application.xml

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="..\transforms\pp2html.xsl"?>
<?xml-model href="https://raw.githubusercontent.com/commoncriteria/transforms/master/schemas/CCProtectionProfile.rng" type="application/xml" schematypens="http://relaxng.org/ns/structure/1.0"?>

<PP xmlns="https://niap-ccevs.org/cc/v1"
    xmlns:h="http://www.w3.org/1999/xhtml"
    xmlns:sec="https://niap-ccevs.org/cc/v1/section"
    target-product="Application Software" 
    target-products="Application Software" 
    boilerplate="yes"
    short="App"
>
	
  <PPReference>
    <ReferenceTable>
      <PPTitle>Protection Profile for Application Software</PPTitle>
      <PPVersion>2.0</PPVersion>
      <PPAuthor>National Information Assurance Partnership</PPAuthor>
      <PPPubDate>2024-07-31</PPPubDate>
      <Keywords>application; software</Keywords>
    </ReferenceTable>
  </PPReference>

  <RevisionHistory>
    <entry>
    <version>v 1.0</version>
      <date>2014-10-20</date>
      <subject>Initial release</subject>
    </entry>
    <entry>
      <version>v 1.1</version>
      <date>2014-11-05</date>
      <subject>Addition to TLS cipher suite selections</subject>
    </entry>
    <entry>
      <version>v 1.2</version>
      <date>2016-04-22</date>
      <subject>Added server-side TLS requirements (selection-based)
      <h:br/>Multiple clarification based on NIAP TRRT inquiries
      <h:br/>Refactored FDP_DEC_EXT.1 into separate components
      </subject>
    </entry>
    <entry> 
          <version>v 1.3</version>
          <date>2019-03-01</date>
          <subject>Incorporated available Technical Decisions
            <h:br/>Refactored FPT_TUD 
            <h:br/>Added a selection to FTP_DIT
            <h:br/>Moved SWID Tags requirement
            <h:br/>Leveraged TLS Package
            <h:br/>Added equivalency section
          </subject>
    </entry>
    <entry>
          <version>v 1.4</version>
          <date>2021-10-07</date>
          <subject>Incorporated applicable Technical Decisions
			<h:br/>Updated to TLS FP 1.1
			<h:br/>Incorporated SSH FP 1.0
		  </subject>
    </entry>
  	<entry>
  		<version>v 2.0</version>
  		<date>2024-07-31</date>
  		<subject>CC2022 conversion
		<h:br/>Updating for TLS FP, SSH FP, and X509 FP
		<h:br/>TDs and Github Issues
		<h:br/>CNSA 2.0 updates
		<h:br/>ALC FLR Updates
  		</subject>
  	</entry>
  </RevisionHistory>
	
  
  <!-- TDs incorporated:
    TD0780:  FIA_X509_EXT.1 Test 4 Clarification
    TD0756:  Update for platform-provided full disk encryption
    TD0747:  Configuration Storage Option for Android
    TD0743:  FTP_DIT_EXT.1.1 Selection exclusivity
    TD0736:  Number of elements for iterations of FCS_HTTPS_EXT.1
    TD0719:  ECD for PP APP V1.3 and 1.4
    TD0717:  Format changes for PP_APP_V1.4
    TD0669:  FIA_X509_EXT.1 Test 4 Interpretation
    TD0664:  Testing activity for FPT_TUD_EXT.2.2
    TD0655:  Mutual authentication in FTP_DIT_EXT.1 for SW App
	TD0650:  Conformance claim sections updated to allow for MOD_VPNC_V2.3 and 2.4
	TD0628:  Addition of Container Image to Package Format
	TD0624:  Addition of DataStore for Storing and Setting Configuration Options
	XXXXXX:	 Replaced SSH EP 1.0 with SSH FP 1.0
	TD0601:  Updating FTP_DIT_EXT.1 to conform to changes in FCS_HTTPS_EXT. Supersedes TDs 444, 473, 587.
	TD0600:  Conformance claim sections updated to allow for MOD_VPNC_V2.3
	TD0598:  Expanded AES Modes in FCS_COP for App PP
	TD0587:  X.509 SFR Applicability in App PP  (superseded by TD0601)
	TD0582:  PP-Configuration for Application Software and Virtual Private Network (VPN) Clients now allowed
	TD0561:  Signature verification update
	TD0554:  iOS/iPadOS/Android AppSW Virus Scan
	TD0548:  Integrity for installation tests in AppSW PP 1.3
	TD0544:  Alternative testing methods for FPT_AEX_EXT.1.1
	TD0543:  FMT_MEC_EXT.1 evaluation activity update
	TD0519:  Linux symbolic links and FMT_CFG_EXT.1
	TD0515:  Use Android APK manifest in test
	TD0510:  Obtaining random bytes for iOS/macOS
	TD0498:  Application Software PP Security Objectives and Requirements Rationale
	TD0495:  FIA_X509_EXT.1.2 Test Clarification
	TD0473:  Support for Client or Server TOEs in FCS_HTTPS_EXT (superseded by TD0601)
	TD0465:  Configuration Storage for .NET Apps
	TD0445:  User Modifiable File Definition
    TD0437:  Supported Configuration Mechanism
	TD0435:  Alternative to SELinux for FPT_AEX_EXT.1.3 
	TD0434:  Windows Desktop Applications Test	
	TD0427:  Reliable Time Source 
	TD0416:  Correction to FCS_RBG_EXT.1 Test Activity
	
	Also changed the names of FCS SFRs with iterations as follows:

	FCS_CMK.1 is renamed FCS_CKM_EXT.1
	FCS_CKM.1/1 (a.k.a FCS_CKM.1/ALGO) is renamed FCS_CKM.1/AK 
	FCS_CKM.1/2 is renamed FCS_CKM.1/SK 
	FCS_CKM.1/3 is renamed FCS_CKM_EXT.1/PBKDF (FCS_CKM_EXT.1/PBKDF subsequently renamed FCS_PBKDF_EXT
	FCS_COP.1/1 is renamed FCS_COP.1/SKC
	FCS_COP.1/2 is renamed FCS_COP.1/Hash
	FCS_COP.1/3 is renamed FCS_COP.1/Sig
	FCS_COP.1/4 is renamed FCS_COP.1/KeyedHash
	
   -->
  
  
<!--
  <subaactivity-decl>
     <val id="sad-android" full="Android-based Platform"></val>
     <val id="sad-windows" full="Microsoft Windows Platform"></val>
     <val id="sad-ios" full="Apple iOS Platform"></val>
     <val id="sad-linux" full="Linux-based Platform"></val>
     <val id="sad-Solaris" full="Oracle Solaris Platform"></val>
     <val id="sad-mac" full="Apple macOS Platform"></val>
  </subaactivity-decl> 
  -->
  <include-pkg id="pkg-ssh">
    <git>
      <url>https://github.com/commoncriteria/ssh</url>
      <branch>release-1.0</branch>
    </git>
    <url>https://www.niap-ccevs.org/Profile/Info.cfm?PPID=459&amp;id=459</url>
    <depends on-sel="sel_all_ssh"/>
  </include-pkg>
  
  <include-pkg id="pkg-tls">
    <git>
      <url>https://github.com/commoncriteria/tls</url>
      <branch>release-2.0</branch>
    </git>
    <url>https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&amp;id=439</url>
    <depends on-sel="sel_all_tls" on-also="sel_all_dtls"/>
  </include-pkg>


	<pp-preferences>
		<using-cc2022/>
	</pp-preferences>
	

	<!-- 1.0 Introdiction -->
	<sec:Introduction>

	<!-- 1.1 Overview -->
    <sec:Overview>The scope of this Protection Profile (PP) is to
		describe the security functionality of application software in terms of <xref g="CC"/>
		and to define functional and assurance requirements for such software. In recent years,
		software attacks have shifted from targeting operating systems to targeting applications. This
		has been the natural response to improvements in operating system security and development
		processes. As a result, it is paramount that the 
		security of applications be improved to
		reduce the risk of compromise.
	</sec:Overview>
	
	<!-- 1.2 Terms -->
	<!-- 1.2.1 Common Criteria Terms -->
	<!-- 1.2.2 Technical Terms -->
    <tech-terms>
		<term full="Address Space Layout Randomization" abbr="ASLR">
            An anti-exploitation feature which loads memory mappings into unpredictable
            locations. ASLR makes it more difficult for an attacker to redirect control to code
            that they have introduced into the address space of an application process.</term>
        <term abbr="ADB" full="Android Debug Bridge"/>
        <term abbr="AES" full="Advanced Encryption Standard"/>
        <term abbr="ANSI" full="American National Standards Institute"/>
        <term abbr="APK" full="Android Application Package"/>
        <term full="Application" abbr="app">
            Software that runs on a platform and performs tasks on behalf of
            the user or owner of the platform, as well as its supporting documentation. The 
            terms <h:i>TOE</h:i> and <h:i>application</h:i> are interchangeable in this document.
        </term>
        <term full="Application Programming Interface" abbr="API">
            A specification of routines, data structures, object classes, and variables
            that allows an application to make use of services provided by another software
            component, such as a library. APIs are often provided for a set of libraries included
            with the platform.</term>
        <term abbr="APPX" full="Windows Universal Application Package"/>
        <term abbr="BIOS" full="Basic Input/Output System"/>
        <term abbr="CMC" full="Certificate Management over CMS"/>
        <term full="Credential">
			Data that establishes the identity of a user, e.g. a cryptographic key or password.</term>
        <term abbr="CMS" full="Cryptographic Message Syntax"/>
        <term abbr="CN" full="Common Names"/>
        <term abbr="CRL" full="Certificate Revocation List"/>
        <term abbr="CSA" full="Computer Security Act"/>
        <term full="Data Execution Prevention" abbr="DEP">
            An anti-exploitation feature of modern operating systems executing on
            modern computer hardware, which enforces a non-execute permission on pages of memory.
            DEP prevents pages of memory from containing both data and instructions, which makes
            it more difficult for an attacker to introduce and execute code.</term>
        <term abbr="DES" full="Data Encryption Standard"/>
        <term full="Developer">
            An entity that writes application software. For the purposes of this
            document, vendors and developers are the same.</term>
        <term abbr="DHE" full="Diffie-Hellman Ephemeral"/>
        <term abbr="DMG" full="Apple Disk Image"/>
        <term abbr="DNS" full="Domain Name System"/>
        <term abbr="DPAPI" full="Data Protection Application Programming Interface"/>
        <term abbr="DRBG" full="Deterministic Random Bit Generator"/>
        <term abbr="DSS" full="Digital Signature Standard"/>
        <term abbr="DT" full="Date/Time Vector"/>
        <term abbr="DTLS" full="Datagram Transport Layer Security"/>
        <term abbr="EAP" full="Extensible Authentication Protocol"/>
        <term abbr="ECDHE" full="Elliptic Curve Diffie-Hellman Ephemeral"/>
        <term abbr="ECDSA" full="Elliptic Curve Digital Signature Algorithm"/>
        <term abbr="EMET" full="Enhanced Mitigation Experience Toolkit"/>
        <term abbr="EST" full="Enrollment over Secure Transport"/>
        <term abbr="FIPS" full="Federal Information Processing Standards"/>
        <term abbr="ELF" full="Executable and Linkable Format"/>
        <term abbr="GPS" full="Global Positioning System"/>
        <term abbr="HMAC" full="Hash-based Message Authentication Code"/>
        <term abbr="HTTP" full="Hypertext Transfer Protocol"/>
        <term abbr="HTTPS" full="Hypertext Transfer Protocol Secure"/>
        <term abbr="IANA" full="Internet Assigned Number Authority"/>
        <term abbr="IEC" full="International Electrotechnical Commission"/>
        <term abbr="IETF" full="Internet Engineering Task Force"/>
        <term abbr="IP" full="Internet Protocol"/>
        <term abbr="IPA" full="iOS Package archive"/>
        <term abbr="IR" full="Intermediate Integer"/>
        <term abbr="ISO" full="International Organization for Standardization"/>
        <term abbr="IT" full="Information Technology"/>
        <term abbr="ITSEF" full="Information Technology Security Evaluation Facility"/>
        <term abbr="JNI" full="Java Native Interface"/>
        <term abbr="LDAP" full="Lightweight Directory Access Protocol"/>
		<term full="Mobile Code">
			Software transmitted from a remote system for
			execution within a limited execution environment on the local system.
			Typically, there is no persistent installation and
			execution begins without the user's consent or even notification.
			Examples of mobile code technologies include JavaScript, Java applets, Adobe Flash, 
			and Microsoft Silverlight.
		</term>
        <term abbr="MIME" full="Multi-purpose Internet Mail Extensions"/>
        <term abbr="MPKG" full="Meta Package"/>
        <term abbr="MSI" full="Microsoft Installer"/>
        <term abbr="NFC" full="Near Field Communication"/>
        <term abbr="NIAP" full="National Information Assurance Partnership"/>
        <term abbr="NIST" full="National Institute of Standards and Technology"/>
        <term abbr="OCSP" full="Online Certificate Status Protocol"/>
        <term abbr="OID" full="Object Identifier"/>
        <term abbr="OMB" full="Office of Management and Budget"/>
        <term full="Operating System" abbr="OS">
            Software that manages hardware resources and provides services for
            applications.</term>
        <term full="Personally Identifiable Information" abbr="PII">
            Any information about an individual maintained by an agency, including, but
            not limited to, education, financial transactions, medical history, and criminal or
            employment history and information which can be used to distinguish or trace an
            individual's identity, such as their name, social security number, date and place of
            birth, mother’s maiden name, biometric records, etc., including any other personal
            information which is linked or linkable to an individual. <xref to="bibOMB"/></term>
        <term full="Platform">
            The environment in which application software runs. 
            The platform can be an operating system, hardware environment, a software based execution environment, 
		    or some combination of these.  These types of platforms may also run atop other platforms.
        </term>
        <term abbr="PDF" full="Portable Document Format"/>
	    <term abbr="PE" full="Portable Executable"/>
        <term abbr="PID" full="Process Identifier"/>
        <term abbr="PKG" full="Package file"/>
        <term abbr="PKI" full="Public Key Infrastructure"/>
        <term abbr="RBG" full="Random Bit Generator"/>
        <term abbr="RFC" full="Request for Comment"/>
        <term abbr="RNG" full="Random Number Generator"/>
        <term abbr="RNGVS" full="Random Number Generator Validation System"/>
        <term abbr="SE" full="Security Enhancements"/>
        <term abbr="SHA" full="Secure Hash Algorithm"/>
        <term abbr="S/MIME" full="Secure/Multi-purpose Internet Mail Extensions"/>
        <term abbr="SSH" full="Secure Shell"/>
        <term abbr="SIP" full="Session Initiation Protocol"/>
        <term full="Sensitive Data">
            Sensitive data may include all user or enterprise data or may be
            specific application data such as emails, messaging, documents,
            calendar items, and contacts.  Sensitive data must minimally include
            PII, credentials, and keys.  Sensitive data shall be identified in
            the application’s TSS by the ST author. 
 	    </term>
        <term abbr="SP" full="Special Publication"/>
        <term abbr="SWID" full="Software Identification"/>
        <term full="Stack Cookie">
            An anti-exploitation feature that places a value on the stack at the start
            of a function call, and checks that the value is the same at the end of the function
            call. This is also referred to as Stack Guard, or Stack Canaries.</term>
        <term abbr="SAN" full="Subject Alternative Name"/>
        <term abbr="TLS" full="Transport Layer Security"/>
        <term abbr="UI" full="User Interface"/>
        <term abbr="URI" full="Uniform Resource Identifier"/>
        <term abbr="URL" full="Uniform Resource Locator"/>
        <term abbr="USB" full="Universal Serial Bus"/>
        <term full="Vendor">
            An entity that sells application software. For purposes of this document,
            vendors and developers are the same. Vendors are responsible for maintaining and
            updating application software.</term>
        <term abbr="XCCDF" full="eXtensible Configuration Checklist Description Format"/>
        <term abbr="XOR" full="Exclusive Or"/>
    </tech-terms>
	
	<!-- 1.3 Compliant Targets of Evaluation -->
    <section title="Compliant Targets of Evaluation" id="TOEdescription">
	<h:p>
		The requirements in this document apply to application software which runs on any type of 
		platform. Some application types are covered by more specific PPs, which may be expressed as
		PP-Modules of this PP. Such applications are subject to the requirements of both this PP and the
		PP-Module that addresses their special functionality.  PPs for some 
		particularly specialized applications may not be expressed as PP-Modules at this time,
		though the requirements in this document should be seen as objectives for those 
		highly specialized applications.</h:p>
    	<h:p>
		Although the requirements in this document apply to a wide range of application
		software, consult guidance from the relevant national schemes to
		determine when formal Common Criteria evaluation is expected for a
		particular type of application.  This may vary depending upon the nature
		of the security functionality of the application.</h:p>

	<!-- 1.3.1 TOE Boundary -->
	<sec:TOE_Boundary>
<h:p>
		The application, which consists of the software provided by its vendor,
		is installed onto the platform(s) it operates on.  It executes on the platform, which
		may be an operating system (<xref to="toe-as-apponos"/>), hardware environment, 
	    a software based execution environment, or some combination of these (<xref to="toe-as-apponee"/>). 
		Those platforms may themselves run within other environments, such as virtual machines or operating 
		systems, that completely abstract away the underlying hardware from the application. The TOE is not 
		accountable for security functionality that is implemented by platform layers that are abstracted 
		away. Some evaluation activities are specific to the particular platform
		on which the application runs, in order to provide precision and
		repeatability. The only platforms currently recognized by the AppPP are those specified in SFR Evaluation Activities.
		To test on a platform for which there are no EAs, a Vendor should contact NIAP with recommended EAs.
		NIAP will determine if the proposed platform is appropriate for the PP and accept, reject,
		or develop EAs as necessary in coordination with the technical community.
</h:p><h:p>
		Applications include a diverse range of software such as office suites, thin clients, PDF readers, downloadable
		smartphone apps, and apps running in a cloud container. The TOE includes 
		any software in the application installation package, even those pieces that may 
		extend or modify the functionality of the underlying platform, such as kernel drivers.  
		Many platforms come bundled with applications such as web browsers, email clients and media players and these too
		should be considered subject to the requirements defined in this document although the expectation of formal Common Criteria evaluation
		depends upon the national scheme.  BIOS and other firmware, the operating system kernel,
		and other systems software (and drivers) provided as part of the platform are outside the scope
		of this document.  
		<figure	entity="images/toe.png" title="TOE as an Application and Kernel Module Running on an Operating System" id="toe-as-apponos"/>
		<figure entity="images/toeruntime.png" title="TOE as an Application Running in an Execution Environment Plus Native Code" id="toe-as-apponee"/>
</h:p>
	</sec:TOE_Boundary>
	
	</section>  <!-- 1.3 Compliant Targets of Evaluation -->
	
	<!-- 1.4 Use Cases -->
    <sec:Use_Cases>
		Requirements in this Protection Profile are designed to
		address the security problem in the following use cases. These use cases are intentionally
		very broad, as many specific use cases exist for application software. Many applications may
		be used in combinations of these broad use cases, and evaluation against PP-Modules
		of this PP, when available, may be most appropriate for some application types. 
		<usecases>
			<usecase title="Content Creation" id="contentcreation">
				<description>The application allows a user to create content, saving it to either local or
					remote storage.  Example content includes text documents, presentations, and images.
				</description>
			</usecase>
			<usecase title="Content Consumption" id="contentconsumption">
				<description>The application allows a user to consume content, retrieving it from either
					local or remote storage.  Example content includes web pages and video.</description>
			</usecase>
			<usecase title="Communication" id="interactivecomms">
				<description>The application allows for communication interactively or
					non-interactively with other users or applications over a communications channel.
					Example communications include instant messages, email, and voice.
				</description>
			</usecase>
		</usecases>
	</sec:Use_Cases>
	
	<!-- 1.5 Supported Platforms -->
	<section title="Platforms with Specific EAs" id="sec-platforms">
	    <choice prefix="Platforms:" >
	    	<h:p>
			This PP includes platform-specific EAs for the below-listed operating system platforms. For "bare-metal" applications, applications that run on
			other OS platforms, and applications that run in software-based execution environments, contact the Technical Community for guidance.</h:p>  
			<selectables linebreak="yes">
				<selectable id="android"><h:b><snip>Android</snip></h:b>: <h:i>Mobile operating systems based on Google Android.</h:i></selectable>
				<selectable id="windows"><h:b><snip>Microsoft Windows</snip></h:b>: <h:i>Microsoft Windows operating systems.</h:i></selectable>
				<selectable id="ios"><h:b><snip>Apple iOS</snip></h:b>: <h:i>Apple's mobile operating system for iPhones.</h:i></selectable>
				<selectable id="linux"><h:b><snip>Linux</snip></h:b>: <h:i>Linux-based operating systems other than Android.</h:i></selectable>
				<selectable id="Solaris"><h:b><snip>Oracle Solaris</snip></h:b>: <h:i>Oracle's enterprise operating system.</h:i></selectable>
				<selectable id="mac"><h:b><snip>Apple macOS</snip></h:b>: <h:i>Apple's operating system for MACs.</h:i></selectable></selectables> 
		</choice>
	</section>
	
  </sec:Introduction>
  
	<!-- 2.0 Conformance Claims -->
	<!-- incorporates TD0600 -->
	<!-- incorporates TD0582 -->
	<sec:Conformance_Claims  boilerplate="no">
		<cclaims>
			<cclaim name="Conformance Statement">
				<description>
					<h:p>
					An ST must claim exact conformance to this PP.
					</h:p><h:p>
					The evaluation methods used for evaluating the TOE are a combination of the workunits defined in <xref to="bibCEM"/> as well as the
					Evaluation Activities for ensuring that individual SFRs and SARs have a sufficient level of supporting evidence in the Security Target and 
					guidance documentation and have been sufficiently tested by the laboratory as part of completing ATE_IND.1. Any functional packages 
					this PP claims similarly contain their own Evaluation Activities that are used in this same manner.
					</h:p>
				</description>
			</cclaim>
			<cclaim name="CC Conformance Claims">
				<description>This PP is conformant to Parts 2 (extended) and 3 (extended) of Common Criteria CC:2022, Revision 1.</description>
			</cclaim>
			<cclaim name="PP Claim">
				<description>
					<h:p>
					This PP does not claim conformance to any other Protection Profile.
					</h:p><h:p>
					The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP: 
					<!-- updated to reflect NIAP TD0650 -->
					<h:div class="indent">
						<h:li>Protection Profile for Mobile Device Management Version 4.0</h:li>
						<h:li>PP-Module for File Encryption, Version 1.0</h:li>
						<h:li>PP-Module for File Encryption Enterprise Management, Version 1.0</h:li>
						<h:li>PP-Module for VPN Clients, Version 2.2</h:li>
						<h:li>PP-Module for VPN Clients, Version 2.3</h:li>
						<h:li>PP-Module for VPN Clients, Version 2.4</h:li>
						<h:li>PP-Module for Endpoint Detection and Response, Version 1.0</h:li>
						<h:li>PP-Module for Host Agent, Version 1.0</h:li>
						<h:li>PP-Module for Voice and Video over IP (VVoIP), Version 1.0</h:li>
						<h:li>PP-Module for Email Clients, Version 1.0</h:li>
						<h:li>PP-Module for Web Browsers, Version 1.0</h:li>
						<h:li>PP-Module for Redaction Tools, Version 1.0</h:li>
					</h:div>
					</h:p>
				</description>
			</cclaim>
			<cclaim name="Package Claim">
				<description><h:ul>
					<h:li>This PP is Functional Package for TLS Version 1.1 Conformant.</h:li>
					<h:li>This PP is Functional Package for TLS Version 2.0 Conformant.</h:li>
					<h:li>This PP is Functional Package for SSH Version 1.0 Conformant.</h:li>
					<h:li>This PP is Functional Package for X.509 Version 1.0 Conformant.</h:li>
					<h:li>This PP does not conform to any assurance packages.</h:li>
					</h:ul>
					The functional packages to which the PP conforms include SFRs that are not mandatory to claim for the sake of conformance.
					An ST that claims one or more of these functional packages may include any non-mandatory SFRs that are appropriate to claim based on the 
					capabilities of the TSF and on any triggers for their inclusion based inherently on the SFR selections made. All security requirements
					in these packages are intended to address T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats of this PP.
				</description>
			</cclaim>
		</cclaims>
	</sec:Conformance_Claims>
  
  
	<!-- 3.0 Security Problem Description -->
	<sec:Security_Problem_Definition>
		The security problem is described in terms
		of the threats that the TOE is expected to address, assumptions about the
		operational environment, and any organizational security policies that the TOE
		is expected to enforce.
		
	<!-- 3.1 Threats -->	
    <sec:Threats>
		<threats>
			<threat name="T.NETWORK_ATTACK">
				<description>An attacker is positioned on a communications channel or elsewhere on the
					network infrastructure. Attackers may engage in communications with the application
					software or alter communications between the application software and other endpoints in
					order to compromise it.
					</description>
				<!-- New mapping to build updated threat mapping table. -->
				<addressed-by>FCS_CKM.1/SK (optional)</addressed-by><rationale>The PP includes FCS_CKM.1/SK to define the mechanism used to generate symmetric keys when the TOE performs this function.</rationale>
				<addressed-by>FCS_CKM_EXT.1</addressed-by><rationale>The PP includes FCS_CKM_EXT.1 to specify whether the TOE or the platform is responsible for generation of any asymmetric keys that may be used for establishing trusted communications.</rationale>
				<addressed-by>FCS_CKM.1/AK (selection-based)</addressed-by><rationale>The PP includes FCS_CKM.1/AK to define whether the TSF or the platform generates asymmetric keys that are used in support of trusted communications.</rationale>
				<addressed-by>FCS_CKM.2 (selection-based)</addressed-by><rationale>The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment for trusted communications.</rationale>
				<addressed-by>FCS_COP.1/SKC (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/SKC to define the symmetric encryption algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_COP.1/Hash (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/Hash to define the hash algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_COP.1/Sig (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/Sig to define the digital signature algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_COP.1/KeyedHash (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/KeyedHash to define the HMAC algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_HTTPS_EXT.1/Client (selection-based)</addressed-by><rationale>The PP includes FCS_HTTPS_EXT.1/Client to define the TOE’s support for the HTTPS trusted communications protocol as a client.</rationale>
				<addressed-by>FCS_HTTPS_EXT.1/Server (selection-based)</addressed-by><rationale>The PP includes FCS_HTTPS_EXT.1/Server to define the TOE’s support for the HTTPS trusted communications protocol as a server.</rationale>
				<addressed-by>FCS_HTTPS_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FCS_HTTPS_EXT.2 to define the TOE’s behavior when presented with an invalid certificate as part of an HTTPS connection attempt.</rationale>
				<addressed-by>FCS_RBG_EXT.1</addressed-by><rationale>The PP includes FCS_RBG_EXT.1 to define whether the random bit generation services used in establishing trusted communications are implemented by the TSF or by the platform.</rationale>
				<addressed-by>FCS_RBG_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FCS_RBG_EXT.2 to define the DRBG algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_SNI_EXT. (selection-based)</addressed-by><rationale>The PP includes FCS_SNI_EXT.1 to define the proper salt, nonce, and initialization vector usage to ensure proper cryptographic operation.</rationale>
				<addressed-by>FDP_DEC_EXT.1</addressed-by><rationale>The PP includes FDP_DEC_EXT.1 to limit access to platform hardware resources, which limits the methods by which an attacker can attempt to remotely compromise the integrity of the TOE.</rationale>
				<addressed-by>FDP_NET_EXT.1</addressed-by><rationale>The PP includes FDP_NET_EXT.1 to define the TOE’s usage of network communications, which may include the transmission or receipt of data over a trusted channel.</rationale>
				<addressed-by>FMT_CFG_EXT.1</addressed-by><rationale>The PP includes FMT_CFG_EXT.1 for the TSP to limit unauthorized access to itself by preventing the use of default authentication credentials and by ensuring that the TOE uses appropriately restrictive platform permissions on its binaries and data</rationale>
				<addressed-by>FMT_SMF.1</addressed-by><rationale>The PP includes FMT_SMF.1 to define the security-relevant management functions that are supported by the TOE.</rationale>
				<addressed-by>FPR_ANO_EXT.1</addressed-by><rationale>The PP includes FPR_ANO_EXT.1 to define how the TSF provides control to the user regarding the disclosure of any PII.</rationale>
				<addressed-by>FPT_AEX_EXT.1</addressed-by><rationale>The PP includes FPT_AEX_EXT.1 to add complexity to the task of compromising systems by ensuring that application is compatible with security features provided by the platform vendor and that the application implements platform-provided anti-exploitations such as ASLR and stack overflow protection.</rationale>
				<addressed-by>FPT_TUD_EXT.1</addressed-by><rationale>The PP includes FPT_TUD_EXT.1 to ensure that the TOE can be patched and that any updates to the TOE have appropriate integrity protection.</rationale>
				<addressed-by>FPT_IDV_EXT.1</addressed-by><rationale>The PP includes FPT_IDV_EXT.1 to provide a methodology for identifying the TOE versioning.</rationale>
				<addressed-by>FPT_TUD_EXT.1</addressed-by><rationale>The PP includes FPT_TUD_EXT.1 to define how updates to the TOE are deployed and verified.</rationale>
				<addressed-by>FTP_DIT_EXT.1</addressed-by><rationale>The PP includes FTP_DIT_EXT.1 to define the trusted channels used to protect data in transit, the data that is protected, and whether the trusted channels are implemented by the TSF or the platform.</rationale>
				
				</threat>
			<threat name="T.NETWORK_EAVESDROP">
				<description>An attacker is positioned on a communications channel or elsewhere on the
					network infrastructure. Attackers may monitor and gain access to data exchanged between
					the application and other endpoints.</description>
				<!-- New mapping to build updated threat mapping table. -->
				<addressed-by>FCS_CKM.1/AK (selection-based)</addressed-by><rationale>The PP includes FCS_CKM.1/AK to define whether the TSF or the platform generates asymmetric keys that are used in support of trusted communications.</rationale>
				<addressed-by>FCS_CKM.1/SK (optional)</addressed-by><rationale>The PP includes FCS_CKM.1/SK to define the mechanism used to generate symmetric keys when the TOE performs this function.</rationale>
				<addressed-by>FCS_CKM.2 (selection-based)</addressed-by><rationale>The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment for trusted communications.</rationale>
				<addressed-by>FCS_CKM_EXT.1</addressed-by><rationale>The PP includes FCS_CKM_EXT.1 to specify whether the TOE or the platform is responsible for generation of any asymmetric keys that may be used for establishing trusted communications.</rationale>
				<addressed-by>FCS_COP.1/KeyedHash (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/KeyedHash to define the HMAC algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_COP.1/Hash (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/Hash to define the hash algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_COP.1/Sig</addressed-by><rationale>The PP includes FCS_COP.1/Sig to define the mechanism used to verify TOE updates if the TOE implements this functionality rather than the underlying platform.</rationale>
				<addressed-by>FCS_COP.1/SKC (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/SKC to define the symmetric encryption algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_HTTPS_EXT.1/Client (selection-based)</addressed-by><rationale>The PP includes FCS_HTTPS_EXT.1/Client to define the TOE’s support for the HTTPS trusted communications protocol as a client.</rationale>
				<addressed-by>FCS_HTTPS_EXT.1/Server (selection-based)</addressed-by><rationale>The PP includes FCS_HTTPS_EXT.1/Server to define the TOE’s support for the HTTPS trusted communications protocol as a server.</rationale>
				<addressed-by>FCS_HTTPS_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FCS_HTTPS_EXT.2 to define the TOE’s behavior when presented with an invalid certificate as part of an HTTPS connection attempt.</rationale>
				<addressed-by>FCS_RBG_EXT.1</addressed-by><rationale>The PP includes FCS_RBG_EXT.1 to define whether the random bit generation services used in establishing trusted communications are implemented by the TSF or by the platform.</rationale>
				<addressed-by>FCS_RBG_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FCS_RBG_EXT.2 to define the DRBG algorithms used in support of trusted communications.</rationale>
				<addressed-by>FCS_STO_EXT.1</addressed-by><rationale>The PP includes FCS_STO_EXT.1 to specify that the TSF may rely on platform-provided credential storage services.</rationale>
				<addressed-by>FDP_DAR_EXT.1</addressed-by><rationale>The PP includes FDP_DAR_EXT.1 to specify that the TSF may rely on platform-provided data-at-rest protection services.</rationale>
				<addressed-by>FDP_NET_EXT.1</addressed-by><rationale>The PP includes FDP_NET_EXT.1 to define the TOE’s usage of network communications, which may include the transmission or receipt of data over a trusted channel.</rationale>
				<addressed-by>FIA_X509_EXT.1 (selection-based)</addressed-by><rationale>The PP includes FIA_X509_EXT.1 to specify that the TSF may rely on platform-provided X.509 certificate validation services.</rationale>
				<addressed-by>FMT_MEC_EXT.1</addressed-by><rationale>The PP includes FMT_MEC_EXT.1 to ensure that the TOE can use platform services to store and set configuration options.</rationale>
				<addressed-by>FMT_SMF.1</addressed-by><rationale>The PP includes FMT_SMF.1 to define the security-relevant management functions that are supported by the TOE.</rationale>
				<addressed-by>FPR_ANO_EXT.1</addressed-by><rationale>The PP includes FPR_ANO_EXT.1 to define how the TSF provides control to the user regarding the disclosure of any PII.</rationale>
				<addressed-by>FPT_API_EXT.1</addressed-by><rationale>The PP includes FPT_API_EXT.1 to require the TOE to leverage platform functionality by using only documented and supported APIs.</rationale>
				<addressed-by>FPT_API_EXT.2 (objective)</addressed-by><rationale>The PP includes FPT_API_EXT.2 to permit the TOE to use platform-provided libraries for parsing IANA MIME media formats.</rationale>
				<addressed-by>FPT_IDV_EXT.1</addressed-by><rationale>The PP includes FPT_IDV_EXT.1 to provide a methodology for identifying the TOE versioning.</rationale>
				<addressed-by>FPT_LIB_EXT.1</addressed-by><rationale>The PP includes FPT_LIB_EXT.1 to ensure that the TOE does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability.</rationale>
				<addressed-by>FPT_TUD_EXT.1</addressed-by><rationale>The PP includes FPT_TUD_EXT.1 to define how updates to the TOE are deployed and verified.</rationale>
				<addressed-by>FPT_TUD_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FPT_TUD_EXT.2 to specify that the TOE may leverage the platform-supported package manager for application distribution and leverages platform-provided mechanisms to remove all traces of itself when removed from the platform system.</rationale>
				<addressed-by>FTP_DIT_EXT.1</addressed-by><rationale>The PP includes FTP_DIT_EXT.1 to define the trusted channels used to protect data in transit, the data that is protected, and whether the trusted channels are implemented by the TSF or the platform.</rationale>
				
