwhileconnectedtotheTOE.

ApplicationNote:Permittingdevicestoterminateand/orrestartencryptioninthemiddleofaconnectionweakensuserdataprotection.Notethatanencryptionpauserequest,whichincludesarequesttostopencryption,stopsencryptiononlytemporarily.Thisrequirementisnotintendedtoaddresstheencryptionpausefeature.

FTP_BLT_EXT.3/BRBluetoothEncryptionParameters(BR/EDR)FTP_BLT_EXT.3.1/BR

TheTSFshallsettheminimumencryptionkeysizeto[assignment:keysizelargerthanorequalto128bits]for[BR/EDR]andnotnegotiateencryptionkeysizessmallerthantheminimumsize.

ApplicationNote:EncryptionismandatoryforBR/EDRconnectionswhenbothdevicessupportSecureSimplePairing.MinimumencryptionrequirementswillbesetandverifiedforeachBluetoothprofile/application.

5.4TOESecurityFunctionalRequirementsRationaleThefollowingrationaleprovidesjustificationforeachsecurityobjectivefortheTOE,showingthattheSFRsaresuitabletomeetandachievethesecurityobjectives:

Table3:SFRRationale

OBJECTIVE ADDRESSEDBY RATIONALE

O.PROTECTED_COMMS FIA_BLT_EXT.1 FIA_BLT_EXT.1supportstheobjectivebyensuringthatBluetoothcommunicationsarenotinitiatedwithoutuserapproval.

FIA_BLT_EXT.2 FIA_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtoimplementBluetoothmutualauthenticaiton.

FIA_BLT_EXT.3 FIA_BLT_EXT.3supportstheobjectivebypreventingBluetoothspoofingbyrejectingconnectionswithduplicatedeviceaddresses.

FIA_BLT_EXT.4 FIA_BLT_EXT.4supportstheobjectivebydefiningtheTSF'simplementationofBluetoothSecureSimplePairing.

FIA_BLT_EXT.5 FIA_BLT_EXT.5supportstheobjectivebyrequiringtheTSFtosupportSecureConnectionsOnlymodeforthesupportedBluetoothcommunicationchannels.

FIA_BLT_EXT.6 FIA_BLT_EXT.6supportstheobjectivebyrequiringtheTSFtospecifytheBluetoothprofilesthatitrequiresexplicituserauthorizationtograntaccesstofortrusteddevices.

FTP_BLT_EXT.1 FTP_BLT_EXT.1supportstheobjectivebyrequiringtheTSFtoimplementencryptiontoprotectBluetoothcommunications

FTP_BLT_EXT.2 FTP_BLT_EXT.2supportstheobjectivebyrequiringtheTSFtopreventdatatransmissionoverBluetoothifthepaireddeviceisnotusingencryption.

6ConsistencyRationale

6.1ProtectionProfileforMobileDeviceFundamentalss

6.1.1ConsistencyofTOETypeIfthisPP-ModuleisusedtoextendtheMDFPP,theTOEtypefortheoverallTOEisstillamobiledevice.However,oneofthefunctionsofthedevicemustbetheabilityforittohaveBluetoothcapability.TheTOEboundaryissimplyextendedtoincludethatfunctionality.

6.1.2ConsistencyofSecurityProblemDefinitionThethreatsthatapplytothisPP-ModuleareinheritedfromtheBase-PPtowhichtheTOEalsoconforms.ThisPP-ModuledoesnotaddorremoveanyelementstothesecurityproblemdefinitiongivenintheMDFPP.

PP-ModuleThreat,Assumption,OSP ConsistencyRationale

T.NETWORK_EAVESDROP ThisthreatcomesdirectlyfrombothbasePPs.

T.NETWORK_ATTACK ThisthreatcomesdirectlyfrombothbasePPs.

6.1.3ConsistencyofObjectivesTheobjectivesthatapplytothisPP-ModuleareinheritedfromtheBase-PPtowhichtheTOEalsoconforms.ThisPP-ModuledoesnotaddorremoveanyelementstotheobjectivesgivenintheMDFPP.TheobjectivesfortheTOEsareconsistentwiththeMDFPPbasedonthefollowingrationale:

PP-ModuleTOEObjective ConsistencyRationale

O.PROTECTED_COMMS ThisobjectivecomesdirectlyfromthePP.

