background image

Security Target 

Version 1.1

 

2022-03-08 

38 

The D Models satisfy the following SFRs: 

 

FDP_PDC_EXT.3/VI(D)- Authorized Connection Protocols (Video Output) (D Models) 

 

FDP_SPR_EXT.1/DVI-I(D) 

 Sub-Protocol Rules (DVI-I Protocol) (D Models) 

6.3

 

Identification and Authentication (FIA_UAU.2/

 

FIA_UID.2) 

Authentication is required to perform administrator functions such as configuring the keyboard/mouse 
device filtering (i.e. CDF) blacklist. The authorized administrator is identified and authenticated through 
the logon function. The authorized administrator logs on by entering the Administrator Logon mode as 
described in the administrator guide and providing a valid password. The administrator guide states that 
the administrator must change the password after the first successful logon.    

6.4

 

Security Management 

The TOE provides management functions to configure the keyboard/ mouse filtering (i.e. CDF), to return 
the device to factory setting, to view audit logs and to change the administrator password; and restricts 
access to these management functions to the authorized administrator. 

6.4.1

 

FMT_MOF.1 

 Management of Security Functions Behavior 

The TOE restricts the management functions such as the ability to modify the HID device filtering blacklist 
to  the  authorized  administrator.  The  authorized  administrator  must  successfully  authenticate  by 
providing  a  valid  password.  There  is  no  login  name  parameter  for  the  login  function.  Customers  are 
provided with a default password. The administrator guide states that the administrator must change the 
password after the first successful logon. The password is case sensitive and new passwords must contain 
at least 1 lower case letter, at least 1 upper case letter, at least 1 numeric character, and at least 1 special 
character. The supported special characters are: !"#$%&' ()*+,-./ :;<=>? @ [\]^_ ` {|}~ (including 

space

). 

Additionally, the password length must be at least 8 characters but no longer than 22 characters. With 
three  failed  attempts  to  log  in,  the  administrator  logon  mode  will  be  terminated  and  locked  for  15 
minutes.  With nine failed log in attempts, the Secure KVM Switch will become permanently inoperable. 
There is no mechanism to restore a lost/forgotten password. 

6.4.2

 

FMT_SMF.1 

 Specification of Management Functions 

The TOE provides security management functions to configure the keyboard/mouse device filtering (i.e. 
CDF), to return the device to factory setting, to view audit logs and to change the administrator password.  

The TOE provides the authorized administrator with the ability to assign blacklist definitions for keyboard/ 
mouse  devices. Once  successfully  authenticated,  the  Administrator  can  choose  to  add  a  device  to  the 
keyboard/ mouse devices blacklist. 

If a device is on the whitelist, the TOE considers the device as authorized. Otherwise, if the device is on 
the blacklist or is not on any list it is considered unauthorized. If a device is on both blacklist and whitelist, 
the USB device will be considered a blacklisted device. 

Summary of Contents for CS1142D4

Page 1: ... Models Security Target Version 1 1 2022 03 08 Prepared for ATEN 3F No 125 Section 2 Datung Road Sijhih District New Taipei City 221 Taiwan Prepared by Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia Maryland 21046 ...

Page 2: ...istory Version Author Modifications 0 1 Leidos Initial Version 0 2 Leidos Minor update to add adapters 0 3 Leidos Updates for validator check in comments 1 0 Leidos Minor updates for evaluator comments 1 1 Leidos Updates for validator check out comments ...

Page 3: ...ectives 16 4 1 Security Objectives for the Operational Environment 16 5 IT Security Requirements 17 5 1 Extended Requirements 17 5 2 TOE Security Functional Requirements PSD MOD_AO_V1 0 MOD_KM_V1 0 18 5 2 1 Security Audit FAU 19 5 2 2 User Data Protection FDP 20 5 2 3 Identification and Authentication FIA 24 5 2 4 Security Management FMT 25 5 2 5 Protection of the TSF FPT 25 5 2 6 TOE Access FTA 2...