				
				</threat>
			<threat name="T.LOCAL_ATTACK">
				<description>An attacker can act through unprivileged software on the same computing
					platform on which the application executes. Attackers may provide maliciously formatted
					input to the application in the form of files or other local
					communications.</description>
				<!-- New mapping to build updated threat mapping table. -->
				<addressed-by>FCS_CKM.1/AK (selection-based)</addressed-by><rationale>The PP includes FCS_CKM.1/AK to specify that the TSF may rely on platform-provided asymmetric key generation services.</rationale>
				<addressed-by>FCS_CKM.2 (selection-based)</addressed-by><rationale>The PP includes FCS_CKM.2 to specify that the TSF may rely on platform-provided key establishment services.</rationale>
				<addressed-by>FCS_CKM_EXT.1</addressed-by><rationale>The PP includes FCS_CKM_EXT.1 to specify that the TSF may rely on platform-provided key generation services.</rationale>
				<addressed-by>FCS_RBG_EXT.1</addressed-by><rationale>The PP includes FCS_RBG_EXT.1 to specify that the TSF may rely on platform-provided random bit generation services.</rationale> 
				<addressed-by>FCS_STO_EXT.1</addressed-by><rationale>The PP includes FCS_STO_EXT.1 to specify that the TSF may rely on platform-provided credential storage services.</rationale>
				<addressed-by>FDP_DAR_EXT.1</addressed-by><rationale>The PP includes FDP_DAR_EXT.1 to specify that the TSF may rely on platform-provided data-at-rest protection services.</rationale>
				<addressed-by>FDP_DEC_EXT.1</addressed-by><rationale>The PP includes FDP_DEC_EXT.1 to limit access to platform hardware resources, which limits the methods by which an attacker can attempt to locally compromise the integrity of the TOE.</rationale>
				<addressed-by>FMT_CFG_EXT.1</addressed-by><rationale>The PP includes FMT_CFG_EXT.1 for the TSP to limit unauthorized access to itself by preventing the use of default authentication credentials and by ensuring that the TOE uses appropriately restrictive platform permissions on its binaries and data</rationale>
				<addressed-by>FMT_MEC_EXT.1</addressed-by><rationale>The PP includes FMT_MEC_EXT.1 to ensure that the TOE can use platform services to store and set configuration options.</rationale>
				<addressed-by>FPT_AEX_EXT.1</addressed-by><rationale>The PP includes FPT_AEX_EXT.1 to add complexity to the task of compromising systems by ensuring that application is compatible with security features provided by the platform vendor and that the application implements platform-provided anti-exploitations such as ASLR and stack overflow protection.</rationale>
				<addressed-by>FPT_API_EXT.2 (objective)</addressed-by><rationale>The PP includes FPT_API_EXT.2 to permit the TOE to use platform-provided libraries for parsing IANA MIME media formats.</rationale>
				<addressed-by>FPT_API_EXT.1</addressed-by><rationale>The PP includes FPT_API_EXT.1 to require the TOE to leverage platform functionality by using only documented and supported APIs.</rationale>
				<addressed-by>FPT_LIB_EXT.1</addressed-by><rationale>The PP includes FPT_LIB_EXT.1 to ensure that the TOE does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability.</rationale>
				<addressed-by>FPT_TUD_EXT.1</addressed-by><rationale>The PP includes FPT_TUD_EXT.1 to ensure that the TOE can be patched and that any updates to the TOE have appropriate integrity protection.</rationale>
				<addressed-by>FPT_TUD_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FPT_TUD_EXT.2 to specify that the TOE may leverage the platform-supported package manager for application distribution and leverages platform-provided mechanisms to remove all traces of itself when removed from the platform system.</rationale>
				<addressed-by>FTP_DIT_EXT.1</addressed-by><rationale>The PP includes FTP_DIT_EXT.1 to specify that the TSF may rely on platform-provided services to implement trusted communications.</rationale>
				
				
				</threat>
			<threat name="T.PHYSICAL_ACCESS">
				<description>An attacker may try to access sensitive data at rest.</description>
				<!-- New mapping to build updated threat mapping table. -->
				<addressed-by>FCS_CKM.1/SK (optional)</addressed-by><rationale>The PP includes FCS_CKM.1/SK to define the TOE’s capability to generate symmetric keys. These keys may subsequently be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.</rationale>
				<addressed-by>FCS_RBG_EXT.2 (selection-based)</addressed-by><rationale>The PP includes FCS_RBG_EXT.2 to define the TOE’s implementation of random bit generation functionality in the event that the TOE provides this function in support of generating keys that are used for data protection.</rationale>
				<addressed-by>FCS_COP.1/KeyedHash (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/KeyedHash to define HMAC mechanisms that may be used by the TOE as part of ensuring that data at rest is protected.</rationale>
				<addressed-by>FCS_COP.1/Hash (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/Hash to define integrity mechanisms that may be used by the TOE as part of ensuring that data at rest is protected.</rationale>
				<addressed-by>FCS_COP.1/SKC (selection-based)</addressed-by><rationale>The PP includes FCS_COP.1/SKC to define the AES cryptographic algorithm that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.</rationale>
				<addressed-by>FCS_PBKDF_EXT.1 (selection-based)</addressed-by><rationale>The PP includes FCS_PBKDF_EXT.1 to define the password-based key derivation function that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.</rationale>
				<addressed-by>FCS_RBG_EXT.1</addressed-by><rationale>The PP includes FCS_RBG_EXT.1 to define whether random bit generation services are implemented by the TSF or the platform. Depending on how data at rest is protected, the TOE may rely on the use of a random bit generator to create keys that are subsequently used for data protection.</rationale>
				<addressed-by>FCS_STO_EXT.1</addressed-by><rationale>The PP includes FCS_STO_EXT.1 to define the mechanism that the TSF uses or relies upon to protect stored credential data.</rationale>
				<addressed-by>FDP_DAR_EXT.1</addressed-by><rationale>The PP includes FDP_DAR_EXT.1 to define the mechanism that the TSF uses or relies upon to protect sensitive data at rest.</rationale>
				
				</threat>
		</threats>
    </sec:Threats>
			
			
	
	<!-- 3.2 Assumptions -->
    <sec:Assumptions>
		<assumptions>
			<assumption name="A.PLATFORM">
				<description>The TOE relies upon a trustworthy computing platform with a reliable time clock for
					its execution. This includes the underlying platform and whatever runtime environment
					it provides to the TOE.</description>
				<objective-refer ref="OE.PLATFORM">
					<rationale>The operational environment objective OE.PLATFORM is realized through
						A.PLATFORM.</rationale>
				</objective-refer>
			</assumption>
			<assumption name="A.PROPER_USER">
				<description>
					The user of the application software is not willfully negligent or hostile,
					and uses the software in compliance with the applied enterprise security policy.
				</description>
				<objective-refer ref="OE.PROPER_USER">
					<rationale>The operational environment objective OE.PROPER_USER 
						is realized through A.PROPER_USER.</rationale>
				</objective-refer>
			</assumption>
			<assumption name="A.PROPER_ADMIN">
				<description>The administrator of the application software is not careless, willfully
					negligent or hostile, and administers the software in compliance with the applied
					enterprise security policy.</description>
				<objective-refer ref="OE.PROPER_ADMIN">
					<rationale>The operational environment objective OE.PROPER_ADMIN 
						is realized through A.PROPER_ADMIN.</rationale>
				</objective-refer>
			</assumption>
		</assumptions>
    </sec:Assumptions>
	
	<!-- 3.3 Organizational Security Policies -->
    <sec:Organizational_Security_Policies>
  
		<OSPs/>
   <!--     <OSP id="P.ENTERPRISE">
          <description>The configuration of the application software must be capable of adhering to
            the enterprise security policy.</description>
          <objective-refer ref="O.MANAGEMENT">
            <rationale>The organizational security policy P.ENTERPRISE is enforced through the
              objective O.MANAGEMENT as this objective represents how the enterprise and user assert
              management over the TOE.</rationale>
          </objective-refer>
        </OSP>
      </OSPs> -->
    </sec:Organizational_Security_Policies>
	
	</sec:Security_Problem_Definition>
	
	<!-- 4.0 Security Objectives -->
	<sec:Security_Objectives>

	<!-- Old 4.1 Security Objectives for the TOE - Removed -->
		
		<!-- 4.1 Security Objctives for the Operational Environment -->
    <sec:Security_Objectives_for_the_Operational_Environment>
		The following security objectives for the operational
		environment assist the TOE in correctly providing its security
		functionality. These track with the assumptions about the environment. 
		<SOEs>
			<SOE name="OE.PLATFORM">
				<description>The TOE relies upon a trustworthy computing platform for
					its execution. This includes the underlying operating system and any discrete execution 
					environment provided to the TOE.</description>
			</SOE>
			<SOE name="OE.PROPER_USER">
				<description>The user of the application software is not willfully negligent or hostile,
					and uses the software within compliance of the applied enterprise security
					policy.</description>
			</SOE>
			<SOE name="OE.PROPER_ADMIN">
				<description>The administrator of the application software is not careless, willfully
					negligent or hostile, and administers the software within compliance of the applied
					enterprise security policy.</description>
			</SOE>
		</SOEs>
    </sec:Security_Objectives_for_the_Operational_Environment>
	
	<!-- 4.2 Security Objectives Rationale -->
    <sec:Security_Objectives_Rationale/>
	
	</sec:Security_Objectives>
  
	<!-- 5.0 Security Requirements -->
	<sec:req title="Security Requirements">

	<!-- 5.1 Security Functional Requirements -->
	<sec:SFRs title="Security Functional Requirements">
	
	<!-- 5.1.1 Cryptographic Support (FCS) -->
	<section title="Cryptographic Support (FCS)" id="fcs">
	  

		<!-- FCS_CKM_EXT.1 -->
		<ext-comp-def fam-id="FCS_CKM_EXT" title="Cryptographic Key Management">
			<fam-behavior>This family defines requirements for management of cryptographic keys that are not addressed by FCS_CKM in CC Part 2.
			</fam-behavior>
		</ext-comp-def>
		
        <f-component cc-id="fcs_ckm_ext.1" name="Cryptographic Key Generation Services">
        	<comp-lev> requires the TSF to specify whether asymmetric key generation is implemented by the TSF, 
        		invoked from the operational environment, or not used by the TOE.</comp-lev>
        	<management>No specific management functions are identified.</management>
        	<audit>There are no auditable events foreseen.</audit>
        	<dependencies>
        		No dependencies.
        	</dependencies>
        	
			<f-element id="fel-asym-key-gen">
				<title>
					The application shall <selectables linebreak="yes">
						<selectable exclusive="yes">generate no asymmetric cryptographic keys</selectable>
						<selectable id="sel_invoke_genkey">invoke platform-provided functionality for asymmetric key generation</selectable>
						<selectable id="sel_impl_genkey">implement asymmetric key generation</selectable></selectables>.
				</title>
				<note role="application">If "<h:i>implement asymmetric key generation</h:i>" or 
					"<h:b>invoke platform-provided functionality for asymmetric key generation</h:b>" is selected, then
					FCS_CKM.1/AK must be claimed in the ST.
				</note>
				<aactivity level="element">
					<TSS>
						<h:p>
						The evaluator shall inspect the application and its developer documentation 
						to determine if the application needs asymmetric key generation services. If not, the 
						evaluator shall verify the <h:b>generate no asymmetric cryptographic keys</h:b> selection is present 
						in the ST. Otherwise, the evaluation activities shall be performed as stated in the 
						selection-based requirements.</h:p>
					</TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests><h:p>None.</h:p></Tests>
				</aactivity>
			</f-element>
        </f-component>

		<!-- FCS_CKM.1/AK -->
        <f-component cc-id="fcs_ckm.1" id="fcom_asym_key_gen" iteration="AK" name="Cryptographic Asymmetric Key Generation" status="sel-based">
			<depends on="sel_invoke_genkey" and="sel_impl_genkey"/>
			<f-element id="fel-asym-key-gen-impl">
				<title>            
					The <h:b>application</h:b> shall <h:b><selectables linebreak="yes">
						<selectable>invoke platform-provided functionality</selectable>
						<selectable>implement functionality</selectable></selectables></h:b>
					to generate <h:b>asymmetric</h:b> cryptographic keys in accordance with a specified cryptographic key generation algorithm
					<selectables linebreak="yes">
						<selectable><h:b>[RSA schemes]</h:b> using cryptographic key sizes of [<h:i>3072-bit or greater</h:i>] that meet
							the following: [<h:i>FIPS PUB 186-5, "Digital Signature Standard (DSS)," Appendix B.3</h:i>]</selectable>
						<selectable><h:b>[ECC schemes]</h:b> using [<h:i>“NIST curves” P-384 and <selectables>
							<selectable>P-521</selectable>
							<selectable>no other curves</selectable></selectables></h:i>] that meet the following: 
							[<h:i>FIPS PUB 186-5, “Digital Signature Standard (DSS),” Appendix B.4</h:i>]</selectable> 
						<selectable>
							<h:b>[FFC schemes]</h:b> using cryptographic key sizes of [<h:i>3072-bit or greater</h:i>] 
							that meet the following: [<h:i>FIPS PUB 186-5, “Digital Signature Standard (DSS),” Appendix B.1</h:i>]</selectable>
						<selectable><h:b>[FFC Schemes]</h:b> using [<h:i>Diffie-Hellman group 15</h:i>] that meet the following: 
							[<h:i>RFC 3526, Section 3</h:i>]</selectable>
						<selectable><h:b>[FFC Schemes]</h:b> using [<h:i>“safe-prime” groups</h:i>] 
							<selectables>
								<selectable>MODP-3072</selectable>
								<selectable>MODP-4096</selectable>
								<selectable>MODP-6144</selectable>
								<selectable>MODP-8192</selectable>
								<selectable>ffdhe3072</selectable>
								<selectable>ffdhe-4096</selectable>
								<selectable>ffdhe-6144</selectable>
								<selectable>ffdhe-8192</selectable>
							</selectables>
							that meet the following: 
							[<h:i>NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes
								Using Discrete Logarithm Cryptography” and 
							<selectables>
								<selectable>RFC 3526</selectable>
								<selectable>RFC 7919</selectable></selectables></h:i>]</selectable></selectables>.
				</title>
				<note role="application">
					<h:p>
					The ST should claim all key generation schemes used for key 
					establishment and entity authentication. When key generation is used for key 
					establishment, the schemes in FCS_CKM.2.1 and selected cryptographic protocols must 
					match the selection. When key generation is used for entity authentication, the public 
					key is expected to be associated with an X.509v3 certificate.
					</h:p><h:p>
					If the TOE acts as a receiver in the RSA key establishment scheme, 
					the TOE does not need to implement RSA key generation.
					</h:p>
				</note>
				<aactivity level="element">
					<TSS>
						<h:p>
						The evaluator shall ensure that the TSS identifies the key sizes 
						supported by the TOE. If the ST specifies more 
						than one scheme, the evaluator shall examine the TSS to verify that 
						it identifies the usage for each scheme
						</h:p><h:p>
						If the ST selects "<h:b>invoke platform-provided functionality</h:b>,"
						then the evaluator shall examine the TSS to verify that it describes 
						how the key generation functionality is invoked and that the invokation matches the algorithm and size selections for each 
						supported platform. The evaluator shall confirm the invocation of the platform is using non-depricated functions 
						provided by the platform(s).</h:p>
					</TSS>
					<Guidance> 
						<h:p>
						The evaluator shall verify that the operational guidance instructs the administrator how to 
						configure the TOE to use the selected key generation scheme(s) and 
						key size(s) for all uses defined in this PP if any configuration is required.
						</h:p>
					</Guidance>
					<Tests>
						<h:p>
						If the application selects "<h:b>implement functionality</h:b>," then the following test
						activities shall be carried out. 
						</h:p><h:p>
						Evaluation Activity Note: The following tests may require the developer to provide access 
						to a developer environment that provides the evaluator with tools that are typically available
						to end-users of the application
						</h:p><h:p>
						<h:b>Key Generation for FIPS PUB 186-5 RSA Schemes</h:b>
						</h:p><h:p>
						The evaluator shall verify the implementation of RSA Key Generation by the 
						TOE using the Key Generation test. This test verifies the ability of 
						the TSF to correctly produce values for the key components including 
						the public verification exponent e, the private prime factors p and q, the public 
						modulus n and the calculation of the private signature exponent d. Key Pair generation 
						specifies 5 ways (or methods) to generate the primes p and q. 
						These include: <h:ul>
						<h:li>Random Primes:
							<h:ul>
								<h:li>Provable primes</h:li>
								<h:li>Probable primes</h:li>
							</h:ul>
						</h:li>
						<h:li>Primes with Conditions:
							<h:ul>
								<h:li>Primes p1, p2, q1, q2, p, and q shall all be provable primes</h:li>
								<h:li>Primes p1, p2, q1, and q2 shall be provable primes, and p and q shall be 
									probable primes</h:li>
								<h:li>Primes p1, p2, q1, q2, p, and q shall all be probable primes</h:li>
							</h:ul>
						</h:li></h:ul>
						To test the key generation method for the Random Provable primes method and for all 
						the Primes with Conditions methods, the evaluator must seed the TSF 
						key generation routine with sufficient data to deterministically generate the RSA key 
						pair. This includes the random seed(s), the public exponent of the RSA key, and the 
						desired key length. For each key length supported, the evaluator shall have the 
						TSF generate 25 key pairs. The evaluator shall verify the 
						correctness of the TSF’s implementation by comparing values 
						generated by the TSF with those generated from a known good 
						implementation.
						</h:p><h:p>
						If possible, the Random Probable primes method should also be verified against a 
						known good implementation as described above. Otherwise, the evaluator shall have 
						the TSF generate 10 keys pairs for each supported key length nlen 
						and verify: <h:ul>
							<h:li>n = p&#x22c5;q,</h:li>
							<h:li>p and q are probably prime according to Miller-Rabin tests,</h:li>
							<h:li>GCD(p-1, e) = 1,</h:li>
							<h:li>GCD(q-1, e) = 1,</h:li>
							<h:li>2<h:sup>16</h:sup> &#x2264; e &#x2264; 2<h:sup>256</h:sup> and e is an odd integer,</h:li>
							<h:li>|p-q| > 2<h:sup>nlen/2 - 100</h:sup>,</h:li>
							<h:li>p &#x2265; 2<h:sup>nlen/2 -1/2</h:sup>,</h:li>
							<h:li>q &#x2265; 2<h:sup>nlen/2 -1/2</h:sup>,</h:li>
							<h:li>2<h:sup>(nlen/2)</h:sup> &lt; d &lt; LCM(p-1, q-1),</h:li>
							<h:li>e&#x22c5;d = 1 mod LCM(p-1, q-1).</h:li>
						</h:ul>
						</h:p><h:p>
						<h:b>Key Generation for Elliptic Curve Cryptography (ECC)</h:b>
						</h:p><h:p>
						<h:b>FIPS 186-5 ECC Key Generation Test</h:b> -
						For each supported NIST curve, i.e., P-256, P-384 and P-521, the evaluator shall
						require the implementation under test (IUT) to generate 10 private/public key pairs.
						The private key shall be generated using an approved random bit generator (RBG). To 
						determine correctness, the evaluator shall submit the generated key pairs to the 
						public key verification (PKV) function of a known good implementation.
						</h:p><h:p>
						<h:b>FIPS 186-5 Public Key Verification (PKV) Test</h:b> -
						For each supported NIST curve, i.e., P-384 and P-521, the evaluator shall
						generate 10 private/public key pairs using the key generation function of a known 
						good implementation and modify five of the public key values so that they are 
						incorrect, leaving five values unchanged (i.e., correct). The evaluator shall obtain 
						in response a set of 10 PASS/FAIL values.
						</h:p><h:p>
						<h:b>Key Generation for Finite-Field Cryptography (FFC)</h:b>
						</h:p><h:p>
						The evaluator shall verify the implementation of the Parameters Generation and the 
						Key Generation for FFC by the TOE using the Parameter Generation and 
						Key Generation test. This test verifies the ability of the TSF to 
						correctly produce values for the field prime p, the cryptographic prime q (dividing 
						p-1), the cryptographic group generator g, and the calculation of the private key x 
						and public key y. The Parameter generation specifies two ways (or methods) to generate 
						the cryptographic prime q and the field prime p:
						</h:p><h:p>
						Cryptographic and Field Primes:	<h:ul>
							<h:li>Primes q and p shall both be provable primes</h:li>
							<h:li>Primes q and field prime p shall both be probable primes</h:li>
						</h:ul>
						and two ways to generate the cryptographic group generator g:
						</h:p><h:p>
						Cryptographic Group Generator:
						<h:ul>
							<h:li>Generator g constructed through a verifiable process</h:li>
							<h:li>Generator g constructed through an unverifiable process.</h:li>
						</h:ul>
						The Key generation specifies 2 ways to generate the private key x:
						</h:p><h:p>
						Private Key:
						<h:ul>
							<h:li>len(q) bit output of RBG where 1 &#x2264; x &#x2264; q-1</h:li>
							<h:li>len(q) + 64 bit output of RBG, followed by a mod q-1 operation where 
								1&#x2264; x &#x2264;q-1.</h:li>
						</h:ul>
						The security strength of the RBG must be at least that of the security offered by the 
						FFC parameter set.
						To test the cryptographic and field prime generation method for the provable primes 
						method and/or the group generator g for a verifiable process, the evaluator must seed 
						the TSF parameter generation routine with sufficient data to 
						deterministically generate the parameter set.
						For each key length supported, the evaluator shall have the TSF 
						generate 25 parameter sets and key pairs. The evaluator shall verify the correctness 
						of the TSF’s implementation by comparing values generated by the 
						TSF with those generated from a known good implementation. 
						Verification must also confirm
						<h:ul>
							<h:li>g &#8800; 0,1</h:li>
							<h:li>q divides p-1</h:li>
							<h:li>g<h:sup>q</h:sup> mod p = 1</h:li>
							<h:li>g<h:sup>x</h:sup> mod p = y</h:li>
						</h:ul>
						for each FFC parameter set and key pair.
						</h:p><h:p>
						<h:b>Diffie-Hellman Group 14 and FFC Schemes using “safe-prime” groups</h:b>
						</h:p><h:p>
						Testing for FFC Schemes using Diffie-Hellman group 14 and/or safe-prime groups is done as part of testing
						in CKM.2.1.
						</h:p>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>

		<!-- FCS_CKM.1/SK (formerly FCS_CKM.1/2) -->
		<f-component cc-id="fcs_ckm.1" id="fcom_sym_key_gen" iteration="SK" name="Cryptographic Symmetric Key Generation" status="sel-based">
			<depends on="sel_aes_cbc"/>
			<depends on="sel_aes_gcm"/>
			<depends on="sel_aes_xts"/>
			<depends on="sel_aes_ccm"/>
			<depends on="sel_aes_ctr"/>
			<f-element id="fel-sym-key-gen">
				<title>
					The <h:b>application</h:b> shall 
					<selectables>
						<selectable>invoke platform-provided functionality</selectable>
						<selectable>implement functionality</selectable>
					</selectables>
					generate <h:b>symmetric</h:b> cryptographic keys <h:b>using a Random Bit
						Generator as specified in FCS_RBG_EXT.1</h:b>  and specified
					cryptographic key sizes <h:i>256-bit</h:i>
				</title>
				<note role="application">
					Symmetric keys may be used to generate keys along the key chain.</note>
				<aactivity>
					<!-- Revised <tss>The evaluator shall review the TSS to determine that it describes how the
					functionality described by FCS_RBG_EXT.1 <cite linkend="bibAppPP"/> is invoked.<br/>
					If the email client is relying on random from the host platform, the evaluator shall
					verify the TSS includes the name/manufacturer of the external RBG. If different
					external RBGs are used for different platforms, the TSS identifies each one for each
					platform. <br/>If the email client is relying on random from the host platform, the
					evaluator shall verify the TSS describes the function call and parameters used when
					calling the external DRBG function. Also, the TSS includes a short description of
					the vendor's assumption for the amount of entropy seeding the external DRBG. The
					evaluator uses the description of the RBG functionality in FCS_RBG_EXT or
					documentation available for the operational environment to determine that the key
					size being requested is identical to the key size and mode to be used for the
					encryption/decryption of the user data (<linkref linkend="FCS_COP.1(f)" />. </tss> -->
					<TSS>
						<h:p>
							The evaluator shall review the TSS to determine that it describes how the functionality described by
							FCS_RBG_EXT.1 is invoked.
						</h:p><h:p>
							If the application is relying on random bit generation from the
							host platform, the evaluator shall verify the TSS includes the
							name/manufacturer of the external RBG and describes the function call and parameters
							used when calling the external DRBG function. If different external RBGs are used
							for different platforms, the evaluator shall verify the TSS identifies each RBG for
							each platform. Also, the evaluator shall verify the TSS includes a short description
							of the vendor's assumption for the amount of entropy seeding the external DRBG. The
							evaluator uses the description of the RBG functionality in FCS_RBG_EXT or
							documentation available for the operational environment to determine that the key
							size being requested is identical to the key size and mode to be used for the
							encryption/decryption of the user data.
						</h:p>
					</TSS>
					<Guidance>
						<h:p>
							The evaluator shall verify the guidance documention contains any informance necessary to configure key sizes.
						</h:p>
					</Guidance>
					<Tests>None.</Tests>
				</aactivity>
			</f-element>
		</f-component>

		<!-- FCS_CKM.2 -->
        <f-component cc-id="fcs_ckm.2" name="Cryptographic Key Establishment" status="sel-based">
			<depends on="sel_all_tlsc"/>
        	<depends on="sel_all_tlss"/>
        	<depends on="sel_all_dtlsc"/>
        	<depends on="sel_all_dtlss"/>
			<f-element id="fel-key-est">
				<title>
					<h:p>
					The application shall 
						<selectables>
							<selectable>invoke platform-provided functionality</selectable>
							<selectable>implement functionality</selectable></selectables> 
					to perform cryptographic key establishment in accordance with a specified 
					cryptographic key establishment method:
					</h:p><h:p>
					<selectables linebreak="yes">	    
						<selectable>
							<h:b>[RSA-based key establishment schemes]</h:b> that meets the following: <h:b>[NIST 
							Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment 
							Schemes Using Integer Factorization Cryptography”]</h:b>
						</selectable>
						<selectable><h:b>[RSA-based key establishment schemes]</h:b>
							that meet the following: <h:b>RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017,
							“Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1”</h:b>
						</selectable>
						<selectable>
							<h:b>[Elliptic curve-based key establishment schemes]</h:b> that meets the 
							following: <h:b>[NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment 
							Schemes Using Discrete Logarithm Cryptography”]</h:b>
						</selectable>
						<selectable>
							<h:b>[Finite field-based key establishment schemes]</h:b> that meets the following: 
							<h:b>[NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key 
							Establishment Schemes Using Discrete Logarithm Cryptography”]</h:b>
						</selectable>
						<selectable><h:b>[Key establishment scheme using Diffie-Hellman group 14]</h:b>
							that meets the following: <h:b>RFC 3526, Section 3</h:b>
						</selectable>
						<selectable><h:b>[FFC Schemes using “safe-prime” groups]</h:b>
							that meet the following: <h:b>‘NIST Special Publication 800-56A Revision 3,
							“Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”</h:b>
							and <selectables>
								<selectable>RFC 3526</selectable>
								<selectable>RFC 7919</selectable></selectables></selectable></selectables></h:p>.
				</title>
				<note role="application">
					<h:p>
					The ST author shall select all key establishment schemes used for the selected cryptographic 
					protocols. TLS requires cipher suites that use RSA-based key establishment 
					schemes. 
					</h:p><h:p>
					The RSA-based key establishment schemes are described in Section 9 of NIST SP 800-56B; 
					however, Section 9 relies on implementation of other sections in SP 800-56B. If the TOE acts 
					as a receiver in the RSA key establishment scheme, the TOE does not need to implement 
					RSA key generation.
					</h:p><h:p>
					The elliptic curves used for the key establishment scheme shall correlate with the curves 
					specified in FCS_CKM.1.1/AK.
					</h:p><h:p>
					The domain parameters used for the finite field-based key establishment scheme are specified 
					by the key generation according to FCS_CKM.1.1/AK.
					</h:p>
				</note>
				<aactivity level="element">
					<TSS>
					<h:p>
						The evaluator shall ensure that the supported key establishment schemes correspond to the 
						key generation schemes identified in FCS_CKM.1.1/AK. If the ST specifies more than one 
						scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each 
						scheme.
					</h:p><h:p>
						If the ST selects "<h:b>invoke platform-provided functionality</h:b>,"
						then the evaluator shall examine the TSS to verify that it describes 
						how the key establishment functionality is invoked and that the invokation matches the algorithm selection for each 
						supported platform. The evaluator shall confirm the invocation of the platform is using non-depricated functions 
						provided by the platform(s).</h:p>
					</TSS>
					<Guidance> 
						<h:p>
						The evaluator shall verify that the operational guidance instructs the administrator how to configure 
						the TOE to use the selected key establishment scheme(s) if configuration is required.</h:p>  
					</Guidance>
					<Tests>
						<h:p>
						Evaluation Activity Note: The following tests require the developer to provide access to a test 
						platform that provides the evaluator with tools that are typically not found on factory 
						products.
						</h:p><h:p>
						<h:b>Key Establishment Schemes</h:b>
						The evaluator shall verify the implementation of the key establishment schemes supported by 
						the TOE using the applicable tests below.
						</h:p><h:p>
						<h:b>SP800-56A Key Establishment Schemes</h:b>
						</h:p><h:p>
						The evaluator shall verify a TOE's implementation of SP800-56A key agreement schemes 
						using the following Function and Validity tests. These validation tests for each key agreement 
						scheme verify that a TOE has implemented the components of the key agreement scheme 
						according to the specifications in the Recommendation. These components include the 
						calculation of the DLC primitives (the shared secret value Z) and the calculation of the 
						derived keying material (DKM) via the Key Derivation Function (KDF). If key confirmation 
						is supported, the evaluator shall also verify that the components of key confirmation have 
						been implemented correctly, using the test procedures described below. This includes the 
						parsing of the DKM, the generation of MACdata and the calculation of MACtag.
						</h:p><h:p>
						<h:b>Function Test</h:b>
						</h:p><h:p>
						The Function test verifies the ability of the TOE to implement the key agreement 
						schemes correctly. To conduct this test the evaluator shall generate or obtain test vectors 
						from a known good implementation of the TOE supported schemes. For each supported 
						key agreement scheme-key agreement role combination, KDF type, and if supported, 
						key confirmation role and type combination, the tester shall generate 10 
						sets of test vectors. The data set consists of one set of domain parameter values (FFC) or 
						the NIST approved curve (ECC) per 10 sets of public keys. These keys are static, 
						ephemeral or both depending on the scheme being tested.
						</h:p><h:p>
						The evaluator shall obtain the DKM, the corresponding TOE’s public keys (static and/or 
						ephemeral), the MAC tag(s), and any inputs used in the KDF, such as the Other 
						Information <h:i>(OtherInfo)</h:i> and TOE ID fields. 
						</h:p><h:p>
						If the TOE does not use a KDF defined in SP 800-56A, the evaluator shall obtain only 
						the public keys and the hashed value of the shared secret.
						</h:p><h:p>
						The evaluator shall verify the correctness of the TSF’s implementation of a given 
						scheme by using a known good implementation to calculate the shared secret value, 
						derive the keying material DKM, and compare hashes or MAC tags generated from 
						these values.
						</h:p><h:p>
						If key confirmation is supported, the TSF shall perform the above for each implemented 
						approved MAC algorithm.
						</h:p><h:p>
						<h:b>Validity Test</h:b>
						</h:p><h:p>
						The Validity test verifies the ability of the TOE to recognize another party’s valid and 
						invalid key agreement results with or without key confirmation. To conduct this test, the 
						evaluator shall obtain a list of the supporting cryptographic functions included in the 
						SP800-56A key agreement implementation to determine which errors the TOE should 
						be able to recognize. The evaluator generates a set of 24 (FFC) or 30 (ECC) test vectors 
						consisting of data sets including domain parameter values or NIST approved curves, the 
						evaluator’s public keys, the TOE’s public/private key pairs, MACTag, and any inputs 
						used in the KDF, such as the OtherInfo and TOE ID fields. 
						</h:p><h:p>
						The evaluator shall inject an error in some of the test vectors to test that the TOE 
						recognizes invalid key agreement results caused by the following fields being incorrect: 
						the shared secret value Z, the DKM, the OtherInfo field, the data to be 
						MACed, or the generated MACTag. If the TOE contains the full or partial (only ECC) 
						public key validation, the evaluator will also individually inject errors in both parties’ 
						static public keys, both parties’ ephemeral public keys and the TOE’s static private key 
						to ensure that the TOE detects errors in the public key validation function and/or the partial 
						key validation function (in ECC only). At least two of the test vectors shall remain 
						unmodified and therefore should result in valid key agreement results (they should pass).
						</h:p><h:p>
						The TOE shall use these modified test vectors to emulate the key agreement scheme 
						using the corresponding parameters. The evaluator shall compare the TOE’s results with 
						the results obtained by using a known good implementation verifying that the TOE detects these errors.
						</h:p><h:p>
						<h:b>SP800-56B Key Establishment Schemes</h:b>
						</h:p><h:p>
						The evaluator shall verify that the TSS describes whether the TOE acts as a sender, a 
						recipient, or both for RSA-based key establishment schemes. 
						</h:p><h:p>
						If the TOE acts as a sender, the following evaluation activity shall be performed to ensure the 
						proper operation of every TOE supported combination of RSA-based key establishment scheme:
						</h:p><h:p>
						<h:div class="indent">
							To conduct this test the evaluator shall generate or obtain test vectors from a known 
							good implementation of the TOE supported schemes. For each combination of 
							supported key establishment scheme and its options (with or without key confirmation 
							if supported, for each supported key confirmation MAC function if key confirmation 
							is supported, and for each supported mask generation function if KTS-OAEP is 
							supported), the tester shall generate 10 sets of test vectors. Each test vector shall 
							include the RSA public key, the plaintext keying material, any additional input 
							parameters if applicable, the MacKey and MacTag if key confirmation is 
							incorporated, and the outputted ciphertext. For each test vector, the evaluator shall 
							perform a key establishment encryption operation on the TOE with the same inputs 
							(in cases where key confirmation is incorporated, the test shall use the MacKey from 
							the test vector instead of the randomly generated MacKey used in normal operation) 
							and ensure that the outputted ciphertext is equivalent to the ciphertext in the test vector.
						</h:div></h:p><h:p>
						If the TOE acts as a receiver, the following evaluation activities shall be performed to ensure 
						the proper operation of every TOE supported combination of RSA-based key establishment scheme:
						</h:p><h:p>
						<h:div class="indent">
							To conduct this test the evaluator shall generate or obtain test vectors from a known 
							good implementation of the TOE supported schemes. For each combination of 
							supported key establishment scheme and its options (with or without key 
							confirmation if supported, for each supported key confirmation MAC function if key 
							confirmation is supported, and for each supported mask generation function if KTS-OAEP is 
							supported), the tester shall generate 10 sets of test vectors. Each test vector 
							shall include the RSA private key, the plaintext keying material (KeyData), any 
							additional input parameters if applicable, the MacTag in cases where key 
							confirmation is incorporated, and the outputted ciphertext. For each test vector, the 
							evaluator shall perform the key establishment decryption operation on the TOE and 
							ensure that the outputted plaintext keying material (KeyData) is equivalent to the 
							plaintext keying material in the test vector. In cases where key confirmation is 
							incorporated, the evaluator shall perform the key confirmation steps and ensure that 
							the outputted MacTag is equivalent to the MacTag in the test vector.
						</h:div>
						</h:p><h:p>
						The evaluator shall ensure that the TSS describes how the TOE handles decryption errors. In 
						accordance with NIST Special Publication 800-56B, the TOE must not reveal the particular 
						error that occurred, either through the contents of any outputted or logged error message or 
						through timing variations. If KTS-OAEP is supported, the evaluator shall create separate 
						contrived ciphertext values that trigger each of the three decryption error checks described in 
						NIST Special Publication 800-56B section 7.2.2.3, ensure that each decryption attempt 
						results in an error, and ensure that any outputted or logged error message is identical for each. 
						If KTS-KEM-KWS is supported, the evaluator shall create separate contrived ciphertext 
						values that trigger each of the three decryption error checks described in NIST Special 
						Publication 800-56B section 7.2.3.3, ensure that each decryption attempt results in an error, 
						and ensure that any outputted or logged error message is identical for each.
						</h:p><h:p>
						<h:b>RSA-based key establishment</h:b>
						</h:p><h:p>
						The evaluator shall verify the correctness of the TSF’s implementation of RSAES-PKCS1-v1_5 by using a
						known good implementation for each protocol selected in FTP_DIT_EXT.1 that uses RSAES-PKCS1-v1_5. 
						</h:p><h:p>
						<h:b>Diffie-Hellman Group 14</h:b>
						</h:p><h:p>
						The evaluator shall verify the correctness of the TSF’s implementation of Diffie-Hellman group 14 by using
						a known good implementation for each protocol selected in FTP_DIT_EXT.1 that uses Diffie-Hellman group 14.
						</h:p><h:p>
						<h:b>FFC Schemes using “safe-prime” groups</h:b>
						</h:p><h:p>
						The evaluator shall verify the correctness of the TSF’s implementation of safe-prime groups by using a
						known good implementation for each protocol selected in FTP_DIT_EXT.1 that uses safe-prime groups. This test
						must be performed for each safe-prime group that each protocol uses.
						</h:p>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>