6.1.4ConsistencyofRequirementsThisPP-ModuleidentifiesseveralSFRsfromtheMDFPPthatareneededtosupportBluetoothfunctionality.ThisisconsideredtobeconsistentbecausethefunctionalityprovidedbytheMDFPPisbeingusedforitsintendedpurpose.ThePP-ModulealsoidentifiesanumberofmodifiedSFRsfromtheMDFPPaswellasnewSFRsthatareusedentirelytoprovidefunctionalityforBluetooth.TherationaleforwhythisdoesnotconflictwiththeclaimsdefinedbytheMDFPPareasfollows:

PP-ModuleRequirement ConsistencyRationale

ModifiedSFRs

FMT_SMF_EXT.1 ThisSFRisunchangedfromitsdefinitionintheBase-PP;theonlychangerequiredbythisPP-ModuleishowtointerpretitinthecontextofBluetoothcapabilities.

AdditionalSFRs

FMT_SMF_EXT.1/BT TheSTauthorisinstructedtocompleteanassignmentintheSFRwithinformationrelatedtoBluetooth,andtoincludeadditionalmanagementfunctionsinthisSFRbasedontheBluetoothcapabilitydefinedbythePP-Module.

MandatorySFRs

FAU_GEN.1/BT ThePP-ModuledefinesauditableeventsforBluetooththatextendstheauditfunctionalitydefinedineachBase-PP.

FCS_CKM_EXT.8 ThisSFRappliestothefrequencyofkeygenerationactivity.ThisdoesnotconflictwiththeBase-PPbecauseitinvolvesakeygenerationmechanismdefinedintheBase-PPandrelatesexclusivelytoBluetoothfunctionalitysoitdoesnotaffectanyotherkeygenerationactivitiesrequiredbytheBase-PP.

FIA_BLT_EXT.1 ThisSFRappliestotheestablishmentofBluetoothconnectivity,whichisbehaviornotdescribedinorpreventedbytheBase-PP.






FTP_BLT_EXT.1 ThisSFRappliestoencryptionofBluetoothcommunications.ThisisatrustedchannelthatisnotdiscussedintheBase-PP,butitreliesonthesamecryptographicalgorithmsspecifiedintheBase-PPtofunction.


FTP_BLT_EXT.3/BR ThisSFRappliestoencryptionofBluetoothcommunications.ThisisatrustedchannelthatisnotdiscussedintheBase-PP,butitreliesonthesamecryptographicalgorithmsspecifiedintheBase-PPtofunction.

OptionalSFRs

ThisPP-ModuledoesnotdefineanyOptionalrequirements.

Selection-basedSFRs

FTP_BLT_EXT.3/LE ThisSFRappliestoencryptionofBluetoothcommunications.ThisisatrustedchannelthatisnotdiscussedintheBase-PP,butitreliesonthesamecryptographicalgorithmsspecifiedintheBase-PPtofunction.

ObjectiveSFRs


Implementation-DependentSFRs

ThisPP-ModuledoesnotdefineanyImplementation-Dependentrequirements.

6.2ProtectionProfileforGeneralPurposeOperatingSystemss

6.2.1ConsistencyofTOETypeIfthisPP-Moduleisusedtoextendthe[GPOSPP],theTOEtypefortheoverallTOEisstillagenericoperatingsystem.However,oneofthefunctionsofthegenericoperatingsystemmustbetheabilityforittohaveBluetoothcapability.TheTOEboundaryissimplyextendedtoincludethatfunctionality.

6.2.2ConsistencyofSecurityProblemDefinitionThethreatsthatapplytothisPP-ModuleareinheritedfromtheBase-PPtowhichtheTOEalsoconforms.ThisPP-ModuledoesnotaddorremoveanyelementstothesecurityproblemdefinitiongivenintheGPOSPP.

PP-ModuleThreat,Assumption,OSP ConsistencyRationale

T.NETWORK_EAVESDROP ThisthreatcomesdirectlyfrombothbasePPs.

T.NETWORK_ATTACK ThisthreatcomesdirectlyfrombothbasePPs.

6.2.3ConsistencyofObjectivesTheobjectivesthatapplytothisPP-ModuleareinheritedfromtheBase-PPtowhichtheTOEalsoconforms.ThisPP-ModuledoesnotaddorremoveanyelementstotheobjectivesgivenintheGPOSPP.TheobjectivesfortheTOEsareconsistentwiththeGPOSPPbasedonthefollowingrationale:

PP-ModuleTOEObjective ConsistencyRationale

O.PROTECTED_COMMS ThisobjectivecomesdirectlyfromthePP.