Page 4: ...I_EXT 2 PSD Switching Methods FDP_SWI_EXT 3 Tied Switching 36 6 2 9 TOE Video Security Function 36 6 3 Identification and Authentication FIA_UAU 2 FIA_UID 2 38 6 4 Security Management 38 6 4 1 FMT_MOF 1 Management of Security Functions Behavior 38 6 4 2 FMT_SMF 1 Specification of Management Functions 38 6 4 3 FMT_SMR 1 Security Roles 39 6 5 Protection of the TSF 39 6 5 1 FPT_FLS_EXT 1 Failure with...

Page 5: ...urity Functional Components 18 Table 8 Audio Filtration Specifications 20 Table 9 TOE Security Functional Components DP Models 27 Table 10 TOE Security Functional Components H Models 28 Table 11 TOE Security Functional Components D Models 29 Table 12 Assurance Components 30 Table 13 Supported protocols by port 34 Table 14 DP Models 36 Table 15 H Models 37 Table 16 D Models 37 Table 17 SFR Protecti...

Page 6: ... ST Version Version 1 1 ST Date 2022 03 08 Target of Evaluation TOE Identification ATEN Secure KVM Switch Series Non CAC Models TOE Versions The following table identifies the model numbers per configuration The firmware version for all models is v1 1 101 Table 1 ATEN Secure KVM Switch TOE Models Configuration 2 Port 4 Port 8 Port DisplayPort Single Head CS1182DP4 CS1184DP4 CS1188DP4 Dual Head CS1...

Page 7: ...alog Audio Output Devices Version 1 0 19 July 2019 MOD_AO_V1 0 PP Module for Keyboard Mouse Devices Version 1 0 19 July 2019 MOD_KM_V1 0 o including the following optional and selection based SFRs FDP_FIL_EXT 1 KM FDP_RIP 1 KM and FDP_SWI_EXT 3 PP Module for Video Display Devices Version 1 0 19 July 2019 MOD_VI_V1 0 o including the following selection based SFRs FDP_CDS_EXT 1 FDP_IPC_EXT 1 FDP_SPR...

Page 8: ...n is identified with a slash and an identifier e g KM Additional iterations made by the ST author are defined with a reference in parentheses to the specific TOE models they apply to e g DP indicates the SFR only applies to DisplayPort models Though technically not an iteration FDP_IPC_EXT 1 also uses this convention to clarify that this requirement only applies to certain models Extended SFRs are...

Page 9: ...ity of a User to receive an indicator of the current Active Interface Non Selected Computer A Connected Computer that has no Active Interfaces with the PSD Peripheral Interface The PSD s physical receptacle or port for connecting to a Peripheral Device Peripheral Peripheral Device A Device with access that can be Shared or Filtered by a PSD Protection Profile PP An implementation independent set o...

Page 10: ...o authenticate to a computer e g smart card reader biometric authentication device proximity card reader User Data Information that the User inputs to the Connected Computer or is output to the User from the Connected Computer and including user authentication and credential information 1 3 2 Acronyms Table 3 Acronyms Acronym Definition ARC Audio Return Channel AUX Display Port Auxiliary Channel C...

Page 11: ...Security Target Version 1 1 2022 03 08 6 Acronym Definition PC Personal Computer PSD Peripheral Sharing Device RPS Remote Port Selector SFP Security Function Policy USB Universal Serial Bus ...

Page 12: ...the connected computers is active such that the peripherals connected to the console can be used to interact with the selected computer The TOE s console ports support USB keyboard and mouse analog audio out speakers and depending on model DisplayPort HDMI or DVI I display The TOE s computer ports support USB keyboard and mouse analog audio and depending on model DisplayPort HDMI or DVI I display ...

Page 13: ... DisplayPort video signal to HDMI The HDMI signal inside the KVM will be converted again to DisplayPort signal for output to the connected video display s and the AUX channel is monitored and converted to EDID The Secure KVM Switch products also support audio output connections from the computers to a connected audio output device Only speaker connections are supported and the use of an analog mic...

Page 14: ... Each peripheral has its own dedicated data path USB keyboard and mouse peripherals are filtered and emulated DisplayPort video from the selected computer is converted internally to HDMI then back to DisplayPort for communication with the connected video display and the AUX channel is monitored and converted to EDID The Secure KVM Switch products are designed to enforce the allowed and disallowed ...