<!-- 

Commenting out: the fundamental question is how to handle requirements for more general
functionality (such as these)
        <f-component cc-id="fcs_cop_ext.1" name="Encryption/Decryption Services">
          <f-element id="fel-">
            <title>The application shall <selectables linebreak="yes">
                <selectable>perform no encryption/decryption</selectable>
                <selectable>invoke platform-provided encryption/decryption functionality</selectable>
                <selectable>implement encryption/decryption functionality</selectable></selectables> .
	    </title>
            <note role="application">
			  The selection <i>invoke platform-provided encryption/decryption services</i> is to be
              chosen in cases where the application uses platform APIs to perform these operations.
              If <i>implement encryption/decryption functionality</i> is selected, then
              additional requirements from <linkref linkend="FCS_COP.1(1)"/> shall be included in
              the ST.  
            </note>
            <aactivity>
              If <b>perform no encryption/decryption</b> is selected, the evaluator shall inspect the 
			  application and its developer documentation and verify that the application needs no
              encryption/decryption services. 
			  <br/>
              If <b>implement encryption/decryption functionality</b> is selected, the evaluator shall ensure
			  that additional <linkref linkend="FCS_COP.1(1)"/> elements are included in the ST.
			  <br/>
			  If <b>invoke platform-provided encryption/decryption functionality </b> is selected, 
			  the evaluator shall examine the TSS of the
              application to verify that it describes how the platform's encryption/decryption
              functionality is invoked for each operation for which it is used by the application. 
			</aactivity>
          </f-element>
        </f-component>

        <f-component cc-id="fcs_cop_ext.2" name="Cryptographic Hashing Services">
          <f-element id="fel-">
            <title>The application shall <selectables linebreak="yes">
                <selectable>perform no cryptographic hashing</selectable>
                <selectable>invoke platform-provided cryptographic hashing</selectable>
                <selectable>implement cryptographic hashing</selectable></selectables>.
	    </title>
            <note role="application">
			  The selection <i>invoke platform-provided cryptographic hashing</i> is to be
              chosen in cases where the application uses platform APIs to perform cryptographic
              hashing. If <i>implement cryptographic hashing</i> is selected, then
              additional requirements from <linkref linkend="FCS_COP.1(2)"/> shall be included in
              the ST.
            </note>
            <aactivity>
              If <b>perform no cryptographic hashing</b> is selected, the evaluator shall inspect the 
			  application and its developer documentation and verify that the application needs no
              cryptographic hashing services. 
			  <br/>
              If <b>implement cryptographic hashing</b> is selected, the evaluator shall ensure
			  that additional <linkref linkend="FCS_COP.1(2)"/> elements are included in the ST.
			  <br/>
			  If <b>invoke platform-provided cryptographic hashing</b> is selected, 
			  the evaluator shall examine the TSS of the
              application to verify that it describes how the platform's hashing
              functionality is invoked for each operation for which it is used in the application, including
			  digest sizes used.
			</aactivity>
          </f-element>
        </f-component>

        <f-component cc-id="fcs_cop_ext.3" name="Cryptographic Signing Services">
          <f-element id="fel-">
            <title>The application shall 
			  <selectables linebreak="yes">
                <selectable>perform no cryptographic signing</selectable>
                <selectable>invoke platform-provided cryptographic signing</selectable>
                <selectable>implement cryptographic signing</selectable></selectables>.
	        </title>
            <note role="application">The selection <i>invoke platform-provided cryptographic signing</i> 
			  is to be used in cases where the application uses platform APIs to perform cryptographic
              signing. If <i>implement cryptographic signing</i> is selected, then
              additional requirements from <linkref linkend="FCS_COP.1(3)"/> shall be included in
              the ST.
            </note>
            <aactivity>
              If <b>perform no cryptographic signing</b> is selected, the evaluator shall inspect the 
			  application and its developer documentation and verify that the application needs no
              cryptographic hashing services. 
			  <br/>
              If <b>implement cryptographic signing</b> is selected, the evaluator shall ensure
			  that additional <linkref linkend="FCS_COP.1(3)"/> elements are included in the ST.
			  <br/>
			  If <b>invoke platform-provided cryptographic cryptographic signing</b> is selected, 
			  the evaluator shall examine the TSS of the
              application to verify that it describes how the platform's digital signature
              functionality is invoked for each operation for which it is used in the application, 
			  including digest sizes used.
              </aactivity>
          </f-element>
        </f-component>
-->

		<!-- FCS_COP.1/SKC (formerly FCS_COP.1/1) Symmetric-Key Cryptography -->
        <f-component cc-id="fcs_cop.1" id="fcom_crypto" iteration="SKC" name="Cryptographic Operation - Encryption/Decryption" status="sel-based">
        	<depends on="sel_all_tlsc"/>
        	<depends on="sel_all_tlss"/>
        	<depends on="sel_all_dtlsc"/>
        	<depends on="sel_all_dtlss"/>
			<depends on="sel-fcs-sto-skc"/>
			<f-element id="fel-sym-encrypt">
				<title>
					The <h:b>application</h:b> shall 
					<selectables>
						<selectable>perform</selectable>
						<selectable>invoke the platorm to perform</selectable>
					</selectables>
					 [<h:i>encryption and decryption</h:i>] in accordance with a specified 
					cryptographic algorithm  
					<selectables linebreak="yes">
						<selectable id="sel_aes_cbc">AES-CBC (as defined in NIST SP 800-38A) mode</selectable>
						<selectable id="sel_aes_gcm">AES-GCM (as defined in NIST SP 800-38D) mode</selectable>
						<selectable id="sel_aes_xts">AES-XTS (as defined in NIST SP 800-38E) mode</selectable>
						<selectable id="sel_aes_ccm">AES-CCM (as defined in NIST SP 800-38C) mode</selectable>
						<selectable id="sel_aes_ctr">AES-CTR (as defined in NIST SP 800-38A) mode</selectable></selectables>
					and cryptographic key size of <h:i>256-bits</h:i>.
				</title>
				<note role="application">
					<h:p>
					This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.</h:p>
					<h:p>
					For the selection, the ST author should choose
					the mode or modes in which AES operates.</h:p>
				</note>
				<aactivity>
					<TSS><h:p>Conditional: If AES-GCM is selected the evaluator shall verify the tag length is described and that a tag length
					at least 128 is used unless the following "Appendix C: Requirements and Guidelines for Using Short Tags" is being followed from 
					NIST SP 800-38D.</h:p></TSS>
					<Guidance> 
						<h:p>The evaluator checks the AGD documents to determine that any configuration that 
						is required to be done to configure the functionality for the required modes
						and key size is present.</h:p>
					</Guidance>
					<Tests>
						<h:p>
						The evaluator shall perform all of the following tests for each algorithm implemented by the TSF and used to
						satisfy the requirements of this PP:</h:p>
						<h:p>
							<h:b>AES-CBC Known Answer Tests</h:b></h:p>
						<h:p>
						There are four Known Answer Tests (KATs), described below. In all KATs, the plaintext, ciphertext, and IV values shall be 128-bit
						blocks. The results from each test may either be obtained by the
						evaluator directly or by supplying the inputs to the implementer
						and receiving the results in response. To determine correctness,
						the evaluator shall compare the resulting values to those obtained
						by submitting the same inputs to a known good implementation. <h:ul>
							<h:li>KAT-1. To test the encrypt functionality of AES-CBC, the
								evaluator shall supply a set of 10 plaintext values and obtain
								the ciphertext value that results from AES-CBC encryption of the
								given plaintext using a key value of all zeros and an IV of all
								zeros. Five plaintext values shall be encrypted with a 128-bit
								all-zeros key, and the other five shall be encrypted with a
								256-bit all- zeros key. To test the decrypt functionality of
								AES-CBC, the evaluator shall perform the same test as for
								encrypt, using 10 ciphertext values as input and AES-CBC
								decryption.</h:li>
							<h:li>KAT-2. To test the encrypt functionality of AES-CBC, the
								evaluator shall supply a set of 10 key values and obtain the
								ciphertext value that results from AES-CBC encryption of an
								all-zeros plaintext using the given key value and an IV of all
								zeros. Five of the keys shall be 128-bit keys, and the other five
								shall be 256-bit keys. To test the decrypt functionality of
								AES-CBC, the evaluator shall perform the same test as for
								encrypt, using an all-zero ciphertext value as input and AES-CBC
								decryption.</h:li>
							<h:li>KAT-3. To test the encrypt functionality of AES-CBC, the
								evaluator shall supply the two sets of key values described below
								and obtain the ciphertext value that results from AES encryption
								of an all-zeros plaintext using the given key value and an IV of
								all zeros. The first set of keys shall have 128 128-bit keys, and
								the second set shall have 256 256-bit keys. Key i in each set
								shall have the leftmost i bits be ones and the rightmost N-i bits
								be zeros, for i in [1,N]. To test the decrypt functionality of
								AES-CBC, the evaluator shall supply the two sets of key and
								ciphertext value pairs described below and obtain the plaintext
								value that results from AES-CBC decryption of the given
								ciphertext using the given key and an IV of all zeros. The first
								set of key/ciphertext pairs shall have 128 128-bit key/ciphertext
								pairs, and the second set of key/ciphertext pairs shall have 256
								256-bit key/ciphertext pairs. Key i in each set shall have the
								leftmost i bits be ones and the rightmost N-i bits be zeros, for
								i in [1,N]. The ciphertext value in each pair shall be the value
								that results in an all-zeros plaintext when decrypted with its
								corresponding key.</h:li>
							<h:li>KAT-4. To test the encrypt functionality of AES-CBC, the
								evaluator shall supply the set of 128 plaintext values described
								below and obtain the two ciphertext values that result from
								AES-CBC encryption of the given plaintext using a 128-bit key
								value of all zeros with an IV of all zeros and using a 256-bit
								key value of all zeros with an IV of all zeros, respectively.
								Plaintext value i in each set shall have the leftmost i bits be
								ones and the rightmost 128-i bits be zeros, for i in
								[1,128].</h:li>
						</h:ul>To test the decrypt functionality of AES-CBC, the evaluator
						shall perform the same test as for encrypt, using ciphertext values
						of the same form as the plaintext in the encrypt test as input and
						AES-CBC decryption. </h:p>
						<h:p>
							<h:b>AES-CBC Multi-Block Message Test</h:b></h:p>
						<h:p>
						The evaluator shall test the encrypt functionality by
						encrypting an i-block message where 1 &lt; i &lt;= 10. The
						evaluator shall choose a key, an IV and plaintext message of length
						i blocks and encrypt the message, using the mode to be tested, with
						the chosen key and IV. The ciphertext shall be compared to the
						result of encrypting the same plaintext message with the same key
						and IV using a known good implementation. The evaluator shall also
						test the decrypt functionality for each mode by decrypting an
						i-block message where 1 &lt; i &lt;=10. The evaluator shall choose
						a key, an IV and a ciphertext message of length i blocks and
						decrypt the message, using the mode to be tested, with the chosen
						key and IV. The plaintext shall be compared to the result of
						decrypting the same ciphertext message with the same key and IV
						using a known good implementation. 
						</h:p>
						<h:p>
						<h:b>AES-CBC Monte Carlo Tests</h:b>
						</h:p>
						<h:p>
						The evaluator shall test the encrypt functionality using a set of 200
						plaintext, IV, and key 3-tuples. 100 of these shall use 128-bit
						keys, and 100 shall use 256-bit keys. The plaintext and IV values
						shall be 128-bit blocks. For each 3-tuple, 1000 iterations shall be
						run as follows: 
						  <h:pre>
						  # Input: PT, IV, Key
						  for i = 1 to 1000:
							if i == 1:
								  CT[1] = AES-CBC-Encrypt(Key, IV, PT)
								  PT = IV
							else:
							  CT[i] = AES-CBC-Encrypt(Key, PT) 
							  PT = CT[i-1]
						  </h:pre>
						The ciphertext computed in the 1000th iteration (i.e.,
						CT[1000]) is the result for that trial. This result shall be
						compared to the result of running 1000 iterations with the same
						values using a known good implementation.
						</h:p>
						<h:p>
						The evaluator shall test the decrypt functionality using the
						same test as for encrypt, exchanging CT and PT and replacing
						AES-CBC-Encrypt with AES-CBC-Decrypt. </h:p>
						<h:p>
							<h:b>AES-GCM Monte Carlo Tests</h:b></h:p>
						<h:p>
						The evaluator shall test the authenticated encrypt
						functionality of AES-GCM for each combination of the following
						input parameter lengths: <h:ul>
							<h:li>128-bit and 256-bit keys</h:li>
							<h:li>Two plaintext lengths. One of the plaintext lengths shall be
								a non-zero integer multiple of 128 bits, if
								supported. The other plaintext length shall not be an integer
								multiple of 128 bits, if supported.</h:li>
							<h:li>Three AAD lengths. One AAD length shall be 0, if supported.
								One AAD length shall be a non-zero integer
								multiple of 128 bits, if supported. One AAD length shall not be
								an integer multiple of 128 bits, if supported.</h:li>
							<h:li>Two IV lengths. If 96 bit IV is supported, 96 bits shall be
								one of the two IV lengths tested.</h:li>
						</h:ul>The evaluator shall test the encrypt functionality using a set
						of 10 key, plaintext, AAD, and IV tuples for each combination of
						parameter lengths above and obtain the ciphertext value and tag
						that results from AES-GCM authenticated encrypt. Each supported tag
						length shall be tested at least once per set of 10. The IV value
						may be supplied by the evaluator or the implementation being
						tested, as long as it is known. </h:p>
						<h:p>
						The evaluator shall test the decrypt functionality using a
						set of 10 key, ciphertext, tag, AAD, and IV 5-tuples for each
						combination of parameter lengths above and obtain a Pass/Fail
						result on authentication and the decrypted plaintext if Pass. The
						set shall include five tuples that Pass and five that Fail.
						</h:p><h:p>
						The results from each test may either be obtained by the
						evaluator directly or by supplying the inputs to the implementer
						and receiving the results in response. To determine correctness,
						the evaluator shall compare the resulting values to those obtained
						by submitting the same inputs to a known good
						implementation.</h:p>
						<h:p>
							<h:b>AES-XTS Tests</h:b></h:p>
						<h:p>
						The evaluator shall test the encrypt functionality of XTS-AES for each combination
						of the following input parameter lengths:</h:p>
						<h:p>
						256-bit (for AES-128) and 512 bit (for AES-256) keys
						</h:p>
						<h:p>
						Three data unit (i.e., plaintext) lengths. One of the data unit lengths shall be a
						non-zero integer multiple of 128 bits, if supported. One of the data unit lengths
						shall be an integer multiple of 128 bits, if supported. The third data unit length
						shall be either the longest supported data unit length or 216 bits, whichever is
						smaller.</h:p>
						<h:p>
						Using a set of 100 (key, plaintext and 128-bit random tweak value) 3-tuples, the evaluator shall
						obtain the ciphertext that results from XTS-AES encrypt.</h:p>
						<h:p>
						The evaluator may supply a data unit sequence number instead of the tweak value if
						the implementation supports it. The data unit sequence number is a base-10 number
						ranging between 0 and 255 that implementations convert to a tweak value internally.</h:p>
						<h:p>
						The evaluator shall test the decrypt functionality of XTS-AES using the same test as
						for encrypt, replacing plaintext values with ciphertext values and XTS-AES encrypt
						with XTS-AES decrypt.</h:p>
						<h:p>
							<h:b>AES-CCM Tests</h:b></h:p>
						<h:p>
						It is not recommended that evaluators use values obtained from static sources such as
						http://csrc.nist.gov/groups/STM/cavp/documents/mac/ccmtestvectors.zip or use values not generated expressly
						to exercise the AES-CCM implementation.</h:p>
						<h:p>
						The evaluator shall test the generation-encryption and decryption-verification functionality of AES-CCM for
						the following input parameter and tag lengths:<h:ul>
							<h:li>Keys: All supported and selected key sizes (e.g., 128, 256 bits).</h:li>
							<h:li>Associated Data: Two or three values for associated data length: The minimum (≥ 0 bytes) and 
								maximum (≤ 32 bytes) supported associated data lengths, and 2^16 (65536) bytes, if supported.</h:li>
							<h:li>Payload: Two values for payload length: The minimum (≥ 0 bytes) and maximum (≤ 32 bytes) supported 
								payload lengths.</h:li>
							<h:li>Nonces: All supported nonce lengths (7, 8, 9, 10, 11, 12, 13) in bytes.</h:li>
							<h:li>Tag: All supported tag lengths (4, 6, 8, 10, 12, 14, 16) in bytes.</h:li>
						</h:ul>
						The testing for CCM consists of five tests. To determine correctness in each of the below tests, the evaluator
						shall compare the ciphertext with the result of encryption of the same inputs with a known good implementation.</h:p>
						<h:p>
							<h:b>Variable Associated Data Test</h:b></h:p>
						<h:p>
						For each supported key size and associated data length, and any supported payload length, nonce length, and tag 
						length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload 
						values, and obtain the resulting ciphertext.</h:p>
						<h:p>
							<h:b>Variable Payload Test</h:b></h:p>
						<h:p>
						For each supported key size and payload length, and any supported associated data length, nonce length, and tag 
						length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload 
						values, and obtain the resulting ciphertext.</h:p>
						<h:p>
							<h:b>Variable Nonce Test</h:b></h:p>
						<h:p>
						For each supported key size and nonce length, and any supported associated data length, payload length, and tag 
						length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload
						values, and obtain the resulting ciphertext.</h:p>
						<h:p>
							<h:b>Variable Tag Test</h:b></h:p>
						<h:p>
						For each supported key size and tag length, and any supported associated data length, payload length, and nonce 
						length, the evaluator shall supply one key value, one nonce value, and 10 pairs of associated data and payload 
						values, and obtain the resulting ciphertext.</h:p>
						<h:p>
							<h:b>Decryption-Verification Process Test</h:b></h:p>
						<h:p>
						To test the decryption-verification functionality of AES-CCM, for each combination of supported associated data
						length, payload length, nonce length, and tag length, the evaluator shall supply a key value and 15 sets of input 
						plus ciphertext, and obtain the decrypted payload. Ten of the 15 input sets supplied should fail verification and
						five should pass.</h:p>
						<h:p>
							<h:b>AES-CTR Tests</h:b></h:p>
						<h:p>
							<h:b><h:i>Test 1: Known Answer Tests (KATs)</h:i></h:b></h:p>
						<h:p>
						There are four Known Answer Tests (KATs) described below. For all KATs, the plaintext, IV, and ciphertext values 
						shall be 128-bit blocks. The results from each test may either be obtained by the validator directly or by
						supplying the inputs to the implementer and receiving the results in response. To determine correctness, the 
						evaluator shall compare the resulting values to those obtained by submitting the same inputs to a known good
						implementation.
						<h:ul>
						<h:li>KAT-1. To test the encrypt functionality, the evaluator shall supply a set of 10 plaintext values and obtain the
						ciphertext value that results from encryption of the given plaintext using a key value of all zeros and an IV of
						all zeros. Five plaintext values shall be encrypted with a 128-bit all zeros key, and the other five shall be 
						encrypted with a 256-bit all zeros key. To test the decrypt functionality, the evaluator shall perform the same 
						test as for encrypt, using 10 ciphertext values as input.</h:li>
					    <h:li>KAT-2. To test the encrypt functionality, the evaluator shall supply a set of 10 key values and obtain the ciphertext 
						value that results from encryption of an all zeros plaintext using the given key value and an IV of all zeros.
						Five of the key values shall be 128-bit keys, and the other five shall be 256-bit keys. To test the decrypt 
						functionality, the evaluator shall perform the same test as for encrypt, using an all zero ciphertext value as 
						input.</h:li>
						<h:li>KAT-3. To test the encrypt functionality, the evaluator shall supply the two sets of key values described below and 
						obtain the ciphertext values that result from AES encryption of an all zeros plaintext using the given key values
						an an IV of all zeros. The first set of keys shall have 128 128-bit keys, and the second shall have 256 256-bit 
						keys. Key_i in each set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros, for i
						in [1, N]. To test the decrypt functionality, the evaluator shall supply the two sets of key and ciphertext
						value pairs described below and obtain the plaintext value that results from decryption of the given ciphertext
						using the given key values and an IV of all zeros. The first set of key/ciphertext pairs shall have 128 128-bit
						key/ciphertext pairs, and the second set of key/ciphertext pairs shall have 256 256-bit pairs. Key_i in each
						set shall have the leftmost i bits be ones and the rightmost N-i bits be zeros for i in [1, N]. The ciphertext
						value in each pair shall be the value that results in an all zeros plaintext when decrypted with its corresponding
						key.</h:li>
						<h:li>KAT-4. To test the encrypt functionality, the evaluator shall supply the set of 128 plaintext values described below and 
						obtain the two ciphertext values that result from encryption of the given plaintext using a 128-bit key value of 
						all zeros and using a 256-bit key value of all zeros, respectively, and an IV of all zeros. Plaintext value i in
						each set shall have the leftmost bits be ones and the rightmost 128-i bits be zeros, for i in [1, 128]. To test
						the decrypt functionality, the evaluator shall perform the same test as for encrypt, using ciphertext values of
						the same form as the plaintext in the encrypt test as input.
						</h:li>
						</h:ul>
						</h:p>
						<h:p>
						<h:b><h:i>Test 2: Multi-Block Message Test</h:i></h:b></h:p>
						<h:p>
						The evaluator shall test the encrypt functionality by encrypting an i-block message where 1 less-than i 
						less-than-or-equal to 10. For each i the evaluator shall choose a key, IV, and plaintext message of length i 
						blocks and encrypt the message, using the mode to be tested, with the chosen key. The ciphertext shall be compared 
						to the result of encrypting the same plaintext message with the same key and IV using a known good implementation.
						The evaluator shall also test the decrypt functionality by decrypting an i-block message where 1 less-than i 
						less-than-or-equal to 10. For each i the evaluator shall choose a key and a ciphertext message of length i blocks 
						and decrypt the message, using the mode to be tested, with the chosen key. The plaintext shall be compared to the
						result of decrypting the same ciphertext message with the same key using a known good implementation.</h:p>
						<h:p>
						<h:b><h:i>Test 3: Monte-Carlo Test</h:i></h:b></h:p>
						<h:p>
						For AES-CTR mode, perform the Monte Carlo Test for ECB Mode on the encryption engine of the counter mode
						implementation. There is no need to test the decryption engine.</h:p>
						<h:p>
						The evaluator shall test the encrypt functionality using 200 plaintext/key pairs. 100 of these shall use 128-bit 
						keys, and 100 of these shall use 256-bit keys. The plaintext values shall be 128-bit blocks. For each pair, 
						1000 iterations shall be run as follows:</h:p>
							<h:p>
						<h:code>
							For AES-ECB mode
							   # Input: PT, Key              
							   for i = 1 to 1000:
								  CT[i] = AES-ECB-Encrypt(Key, PT)
								  PT = CT[i]
						</h:code></h:p>
							<h:p>
						The ciphertext computed in the 1000th iteration is the result for that trial. This result shall be compared to
						the result of running 1000 iterations with the same values using a known good implementation.</h:p>
					
					</Tests>
				</aactivity>
			</f-element>
        </f-component> 
		
	    <!-- FCS_COP.1/Hash (former;y FCS_COP.1/2) -->
        <f-component cc-id="fcs_cop.1" id="fcom_hash" iteration="Hash" name="Cryptographic Operation - Hashing" status="sel-based">
        	<depends on="sel_all_tlsc"/>
        	<depends on="sel_all_tlss"/>
        	<depends on="sel_all_dtlsc"/>
        	<depends on="sel_all_dtlss"/>
			<f-element id="fel-crypt-hash">
				<title>
					The <h:b>application</h:b> shall perform [<h:i>cryptographic hashing services</h:i>] in accordance with a specified 
					cryptographic algorithm 
					<selectables linebreak="yes">
						<selectable>SHA-256</selectable>
						<selectable>SHA-384</selectable>
						<selectable>SHA-512</selectable></selectables>
					and <h:b>message digest</h:b> sizes <selectables linebreak="yes">
						<selectable>256</selectable>
						<selectable>384</selectable>
						<selectable>512</selectable></selectables> 
					<h:b>bits</h:b> that meet the following: [<h:i>FIPS Pub 180-4, "Secure Hash Standard"</h:i>].
				</title>
				<note role="application">
				<h:p>
					This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.
				</h:p>><h:p>
					The intent of this requirement is to specify the hashing function. The hash selection must
					support the message digest size selection. 
				</h:p>
				</note>
				<aactivity>
					<TSS>
						<h:p>
						The evaluator shall check that the association of the hash function with other
						application cryptographic functions (for example, the digital signature verification
						function) is documented in the TSS.</h:p>
					</TSS>
					<Guidance>
					<h:p>
						The evaluator shall verify the guidance documentation contains any information required for configuring the algorithm or size.
					</h:p></Guidance>
					<Tests>
						<h:p>
						The TSF hashing functions can be implemented in one of two 
						modes. The first mode is the byte-oriented mode. In this mode the TSF 
						hashes only messages that are an integral number of bytes in length; i.e., the length 
						(in bits) of the message to be hashed is divisible by 8. The second mode is the 
						bit-oriented mode. In this mode the TSF hashes messages of arbitrary 
						length. As there are different tests for each mode, an indication is given in the 
						following sections for the bit-oriented vs. the byte-oriented test MACs. The evaluator 
						shall perform all of the following tests for each hash algorithm implemented by the 
						TSF and used to satisfy the requirements of this PP.
						</h:p><h:p>
						The following tests require the developer to provide access to a test application
						that provides the evaluator with tools that are typically not found in the production application.
						</h:p>
						<testlist>
							<test>Short Messages Test - Bit-oriented Mode. The evaluators devise an input set
								consisting of m+1 messages, where m is the block length of the hash algorithm. The
								length of the messages range sequentially from 0 to m bits. The message text shall
								be pseudorandomly generated. The evaluators compute the message digest for each of
								the messages and ensure that the correct result is produced when the messages are
								provided to the TSF. </test>
							<test>Short Messages Test - Byte-oriented Mode. The evaluators devise an input set
								consisting of m/8+1 messages, where m is the block length of the hash algorithm.
								The length of the messages range sequentially from 0 to m/8 bytes, with each
								message being an integral number of bytes. The message text shall be
								pseudorandomly generated. The evaluators compute the message digest for each of
								the messages and ensure that the correct result is produced when the messages are
								provided to the TSF. </test>
							<test>Selected Long Messages Test - Bit-oriented Mode. The evaluators devise an input
								set consisting of m messages, where m is the block length of the hash algorithm.
								The length of the ith message is 512 + 99*i, where 1 ≤ i ≤ m. The message text
								shall be pseudorandomly generated. The evaluators compute the message digest for
								each of the messages and ensure that the correct result is produced when the
								messages are provided to the TSF. </test>
							<test>Selected Long Messages Test - Byte-oriented Mode. The evaluators devise an
								input set consisting of m/8 messages, where m is the block length of the hash
								algorithm. The length of the ith message is 512 + 8*99*i, where 1 ≤ i ≤ m/8. The
								message text shall be pseudorandomly generated. The evaluators compute the message
								digest for each of the messages and ensure that the correct result is produced
								when the messages are provided to the TSF. </test>
							<test>Pseudorandomly Generated Messages Test. This test is for byte-oriented
								implementations only. The evaluators randomly generate a seed that is n bits long,
								where n is the length of the message digest produced by the hash function to be
								tested. The evaluators then formulate a set of 100 messages and associated digests
								by following the algorithm provided in Figure 1 of [SHAVS]. The evaluators then
								ensure that the correct result is produced when the messages are provided to the
								TSF. </test>
						</testlist>
					</Tests>
				</aactivity>
			</f-element>
        </f-component> 
	      