6.2.4ConsistencyofRequirementsThisPP-ModuleidentifiesseveralSFRsfromtheGPOSPPthatareneededtosupportBluetoothfunctionality.ThisisconsideredtobeconsistentbecausethefunctionalityprovidedbytheGPOSPPisbeingusedforitsintendedpurpose.ThePP-ModulealsoidentifiesanumberofmodifiedSFRsfromtheGPOSPPaswellasnewSFRsthatareusedentirelytoprovidefunctionalityforBluetooth.TherationaleforwhythisdoesnotconflictwiththeclaimsdefinedbytheGPOSPPareasfollows:

PP-Module

Requirement ConsistencyRationale

ModifiedSFRs

FMT_MOF_EXT.1 ThisSFRisunchangedfromitsdefinitionintheBase-PP;theonlychangerequiredbythisPP-ModuleishowtointerpretitinthecontextofBluetoothcapabilities.

FMT_SMF_EXT.1 ThisSFRisunchangedfromitsdefinitionintheBase-PP;theonlychangerequiredbythisPP-ModuleishowtointerpretitinthecontextofBluetoothcapabilities.

AdditionalSFRs

FMT_MOF_EXT.1/BT TheSTauthorisrequiredtoassociateallclaimedmanagementfunctionswiththeadministrativeprivilegesrequiredtoexecutethem.ThisPP-ModulesimplyextendsthisrequirementtoapplytothemanagementfunctionsaddedandmandatedbythePP-Module.

FMT_SMF_EXT.1/BT TheSTauthorisrequiredtoincludeanoptionalmanagementfunctiondefinedintheBase-PPthatrelatestoBluetooth,andtoincludeadditionalmanagementfunctionsinthisSFRbasedontheBluetoothcapabilitydefinedbythePP-Module.

MandatorySFRs

FAU_GEN.1/BT ThePP-ModuledefinesauditableeventsforBluetooththatextendstheauditfunctionalitydefinedineachBase-PP.

FCS_CKM_EXT.8 ThisSFRappliestothefrequencyofkeygenerationactivity.ThisdoesnotconflictwiththeBase-PPbecauseitinvolvesakeygenerationmechanismdefinedintheBase-PPandrelatesexclusivelytoBluetoothfunctionalitysoitdoesnotaffectanyotherkeygenerationactivitiesrequiredbytheBase-PP.









FTP_BLT_EXT.3/BR ThisSFRappliestoencryptionofBluetoothcommunications.ThisisatrustedchannelthatisnotdiscussedintheBase-PP,butitreliesonthesamecryptographicalgorithmsspecifiedintheBase-PPtofunction.

OptionalSFRs

ThisPP-ModuledoesnotdefineanyOptionalrequirements.

Selection-basedSFRs

FTP_BLT_EXT.3/LE ThisSFRappliestoencryptionofBluetoothcommunications.ThisisatrustedchannelthatisnotdiscussedintheBase-PP,butitreliesonthesamecryptographicalgorithmsspecifiedintheBase-PPtofunction.

ObjectiveSFRs


Implementation-DependentSFRs

ThisPP-ModuledoesnotdefineanyImplementation-Dependentrequirements.

AppendixA-OptionalSFRs

A.1StrictlyOptionalRequirementsThisPP-ModuledoesnotdefineanyStrictlyOptionalSFRs.

A.2ObjectiveRequirements

A.2.1IdentificationandAuthentication

FIA_BLT_EXT.5BluetoothSecureConnectionsFIA_BLT_EXT.5.1

TheTOEshallsupportSecureConnectionsOnlymodeforBluetoothBR/EDRand[selection:BluetoothLE,nootherBluetoothprotocol].

ApplicationNote:ThespecificationstatesthatSecureConnectionsOnlyMode,alsocalled"FIPSMode,"shouldbeusedwhensecurityismoreimportantthanbackwardscompatibility.Fromthespecification,"TheHostwillenforcethattheP-256ellipticcurveisusedduringpairing;thesecureauthenticationsequencesareused;andAES-CCMisusedforencryption."Also,"ifaBR/EDR/LEdeviceisconfiguredinSecureConnectionsOnlyMode,thenatransportwillonlybeusedwhenSecureConnectionsissupportedbybothdevices."

A.3Implementation-basedRequirementsThisPP-ModuledoesnotdefineanyImplementation-basedSFRs.

AppendixB-Selection-basedRequirementsB.1TrustedPath/Channels

FTP_BLT_EXT.3/LEBluetoothEncryptionParameters(LE)FTP_BLT_EXT.3.1/LE

TheTSFshallsettheminimumencryptionkeysizeto[assignment:keysizelargerthanorequalto128bits]for[LE]andnotnegotiateencryptionkeysizessmallerthantheminimumsize.