Page 15: ...ility of data leakage from a user s peripheral output device to the input device ensures that no unauthorized data flows from the monitor to a connected computer and unidirectional buffers ensure that the audio data can travel only from the selected computer to the audio device There is no possibility of data leakage between computers or from a peripheral device connected to a console port to a no...

Page 16: ...ing their own cable sets as long as the protocols are compatible but the vendor cable sets are recommended The TOE was tested using the cable sets mentioned above and the following adapters UC32381 USB C to HDMI converter UC3239 USB C to DP converter VC986 Active DP to HDMI adapter VC965 Active DP to DVI adapter While the cable sets and adapters were supplied they were not included in the evaluati...

Page 17: ... Class A digital device pursuant to Part 15 of the Federal Communications Commission rules If not installed and used in accordance with the guidance instructions the device may cause harmful interference to radio communications This evaluation did not test for RFI leakage of information 2 4 Logical Boundary This section summarizes the security functions provided by the TOE Security Audit User Data...

Page 18: ...as USB device whitelist blacklist Once the Reset to Factory Default function has been completed the Secure KVM will terminate the Administrator Logon mode purge keyboard mouse buffer and power cycle the Secure KVM automatically 2 4 3 Identification and Authentication The TOE provides an identification and authentication function for the administrative user to perform administrative functions such ...

Page 19: ...TEN PSD PP v4 0 Secure KVM Switch Series 2 4 8 Port USB DVI HDMI DisplayPort Single Dual Display PP v4 0 Secure KVM Switch Administrator Guide Version 1 03 2021 1 25 ATEN PSD PP v4 0 Secure KVM Switch Series 2 4 8 Port USB DVI HDMI DisplayPort Single Dual Display PP v4 0 Secure KVM Switch User Manual Version 1 03 2021 1 25 ATEN PSD PP v4 0 Secure KVM Switch Series 2 4 8 Port USB DVI HDMI DisplayPo...

Page 20: ... is expected to address and assumptions about the operational environment of the TOE In general the PSD has presented a Security Problem Definition appropriate for peripheral sharing devices The ATEN Secure KVM Switch Series supports KVM USB Keyboard Mouse analog audio out DisplayPort DVI I and HDMI video peripheral switch functionality by combining a 2 4 8 port KVM switch and an audio output port...

Page 21: ...crophones are not plugged into the TOE audio output interfaces OE NO_SPECIAL_ANALOG_CAPABILITIES from MOD_VI_V1 0 The operational environment will not have special analog data collection cards or peripherals such as analog to digital interface high performance audio interface or a component with digital signal processing or analog video capture functions OE NO_TEMPEST from PSD The operational envi...

Page 22: ...nd modules define the following extended SFRs and since they are not redefined in this ST the PSD and associated modules should be consulted for more information in regard to those CC extensions FDP_AFL_EXT 1 Audio Filtration FDP_APC_EXT 1 Active PSD Connections FDP_CDS_EXT 1 Connected Displays Supported FDP_FIL_EXT 1 KM Device Filtering Keyboard Mouse FDP_IPC_EXT 1 DP Internal Protocol Conversion...

Page 23: ...nt Class Requirement Component FAU Security Audit FAU_GEN 1 Audit Data Generation FDP User Data Protection FDP_AFL_EXT 1 Audio Filtration FDP_APC_EXT 1 AO Active PSD Connections Audio Output FDP_APC_EXT 1 KM Active PSD Connections Keyboard Mouse FDP_APC_EXT 1 VI Active PSD Connections Video Display FDP_CDS_EXT 1 Connected Displays Supported FDP_FIL_EXT 1 KM Device Filtering Keyboard Mouse FDP_PDC_...

Page 24: ...vation of Secure State FPT_NTA_EXT 1 No Access to TOE FPT_PHP 1 Passive Detection of Physical Attack FPT_PHP 3 Resistance to Physical Attack FPT_STM 1 Reliable Time Stamps FPT_TST 1 TSF Testing FPT_TST_EXT 1 TSF Testing FTA TOE Access FTA_CIN_EXT 1 Continuous Indications 5 2 1 Security Audit FAU 5 2 1 1 Audit Data Generation FAU_GEN 1 FAU_GEN 1 1 The TSF shall be able to generate an audit record o...