	      
	    <!-- FCS_COP.1/KeyedHash (formerly FCS_COP.1/4) -->
        <f-component cc-id="fcs_cop.1" id="fcom_key_hash" iteration="KeyedHash" name="Cryptographic Operation - Keyed-Hash Message Authentication" status="sel-based">
        	<depends on="sel_all_tlsc"/>
        	<depends on="sel_all_tlss"/>
        	<depends on="sel_all_dtlsc"/>
        	<depends on="sel_all_dtlss"/>
			<f-element id="fel-keyed-hash">
				<title>The <h:b>application</h:b> shall perform [<h:i>keyed-hash message authentication</h:i>] in accordance with a 
					specified cryptographic algorithm <selectables linebreak="yes">
						<selectable>HMAC-SHA-256</selectable>
						<selectable>HMAC-SHA-384</selectable>
						<selectable>HMAC-SHA-512</selectable></selectables> 
					<h:b>with</h:b> key sizes <assignable>key size (in bits) used in HMAC</assignable> 
					<h:b>and message digest sizes</h:b> <selectables>
						<selectable>256</selectable>
						<selectable>384</selectable>
						<selectable>512</selectable></selectables> <h:b>bits</h:b>
					that meet the following: [<h:i>FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code,"
					and FIPS Pub 180-4, "Secure Hash Standard"</h:i>].
				</title>
				<note role="application">
				<h:p>
					This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.
				</h:p><h:p>
					The intent of this requirement is to specify the keyed-hash
					message authentication function used for key
					establishment purposes for the various cryptographic protocols
					used by the application (e.g., trusted channel). The hash selection must
					support the message digest size selection. 
				</h:p>
				</note>
				<aactivity>
					The evaluator shall perform the following activities based on the selections in the ST.
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evalutator shall verify the guidance documentation contains any infomration required for configuring the algorithm or size.</h:p></Guidance>
					<Tests>
						For each of the supported parameter sets, the evaluator shall compose 15 sets of test data.
						Each set shall consist of a key and message data.  The evaluator shall have the TSF generate
						HMAC tags for these sets of test data.  The resulting MAC tags shall be compared to the 
						result of generating HMAC tags with the same key and IV using a known-good implementation.
					</Tests>
				</aactivity>
			</f-element>
        </f-component> 

	    <!-- FCS_COP.1/Sig (formerly FCS_COP.1/3) -->
        <f-component cc-id="fcs_cop.1" id="fcom_sign" iteration="Sig" name="Cryptographic Operation - Signing"  status="sel-based">
        	<depends on="sel_all_tlsc"/>
        	<depends on="sel_all_tlss"/>
        	<depends on="sel_all_dtlsc"/>
        	<depends on="sel_all_dtlss"/>
			<f-element id="fel-sign">
				<title>
					The <h:b>application</h:b> shall perform [<h:i>cryptographic signature services (generation and
					verification)</h:i>] in accordance with a specified cryptographic algorithm 
					<selectables linebreak="yes">
						<selectable><h:b>RSA schemes</h:b> using cryptographic key sizes of [3072-bit or greater] that meet the 
							following: [FIPS PUB 186-5, “Digital Signature Standard (DSS),” Section 5]</selectable>
						<selectable><h:b>ECDSA schemes</h:b> using [“NIST curves” P-384 and 
							<selectables>
							<selectable>P-521</selectable>
							<selectable exclusive="yes">no other curves</selectable>
							</selectables>]
						that meet the following: [FIPS PUB 186-5, “Digital Signature Standard (DSS),” Section 6]</selectable>
					</selectables>.
				</title>
				<note role="application">
					<h:p>
					This is dependent on implementing cryptographic functionality, as in FTP_DIT_EXT.1.
					</h:p><h:p>
					The ST author should choose the algorithm implemented to perform
					digital signatures; if more than one algorithm is available, this requirement should be iterated
					to specify the functionality. For the algorithm chosen, the ST author should make the
					appropriate assignments/selections to specify the parameters that are implemented for that
					algorithm.
					</h:p>
				</note>
				<aactivity>
					The evaluator shall perform the following activities based on the selections in the ST.
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documentation contains any information required for configuring the algorithm or size.</h:p></Guidance>
					<Tests>
					<h:p>The following tests require the developer to provide access to a test application
						that provides the evaluator with tools that are typically not found in the production
						application. 
					</h:p><h:p>
						ECDSA Algorithm Tests
					</h:p>
						<testlist>
							<test>ECDSA FIPS 186-5 Signature Generation Test. For each
								supported NIST curve (i.e., P-256, P-384 and P-521) and SHA function pair, the
								evaluator shall generate 10 1024-bit long messages and obtain for each message a
								public key and the resulting signature values R and S. To determine correctness,
								the evaluator shall use the signature verification function of a known good
								implementation. 
							</test>
							<test>
								ECDSA FIPS 186-5 Signature Verification Test. For each supported
								NIST curve (i.e., P-384 and P-521) and SHA function pair, the evaluator
								shall generate a set of 10 1024-bit message, public key and signature tuples and
								modify one of the values (message, public key or signature) in five of the 10
								tuples. The evaluator shall obtain in response a set of 10 PASS/FAIL values.
							</test>
						</testlist>
						RSA Signature Algorithm Tests
						<testlist>
							<test>Signature Generation Test. The evaluator shall
								verify the implementation of RSA Signature Generation by the TOE
								using the Signature Generation Test. To conduct this test the evaluator must 
								generate or obtain 10 messages from a trusted reference implementation for each 
								modulus size/SHA combination supported by the TSF. The evaluator 
								shall have the TOE use their private key and modulus value to 
								sign these messages. The evaluator shall verify the correctness of the 
								TSF’s signature using a known good implementation and the 
								associated public keys to verify the signatures.
							</test>
							<test>Signature Verification Test. The 
								evaluator shall perform the Signature Verification test to verify the ability of 
								the TOE to recognize another party’s valid and invalid 
								signatures. The evaluator shall inject errors into the test vectors produced 
								during the Signature Verification Test by introducing errors in some of the public 
								keys, e, messages, IR format, and/or signatures. The TOE attempts 
								to verify the signatures and returns success or failure.
							</test>
						</testlist>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
		
        <ext-comp-def fam-id="FCS_HTTPS_EXT" title="HTTPS Protocol">
          <fam-behavior>This family defines requirements for implementation of the HTTPS protocol.</fam-behavior>
        </ext-comp-def>
		<!-- invisble SFR for the purpose of having an un-iterated copy of FCS_HTTPS_EXT.1 in the ECD -->
		<f-component cc-id="fcs_https_ext.1" name="HTTPS Protocol" status="invisible">
			
			<comp-lev> defines the capability of the TOE to implement HTTPS.</comp-lev>
			<management>No specific management functions are identified.</management>
			<audit>There are no auditable events foreseen.</audit>
			<dependencies>
				FCS_TLS_EXT.1 TLS Protocol<h:br/>
				FIA_X509_EXT.1 X.509 Certificate Validation
			</dependencies>
		
			
			<f-element id="fel-https-wath">
				<title>
					The application shall implement the HTTPS protocol that complies with RFC 2818.
				</title>
			</f-element>
			<f-element id="fel-https-howl">
				<title>The application shall implement HTTPS using TLS as defined in the Functional Package for TLS.</title>
			</f-element>
			<f-element id="fel-https-who-cl">
				<title> The application shall 
					<assignable>take some action in result to being presented an invalid peer certificate</assignable>.
				</title>
				<aactivity>
					<no-tests></no-tests>
				</aactivity>
			</f-element>
		</f-component>
		
	<!-- FCS_HTTPS_EXT.1/Client -->
	<!-- Added by TD0601 -->
	<f-component cc-id="fcs_https_ext.1" name="HTTPS Protocol" iteration="Client" status="sel-based">
	  <depends on-se1="sel_all_https_cl"/>

			<f-element id="fel-https-wath-cl">
				<title>
					The application shall implement the HTTPS protocol <h:b>as a client</h:b> that complies with RFC 2818.
				</title>
				<aactivity level="element">
					<TSS>
						<h:p>
						The evaluator shall examine the TSS and determine that enough detail is provided to
						explain how the implementation complies with RFC 2818.</h:p>
					</TSS>
					<Guidance>
						<h:p>
						The evaluator shall verify the guidance documentation contains any information necessary to configure 
						HTTPs as a client in alignment with RFC 2818.</h:p>
					</Guidance>
					<Tests>
						The evaluator shall attempt to establish an HTTPS connection with a web server, 
						observe the traffic with a packet analyzer, and verify that the connection succeeds 
						and that the traffic is identified as TLS or HTTPS.
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-https-how-cl">
				<title>The application shall implement HTTPS using TLS as defined in the Functional Package for TLS.</title>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>Other tests are performed in conjunction with the TLS package.</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-https-who-cl">
				<title> The application shall 
					<selectables onlyone="yes">
						<selectable>not establish the application-initiated connection</selectable>
						<selectable>notify the user and not establish the user-initiated connection</selectable>
						<selectable>notify the user and request authorization to establish the user-initiated connection</selectable></selectables>
					if the peer certificate is deemed invalid.
				</title>
				<ext-comp-def-title>
				  <title>
				    The application shall
				    <assignable>take some action</assignable>
				    if the peer certificate is deemed invalid.
				</title>				  
				</ext-comp-def-title>
				<note role="application">
					Validity is determined by the certificate path, the expiration date, and the 
					revocation status in accordance with RFC 5280. 
				</note>
				<aactivity level="element">
					<TSS><h:p>The evaluator shall verify the TSS describes the supported options for responding to invalid certificates 
						when acting as a client and verify that description matches the selections.</h:p></TSS>
					<Guidance><h:p>The validator shall confirm the guidance documentation contains any information required for configuring the 
						response to an invalid certificate.</h:p></Guidance>
					<Tests>
						Certificate validity shall be tested in accordance with testing performed for 
						FIA_X509_EXT.1, and the evaluator shall perform the following test:
						<testlist>
							<test>
							The evaluator shall demonstrate that using a certificate without a valid 
							certification path results in the selected action in the SFR. If "notify the user" 
							is selected in the SFR, then the evaluator shall also determine that the user
							is notified of the certificate validation failure. Using the administrative
							guidance, the evaluator shall then load a certificate or certificates to the 
							Trust Anchor Database needed to validate the certificate to be used in the
							function, and demonstrate that the function succeeds. The evaluator then shall
							delete one of the certificates, and show that again, using a certificate
							without a valid certification path results in the selected action in the SFR,
							and if "notify the user" was selected in the SFR, the user is notified of the 
							validation failure.
							</test>
						</testlist>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>

		<!-- FCS_HTTPS_EXT.1/Server -->
		<!-- Added by TD0601 -->
        <f-component cc-id="fcs_https_ext.1" name="HTTPS Protocol" iteration="Server" status="sel-based">
			<depends on1="sel_all_https_sv"/>
			<depends on1="sel_all_https_ma"/>
			<f-element id="fel-https-wath-sv">
				<title>
					The application shall implement the HTTPS protocol <h:b>as a server</h:b> that complies with RFC 2818.
				</title>
				<aactivity level="element">
					<TSS>
					<h:p>
						The evaluator shall examine the ST and determine that enough detail is provided to
						explain how the implementation complies with RFC 2818.</h:p>
					</TSS>
					<Guidance>
					<h:p>The evaluator shall confirm the guidance documentation contains any information necessary for configuring HTTPs as a server in alignment with RFC 2818.</h:p>
					</Guidance>
					<Tests>
						The evaluator shall attempt to establish an HTTPS connection to the TOE using a 
						client, observe the traffic with a packet analyzer, and verify that the connection
						succeeds and that the traffic is identified as TLS or HTTPS.
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-https-how-sv">
				<title>The application shall implement HTTPS using TLS as defined in the Functional Package for TLS.</title>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>Other tests are performed in conjunction with the TLS package.</Tests>
				</aactivity>
			</f-element>
        	<f-element id="fel-https-bad-cert">
        		<title>
        			The application shall <selectables>
        				<selectable>not establish the connection</selectable>
        				<selectable>establish or not establish the connection based on an administrative or user setting</selectable></selectables> 
        			if the peer certificate is deemed invalid.
        		</title>
        		<aactivity level="element">
        			<TSS>The evalutator shall confirm the ST describes how the application responds to an invalid certificate when acting as a server and verify the description matches the selection.</TSS>
        			<Guidance>The evaluator shall verify the guidance documentation contains any information necessary to configure the response to an invalid
        				certificates.</Guidance>
        			<Tests>
        				Other tests are performed in conjunction with the TLS Functional Package, 
        				FCS_HTTPS_EXT.2 (dependent on selections in FTP_DIT_EXT.1), and FIA_X509_EXT.1.
        			</Tests>
        		</aactivity>
        	</f-element>
        </f-component>

	<!-- FCS_HTTPS_EXT.2 HTTPS Protocol with Mutual Authentication -->
	<!-- Added by TD0601 -->
	<f-component cc-id="fcs_https_ext.2" name="HTTPS Protocol with Mutual Authentication" status="sel-based">
	  <depends on1="sel_all_https_ma"/>


		<comp-lev> defines HTTPS capabilities relating specifically to the case where the TOE acts as an HTTPS server 
			that enforces mutual authentication.</comp-lev>
		<management>No specific management functions are identified.</management>
		<audit>There are no auditable events foreseen.</audit>
		<dependencies>
			FIA_X509_EXT.1 X.509 Certificate Validation
		</dependencies>
		

			<f-element id="fel-https-wath-m">
				<title>
					The application shall 
					<selectables>
						<selectable>not establish the connection</selectable>
						<selectable>establish or not establish the connection based on an administrative or user setting</selectable></selectables>
					if the peer certificate is deemed invalid.
				</title>
				<note role="application">
					 Validity is determined by the certificate path, the expiration date, and the 
					 revocation status in accordance with RFC 5280.
				</note>
				<aactivity level="element">
					<TSS><h:p>The evaluator shall verify the ST contains a description of how invalid peer certificates are responded to and that it matches the selections.</h:p></TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documentation contains any information necessary to configure the response to invalid peer certificates.</h:p></Guidance>
					<Tests>
						Certificate validity shall be tested in accordance with testing performed for 
						FIA_X509_EXT.1, and the evaluator shall perform the following test:
						<testlist>
							<test> The evaluator shall demonstrate that using a certificate without a 
							valid certification path results in the selected action in the SFR. Using the 
							administrative guidance, the evaluator shall then load a certificate or 
							certificates to the Trust Anchor Database needed to validate the certificate 
							to be used in the function, and demonstrate that the function succeeds. The
							evaluator then shall delete one of the certificates, and show that again,
							using a certificate without a valid certification path results in the selected 
							action in the SFR.</test>
						</testlist>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>



        <ext-comp-def fam-id="FCS_RBG_EXT" title="Random Bit Generation">
          <fam-behavior>This family defines requirements for the generation of random bits.</fam-behavior>
        </ext-comp-def>

	
	
	<!-- FCS_RBG_EXT.1  -->
	<!-- TD416 incorporated -->
	<!-- TD510 incorporated -->
	<f-component cc-id="fcs_rbg_ext.1" name="Random Bit Generation Services">
	  
		<comp-lev> requires the TSF to specify whether random bit generation is implemented by the TSF, 
			invoked from the operational environment, or not used by the TOE.</comp-lev>
		<management>No specific management functions are identified.</management>
		<audit>There are no auditable events foreseen.</audit>
		<dependencies>
			No dependencies.
		</dependencies>

			<f-element id="fel-rbg">
				<title> The application shall
					<selectables linebreak="yes">
						<selectable exclusive="yes">use no DRBG functionality</selectable>
						<selectable>invoke platform-provided DRBG functionality</selectable>
						<selectable id="drbg">implement DRBG functionality</selectable></selectables> for its cryptographic operations. 
				</title>
				<note role="application"> 
				<h:p>
					The selection "<h:b>invoke platform-provided DRBG functionality</h:b>"
					should only be chosen for direct invocations of the platform DRBG, calls to platform protocols
					that may then call the platform's DRBG are not directly using DRBG functionality  and should
					select "<h:b>use no DRBG functionality</h:b>." 
					</h:p><h:p>
					If "<h:b>implement DRBG functionality</h:b>" is selected, then additional FCS_RBG_EXT.2
					elements shall be included in the ST.
					</h:p><h:p>
					In this requirement, cryptographic operations include all cryptographic key generation/derivation/agreement, IVs (for
					certain modes), as well as protocol-specific random values. Cryptographic operations in this requirement refer to
					the other cryptographic requirements in this PP, not additional functionality that is not in scope.
					</h:p>
				</note>
				<aactivity>
					<TSS>
					<h:p>
						If "<h:b>use no DRBG functionality</h:b>" is selected, the evaluator shall inspect the application 
						and its developer documentation and verify that the application needs no random bit generation services. 
					</h:p><h:p>
						If "<h:b>implement DRBG functionality</h:b>" is selected, the evaluator shall ensure
						that additional FCS_RBG_EXT.2 elements are included in the ST.
					</h:p><h:p>
						If "<h:b>invoke platform-provided DRBG functionality</h:b>" is selected, the evaluator 
						performs the following activities.  The evaluator shall examine 
						the TSS to confirm that it identifies all functions (as described by the
						SFRs included in the ST) that obtain random numbers from the platform RBG.  The evaluator 
						shall determine that for each of these functions, the TSS states which 
						platform interface (API) is used to obtain the random numbers.  The evaluator shall confirm 
						that each of these interfaces corresponds to the acceptable interfaces listed for each platform 
						below.
					</h:p><h:p>
						It should be noted that there is no expectation that the evaluators attempt to confirm 
						that the APIs are being used correctly for the functions identified in the TSS; 
						the activity is to list the used APIs and then do an existence check via decompilation.
						</h:p>
					</TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documentation contains any information required for configuring the DRBG.</h:p></Guidance>
					<Tests>
						<h:p>
						If "<h:b>invoke platform-provided DRBG functionality</h:b>" is selected, the following tests shall be performed:
						</h:p><h:p>
						The evaluator shall decompile the application binary using a decompiler 
						suitable for the application (TOE).  The evaluator shall search the output of the 
						decompiler to determine that, for each API listed in the TSS, that API 
						appears in the output.  If the representation of the API does not correspond directly to 
						the strings in the following list, the evaluator shall provide a mapping from the 
						decompiled text to its corresponding API, with a description of why the API text does 
						not directly correspond to the decompiled text and justification that the decompiled text 
						corresponds to the associated API.
						</h:p><h:p>
						The following are the per-platform list of acceptable APIs:
						<h:div><depends ref="android"/> 
							The evaluator shall verify that the application uses at least one of <h:code>javax.crypto.KeyGenerator</h:code> 
							class or the <h:code>java.security.SecureRandom</h:code> class or <h:code>/dev/random
							</h:code> or <h:code>/dev/urandom</h:code>.
						</h:div>
						<h:div><depends ref="windows"/>
							The evaluator shall verify that rand_s, RtlGenRandom, BCryptGenRandom, or 
							CryptGenRandom API is used for classic desktop applications. The evaluator shall 
							verify the application uses the RNGCryptoServiceProvider class or derives a class 
							from System.Security.Cryptography.RandomNumberGenerator API for Windows Universal
							Applications. It is only required that the API is called/invoked, there is no 
							requirement that the API be used directly. In future versions of this document, 
							CryptGenRandom may be removed as an option as it is no longer the preferred API per
							vendor documentation. </h:div>
						<h:div><depends ref="ios"/> 
							The evaluator shall verify that the application invokes either
							<h:code>SecRandomCopyBytes</h:code>, <h:code>CCRandomGenerateBytes</h:code>, or <h:code>CCRandomCopyBytes</h:code>, or uses <h:code>/dev/random</h:code> directly to acquire random.
						</h:div>
						<h:div><depends ref="linux"/> 
							The evaluator shall verify that the application collects random from <h:code>/dev/random</h:code>
							or <h:code>/dev/urandom</h:code>.
						</h:div>
						<h:div><depends ref="Solaris"/>
							The evaluator shall verify that the application collects random from <h:code>/dev/random</h:code>.
						</h:div>
						<h:div><depends ref="mac"/>
							The evaluator shall verify that the application invokes either <h:code>CCRandomGenerateBytes</h:code> or <h:code>CCRandomCopyBytes</h:code>, or collects random from <h:code>/dev/random</h:code>.
						</h:div>
						</h:p><h:p>
						If invocation of platform-provided functionality is achieved in another way, the evaluator 
						shall ensure the TSS describes how this is carried out, and how it is equivalent to the 
						methods listed here (e.g. higher-level API invokes identical low-level API).
						</h:p>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
		
		<!-- FCS_PBKDF_EXT.1 (formerly FCS_CKM.1/3, FCS_CKM.1/PBKDF, FCS_CKM_EXT.1) -->
		<ext-comp-def fam-id="FCS_PBKDF_EXT" title="Password Conditioning">
			<fam-behavior>This family defines requirements for implementation of password-based key derivation functions.</fam-behavior>
		</ext-comp-def>
		
		<f-component name="Password Conditioning" cc-id="fcs_pbkdf_ext.1" id="fcom_pass" status="sel-based">
			<depends on="sel-fcs-sto-pbkdf"/>
			
			<comp-lev> defines the capability of the TOE to implement PBKDF2 for key derivation.</comp-lev>
			<management>No specific management functions are identified.</management>
			<audit>There are no auditable events foreseen.</audit>
			<dependencies>
				FCS_COP.1 Cryptographic Operation<h:br/>
				FCS_RBG_EXT.1 Random Bit Generation Services
			</dependencies>
			
			<f-element id="fel-pass">
				<title>
					A password/passphrase shall perform <assignable>Password-based Key Derivation Functions</assignable> 
					in accordance with a specified cryptographic algorithm as specified in FCS_COP.1<h:b>/KeyedHash</h:b>, with <assignable>positive 
						integer of 1,000 or more</assignable> iterations, and output cryptographic key sizes <assignable>positive integer of 256 of more</assignable>
					bits that meet the following [<h:i>NIST SP 800-132</h:i>].  
				</title>
				<ext-comp-def-title>
					<title>
						A password/passphrase shall perform <assignable>Password-based Key Derivation Functions</assignable> 
						in accordance with a specified cryptographic algorithm as specified in FCS_COP.1, with <assignable>positive 
							integer of 1,000 or more</assignable> iterations, and output cryptographic key sizes <assignable>positive 
								integer of 256 of greater</assignable> bits that meet the following <assignable>applicable standard</assignable>.
					</title>
				</ext-comp-def-title>
			</f-element>
			<f-element id="fel-gen-salts">
				<title>
					The TSF shall generate salts in accordance with FCS_SNI_EXT.1 and with entropy corresponding
					to the security strength selected for PBKDF in FCS_PBKDF_EXT.1.
				</title>
				<note role="application">
				<h:p>
					This should be included if selected in FCS_STO_EXT.1.
				</h:p><h:p>
					Conditioning can be performed using one of the identified hash functions or the process described 
					in NIST SP 800-132; the method used is selected by the ST Author. SP 800-132 requires the use of a pseudorandom 
					function (PRF) consisting of HMAC with an approved hash function. The ST author selects the hash function used, 
					including the appropriate requirements for HMAC and the hash function.
				</h:p><h:p>
					Appendix A of SP 800-132 recommends setting the iteration count in order to increase the computation needed to derive a 
					key from a password and, therefore, increase the workload of performing a password recovery attack. A significantly higher 
					value is recommended to ensure optimal security. This value is expected to increase to a minimum of 10,000 in a future 
					iteration based on SP 800-63.
				</h:p>
				</note>
				<aactivity>
					<TSS> 
						<h:p>
						Support for PBKDF: The evaluator shall examine the password hierarchy TSS to ensure that 
						the formation of all password based derived keys is described and that the key sizes match that 
						described by the ST author. 
						The evaluator shall check that the TSS describes the method by which the password/passphrase is first encoded and then fed to 
						the SHA algorithm. The settings for the algorithm (padding, blocking, etc.) shall be described, and the evaluator shall verify 
						that these are supported by the selections in this component as well as the selections concerning the hash function itself. 
						The evaluator shall verify that the TSS contains a description of how the output of the hash function is used to form the 
						submask that will be input into the function.
						For the NIST SP 800-132-based conditioning of the password/passphrase, the required evaluation activities will be performed when 
						doing the evaluation activities for the appropriate requirements (FCS_COP.1.1/KeyedHash).
						No explicit testing of the formation of the submask from the input password is required. 
						FCS_PBKDF_EXT.1: The evaluator shall verify the TSS descibes the salt size and verify it corresponds to the security strength selected</h:p>
					</TSS>
					<Guidance><h:p>The evaluator shall confirm the guidance documentation contains any information necesary for configuring
						the password conditioning if any configuration is supported.</h:p></Guidance>
					<Tests>None.</Tests>
				</aactivity>
			</f-element>
		</f-component>
	      
		<!-- FCS_RBG_EXT.2 -->
        <f-component cc-id="fcs_rbg_ext.2" name="Random Bit Generation from Application" status="sel-based">
	  <depends on="drbg"/>

        	<comp-lev> specifies the mechanism by which the TSF generates random bits.</comp-lev>
        	<management>No specific management functions are identified.</management>
        	<audit>There are no auditable events foreseen.</audit>
        	<dependencies>
        		FCS_COP.1 Cryptographic Operation <h:br/>
        		FCS_RBG_EXT.1 Random Bit Generation Services
        	</dependencies>

	  
			<f-element id="fel-drbg-how">
				<title> The application shall perform all deterministic random bit generation (DRBG)
					services in accordance with NIST Special Publication 800-90A using <selectables>
						<selectable>Hash_DRBG (any)</selectable>
						<selectable>HMAC_DRBG (any)</selectable>
						<selectable>CTR_DRBG (AES)</selectable></selectables>.
				</title>
				<note role="application">
					<h:p>
					This requirement shall be included in STs in which 
					"<h:b>implement DRBG functionality</h:b>" is chosen in FCS_RBG_EXT.1.1. 
					The ST author should select the standard to which the RBG services comply (either SP 800-90A or FIPS 
					140-2 Annex C).
					</h:p><h:p>
					SP 800-90A contains three different methods of generating random numbers; each of 
					these, in turn, depends on underlying cryptographic primitives 
					(hash functions/ciphers). The ST author will select the function used (if SP 800-90A 
					is selected), and include the specific underlying cryptographic primitives used in the 
					requirement or in the TSS. While any of the identified hash functions (SHA-256, SHA-384, SHA-512) 
					are allowed for Hash_DRBG or HMAC_DRBG, only AES-based 
					implementations for CTR_DRBG are allowed.
					</h:p>
				</note>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documentation contains any information necessary for configuring the DRBG if any
						configuration is required.</h:p></Guidance>
					<Tests>
						<h:p>The evaluator shall perform the following tests, depending on the standard
						to which the RBG conforms. 
						</h:p><h:p>
						<h:b>Implementations Conforming to FIPS 140-2 Annex C.</h:b> 
						</h:p><h:p>
						The reference for the tests contained in this section is The Random Number Generator
						Validation System (RNGVS). The evaluators shall conduct the following two tests. Note 
						that the "expected values" are produced by a reference implementation of the algorithm 
						that is known to be correct. Proof of correctness is left to each Scheme.
						</h:p>
						<testlist>
							<test>
								The evaluators shall perform a Variable Seed Test. The evaluators shall
								provide a set of 128 (Seed, DT) pairs to the TSF RBG function, 
								each 128 bits. The evaluators shall also provide a key (of the length appropriate 
								to the AES algorithm) that is constant for all 128 (Seed, DT) pairs. The DT value 
								is incremented by 1 for each set. The seed values shall have no repeats within
								the set. The evaluators ensure that the values returned by the 
								TSF match the expected values.
							</test>
							<test>
								The evaluators shall perform a Monte Carlo Test. For this test, they supply
								an initial Seed and DT value to the TSF RBG function; each of 
								these is 128 bits. The evaluators shall also provide a key (of the length 
								appropriate to the AES algorithm) that is constant throughout the test. The 
								evaluators then invoke the TSF RBG 10,000 times, with the DT 
								value being incremented by 1 on each iteration, and the new seed for the 
								subsequent iteration produced as specified in NIST-Recommended Random Number 
								Generator Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES 
								Algorithms, Section E.3. The evaluators ensure that the 10,000th value produced 
								matches the expected value.
							</test>
						</testlist>
						<h:b>Implementations Conforming to NIST Special Publication 800-90A</h:b>
						<testlist>
							<test>
								<h:p>
								The evaluator shall perform 15 trials for the RNG implementation. If the RNG is
								configurable, the evaluator shall perform 15 trials for each configuration. The
								evaluator shall also confirm that the operational guidance contains appropriate
								instructions for configuring the RNG functionality.
								</h:p><h:p>
								If the RNG has prediction resistance enabled, each trial consists of (1) 
								instantiate DRBG, (2) generate the first block of random bits (3) generate a 
								second block of random bits (4) uninstantiate. The evaluator verifies that the 
								second block of random bits is the expected value. The evaluator shall generate 
								eight input values for each trial. The first is a count (0 – 14). The next three 
								are entropy input, nonce, and personalization string for the instantiate 
								operation. The next two are additional input and entropy input for the first call 
								to generate. The final two are additional input and entropy input for the second
								call to generate. These values are randomly generated. The operation to “generate one block of 
								random bits” means to generate random bits with number of returned bits equal to 
								the Output Block Length (as defined in NIST SP 800-90A). 
								</h:p><h:p>
								If the RNG does not have prediction resistance, each trial consists of (1) 
								instantiate DRBG, (2) generate the first block of random bits (3) reseed, (4) 
								generate a second block of random bits (5) uninstantiate. The evaluator verifies 
								that the second block of random bits is the expected value. The evaluator shall 
								generate eight input values for each trial. The first is a count (0 – 14). The 
								next three are entropy input, nonce, and personalization string for the 
								instantiate operation. The fifth value is additional input to the first call to
								generate. The sixth and seventh are additional input and entropy input to the call 
								to reseed. The final value is additional input to the second generate call. 
								</h:p><h:p>
								The following paragraphs contain more information on some of the input values to 
								be generated/selected by the evaluator.
								</h:p><h:p>
								<h:b>Entropy input:</h:b> The length of the entropy input value must equal the seed length.
								</h:p><h:p>
								<h:b>Nonce:</h:b> If a nonce is supported (CTR_DRBG with no Derivation Function does not use 
								a nonce), the nonce bit length is one-half the seed length. 
								</h:p><h:p>
								<h:b>Personalization string:</h:b> The length of the personalization string must be 
								less then or equal to seed length. If the implementation only supports one 
								personalization string length, then the same length can be used for both values. 
								If more than one string length is supported, the evaluator shall use personalization 
								strings of two different lengths. If the implementation does not use a 
								personalization string, no value needs to be supplied.
								</h:p><h:p>
								<h:b>Additional input:</h:b> The additional input bit lengths have the same defaults 
								and restrictions as the personalization string lengths.
								</h:p>
							</test>   
						</testlist>
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-drbg-seed">
				<title>
					The deterministic RBG shall be seeded by an entropy source that accumulates
					entropy from a platform-based DRBG and <selectables linebreak="yes">
						<selectable>a software-based noise source</selectable>
						<selectable>a hardware-based noise source</selectable>
						<selectable exclusive='yes'>no other noise source</selectable></selectables> 
					with a minimum of <h:i>256 bits</h:i> 
					of entropy at least equal to the greatest security strength (according
					to NIST SP 800-57) of the keys and hashes that it will generate. 
				</title>
				<note role="application">
					<h:p>
					This requirement shall be included in STs in which 
					"<h:b>implement DRBG functionality</h:b>" is selected in FCS_RBG_EXT.1.1. For the first
					selection in this requirement, the ST author selects "<h:b>software-based noise source</h:b>" if 
					any additional noise sources are used as input to the application's DRBG. Note that 
					the application must use the platform's DRBG to seed its DRBG.
					</h:p>
				</note>
				<aactivity level="element">
					<TSS>
						<h:p>
						Documentation shall be produced - and the evaluator shall perform the
						activities - in accordance with <xref to="entropyappendix"/> and the
						<h:a href="https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/Entropy%20Documentation%20and%20Assessment%20Clarification.pdf">
							Clarification to the Entropy Documentation and Assessment Annex</h:a>.</h:p>
					</TSS>
					<Guidance>
						<h:p>
						The evaluator shall verify the guidance documentation contains any information necessary for configuring the noise sources or size outputs
						if any configuration is supported.</h:p></Guidance>
					<Tests> 
						In the future, specific statistical testing (in line with NIST SP 800-90B) will 
						be required to verify the entropy estimates.
					</Tests>
				</aactivity>
			</f-element>
        </f-component>

	<ext-comp-def fam-id="FCS_STO_EXT" title="Storage of Credentials">
	  <fam-behavior>This family defines requirements for the secure storage of credential data. </fam-behavior>
	</ext-comp-def>
	
	<!-- FCS_STO_EXT.1 Storage of Credential -->
	<f-component cc-id="fcs_sto_ext.1" name="Storage of Credentials">
	  
	  <comp-lev>requires the application to define how to store credentials to non-volatile memory.</comp-lev>
		<management>No specific management functions are identified.</management>
		<audit>There are no auditable events foreseen.</audit>
		<dependencies>
			No dependencies.
		</dependencies>
	  