ApplicationNote:TheTOEmustimplementencryptionforBluetoothBR/EDRasrequiredbyFTP_BLT_EXT.1.1.AconformantTOEdoesnotneedtosupportBluetoothLE;however,ifitdoes,thenitmustalsosupportencryptionforit.FTP_BLT_EXT.3/LEmustthereforebeclaimedif'LE'isselectedinFTP_BLT_EXT.1.1.

AppendixC-ExtendedComponentDefinitionsThisappendixcontainsthedefinitionsforallextendedrequirementsspecifiedinthePP-Module.

C.1ExtendedComponentsTableAllextendedcomponentsspecifiedinthePParelistedinthistable:

Table4:ExtendedComponentDefinitionsFunctionalClass FunctionalComponents

CryptographicSupport(FCS) FCS_CKM_EXTCryptographicKeyManagement

IdentificationandAuthentication(FIA) FIA_BLT_EXTBluetoothPairing

TrustedPath/Channels(FTP) FTP_BLT_EXTBluetoothTrustedCommunications

C.2ExtendedComponentDefinitions

FCS_CKM_EXTCryptographicKeyManagement

FamilyBehaviorComponentsinthisfamilydefinerequirementsforcryptographickeymanagementbeyondthosewhicharespecifiedinthePart2familyFCS_CKM.FCS_CKM_EXT FCS_CKM_EXT.8

ComponentLevelingFCS_CKM_EXT.8,BluetoothKeyGeneration,requirestheTSFtogeneratekeypairsusedforBluetoothoveraspecifiedtimeperiodorinresponsetosomeobservedevent.

Management:FCS_CKM_EXT.8Nospecificmanagementfunctionsareidentified.

Audit:FCS_CKM_EXT.8Therearenoauidtableeventsforeseen.

FCS_CKM_EXT.8BluetoothKeyGenerationHierarchicalto:Noothercomponents.Dependenciesto:FCS_CKM.1CryptographicKeyGenerationFPT_STM.1ReliableTimeStampsFTP_BLT_EXT.1BluetoothEncryption

FCS_CKM_EXT.8.1

TheTSFshallgeneratepublic/privateECDHkeypairsevery[assignment:frequencyofand/orcriteriafornewkeypairgeneration].

FIA_BLT_EXTBluetoothPairing

FamilyBehaviorComponentsinthisfamilydefineBluetooth-specificidentificationandauthenticationrequirements.

FIA_BLT_EXT

FIA_BLT_EXT.1FIA_BLT_EXT.2FIA_BLT_EXT.3FIA_BLT_EXT.4FIA_BLT_EXT.6FIA_BLT_EXT.7FIA_BLT_EXT.5

ComponentLevelingFIA_BLT_EXT.1,BluetoothUserAuthorization,requirestheTSFtohaveexplicituserauthorizationbeforeallowingaBluetoothpairing.

Management:FIA_BLT_EXT.1

Nospecificmanagementfunctionsareidentified.

Audit:FIA_BLT_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

FaileduserauthorizationofBluetoothdevice.FaileduserauthorizationforlocalBluetoothdevice.

FIA_BLT_EXT.1BluetoothUserAuthorizationHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.

FIA_BLT_EXT.1.1

TheTSFshallrequireexplicituserauthorizationbeforepairingwitharemoteBluetoothdevice.

ComponentLevelingFIA_BLT_EXT.2,BluetoothMutualAuthentication,requirestheTSFtoenforcemutualauthenticationforBluetooth.

Management:FIA_BLT_EXT.2Nospecificmanagementfunctionsareidentified.


InitiationofBluetoothconnection.FailureofBluetoothconnection.

FIA_BLT_EXT.2BluetoothMutualAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_BLT_EXT.1BluetoothUserAuthorization

FIA_BLT_EXT.2.1

TheTSFshallrequireBluetoothmutualauthenticationbetweendevicespriortoanydatatransferovertheBluetoothlink.

ComponentLevelingFIA_BLT_EXT.3,RejectionofDuplicateBluetoothConnections,requirestheTSFtorejectduplicateattemptstoconnecttoBluetooth.



Duplicateconnectionattempt.

FIA_BLT_EXT.3RejectionofDuplicateBluetoothConnectionsHierarchicalto:Noothercomponents.Dependenciesto:FIA_BLT_EXT.1BluetoothUserAuthorization

FIA_BLT_EXT.3.1

TheTSFshalldiscardpairingandsessioninitializationattemptsfromaBluetoothdeviceaddress(BD_ADDR)towhichanactivesessionalreadyexists.