Page 25: ... 8 22 96 mV 19 43 0 14 15 mV 20 46 0 10 02 mV 30 71 4 0 53 mV 40 71 4 0 53 mV 50 71 4 0 53 mV 60 71 4 0 53 mV 5 2 2 2 Active PSD Connections Audio Output FDP_APC_EXT 1 AO FDP_APC_EXT 1 1 AO The TSF shall route user data only from the interfaces selected by the user FDP_APC_EXT 1 2 AO The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered...

Page 26: ...a transits the TOE when the TOE is powered off FDP_APC_EXT 1 4 VI The TSF shall that no data transits the TOE when the TOE is in a failure state Application Note This SFR is originally defined in the Base PP but is refined and iterated to apply to the video interface per section 5 1 2 of the Video Display PP Module 5 2 2 5 Connected Displays Supported FDP_CDS_EXT 1 FDP_CDS_EXT 1 1 The TSF shall su...

Page 27: ...TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in Appendix E of the AO Module and authorized devices presenting authorized interface protocols as defined in the PP Module for Keyboard Mouse Devices authorized devices presenting authorized interface protocols as defined in the PP Module for Video Display Devices upon TOE power up and upon co...

Page 28: ...n the PP Module for Audio Output Devices authorized devices presenting authorized interface protocols as defined in the PP Module for Keyboard Mouse Devices upon TOE power up and upon connection of a peripheral device to a powered on TOE 5 2 2 11 Authorized Connection Protocols Keyboard Mouse FDP_PDC_EXT 3 KM FDP_PDC_EXT 3 1 KM The TSF shall have interfaces for the USB keyboard USB mouse protocols...

Page 29: ...mouse peripheral devices are always switched together to the same connected computer 5 2 2 19 Unidirectional Data Flow Audio Output FDP_UDF_EXT 1 AO FDP_UDF_EXT 1 1 AO The TSF shall ensure analog audio output data transits the TOE unidirectionally from the TOE analog audio output computer interface to the TOE analog audio output peripheral interface 5 2 2 20 Unidirectional Data Flow Keyboard Mouse...

Page 30: ...The TSF shall maintain the roles administrators FMT_SMR 1 2 The TSF shall be able to associate users with roles 5 2 5 Protection of the TSF FPT 5 2 5 1 Failure with Preservation of Secure State FPT_FLS_EXT 1 FPT_FLS_EXT 1 1 The TSF shall preserve a secure state when the following types of failures occur failure of the power on self test and failure of the anti tamper function 5 2 5 2 No Access to ...

Page 31: ...grity of TSF 5 2 5 7 TSF Testing FPT_TST_EXT 1 FPT_TST_EXT 1 1 The TSF shall respond to a self test failure by providing users with a visual indication of failure and by shutdown of normal TSF functions 5 2 6 TOE Access FTA 5 2 6 1 Continuous Indications FTA_CIN_EXT 1 FTA_CIN_EXT 1 1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered FTA_CIN_E...

Page 32: ...hat are satisfied by DP Models which include the following CS1182DP4 CS1184DP4 CS1188DP4 CS1142DP4 CS1144DP4 and CS1148DP4 Table 9 TOE Security Functional Components DP Models Requirement Class Requirement Component FDP User Data Protection FDP_IPC_EXT 1 DP Internal Protocol Conversion FDP_PDC_EXT 3 VI DP Authorized Connection Protocols DP Models FDP_SPR_EXT 1 DP DP Sub Protocol Rules DisplayPort ...

Page 33: ...ining 5 4 TOE Security Functional Requirements H Models The following table identifies the MOD_VI_V1 0 SFRs that are satisfied by H models which includes the following CS1182H4 CS1184H4 CS1142H4 and CS1144H4 Table 10 TOE Security Functional Components H Models Requirement Class Requirement Component FDP User Data Protection FDP_PDC_EXT 3 VI H Authorized Connection Protocols H Models FDP_SPR_EXT 1 ...