	  <f-element id="fel-store-creds">
				<title>The application shall 
					<selectables linebreak="yes">
						<selectable exclusive="yes">not store any credentials</selectable>
						<selectable>invoke the functionality provided by the platform to securely store 
							<assignable>list of credentials</assignable>
						</selectable>
						<selectable id="sel_impl_sto">
							securely store
							<assignable>list of credentials</assignable>
							with platform provided
							<selectables>
								<selectable>
									<selectables linebreak="yes">
									<selectable>AES-CBC (as defined in NIST SP 800-38A) mode</selectable>
									<selectable>AES-GCM (as defined in NIST SP 800-38D) mode</selectable>
									<selectable>AES-XTS (as defined in NIST SP 800-38E) mode</selectable>
									</selectables> and cryptographic key size of 256-bits.
								</selectable>
								<selectable>PBKDF2 function that uses <selectables linebreak="yes">
									<selectable>HMAC-SHA256</selectable>
									<selectable>HMAC-SHA384</selectable>
									<selectable>HMAC-SHA512</selectable>
								</selectables> with <assignable>positive integer of 1,000 or more</assignable> iterations 
									and output cryptographic key size of <assignable>positive 
										integer of 256 of greater</assignable> bits that meet the following [<h:i>NIST SP 800-132</h:i>].  
								</selectable>
							</selectables>
						</selectable>
						<selectable id="sel_impl_sto">
							implement functionality to securely store
							<assignable>list of credentials</assignable>
							according to
							<selectables>
								<selectable id="sel-fcs-sto-skc">FCS_COP.1/SKC</selectable>
								<selectable id="sel-fcs-sto-pbkdf">FCS_PBKDF_EXT.1</selectable>
							</selectables>
						</selectable>
					</selectables>
					to non-volatile memory.
				</title>

	<ext-comp-def-title><title>The application shall 
					<selectables linebreak="yes">
						<selectable exclusive="yes">not store any credentials</selectable>
						<selectable>invoke the functionality provided by the platform to securely store 
							<assignable>list of credentials</assignable>
						</selectable>
						<selectable>implement functionality to securely store
							<assignable>list of credentials</assignable>
							according to
							<assignable>cryptographic mechanisms</assignable>
						</selectable></selectables>
					to non-volatile memory.
				      </title>
				      </ext-comp-def-title>
				
				<note role="application">
					This requirement ensures that persistent credentials (secret keys, PKI private keys, passwords, etc) 
					are stored securely, and never persisted in cleartext form. 
					Application developers are encouraged to use platform mechanisms for the secure storage of credentials. 
					Depending on the platform that may include hardware-backed protection for credential storage. Application
					developers must choose a selection, or multiple selections, based on all credentials that the application
					stores. If "<h:b>not store any credentials</h:b>" is selected, then the application must not store any credentials.
					If "<h:b>invoke the functionality provided by the platform to securely store</h:b>" is selected, then the 
					Application developer must closely review the EA for their platform and provide documentation indicating
					which platform mechanisms are used to store credentials. 
					If "<h:b>implement functionality to securely store credentials</h:b>" is selected, then the following components 
					must be included in the ST: FCS_COP.1/SKC or FCS_PBKDF_EXT.1.
					If other cryptographic operations are used to implement the secure storage of credentials, the corresponding 
					requirements must be included in the ST. If the OS is Linux and Java KeyStores are used to store 
					credentials, "<h:i>implement functionality to securely store credentials</h:i>" must be selected.
				</note>           
				<aactivity>
					<TSS>
					<h:p>
						The evaluator shall check the TSS to ensure that it lists all persistent 
						credentials (secret keys, PKI private keys, or passwords) needed to meet the 
						requirements in the ST. For each of these items, the evaluator shall 
						confirm that the TSS lists for what purpose it is used, and how it is stored. 
					</h:p><h:p>
						If <h:b>securely store</h:b> is selected, the evaluator shall verify the TSS contains the platform functions utilized and verify those functions 
						are documented by the platform to be non-depricated functions meeting the specifications in the requirement.
					</h:p><h:p>
						If <h:b>invoke the functionality provided by the platform to securly store</h:b> is selected, the evaluator shall confirm the TSS describes
						how the platform storaged is invoked for each supported platform. The evaluator shall confirm the invocation of the platform is using non-depricated functions 
						provided by the platform(s).</h:p>
					</TSS>              
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>
						For all credentials for which the application implements functionality, the evaluator shall 
						verify credentials are encrypted according to FCS_COP.1/SKC or conditioned according to FCS_PBKDF_EXT.1.
						For all credentials for which the application invokes platform-provided
						functionality, the evaluator shall perform the following actions which vary per platform.
						<h:div><depends ref="android"/>The evaluator shall verify that the application uses
							the Android <h:code>KeyStore</h:code> or the Android <h:code>KeyChain</h:code> to store certificates.  
						</h:div>
						<h:div><depends ref="windows"/>The evaluator shall verify that all certificates are
							stored in the Windows Certificate Store. The evaluator shall verify that other
							credentials, like passwords, are stored in the Windows Credential Manager or stored 
							using the Data Protection API (DPAPI). For Windows Universal Applications, the evaluator shall 
							verify that the application is using the ProtectData class and storing credentials 
							in IsolatedStorage.
						</h:div>
						<h:div><depends ref="ios"/>
							The evaluator shall verify that all credentials are stored
							within a <h:code>Keychain</h:code>. 
						</h:div>
						<h:div><depends ref="linux"/>
							The evaluator shall verify that all keys are stored using Linux keyrings.
						</h:div>
						<h:div><depends ref="Solaris"/>
							The evaluator shall verify that all keys are stored using Solaris 
							<h:code>Key Management Framework (KMF)</h:code>.
						</h:div>
						<h:div><depends ref="mac"/>The evaluator shall verify that all credentials are 
							stored within <h:code>Keychain</h:code>.</h:div>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
		
		<!-- FCS_SNI_EXT.1 Salts Nonces and Initalization Vectors -->
		<f-component cc-id="fcs_sni_ext.1" name="Cryptographic Operation (Salt, Nonce, and Initialization Vector Generation)" status="sel-based">
			<depends on="sel_aes_cbc"/>
			<depends on="sel_aes_gcm"/>
			<depends on="sel_aes_xts"/>
			<depends on="sel_aes_ccm"/>
			<depends on="sel_aes_ctr"/>
			<depends on="sel-fcs-sto-pbkdf"/>
			<comp-lev>requires the application to define how to generate salt, nonces, and initialization vectors</comp-lev>
			<management>No specific management functions are identified.</management>
			<audit>There are no auditable events foreseen.</audit>
			<dependencies>
				No dependencies.
			</dependencies>
			
			<f-element id="fel-sni">
				<title>The application shall 
					<selectables>
						<selectable>use no salts</selectable>
						<selectable>use salts that are generated by a DRBG as specificed in FCS_RBG_EXT.1</selectable>
					</selectables>
				</title>
			</f-element>
			<f-element>
				<title>The application shall use 
					<selectables>
						<selectable>no nonces</selectable>
						<selectable>unique nonces with a minimum size of [64] bits].</selectable>
					</selectables>
				</title>
			</f-element>
			<f-element>
				<title>The application shall 
					<selectables>
						<selectable>use no IVs</selectable>
						<selectable>create IVs in the following manner 
							<selectables linebreak="yes">
								<selectable>CBC: IVs shall be non-repeating and unpredictable;</selectable>
								<selectable>CCM: Nonce shall be non-repeating and unpredictable;</selectable>
								<selectable>CTR: "Initial Counter" shall be non-repeating. No counter value shall be repeated
								across multiple messages with the same secret key.</selectable>
								<selectable>XTS: No IV. Tweak values shall be non-negative integers, assigned consecutively,
									and starting at an arbitrary non-negative integer;</selectable>
								<selectable>GCM: IV shall be non-repeating. The number of invocations of GCM shall not exceed
									 2^32 for a given secret key].</selectable>
							</selectables>
						</selectable>
					</selectables>
					
				</title>
				
				<note role="application">
					This requirement ensures that salts, nonces, and initalization vectors are properly implimented.  If the application is implementing
					a salt, nonce, or intialization vector they must select the corresponding selection.  If the platform is performing a function that
					uses a salt, nonce, or initialization vector the selection use no selection shall be made.
				</note>           
				<aactivity>
					<TSS>
						<h:p>
							If salts are used the evaluator shall ensure the TSS describes how salts are generated. The evaluator
							shall confirm that the salt is generating using an RBG described in FCS_RBG_EXT.1. 
						</h:p><h:p>
							If nonces are used the evaluator shall ensure the TSS describes how nonces are created verify they are a minimum of 64 bits in size.
						</h:p><h:p>
							If initialization vectors (IV) are used the evaluator shall ensure the TSS describes how
							IVs and tweaks are handled based on the AES mode. The evaluator shall confirm that
							the IVs and tweaks meet the stated requirements for each AES mode.
						</h:p>
					</TSS>              
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>
						None.
					</Tests>
				</aactivity>
			</f-element>
		</f-component>
    </section>    <!-- 5.1.1 Cryptographic Support (FCS) -->

	<!-- 5.1.2 User Data Protection (FDP) -->
    <section title="User Data Protection (FDP)" id="fdp">

    	<!-- FDP_DAR_EXT.1 Encryption of Sensitive Application Data -->
    	<!-- incorporates TD582 -->
    	
    	
    	<ext-comp-def fam-id="FDP_DAR_EXT" title="Data-at-Rest Encryption">
    		<fam-behavior>This family defines requirements for implementation of data-at-rest protection. </fam-behavior>
    	</ext-comp-def>
    	
    	<f-component cc-id="fdp_dar_ext.1" name="Encryption Of Sensitive Application Data">
    		<comp-lev>requires the application to be able to protect all data with a chosen method of encryption.</comp-lev>
    		<management>No specific management functions are identified.</management>
    		<audit>There are no auditable events foreseen.</audit>
    		<dependencies>
    			No dependencies.
    		</dependencies>
    		
    		<f-element id="fel-dar-how">
    			<title>
    				The application shall 
    				<selectables linebreak="yes">
    					<selectable>leverage platform-provided functionality to encrypt sensitive data</selectable>
    					<selectable>implement functionality to encrypt sensitive data as defined in the PP-Module for File Encryption</selectable>
    					<selectable>protect sensitive data in accordance with FCS_STO_EXT.1</selectable>
    					<selectable exclusive="yes">not store any sensitive data</selectable></selectables> in non-volatile memory.
    			</title>
    			<note role="application">
    				<h:p>
    				If "<h:b>implement functionality to encrypt sensitive data as defined in the PP-Module for File Encryption</h:b>"
    				is selected, the TSF must claim conformance to a PP-Configuration that includes the File Encryption PP-Module. 
    				</h:p><h:p>
    				Any file that may potentially contain sensitive data (to include temporary files)
    				shall be protected.  The only exception is if the user intentionally exports the sensitive data
    				to non-protected files. ST authors should select "<h:i>protect sensitive data in accordance with 
    					FCS_STO_EXT.1</h:i>" for the sensitive data that is covered by the FCS_STO_EXT.1 SFR.
    				</h:p>
    			</note>
    			<aactivity>
    				<TSS>
    					<h:p>
    					If any selection other than <h:b>not store any sensitive data</h:b> is selected the evaluator shall examine the TSS 
    					to ensure that it describes the sensitive data processed by the application. 
    					The evaluator shall then ensure that the following activities cover all of the sensitive data identified in the TSS.
    					</h:p><h:p>
    					If <h:b>not store any sensitive data</h:b> is selected, the evaluator shall inspect the TSS to ensure 
    					that it describes how sensitive data cannot be written to non-volatile memory. The evaluator shall also 
    					ensure that this is consistent with the filesystem test below.
    					</h:p><h:p>
    					If <h:b>implement functionality to encrypt sensitive data</h:b> is selected the evalutator shall confirm the TSS describes how the 
    					application ensures all sensative data is protected by the file encryption functions.
    					</h:p><h:p>
    					If <h:b>protect sensative data in accordance with FCS_STO_EXT.1</h:b> is selected the evaluator shall confirm the TSS desribes
    					which data is protected via this mechanism and the selections within FCS_STO_EXT.1 that are leveraged.
    					If mulitple selections are included the evaluator shall ensure the TSS describes which sensative data is captures by which selection.
    					</h:p>
    				</TSS>
    				<Guidance><h:p>The evaluator shall confirm the operational guidance contains any instructions necessary configing the storage and 
    					protection of any sensative data.
    				</h:p><h:p>
    					If <h:b>leverage platform-provided functionality to encrypt sensitive data</h:b> is selected the evaluator shall confirm the operational guidance contains the list of supported 
    					operational environments and any steps necessary to ensure the platform captures any sensative data that is stored.
    					</h:p></Guidance>
    				<Tests>
    					<h:p>
    					If "<h:b>implement functionality to encrypt sensitive data as defined in the PP-Module for File Encryption</h:b>" 
    					or "<h:b>protect sensitive data in accordance with FCS_STO_EXT.1</h:b>" is selected,
    					the evaluator shall inventory the filesystem locations where the application may write data. 
    					The evaluator shall run the application and attempt to store sensitive data. The evaluator shall 
    					then inspect those areas of the filesystem to note where data was stored (if any), and verify 
    					it has been encrypted.
    					</h:p><h:p>
    					If "<h:b>leverage platform-provided functionality...</h:b>" is selected, the evaluation activities will be performed as 
    					stated in the following requirements, which vary on a per-platform basis.
    					</h:p><h:p>
    					<h:div><depends ref="android"/>
    						The evaluator shall inspect the TSS and verify that it describes how files containing sensitive data are 
    						stored with the <h:code>MODE_PRIVATE</h:code> flag set.
    					</h:div>
    					<h:div><depends ref="windows"/>
    						The Windows platform currently does not provide data-at-rest
    						encryption services which depend upon invocation by application developers. No additional test is required.
    					</h:div>
    					<h:div><depends ref="ios"/>
    						The evaluator shall inspect the TSS and ensure that it describes how the 
    						application uses the Complete Protection, Protected Unless Open, or Protected Until 
    						First User Authentication Data Protection Class for each data file stored locally. 
    					</h:div>
    					<h:div><depends ref="linux"/>
    						The Linux platform currently does not provide data-at-rest encryption services which depend
    						upon invocation by application developers.  No additional test is required.
    					</h:div>
    					<h:div><depends ref="Solaris"/>
    						The Solaris platform currently does not provide data-at-rest encryption services which depend
    						upon invocation by application developers.  No additional test is required.
    					</h:div>
    					<h:div><depends ref="mac"/>
    						The macOS platform currently does not provide data-at-rest encryption services which depend
    						upon invocation by application developers.  No additional test is required.
    					</h:div>
    					</h:p>
    				</Tests>
    			</aactivity>
    		</f-element>
    	</f-component>
      <!-- FDR_DEC_EXT.1 -->
      <!-- Incorporates TD434 -->
      <!-- Incorporates TD515 -->
      <ext-comp-def fam-id="FDP_DEC_EXT" title="Access to Platform Resources">
	<fam-behavior>This family defines requirements for accessing platform resources.</fam-behavior>
      </ext-comp-def>
      <f-component cc-id="fdp_dec_ext.1" name="Access to Platform Resources">

      	<comp-lev> requires the application to restrict access to hardware sources and sensitive information repositories.</comp-lev>
      	<management>The following action could be considered for the management functions in FMT: <h:ul type="a">
      		<h:li>Enabling and disabling the transmission of any information describing the system’s hardware, software, or configuration.</h:li>
      	</h:ul>
      	</management>
      	<audit>There are no auditable events foreseen.</audit>
      	<dependencies>
      		FCS_TLS_EXT.1 TLS Protocol<h:br/>
      		FIA_X509_EXT.1 X.509 Certificate Validation
      	</dependencies>
      	
			<f-element id="fel-hardware-access">
				<title> The application shall restrict its access to
					<selectables linebreak="yes">
						<selectable exclusive="yes">no hardware resources</selectable>
						<selectable>network connectivity</selectable>
						<selectable>camera</selectable>
						<selectable>microphone</selectable>
						<selectable>location services</selectable>
						<selectable>NFC</selectable>
						<selectable>USB</selectable>
						<selectable>Bluetooth</selectable>
						<selectable><assignable>list of additional hardware resources</assignable></selectable></selectables>.
				</title>
				<note role="application">
					The intent is for the evaluator to ensure that the selection captures all
					hardware resources which the application accesses, and that these are 
					restricted to those which are justified.
					On some platforms, the application must explicitly solicit permission 
					in order to access hardware resources.
					Seeking such permissions, even if the application does not later make use of the
					hardware resource, should still be considered access.
					Selections should be expressed in a manner consistent with how the application expresses
					its access needs to the underlying platform.  For example,
					the platform may provide location services which implies the potential use of a variety
					of hardware resources (e.g. satellite receivers, WiFi, cellular radio)
					yet "<h:i>location services</h:i>" is the proper selection.  This is because use of these resources
					can be inferred, but also because the actual usage may vary based on the particular platform.
					Resources that do not need to be explicitly identified are
					those which are ordinarily used by any application such as central processing units,
					main memory, displays, input devices (e.g. keyboards, mice), and
					persistent storage devices provided by the platform.
				</note>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evaluator shall perform the platform-specific actions below and inspect user
						documentation to determine the application's access to hardware
						resources.  The evaluator shall ensure that this is consistent with the selections
						indicated.  The evaluator shall review documentation provided by the application
						developer and for each resource which it accesses, identify the
						justification as to why access is required.</h:p>
					</Guidance>
					<Tests>
						<h:div><depends ref="android"/>
							The evaluator shall verify that each <h:code>uses-permission</h:code> entry in the AndroidManifest.xml file 
							for access to a hardware resource is reflected in the selection.
						</h:div>
						<h:div><depends ref="windows"/>For Windows Universal Applications the evaluator shall check 
							the AppxManifest.xml file for a list of required hardware capabilities. The evaluator
							shall verify that the user is made aware of the required hardware capabilities when
							the application is first installed. This includes permissions such as
							ID_CAP_ISV_CAMERA, ID_CAP_LOCATION, ID_CAP_NETWORKING, ID_CAP_MICROPHONE,
							ID_CAP_PROXIMITY and so on.
							A complete list of Windows App permissions can be found at: 
							<h:ul><h:li>
								<h:a href="http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx">
								http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx</h:a>
							</h:li></h:ul>
							For Windows Desktop Applications the evaluator shall identify in either the
							application software or its documentation the list of the required
							hardware resources. 
						</h:div>
						<h:div><depends ref="ios"/>The evaluator shall verify that either the
							application or the documentation provides a list of the
							hardware resources it accesses. </h:div>
						<h:div><depends ref="linux"/> The evaluator shall verify that either the
							application software or its documentation provides a list of the
							hardware resources it accesses. </h:div>
						<h:div><depends ref="Solaris"/> The evaluator shall verify that either the
							application software or its documentation provides a list of the
							hardware resources it accesses. </h:div>
						<h:div><depends ref="mac"/> The evaluator shall verify that either the application
							software or its documentation provides a list of the hardware
							resources it accesses.</h:div>
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-info-access">
				<title>The application shall restrict its access to
					<selectables linebreak="yes">
						<selectable exclusive="yes">no sensitive information repositories</selectable>
						<selectable>address book</selectable>
						<selectable>calendar</selectable>
						<selectable>call lists</selectable>
						<selectable>system logs</selectable>
						<selectable><assignable>list of additional sensitive information repositories</assignable></selectable></selectables>.
				</title>
				<note role="application"> 
					"<h:i>Sensitive information repositories</h:i>" are defined as those collections of sensitive data that 
					could be expected to be shared among some applications, users, or user roles, but to which not all
					of these would ordinarily require access.
				</note>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evaluator shall perform the platform-specific actions below and inspect user
						documentation to determine the application's access to sensitive information
						repositories.  The evaluator shall ensure that this is consistent with the selections
						indicated.  The evaluator shall review documentation provided by the application
						developer and for each sensitive information repository which it accesses, identify the
						justification as to why access is required.</h:p>
					</Guidance>
					<Tests>
	                    <h:div><depends ref="android"/>
							The evaluator shall verify that each <h:code>uses-permission</h:code> entry in the AndroidManifest.xml file 
							for access to a sensitive information repository is reflected in the selection.  
						</h:div>
						<h:div><depends ref="windows"/>For Windows Universal Applications the evaluator shall check the
							AppxManifest.xml file for a list of required capabilities. The evaluator shall
							identify the required information repositories when the
							application is first installed. This includes permissions such as
							ID_CAP_CONTACTS,ID_CAP_APPOINTMENTS,ID_CAP_MEDIALIB and so on. A complete list of
							Windows App permissions can be found at: 
							<h:ul><h:li>
								<h:a href="http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx">
									http://msdn.microsoft.com/en-US/library/windows/apps/jj206936.aspx</h:a>
							</h:li></h:ul>
							For Windows Desktop Applications the evaluator shall identify in either the
							application software or its documentation the list of 
							sensitive information repositories it accesses. 
						</h:div>
						<h:div><depends ref="ios"/>The evaluator shall verify that either the application
							software or its documentation provides a list of
							the sensitive information repositories it accesses.</h:div>
						<h:div><depends ref="linux"/> The evaluator shall verify that either the 
							application software or its documentation provides a list of 
							sensitive information repositories it accesses.
						</h:div>
						<h:div><depends ref="Solaris"/>The evaluator shall verify that either the
							application software or its documentation provides a list of
							sensitive information repositories it accesses. </h:div>
						<h:div><depends ref="mac"/>The evaluator shall verify that either the application
							software or its documentation provides a list of
							sensitive information repositories it accesses.</h:div>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>

	<ext-comp-def fam-id="FDP_NET_EXT" title="Network Communications">
	  <fam-behavior>This family defines requirements for the TOE’s use of network connectivity.</fam-behavior>
	</ext-comp-def>
	
        <f-component cc-id="fdp_net_ext.1" name="Network Communications">

        	<comp-lev> identifies the purpose for each network interface used by the TOE and how that interface is invoked.</comp-lev>
        	<management>No specific management functions are identified.</management>
        	<audit>There are no auditable events foreseen.</audit>
        	<dependencies>
        		No dependencies.
        	</dependencies>
        	
			<f-element id="fel-network-access">
				<title>The application shall restrict network communication to 
					<selectables linebreak="yes">
						<selectable exclusive="yes">no network communication</selectable>
						<selectable>user-initiated communication for 
							<assignable>list of functions 
							for which the user can initiate network communication</assignable></selectable>
						<selectable>respond to <assignable>list of remotely initiated communication</assignable></selectable>
						<selectable><assignable>list of application-initiated network communication</assignable></selectable></selectables>. 
				</title>
				<note role="application">
					This requirement is intended to restrict both inbound and
					outbound network communications to only those required, or to network
					communications that are user initiated.
					It does not apply to network communications in which the application may generically 
					access the filesystem which may result in the platform accessing remotely mounted
					drives/shares.
				</note>
				<aactivity>
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documents contain any instructions necessary to configure the restriction of network
						communications.</h:p></Guidance>
					<Tests>The evaluator shall perform the following tests:
						<testlist>
							<test>
								The evaluator shall run the application.  While the application is running,
								the evaluator shall sniff network traffic ignoring all non-application 
								associated traffic
								and verify that any network communications witnessed are documented in the TSS or are user-initiated. 
							</test>
							<test>
								The evaluator shall run the application.  After the application initializes, the
								evaluator shall run network port scans to verify that any ports
								opened by the application have been captured in the ST for the third
								selection and its assignment.  This includes
								connection-based protocols (e.g. TCP, DCCP) as well as connectionless protocols
								(e.g. UDP).
							</test>
						</testlist>
						<h:div><depends ref="android"/>
							If "<h:b>no network communication</h:b>" is selected, the evaluator shall ensure that the application's
							AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag
							containing android:name="android.permission.INTERNET".
							In this case,
							it is not necessary to perform the above Tests 1 and 2, as the platform will not allow the
							application to perform any network communication.
						</h:div>
					</Tests>
				</aactivity>
			</f-element>	
		</f-component>
		

    </section>   <!-- FDP -->
	    
	<!-- Identification and Authentication (FIA) Removed due to X509 FP-->
    
		
	      
		
      <section title="Security Management (FMT)" id="fmt">



      	<ext-comp-def fam-id="FMT_CFG_EXT" title="Secure by Default Configuration">
      		<fam-behavior>
      			This family defines requirements for authorization to manage the behavior of the application.
      		</fam-behavior>
      	</ext-comp-def>
      	<!-- FMT_CFG_EXT.1 Secure by Default Configuration -->
      	<!-- Incoporates TD519 -->
      	<f-component cc-id="fmt_cfg_ext.1" name="Secure by Default Configuration">
      		
      		<comp-lev> requires the application to define how to set new credentials 
      			and protect the application from modification by unprivileged users.</comp-lev>
      		<management>No specific management functions are identified.</management>
      		<audit>There are no auditable events foreseen.</audit>
      		<dependencies>No dependencies.
      		</dependencies>
      		
      		<f-element id="fel-default-config">
      			<title>
      				The application shall provide only enough functionality to set new credentials when 
      				configured with default credentials or no credentials.
      			</title>
      			<note role="application">
      				Default credentials are credentials (e.g., passwords, keys) that are automatically 
      				(without user interaction) loaded onto the platform during application installation.
      				Credentials that are generated during installation using requirements laid out in 
      				FCS_RBG_EXT.1 are not by definition default credentials.
      			</note>
      			<aactivity level="element">
      				<TSS><h:p>
      					The evaluator shall check the TSS to determine if the application requires any type
      					of credentials and if the application installs with default credentials.</h:p>
      				</TSS>
      				<Guidance><h:p>The evaluator shall verify the guidance documentation details regarding any default or null credentials being used
      					and how they would be updated.</h:p>
      				</Guidance>
      				<Tests>If the application uses any default credentials the evaluator shall run the following tests.
      					<testlist>
      						<test>
      							The evaluator shall install and run the application without generating or loading 
      							new credentials and verify that only the minimal
      							application functionality required to set new credentials is available.
      						</test>
      						<test>
      							The evaluator shall attempt to clear all credentials and verify that only
      							the minimal application functionality required to set new credentials is available.
      						</test>
      						<test>
      							The evaluator shall run the application, establish new credentials and
      							verify that the original default credentials no longer provide access to
      							the application.
      						</test>
      					</testlist>
      				</Tests>
      			</aactivity>
      		</f-element>
      		<f-element id="fel-file-perms">
      			<title>
      				The application shall be configured by default with file permissions which protect
      				the application binaries and data files from modification by normal unprivileged users.
      			</title>
      			<note role="application">
      				The precise expectations for file permissions vary per platform
      				but the general intention is that a trust boundary protects the application and its data.
      			</note>
      			<aactivity level="element">
      				<TSS><h:p>None.</h:p></TSS>
      				<Guidance><h:p>None.</h:p></Guidance>
      				<Tests>
      					The evaluator shall install and run the application. The evaluator shall
      					inspect the filesystem of the platform (to the extent possible) for any files created
      					by the application and ensure that their permissions are adequate to protect them.
      					The method of doing so varies per platform.
      					<h:div><depends ref="android"/>The evaluator shall run the command <h:code>find -L . -perm /002</h:code> 
      						inside the application's data directories to ensure that all files are not world-writable. The command 
      						should not print any files (for this test, directories are not considered to be files).
      					</h:div>
      					<h:div><depends ref="windows"/>The evaluator shall run the SysInternals tools,
      						Process Monitor and Access Check (or tools of equivalent capability, like 
      						icacls.exe) for Classic Desktop applications to verify that files written to disk 
      						during an application's installation have the correct file permissions, such that a 
      						standard user cannot modify the application or its data files. For Windows Universal 
      						Applications the evaluator shall consider the requirement met because of the AppContainer 
      						sandbox.
      					</h:div>
      					<h:div><depends ref="ios"/>The evaluator shall determine whether the application
      						leverages the appropriate Data Protection Class for each data file stored
      						locally.</h:div>
      					<h:div><depends ref="linux"/> 
      						The evaluator shall run the command <h:code>find -L . -perm /002</h:code> 
      						inside the application's data directories to ensure that all files are 
      						not world-writable. The command should not print any files.
      					</h:div>
      					<h:div><depends ref="Solaris"/>
      						The evaluator shall run the command <h:code>find . \( -perm -002 \)</h:code>
      						inside the application's data directories to ensure that all files are not 
      						world-writable. The command should not print any files.
      					</h:div>
      					<h:div><depends ref="mac"/>
      						The evaluator shall run the command <h:code>find . -perm +002</h:code> inside
      						the application's data directories to ensure that all files are not world-writable.
      						The command should not print any files.
      					</h:div>
      				</Tests>
      			</aactivity>
      		</f-element>
      	</f-component>
      	

	<ext-comp-def fam-id="FMT_MEC_EXT" title="Supported Configuration Mechanism">
	  <fam-behavior>This family defines requirements for the TOE’s use of mechanisms for the storage of configuration data.</fam-behavior>
	</ext-comp-def>
	
	<!-- FMT_MEC_EXT.1 -->
	<!-- as replaced in TD437 -->
	<!-- incorporates TD465 -->
	<!-- incorporates TD543 -->
	<f-component cc-id="fmt_mec_ext.1" name="Supported Configuration Mechanism">
	  
		<comp-lev> requires the application to store configuration data either through the use of an appropriate environmental mechanism 
			or through its own file encryption capability.</comp-lev>
		<management>No specific management functions are identified.</management>
		<audit>There are no auditable events foreseen.</audit>
		<dependencies>No dependencies.
		</dependencies>
	  
			<f-element id="fel-config-store">
				<title>The application shall <selectables>
					<selectable>invoke the mechanisms recommended by the platform vendor for storing and setting configuration options</selectable>
					<selectable>implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1 in the PP-Module for File Encryption</selectable></selectables>.
				</title>
				<note role="application"> 
					<h:p>
					Configuration options that are stored remotely are not subject to this requirement. 
					Sensitive Data is generally not considered part of configuration options
					and should be stored according to FDP_DAR_EXT.1 or FCS_STO_EXT.1.
					</h:p><h:p>
					If “<h:b>implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1
					in the PP-Module for File Encryption</h:b>" is selected, the TSF must claim conformance to a 
					PP-Configuration that includes the PP-Module for File Encryption.
					</h:p>
				</note>
				<aactivity>
					<TSS>
						<h:p>
						The evaluator shall review the TSS to identify the application's configuration options
						(e.g. settings) and determine whether these are stored and set using the mechanisms
						supported by the platform or implemented by the application in accordance with the PP-Module for File Encryption. 
						At a minimum the TSS shall list settings related to any SFRs and any settings that are mandated in the 
						operational guidance in response to an SFR.
						</h:p><h:p>
						Conditional: If "<h:b>implement functionality to encrypt and store configuration options as defined by FDP_PRT_EXT.1
							in the PP-Module for File Encryption</h:b>" is selected, the evaluator shall ensure that the TSS identifies those options, 
						as well as indicates where the encrypted representation of these options is stored.
						</h:p>
					</TSS>
					<Guidance>
					<h:p>
						The evaluator shall verify the guidance documentation contains any 
						information necessary to configure the protection of configuration settings.</h:p></Guidance>
					<Tests>
						If "<h:b>invoke the mechanisms recommended by the platform vendor for storing and setting configuration options</h:b>" is selected,
						the method of testing varies per platform as follows: 
						<!-- updated to reflect NIAP TD0624 -->
	                    <h:div><depends ref="android"/>
	                    	<h:p>
	                    	The evaluator shall inspect the TSS and verify that it describes what Android API is used 
	                    	(and provides a link to the documentation of the API) when storing configuration data.
							The evaluator shall run the application and verify that the behavior of the TOE is consistent with where and 
							how the API documentation says the configuration data will be stored.
	                    	</h:p><h:p>
	                    	For SharedPreferences, the evaluator shall examine the XML file to make sure it reflects the changes made to the 
	                    	configuration to verify that the application used SharedPreferences or PreferenceActivity 
	                    	to store the configuration data. For DataStore, the evaluator shall use a protocol 
	                    	buffer analyzer to examine the file to make sure it reflects the changes made to the 
	                    	configuration to verify that the application used DataStore to store the configuration data.
	                    	</h:p>
						</h:div>
						<h:div><depends ref="windows"/>The evaluator shall determine and verify that Windows
							Universal Applications use either the Windows.Storage namespace, Windows.UI.ApplicationSettings namespace,
							or the IsolatedStorageSettings namespace for storing application specific settings.
							For .NET applications, the evaluator shall determine and verify that the application 
							uses one of the locations listed in <h:a href='https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/'>
							https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/</h:a> for storing application specific 
							(whether application-wide or user-specific) settings.
							For Classic Desktop applications, the evaluator shall run the application while 
							monitoring it with the SysInternals tool <h:span class="util">ProcMon</h:span> and 
							make changes to its configuration. 
							The evaluator shall verify that <h:span class="util">ProcMon</h:span> logs show corresponding changes to the
							the Windows Registry or C:\ProgramData\ directory.
						</h:div>
						<h:div><depends ref="ios"/>The evaluator shall verify that the app uses the
							<h:code>user defaults system</h:code> or <h:code>key-value store</h:code> for storing all
							settings.</h:div>
						<h:div><depends ref="linux"/> 
							The evaluator shall run the application while monitoring it with the utility <h:span class="util">strace</h:span>.
							The evaluator shall make security-related changes to its configuration.
							The evaluator shall verify that <h:span class="util">strace</h:span> logs corresponding changes to configuration 
							files that reside in /etc (for system-specific configuration), 
							in the user's home directory (for user-specific configuration), or /var/lib/ (for configurations 
							controlled by UI and not intended to be directly modified by an administrator).
						</h:div>
						<h:div><depends ref="Solaris"/>
							The evaluator shall run the application while monitoring it with the utility 
							<h:span class="util">dtrace</h:span>.
							The evaluator shall make security-related changes to its configuration.
							The evaluator shall verify that <h:span class="util">dtrace</h:span> logs corresponding changes to 
							configuration 
							files that reside in /etc (for system-specific configuration) or 
							in the user's home directory (for user-specific configuration).
						</h:div>
						<h:div><depends ref="mac"/>
							The evaluator shall verify that the application stores and retrieves settings
							using the <h:code>NSUserDefaults</h:code> class.
						</h:div>
						If "<h:b>implement functionality to encrypt and store configuration options as defined by 
						FDP_PRT_EXT.1 in the PP-Module for File Encryption</h:b>" is selected, for all configuration 
						options listed in the TSS as being stored and protected using encryption, the evaluator 
						shall examine the contents of the configuration option storage (identified in the TSS) to determine 
						that the options have been encrypted.
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
	      
	      
        <f-component cc-id="fmt_smf.1" name="Specification of Management Functions">
			<f-element id="fel-management-funcs">
				<title> The TSF shall be capable of performing the following management functions 
					<selectables linebreak="yes">
						<selectable exclusive="yes">no management functions</selectable>
						<selectable> enable/disable the transmission of any information describing the
							system's hardware, software, or configuration</selectable>
						<selectable> enable/disable the transmission of any PII</selectable>
						<selectable> enable/disable transmission of any application state (e.g. crashdump)
							information</selectable>
						<selectable> enable/disable network backup functionality to <assignable> list of 
							enterprise or commercial cloud backup systems</assignable>
						</selectable>
						<selectable> <assignable> list of other management functions to be provided by
							the TSF</assignable></selectable> </selectables>.
				</title>
				<note role="application">
					This requirement stipulates that an application needs to provide the ability to 
					enable/disable only those functions that it actually implements. The application
					is not responsible for controlling the behavior of the platform or other applications.
				</note>
				<aactivity>
					<TSS><h:p>None.</h:p></TSS>
					<Guidance>
						<h:p>
						The evaluator shall verify that every management function 
						mandated by the PP is described in the operational guidance and that the description 
						contains the information required to perform the management duties associated with the 
						management function.</h:p>
					</Guidance>
					<Tests>
						The evaluator shall test the application's ability to provide the 
						management functions by configuring the application and testing each option selected 
						from above. The evaluator is expected to test these functions in all the ways in which 
						the ST and guidance documentation state the configuration can be managed.
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
    </section>   <!-- FMT -->

    <section title="Privacy (FPR)" id="fpr">
      <ext-comp-def fam-id="FPR_ANO_EXT" title="User Consent for Transmission of Personally Identifiable Information">
	<fam-behavior>
	  This family defines requirements for anonymity that are not covered by the Part 2 family FPR_ANO.
	</fam-behavior>
      </ext-comp-def>
	
      <f-component cc-id="fpr_ano_ext.1" name="User Consent for Transmission of Personally Identifiable Information">
	<comp-lev> requires the TSF to transmit personally identifiable information only with explicit approval.</comp-lev>
	<management>The following action could be considered for the management functions in FMT: <h:ul type="a">
		<h:li>Enabling and disabling the transmission of any PII.</h:li>
	</h:ul>
	</management>
    <audit>There are no auditable events foreseen.</audit>
    <dependencies>No dependencies.</dependencies>  	
      	
	<f-element id="fel-transmit-pii">
				<title>The application shall 
					<selectables onlyone="yes" linebreak="yes">
						<selectable>not transmit PII over a network</selectable>
						<selectable>require user approval before executing
							<assignable>list of functions that transmit PII over a network</assignable>
						</selectable></selectables>.
				</title>
				<note role="application">
					This requirement applies only to PII that is specifically requested by the application;
					it does not apply if the user volunteers PII without prompting from the application 
					into a general (or inappropriate) data field.
					A dialog box that declares intent to send PII presented to the user 
					at the time the application is started is sufficient to meet this requirement. 
				</note>
				<aactivity>
					<TSS>
						<h:p>The evaluator shall inspect the TSS documentation to verify it contains a list of functionality in the
						application where PII can be transmitted.</h:p>
					</TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documentation contains any instructions to configure the
						transmission of PII and details any prompts that would approve or deny transmission of PII.</h:p></Guidance>
					<Tests>
					<!--<testlist>
						<test>-->
						If "<h:b>require user approval before executing...</h:b>" is selected, the evaluator shall run the application and exercise the functionality responsible
						for transmitting PII and verify that user approval is required before transmission
						of the PII.
						<!--</test>
						Removing this test for now. 
						<test>
							The evaluator shall sniff network traffic while running the application 
							and verify that no PII is transmitted without user approval.
							If the application communicates over TLS, the evaluator shall use
							man-in-the-middle tools to expose encrypted traffic before sniffing.
						</test>     
					</testlist>-->
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
		
    </section>  <!-- FPR -->

    <section title="Protection of the TSF (FPT)" id="fpt">

    	<!-- FPT_AEX_EXT.1 -->
    	<!-- Incorporates TD436 -->
    	<!-- Incorporates TD445 -->
    	<!-- Incorporates TD544 -->
    	<ext-comp-def fam-id="FPT_AEX_EXT" title="Anti-Exploitation Capabilities">
    		<fam-behavior>
    			This family defines requirements for protecting against common types of software exploitation techniques.
    		</fam-behavior>
    	</ext-comp-def>
    	
    	<f-component cc-id="fpt_aex_ext.1" name="Anti-Exploitation Capabilities">
    		<comp-lev> requires the application to implement functionality that protects against common software exploits.</comp-lev>
    		<management>No specific management functions are identified.</management>
    		<audit>There are no auditable events foreseen.</audit>
    		<dependencies>No dependencies.</dependencies>
    		
    		<f-element id="fel-aslr">
    			<title> 
    				The application shall not request to map memory at an explicit address
    				except for <assignable>list of explicit exceptions</assignable>.
    			</title>
    			<note role="application"> Requesting a memory mapping at an explicit address
    				subverts address space layout randomization (ASLR). 
    			</note>
    			<aactivity level="element"> 
    				<TSS><h:p>
    					The evaluator shall ensure that the TSS describes the compiler flags used to 
    					enable ASLR when the application is compiled. If any explicitly-mapped exceptions are claimed, 
    					the evaluator shall check that the TSS identifies these exceptions, describes the static memory 
    					mapping that is used, and provides justification for why static memory mapping is appropriate in this case.
    				</h:p></TSS>
    				<Guidance><h:p>None.</h:p></Guidance>
    				<Tests> 
    					The evaluator shall perform either a static or dynamic
    					analysis to determine that no memory mappings are placed at an explicit and
    					consistent address  except for any exceptions claimed in the SFR. For these exceptions, 
    					the evaluator shall verify that this analysis shows explicit mappings that are consistent 
    					with what is claimed in the TSS. The method of doing so varies per platform. For those platforms 
    					requiring the same application running on two different systems, the evaluator may 
    					alternatively use the same device. After collecting the first instance of mappings, 
    					the evaluator must uninstall the application, reboot the device, and reinstall the application 
    					to collect the second instance of mappings.
    					<h:div><depends ref="android"/>
    						The evaluator shall run the same application on two
    						different Android systems. Both devices do not need to be evaluated, as the second device is acting only as a tool. 
    						Connect via ADB and inspect /proc/PID/maps. Ensure the two different instances share no memory mappings made by the 
    						application at the same location.
    					</h:div>
    					<h:div><depends ref="windows"/> 
    						The evaluator shall run the same application on two
    						different Windows systems and run a tool that will list all memory mapped addresses
    						for the application. The evaluator shall then verify the two different instances
    						share no mapping locations. The Microsoft SysInternals tool, VMMap, could be used to
    						view memory addresses of a running application.  The evaluator shall use a tool
    						such as Microsoft's BinScope Binary Analyzer to confirm that the application has
    						ASLR enabled.
    					</h:div>
    					<h:div><depends ref="ios"/>
    						The evaluator shall perform a static analysis to search
    						for any mmap calls (or API calls that call mmap), and ensure that
    						no arguments are provided that request a mapping at a fixed address.
    					</h:div>
    					<h:div><depends ref="linux"/> 
    						The evaluator shall run the same application on two different Linux systems. 
    						The evaluator shall then compare their memory maps using 
    						<h:code>pmap -x <h:i>PID</h:i> </h:code>
    						to ensure the two different instances share no mapping locations.
    					</h:div>
    					<h:div><depends ref="Solaris"/>
    						The evaluator shall run the same application on two different Solaris systems. 
    						The evaluator shall then compare their memory maps using 
    						<h:code>pmap -x <h:i>PID</h:i> </h:code>
    						to ensure the two different instances share no mapping locations.
    					</h:div>
    					<h:div><depends ref="mac"/>
    						The evaluator shall run the same application on two different Mac systems. 
    						The evaluator shall then compare their memory maps using 
    						<h:code>vmmap <h:i>PID</h:i></h:code>
    						to ensure the two different instances share no mapping locations.
    					</h:div>
    				</Tests>
    			</aactivity>
    		</f-element>
    		<f-element id="fel-nwx">
    			<title>
    				The application shall 
    				<selectables onlyone="yes" linebreak="yes">
    					<selectable>not allocate any memory region with both write and execute permissions</selectable>
    					<selectable>allocate memory regions with write and execute permissions for only
    						<assignable> list of functions performing just-in-time compilation</assignable>
    					</selectable></selectables>.
    			</title>
    			<note role="application"> 
    				Requesting a memory mapping with both write and execute permissions subverts the
    				platform protection provided by DEP.  If the application performs no just-in-time 
    				compiling, then the first selection must be chosen.
    			</note>
    			<aactivity level="element"> 
    				<TSS><h:p>None.</h:p></TSS>
    				<Guidance><h:p>None.</h:p></Guidance>
    				<Tests>
    					The evaluator shall verify that no memory mapping requests are made with write and
    					execute permissions. The method of doing so varies per platform.
    					<h:div><depends ref="android"/> 
    						The evaluator shall perform static analysis on the application to verify that <h:ul>
    							<h:li> mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions,
    								and </h:li>
    							<h:li> mprotect is never invoked.</h:li>
    						</h:ul> 
    					</h:div>
    					<h:div><depends ref="windows"/> 
    						The evaluator shall use a tool such as Microsoft's 
    						BinScope Binary Analyzer to confirm that the application passes the NXCheck. The 
    						evaluator may also ensure that the <h:code>/NXCOMPAT</h:code> flag was used during 
    						compilation to verify that DEP protections are enabled for the application. 
    					</h:div>
    					<h:div><depends ref="ios"/> 
    						The evaluator shall perform static analysis on the
    						application to verify that mprotect is never invoked with the PROT_EXEC permission. 
    					</h:div>
    					<h:div><depends ref="linux"/> 
    						The evaluator shall perform static analysis on the
    						application to verify that both <h:ul>
    							<h:li> mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions,
    								and </h:li>
    							<h:li> mprotect is never invoked with the PROT_EXEC permission.</h:li>
    						</h:ul>  
    					</h:div>
    					<h:div><depends ref="Solaris"/> 
    						The evaluator shall perform static analysis on the
    						application to verify that both <h:ul>
    							<h:li> mmap is never invoked with both the PROT_WRITE and PROT_EXEC permissions,
    								and </h:li>
    							<h:li> mprotect is never invoked with the PROT_EXEC permission.</h:li>
    						</h:ul>
    					</h:div>
    					<h:div><depends ref="mac"/> 
    						The evaluator shall perform static analysis on the
    						application to verify that mprotect is never invoked with the PROT_EXEC permission.
    					</h:div>
    				</Tests>
    			</aactivity>
    		</f-element>
    		<f-element id="fel-plays-nice">
    			<title>
    				The application shall be compatible with security features provided by the
    				platform vendor.
    			</title>
    			<note role="application">
    				This requirement is designed to ensure that platform security 
    				features do not need to be disabled in order for the application to run.
    			</note>
    			<aactivity level="element">
    				<TSS><h:p>None.</h:p></TSS>
    				<Guidance><h:p>None.</h:p></Guidance>
    				<Tests>
    					The evaluator shall configure the platform in the necessary manner and 
    					carry out one of the prescribed tests:
    					<h:div><depends ref="android"/>
    						Applications running on Android cannot disable Android 
    						security features, therefore this requirement is met and no evaluation activity is required.
    					</h:div>
    					<h:div><depends ref="windows"/>
    						<h:p>
    						If the OS platform supports Windows Defender Exploit Guard 
    						(Windows 10 version 1709 or later), then the evaluator shall ensure that the application can 
    						run successfully with Windows Defender Exploit Guard Exploit Protection configured with the 
    						following minimum mitigations enabled; Control Flow Guard (CFG), Randomize memory allocations 
    						(Bottom-Up ASLR), Export address filtering (EAF), Import address filtering (IAF), and
    						Data Execution Prevention (DEP). The following link describes how to enable Exploit Protection, 
    						https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide.
    						</h:p><h:p>
    						If the OS platform supports the Enhanced Mitigation Experience Toolkit (EMET) which can be 
    						installed on Windows 10 version 1703 and earlier, then the evaluator shall ensure that 
    						the application can run successfully with EMET configured with the following minimum 
    						mitigations enabled; Memory Protection Check, Randomize memory allocations (Bottom-Up ASLR), 
    						Export address filtering (EAF), and Data Execution Prevention (DEP).
    						</h:p>
    					</h:div>
    					<h:div><depends ref="ios"/>
    						Applications running on iOS cannot disable
    						security features, therefore this requirement is met and no evaluation activity is required.
    					</h:div>
    					<h:div><depends ref="linux"/> 
    						The evaluator shall ensure that the application can
    						successfully run on a system with either SELinux or AppArmor enabled and in enforce mode.
    					</h:div>
    					<h:div><depends ref="Solaris"/>
    						The evaluator shall ensure that the application can run with 
    						Solaris Trusted Extensions enabled and enforcing.
    					</h:div>
    					<h:div><depends ref="mac"/> 
    						The evaluator shall ensure that the application can
    						successfully run on macOS without disabling any security features. 
    					</h:div>
    				</Tests>
    			</aactivity>
    		</f-element>
    		<f-element id="fel-ro-exe">
    			<title>
    				The application shall not write user-modifiable files to directories that contain 
    				executable files unless explicitly directed by the user to do so.
    			</title>
    			<note role="application">
    				<h:p>
    				The purpose of this requirement is to help ensure the integrity of application binaries
    				by supporting file protection mechanisms such as directory-level file permissions and 
    				application allowlisting.
    				</h:p><h:p>
    				A user-modifiable file for purposes of this requirement is a file that is writable by
    				an unprivileged user of the application -- either directly through application 
    				execution or independently of the application. If the application runs in the context 
    				of the application user, then the application should not be able to write to the 
    				directory containing the application binaries -- regardless of whether the files 
    				are configuration data, audit data, or temporary files.
    				</h:p><h:p>
    				Executables and user-modifiable files may not share the same parent directory, but
    				may share directories above the parent.
    				</h:p>
    			</note>
    			<aactivity level="element">
    				<TSS><h:p>None.</h:p></TSS>
    				<Guidance><h:p>None.</h:p></Guidance>
    				<Tests>The evaluator shall run the application and determine where it writes its files.
    					For files where the user does not choose the destination, the evaluator shall 
    					check whether the destination directory contains executable files.
    					This varies per platform: 
    					<h:div><depends ref="android"/> 
    						The evaluator shall run the program, mimicking normal usage, and note where all user-modifiable files are written. 
    						The evaluator shall ensure that there are no executable files stored under <h:span style="path">/data/data/<h:i>package</h:i>/</h:span> where <h:i>package</h:i> is the Java package of the application.
    					</h:div>
    					<h:div><depends ref="windows"/>For Windows Universal Applications the evaluator shall consider
    						the requirement met because the platform forces applications to write all data
    						within the application working directory (sandbox). For Windows Desktop Applications
    						the evaluator shall run the program, mimicking normal usage, and note where all user-modifiable
    						files are written. The evaluator shall ensure that there are no executable files
    						stored in the same directories to which the application wrote user-modifiable files.</h:div>
    					<h:div><depends ref="ios"/>The evaluator shall consider the requirement met because
    						the platform forces applications to write all data within the application working
    						directory (sandbox).</h:div>
    					<h:div><depends ref="linux"/> 
    						The evaluator shall run the program, mimicking normal usage, 
    						and note where all user-modifiable files are written. 
    						The evaluator shall ensure that there are no executable files stored in the 
    						same directories to which the application wrote user-modifiable files.
    					</h:div>
    					<h:div><depends ref="Solaris"/>
    						The evaluator shall run the program, mimicking normal usage, 
    						and note where all user-modifiable files are written. 
    						The evaluator shall ensure that there are no executable files stored in the 
    						same directories to which the application wrote user-modifiable files.
    					</h:div>
    					<h:div><depends ref="mac"/> The evaluator shall run the program, mimicking normal
    						usage, and note where all user-modifiable files are written. The evaluator shall ensure that there
    						are no executable files stored in the same directories to which the application
    						wrote user-modifiable files.
    					</h:div>
    				</Tests>
    			</aactivity>
    		</f-element>
    		<f-element id="fel-stackcookies">
    			<title>The application shall be built with stack-based buffer overflow protection
    				enabled.</title>
    			<aactivity level="element">
    				<TSS><h:p>(Conditional: The PE or ELF automated tests fail) The evaluator shall ensure that the TSS describes 
    					the stack-based buffer overflow compiler flags.</h:p></TSS>
    				<Guidance><h:p>None.</h:p></Guidance>
    				<Tests>
    					The evaluator will inspect every native executable included in the TOE to ensure that stack-based buffer 
    					overflow protection is present.
    					<h:div><depends ref="windows"/>Applications that run as Managed Code in the .NET Framework do not require
    						these stack protections.
    						Applications developed in Object Pascal using the Delphi IDE compiled with RangeChecking enabled 
    						comply with this element. For other code, 
    						the evaluator shall review the TSS and verify that the /GS flag was used during compilation. The 
    						evaluator shall run a tool like, BinSkim, that can verify the correct usage of /GS.</h:div>
    					<h:div class="subaact"> <h:p><h:i><h:b>For PE</h:b></h:i>
    						, the evaluator will disassemble each and ensure the following sequence appears:</h:p>
    						<h:table class="code-table">
    							<h:tr><h:td>mov rcx, QWORD PTR [rsp+<h:i>(...)</h:i>]</h:td></h:tr>
    							<h:tr><h:td>xor rcx, <h:i>(...)</h:i></h:td></h:tr>
    							<h:tr><h:td>call <h:i>(...)</h:i></h:td></h:tr>
    						</h:table>
    					</h:div>
    					<h:div class="subaact"><h:p> <h:i><h:b>For ELF executables</h:b></h:i>, the evaluator will ensure that each 
    						contains references to the symbol <h:b>__stack_chk_fail</h:b>.</h:p>
    						<h:p>If these automated tests fail, the evaluator shall perform the above, conditional TSS activity.</h:p>
    					</h:div>
    					<h:p>
    						Tools such as <h:a href="https://github.com/commoncriteria/canary-detector">Canary Detector</h:a> may help
    						automate these activities.
    					</h:p>
    				</Tests>
    			</aactivity>
    		</f-element>
    	</f-component>
    	

      <ext-comp-def fam-id="FPT_API_EXT" title="Use of Supported Services and APIs">
	<fam-behavior>
	  This family defines requirements for specifying the environmental APIs used by the TOE.
	</fam-behavior>
      </ext-comp-def>
      <f-component cc-id="fpt_api_ext.1" name="Use of Supported Services and APIs">
	<comp-lev>requires the application to use only documented platform APIs.</comp-lev>
    <management>No specific management functions are identified.</management>
    <audit>There are no auditable events foreseen.</audit>
    <dependencies>No dependencies.</dependencies>
      	
	<f-element id="fel-api-what">
				<title>The application shall use only documented platform APIs.</title>
				<note role="application">
					The definition of "<h:i>documented</h:i>" may vary depending upon whether the application is provided by
					a third party (who relies upon documented platform APIs) or by a platform vendor 
					who may be able to guarantee support for platform APIs.
				</note>
				<aactivity>
					<TSS><h:p>The evaluator shall verify that the TSS lists the platform APIs 
						used in the application. The evaluator shall then compare the list with the supported APIs
						(available through e.g. developer accounts, platform developer groups) and ensure that all 
						APIs listed in the TSS are supported.
					</h:p>
					</TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests></Tests>
					
						
				</aactivity>
			</f-element>
		</f-component>
	      
	      
		<f-component cc-id="fpt_api_ext.2" name="Use of Supported Services and APIs" status="objective">
		  <comp-lev>requires the application to implement media parsing in a specified manner.</comp-lev>
			<management>No specific management functions are identified.</management>
			<audit>There are no auditable events foreseen.</audit>
			<dependencies>No dependencies.</dependencies>
			
			<f-element id="fel-api-parsers">
				<title> The application 
					<selectables onlyone="yes">
						<selectable>shall use platform-provided libraries</selectable>
						<selectable>does not implement functionality</selectable></selectables>
					for parsing <assignable> list of formats parsed that are included in the 
					IANA MIME media types</assignable>.
				</title>
				<note role="application">
					<h:p>
					The IANA MIME types are listed at
					<h:a href='http://www.iana.org/assignments/media-types'>http://www.iana.org/assignments/media-types</h:a> 
					and include many image, audio, video, and content file formats.
					</h:p><h:p>
					This requirement does not apply if providing parsing services is the purpose of the 
					application.
					</h:p>
				</note>
				<aactivity>
					<TSS>
						The evaluator shall verify that the TSS lists the IANA MIME media types
						(as described by <h:a href='http://www.iana.org/assignments/media-types'>
						http://www.iana.org/assignments/media-types</h:a>)
						for all formats the application processes
						and that it maps those formats to parsing services provided by the platform.
					</TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests><h:p>None.</h:p></Tests>
				</aactivity>
			</f-element>
        </f-component>
	      
	     
	
	<ext-comp-def fam-id="FPT_IDV_EXT" title="Software Identification and Versions">
	  <fam-behavior>
	    This family defines requirements for how the TOE version is identified.
	  </fam-behavior>
	</ext-comp-def>
	<!-- FPT_IDV_EXT.1 Software Identification and Versions -->
	<f-component cc-id="fpt_idv_ext.1" name="Software Identification and Versions">
	  <comp-lev> requires the TSF to specify the versioning mechanism used.</comp-lev>
		<management>No specific management functions are identified.</management>
		<audit>There are no auditable events foreseen.</audit>
		<dependencies>No dependencies.</dependencies>
		
			<f-element id="fel-swid">
				<title>The application shall be versioned with
					<h:i>SWID tags that comply with minimum requirements from ISO/IEC 19770-2:2015</h:i>.
				</title>
				<ext-comp-def-title>
					<title>The application shall be versioned with
						<selectables>
							<selectable>SWID tags 
								that comply with minimum requirements from ISO/IEC 19770-2:2015</selectable>
							<selectable><assignable>other version information</assignable></selectable></selectables>.
					</title>
				</ext-comp-def-title>
				<note role="application">
					<h:p>
					The use of a SWID tag to identify application software
					is a requirement for DOD IT based on DoD Instruction 8500.01 which requires
					the use of SCAP which includes SWID tags per the NIST standard. 
					</h:p><h:p>
					Valid SWID tags must contain a SoftwareIdentity element and an Entity element as 
					defined in the ISO/IEC 19770-2:2015 standard. SWID tags must be stored with a .swidtag 
					file extensions as defined in the ISO/IEC 19770-2:2015.
					</h:p>
				</note>
				<aactivity>
					<TSS><h:p>
						None.</h:p>
					</TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>
						The evaluator shall install the application and check for a.swidtag file. 
						The evaluator shall open the file and verify that 
						is contains at least a SoftwareIdentity element and an Entity element.
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
   
	<!-- FPT_LIB_EXT.1 Use of Third-Party Libraries -->
	<ext-comp-def fam-id="FPT_LIB_EXT" title="TSF Use of Third Party Libraries">
	  <fam-behavior>
	    This family defines requirements for identification of any third-party libraries used by the TOE.
	  </fam-behavior>
	</ext-comp-def>
	
        <f-component cc-id="fpt_lib_ext.1" name="Use of Third Party Libraries">
	  <comp-lev> requires the TOE to identify the third party libraries that it uses.</comp-lev>
      <management>No specific management functions are identified.</management>
      <audit>There are no auditable events foreseen.</audit>
      <dependencies>No dependencies.</dependencies>
        	
			<f-element id="fel-thirdparty-libs">
				<title> The application shall be packaged with only
					<assignable>list of third-party libraries</assignable>. 
				</title>
				<note role="application"> 
					The intention of this requirement is for the evaluator to discover and document whether the 
					application includes unnecessary or unexpected third-party libraries.  This includes
					adware libraries which could present a privacy threat, as well as ensuring
					documentation of such libraries in case vulnerabilities are later discovered.
				</note>
				<aactivity> 
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>
						The evaluator shall install the application and survey its installation directory for 
						dynamic libraries. 
						The evaluator shall verify that libraries found to be packaged with or employed by the 
						application are limited to those in the assignment.
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
	      
	          
	<!-- FPT_TUD_EXT.1 Integrity of Installation and Update -->
	<!-- incorporates TD561 -->
	<!-- incorporates TD548 -->
	<ext-comp-def fam-id="FPT_TUD_EXT" title="Trusted Updates">
	  <fam-behavior>
	    This family defines requirements for applying updates to the TOE.
	  </fam-behavior>
	</ext-comp-def>
        <f-component cc-id="fpt_tud_ext.1" name="Integrity for Installation and Update">
        	
	  <comp-lev> requires the TSF to specify how updates to it are acquired and verified.</comp-lev>
      <management>No specific management functions are identified.</management>
      <audit>There are no auditable events foreseen.</audit>
	  <dependencies>FPT_IDV_EXT.1 Software Identification and Versions</dependencies>
        	
	  <f-element id="fel-update-check">
				<title>The application shall <selectables>
					<selectable>provide the ability</selectable>
					<selectable>leverage the platform</selectable></selectables>
					 to check for updates and patches to the application software. 
				</title>
				<note role="application">
					This requirement is about the ability to "check" for updates.
					The actual installation of any updates should be done by the platform. This requirement
					is intended to ensure that the application can check for updates provided by the vendor,
					as updates provided by another source may contain malicious code.
				</note>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>
						The evaluator shall check to ensure the guidance includes a description of how check for and apply new updates.
					</h:p></Guidance>
					<Tests>
						The evaluator shall check for an update using procedures described in either the application documentation 
						or the platform documentation and verify that the application does not issue an error.
						If it is updated or if it reports that no update is available this requirement is considered to be met.
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-version-check">
				<title>The application shall <selectables>
					<selectable>provide the ability</selectable>
					<selectable>leverage the platform</selectable></selectables>
					to query the current version of the application software.
				</title>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>
						The evaluator shall verify guidance includes a description of how to query the current 
						version of the application.
					</h:p></Guidance>
					<Tests> 
						The evaluator shall query the application for the current version of the software
						according to the operational user guidance. The evaluator shall then verify that the 
						current version matches that of the documented and installed version.
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-nomod-exe">
				<title> 
					The application shall not download, modify, replace or update its own binary code. 
				</title>
				<note role="application">
					This requirement applies to the code of the application; it
					does not apply to mobile code technologies that are designed for download and
					execution by the application. 
				</note>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>
						The evaluator shall verify that the application's executable files are
						not changed by the application. 
						<h:div><depends ref="ios"/>The evaluator shall consider the requirement met because the platform forces
							applications to write all data within the application working directory (sandbox).
						</h:div>
						<h:p>For all other platforms, the evaluator shall perform the following test:</h:p>
						<testlist>
							<test>The evaluator shall install the application and then locate all of its executable files. 
								The evaluator shall then, for each file, save off either a hash of the file or a copy of the file 
								itself. The evaluator shall then run the application and exercise all features of the application as 
								described in the ST. The evaluator shall then compare each executable file with either the saved 
								hash or the saved copy of the files. The evaluator shall verify that these are identical.
							</test>
						</testlist>
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-patch-sign">  <!-- FPT_TUD_EXT.1.4 -->
				<title> 
					Application updates shall be digitally signed such that the application platform can cryptographically verify them prior to installation.
				</title>
				<note role="application">
					The specifics of the verification of updates involves requirements on the platform (and not the
					application), so these are not fully specified here. 
				</note>
				<aactivity level="element">
					<TSS><h:p>
						The evaluator shall verify that the TSS identifies how updates to the application  
						are signed by an authorized source. The definition of an
						authorized source must be contained in the TSS.
						The evaluator shall also ensure that the TSS (or the operational
						guidance) describes how candidate updates are obtained.
					</h:p></TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>None.</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-distro">
				<title> 
					The application is distributed 
					<selectables>
						<selectable id="sel_with_plat">with the platform OS</selectable>
						<selectable id="sel_add_plat">as an additional software package to the platform OS</selectable></selectables>.
				</title>
				<note role="application">
					Application software that is distributed as part of the platform operating system is not 
					required to be packaged for installation or uninstallation. If "<h:b>as an additional software
						package to the platform OS</h:b>" is selected, the requirements from FPT_TUD_EXT.2 
					must be included in the ST.
				</note>
				<aactivity level="element">
					<TSS><h:p>
						The evaluator shall verify that the TSS identifies how the application
						is distributed. If "<h:b>as an additional package...</h:b>" is selected, the evaluator
						shall perform the tests in FPT_TUD_EXT.2.</h:p>
					</TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>If "<h:b>with the platform OS </h:b>" is selected, the evaluated shall perform
						a clean installation or factory reset to confirm that TOE software is included
						as part of the platform OS.</Tests>
				</aactivity>
			</f-element>
        </f-component>
		<!-- FPT_TUD_EXT.2 Integrity for Installation and Update -->
		<!-- Incorporates TD548, which reincorporates TD178 from v1.2, back when 
			current FPT_TUD_EXT.2.2 was FPT_TUD_EXT.1.3 -->	  
		<!-- incorporates TD561 (adds FPT_TUD_EXT.2.3) -->
        <f-component cc-id="fpt_tud_ext.2" name="Integrity for Installation and Update" status="sel-based">
	  <depends on-sel="sel_add_plat"/>
        	
	  <comp-lev> requires TOE updates to be packaged in a certain manner.</comp-lev>
      <management>No specific management functions are identified.</management>
      <audit>There are no auditable events foreseen.</audit>
      <dependencies>FPT_TUD_EXT.1 Integrity for Installation and Update</dependencies>
	  
			<f-element id="fel-patch-native">
				<title>
					The application shall be distributed using 
					<selectables>
						<selectable>the format of the platform-supported package manager</selectable>
						<selectable>a container image</selectable></selectables>.
				</title>
				<aactivity level="element">
					<TSS><h:p>The evaluator shall verify the TSS contains a description of how the application
						is distributed and verify that description aligns with the selections in the ST.</h:p></TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<!-- updated to reflect NIAP TD0628 -->
					<!-- updated to reflect NIAP TD0664 -->
					<Tests>
						If a container image is claimed, the evaluator shall verify that application updates are distributed as container images.
						If the format of the platform-supported package manager is claimed,
						the evaluator shall verify that application updates are distributed in the
						format supported by the platform. This varies per platform:               
						<h:div><depends ref="android"/> The evaluator shall ensure that the application is
							packaged in the Android application package (APK) format. </h:div>
						<h:div><depends ref="windows"/> The evaluator shall ensure that the application is
							packaged in the standard Windows Installer (.MSI) format, the Windows Application 
							Software (.EXE) format signed using the Microsoft Authenticode process, or the 
							Windows Universal Application package (.APPX) format. See 
							https://msdn.microsoft.com/en-us/library/ms537364(v=vs.85).aspx for details 
							regarding Authenticode signing.  
						</h:div>
						<h:div><depends ref="ios"/> The evaluator shall ensure that the application is
							packaged in the IPA format. </h:div>
						<h:div><depends ref="linux"/> The evaluator shall ensure that the application is
							packaged in the format of the package management infrastructure of the chosen
							distribution. For example, applications running on Red Hat and Red Hat derivatives
							shall be packaged in <h:code>RPM</h:code> format. Applications running on Debian and Debian
							derivatives shall be packaged in <h:code>DEB</h:code> format. </h:div>
						<h:div><depends ref="Solaris"/> The evaluator shall ensure that the application is
							packaged in the PKG format. </h:div>
						<h:div><depends ref="mac"/> The evaluator shall ensure that the application is packaged
							in the DMG format, the PKG format, or the MPKG format. </h:div>
					</Tests>
				</aactivity>
			</f-element>
			<f-element id="fel-removal">
				<title>
					The application shall be packaged such that its removal results in the deletion 
					of all traces of the application, with the exception of configuration settings, output
					files, and audit/log events.
				</title>
				<note role="application">Applications software bundled with the system/firmware image 
					are not subject to this requirement if the user is unable to remove the application through
					means provided by the OS.
				</note>
				<aactivity level="element">
					<TSS><h:p>None.</h:p></TSS>
					<Guidance><h:p>The evaluator shall verify the guidance documentation details how uninstallation of the 
						application is performed.</h:p></Guidance>
					<Tests>
						<h:div><depends ref="android"/>The evaluator shall consider the requirement met because 
							the platform forces applications to write all data within the application working 
							directory (sandbox).</h:div>
						<h:div><depends ref="ios"/>The evaluator shall consider the requirement met because 
							the platform forces applications to write all data within the application working 
							directory (sandbox).</h:div>
						<h:p>For all other platforms, the evaluator shall record the path of every file on the entire filesystem prior to installation of the 
						application, and then install and run the application. Afterward, the evaluator shall uninstall the application, 
						and compare the resulting filesystem to the initial record to verify that no files, other than configuration, output, 
						and audit or log files, have been added to the filesystem.</h:p>
					</Tests>
				</aactivity>
			</f-element>        
			<f-element id="fel-verify"> <!-- Not sure what to put for the f-element id. 2.3 is added here per TD0561 -->
				<title>
					The application installation package shall be digitally signed such that its platform can 
					cryptographically verify them prior to installation.
				</title>
				<note role="application"> 
					The specifics of the verification of installation packages involves 
					requirements on the platform (and not the application), so these are not fully specified here.
				</note>
				<aactivity level="element">
					<TSS>
						<h:p>
						The evaluator shall verify that the TSS identifies how the application installation package 
						is signed by an authorized source. The definition of an authorized source must be contained 
						in the TSS.</h:p>
					</TSS>
					<Guidance><h:p>None.</h:p></Guidance>
					<Tests>None.</Tests>
				</aactivity>
			</f-element>
        </f-component>
       

    </section>  <!-- FPT -->
	    
	    
    <section title="Trusted Path/Channel (FTP)" id="ftp">
	  
      <!-- FTP_DIT_EXT.1 Protection of Data in Transit -->
      <!-- Modified by TD0609 -->
      <ext-comp-def fam-id="FTP_DIT_EXT" title="Protection of Data in Transit">
	<fam-behavior>
	  This family defines requirements for protecting data in transit.
	</fam-behavior>
      </ext-comp-def>
		
      <f-component cc-id="ftp_dit_ext.1" name="Protection of Data in Transit">
	<comp-lev>requires the TSF to specify what data is transmitted outside the TOE over a trusted channel, 
		what protocol is used for data transmission, and whether the TSF implements 
		this protocol or invokes an environmental interface to do so.</comp-lev>
    <management>No specific management functions are identified.</management>
    <audit>There are no auditable events foreseen.</audit>
    <dependencies>No dependencies.</dependencies>
	
	<!-- updated to reflect NIAP TD0655 -->
			<f-element id="fel-transmit">
				<title>The application shall 
					<selectables linebreak="yes">
						<selectable exclusive="yes">not transmit any 
							<selectables onlyone="yes">
								<selectable>data</selectable>
								<selectable>sensitive data</selectable></selectables>
						</selectable>
						<selectable>encrypt all transmitted 
							<selectables onlyone="yes">
								<selectable>sensitive data</selectable>
								<selectable>data</selectable></selectables> with
							<selectables>
								<selectable id="sel_all_https_cl">HTTPS as a client in accordance with FCS_HTTPS_EXT.1/Client</selectable>
								<selectable id="sel_all_https_sv">HTTPS as a server in accordance with FCS_HTTPS_EXT.1/Server</selectable>
								<selectable id="sel_all_https_ma">HTTPS as a server using mutual authentication in accordance with FCS_HTTPS_EXT.2</selectable>
								<selectable id="sel_all_tlss">TLS as a server as defined in the <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&amp;id=439"><h:i>Functional Package for TLS</h:i></h:a> and also supports functionality for
									<selectables><selectable>mutual authentication</selectable><selectable>none</selectable></selectables></selectable>
								<selectable id="sel_all_tlsc">TLS as a client as defined in the <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&amp;id=439"><h:i>Functional Package for TLS</h:i></h:a></selectable>
								<selectable id="sel_all_dtlss">DTLS as a server as defined in the <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&amp;id=439"><h:i>Functional Package for TLS</h:i></h:a> and also supports functionality for
									<selectables><selectable>mutual authentication</selectable><selectable>none</selectable></selectables></selectable>
								<selectable id="sel_all_dtlsc">DTLS as a client as defined in the <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=439&amp;id=439"><h:i>Functional Package for TLS</h:i></h:a></selectable>
								<selectable id="sel_all_ssh">SSH as defined in the <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=459&amp;id=459"><h:i>Functional Package for Secure Shell</h:i></h:a></selectable>
								<selectable id="sel_all_ipsec">IPsec as defined in the <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=419&amp;id=419"><h:i>PP-Module for VPN Client</h:i></h:a></selectable></selectables>
							for <assignable>function(s)</assignable>
							using certificates as defined in the <h:i>Functional Package for X.509</h:i>
						</selectable>
						<selectable>invoke platform-provided functionality to encrypt all transmitted sensitive data with
							<selectables>
								<selectable>HTTPS</selectable>
								<selectable>TLS</selectable>
								<selectable>DTLS</selectable>
								<selectable>SSH</selectable>
								<selectable>IPsec</selectable>
							</selectables> for <assignable>function(s)</assignable>
							using certificates as defined in the <h:i>Functional Package for X.509</h:i>
						</selectable>	    	      
						<selectable>invoke platform-provided functionality to encrypt all transmitted data with
							<selectables>
								<selectable>HTTPS</selectable>
								<selectable>TLS</selectable>
								<selectable>DTLS</selectable>
								<selectable>SSH</selectable> 
								<selectable>IPsec</selectable>
							</selectables> for <assignable>function(s)</assignable>
							using certificates as defined in the <h:i>Functional Package for X.509</h:i>
						</selectable>
					</selectables> between itself and another trusted IT product.
				</title>
				<ext-comp-def-title>
				<title>The application shall 
					<selectables onlyone="yes" linebreak="yes">
						<selectable>not transmit any 
							<selectables onlyone="yes">
								<selectable>data</selectable>
								<selectable>sensitive data</selectable></selectables>
						</selectable>
						<selectable>encrypt all transmitted 
							<selectables onlyone="yes">
								<selectable>sensitive data</selectable>
								<selectable>data</selectable></selectables> with
							<assignable>trusted protocol</assignable> for <assignable>function(s)</assignable>
						</selectable>
						<selectable>invoke platform-provided functionality to encrypt all transmitted sensitive data with
							<assignable>trusted protocol</assignable> for <assignable>function(s)</assignable>
						</selectable>	    	      
						<selectable>invoke platform-provided functionality to encrypt all transmitted data with
							<assignable>trusted protocol</assignable> for <assignable>function(s)</assignable>
						</selectable></selectables> between itself and another trusted IT product.
				</title>
				</ext-comp-def-title>
				<note role="application">
					<!--The X509 requirements are invoked based on the selections in FTP_DIT_EXT.1; if you select a protocol that uses certificates,
					then you must include the SFRs that address the certificates.   
					X509 SFRs shall be included if selections for HTTPS, TLS, or DTLS are included (FCS_HTTPS, FCS_TLSC, FCS_TLSS, FCS_DTLS).
					-->
					<h:p>
					Encryption is not required for applications transmitting data that is not sensitive.
					</h:p><h:p>
						If <h:b>not transmit any</h:b> is selected, no other option can be selected.
					</h:p><h:p>
						If <h:b>not transmit any</h:b> is NOT selected, it is possible to select more than one of the other options to encrypt data 
					for a specific cryptographic function 
					(e.g., application encrypts management data using SSH AND application invokes platform-provided functionality 
					to encrypt syslog data using TLS OR application encrypts syslog data using TLS. 
					Protocol selections and function assignments should be made to cover all data/sensitive data.
					</h:p><h:p>
					If "<h:b>encrypt all transmitted</h:b>" is selected and "<h:b>TLS</h:b>" or "<h:b>DTLS</h:b>" as a client or server is selected, then 
					corresponding components from the Functional Package for TLS must be selected.
					</h:p><h:p>
					If "<h:b>encrypt all transmitted</h:b>" is selected, "<h:b>HTTPS</h:b>" is selected, and the 
					TOE acts as a client, then FCS_HTTPS_EXT.1/Client is required.
					</h:p><h:p>
					If "<h:b>encrypt all transmitted</h:b>" is selected, "<h:b>HTTPS</h:b>" is selected, and the 
					TOE acts as a server, then FCS_HTTPS_EXT.1/Server is required.
					</h:p><h:p>
					If the TOE acts as an HTTPS server and if "<h:b>mutual authentication</h:b>" is selected,
					then FCS_HTTPS_EXT.2 is also required.
					</h:p><h:p>
					If "<h:b>encrypt all transmitted</h:b>" is selected and "<h:b>SSH</h:b>" is selected, then the 
					TSF shall be validated against the  <h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=459&amp;id=459">
					<h:i>Functional Package for Secure Shell</h:i></h:a>.
					</h:p><h:p>
					If "<h:b>encrypt all transmitted</h:b>" is selected and "<h:b>IPsec</h:b>" is selected, then the
					TSF must claim conformance to a <h:i>PP-Configuration that includes the
					<h:a href="https://www.niap-ccevs.org/Profile/Info.cfm?PPID=461&amp;id=461">
					VPN Client PP-Module</h:a></h:i>
					</h:p><h:p>
					If "<h:b>encrypt all transmitted</h:b>" is selected the corresponding FCS_COP.1 
					requirements will be included.
					</h:p>
				</note>  
				<aactivity>
					<TSS>
					<h:p>
						The evaluator shall confirm the TSS describes the data transmitted, and verify it matches the selections of all 
						<h:i>data</h:i> or <h:i>sensative data</h:i>.
					</h:p><h:p>
						The evalutator shall confirm the TSS describes the method by which the data is protected and that is matches the chosen selections, 
						if multiple selections are included the evaluator shall verify the TSS describes which data is sent over which trusted channels 
						and the totallity of the data type selection is covered by all chosen selections.
					</h:p><h:p>
						For platform-provided functionality, the evaluator shall verify the TSS contains the calls to the platform that the TOE is 
						leveraging to invoke the functionality. The evaluator shall verify calls are documented by the platform vendor and non-depricated.
					</h:p><h:p>
						For platform-provided HTTPS, IPsec, TLS, or DTLS as a client the evaluator shall verify that the TSS lists any specific calls the product uses that specifies 
						or allows the end users to specify cipher suites, support for mutual authentication, support for session renegotiation, hash algorithms 
						for the signature_algorithms extension in the Client Hello with the supported_signature_algorithms value, and the supported groups in the 
						Supported Groups Extension in Client Hello.  The evaluator shall verify any calls the product specifies align with the options provided 
						in this PP and the TLS Funtional Package.
					</h:p><h:p>
						For platform-provided HTTPS, IPsec, TLS, or DTLS as a server the evaluator shall verify that the TSS lists any specific calls the product uses that specifies 
						or allows the end users to specify cipher suites, which protocols are denied connection requests, key establishment alorithms, 
						support for mutual authentication, response to an invalid client certificate, and support for session renegotiation. 
						The evaluator shall verify any calls the product specifies align with the options provided 
						in this PP and the TLS Funtional Package.
					</h:p><h:p>
						For platform-provided HTTPS dthe evaluator shall verify that the TSS lists any specific calls the product uses that specifies 
						or allows the end users to specify the response to an invalid certificate.
					</h:p><h:p>
						For platform-provided HTTPS as a server the evaluator shall verify that the TSS lists any specific calls the product uses that specifies 
						or allows the end users to specify cipher suites, which protocols are denied connection requests, key establishment alorithms, 
						support for mutual authentication, response to an invalid client certificate, and support for session renegotiation. 
						The evaluator shall verify any calls the product specifies align with the options provided 
						in this PP and the TLS Funtional Package.
					</h:p><h:p>
						For platform-provided SSH the evaluator shall verify that the TSS lists any specific calls the product uses that specifies 
						or allows the end users to specify the applicable RFCs, the authentication methods, the limit for dropping large packets in an SSH transport
						connection, the SSH transport accepted algorithms, the SSH public key for public-key based authentication,
						The diffie-hellman-group used for key exchange, and the parameters of session rekey or termination. 
						The evaluator shall verify any calls the product specifies align with the options provided 
						in this PP and the SSH Funtional Package.
					</h:p>
					</TSS>
					<Guidance>
						<h:p>
						The evaluator shall confirm the guidance documentation contains any information necessary for enabling and configuring the trusted 
						channels that have been selected.</h:p></Guidance>
					<Tests>
						The evaluator shall perform the following tests.
						<testlist>
							<test>
								 The evaluator shall exercise the application (attempting to transmit data; for 
								 example by connecting to remote systems or websites) while capturing packets from 
								 the application. The evaluator shall verify from the packet capture that the
								 traffic is encrypted with HTTPS, TLS, DTLS, SSH, or IPsec in accordance with the
								 selection in the ST.
							</test>
							<test>
								The evaluator shall exercise the application (attempting to transmit data; for
								example by connecting to remote systems or websites) while capturing packets from 
								the application. The evaluator shall review the packet capture and verify that no 
								sensitive data is transmitted in the clear.
							</test>
							<test>
								The evaluator shall inspect the TSS to determine if user credentials are transmitted.
								If credentials are transmitted the evaluator shall set the credential to a known
								value. The evaluator shall capture packets from the application while causing
								credentials to be transmitted as described in the TSS. The evaluator shall perform
								a string search of the captured network packets and verify that the plaintext
								credential previously set by the evaluator is not found.
							</test>
						</testlist>
						<h:div><depends ref="android"/>
							If "<h:b>not transmit any data</h:b>" is selected, the evaluator shall ensure that the application's 
							AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag 
							containing android:name="android.permission.INTERNET". In this case, it is not necessary to perform 
							
							the above Tests 1, 2, or 3, as the platform will not allow the application to perform any network 
							communication.
							<!-- TODO: The current wording here adds additional work when "encrypt all transmitted data"
						   is selected. It'd be preferable if we can instead simplify evaluation in that case, to encourage
						   app developers to select it, so this is commented out for now.
						   If "encrypt all transmitted data" is selected, the evaluator
						   shall ensure that the application's manifest declares usesCleartextTraffic="false". It is
						   still necessary to perform the above tests, as this manifest entry is only enforced on
						   a best effort basis by the platform. -->
						</h:div>
						<h:div><depends ref="ios"/>
							If "<h:b>encrypt all transmitted data</h:b>" is selected, the evaluator shall ensure that the application's
							Info.plist file does not contain the NSAllowsArbitraryLoads or 
							NSExceptionAllowsInsecureHTTPLoads keys, as these keys disable iOS's Application 
							Transport Security feature.
							<!-- TODO: Check the strength of iOS's App Transport Security enforcement (if apps
							can't easily bypass it, then we can skip performing Tests 1, 2, 3 on iOS when
							App Transport Security isn't explicitly disabled (assuming use of iOS 9 or greater)). -->
						</h:div>
					</Tests>
				</aactivity>
			</f-element>
        </f-component>
		
    </section>   <!-- Trusted Path/Channel (FTP) -->

	<!-- 5.1.7 TOE Security Functional Requirements Rationale -->
	<!-- auto generated -->


    </sec:SFRs>  <!-- 5.1 Security Functional Requirements -->
	  
	  
	<!-- 5.2 Security Assurance Requirements -->
    <section title="Security Assurance Requirements" id="SARs">
	<h:p>
		The Security Functional Requirements (SFRs) in <xref to="SFRs"/> are a formal
		instantiation of the addressed <xref to="Threats"/>. The PP identifies the Security Assurance Requirements
		(SARs) to frame the extent to which the evaluator assesses the documentation applicable for the evaluation 
		and performs independent testing.
	</h:p><h:p>
		This section lists the set of SARs from CC part 3 that are required in evaluations against this
		PP. Individual Evaluation Activities (EAs) to be performed are specified both
		in <xref to="req"/> as well as in this section. These SARs were chosen based on the notion that a hypothetical attacker of the TOE lacks administrative privilege
    	on its platform but otherwise has persistent access to the TOE itself and the sophistication to interact with the platform in a way that they can
    	attmept to access stored data without authorization or to run tools that automate more sophisticated malicious activity.
	</h:p><h:p>
		The general model for evaluation of TOEs against STs written to conform to this PP is as follows:
	</h:p><h:p>
		After the ST has been approved for evaluation, the  CCTL will obtain the TOE, supporting
		environmental IT, and the administrative/user guides for the TOE. The CCTL is expected to
		perform actions mandated by the Common Evaluation Methodology (CEM) for the ASE and
		ALC SARs. The CCTL also performs the evaluation activities contained within <xref to="req"/>,
		which are intended to be an interpretation of the other CEM assurance requirements as they
		apply to the specific technology instantiated in the TOE. The evaluation activities that are
		captured in <xref to="req"/> also provide clarification as to what the developer needs
		to provide to demonstrate the TOE is compliant with the PP. The results of these activities will be documented
	    and presented (along with the administrative guidance used) for validation.
	</h:p>
    <section title="Class ASE: Security Target" id="ase">
		As per ASE activities defined in <xref to="bibCEM"/>.
    </section> <!-- Class ASE -->
	
    <section title="Class ADV: Development" id="adv">The information about the TOE
        is contained in the guidance documentation available to the end user as
        well as the TSS portion of the ST. The TOE developer 
        must concur with the description of the product that is contained in the TSS as it relates 
        to the functional requirements. The evaluation activities contained in 
        <xref to="SFRs"/> should provide the ST authors with sufficient information to 
        determine the appropriate content for the TSS section. 
        <a-component cc-id="adv_fsp.1" name="Basic Functional Specification (ADV_FSP.1)">The functional
			specification describes the TSFIs. It is not necessary
			to have a formal or complete specification of these interfaces. Additionally, because
            TOEs conforming to this PP will necessarily have interfaces to the
			Operational Environment that are not directly invocable by TOE users, 
			there is little point specifying that such interfaces be described in and of themselves 
			since only indirect testing of such interfaces may be possible. For this PP, the 
			activities for this family should focus on understanding the interfaces presented in the 
			TSS in response to the functional requirements and the interfaces 
			presented in the AGD documentation. No additional “functional specification” documentation 
			is necessary to satisfy the evaluation activities specified. The interfaces that need to be 
			evaluated are characterized through the information needed to perform the assurance 
			activities listed, rather than as an independent, abstract list. 
			<a-element type="D">
				<title>The developer shall provide a functional specification.</title>
			</a-element>
			<a-element type="D">
				<title>The developer shall provide a tracing from the functional specification to the
					SFRs.</title>
				<note role="application">As indicated in the introduction to this section, the
					functional specification is comprised of the information contained in the AGD_OPE and
					AGD_PRE documentation. The developer may reference a website accessible to application
					developers and the evaluator. The evaluation activities in the functional requirements
					point to evidence that should exist in the documentation and TSS
					section; since these are directly associated with the SFRs, the tracing in element
					ADV_FSP.1.2D is implicitly already done and no additional documentation is
					necessary.
				</note>
			</a-element>   
			<a-element type="C">
				<title>The functional specification shall describe the purpose and method of use for
					each SFR-enforcing and SFR-supporting TSFI.</title>
			</a-element>
			<a-element type="C">
				<title>The functional specification shall identify all parameters associated with each
					SFR-enforcing and SFR-supporting TSFI.</title>
			</a-element>
			<a-element type="C">
				<title>The functional specification shall provide rationale for the implicit
					categorization of interfaces as SFR-non-interfering.</title>
			</a-element>
			<a-element type="C">
				<title>The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.</title>
			</a-element>    
			<a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all requirements
					for content and presentation of evidence.</title>
			</a-element>
			<a-element type="E">
				<title>The evaluator shall determine that the functional specification is an accurate
					and complete instantiation of the SFRs.</title>
				<aactivity>
				<!-- <TSS>-->
					There are no specific evaluation activities associated with these SARs, except
					ensuring the information is provided. The functional specification documentation is
					provided to support the evaluation activities described in <xref to="SFRs"/>, and
					other activities described for AGD, ATE, and AVA SARs. The requirements on the content
					of the functional specification information is implicitly assessed by virtue of the
					other evaluation activities being performed; if the evaluator is unable to perform an
					activity because there is insufficient interface information, then an adequate
					functional specification has not been provided.
				<!-- </TSS> -->
				</aactivity>
			</a-element>
        </a-component>
    </section>  <!-- Class ADV -->
	  
	  
    <section id="agd" title="Class AGD: Guidance Documentation">
		The guidance documents will be
        provided with the ST. Guidance must include a description of how the IT personnel verifies
        that the Operational Environment can fulfill its role for the security functionality. The
        documentation should be in an informal style and readable by the IT personnel. Guidance must
        be provided for every operational environment that the product supports as claimed in the
        ST. This guidance includes instructions to successfully install the TSF in
        that environment; and instructions to manage the security of the TSF as a 
        product and as a component of the larger operational environment. Guidance pertaining to 
        particular security functionality is also provided; requirements on such guidance are 
        contained in the evaluation activities specified with each requirement.
		
        <a-component cc-id="agd_ope.1" name="Operational User Guidance (AGD_OPE.1)">
			<a-element type="D">
				<title>The developer shall provide operational user guidance.</title>
				<note role="application">The operational user guidance does not have to be contained in a
					single document. Guidance to users, administrators and application developers can be
					spread among documents or web pages. Where appropriate, the guidance documentation is
					expressed in the eXtensible Configuration Checklist Description Format (XCCDF) to
					support security automation. Rather than repeat information here, the developer should
					review the evaluation activities for this component to ascertain the specifics of the
					guidance that the evaluator will be checking for. This will provide the necessary
					information for the preparation of acceptable guidance.
				</note>
			</a-element>  
			<a-element type="C">
				<title>The operational user guidance shall describe, for each user role, the
					user-accessible functions and privileges that should be controlled in a secure
					processing environment, including appropriate warnings.</title>
				<note role="application">User and administrator are to be considered in the definition
					of user role.</note>
			</a-element>
			<a-element type="C">
				<title>The operational user guidance shall describe, for each user role, how to use the
					available interfaces provided by the TOE in a secure manner.</title>
			</a-element>
			<a-element type="C">
				<title>The operational user guidance shall describe, for each user role, the available
					functions and interfaces, in particular all security parameters under the control of
					the user, indicating secure values as appropriate.</title>
			</a-element>
			<a-element type="C">
				<title>The operational user guidance shall, for each user role, clearly present each
					type of security-relevant event relative to the user-accessible functions that need to
					be performed, including changing the security characteristics of entities under the
					control of the TSF.</title>
			</a-element>
			<a-element type="C">
				<title>The operational user guidance shall identify all possible modes of operation of
					the TOE (including operation following failure or operational
					error), their consequences, and implications for maintaining secure operation.</title>
			</a-element>
			<a-element type="C">
				<title>The operational user guidance shall, for each user role, describe the security
					measures to be followed in order to fulfill the security objectives for the
					operational environment as described in the ST.</title>
			</a-element>
			<a-element type="C">
				<title>The operational user guidance shall be clear and reasonable.</title>
			</a-element>     
			<a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all requirements
					for content and presentation of evidence.</title>
				<aactivity>
				<!--<Guidance>-->
				<h:p>
					Some of the contents of the operational guidance will be verified by the
					evaluation activities in <xref to="SFRs"/> and evaluation of the TOE
					according to the <xref to="bibCEM"/>. The following additional
					information is also required.
				</h:p><h:p>
					If cryptographic functions are provided by the 
					TOE, the operational guidance shall contain instructions for 
					configuring the cryptographic engine associated with the evaluated configuration of 
					the TOE. It shall provide a warning to the administrator that use of 
					other cryptographic engines was not evaluated nor tested during the CC evaluation of 
					the TOE.
				</h:p><h:p>
					The documentation must describe the process for verifying 
					updates to the TOE by verifying a digital signature – this may
					be done by the TOE or the underlying platform. 
				</h:p><h:p>
					The evaluator shall verify that this process includes the following steps: </h:p>
					<h:ul>      
						<h:li>Instructions for obtaining the 
							update itself. This should include instructions for making the update accessible to 
							the TOE (e.g., placement in a specific directory).</h:li>    
						<h:li>Instructions for initiating the update process, as well as discerning whether the process was 
							successful or unsuccessful. This includes generation of the digital signature. 
							The TOE will likely contain security functionality that does not 
							fall in the scope of evaluation under this PP. The operational guidance shall make it 
							clear to an administrator which security functionality is covered by the evaluation 
							activities.</h:li></h:ul>
				<!--	      </Guidance> -->
				</aactivity>
			</a-element>
		</a-component>
		
		<a-component cc-id="agd_pre.1" name="Preparative Procedures (AGD_PRE.1)">
			<a-element type="D">
				<title>The developer shall provide the TOE, including its preparative procedures.</title>
				<note role="application">
					As with the operational guidance, the developer should look to
					the evaluation activities to determine the required content with respect to preparative
					procedures.</note>
			</a-element>     
			<a-element type="C">
				<title>The preparative procedures shall describe all the steps necessary for secure
					acceptance of the delivered TOE in accordance with the developer's
					delivery procedures.</title>
			</a-element>
			<a-element type="C">
				<title>The preparative procedures shall describe all the steps necessary for secure
					installation of the TOE and for the secure preparation of the
					operational environment in accordance with the security objectives for the operational
					environment as described in the ST.</title>
			</a-element>    
			<a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all requirements
					for content and presentation of evidence.</title>
			</a-element>
			<a-element type="E">
				<title>The evaluator shall apply the preparative procedures to confirm that the TOE
					can be prepared securely for operation.</title>
				<aactivity>
				<!-- <Guidance> -->
					As indicated in the introduction above, there are significant expectations
					with respect to the documentation—especially when configuring the operational
						environment to support TOE functional requirements. The evaluator 
					shall check to ensure that the guidance provided for the TOE 
					adequately addresses all platforms claimed for the TOE in the ST.
				<!--</Guidance> -->
				</aactivity>
			</a-element>
		</a-component>
	</section>  <!-- Class AGD -->
  
  
	<section id="alc" title="Class ALC: Life-cycle Support">
        At the assurance level provided for TOEs conformant to this PP, life-cycle support is limited
        to end-user-visible aspects of the life-cycle, rather than an examination of the TOE vendor’s
        development and configuration management process. This is not meant to diminish the
        critical role that a developer’s practices play in contributing to the overall trustworthiness of a
        product; rather, it is a reflection on the information to be made available for evaluation at this
        assurance level.
        <a-component cc-id="alc_cmc.1" name="Labeling of the TOE (ALC_CMC.1)">
			This component is targeted at identifying the TOE such that it can be distinguished from
			other products or versions from the same vendor and can be easily specified when being
			procured by an end user. 
            <a-element type="D">
				<title>The developer shall provide the TOE and a reference for the TOE.</title>
            </a-element>
			<a-element type="C">
				<title>The application shall be labeled with a unique reference.</title>
				<note role="application">
					Unique reference information includes:
					<h:ul>
						<h:li>Application Name</h:li>
						<h:li>Application Version</h:li>
						<h:li>Application Description</h:li>
						<h:li>Platform on which Application Runs</h:li>
						<h:li>Software Identification (SWID) tags, if available</h:li>
					</h:ul>
				</note>
			</a-element>
			<a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all
					requirements for content and presentation of evidence.</title>
				<aactivity>
                <!-- <TSS>--> 
					The evaluator shall check the ST to ensure that it contains an identifier
					(such as a product name/version number) that specifically identifies the version that
					meets the requirements of the ST. Further, the evaluator shall check the operational guidance
					and TOE samples received for testing to ensure that the version
					number is consistent with that in the ST. If the vendor maintains a website
					advertising the TOE, the evaluator shall examine the information on 
					the website to ensure that the information in the ST is sufficient to distinguish the
					product.
				<!--	    </TSS> -->
				</aactivity>
            </a-element>
        </a-component>
        <a-component cc-id="alc_cms.1" name="TOE CM Coverage (ALC_CMS.1)">
			<a-element type="D">
				<title>The developer shall provide a configuration list for the TOE.</title>
			</a-element>
            <a-element type="C">
				<title>The configuration list shall include the following: the TOE
					itself; and the evaluation evidence required by the SARs.</title>
			</a-element>
			<a-element type="C">
				<title>The configuration list shall uniquely identify the configuration items.</title>
			</a-element>
            <a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all requirements
					for content and presentation of evidence.</title>
				<aactivity>
                <!-- <TSS> -->
					The "evaluation evidence required by the SARs" in this PP is limited to the
					information in the ST coupled with the guidance provided to administrators and users
					under the AGD requirements. By ensuring that the TOE is specifically
					identified and that this identification is consistent in the ST and in the AGD
					guidance (as done in the evaluation activity for ALC_CMC.1), the evaluator implicitly
					confirms the information required by this component. Life-cycle support is targeted
					aspects of the developer’s life-cycle and instructions to providers of applications
					for the developer’s devices, rather than an in-depth examination of the TSF
					manufacturer’s development and configuration management process.
					This is not meant to diminish the critical role that a developer’s practices play in
					contributing to the overall trustworthiness of a product; rather, it’s a reflection on
					the information to be made available for evaluation.
				<!--	      </TSS>
				<Guidance> -->
				<h:p>
					The evaluator shall ensure that the developer has identified (in guidance documentation for application
					developers concerning the targeted platform) one or more development environments
					appropriate for use in developing applications for the developer’s platform. For each
					of these development environments, the developer shall provide information on how to
					configure the environment to ensure that buffer overflow protection mechanisms in the
					environment(s) are invoked (e.g., compiler flags). The evaluator shall ensure that
					this documentation also includes an indication of whether such protections are on by
					default, or have to be specifically enabled. The evaluator shall ensure that the 
					TSF is uniquely identified (with respect to other products from the 
					TSF vendor), and that documentation provided by the developer in 
					association with the requirements in the ST is associated with the 
					TSF using this unique identification. </h:p> 
				<!-- </Guidance>--> 
				</aactivity> 
			</a-element>  
		</a-component>
		
		
		
		<a-component cc-id="alc_flr.1" name="Basic Flaw Remediation (ALC_FLR.1)">
			<a-element type="D">
				<title>The developer shall document and provide flaw remediation procedures addressed to TOE
					developers.</title>
			</a-element>
			<a-element type="C">
				<title>The flaw remediation procedures documentation shall describe the procedures used to
					track all reported security flaws in each release of the TOE.</title>
			</a-element>
			<a-element type="C">
				<title>The flaw remediation procedures shall require that a description of the nature and effect
					of each security flaw be provided, as well as the status of finding a correction to that flaw.</title>
			</a-element>
			<a-element type="C">
				<title>The flaw remediation procedures shall require that corrective actions be identified for
					each of the security flaws.</title>
			</a-element>
			<a-element type="C">
				<title>The flaw remediation procedures documentation shall describe the methods used to
					provide flaw information, corrections and guidance on corrective actions to TOE users.</title>
			</a-element>
			<a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all requirements for
					content and presentation of evidence.</title>
				<aactivity>
					<!-- <TSS> 
					TBD
						      </TSS>
				<Guidance> 
					<h:p>
						TBD
					 </Guidance>--> 
				</aactivity> 
			</a-element>  
		</a-component>
		
		
		
		<a-component cc-id="alc_flr.2" name="Flaw Reporting Procedures (ALC_FLR.2)">
			<a-element type="D">
				<title>
					The developer shall document and provide flaw remediation procedures addressed to TOE
					developers.</title>
			</a-element>
			<a-element type="D">
				<title>
					The developer shall establish a procedure for accepting and acting upon all reports of
					security flaws and requests for corrections to those flaws.
				</title>
			</a-element>
			<a-element type="D">
				<title>
					The developer shall provide flaw remediation guidance addressed to TOE users.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures documentation shall describe the procedures used to track all
					reported security flaws in each release of the TOE.</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall require that a description of the nature and effect of each
					security flaw be provided, as well as the status of finding a correction to that flaw.</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall require that corrective actions be identified for each of the
					security flaws.</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures documentation shall describe the methods used to provide flaw
					information, corrections and guidance on corrective actions to TOE users.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall describe a means by which the developer receives
					from TOE users reports and enquiries of suspected security flaws in the TOE.
					</title>
			</a-element>
			<a-element type="C">
				<title>
					The procedures for processing reported security flaws shall ensure that any reported
					flaws are remediated and the remediation procedures issued to TOE users.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The procedures for processing reported security flaws shall provide safeguards that any
					corrections to these security flaws do not introduce any new flaws.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation guidance shall describe a means by which TOE users report to the
					developer any suspected security flaws in the TOE.
				</title>
			</a-element>
			<a-element type="E">
				<title>
					The evaluator shall confirm that the information provided meets all requirements for content and
					presentation of evidence.</title>
				<aactivity>
					<!-- <TSS> 
					TBD
						      </TSS>
				<Guidance> 
					<h:p>
						TBD
					 </Guidance>--> 
				</aactivity> 
			</a-element>  
		</a-component>		
	

		<a-component cc-id="alc_flr.3" name="Systematic Flaw Remediation (ALC_FLR.3)" status="optional">
			<a-element type="D">
				<title>
					The developer shall document and provide flaw remediation procedures addressed to TOE
					developers.
				</title>
			</a-element>
			<a-element type="D">
				<title>
					The developer shall establish a procedure for accepting and acting upon all reports of security
					flaws and requests for corrections to those flaws.
				</title>
			</a-element>
			<a-element type="D">
				<title>
					The developer shall provide flaw remediation guidance addressed to TOE users.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures documentation shall describe the procedures used to track all
					reported security flaws in each release of the TOE.
					</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall require that a description of the nature and effect of each
					security flaw be provided, as well as the status of finding a correction to that flaw.
					</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall require that corrective actions be identified for each of the
					security flaws.
					</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures documentation shall describe the methods used to provide flaw
					information, corrections and guidance on corrective actions to TOE users.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall describe a means by which the developer receives from
					TOE users reports and enquiries of suspected security flaws in the TOE.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation procedures shall include a procedure requiring timely response and
					the automatic distribution of security flaw reports and the associated corrections to
					registered users who might be affected by the security flaw.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The procedures for processing reported security flaws shall ensure that any reported flaws are
					remediated and the remediation procedures issued to TOE users.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The procedures for processing reported security flaws shall provide safeguards that any
					corrections to these security flaws do not introduce any new flaws.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation guidance shall describe a means by which TOE users report to the
					developer any suspected security flaws in the TOE.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation guidance shall describe a means by which TOE users may register
					with the developer, to be eligible to receive security flaw reports and corrections.
				</title>
			</a-element>
			<a-element type="C">
				<title>
					The flaw remediation guidance shall identify the specific points of contact for all reports
					and enquiries about security issues involving the TOE.
				</title>
			</a-element>
			<a-element type="E">
				<title>
					The evaluator shall confirm that the information provided meets all requirements for content and
					presentation of evidence.</title>
				<aactivity>
					<!-- <TSS> 
					TBD
						      </TSS>
				<Guidance> 
					<h:p>
						TBD
					 </Guidance>--> 
				</aactivity> 
			</a-element>  
		</a-component>	



        <a-component cc-id="alc_tsu_ext.1" name="Timely Security Updates">
			This component requires the TOE developer, in conjunction with any other necessary parties,
			to provide information as to how the end-user devices are updated to address security issues
			in a timely manner. The documentation describes the process of providing updates to the
			public from the time a security flaw is reported/discovered, to the time an update is released.
			This description includes the parties involved (e.g., the developer, carriers(s)) and the steps
			that are performed (e.g., developer testing, carrier testing), including worst case time periods,
			before an update is made available to the public.
			<a-element type="D">
				<title>The developer shall provide a description in the TSS of how timely
					security updates are made to the TOE.</title>
				<note>
					Application developers must support updates to their products for purposes of
					fixing security vulnerabilities.
				</note>
			</a-element>
			<a-element type="D">
				<title>
					The developer shall provide a description in the TSS of how users are notified when 
					updates change security properties or the configuration of the product.
				</title>
			</a-element>   
			<a-element type="C">
				<title>The description shall include the process for creating and deploying
				security updates for the TOE software.</title>
			</a-element>
			<a-element type="C">
				<title>The description shall express the time window as the length of time, 
					in days, between public disclosure of a vulnerability and the public availability
					of security updates to the TOE.</title>
			</a-element>
			<a-element type="C">
				<title>The description shall include the mechanisms publicly available for
					reporting security issues pertaining to the TOE.</title>
				<note role="application">
					The reporting mechanism could include a website or email address as
					well as a means to protect the sensitive nature of the report (e.g., public keys that could be
					used to encrypt the details of a proof-of-concept exploit).
				</note>
			</a-element>  
			<a-element type="E">
				<title>The evaluator <h:i>shall confirm</h:i> that the information provided meets all
					requirements for content and presentation of evidence.</title>
				<aactivity>
					<h:p>
					The evaluator shall verify that the TSS contains a description of the timely security update
					process used by the developer to create and deploy security updates. The evaluator shall
					verify that this description addresses the entire application. The evaluator shall also
					verify that, in addition to the TOE developer’s process, any
					third-party processes are also addressed in the description. The evaluator shall
					also verify that each mechanism for deployment of security updates is described.
					</h:p><h:p>
					The evaluator shall verify that, for each deployment mechanism described for the update
					process, the TSS lists a time between public disclosure of a vulnerability and public
					availability of the security update to the TOE patching this vulnerability, to include any third-party
					or carrier delays in deployment. The evaluator shall verify that this time is expressed in
					a number or range of days.
					</h:p><h:p>
					The evaluator shall verify that this description includes the publicly available mechanisms
					(including either an email address or website) for reporting security issues related to the TOE.
					The evaluator shall verify that the description of this mechanism includes a method for
					protecting the report either using a public key for encrypting email or a trusted channel for a
					website.
					</h:p>
				</aactivity>
			</a-element>        
        </a-component>
    </section>  <!-- Class ALC -->
	  
    <section id="ate" title="Class ATE: Tests">
		Testing is specified for functional aspects of
        the system as well as aspects that take advantage of design or implementation weaknesses.
        The former is done through the ATE_IND family, while the latter is through the AVA_VAN
        family. At the assurance level specified in this PP, testing is based on advertised
        functionality and interfaces with dependency on the availability of design information. One
        of the primary outputs of the evaluation process is the test report as specified in the
        following requirements. 
        