ComponentLevelingFIA_BLT_EXT.4,SecureSimplePairing,requirestheTSFtosupportSecureSimplePairing.


Audit:FIA_BLT_EXT.4Therearenoauditableeventsforeseen.

FIA_BLT_EXT.4SecureSimplePairing

Hierarchicalto:Noothercomponents.Dependenciesto:FIA_BLT_EXT.1BluetoothUserAuthorization

FIA_BLT_EXT.4.1

TheTOEshallsupportBluetoothSecureSimplePairing,bothinthehostandthecontroller.

FIA_BLT_EXT.4.2

TheTOEshallsupportSecureSimplePairingduringthepairingprocess.

ComponentLevelingFIA_BLT_EXT.6,TrustedBluetoothDeviceUserAuthorization,requirestheTSFtohaveexplicituserauthenticationbeforeassociatingtrustedserviceswithBluetooth.

Management:FIA_BLT_EXT.6ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

Abilitytospecifytheservicesthatrequireexplicituserauthorizationbeforetrusteddevicescanusethem.


FIA_BLT_EXT.6TrustedBluetoothDeviceUserAuthorizationHierarchicalto:Noothercomponents.Dependenciesto:FIA_BLT_EXT.1BluetoothUserAuthorization

FIA_BLT_EXT.6.1

TheTSFshallrequireexplicituserauthorizationbeforegrantingtrustedremotedevicesaccesstoservicesassociatedwiththefollowingBluetoothprofiles:[assignment:listofBluetoothprofiles].

ComponentLevelingFIA_BLT_EXT.7,UntrustedBluetoothDeviceUserAuthorization,requirestheTSFtohaveexplicituserauthenticationbeforeassociatinguntrustedserviceswithBluetooth.

Management:FIA_BLT_EXT.7ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

Abilitytospecifytheservicesthatrequireexplicituserauthorizationbeforeuntrusteddevicescanusethem.


FIA_BLT_EXT.7UntrustedBluetoothDeviceUserAuthorizationHierarchicalto:Noothercomponents.Dependenciesto:FIA_BLT_EXT.1BluetoothUserAuthorization

FIA_BLT_EXT.7.1

TheTSFshallrequireexplicituserauthorizationbeforegrantinguntrustedremotedevicesaccesstoservicesassociatedwiththefollowingBluetoothprofiles:[assignment:listofBluetoothprofiles].

ComponentLevelingFIA_BLT_EXT.5,BluetoothSecureConnections,requirestheTSFtosupportSecureConnectionsOnlymode.



FIA_BLT_EXT.5BluetoothSecureConnectionsHierarchicalto:Noothercomponents.Dependenciesto:FIA_BLT_EXT.1BluetoothUserAuthorization

FIA_BLT_EXT.5.1

TheTOEshallsupportSecureConnectionsOnlymodeforBluetoothBR/EDRand[selection:BluetoothLE,nootherBluetoothprotocol].

FTP_BLT_EXTBluetoothTrustedCommunications

FamilyBehaviorComponentsinthisfamilydefinerequirementsforBluetoothencryption.

FTP_BLT_EXTFTP_BLT_EXT.1FTP_BLT_EXT.2FTP_BLT_EXT.3

ComponentLevelingFTP_BLT_EXT.1,BluetoothEncryption,requirestheTSFtoenforceencryptionwhentransmittingoverBluetooth.

Management:FTP_BLT_EXT.1Nospecificmanagementfunctionsareidentified.

Audit:FTP_BLT_EXT.1Therearenoauditableeventsforeseen.

FTP_BLT_EXT.1BluetoothEncryptionHierarchicalto:Noothercomponents.Dependenciesto:FCS_CKM_EXT.8BluetoothKeyGenerationFIA_BLT_EXT.1BluetoothUserAuthorization

FTP_BLT_EXT.1.1

TheTSFshallenforcetheuseofencryptionwhentransmittingdataovertheBluetoothtrustedchannelforBR/EDRand[selection:LE,nootherconnections].

FTP_BLT_EXT.1.2

TheTSFshallusekeypairsperFCS_CKM_EXT.8forBluetoothencryption.

ComponentLevelingFTP_BLT_EXT.2,PersistenceofBluetoothEncryption,requirestheTSFtoensureencryptionforthedurationoftheuseoftheBluetoothchannel.