Page 34: ...FRs that are satisfied by D models which includes the following CS1182D4 CS1184D4 CS1188D4 CS1142D4 CS1144D4 and CS1148D4 Table 11 TOE Security Functional Components D Models Requirement Class Requirement Component FDP User Data Protection FDP_PDC_EXT 3 VI D Authorized Connection Protocols D Models FDP_SPR_EXT 1 DVI I D Sub Protocol Rules DVI I Protocol D Models 5 5 1 User Data Protection FDP 5 5 ...

Page 35: ...he TOE are included by reference from the PSD Table 12 Assurance Components Requirement Class Requirement Component Security Target ASE Conformance Claims ASE_CCL 1 Extended Components Definition ASE_ECD 1 ST Introduction ASE_INT 1 Security Objectives ASE_OBJ 2 Derived Security Requirements ASE_REQ 2 Security Problem Definition ASE_SPD 1 TOE Summary Specification ASE_TSS 1 Development ADV Basic Fu...

Page 36: ... in the text editor by entering the command LIST The event logs are divided into two types critical and non critical The Log Data Area displays the critical and non critical Log data Each logged event is recorded with Date Time a code that indicates the type of event and the outcome success or failure of the event The critical audit events recorded and identified in the code include administrator ...

Page 37: ...on 2 2 for details on TOE computer peripherals and connected computer port interfaces for each specific TOE model The TOE ensures that any previous information content of a resource is made unavailable upon the deallocation of the resource from the TOE computer interfaces immediately after a TOE switch to another selected computer and on start up of the TOE The Appendix A Letter of Volatility prov...

Page 38: ...onnected displays at a time 6 2 4 FDP_FIL_EXT 1 KM Device Filtering Keyboard Mouse FDP_PDC_EXT 3 KM Authorized Connection Protocols Keyboard Mouse The TOE supports authorized USB keyboard and mouse peripherals as defined in Table 13 Supported protocols by port below Keyboard mouse peripherals are filtered and emulated Device filtering for keyboard mouse interfaces is configurable Keyboard mouse bl...

Page 39: ...mbedded in DisplayPort Video will be kept with HDMI video DVI Secure KVM Models do not have the ability to embed digital audio into digital video data transmission The TOE does not allow any other user data transmission to or from any other external entities including wireless devices The TOE only recognizes those peripherals with an authorized interface type as described below and all other perip...

Page 40: ...rocontroller Once the TOE is power cycled reset or port switching is detected the data in the console authorized keyboard mouse buffer will be deleted immediately and not processed for emulation Please refer to the Proprietary Isolation Document for more detail The TOE provides two functions to delete TOE stored configuration and settings After logging in authorized administrators can use the Rese...

Page 41: ...auxiliary channel AUX path blocks information flows other than the minimal set required to establish the video link Unauthorized DisplayPort transactions are prevented by disassembling the DisplayPort AUX channel transactions to block all unauthorized transactions The TOE video function filters the AUX channel by converting it to EDID only DisplayPort video is converted into HDMI video stream Moni...

Page 42: ... to read the connected display EDID information EDID from display to computer and HPD from display to computer are allowed for the HDMI interface The TOE blocks ARC CEC EDID from computer to display HDCP HEAC HEC and MCCS video display sub protocols The H Models satisfy the following SFRs FDP_PDC_EXT 3 VI H Authorized Connection Protocols Video Output H Model FDP_SPR_EXT 1 HDMI H Sub Protocol Rule...

Page 43: ...in name parameter for the login function Customers are provided with a default password The administrator guide states that the administrator must change the password after the first successful logon The password is case sensitive and new passwords must contain at least 1 lower case letter at least 1 upper case letter at least 1 numeric character and at least 1 special character The supported spec...

Page 44: ...s to the TOE firmware software or its memory via its accessible ports is prevented No access is available to modify the TOE or its memory To mitigate the risk that a potential attacker will tamper with a TOE and then reprogram it with altered functionality the TOE software is contained in one time programmable read only memory permanently attached non socketed to a circuit assembly The TOE s opera...

Page 45: ...t RPS connected will be permanently disabled and all the front panel LEDs except the Power LED will flash continuously A mechanical intrusion is detected by a pressure switch that trips when the enclosure is opened If a mechanical intrusion is detected by the RPS connected with the switch and aligned this will permanently disable both the RPS itself and the switch and all LEDs on RPS and the front...