        <a-component cc-id="ate_ind.1" name="Independent Testing – Conformance (ATE_IND.1)"> 
			Testing is performed to confirm the
			functionality described in the TSS as well as the administrative
			(including configuration and operational) documentation provided. The focus of the testing
			is to confirm that the requirements specified in <xref to="SFRs"/> are being met,
			although some additional testing is specified for SARs in <xref to="SARs"/>. The
			evaluation activities identify the additional testing activities associated with these
			components. The evaluator produces a test report documenting the plan for and results of
			testing, as well as coverage arguments focused on the platform/TOE
			combinations that are claiming conformance to this PP. Given the scope of the 
			TOE and its associated evaluation evidence requirements, this 
			component’s evaluation activities are covered by the evaluation activities listed for ALC_CMC.1. 
            <a-element type="D">
				<title>The developer shall provide the TOE for testing.</title>
				<note role="application">The developer must provide at least one product instance of the TOE for complete testing on at least one
					platform regardless of equivalency. See the Equivalency Appendix for more details.
				</note>
            </a-element>         
            <a-element type="C">
				<title>The TOE shall be suitable for testing.</title>
			</a-element>  
            <a-element type="E">
				<title>The evaluator <h:i>shall confirm</h:i> that the information provided meets all
					requirements for content and presentation of evidence.</title>
			</a-element>
            <a-element type="E">
				<title>The evaluator shall test a subset of the TSF to confirm
					that the TSF operates as specified.</title>
				<note role="application">The evaluator should test the application on the most current
					fully patched version of the platform.</note>
				<aactivity>
				<h:p>
					The evaluator shall prepare a test plan and report documenting the testing
					aspects of the system, including any application crashes during testing. The evaluator
					shall determine the root cause of any application crashes and include that information
					in the report. The test plan covers all of the testing actions contained in
					the <xref to="bibCEM"/> and the body of this PP’s evaluation activities.
				</h:p><h:p>
					While it is not necessary to have one test case per test listed in an evaluation activity, the
					evaluator must document in the test plan that each applicable testing requirement in
					the ST is covered. The test plan identifies the platforms to be tested, and for those
					platforms not included in the test plan but included in the ST, the test plan provides
					a justification for not testing the platforms. This justification must address the
					differences between the tested platforms and the untested platforms, and make an
					argument that the differences do not affect the testing to be performed. It is not
					sufficient to merely assert that the differences have no effect; rationale must be
					provided. If all platforms claimed in the ST are tested, then no rationale is
					necessary. The test plan describes the composition of each platform to be tested, and
					any setup that is necessary beyond what is contained in the AGD documentation. It
					should be noted that the evaluator is expected to follow the AGD documentation for
					installation and setup of each platform either as part of a test or as a standard
					pre-test condition. This may include special test drivers or tools. For each driver or
					tool, an argument (not just an assertion) should be provided that the driver or tool
					will not adversely affect the performance of the functionality by the TOE and its platform.
				</h:p><h:p>
					This also includes the configuration of the
					cryptographic engine to be used. The cryptographic algorithms implemented by this
					engine are those specified by this PP and used by the cryptographic protocols being
					evaluated (e.g SSH). The test plan identifies high-level test objectives
					as well as the test procedures to be followed to achieve those objectives. These
					procedures include expected results. 
				</h:p><h:p>
					The test report (which could just be an annotated
					version of the test plan) details the activities that took place when the test
					procedures were executed, and includes the actual results of the tests. This shall be
					a cumulative account, so if there was a test run that resulted in a failure; a fix
					installed; and then a successful re-run of the test, the report would show a “fail”
					and “pass” result (and the supporting details), and not just the “pass” result.
				</h:p>
				</aactivity>
			</a-element>	  
        </a-component>
    </section>  <!-- Class ATE -->
	  
	<!-- incorporates TD 554 -->
    <section id="ava" title="Class AVA: Vulnerability Assessment">
		For the current generation of
        this protection profile, the evaluation lab is expected to survey open sources to discover
        what vulnerabilities have been discovered in these types of products. In most cases, these
        vulnerabilities will require sophistication beyond that of a basic attacker. Until
        penetration tools are created and uniformly distributed to the evaluation labs, the
        evaluator will not be expected to test for these vulnerabilities in the TOE. The labs will be expected to comment on the likelihood of these vulnerabilities given
        the documentation provided by the vendor. This information will be used in the development
        of penetration testing tools and for the development of future protection profiles.
		
        <a-component cc-id="ava_van.1" name="Vulnerability Survey (AVA_VAN.1)">
			<a-element type="D">
				<title>The developer shall provide the TOE for testing.</title>
			</a-element>	
			<a-element type="C">
				<title>The application shall be suitable for testing.</title>
					<note role="application">Suitability for testing means not being obfuscated or
						packaged in such a way as to disrupt either static or dynamic analysis by the
						evaluator.</note>
			</a-element>  
			<a-element type="E">
				<title>The evaluator shall confirm that the information provided meets all requirements
					for content and presentation of evidence.</title>
			</a-element>
			<a-element type="E">
				<title>The evaluator shall perform a search of public domain sources to identify
					potential vulnerabilities in the TOE.</title>
				<note role="application">Public domain sources include the Common Vulnerabilities 
					and Exposures (CVE) dictionary for publicly known vulnerabilities.  Public domain
					sources also include sites which provide free checking of files for viruses.</note>
					<!-- their Usage statement does not permit us to mention VirusTotal by name without permission -->
			</a-element>
			<a-element type="E">
				<title>The evaluator shall conduct penetration testing, based on the identified
					potential vulnerabilities, to determine that the TOE is resistant to
					attacks performed by an attacker possessing Basic attack potential.</title>
				<aactivity>
				<h:p>
					The evaluator shall generate a report to document their findings with respect to this 
					requirement. This report could physically be part of the overall test report mentioned in
					ATE_IND, or a separate document. The evaluator performs a search of public information to find
					vulnerabilities that have been found in similar applications with a particular focus on network 
					protocols the application uses and document formats it parses.
				</h:p><h:p>
					The evaluator documents the sources consulted and the vulnerabilities found in the report.
				</h:p><h:p>
					For each vulnerability found, the evaluator either provides a rationale with respect to its 
					non-applicability, or the evaluator formulates a test (using the guidelines provided in ATE_IND)
					to confirm the vulnerability, if suitable. Suitability is determined by assessing the attack 
					vector needed to take advantage of the vulnerability. If exploiting the vulnerability requires
					expert skills and an electron microscope, for instance, then a test would not be suitable and 
					an appropriate justification would be formulated.
				</h:p><h:p>
					<h:span style="font-weight: bold; font-effect: italic">For Windows, Linux, macOS and Solaris:</h:span>
					The evaluator shall also run a virus scanner with the most current virus definitions against the 
					application files and verify that no files are flagged as malicious.
					</h:p>
				</aactivity>
			</a-element> 
        </a-component>
    </section>  <!-- Class AVA -->
    </section>  <!-- Security Assurance Requirements -->
	</sec:req>

  <appendix title="Entropy Documentation and Assessment" id="entropyappendix"> 
  	<h:p>
  This appendix describes the required supplementary information for the entropy
  source used by the TOE.
  	</h:p><h:p>
  The documentation of the entropy source should be detailed enough that, after
  reading, the evaluator will thoroughly understand the entropy source and why
  it can be relied upon to provide sufficient entropy. This documentation should
  include multiple detailed sections: design description, entropy justification,
  operating conditions, and health testing. This documentation is not required to
  be part of the TSS. 
  	</h:p>
<section id="entropydesign" title="Design Description">
	<h:p>
  Documentation shall include the design of the entropy source as a whole,
  including the interaction of all entropy source components. Any information
  that can be shared regarding the design should also be included for any
  third-party entropy sources that are included in the product. 
	</h:p><h:p>
		The documentation shall describe how unprocessed (raw) data was obtained for the analysis. This
		description shall be sufficiently detailed to explain at what point in the entropy source model the data
		was collected and what effects, if any, the process of data collection had on the overall entropy
		generation rate. The documentation
  should walk through the entropy source design indicating where the entropy
  comes from, where the entropy output is passed next, any post-processing
  of the raw outputs (hash, XOR, etc.), if/where it is stored, and finally,
  how it is output from the entropy source. Any conditions placed on the
  process (e.g., blocking) should also be described in the entropy source
  design. Diagrams and examples are encouraged. 
	</h:p><h:p>
  This design must also include a description of the content of the
  security boundary of the entropy source and a description of how
  the security boundary ensures that an adversary outside the boundary
  cannot affect the entropy rate.
	</h:p><h:p>
  If implemented, the design description shall include a description
  of how third-party applications can add entropy to the RBG. A
  description of any RBG state saving between power-off and
  power-on shall be included.
	</h:p>
</section>

<section id="entropyjustification" title="Entropy Justification">
	<h:p>
  There should be a technical argument for where the unpredictability in
  the source comes from and why there is confidence in the entropy source
  delivering sufficient entropy for the uses made of the RBG output
  (by this particular TOE). This argument will include a description of
  the expected min-entropy rate (i.e. the minimum entropy (in bits) per
  bit or byte of source data) and explain that sufficient entropy is
  going into the TOE randomizer seeding process. This discussion will
  be part of a justification for why the entropy source can be relied
  upon to produce bits with entropy.
	</h:p><h:p>
  The amount of information necessary to justify the expected
  min-entropy rate depends on the type of entropy source included in the
  product.
	</h:p><h:p>
  For developer provided entropy sources, in order to justify the
  min-entropy rate, it is expected that a large number of raw source
  bits will be collected, statistical tests will be performed, and the
  min-entropy rate determined from the statistical tests. While no
  particular statistical tests are required at this time, it is expected
  that some testing is necessary in order to determine the amount of
  min-entropy in each output.
	</h:p><h:p>
  For third party provided entropy sources, in which the TOE vendor
  has limited access to the design and raw entropy data of the source, the
  documentation will indicate an estimate of the amount of min-entropy
  obtained from this third-party source.  It is acceptable for the vendor
  to “assume” an amount of min-entropy, however, this assumption must be
  clearly stated in the documentation provided.  In particular, the
  min-entropy estimate must be specified and the assumption included
  in the ST.
	</h:p><h:p>
  Regardless of type of entropy source, the justification will also
  include how the DRBG is initialized with the entropy stated in the ST,
  for example by verifying that the min-entropy rate is multiplied by the
  amount of source data used to seed the DRBG or that the rate of entropy
  expected based on the amount of source data is explicitly stated and
  compared to the statistical rate. If the amount of source data used to
  seed the DRBG is not clear or the calculated rate is not explicitly
  related to the seed, the documentation will not be considered complete.
	</h:p><h:p>
  The entropy justification shall not include any data added from
  any third-party application or from any state saving between restarts.
	</h:p>
</section>

<section id="entropyoperatingconditions" title="Operating Conditions">
  The entropy rate may be affected by conditions outside the control
  of the entropy source itself.  For example, voltage, frequency,
  temperature, and elapsed time after power-on are just a few of the
  factors that may affect the operation of the entropy source.
  As such, documentation will also include the range of operating conditions
  under which the entropy source is expected to generate random data.
  It will clearly describe the measures that have been taken in the
  system design to ensure the entropy source continues to operate
  under those conditions. Similarly, documentation shall describe
  the conditions under which the entropy source is known to malfunction
  or become inconsistent. Methods used to detect failure or degradation
  of the source shall be included.
</section>

<section id="entropyhealthtesting" title="Health Testing">
  More specifically, all entropy source health tests and their rationale
  will be documented. This will include a description of the health tests,
  the rate and conditions under which each health test is performed
  (e.g., at startup, continuously, or on-demand), the expected results
  for each health test, and rationale indicating why each test is
  believed to be appropriate for detecting one or more failures in the
  entropy source.
</section>
  
  </appendix>

  <appendix id="equiv" title="Application Software Equivalency Guidelines">
    <section id="app-intro" title="Introduction">
    	<h:p>
      The purpose of equivalence in PP-based evaluations is to find a balance between evaluation rigor and commercial practicability—to 
      ensure that evaluations meet customer expectations while recognizing that there is little to be gained from requiring that every 
      variation in a product or platform be fully tested. If a product is found to be compliant with a PP on one platform, then all 
      equivalent products on equivalent platforms are also considered to be compliant with the PP.
    	</h:p><h:p>
      A Vendor can make a claim of equivalence if the Vendor believes that a particular instance of their Product implements PP-specified 
      security functionality in a way equivalent to the implementation of the same functionality on another instance of their Product on 
      which the functionality was tested. The Product instances can differ in version number or feature level (model), or the instances may
      run on different platforms. Equivalency can be used to reduce the testing required across claimed evaluated configurations. It can 
      also be used during Assurance Maintenance to reduce testing needed to add more evaluated configurations to a certification.
    	</h:p><h:p>
      These equivalency guidelines do not replace Assurance Maintenance requirements or NIAP Policy #5 requirements for CAVP certificates. 
      Nor may equivalency be used to leverage evaluations with expired certifications.
    	</h:p><h:p>
      These Equivalency Guidelines represent a shift from complete testing of all product instances to more of a risk-based approach. 
      Rather than require that every combination of product and platform be tested, these guidelines support an approach that recognizes
      that products are being used in a variety of environments—and often in cloud environments over where the vendor (and sometimes the 
      customer) have little or no control over the underlying hardware. Developers should be responsible for the security functionality of 
      their applications on the platforms they are developed for—whether that is an operating system, a virtual machine, or a software-based
      execution environment such as a container. But those platforms may themselves run within other environments—virtual machines or
      operating systems—that completely abstract away the underlying hardware from the application. The developer should not be held
      accountable for security functionality that is implemented by platform layers that are abstracted away. The implication is that
      not all security functionality will necessarily be tested for all platform layers down to the hardware for all evaluated
      configurations—especially for applications developed for software-based execution environments such as containers. For these cases, 
      the balancing of evaluation rigor and commercial practicability tips in favor of practicability. Note that this does not affect
      the requirement that at least one product instance be fully tested on at least one platform with cryptography mapped to a CAVP 
      certificate.
    	</h:p><h:p>
      Equivalency has two aspects:
    	</h:p>
      <h:ol>
        <h:li><h:b><h:i>Product Equivalence:</h:i></h:b> Products may be considered equivalent if there are no
          differences between Product Models and Product Versions with respect to PP-specified security functionality.</h:li>
        <h:li><h:b><h:i>Platform Equivalence:</h:i></h:b> Platforms may be considered equivalent if there are no
          significant differences in the services they provide to the Product—or in the way the platforms 
          provide those services—with respect to PP-specified security functionality.</h:li>
      </h:ol>
      The equivalency determination is made in accordance with these guidelines by the Validator and Scheme using information provided by the Evaluator/Vendor.
    </section>
    <section id="approach" title="Approach to Equivalency Analysis">
    	<h:p>
      There are two scenarios for performing equivalency analysis. One is when a product has been certified and the vendor 
      wants to show that a later product should be considered certified due to equivalence with the earlier product. The 
      other is when multiple product variants are going though evaluation together and the vendor would like to reduce 
      the amount of testing that must be done. The basic rules for determining equivalence are the same in both cases. 
      But there is one additional consideration that applies to equivalence with previously certified products. That is, 
      the product with which equivalence is being claimed must have a valid certification in accordance with scheme rules
      and the Assurance Maintenance process must be followed. If a product’s certification has expired, then equivalence 
      cannot be claimed with that product.
    	</h:p><h:p>
      When performing equivalency analysis, the Evaluator/Vendor should first use the factors and guidelines for Product
      Model equivalence to determine the set of Product Models to be evaluated. In general, Product Models that do not differ 
      in PP-specified security functionality are considered equivalent for purposes of evaluation against the AppPP.
    	</h:p><h:p>
      If multiple revision levels of Product Models are to be evaluated—or to determine whether a revision of an evaluated 
      product needs re-evaluation—the Evaluator/Vendor and Validator should use the factors and guidelines for Product 
      Version equivalence to analyze whether Product Versions are equivalent.
    	</h:p><h:p>
      Having determined the set of Product Models and Versions to be evaluated, the next step is to determine the set of
      Platforms that the Products must be tested on.
    	</h:p><h:p>
      Each non-equivalent Product for which compliance is claimed must be fully tested on each non-equivalent platform 
      for which compliance is claimed. For non-equivalent Products on equivalent platforms, only the differences that
      affect PP-specified security functionality must be tested for each product.
    	</h:p><h:p>
      <h:b><h:i>“Differences in PP-Specified Security Functionality” Defined</h:i></h:b>
    	</h:p><h:p>
      If PP-specified security functionality is implemented by the TOE, then differences in the actual implementation
      between versions or product models break equivalence for that feature. Likewise, if the TOE implements the 
      functionality in one version or model and the functionality is implemented by the platform in another version 
      or model, then equivalence is broken. If the functionality is implemented by the platform in multiple models or 
      versions on equivalent platforms, then the functionality is considered different if the product invokes the platform 
      differently to perform the function.
    	</h:p>
    </section>
    <section id="modelequiv" title="Specific Guidance for Determining Product Model Equivalence">
      <h:p>
      Product Model equivalence attempts to determine whether different feature levels of the same product across 
      a product line are equivalent for purposes of PP testing. For example, if a product has a “basic” edition and an “enterprise” 
      edition, is it necessary to test both models? Or does testing one model provide sufficient assurance that both models 
      are compliant?
      </h:p><h:p>
      Product models are considered equivalent if there are no differences that affect PP-specified security 
      functionality—as indicated in Table 1.
      </h:p><h:p>
      
      <h:table border="1">
        <h:tr class="header" bgcolor="#cccccc">
          <h:td valign="top">Factor</h:td>
          <h:td valign="top">Same/Different</h:td>
          <h:td valign="top">Guidance</h:td>
        </h:tr>
        <h:tr>
          <h:td rowspan="2" valign="top">PP-Specified Functionality</h:td>
          <h:td valign="top">Same</h:td>
          <h:td valign="top">If the differences between Models affect only non-PP-specified functionality, then the Models are equivalent. </h:td>
        </h:tr>
        <h:tr>
          <h:td valign="top">Different</h:td>
          <h:td valign="top">If PP-specified security functionality is affected by the differences between Models, 
            then the Models are not equivalent and must be tested separately. It is necessary only to test the functionality 
            affected by the software differences. If only differences are tested, then the differences must be enumerated, 
            and for each difference the Vendor must provide an explanation of why each difference does or does not affect 
            PP-specified functionality. If the Product Models are separately tested fully, then there is no need to document the differences. 
          </h:td>
        </h:tr>
      </h:table>
      <h:b>Table 1. Determining Product Model Equivalence</h:b>
      </h:p>
    </section>
    <section id="versionequiv" title="Specific Guidance for Determining Product Version Equivalence">
      <h:p>
      In cases of version equivalence, differences are expressed in terms of changes implemented in revisions 
      of an evaluated Product. In general, versions are equivalent if the changes have no effect on any 
      security-relevant claims about the TOE or assurance evidence. Non-security-relevant changes to TOE 
      functionality or the addition of non-security-relevant functionality does not affect equivalence.
      </h:p><h:p>
      <h:table border="1">
        <h:tr class="header" bgcolor="#cccccc">
          <h:td valign="top">Factor</h:td>
          <h:td valign="top">Same/Different</h:td>
          <h:td valign="top">Guidance</h:td>
        </h:tr>
        <h:tr valign="top">
          <h:td valign="top">Product Models</h:td>
          <h:td valign="top">Different</h:td>
          <h:td valign="top">Versions of different Product Models are not equivalent unless the Models are equivalent as defined in Section 3.</h:td>
        </h:tr>
        <h:tr>
          <h:td rowspan="2" valign="top">PP-Specified Functionality</h:td>
          <h:td valign="top">Same</h:td>
          <h:td valign="top">If the differences affect only non-PP-specified functionality, then the Versions are equivalent. </h:td>
        </h:tr>
        <h:tr>
          <h:td valign="top">Different</h:td>
          <h:td valign="top">If PP-specified security functionality is affected by the differences, then the 
            Versions are not considered equivalent and must be tested separately. It is necessary only to test 
            the functionality affected by the changes. If only the differences are tested, then for each 
            difference the Vendor must provide an explanation of why the difference does or does not affect 
            PP-specified functionality. If the Product Versions are separately tested fully, then there is 
            no need to document the differences. </h:td>
        </h:tr>
      </h:table>
      <h:b>Table 2. Factors for Determining Product Version Equivalence</h:b>
      </h:p>
    </section>
    <section id="platformequiv" title="Specific Guidance for Determining Platform Equivalence">
      <h:p>
      Platform equivalence is used to determine the platforms that equivalent versions of a Product must be tested on. 
      Platform equivalence analysis done for one software application cannot be applied to another software application.
      Platform equivalence is not general—it is with respect to a particular application. 
      </h:p><h:p>
      Product Equivalency analysis must already have been done and Products have been determined to be equivalent.
      </h:p><h:p>
      The platform can be hardware or virtual hardware, an operating system or similar entity, or a software execution 
      environment such as a container. For purposes of determining equivalence for software applications, we address each
      type of platform separately. In general, platform equivalence is based on differences in the interfaces between the 
      TOE and Platform that are relevant to the implementation of PP-specified security functionality.
      </h:p>
      <section id="hardware-equiv" title="Platform Equivalence—Hardware/Virtual Hardware Platforms">
      	<h:p>
      		If an application runs directly on hardware without an operating system—or directly on virtualized 
        hardware without an operating system—then platform equivalence is based on processor architecture and 
        instruction sets. In the case of virtualized hardware, it is the virtualized processor and architecture 
        that are presented to the application that matters—not the physical hardware.
      </h:p><h:p>
        Platforms with different processor architectures and instruction sets are not equivalent. This is not 
        likely to be an issue for equivalency analysis for applications since there is likely to be a different 
        version of the application for different hardware environments.
        Equivalency analysis becomes important when comparing processors with the same architecture. Processors 
        with the same architecture that have instruction sets that are subsets or supersets of each other are not
        disqualified from being equivalent for purposes of an App evaluation. If the application takes the same 
        code paths when executing PP-specified security functionality on different processors of the same family, 
        then the processors can be considered equivalent with respect to that application.
        For example, if an application follows one code path on platforms that support the AES-NI instruction 
        and another on platforms that do not, then those two platforms are not equivalent with respect to that 
        application functionality. But if the application follows the same code path whether or not the platform 
        supports AES-NI, then the platforms are equivalent with respect to that functionality.
      </h:p><h:p>
        The platforms are equivalent with respect to the application if the platforms are equivalent with respect to all PP-specified
        security functionality.
        <h:table border="1">
          <h:tr class="header" bgcolor="#cccccc">
            <h:td valign="top">Factor</h:td>
            <h:td valign="top">Same/Different/None</h:td>
            <h:td valign="top">Guidance</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Architectures</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Platforms that present different processor architectures and instruction sets to the application are not equivalent.</h:td>
          </h:tr>
          <h:tr>
            <h:td valign="top">PP-Specified Functionality</h:td>
            <h:td valign="top">Same</h:td>
            <h:td valign="top">For platforms with the same processor architecture, the platforms are equivalent with
              respect to the application if execution of all PP-specified security functionality follows the same code path on both platforms.</h:td>
          </h:tr>
        </h:table>
        <h:b>Table 3. Factors for Determining Hardware/Virtual Hardware Platform Equivalence</h:b>
      </h:p>
      </section>
      <section id="os-equiv" title="Platform Equivalence—OS Platforms">
      	<h:p>
        For traditional applications that are built for and run on operating systems, platform equivalence is 
        determined by the interfaces between the application and the operating system that are relevant to PP-specified 
        security functionality. Generally, these are the processor interface, device interfaces, and OS APIs. The following 
        factors applied in order:
        
        <h:table border="1">
          <h:tr class="header" bgcolor="#cccccc">
            <h:td valign="top">Factor</h:td>
            <h:td valign="top">Same/Different/None</h:td>
            <h:td valign="top">Guidance</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Architectures</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Platforms that run on different processor architectures and instruction sets are not equivalent.</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Vendors</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Platforms from different vendors are not equivalent. </h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Versions</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Platforms from the same vendor with different major version numbers are not equivalent.</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Interfaces</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Platforms from the same vendor and major version are not equivalent if there are
              differences in device interfaces and OS APIs that are relevant to the way the platform provides PP-specified 
              security functionality to the application. </h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Interfaces</h:td>
            <h:td valign="top">Same</h:td>
            <h:td valign="top">Platforms from the same vendor and major version are equivalent if there are 
              no differences in device interfaces and OS APIs that are relevant to the way the platform 
              provides PP-specified security functionality to the application, or if the Platform does 
              not provide such functionality to the application.</h:td>
          </h:tr>
          
        </h:table>
        <h:b>Table 4. Factors for Determining OS/VS Platform Equivalence</h:b>
      	</h:p>
    
      </section>
      <section id="software-equiv" title="Software-based Execution Environment Platform Equivalence">
      	<h:p>
        If an Application is built for and runs in a non-OS software-based execution environment, such as a Container or 
        Java Runtime, then the below criteria must be used to determine platform equivalence. The key point is that the 
        underlying hardware (virtual or physical) and OS is not relevant to platform equivalence. This allows applications 
        to be tested and run on software-based execution environments on any hardware—as in cloud deployments.
        
        <h:table border="1">
          <h:tr class="header" bgcolor="#cccccc">
            <h:td valign="top">Factor</h:td>
            <h:td valign="top">Same/Different/None</h:td>
            <h:td valign="top">Guidance</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Type/Vendor</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Software-based execution environments that are substantially different or come 
              from different vendors are not equivalent. For example, a Java virtual machine is not the same as a 
              container. A Docker container is not the same as a CoreOS container.</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">Platform Versions</h:td>
            <h:td valign="top">Different</h:td>
            <h:td valign="top">Execution environments that are otherwise equivalent are not equivalent if they have 
              different major version numbers.</h:td>
          </h:tr>
          <h:tr valign="top">
            <h:td valign="top">PP-Specified Security Functionality</h:td>
            <h:td valign="top">Same</h:td>
            <h:td valign="top">All other things being equal, execution environments are equivalent if there is no 
              significant difference in the interfaces through which the environments provide PP-specified security 
              functionality to applications.</h:td>
          </h:tr>
        </h:table>
        <h:b>Table 5. Factors for Software-based Execution Environment Platform Equivalence</h:b>
      	</h:p>
      </section>
    </section>
    <section id="specificity" title="Level of Specificity for Tested Configurations and Claimed Equivalent Configurations">
    	<h:p>
      In order to make equivalency determinations, the vendor and evaluator must agree on the equivalency claims. They must 
      then provide the scheme with sufficient information about the TOE instances and platforms that were evaluated, and the 
      TOE instances and platforms that are claimed to be equivalent.
    	</h:p><h:p>
      The ST must describe all configurations evaluated down to processor manufacturer, model number, and microarchitecture version. 
    	</h:p><h:p>
      The information regarding claimed equivalent configurations depends on the platform that the application was developed for and runs on.
    	</h:p><h:p>
      <h:b>Bare-Metal Applications</h:b>
    	</h:p><h:p>
      For applications that run without an operating system on bare-metal or virtual bare-metal, the claimed configuration must 
      describe the platform down to the specific processor manufacturer, model number, and microarchitecture version. The Vendor
      must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE functions
      differently to leverage platform differences (e.g., instruction set extensions) in the tested configuration versus the 
      claimed equivalent configuration. 
    	</h:p><h:p>
      <h:b>Traditional Applications</h:b>
    	</h:p><h:p>
      For applications that run with an operating system as their immediate platform, the claimed configuration must describe 
      the platform down to the specific operating system version. If the platform is a virtualization system, then the claimed 
      configuration must describe the platform down to the specific virtualization system version. The Vendor must describe the 
      differences in the TOE with respect to PP-specified security functionality and how the TOE functions differently to leverage
      platform differences in the tested configuration versus the claimed equivalent configuration. Relevant platform differences 
      could include instruction sets, device interfaces, and OS APIs invoked by the TOE to implement PP-specified security 
      functionality.
    	</h:p><h:p>
      <h:b>Software-Based Execution Environments</h:b>
    	</h:p><h:p>
      For applications that run in a software-based execution environment such as a Java virtual machine or a Container, then 
      the claimed configuration must describe the platform down to the specific version of the software execution environment. 
      The Vendor must describe the differences in the TOE with respect to PP-specified security functionality and how the TOE 
      functions differently to leverage platform differences in the tested configuration versus the claimed equivalent 
      configuration.
    	</h:p>
      
    </section>
  </appendix>

    <bibliography>
	  <cc-entry/>
      <entry id="bibOMB">
        <tag>OMB</tag>
        <description>
        	<h:a href="https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2006/m06-19.pdf"
            >Reporting Incidents Involving Personally Identifiable Information and Incorporating the
            Cost for Security in Agency Information Technology Investments</h:a>, OMB M-06-19, July
          12, 2006. </description>
      </entry>
    </bibliography>
 
  <extra-css>
    table.code-table td {
       font-family: monospace;
       font-style: normal;
       padding:0px;
       background-color: #DDDDDD;
    }

    span.code-wildcard::after {
       content: "(...)";
    }
    span.code-wildcard {
       font-style: italics;
    }
  </extra-css>
</PP>