Management:FTP_BLT_EXT.2Nospecificmanagementfunctionsareidentified.


FTP_BLT_EXT.2PersistenceofBluetoothEncryptionHierarchicalto:Noothercomponents.Dependenciesto:FTP_BLT_EXT.1BluetoothEncryption

FTP_BLT_EXT.2.1

TheTSFshall[selection:restartencryption,terminatetheconnection]iftheremotedevicestopsencryptionwhileconnectedtotheTOE.

ComponentLevelingFTP_BLT_EXT.3,BluetoothEncryptionParameters,specifiesthekeysizesusedforBluetooth.

Management:FTP_BLT_EXT.3ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

Specificationofminimumencryptionkeysize.


FTP_BLT_EXT.3BluetoothEncryptionParametersHierarchicalto:Noothercomponents.Dependenciesto:FTP_BLT_EXT.1BluetoothEncryption

FTP_BLT_EXT.3.1

TheTSFshallsettheminimumencryptionkeysizeto[assignment:keysizelargerthanorequalto128bits]for[assignment:Bluetoothprotocol].

AppendixD-ImplicitlySatisfiedRequirementsThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisPP-Module.However,theserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainstthePP-Moduleprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.

Requirement RationaleforSatisfaction

FCS_CKM.1-CryptographicKeyGeneration

FCS_CKM_EXT.8hasadependencyonFCS_CKM.1forthegenerationofECDHkeypairs.ThisdependencyisimplicitlysatisfiedinthisPP-ModulebecausebothBase-PPsthePP-ModuleisintendedtoextenddefinethisSFRandspecifyECDHkeygenerationasarequiredcapabilityoftheTOE.Therefore,aconformantTOEwillalwayshavethiscapability.

FPT_STM.1-ReliableTimeStamps

FCS_CKM_EXT.8hasadependencyonFPT_STM.1becausekeygenerationmaybetriggeredbyagiventimeperiodelapsing.WhentheTOEclaimsconformanceto[MDF],thisdependencyissatisfiedexplicitlythroughtheBase-PP'sdefinitionofFPT_STM.1.WhentheTOEclaimsconformanceto[GPOS],thisdependencyissatisfiedimplicitlythroughthatPP'sA.PLATFORMassumptionofatrustworthycomputingplatform,whichcanbereasonablyassumedtoincludeahardwarereal-timeclock.

AppendixE-EntropyDocumentationandAssessmentTheTOEdoesnotrequireanyadditionalsupplementaryinformationtodescribeitsentropysourcesbeyondtherequirementsoutlinedintheBase-PPs.

AppendixF-Bibliography

Identifier Title

[Bluetooth] BluetoothCoreSpecifications,version5.2;December2019,

[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1Revision5,April2017.

[CEM] CommonEvaluationMethodologyforInformationTechnologySecurity-EvaluationMethodology,CCMB-2017-04-004,Version3.1,Revision5,April2017.

[GPOS] ProtectionProfileforGeneralPurposeOperatingSystems,Version4.2.1,April22,2019

[MDF] ProtectionProfileforMobileDeviceFundamentals,Version3.2,April15,2021

https://www.bluetooth.org/en-us/specification/adopted-specifications

http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf



http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R5.pdf

https://www.niap-ccevs.org/MMO/PP/PP_OS_V4.2.1.pdf

https://www.niap-ccevs.org/MMO/PP/pp_md_v3.1.pdf

AppendixG-Acronyms

Acronym Meaning

AES AdvancedEncryptionStandard

AES-CCM AESCounterwithCBC-MACMode

API ApplicationProgrammingInterface

BR BasicRate

Base-PP BaseProtectionProfile

CC CommonCriteria

CEM CommonEvaluationMethodology

ECDH EllipticCurveDiffie-Hellman

EDR EnhancedDataRate

FTP FileTransferProtocol

HCI HostControllerInterface

L2CAP LogicalLinkControlandAdaptationProtocol

LE LowEnergy

LMP LinkManagerProtocol

MDF MobileDeviceFundamentals

OBEX ObjectExchange

OE OperationalEnvironment

PP ProtectionProfile

PP-Configuration ProtectionProfileConfiguration

PP-Module ProtectionProfileModule

SAR SecurityAssuranceRequirement

SFR SecurityFunctionalRequirement

ST SecurityTarget

TOE TargetofEvaluation

TSF TOESecurityFunctionality

TSFI TSFInterface

TSS TOESummarySpecification

pp-module for bluetooth - niap-ccevs

Documents