Page 46: ...ailure the TOE does not shut down The anti tampering self tests include the correct operation and tampering of the internal KVM and RPS batteries A KVM detecting tampering during normal operation will trigger the KVM inoperable A connected and aligned RPS detecting tampering including damaged or exhausted battery during normal operation will trigger the RPS inoperable and also directly trigger the...

Page 47: ...TOE by triggering a self test e g by powering on or rebooting the TOE and examining the front panel LEDs for self test failures as identified above The TOE performs self tests as described above to demonstrate the correct operation of active anti tamper functionality see also 6 5 3 FPT_PHP 6 6 TOE Access The TOE display a continuous visual indication of the computer to which the user is currently ...

Page 48: ...Security Target Version 1 1 2022 03 08 43 The TOE has a reset button that resets the switch to the default settings when pressed The switch is then powered up and behaves as described above ...

Page 49: ...ce As explained in Section 4 Security Objectives the Security Objectives of the PSD and modules have been included by reference in this ST The following table identifies all the Security Functional Requirements SFRs in this ST drawn from the PSD The only operations performed on the SFRs drawn from the PSD are assignment and selection operations Table 17 identifies the SFRs that are satisfied by th...

Page 50: ... MOD_VI_V1 0 FDP_SWI_EXT 1 PSD Switching PSD FDP_SWI_EXT 2 PSD Switching Methods PSD FDP_SWI_EXT 3 Tied Switching MOD_KM_V1 0 FDP_UDF_EXT 1 AO Unidirectional Data Flow Audio Output MOD_AO_V1 0 FDP_UDF_EXT 1 KM Unidirectional Data Flow Keyboard Mouse MOD_KM_V1 0 FDP_UDF_EXT 1 VI Unidirectional Data Flow Video Output MOD_VI_V1 0 FIA Identification and Authentication FIA_UAU 2 User Authentication Bef...

Page 51: ...fied by aspects of the corresponding security function The set of security functions work together to satisfy all of the security functions and assurance requirements Furthermore all of the security functions are necessary in order for the TSF to provide the required security functionality This Section in conjunction with Section 6 the TOE Summary Specification provides evidence that the security ...

Page 52: ...XT 3 VI H X FDP_PDC_EXT 3 VI D X FDP_PUD_EXT 1 X FDP_RIP 1 KM X FDP_RIP_EXT 1 X FDP_RIP_EXT 2 X FDP_SPR_EXT 1 DP DP X FDP_SPR_EXT 1 DVI I D X FDP_SPR_EXT 1 HDMI H X FDP_SWI_EXT 1 X FDP_SWI_EXT 2 X FDP_UDF_EXT 1 AO X FDP_UDF_EXT 1 KM X FDP_UDF_EXT 1 VI X FIA_UAU 2 X FIA_UID 2 X FMT_SMF 1 X FMT_SMR 1 X FPT_FLS_EXT 1 X FPT_NTA_EXT 1 X FPT_PHP 1 X FPT_PHP 3 X FPT_STM 1 X FPT_TST 1 X FPT_TST_EXT 1 X FT...

Page 53: ...data 2 Host Controller Device Emulators ATEN SICG8022A Embedded RAM 1 Undisclosed Volatile May contain user data 3 System EEPROM ATMEL AT24C512 EEPROM 2 512K bits Non volatile No user data 4 System Flash EON EN29LV040A Flash 3 512K Bytes Non volatile No user data 5 EDID Emulator ROHM BR24G02 3 EEPROM 4 256 Bytes Non volatile No user data 6 DP Video Controller Flash MXIC MX25L4006E Flash 5 4 Mbits ...

Page 54: ...ctory Default KVM reset reboot or power cycle 3 The Flash does not contain user data Firmware code is stored in the Flash and cannot be updated or rewritten The firmware code remains unchanged after a Reset to Factory Default KVM reset reboot or power cycle 4 The EDID ROM does not contain user data It is for PC Read EDID ROM The EDID data will be cleared after a KVM reset reboot or power cycle 5 D...

Reviews: