Black Box Secure KVM Switch Security Target (CAC Models)

Release Date: November 3, 2021
Revision: 1.08
Author: John Hickey, Black Box

Table of Contents

1 Introduction
  1.1 ST and TOE Identification
  1.2 PP Reference Identification
  1.3 Organization
  1.4 Conventions
  1.5 Technical Definitions
    1.5.1 ST Specific Terminology
    1.5.2 Acronyms
  1.6 TOE Overview
    1.6.1 TOE Architecture (High Level)
    1.6.2 TOE Details
  1.7 TOE Scope and Boundary
    1.7.1 Overview
    1.7.2 Environment
  1.8 Guidance Documents
  1.9 Features Outside of TOE Evaluation Scope
2 Security Problem Description
  2.1 Assumptions
  2.2 Organizational Security Policies
  2.3 Threats
3 Security Objectives
  3.1 Security Objectives for the TOE
  3.2 Security Objectives for the Operational Environment
4 Security Requirements
  4.1 TOE Security Functional Requirements (all models)
    4.1.1 Overview
    4.1.2 Class FAU: Security Audit
    4.1.3 Class FDP: User Data Protection
    4.1.4 Class FIA: Identification and Authentication
    4.1.5 Class FMT: Security Management
    4.1.6 Class FPT: Protection of the TSF
    4.1.7 Class FTA: TOE Access
  4.2 TOE Security Functional Requirements (V models)
    4.2.1 Overview
    4.2.2 Class FDP: User Data Protection
  4.3 TOE Security Functional Requirements (D models)
    4.3.1 Overview
    4.3.2 Class FDP: User Data Protection
  4.4 TOE Security Functional Requirements (HV models)
    4.4.1 Overview
    4.4.2 Class FDP: User Data Protection
  4.5 TOE Security Functional Requirements (DHV models)
    4.5.1 Overview
    4.5.2 Class FDP: User Data Protection
  4.6 TOE Security Functional Requirements (VM models)
    4.6.1 Overview
    4.6.2 Class FDP: User Data Protection
  4.7 TOE Security Functional Requirements (VP models)
    4.7.1 Overview
    4.7.2 Class FDP: User Data Protection
  4.8 Rationale for TOE Security Requirement Dependencies
  4.9 TOE Security Assurance Requirements
5 Conformance Claims
  5.1 CC Conformance Claims
  5.2 PP Conformance Claims
  5.3 ST Conformance Requirements
6 TOE Summary Specification
  6.1 TOE External Interfaces Security Functions
  6.2 TOE Administration, User Control, and Monitoring Security Functions
  6.3 TOE Tampering Protection
  6.4 TOE Self-Testing
  6.5 TOE Audio Subsystem Security Functions
  6.6 TOE Keyboard and Mouse Functionality
  6.7 TOE User Authentication Device Subsystem Security Functions
  6.8 TOE Video Subsystem Security Functions
    6.8.1 V Models
    6.8.2 D Models
    6.8.3 HV Models
    6.8.4 DHV Models
    6.8.5 VM Models
    6.8.6 VP Models
Appendix A – Product’s Model Name Structure
Appendix B – Letter of Volatility
  Main PCBA: USB
  Video PCBA: DVI/DP
  Front Panel PCBA

Table of Figures

Figure 1: Standard Setup of 2-Port KVM TOE Installation
Figure 2: Standard Setup of 4-Port TOE Installation

List of Tables

Table 1 – ST Composition
Table 2 – ST Identification
Table 3 – ST Technical Definitions
Table 4 – ST Acronyms
Table 5 – Black Box 2-Port Secure TOE Identification
Table 6 – Black Box 4-Port Secure TOE Identification
Table 7 – Black Box 8-Port Secure TOE Identification
Table 8 – Peripheral Devices supported by the TOE
Table 9 – Console Port Protocols (2-Port TOE models)
Table 10 – Console Port Protocols (4-Port TOE models)
Table 11 – Console Port Protocols (8-Port TOE models)
Table 12 – Computer Port Protocols (2-Port TOE models)
Table 13 – Computer Port Protocols (4-Port TOE models)
Table 14 – Computer Port Protocols (8-Port TOE models)
Table 15 – TOE Services
Table 16 – TOE User/Administrator Services and Accessibility
Table 17 – TOE Physical Boundary Composition
Table 18 – TOE Components
Table 19 – Environment Components
Table 20 – Assumptions
Table 21 – Threats
Table 22 – Security Objectives for the TOE
Table 23 – Security Objectives for the Operational Environment
Table 24 – TOE SFR Overview
Table 25 – Audio Filtration Specifications
Table 26 – TOE SFR Overview (V models)
Table 27 – TOE SFR Overview (D models)
Table 28 – TOE SFR Overview (HV models)
Table 29 – TOE SFR Overview (DHV models)
Table 30 – TOE SFR Overview (VM models)
Table 31 – TOE SFR Overview (VP models)
Table 32 – TOE Security Assurance Requirements
Table 33 – EDID Read/Write Time Chart

Document Revisions

| Revision # | Date | By | Updates |
|---|---|---|---|
| 1.00 | June 3, 2020 | John Hickey, Black Box | Initial document outline |
| 1.01 | July 7, 2020 | John Hickey, Black Box | Formatting updates and addition of NIAP TDs |
| 1.02 | July 20, 2020 | John Hickey, Black Box | Responding to comments based on preliminary evaluation |
| 1.03 | August 10, 2020 | John Hickey, Black Box | Updating specifications for some units |
| 1.04 | December 30, 2020 | John Hickey, Black Box | Removal of isolator models and separation of video peripheral types; incorporation of NIAP feedback |
| 1.05 | May 21, 2021 | John Hickey, Black Box | Incorporation of NIAP feedback and finalization |
| 1.06 | June 25, 2021 | John Hickey, Black Box | Incorporation of additional NIAP feedback |
| 1.07 | October 1, 2021 | John Hickey, Black Box | Incorporation of additional NIAP feedback |
| 1.08 | November 3, 2021 | John Hickey, Black Box | Incorporation of additional NIAP feedback |

1 
Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), conformance claims, ST organization, document conventions, and terminology. It also includes an overview of the evaluated product. The composition of the ST is listed in the table below.

| No. | Security Target Composition |
|---|---|
| 1 | A security problem described as a set of assumptions about the security aspects of the environment (see Chapter 2, Security Problem Description). |
| 2 | A set of threats which the product is proposed to identify and counter (see Chapter 2, Security Problem Description). |
| 3 | Known rules with which the product must comply (see Chapter 2, Security Problem Description, and Chapter 5, Conformance Claims). |
| 4 | A set of security objectives to address the security problem (see Chapter 3, Security Objectives). |
| 5 | A set of security requirements to address the security problem (see Chapter 4, Security Requirements). |
| 6 | The IT security functions provided by the TOE that meet the set of requirements (see Chapter 6, TOE Summary Specification). |

Table 1 – ST Composition

The structure and content of this ST comply with the requirements stated in the Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 11.

1.1 ST and TOE Identification

This section provides the information needed to identify and control this ST and its Target of Evaluation (TOE).
ST Title: Black Box Secure KVM Switch Security Target (CAC Models)
Revision Number: 1.08
ST Publish Date: November 3, 2021
ST Authors: John Hickey, Black Box
TOE Identification: See Tables 5, 6 and 7 below
Keywords: KVM, Secure, Black Box, Protection Profile 4.0

Table 2 – ST Identification

1.2 PP Reference Identification

The TOE claims conformance to the following PP-Configuration:

PP-Configuration Reference: PP-Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, User Authentication Devices, and Video/Display Devices (CFG_PSD-AO-KM-UA-VI_V1.0)
PP-Configuration Sponsor: National Information Assurance Partnership (NIAP)
PP-Configuration Version: 1.0
PP-Configuration Date: July 19, 2019

The claimed PP-Configuration consists of the Base-PP referenced below and the PP-Modules that define required functionality and evaluation activities for the specific peripheral types supported by the TOE.

PP Reference: Protection Profile for Peripheral Sharing Device
PP Sponsor: National Information Assurance Partnership (NIAP)
PP Version: 4.0
PP Date: July 19, 2019

PP-Module Reference: PP-Module for Analog Audio Output Devices
PP-Module Sponsor: National Information Assurance Partnership (NIAP)
PP-Module Version: 1.0
PP-Module Date: July 19, 2019

PP-Module Reference: PP-Module for Keyboard/Mouse Devices
PP-Module Sponsor: National Information Assurance Partnership (NIAP)
PP-Module Version: 1.0
PP-Module Date: July 19, 2019

PP-Module Reference: PP-Module for User Authentication Devices
PP-Module Sponsor: National Information Assurance Partnership (NIAP)
PP-Module Version: 1.0
PP-Module Date: July 19, 2019

PP-Module Reference: PP-Module for Video/Display Devices
PP-Module Sponsor: National Information Assurance Partnership (NIAP)
PP-Module Version: 1.0
PP-Module Date: July 19, 2019

1.3 Organization

Security Target Introduction (Section 1)
• Identification of the TOE and ST
• Overview of the TOE
• Overview of the content of the ST, document conventions, and relevant terminology
• Description of the TOE security functions
• Physical and logical boundaries of the TOE
• Hardware and software that make up the TOE

Security Problem Description (Section 2)
• Threat list
• Set of organizational security policies
• Set of TOE and TOE environment assumptions

Security Objectives (Section 3)
• List of security objectives for the TOE and the TOE environment
• Description of how the security objectives can be trusted to counter the threats identified for the TOE

Security Requirements (Section 4)
• List of Security Functional Requirements (SFRs) met by the TOE
• Security Functional Requirements exposition
• List of Security Assurance Requirements (SARs) met by the TOE
• Security Assurance Requirements (SARs) exposition

Conformance Claims (Section 5)
• Applicable Common Criteria (CC) conformance claims
• Protection Profile (PP) conformance claims
• Assurance package conformance claims

Summary Specification (Section 6)
• List of security functions provided by the TOE
• How the security functions satisfy the SFRs
• List of security assurance measures for the TOE
• Security assurance measures exposition

1.4 Conventions

The Common Criteria (CC) defines operations on Security Functional Requirements: assignments, selections, assignments within selections, refinements and iterations. This document uses the following font conventions to identify the operations defined by the CC:

• Assignment: indicated with italicized text.
• Refinement made by the ST author (refinements reproduced as-is from the PP are not formatted as such): indicated with added or substituted text in bold and, where necessary, deletions in strikethrough.
• Selection: indicated with underlined text.
• Assignment within a selection (or vice versa): indicated with italicized and underlined text.
• Iteration: indicated by appending the SFR name with a slash followed by text that uniquely references the iteration (e.g. FDP_PDC_EXT.2/KM for an iteration of the FDP_PDC_EXT.2 SFR that applies specifically to keyboard/mouse functionality). An iteration may alternatively or additionally be specified with text in parentheses that identifies a model reference, to make it clear that the iteration in question applies to TOE models with the referenced model name.

Extended SFRs are identified with the label “_EXT” after the requirement name. In cases where the claimed PP or PP-Module has already completed an operation, the formatting used by the PP or PP-Module is preserved in the ST. 
Specifically, all completed operations are formatted as italicized text with the original opening and closing brackets preserved.

1.5 Technical Definitions

See CC Part 1, Section 4 for definitions of common CC terms.

1.5.1 ST Specific Terminology

| Term | Description |
|---|---|
| Active Interface/Connection | An Interface between a PSD and a Device that currently has user data flowing through it. |
| Administrator | A person who administers (e.g., installs, configures, updates, audits, maintains) a PSD, Connected Peripherals, and Connections. |
| Analog Audio | Data stream that uses voltage to describe a continuous sound wave. |
| Analog Audio Output Computer Interface, or Computer Interface | The Connector on a PSD through which analog audio data enters the PSD from a Connected Computer. |
| Analog Audio Output Peripheral Interface, or Peripheral Interface | The Connector on a PSD through which analog audio data exits the PSD bound for a peripheral device. |
| Attenuation | A reduction in signal strength, commonly occurring while transmitting analog or digital signals over long distances. |
| Audio codec | PC subsystem capable of encoding and decoding a digital audio data stream. |
| Audio Output Peripheral Device | Speakers, handset, and earphones. |
| Authorized Peripheral | A Peripheral Device that is both technically supported and administratively permitted to have an active interface with the PSD. |
| Blacklist | List containing one or more device attributes that will cause the PSD to reject devices having that attribute. |
| Configurable Device Filtration (CDF) | A PSD function that filters traffic based on properties of a connected peripheral device and criteria that are configurable by an Administrator. |
| Combiner (multi-viewer) | A PSD with video integration functionality, used to simultaneously display output from multiple personal computers (PCs). |
| Composite Device (USB) | A peripheral device that supports more than one device class. |
| Computer Interface | The PSD’s physical receptacle or port for connecting to a computer. |
| Connected Computer | A computing device connected to a PSD. May be a personal computer, server, tablet, or any other computing device. |
| Connected Peripheral | A Peripheral that is connected to a PSD. |
| Connection | A physical or logical conduit that enables Devices to interact through their respective interfaces. May consist of one or more physical (e.g., a cable) or logical (e.g., a protocol) components. |
| Connector | The plug on a Connection that attaches to a Computer or Peripheral Interface. |
| Device | An information technology product. In the context of this PP, a Device is a PSD, a Connected Computer, or a Connected Peripheral. |
| Digital Audio | Data stream that uses digital values to describe a sound wave in sampled intervals. |
| Disconnection of authentication element | Removal of the authentication element, disconnection of a peripheral authentication device (if possible), or switching to a different connected computer (if possible). |
| Display | A device that visually outputs user data, such as a monitor. |
| Emulate | Imitate the behavior of a device or a function in a device. |
| Endpoint (USB) | A source or a sink of data. USB is host-centric; endpoints occur at the end of the communications channel, at the USB function. |
| Enumeration (USB) | A process that starts as soon as a device connects to the USB host. In this process the host and the device jointly define the communications and power settings. |
| Extended Audio Frequency Range | The range from 1 Hz to 60 kHz. |
| External Authentication Device | An authentication device that has an exposed USB interface. |
| Fixed Device Filtration (FDF) | PSD function that accepts or rejects peripheral devices based on fixed parameters loaded during production. |
| Headphones | Computer audio peripheral device with one or more small speakers. |
| HID | A device that accepts input from, or sends output to, human users. |
| Host (USB) | Initiates all communication on the USB and numbers the connected devices. |
| Interface | A shared boundary across which two or more Devices exchange information through a Connection. |
| Interface (USB) | A group of endpoints. Each interface relates to a single device function; the exception is endpoint zero, which is used for device configuration and is not associated with any interface. |
| Internal Authentication Device | An authentication device that has no exposed interface. |
| KM | A type of PSD that shares a keyboard and pointing device between Connected Computers. A KM may optionally include an analog audio device. |
| KVM | A type of PSD that shares a keyboard, video, and pointing device between Connected Computers. A KVM may optionally include an analog audio device and a user authentication device. |
| Letter of Volatility | A letter issued by the manufacturer outlining whether onboard memory can store data when the device is powered off (non-volatile) or not (volatile). |
| Monitoring | The ability of a User to receive an indicator of the current Active Interface. |
| Non-Selected Computer | A Connected Computer that has no Active Interfaces with the PSD. |
| Peripheral/Peripheral Device | A Device whose access can be Shared or Filtered by a PSD. |
| Peripheral Interface | The PSD’s physical receptacle or port for connecting to a Peripheral Device. |
| Protocol | A set of rules or procedures for transmitting data between electronic devices. |
| Remote Controller | Remote component of the PSD that extends the controls and indications through a cable. |
| Removal of authentication element | Removal of a smart card, token, or proximity card from the authentication device reader. |
| Secure State | An operating condition in which the PSD disables all connected peripheral and connected computer interfaces when the correctness of its functions cannot be ensured. |
| Selected Computer | A Connected Computer that has Active Interfaces with the PSD. |
| Sub-Protocol | A set of common commands flowing within a protocol. |
| Supported Peripheral | A Peripheral Device that is technically supported by the PSD. |
| TOE Computer Video Interface | TOE port used to connect the computer or other video source. |
| Touch Screen | A pointing Peripheral Device that enables users to touch one or more objects on the screen or to point the cursor to specific locations. |
| USB Audio codec | Computer audio peripheral device with USB digital input/output, one or more analog audio outputs and one or more analog audio inputs. |
| USB Device | A leaf of the USB tree, connected to the host. |
| USB Dummy Load | A USB Type-A plug with a resistor connected between pins 1 and 4 (VBUS and GND), used to simulate an overload of a TOE USB peripheral device interface. |
| USB Hub | A device that expands a single USB port into several, so that more ports are available to connect devices to a host system. |
| USB Type-C | Universal Serial Bus (USB) interface that supports DisplayPort video output as an alternate mode. |
| User | A person that interacts with a PSD (or a process or mechanism acting on behalf of a person). |
| User Authentication Device | A Peripheral Device that is used to affirm the identity of a User attempting to authenticate to a computer (e.g., smart card reader, biometric authentication device, proximity card reader). |
| User Authentication Session | The exchange of user credentials between a user token (typically presented through a User Authentication Device) and the Selected Computer. |
| User Authentication Session Information | User data for user authentication devices. |
| User Data | Information that the User inputs to the Connected Computer or that is output to the User from the Connected Computer (including user authentication and credential information). |
| Video Data | Visual and audio information presented to the user through the display device. |
| Video Wall | A tiled set of displays that allows the video output from a single Selected Computer to be spanned across multiple individual displays. |
| Whitelist | List containing one or more device attributes that will cause the TOE to accept devices having that attribute. |

Table 3 – ST Technical Definitions

1.5.2 Acronyms

| Acronym | Full Definition |
|---|---|
| ARC | Audio Return Channel |
| CEC | Consumer Electronics Control |
| dB | Decibel |
| dBv | Decibels relative to 1 volt (a voltage ratio) |
| DVI | Digital Visual Interface (standard) |
| EDID | Extended Display Identification Data |
| HDCP | High-bandwidth Digital Content Protection |
| HDMI | High-Definition Multimedia Interface (standard) |
| HEAC | HDMI Ethernet and Audio Return Channel |
| HEC | HDMI Ethernet Channel |
| HID | Human Interface Device |
| HPD | Hot Plug Detect |
| KHz | Kilohertz |
| KM | Keyboard, Mouse |
| KVM | Keyboard, Video and Mouse |
| MCCS | Monitor Command Control Set |
| mV | Millivolt |
| OSP | Organizational Security Policy |
| PC | Personal Computer |
| PS/2 | Personal System/2 |
| PSD | Peripheral Sharing Device |
| SAR | Security Assurance Requirement |
| SFR | Security Functional Requirement |
| S/PDIF | Sony/Philips Digital Interface Format |
| USB | Universal Serial Bus |
| VGA | Video Graphics Array (standard) |

Table 4 – ST Acronyms

1.6 TOE Overview

1.6.1 TOE Architecture (High Level)

Black Box Secure Peripheral Sharing Switches (PSDs) provide a secure medium to share a single set of peripheral components, such as a keyboard, video display and mouse/pointing device, among multiple computers over USB, DVI, HDMI, and DisplayPort. The Black Box Secure PSD uses multiple isolated microcontrollers to emulate the connected peripherals in order to prevent a multitude of threats. The TOE also contains multiple unidirectional data-flow forcing devices that guarantee isolation of the connected computer data channels. 
Black Box Secure KVM port models: • 2-Port • 4-Port • 8-Port Black Box Secure KVM video outputs (displays): • Single head • Dual-head • Quad-head The TOE models also include a model with Preview Screen functionality. This device is a single-head 4-port switch that also has a second monitor port. This second monitor can be controlled independently of the other peripherals and can show one or more connected video feeds in different pre-defined layouts. For example, the preview screen can be set to a ‘quad’ display that allows all four connected computer video feeds to be displayed on the secondary monitor, while the primary monitor is set to the same channel as the keyboard, mouse, and other peripherals as shown in the example below. For the preview monitor, on-screen display is used to unambiguously identify the selected computer video feed(s) that are active. Black Box Secure KVM Switch Security Target (CAC Models) Rev 1.08 15 In the above diagram, the left screen (‘PC1’) is a single head display for the selected computer and is switched with all other user peripherals. The right screen (‘PC1 PC2 PC3 PC4’) is the preview screen that is set to a combiner mode. In the diagram, the preview screen configuration is set to all four connected computers in a quad-view mode, but other options are available and configured with chassis button controls that are separate from the port selection buttons for the other peripherals. The Black Box Secure PSD is compatible with standard personal/portable computers, servers or thin- clients. Connected computers are assumed to run off-the-shelf general-purpose operating systems such as Windows or Linux. 
The PSD includes ports for the following interfaces, depending on model:
• USB keyboard – the TOE does not allow USB traffic to flow from the TOE to a connected keyboard via the peripheral port.
• USB mouse or other pointing device – the TOE does not allow USB traffic to flow from the TOE to a connected pointing device via the peripheral port.
• DVI, HDMI 1.4 and DisplayPort 1.2 video input (computer ports) – the TOE does not allow video traffic to flow from the TOE to a connected computer via the computer port, except for the sub-protocols needed to establish initial connectivity between the computer and the peripheral monitor(s).
• DVI, HDMI 1.4 and DisplayPort 1.2 video output (peripheral port) – the TOE does not allow video traffic to flow from a peripheral to the TOE via the peripheral port, except for the sub-protocols needed to establish initial connectivity between the computer and the peripheral monitor(s).
• 3.5 mm audio input (computer ports) – the TOE does not allow audio to flow from the TOE to a connected computer via the computer ports (i.e. a microphone peripheral is not supported).
• 3.5 mm audio output (peripheral port) – the TOE does not allow audio to flow from a peripheral into the TOE via the peripheral port (i.e. a microphone peripheral is not supported).
• USB user authentication device (e.g. smart-card reader, PIV/CAC reader, token or biometric reader).

Tables 5, 6 and 7 below identify the Black Box Secure KVM models covered by the evaluation. A detailed description of the TOE security features, and of how they map to the claimed SFRs, is given in Section 6 (TOE Summary Specification) below.

1.6.2 TOE Details

1.6.2.1 Evaluated Products

# | Model Name | Description | Eval. Version
1 | KVS4-2002VX | 2-Port DH Secure Pro DP KVM w/audio and CAC | 4.11.001
2 | KVS4-1002HVX | 2-Port SH Secure DP/HDMI KVM w/audio and CAC | 4.11.202
3 | KVS4-2002HVX | 2-Port DH Secure DP/HDMI KVM w/audio and CAC | 4.11.202
4 | KVS4-1002VMX | 2-Port SH DP to 2xHDMI Secure KVM w/audio and CAC | 4.11.003
Table 5 – Black Box 2-Port Secure TOE Identification

# | Model Name | Description | Eval. Version
1 | KVS4-2004VX | 4-Port DH Secure Pro DP KVM w/audio and CAC | 4.11.001
2 | KVS4-4004VX | 4-Port QH Secure Pro DP KVM w/audio and CAC | 4.11.001
3 | KVS4-2004DX | 4-Port DH Secure Pro DVI-I KVM w/audio and CAC | 4.11.010
4 | KVS4-1004HVX | 4-Port SH Secure DP/HDMI KVM w/audio and CAC | 4.11.202
5 | KVS4-2004HVX | 4-Port DH Secure DP/HDMI KVM w/audio and CAC | 4.11.202
6 | KVS4-4004DHVX | 4-Port QH Secure SH DVI, SH HDMI, and DH DP KVM w/audio and CAC | 4.11.111
7 | KVS4-1004VMX | 4-Port SH DP to 2xHDMI Secure KVM w/audio and CAC | 4.11.003
8 | KVS4-2004VMX | 4-Port DH DP to 2xHDMI Secure KVM w/audio and CAC | 4.11.003
9 | KVS4-8004VPX | 4-Port SH Secure DP KVM w/audio, CAC and preview screen | 4.11.004
Table 6 – Black Box 4-Port Secure TOE Identification

# | Model Name | Description | Eval. Version
1 | KVS4-1008VX | 8-Port SH Secure Pro DP KVM w/audio and CAC | 4.11.001
2 | KVS4-2008VX | 8-Port DH Secure Pro DP KVM w/audio and CAC | 4.11.001
3 | KVS4-1008DX | 8-Port SH Secure Pro DVI-I KVM w/audio and CAC | 4.11.010
4 | KVS4-2008DX | 8-Port DH Secure Pro DVI-I KVM w/audio and CAC | 4.11.010
Table 7 – Black Box 8-Port Secure TOE Identification

Notes:
• CAC = Common Access Card filtered USB port.
• DP = DisplayPort video.
• SH = single head; DH = dual head; QH = quad head.
• Description – the text printed on the label attached to the bottom of each device.
• Eval. Version – firmware and hardware revision of each device.
• Black Box's model name logic is explained in Appendix A.
1.6.2.2 Common Criteria Product Type

The TOE is classified as a "Peripheral Sharing Device" (KVM device) in the Common Criteria. Hardware and firmware components are included in the TOE.

1.6.2.3 Peripheral Devices Supported by the TOE

The peripheral devices supported by the TOE are listed in the following table.

Console Port | Authorized Devices
Keyboard | Wired keyboard or keypad without internal USB hub or composite device functions, unless the connected device has at least one endpoint that is of the keyboard or mouse HID class
Display | Display device (e.g. monitor, projector) using an interface that is physically and logically compatible with the TOE ports (DVI-I, HDMI or DisplayPort, depending on model)
Audio out | Analog amplified speakers, analog headphones
Mouse / Pointing Device | Any wired mouse or trackball without internal USB hub or composite device functions
User Authentication Device | USB devices identified as user authentication devices (base class 0Bh, e.g. smart-card reader, PIV/CAC reader, token or biometric reader)
Table 8 – Peripheral Devices supported by the TOE

1.6.2.4 Protocols Supported by the TOE

Tables 9, 10 and 11 below identify the console (peripheral) interface protocols supported by the TOE. Tables 12, 13 and 14 below identify the host (computer) interface protocols supported by the TOE.
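The authorization rules in Table 8, together with the keyboard/mouse functions ("rejects all unauthorized peripheral devices", "only allows valid and simple keyboard and mouse commands") and the CAC-port registration and factory-reset behaviour described in 1.6.2.6 and 1.6.2.7, amount to a small device-admission policy. The Python below is an added example written for this page, not code from the Security Target or from Black Box's firmware; it models that policy over constructed USB descriptors. The class codes are the USB-IF values; keying the CAC-port whitelist on VID:PID, and the choice of what counts as a "simple" HID report, are assumptions of the example rather than statements of the ST.

```python
"""Peripheral-port admission modelled on Table 8 and the 1.6.2.7 security functions.
Added example: it models the stated policy, not the TOE's actual firmware.
Class codes are USB-IF values; the device descriptors below are constructed."""
from dataclasses import dataclass, field

CLASS_PER_INTERFACE = 0x00   # class declared per interface (composite devices)
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_HUB = 0x09
CLASS_SMART_CARD = 0x0B      # "base class 0Bh" in Table 8
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    device_class: int
    interfaces: tuple


@dataclass
class AuthPortPolicy:
    """Whitelist behind 'Register New CAC Device' and 'Restore Factory Default' (1.6.2.6).
    Keying on VID:PID is an assumption; the ST only says 'specific USB devices'."""
    registered: set = field(default_factory=set)

    def register(self, dev: Device) -> None:
        self.registered.add((dev.vid, dev.pid))

    def factory_reset(self) -> None:
        self.registered.clear()      # reset step 1: registered device is forgotten


def is_hub(dev: Device) -> bool:
    return dev.device_class == CLASS_HUB or any(i.cls == CLASS_HUB for i in dev.interfaces)


def km_interfaces(dev: Device) -> list:
    """Boot-protocol keyboard/mouse interfaces only; every other interface of an
    'advanced' device stays disabled (keyboard/mouse function 10)."""
    return [i for i in dev.interfaces
            if i.cls == CLASS_HID and i.subclass == HID_SUBCLASS_BOOT
            and i.protocol in (HID_PROTOCOL_KEYBOARD, HID_PROTOCOL_MOUSE)]


def authorize_km_port(dev: Device) -> tuple:
    """Keyboard/mouse console ports (Table 8): hubs are always rejected; a composite
    device is accepted only if at least one interface is a keyboard or mouse HID class."""
    if is_hub(dev):
        return False, "USB hub rejected"
    usable = km_interfaces(dev)
    if not usable:
        return False, "no keyboard/mouse HID interface"
    return True, "enabled %d of %d interface(s)" % (len(usable), len(dev.interfaces))


def authorize_auth_port(dev: Device, policy: AuthPortPolicy) -> tuple:
    """User-authentication port: by default only smart-card class (0Bh) devices pass;
    anything else must have been registered by an Administrator or User."""
    if is_hub(dev):
        return False, "USB hub rejected"
    if dev.device_class == CLASS_SMART_CARD or any(i.cls == CLASS_SMART_CARD for i in dev.interfaces):
        return True, "smart-card class device"
    if (dev.vid, dev.pid) in policy.registered:
        return True, "registered device"
    return False, "unregistered device rejected"


def filter_km_report(protocol: int, report: bytes):
    """Forward only basic boot-protocol reports (function 10); returns the report to
    forward or None to drop it. What counts as 'simple' is an assumption of this example."""
    if protocol == HID_PROTOCOL_KEYBOARD:
        # 8 bytes: modifier bitmap, reserved byte (must be 0), up to six key codes
        return bytes(report) if len(report) == 8 and report[1] == 0 else None
    if protocol == HID_PROTOCOL_MOUSE:
        # buttons, X delta, Y delta; keep the three standard buttons, drop wheel/extra bytes
        return bytes([report[0] & 0x07, report[1], report[2]]) if len(report) >= 3 else None
    return None


# Constructed sample descriptors (not taken from the ST).
PLAIN_KEYBOARD = Device(0x1234, 0x0001, CLASS_PER_INTERFACE,
                        (Interface(CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD),))
GAMING_KEYBOARD = Device(0x1234, 0x0002, CLASS_PER_INTERFACE,
                         (Interface(CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD),
                          Interface(CLASS_HID),            # vendor macro/lighting HID interface
                          Interface(0x01)))                # audio pass-through interface
USB_HUB = Device(0x1234, 0x0003, CLASS_HUB, (Interface(CLASS_HUB),))
FLASH_DRIVE = Device(0x1234, 0x0004, CLASS_PER_INTERFACE, (Interface(CLASS_MASS_STORAGE, 0x06, 0x50),))
CAC_READER = Device(0x1234, 0x0005, CLASS_PER_INTERFACE, (Interface(CLASS_SMART_CARD),))
FINGERPRINT = Device(0x1234, 0x0006, CLASS_PER_INTERFACE, (Interface(0xFF),))  # vendor-specific class

if __name__ == "__main__":
    policy = AuthPortPolicy()
    for dev in (PLAIN_KEYBOARD, GAMING_KEYBOARD, USB_HUB, FLASH_DRIVE):
        print("KM port   %#06x" % dev.pid, authorize_km_port(dev))
    for dev in (CAC_READER, FINGERPRINT, USB_HUB):
        print("auth port %#06x" % dev.pid, authorize_auth_port(dev, policy))
```

The point of the split between descriptor-level admission and report-level filtering is that each catches a different class of unauthorized device: the hub and mass-storage rejections implement O.REJECT_UNAUTHORIZED_ENDPOINTS and O.REJECT_UNAUTHORIZED_PERIPHERAL, while the report filter is what leaves a "gaming" keyboard usable yet strips everything beyond its boot-protocol keys.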
Peripheral | Protocol | KVS4-2002VX | KVS4-1002HVX | KVS4-2002HVX | KVS4-1002VMX
Keyboard | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Display | DVI-I | - | - | - | -
Display | DP | ✓ | ✓ | ✓ | -
Display | HDMI | - | ✓ | ✓ | ✓
Mouse | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Audio | Analog stereo | ✓ | ✓ | ✓ | ✓
CAC | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Table 9 – Console Port Protocols (2-Port TOE models)

Peripheral | Protocol | KVS4-2004VX | KVS4-4004VX | KVS4-2004DX | KVS4-1004HVX | KVS4-2004HVX | KVS4-4004DHVX | KVS4-8004VPX | KVS4-1004VMX | KVS4-2004VMX
Keyboard | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Display | DVI-I | - | - | ✓ | - | - | ✓ | - | - | -
Display | DP | ✓ | ✓ | - | ✓ | ✓ | ✓ | ✓ | - | -
Display | HDMI | - | - | - | ✓ | ✓ | ✓ | - | ✓ | ✓
Mouse | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Audio | Analog stereo | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
CAC | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Table 10 – Console Port Protocols (4-Port TOE models)

Peripheral | Protocol | KVS4-1008VX | KVS4-2008VX | KVS4-1008DX | KVS4-2008DX
Keyboard | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Display | DVI-I | - | - | ✓ | ✓
Display | HDMI | - | - | - | -
Display | DP | ✓ | ✓ | - | -
Mouse | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Audio | Analog stereo output | ✓ | ✓ | ✓ | ✓
CAC | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Table 11 – Console Port Protocols (8-Port TOE models)

Host interface | Protocol | KVS4-2002VX | KVS4-1002HVX | KVS4-2002HVX | KVS4-1002VMX
Keyboard | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Video | DVI-I | - | - | - | -
Video | DP | ✓ | ✓ | ✓ | ✓
Video | HDMI | - | ✓ | ✓ | -
Mouse | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Audio | Analog stereo | ✓ | ✓ | ✓ | ✓
CAC | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Table 12 – Computer Port Protocols (2-Port TOE models)

Host interface | Protocol | KVS4-2004VX | KVS4-4004VX | KVS4-2004DX | KVS4-1004HVX | KVS4-2004HVX | KVS4-4004DHVX | KVS4-8004VPX | KVS4-1004VMX | KVS4-2004VMX
Keyboard | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Video | DVI-I | - | - | ✓ | - | - | ✓ | - | - | -
Video | DP | ✓ | ✓ | - | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Video | HDMI | - | - | - | ✓ | ✓ | ✓ | - | - | -
Mouse | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Audio | Analog stereo | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
CAC | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Table 13 – Computer Port Protocols (4-Port TOE models)

Host interface | Protocol | KVS4-1008VX | KVS4-2008VX | KVS4-1008DX | KVS4-2008DX
Keyboard | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Video | DVI-I | - | - | ✓ | ✓
Video | HDMI | - | - | - | -
Video | DP | ✓ | ✓ | - | -
Mouse | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Audio | Analog stereo output | ✓ | ✓ | ✓ | ✓
CAC | USB 1.1/2.0 | ✓ | ✓ | ✓ | ✓
Table 14 – Computer Port Protocols (8-Port TOE models)

1.6.2.5 Logical Scope of the TOE

1.6.2.5.1 Basic KVM TOE Function Overview

Secure KVM devices allow an individual user to use one set of peripherals to operate in an environment with one or several isolated computers. The KVM switches the keyboard, mouse, display, audio and USB/CAC connections from one isolated computer to another. Table 15 below lists the TOE services verified in the current evaluation.

TOE Service | Verification
User peripheral isolation from source computer | ✓
Enable/disable user USB device for each channel | ✓
Admin access to management and log functions | ✓
Restore factory defaults function | ✓
Mapping user display to chosen computer | ✓
Mapping user keyboard and mouse to chosen computer | ✓
Mapping user audio device to chosen computer | ✓
Mapping user USB CAC peripheral device to selected computer | ✓
Table 15 – TOE Services

1.6.2.6 Administrative and User Configuration of the TOE

Table 16 below summarises the User and Administrator security management features. An authenticated User and an authenticated Administrator are both treated as administrators in the sense of the PSD PP. See section 6.2 for a detailed description of the administration tool architecture.

Menu Option | User | Administrator
Change User Access Credentials | - | ✓
Change Admin Access Credentials | - | ✓
View Registered CAC Device | ✓ | ✓
Register New CAC Device | ✓ | ✓
Dump Log | - | ✓
Restore Factory Default (reset) | - | ✓
Terminate Session | ✓ | ✓
Table 16 – TOE User/Administrator Services and Accessibility

1.6.2.6.1 Change User and Admin Credentials is available to the Administrator only and allows updating both the username and the password.

1.6.2.6.2 View Registered CAC Device is available to the Administrator and the User and shows which peripheral USB device, if any, has been registered.

1.6.2.6.3 Register New CAC Device is available to the Administrator and the User and allows registration of a new peripheral USB device for the CAC port.
1.6.2.6.4 Dump Log (auditing) is available to the Administrator only and generates a detailed report of security-relevant events such as self-test results, rejected peripheral USB device connections, restore factory default (reset) and failed log-in attempts.

1.6.2.6.5 Restore Factory Default (reset) is available to the Administrator only. Selecting it causes the following:
1. Any USB peripheral device registered for the CAC port is removed, and the TOE thereafter accepts only a standard smart-card reader, USB 1.1/2.0 token or biometric reader.
2. The User and Administrator log-in credentials are reset to their defaults.
3. The TOE powers down for 1,000 ms and then powers up.
4. During the power-down, all connected devices are disconnected from the computers and all internal cache other than the audit log is wiped.
5. After power-up the TOE buzzer sounds twice to indicate completion of the power reset and a successful self-test.

1.6.2.6.6 Terminate Session logs out the authenticated User or Administrator.

1.6.2.7 TOE Security Functions Overview

The following lists give an overview of the security features supported by the TOE.

TOE Keyboard and Mouse Security Functions
1. No data is stored in non-volatile memory (SRAM only).
2. USB keyboard and mouse data flows are converted to a serial data channel that is isolated from each connected computer and from all other TOE internal circuitry.
3. Keyboard and mouse channels are isolated electrically and logically from each connected computer and from all other TOE internal circuitry.
4. Uni-directional data flow is enforced with uni-directional optical data diodes.
5. Power to the channel is briefly shut down during channel switching to clear any previously cached keyboard/mouse commands.
6. Device/host emulators prevent direct communication, and hence data leakage, between a connected computer and a peripheral device.
7. Device/host emulators maintain keyboard/mouse emulation on all channels during TOE operation, so non-selected computers still see an emulated keyboard and mouse while the user is working on another computer.
8. The TOE rejects all unauthorized peripheral devices.
9. Keyboard LEDs are not turned on even when the corresponding keyboard command is executed (e.g. the Caps Lock LED stays off), because the TOE never sends data back to the keyboard; this is a visible consequence of the uni-directional channel.
10. The TOE only allows valid and simple keyboard and mouse commands; all other USB traffic is rejected. Advanced keyboard and mouse devices have their non-basic features disabled by the TOE.
11. Keyboard and mouse channels remain isolated when the TOE is not powered.

TOE External Interfaces Security Functions
1. No docking protocols are supported by the TOE.
2. No analog audio input is accepted from peripherals connected to the TOE.
3. Devices allowed by the TOE:
• Wired USB 1.1/2.0 keyboard and mouse
• 3.5 mm analog audio output jack
• TOE DVI models: DVI input/DVI output
• TOE DP and Preview Screen models: DP 1.2 input/DP 1.2 output
• TOE DP/HDMI models: DP 1.2 or HDMI 1.4 input/DP 1.2 or HDMI 1.4 output (DP and HDMI can be used interchangeably on both the computer and the peripheral side)
• TOE DP MST models: DP 1.2 input/HDMI 1.4 output
• TOE 'combo' model: DVI input/DVI output, DP 1.2 input/DP 1.2 output, and HDMI 1.4 input/HDMI 1.4 output (each peripheral port corresponds to the computer ports of the same type)
• Administrator-controlled configurable USB 1.1/2.0 user authentication port that can authorize specific USB devices (by default only a CAC/biometric reader is allowed)

TOE Audio Subsystem Security Functions
1. A stereo audio channel for each connected computer, isolated electrically and logically from all other TOE internal circuitry.
2. No analog microphones are accepted by the TOE.
3. An LM4880 "Boomer" audio power amplifier, designed to provide high-quality output power with a minimal number of external components in a surface-mount package, drives the output.
4. The LM4880 output stage enforces uni-directional data flow from computer to TOE on both the left and right stereo channels; its internal transistors prevent a device on the output jack from acting as a microphone toward the computer.
5. Audio data is not converted, stored or otherwise used by the TOE, so it cannot leak.
6. Audio channels remain isolated when the TOE is not powered.

TOE Video Subsystem Security Functions
1. Video channels are isolated: bidirectional communication with the monitor/display is disabled by using dedicated EEPROMs for EDID emulation. The video output signal is transmitted to the display using a single dedicated EDID address, preventing any unauthorized transactions between the display and the PC.
2. Video channels remain isolated when the TOE is not powered.
3. A uni-directional EDID read/write process prevents bi-directional communication.
4. The TOE rejects all devices with invalid EDID.
5. DVI, DP 1.2 and HDMI 1.4 video inputs are supported, depending on model.

TOE User Authentication Device Subsystem Security Functions
1. An electrically and logically isolated USB/CAC port for each connected computer.
2. Administrator-controlled configurable USB/CAC ports that can authorize specific USB devices.
3. During USB/CAC channel switching a temporary power dip resets the authentication device, so no session state carries over between computers.
4. In the default configuration the TOE rejects all unauthorized USB/CAC devices.
5. USB/CAC LED indication: solid when the port is in use by an authorized device, flashing for an unauthorized device, off when unused.
6. USB/CAC channels remain isolated when the TOE is not powered.

TOE User Control and Monitoring Security Functions
1. Visual indication of the current channel state via the TOE push-button LEDs.
2. The connected computer channel is changed only by manually pressing a push-button on the TOE.
3. Front-panel LED indications cannot be dimmed or altered in any way during TOE operation.

Self-Testing
1. The TOE self-test runs unconditionally at power-up, before normal operation is enabled.
2. A self-test failure disables normal TOE operation until the system is rebooted and all self-tests pass.
3. A self-test failure has visual and audible indications (flashing push-button LEDs, pulsing relays).

Anti-Tampering
1. A permanently active anti-tampering system, powered by the external supply or by an internal backup battery rated for 10 years of operation.
2. When the anti-tampering system triggers, all connected computers and peripheral devices are isolated.
3. Visible and audible indications follow an anti-tampering trigger (flashing push-button LEDs, pulsing relays, internal alarm beeping).
4. A log function provides an auditable trail of TOE security events.
5. All TOE microcontrollers are protected against firmware read/write from external tools.
6. A uniquely numbered holographic tamper-evident label (TEL) on the TOE reveals any physical attempt to access the TOE's internal circuitry.

A more detailed version of this overview is provided in Section 6 below.

1.7 TOE Scope and Boundary

1.7.1 Overview

The TOE is a Peripheral Sharing Device that supports the following types of peripherals:
- Analog audio output
- Keyboard/mouse input
- Video output
- User authentication device input

The physical boundary of the TOE consists of the following (refer to Figure 1, Figure 2 and Table 17 below):

No. | Physical Boundary of TOE
1 | One Black Box Secure KVM Switch
2 | The TOE computer interface cables that are shipped with the product
3 | The permanently programmed embedded firmware inside the TOE on each microcontroller and processor
4 | Log data, settings data and state data stored in the TOE
5 | The TOE power supply that is shipped with the product
6 | User Guidance Manual.
Current version available for download at: https://www.blackbox.com/NIAP4/documentation
7 | Administrator Guidance. Current version available for download at: https://www.blackbox.com/NIAP4/documentation
Table 17 – TOE Physical Boundary Composition

The evaluated TOE configuration includes only the supplied computer interface cables attached to the TOE (no peripherals are supplied by Black Box). The following figures represent the TOE and its environment.

Note: Some TOE models support the operation of multiple user displays. Specifically, model names beginning "KVS4-2" (dual-head) or "KVS4-4" (quad-head) support the connection of up to two or four displays, respectively, to the console ports. This allows switching between computers that have multi-monitor display capabilities. Models whose names do not use this notation are single-head for switchable video output.

The figures below show representative examples of supported TOE models and their connections to peripherals and computers: a 2-port dual-head model and a 4-port single-head model. 8-port models behave the same way as the 2-port and 4-port models except that more connected computers are supported.

Figure 1: Standard Setup of 2-Port KVM TOE Installation
Figure 2: Standard Setup of 4-Port TOE Installation

1.7.2 Environment

The following tables identify the hardware components and indicate whether each component is part of the TOE or of the environment.

Component | Part Number (P/N) | Description
Each device listed in Tables 5, 6 and 7 above | Same as model number | TOE hardware
Black Box KVM cables | USB005-0006 | USB cable, Type A male to Type B male, black, 6 ft (1.8 m)*
Black Box KVM cables | EJ110-0005 | 3.5 mm stereo audio cable, 24 AWG, male/male, 5 ft (1.5 m)*
Black Box KVM cables | EVNDVI02-0006 | DVI-I male, straight hood/DVI-I male, straight hood, 6 ft (1.8 m)*
Black Box KVM cables | VCL-HDMIL-002M | HDMI to HDMI, 2 m (6.5 ft)*
Black Box KVM cables | VCB-DP-0006-MM | DP male/male, 32 AWG, 6 ft (1.8 m)*
Table 18 – TOE Components
*These cables are used for connecting the TOE to peripheral devices/connected computers.

Component | Description
Standard USB mouse | Shared peripheral hardware
Standard USB keyboard | Shared peripheral hardware
Standard computer display(s) | Shared peripheral hardware
Audio device (speakers with 3.5 mm connector) | Shared peripheral hardware
USB user authentication device, or any other USB device configured in advance to work with the TOE | Console user authentication device interface
Standard PC, server, portable computer or thin client running any operating system | Connected computer(s)
Table 19 – Environment Components

1.8 Guidance Documents

User manuals for each TOE model and an administrative guide are available for download at https://www.blackbox.com/NIAP4/documentation. The following links on that page are relevant to the TOE:
• Advanced 2/4/8-Port DVI-I Secure KVM Switch
• Advanced 4-Port DP Secure KVM Switch W/ Preview
• Advanced 2/4-Port DP MST Secure KVM Switch
• Advanced 2/4-Port DP/HDMI Secure KVM Switch
• Advanced 2/4/8-Port Displayport Secure KVM Switch
• Advanced 4-Port DP, HDMI & DVI-I Secure KVM Switch
• Secure KVM Administration and Security Management Tool Guide (CAC)

Note that the guidance documents reference both "CAC" and "Non-CAC" models. For this evaluation the CAC models apply, so all discussion in the documents that relates to CAC functionality applies to the TOE.

1.9 Features Outside of TOE Evaluation Scope

This section identifies items that are specifically excluded from the TOE.
• KM Mode: all product models except the Preview Screen model can be configured by an administrator into "KM Mode". In this mode the device's video ports are disabled, so it functions as a keyboard/mouse-only (KM) switch, and cursor control becomes available as an alternative switching mechanism. In the evaluated configuration the TOE must not be placed into KM Mode.

2 Security Problem Description

This section lists the assumptions about the environment in which the TOE is to be used and describes the conditions for secure operation of the TOE.

Note: The content of this section has been taken from the Security Problem Description of the claimed PSD PP and the other PP-Modules in the claimed PP-Configuration and is replicated here for clarity.

2.1 Assumptions

The following table defines the assumptions regarding the deployment and use of the TOE. These assumptions are defined in the PSD PP and the PP-Modules that comprise the PP-Configuration to which the TOE claims conformance.

Protection Profile for Peripheral Sharing Device
A.NO_TEMPEST: Computers and peripheral devices connected to the PSD are not TEMPEST approved. (Added from the PP-Module for Keyboard/Mouse Devices:) The TSF may or may not isolate the ground of the keyboard and mouse computer interfaces (the USB ground). The Operational Environment is assumed not to support TEMPEST red-black ground isolation.
A.PHYSICAL: The environment provides physical security commensurate with the value of the TOE and the data it processes and contains.
A.NO_WIRELESS_DEVICES: The environment includes no wireless peripheral devices.
A.TRUSTED_ADMIN: PSD Administrators and users are trusted to follow and apply all guidance in a trusted manner.
A.TRUSTED_CONFIG: Personnel configuring the PSD and its operational environment will follow the applicable security configuration guidance.
A.USER_ALLOWED_ACCESS: All PSD users are allowed to interact with all connected computers. It is not the role of the PSD to prevent or otherwise control user access to connected computers. Computers or their connected network shall have the required means to authenticate the user and to control access to their various resources.

PP-Module for Analog Audio Output Devices
A.NO_MICROPHONES: Users are trained not to connect a microphone to the TOE audio output interface.

PP-Module for Keyboard/Mouse Devices
N/A – this PP-Module does not define any assumptions beyond those defined in the PSD PP.

PP-Module for User Authentication Devices
N/A – this PP-Module does not define any assumptions beyond those defined in the PSD PP.

PP-Module for Video/Display Devices
A.NO_SPECIAL_ANALOG_CAPABILITIES: The computers connected to the TOE are not equipped with special analog data collection cards or peripherals such as an analog-to-digital interface, a high-performance audio interface, a digital signal processing function or an analog video capture function.
Table 20 – Assumptions

2.2 Organizational Security Policies

No Organizational Security Policies (OSPs) that need to be addressed by the TOE are listed in the claimed PP.

2.3 Threats

The following table defines the threats expected to be mitigated by the TOE. These threats are defined in the PSD PP and the PP-Modules that comprise the PP-Configuration to which the TOE claims conformance.

Protection Profile for Peripheral Sharing Device
T.DATA_LEAK: A connection via the PSD between one or more computers may allow unauthorized data flow through the PSD or its connected peripherals.
T.SIGNAL_LEAK: A connection via the PSD between one or more computers may allow unauthorized data flow through bit-by-bit signaling.
T.RESIDUAL_LEAK: A PSD may leak (partial, residual or echo) user data between the intended connected computer and another unintended connected computer.
T.UNINTENDED_USE: A PSD may connect the user to a computer other than the one to which the user intended to connect.
T.UNAUTHORIZED_DEVICES: The use of an unauthorized peripheral device with a specific PSD peripheral port may allow unauthorized data flows between connected devices or enable an attack on the PSD or its connected computers.
T.LOGICAL_TAMPER: An attached device (computer or peripheral) with malware, or otherwise under the control of a malicious user, could modify or overwrite code or data stored in the PSD's volatile or non-volatile memory to allow unauthorized information flows.
T.PHYSICAL_TAMPER: A malicious user or human agent could physically modify the PSD to allow unauthorized information flows.
T.REPLACEMENT: A malicious human agent could replace the PSD during shipping, storage or use with an alternate device that does not enforce the PSD security policies.
T.FAILED: Detectable failure of a PSD may cause an unauthorized information flow or weakening of PSD security functions.

PP-Module for Analog Audio Output Devices
T.MICROPHONE_USE: A malicious agent could use an unauthorized peripheral device such as a microphone, connected to the TOE audio-out peripheral device interface, to eavesdrop or to transfer data across an air gap through audio signaling.
T.AUDIO_REVERSED: A malicious agent could repurpose an authorized audio output peripheral device by converting it to a low-gain microphone to eavesdrop on the surrounding audio or to transfer data across an air gap through audio signaling.

PP-Module for Keyboard/Mouse Devices
N/A – this PP-Module does not define any threats beyond those defined in the PSD PP.

PP-Module for User Authentication Devices
N/A – this PP-Module does not define any threats beyond those defined in the PSD PP.

PP-Module for Video/Display Devices
N/A – this PP-Module does not define any threats beyond those defined in the PSD PP.
Table 21 – Threats

3 Security Objectives

This chapter defines the security objectives for the TOE and for the Operational Environment.
• Security objectives for the TOE are addressed directly by the TOE.
• Security objectives for the Operational Environment are not addressed by the TOE itself; they are met by non-technical means or by other parts of the IT environment.

3.1 Security Objectives for the TOE

The following table defines the security objectives that must be satisfied by the TOE. These objectives are defined in the PSD PP and the PP-Modules that comprise the PP-Configuration to which the TOE claims conformance.

Protection Profile for Peripheral Sharing Device
O.COMPUTER_INTERFACE_ISOLATION: The PSD shall prevent unauthorized data flow to ensure that the PSD and its connected peripheral devices cannot be exploited in an attempt to leak data. Each TOE-computer interface shall be isolated from all other PSD-computer interfaces while the TOE is powered.
O.COMPUTER_INTERFACE_ISOLATION_TOE_UNPOWERED: The PSD shall not allow data to transit a PSD-computer interface while the PSD is unpowered.
O.USER_DATA_ISOLATION: The PSD shall route user data, such as keyboard entries, only to the computer selected by the user. The PSD shall provide isolation between the data flowing from the peripheral device to the selected computer and any non-selected computer.
O.NO_USER_DATA_RETENTION: The PSD shall not retain user data in non-volatile memory after power-up or, if supported, factory reset.
O.NO_OTHER_EXTERNAL_INTERFACES: The PSD shall not have any external interfaces other than those implemented by the TSF.
O.LEAK_PREVENTION_SWITCHING: The PSD shall ensure that there are no switching mechanisms that allow signal data leakage between connected computers.
O.AUTHORIZED_USAGE: The TOE shall explicitly prohibit or ignore unauthorized switching mechanisms, either because it supports only one connected computer or because it allows only authorized mechanisms to switch between connected computers. Authorized switching mechanisms shall require express user action and are restricted to console buttons, console switches, a console touch screen, a wired remote control, and peripheral devices using a guard. Unauthorized switching mechanisms include keyboard shortcuts (also known as "hotkeys"), automatic port scanning and control through a connected computer. Where applicable, the result of the switching activity shall be indicated by the TSF so that it is clear to the user that the switching mechanism was engaged as intended. A conformant TOE may also provide a management function to configure some aspects of the TSF. If the TOE provides this functionality, it shall ensure that whatever management functions it provides can only be performed by authorized administrators and that an audit trail of management activities is generated.
O.PERIPHERAL_PORTS_ISOLATION: The PSD shall ensure that data does not flow between peripheral devices connected to different PSD interfaces.
O.REJECT_UNAUTHORIZED_PERIPHERAL: The PSD shall reject unauthorized peripheral device types and protocols.
O.REJECT_UNAUTHORIZED_ENDPOINTS: The PSD shall reject unauthorized peripheral devices connected via a Universal Serial Bus (USB) hub.
O.NO_TOE_ACCESS: The PSD firmware, software and memory shall not be accessible via its external ports.
O.TAMPER_EVIDENT_LABEL: The PSD shall be identifiable as authentic by the user, and the user must be made aware of any procedures or other information needed to accomplish that authentication. This feature must be available upon receipt of the PSD and remain available throughout the PSD's deployment. The PSD shall be labeled with at least one visible, unique, identifying tamper-evident marking that can be used to authenticate the device. The PSD manufacturer must maintain a complete list of manufactured PSD articles and their respective identification markings' unique identifiers.
O.ANTI_TAMPERING: The PSD shall be physically enclosed so that any attempt to open or otherwise access the internals or modify the connections of the PSD would be evident, and optionally thwarted through disablement of the TOE. Note: this applies to a wired remote control as well as to the main chassis of the PSD.
O.SELF_TEST: The PSD shall perform self-tests following power-up or powered reset.
O.SELF_TEST_FAIL_TOE_DISABLE: The PSD shall enter a secure state upon detection of a critical failure.
O.SELF_TEST_FAIL_INDICATION: The PSD shall provide clear and visible user indications in the case of a self-test failure.

PP-Module for Analog Audio Output Devices
O.UNIDIRECTIONAL_AUDIO_OUT: The PSD shall enforce the unidirectional flow of audio data from the analog audio computer interface to the analog audio peripheral interface.
O.COMPUTER_TO_AUDIO_ISOLATION: The PSD shall isolate the analog audio output function from all other TOE functions.

PP-Module for Keyboard/Mouse Devices
O.EMULATED_INPUT: The TOE shall emulate the keyboard and/or mouse functions from the TOE to the connected computer.
O.UNIDIRECTIONAL_INPUT: The TOE shall enforce unidirectional keyboard and/or mouse data flow from the peripheral device to the selected computer only.

PP-Module for User Authentication Devices
O.USER_AUTHENTICATION_ISOLATION: The TOE shall isolate the user authentication function from all other TOE functions.
O.SESSION_TERMINATION: The TOE shall immediately terminate an open session with the selected computer upon disconnection of the authentication element.
PP-Module for Video/Display Devices
O.PROTECTED_EDID | The TOE shall read the connected display Extended Display Identification Data (EDID) once during the TOE power up or reboot sequence and prevent any EDID channel write transactions that connected computers initiate.
O.UNIDIRECTIONAL_VIDEO | The TOE shall enforce unidirectional video data flow from the connected computer video interface to the display interface only.
Table 22 – Security Objectives for the TOE

3.2 Security Objectives for the Operational Environment
The following table defines the security objectives that must be satisfied by the TOE’s operational environment to ensure that the TOE’s functions will be sufficient to mitigate the defined threats. These objectives are defined in the PSD PP and the PP-Modules that comprise the PP-Configuration that the TOE claims conformance to.

Security Objective | Definition
Protection Profile for Peripheral Sharing Device
OE.NO_TEMPEST | The operational environment will not use TEMPEST approved equipment.
OE.PHYSICAL | The operational environment will provide physical security, commensurate with the value of the PSD and the data that transits it.
OE.NO_WIRELESS_DEVICES | The operational environment will not include wireless keyboards, mice, audio, user authentication, or video devices.
OE.TRUSTED_ADMIN | The operational environment will ensure that trusted PSD Administrators and users are appropriately trained.
OE.TRUSTED_CONFIG | The operational environment will ensure that administrators configuring the PSD and its operational environment follow the applicable security configuration guidance.
PP-Module for Analog Audio Output Devices
OE.NO_MICROPHONES | The operational environment is expected to ensure that microphones are not plugged into the TOE audio output interfaces.
PP-Module for Keyboard/Mouse Devices
N/A – this PP-Module does not define any environmental security objectives beyond those defined in the PSD PP.
PP-Module for User Authentication Devices
N/A – this PP-Module does not define any environmental security objectives beyond those defined in the PSD PP.
PP-Module for Video/Display Devices
OE.NO_SPECIAL_ANALOG_CAPABILITIES | The operational environment will not have special analog data collection cards or peripherals such as analog to digital interface, high performance audio interface, or a component with digital signal processing or analog video capture functions.
Table 23 – Security Objectives for the Operational Environment

4 Security Requirements
The following section describes the IT security requirements of the TOE and its operational environment. The Common Criteria separates the TOE security requirements into two distinct categories:
1. Security functional requirements (SFRs) the TOE needs to satisfy to pass the security objectives (examples are listed below).
   • Identification/Authentication
   • Security management
   • User information protection
2. Security assurance requirements (SARs) specify evidence that provides grounds for confidence that the TOE in its operational environment can satisfy the security objectives (examples are listed below).
   • Testing
   • Configuration Management
   • Vulnerability Assessment
The SFRs and SARs are discussed in more detail in the following subsections.

4.1 TOE Security Functional Requirements (all models)
The SFRs that all TOE models will satisfy are listed below in this section.

4.1.1 Overview
The TOE claims all of the mandatory SFRs defined in the PP and PP-Modules that belong to the claimed PP-Configuration. The TOE also meets some of the optional and selection-based SFRs in the PP and PP-Modules.
For Base-PP SFRs that are modified by one or more of the claimed PP-Modules, the modifications as required by those PP-Modules have been made. The SFRs have been replicated below for clarity. Table 24 below displays the SFR IDs, their names, and where they originate from.

SFR ID | Name | Source
FAU_GEN.1 | Audit Data Generation | PSD PP (optional)
FDP_AFL_EXT.1 | Audio Filtration | Audio Output Module (mandatory)
FDP_APC_EXT.1 | Active PSD Connections | PSD PP (mandatory). Note that the ST iterates this SFR for each of the claimed PP-Modules, per the instructions found in section 5.1.2 of each PP-Module.
FDP_CDS_EXT.1 | Connected Displays Supported | Video/Display Module (mandatory)
FDP_FIL_EXT.1/KM | Device Filtering (Keyboard/Mouse) | Keyboard/Mouse Module (optional)
FDP_FIL_EXT.1/UA | Device Filtering (User Authentication Devices) | User Authentication Module (mandatory)
FDP_PDC_EXT.1 | Peripheral Device Connection | PSD PP (mandatory)
FDP_PDC_EXT.2/AO | Peripheral Device Connection (Audio Output) | Audio Output Module (mandatory)
FDP_PDC_EXT.2/KM | Authorized Devices (Keyboard/Mouse) | Keyboard/Mouse Module (mandatory)
FDP_PDC_EXT.2/UA | Authorized Devices (User Authentication Devices) | User Authentication Module (mandatory)
FDP_PDC_EXT.2/VI | Peripheral Device Connection (Video Output) | Video/Display Module (mandatory)
FDP_PDC_EXT.3/KM | Authorized Connection Protocols (Keyboard/Mouse) | Keyboard/Mouse Module (mandatory)
FDP_PDC_EXT.4 | Supported Authentication Device | User Authentication Module (mandatory)
FDP_PUD_EXT.1 | Powering Unauthorized Devices | Audio Output Module (mandatory)
FDP_PWR_EXT.1 | Powered By Computer | User Authentication Module (mandatory)
FDP_RIP.1/KM | Residual Information Protection (Keyboard Data) | Keyboard/Mouse Module (selection-based)
FDP_RIP_EXT.1 | Residual Information Protection | PSD PP (mandatory)
FDP_RIP_EXT.2 | Purge of Residual Information | PSD PP (optional)
FDP_SWI_EXT.1 | PSD Switching | PSD PP (mandatory)
FDP_SWI_EXT.2 | PSD Switching Methods | PSD PP (selection-based)
FDP_SWI_EXT.3 | Tied Switching | Keyboard/Mouse Module (selection-based)
FDP_TER_EXT.1 | Session Termination | User Authentication Module (mandatory)
FDP_TER_EXT.2 | Session Termination of Removed Devices | User Authentication Module (selection-based)
FDP_TER_EXT.3 | Session Termination upon Switching | User Authentication Module (selection-based)
FDP_UAI_EXT.1 | User Authentication Isolation | User Authentication Module (mandatory)
FDP_UDF_EXT.1/AO | Unidirectional Data Flow (Audio Output) | Audio Output Module (mandatory)
FDP_UDF_EXT.1/KM | Unidirectional Data Flow (Keyboard/Mouse) | Keyboard/Mouse Module (mandatory)
FDP_UDF_EXT.1/VI | Unidirectional Data Flow (Video Output) | Video/Display Module (mandatory)
FIA_UAU.2 | User Authentication Before Any Action | PSD PP (optional)
FIA_UID.2 | User Identification Before Any Action | PSD PP (optional)
FMT_MOF.1 | Management of Security Functions Behavior | PSD PP (optional)
FMT_SMF.1 | Specification of Management Functions | PSD PP (optional)
FMT_SMR.1 | Security Roles | PSD PP (optional)
FPT_FLS_EXT.1 | Failure with Preservation of Secure State | PSD PP (mandatory)
FPT_NTA_EXT.1 | No Access to TOE | PSD PP (mandatory)
FPT_PHP.1 | Passive Detection of Physical Attack | PSD PP (mandatory)
FPT_PHP.3 | Resistance to Physical Attack | PSD PP (optional)
FPT_STM.1 | Reliable Time Stamps | PSD PP (optional)
FPT_TST.1 | TSF Testing | PSD PP (mandatory)
FPT_TST_EXT.1 | TSF Testing | PSD PP (mandatory)
FTA_CIN_EXT.1 | Continuous Indications | PSD PP (selection-based)
Table 24 – TOE SFR Overview

4.1.2 Class FAU: Security Audit
FAU_GEN.1 Audit Data Generation
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a. Start-up and shutdown of the audit functions;
b. All auditable events for the [not specified] level of audit; and
c. [administrator login, administrator logout, self-test failures, peripheral device acceptance and rejections, [all administrative functions claimed in FMT_MOF.1 and FMT_SMF.1]].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a. Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b. For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [no other information].

4.1.3 Class FDP: User Data Protection
FDP_AFL_EXT.1 Audio Filtration [1]
[1] As modified by NIAP TD0557
FDP_AFL_EXT.1.1 The TSF shall ensure outgoing audio signals are filtered as per [Audio Filtration Specifications table].

Frequency (kHz) | Minimum Attenuation (dB) | Maximum Voltage After Attenuation
14 | 23.9 | 127.65 mV
15 | 26.4 | 95.73 mV
16 | 30.8 | 57.68 mV
17 | 35.0 | 35.57 mV
18 | 38.8 | 22.96 mV
19 | 43.0 | 14.15 mV
20 | 46.0 | 10.02 mV
30 | 71.4 | 0.53 mV
40 | 71.4 | 0.53 mV
50 | 71.4 | 0.53 mV
60 | 71.4 | 0.53 mV
Table 25 – Audio Filtration Specifications

FDP_APC_EXT.1/AO Active PSD Connections (Audio Output)
FDP_APC_EXT.1.1/AO The TSF shall route user data only from the interfaces selected by the user.
FDP_APC_EXT.1.2/AO The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.
FDP_APC_EXT.1.3/AO The TSF shall ensure that no data transits the TOE when the TOE is powered off.
FDP_APC_EXT.1.4/AO The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.
Application Note: This SFR is originally defined in the Base-PP but is refined and iterated to apply to the audio output interface per section 5.1.2 of the Audio Output PP-Module.
FDP_APC_EXT.1/KM Active PSD Connections (Keyboard/Mouse)
FDP_APC_EXT.1.1/KM The TSF shall route user data only to the interfaces selected by the user.
FDP_APC_EXT.1.2/KM The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.
FDP_APC_EXT.1.3/KM The TSF shall ensure that no data transits the TOE when the TOE is powered off.
FDP_APC_EXT.1.4/KM The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.
Application Note: This SFR is originally defined in the Base-PP but is refined and iterated to apply to the keyboard/mouse interfaces per section 5.1.2 of the Keyboard/Mouse PP-Module.
FDP_APC_EXT.1/UA Active PSD Connections (User Authentication)
FDP_APC_EXT.1.1/UA The TSF shall route user data only to or from the interfaces selected by the user.
FDP_APC_EXT.1.2/UA The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.
FDP_APC_EXT.1.3/UA The TSF shall ensure that no data transits the TOE when the TOE is powered off.
FDP_APC_EXT.1.4/UA The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.
Application Note: This SFR is originally defined in the Base-PP but is refined and iterated to apply to the user authentication interface per section 5.1.2 of the User Authentication PP-Module.
FDP_APC_EXT.1/VI Active PSD Connections (Video/Display)
FDP_APC_EXT.1.1/VI The TSF shall route user data only from the interfaces selected by the user.
FDP_APC_EXT.1.2/VI The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.
FDP_APC_EXT.1.3/VI The TSF shall ensure that no data transits the TOE when the TOE is powered off.
FDP_APC_EXT.1.4/VI The TSF shall ensure that no data transits the TOE when the TOE is in a failure state.
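The FDP_AFL_EXT.1 table (Table 25 above) is a pass/fail profile an evaluator or integrator can check a measured audio path against. The following is an added example, not Black Box's code and not the PP-Module's test procedure: it derives the table's voltage column from the attenuation column and grades a set of constructed measurements. It assumes a 2.0 V reference tone at the computer interface (127.65 mV × 10^(23.9/20) is about 2.0 V), which this page does not state.

```python
"""Check a measured audio output profile against the FDP_AFL_EXT.1
filtration table (Table 25). Added example, not Black Box or PP code."""
import math

# Table 25 as claimed in the ST: frequency (kHz) -> minimum attenuation (dB).
MIN_ATTENUATION_DB = {
    14: 23.9, 15: 26.4, 16: 30.8, 17: 35.0, 18: 38.8, 19: 43.0,
    20: 46.0, 30: 71.4, 40: 71.4, 50: 71.4, 60: 71.4,
}

# Assumption (not stated on this page): the table's voltage column is for a
# 2.0 V tone at the computer interface, since 127.65 mV * 10**(23.9/20) ~ 2.0 V.
REFERENCE_VOLTS = 2.0


def attenuation_to_ratio(attenuation_db):
    """Voltage ratio out/in for a given attenuation in dB."""
    return 10 ** (-attenuation_db / 20.0)


def max_voltage_mv(freq_khz, reference_volts=REFERENCE_VOLTS):
    """Largest permitted output amplitude (mV) at a table frequency."""
    ratio = attenuation_to_ratio(MIN_ATTENUATION_DB[freq_khz])
    return reference_volts * 1000.0 * ratio


def measured_attenuation_db(input_mv, output_mv):
    """Attenuation implied by an input/output amplitude pair."""
    if output_mv <= 0:
        return math.inf  # nothing measurable came through the filter
    return 20.0 * math.log10(input_mv / output_mv)


def check_profile(measured_mv, reference_volts=REFERENCE_VOLTS):
    """measured_mv: {freq_khz: output amplitude in mV at the peripheral
    interface} for a reference_volts tone injected at the computer interface.
    Returns {freq_khz: (verdict, attenuation_db)}; verdict is PASS, FAIL or
    MISSING. A table frequency that was not measured cannot be claimed."""
    results = {}
    input_mv = reference_volts * 1000.0
    for freq, minimum_db in MIN_ATTENUATION_DB.items():
        if freq not in measured_mv:
            results[freq] = ("MISSING", None)
            continue
        att = measured_attenuation_db(input_mv, measured_mv[freq])
        verdict = "PASS" if att >= minimum_db else "FAIL"
        results[freq] = (verdict, att if att == math.inf else round(att, 1))
    return results


def is_compliant(results):
    """True only when every table frequency was measured and passed."""
    return all(verdict == "PASS" for verdict, _ in results.values())


# Constructed sample measurements in mV (not real device data).
GOOD_PROFILE = {14: 120.0, 15: 90.0, 16: 50.0, 17: 30.0, 18: 20.0, 19: 12.0,
                20: 9.0, 30: 0.4, 40: 0.3, 50: 0.2, 60: 0.1}
# Same filter but leaking at 20 kHz, and the 30 kHz point was never measured.
WEAK_PROFILE = {f: v for f, v in GOOD_PROFILE.items() if f != 30}
WEAK_PROFILE[20] = 25.0

if __name__ == "__main__":
    for freq in sorted(MIN_ATTENUATION_DB):
        print(f"{freq:2d} kHz: max {max_voltage_mv(freq):8.2f} mV")
    print("good profile compliant:", is_compliant(check_profile(GOOD_PROFILE)))
    for freq, verdict in check_profile(WEAK_PROFILE).items():
        if verdict[0] != "PASS":
            print(f"{freq} kHz: {verdict}")
```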
Application Note: This SFR is originally defined in the Base-PP but is refined and iterated to apply to the video/display interfaces per section 5.1.2 of the Video/Display PP-Module.
FDP_CDS_EXT.1 Connected Displays Supported
FDP_CDS_EXT.1.1 The TSF shall support [one connected display for TOE models with KVS4-100XXX, multiple connected displays for all other TOE models] at a time.
Application Note: TOE models with ‘KVS4-200’ or ‘KVS4-400’ in the model name support multi-headed displays (i.e., multiple monitors on the same channel that are switched in tandem with all other peripherals). The KVS4-8004VPX model supports a single-head switchable display and a secondary preview screen monitor that functions as a combiner (and as such, multiple connected displays).
FDP_FIL_EXT.1/KM Device Filtering (Keyboard/Mouse)
FDP_FIL_EXT.1.1/KM The TSF shall have [fixed] device filtering for [keyboard, mouse] interfaces.
FDP_FIL_EXT.1.2/KM The TSF shall consider all [PSD KM] blacklisted devices as unauthorized devices for [keyboard, mouse] interfaces in peripheral device connections.
FDP_FIL_EXT.1.3/KM The TSF shall consider all [PSD KM] whitelisted devices as authorized devices for [keyboard, mouse] interfaces in peripheral device connections only if they are not on the [PSD KM] blacklist or otherwise unauthorized.
Application Note: The TSF enforces fixed device filtration on the keyboard/mouse interface by implicitly blacklisting all USB devices that are not keyboard or mouse devices.
FDP_FIL_EXT.1/UA Device Filtering (User Authentication Devices)
FDP_FIL_EXT.1.1/UA The TSF shall have [configurable] device filtering for [user authentication device] interfaces.
FDP_FIL_EXT.1.2/UA The TSF shall consider all [PSD UA] blacklisted devices as unauthorized devices for [user authentication device] interfaces in peripheral device connections.
FDP_FIL_EXT.1.3/UA The TSF shall consider all [PSD UA] whitelisted devices as authorized devices for [user authentication device] interfaces in peripheral device connections only if they are not on the [PSD UA] blacklist or otherwise unauthorized.
Application Note: By default, the TSF will implicitly blacklist all devices that are not standard smart card readers, PIV/CAC USB tokens, or biometric readers. When configurable device filtration is used, any device that is not explicitly allowed is implicitly blacklisted.
FDP_PDC_EXT.1 Peripheral Device Connection
FDP_PDC_EXT.1.1 The TSF shall reject connections with unauthorized devices upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.1.2 The TSF shall reject connections with devices presenting unauthorized interface protocols upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.1.3 The TOE shall have no external interfaces other than those claimed by the TSF.
FDP_PDC_EXT.1.4 The TOE shall not have wireless interfaces.
FDP_PDC_EXT.1.5 The TOE shall provide a visual or auditory indication to the User when a peripheral is rejected.
FDP_PDC_EXT.2/AO Peripheral Device Connection (Audio Output)
FDP_PDC_EXT.2.1/AO The TSF shall allow connections with authorized devices as defined in [Appendix E of the Analog Audio Output Devices Module] and [
• authorized devices and functions as defined in the PP-Module for Keyboard/Mouse Devices,
• authorized devices as defined in the PP-Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2.2/AO The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E of the Analog Audio Output Devices Module] and [
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Keyboard/Mouse Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2/KM Peripheral Device Connection (Keyboard/Mouse)
FDP_PDC_EXT.2.1/KM The TSF shall allow connections with authorized devices and functions as defined in [Appendix E of the Keyboard/Mouse Devices Module] and [
• authorized devices as defined in the PP-Module for Audio Output Devices,
• authorized devices as defined in the PP-Module for User Authentication Devices,
• authorized devices as defined in the PP-Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2.2/KM The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E of the Keyboard/Mouse Devices Module] and [
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Audio Output Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for User Authentication Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2/UA Peripheral Device Connection (User Authentication Devices)
FDP_PDC_EXT.2.1/UA The TSF shall allow connections with authorized devices as defined in [Appendix E of the User Authentication Devices Module] and [
• authorized devices as defined in the PP-Module for Audio Output Devices,
• authorized devices and functions as defined in the PP-Module for Keyboard/Mouse Devices,
• authorized devices as defined in the PP-Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2.2/UA The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E of the User Authentication Devices Module] and [
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Audio Output Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Keyboard/Mouse Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Video/Display Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2/VI Peripheral Device Connection (Video Output)
FDP_PDC_EXT.2.1/VI The TSF shall allow connections with authorized devices as defined in [Appendix E of the Video/Display Devices Module] and [
• authorized devices as defined in the PP-Module for Audio Output Devices,
• authorized devices and functions as defined in the PP-Module for Keyboard/Mouse Devices,
• authorized devices as defined in the PP-Module for User Authentication Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.2.2/VI The TSF shall allow connections with authorized devices presenting authorized interface protocols as defined in [Appendix E of the Video/Display Devices Module] and [
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Audio Output Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for Keyboard/Mouse Devices,
• authorized devices presenting authorized interface protocols as defined in the PP-Module for User Authentication Devices
] upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
FDP_PDC_EXT.3/KM Authorized Connection Protocols (Keyboard/Mouse)
FDP_PDC_EXT.3.1/KM The TSF shall have interfaces for the [USB (keyboard), USB (mouse)] protocols.
FDP_PDC_EXT.3.2/KM The TSF shall apply the following rules to the supported protocols: [the TSF shall emulate any keyboard or mouse device functions from the TOE to the connected computer].
FDP_PDC_EXT.4 Supported Authentication Device
FDP_PDC_EXT.4.1 The TSF shall have an [external] user authentication device.
FDP_PUD_EXT.1 Powering Unauthorized Devices
FDP_PUD_EXT.1.1 The TSF shall not provide power to any unauthorized device connected to the analog audio peripheral interface.
FDP_PWR_EXT.1 Powered By Computer
FDP_PWR_EXT.1.1 The TSF shall not be powered by a connected computer.
FDP_RIP.1/KM Residual Information Protection (Keyboard Data)
FDP_RIP.1.1/KM The TSF shall ensure that any keyboard data in volatile memory is purged upon switching computers.
FDP_RIP_EXT.1 Residual Information Protection
FDP_RIP_EXT.1.1 The TSF shall ensure that no user data is written to TOE non-volatile memory or storage.
FDP_RIP_EXT.2 Purge of Residual Information
FDP_RIP_EXT.2.1 The TOE shall have a purge memory or restore factory defaults function accessible to the administrator to delete all TOE stored configuration and settings except for logging.
FDP_SWI_EXT.1 PSD Switching
FDP_SWI_EXT.1.1 The TSF shall ensure that [switching can be initiated only through express user action].
FDP_SWI_EXT.2 PSD Switching Methods
FDP_SWI_EXT.2.1 The TSF shall ensure that no switching can be initiated through automatic port scanning, control through a connected computer, or control through keyboard shortcuts.
FDP_SWI_EXT.2.2 The TSF shall ensure that switching can be initiated only through express user action using [console buttons].
FDP_SWI_EXT.3 Tied Switching
FDP_SWI_EXT.3.1 The TSF shall ensure that [connected keyboard and mouse peripheral devices] are always switched together to the same connected computer.
FDP_TER_EXT.1 Session Termination
FDP_TER_EXT.1.1 The TSF shall terminate an open session upon removal of the authentication element.
FDP_TER_EXT.2 Session Termination of Removed Devices
FDP_TER_EXT.2.1 The TSF shall terminate an open session upon removal of the user authentication device.
FDP_TER_EXT.3 Session Termination upon Switching
FDP_TER_EXT.3.1 The TSF shall terminate an open session upon switching to a different computer.
FDP_TER_EXT.3.2 The TSF shall reset the power to the user authentication device for at least one second upon switching to a different computer.
FDP_UAI_EXT.1 User Authentication Isolation
FDP_UAI_EXT.1.1 The TSF shall isolate the user authentication function from all other TOE USB functions.
FDP_UDF_EXT.1/AO Unidirectional Data Flow (Audio Output)
FDP_UDF_EXT.1.1/AO The TSF shall ensure [analog audio output data] transits the TOE unidirectionally from [the TOE analog audio output computer] interface to [the TOE analog audio output peripheral] interface.
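The switching and session-termination SFRs above (FDP_SWI_EXT.1/.2/.3, FDP_RIP.1/KM, FDP_TER_EXT.1/.2/.3, and the indications of FTA_CIN_EXT.1) interact on every port change, so it helps to see them as one executable state model. The following is an added illustration written for this ST, not Black Box firmware and not the PP-Module test procedures: the port count, event names and the reader reset timer (simulated time, not measured) are assumptions.

```python
"""Executable model of the claimed switching and session rules:
FDP_SWI_EXT.1/.2/.3 (switching only by console button, keyboard and mouse
tied), FDP_RIP.1/KM (purge keyboard data on switch), FDP_TER_EXT.1/.2/.3
(session termination, reader power reset) and FTA_CIN_EXT.1 (indications).
Added illustration for this ST, not Black Box firmware or PP test code."""
from dataclasses import dataclass, field

READER_RESET_SECONDS = 1.0   # FDP_TER_EXT.3.2: reader power off for >= 1 s


@dataclass
class SecureKvmModel:
    ports: int                       # number of connected computers (assumed)
    selected: int = 1                # currently selected computer
    clock: float = 0.0               # simulated seconds
    keyboard_buffer: list = field(default_factory=list)  # volatile KM data
    reader_present: bool = True      # user authentication device plugged in
    card_present: bool = False       # authentication element (CAC) inserted
    session_open: bool = False       # open session with the selected computer
    reader_power_off_until: float = 0.0
    log: list = field(default_factory=list)   # audit trail, FAU_GEN.1 style

    # -- input paths that must never cause a switch (FDP_SWI_EXT.2.1) --
    def keyboard_report(self, keys):
        """Keystrokes, even a chord a non-secure KVM would treat as a hotkey,
        are only buffered as data for the currently selected computer."""
        self.keyboard_buffer.append((self.selected, tuple(keys)))
        return self.selected

    def computer_request(self, from_port, wanted_port):
        """A connected computer asking for a port change is ignored."""
        self.log.append(f"ignored switch request from computer {from_port} "
                        f"for port {wanted_port}")
        return self.selected

    # -- the only authorized path: express user action on a console button --
    def console_button(self, port):
        if not 1 <= port <= self.ports:
            raise ValueError(f"no such port: {port}")
        if port == self.selected:
            return self.selected
        self._terminate_session(f"switched away from computer {self.selected}")
        self.keyboard_buffer.clear()                       # FDP_RIP.1/KM
        self.reader_power_off_until = self.clock + READER_RESET_SECONDS
        # keyboard, mouse, video, audio and the reader all move together
        self.selected = port                               # FDP_SWI_EXT.3
        self.log.append(f"switched to computer {port}")
        return self.selected

    # -- user authentication device behaviour --
    def reader_powered(self):
        return self.reader_present and self.clock >= self.reader_power_off_until

    def insert_card(self):
        """A session opens only while the reader is present and powered."""
        if self.reader_powered():
            self.card_present = True
            self.session_open = True
            self.log.append(f"session opened with computer {self.selected}")
        return self.session_open

    def remove_card(self):                   # FDP_TER_EXT.1
        self.card_present = False
        self._terminate_session("authentication element removed")

    def unplug_reader(self):                 # FDP_TER_EXT.2
        self.reader_present = False
        self.card_present = False
        self._terminate_session("authentication device removed")

    def advance(self, seconds):
        self.clock += seconds

    def _terminate_session(self, reason):    # FDP_TER_EXT.3.1 and related
        if self.session_open:
            self.session_open = False
            self.log.append(f"session terminated: {reason}")

    # -- indications (FTA_CIN_EXT.1.3): panel and button never disagree --
    def indications(self):
        return {"panel": self.selected, "button_backlight": self.selected}


if __name__ == "__main__":
    kvm = SecureKvmModel(ports=4)
    kvm.insert_card()
    kvm.keyboard_report(["LCtrl", "LCtrl", "2"])   # stays on computer 1
    kvm.computer_request(1, 2)                     # stays on computer 1
    kvm.console_button(2)                          # the only way to switch
    print("\n".join(kvm.log))
```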
FDP_UDF_EXT.1/KM Unidirectional Data Flow (Keyboard/Mouse)
FDP_UDF_EXT.1.1/KM The TSF shall ensure [keyboard, mouse] data transits the TOE unidirectionally from the [TOE [keyboard, mouse]] peripheral interface(s) to the [TOE [keyboard, mouse]] interface.
FDP_UDF_EXT.1/VI Unidirectional Data Flow (Video Output)
FDP_UDF_EXT.1.1/VI The TSF shall ensure [video] data transits the TOE unidirectionally from the [TOE computer video] interface to the [TOE peripheral device display] interface.

4.1.4 Class FIA: Identification and Authentication
FIA_UAU.2 User Authentication before Any Action
FIA_UAU.2.1 The TSF shall require each administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that administrator.
FIA_UID.2 User Identification before Any Action
FIA_UID.2.1 The TSF shall require each administrator to be successfully identified before allowing any other TSF-mediated actions on behalf of that administrator.

4.1.5 Class FMT: Security Management
FMT_MOF.1 Management of Security Functions Behavior
FMT_MOF.1.1 The TSF shall restrict the ability to [modify the behavior of] the functions [user/administrator authentication, configurable CAC device filtering, dump log, restore factory default, terminate session] to [the authorized administrators].
Application Note: The TSF defines a lesser-privileged user role in addition to the administrator role mandated by the claimed PP. Refer to Table 16 for the functions available to each role.
FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TOE shall be capable of performing the following management functions: [change user access credential, change administrator access credential, view registered CAC device, register new CAC device, dump log, restore factory default, terminate session].
FMT_SMR.1 Security Roles
FMT_SMR.1.1 The TSF shall maintain the roles [administrators, users].
Application Note: The TSF defines a lesser-privileged user role in addition to the administrator role mandated by the claimed PP. Refer to Table 16 for the functions available to each role.
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

4.1.6 Class FPT: Protection of the TSF
FPT_FLS_EXT.1 Failure with Preservation of Secure State
FPT_FLS_EXT.1.1 The TSF shall preserve a secure state when the following types of failures occur: failure of the power-on self-test and [failure of the anti-tamper function].
FPT_NTA_EXT.1 No Access to TOE
FPT_NTA_EXT.1.1 TOE firmware, software, and memory shall not be accessible via the TOE’s external ports, with the following exceptions: [the Extended Display Identification Data (EDID) memory of Video TOEs may be accessible from connected computers; the configuration data, settings, and logging data that may be accessible by authorized administrators].
FPT_PHP.1 Passive Detection of Physical Attack
FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF.
FPT_PHP.1.2 The TSF shall provide the capability to determine whether physical tampering with the TSF’s devices or TSF’s elements has occurred.
FPT_PHP.3 Resistance to Physical Attack [2]
FPT_PHP.3.1 The TSF shall resist [a physical attack for the purpose of gaining access to the internal components, to damage the anti-tamper battery, to drain or exhaust the anti-tamper battery] to the [TOE enclosure and any remote controllers] by the attacked component becoming permanently disabled.
Application Note: This SFR is modified per NIAP TD0583 to include reference to remote controllers. This modification is not applicable to the TOE because it does not have any remote controllers.
FPT_STM.1 Reliable Time Stamps
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
FPT_TST.1 TSF Testing
FPT_TST.1.1 The TSF shall run a suite of self-tests [during initial start-up and at the conditions [upon reset button activation]] to demonstrate the correct operation of [user control functions and [active anti-tamper functionality]].
FPT_TST.1.2 The TSF shall provide authorized users with the capability to verify the integrity of [TSF data].
[2] (footnote to FPT_PHP.3) As modified by NIAP TD0583
FPT_TST.1.3 The TSF shall provide authorized users with the capability to verify the integrity of the [TSF].
FPT_TST_EXT.1 TSF Testing
FPT_TST_EXT.1.1 The TSF shall respond to a self-test failure by providing users with a [visual] indication of failure and by shutdown of normal TSF functions.

4.1.7 Class FTA: TOE Access
FTA_CIN_EXT.1 Continuous Indications
FTA_CIN_EXT.1.1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered.
FTA_CIN_EXT.1.2 The TSF shall implement the visible indication using the following mechanism: easily visible graphical and/or textual markings of each source video on the display, [a button, a panel with lights].
Application Note: The refined text is added per the Video/Display Devices Module.
Application Note: The selected computer is indicated with a panel with lights that corresponds to the computer selection buttons. The CAC port can be enabled/disabled for a particular computer. If it is enabled, the push button for the selected computer will also have an illuminated backlight. For preview screen models, the active channel of the secondary preview monitor is indicated by an OSD overlay depicting the current active channel(s), while the primary monitor is switched with the other peripherals and indicated via the chassis light panel.
FTA_CIN_EXT.1.3 The TSF shall ensure that while the TOE is powered the current switching status is reflected by [multiple indicators which never display conflicting information].
Application Note: As indicated in FTA_CIN_EXT.1.2, the TOE has a light panel that shows the selected computer and, if the CAC port for the computer is enabled, the selection button for the selected computer is also illuminated. There is no situation in which one computer will be indicated with the light panel and a different computer will be indicated with the selection button.

4.2 TOE Security Functional Requirements (V models)
In addition to the SFRs applicable to all products covered by this ST, the following SFRs are claimed by the TOE models that have ‘V’ in the model name. In this case, the applicable TOE models are as follows:
• KVS4-2002VX
• KVS4-2004VX
• KVS4-4004VX
• KVS4-1008VX
• KVS4-2008VX

4.2.1 Overview
The TOE includes models with different physical interfaces for different supported video protocols. All TOE models independently satisfy the mandatory requirements of the Video/Display Module. However, the specific selections chosen for the mandatory requirements and the applicability of selection-based requirements each depend on the supported protocol. The requirements in this section are those that are applicable to the TOE models that support only DisplayPort. As these models are identified with ‘V’ in the model name, the applicable SFRs are iterated with ‘(V)’ to clearly associate these requirements with the relevant models.
SFR ID | Name | Source
FDP_IPC_EXT.1(V) | Internal Protocol Conversion (V Models) | Video/Display Module (selection-based)
FDP_PDC_EXT.3/VI(V) | Authorized Connection Protocols (Video Output) (V Models) | Video/Display Module (mandatory)
FDP_SPR_EXT.1/DP(V) | Sub-Protocol Rules (DisplayPort Protocol) (V Models) | Video/Display Module (selection-based)
Table 26 – TOE SFR Overview (V models)

4.2.2 Class FDP: User Data Protection
FDP_IPC_EXT.1(V) Internal Protocol Conversion (V Models) [3]
[3] As modified by NIAP TD0586
FDP_IPC_EXT.1.1(V) The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.
FDP_IPC_EXT.1.2(V) The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol].
FDP_PDC_EXT.3/VI(V) Authorized Connection Protocols (Video Output) (V Models)
FDP_PDC_EXT.3.1/VI(V) The TSF shall have interfaces for the [DisplayPort] protocols.
FDP_PDC_EXT.3.2/VI(V) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].
FDP_SPR_EXT.1/DP(V) Sub-Protocol Rules (DisplayPort Protocol) (V Models)
FDP_SPR_EXT.1.1/DP(V) The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

4.3 TOE Security Functional Requirements (D models)
In addition to the SFRs applicable to all products covered by this ST, the following SFRs are claimed by the TOE models that have ‘D’ in the model name.
In this case, the applicable TOE models are as follows:
• KVS4-2004DX
• KVS4-1008DX
• KVS4-2008DX

4.3.1 Overview
The TOE includes models with different physical interfaces for different supported video protocols. All TOE models independently satisfy the mandatory requirements of the Video/Display Module. However, the specific selections chosen for the mandatory requirements and the applicability of selection-based requirements each depend on the supported protocol. The requirements in this section are those that are applicable to the TOE models that support only DVI-I. As these models are identified with ‘D’ in the model name, the applicable SFRs are iterated with ‘(D)’ to clearly associate these requirements with the relevant models.

SFR ID | Name | Source
FDP_PDC_EXT.3/VI(D) | Authorized Connection Protocols (Video Output) (D Models) | Video/Display Module (mandatory)
FDP_SPR_EXT.1/DVI-I(D) | Sub-Protocol Rules (DVI-I Protocol) (D Models) | Video/Display Module (selection-based)
Table 27 – TOE SFR Overview (D models)

4.3.2 Class FDP: User Data Protection
FDP_PDC_EXT.3/VI(D) Authorized Connection Protocols (Video Output) (D Models)
FDP_PDC_EXT.3.1/VI(D) The TSF shall have interfaces for the [DVI-I] protocols.
FDP_PDC_EXT.3.2/VI(D) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].
FDP_SPR_EXT.1/DVI-I(D) Sub-Protocol Rules (DVI-I Protocol) (D Models)
FDP_SPR_EXT.1.1/DVI-I(D) The TSF shall apply the following rules for the [DVI-I] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].
4.4 TOE Security Functional Requirements (HV models)

In addition to the SFRs applicable to all products covered by this ST, the following SFRs are claimed by the TOE models that have ‘HV’ in the model name. In this case, the applicable TOE models are as follows:
• KVS4-1002HVX
• KVS4-2002HVX
• KVS4-1004HVX
• KVS4-2004HVX

4.4.1 Overview

The TOE includes models with different physical interfaces for different supported video protocols. All TOE models independently satisfy the mandatory requirements of the Video/Display Module. However, the specific selections chosen for the mandatory requirements and the applicability of selection-based requirements each depend on the supported protocol. The requirements in this section are those that are applicable to the TOE models that support both DisplayPort and HDMI interchangeably. As these models are identified with ‘HV’ in the model name, the applicable SFRs are iterated with ‘(HV)’ to clearly associate these requirements with the relevant model.

SFR ID | Name | Source
FDP_IPC_EXT.1(HV) | Internal Protocol Conversion (HV Models) | Video/Display Module (selection-based)
FDP_PDC_EXT.3/VI(HV) | Authorized Connection Protocols (Video Output) (HV Models) | Video/Display Module (mandatory)
FDP_SPR_EXT.1/DP(HV) | Sub-Protocol Rules (DisplayPort Protocol) (HV Models) | Video/Display Module (selection-based)
FDP_SPR_EXT.1/HDMI(HV) | Sub-Protocol Rules (HDMI Protocol) (HV Models) | Video/Display Module (selection-based)
Table 28 – TOE SFR Overview (HV models)

4.4.2 Class FDP: User Data Protection

FDP_IPC_EXT.1(HV) Internal Protocol Conversion (HV Models) [4]
FDP_IPC_EXT.1.1(HV) The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.
FDP_IPC_EXT.1.2(HV) The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol, [HDMI] protocol].
FDP_PDC_EXT.3/VI(HV) Authorized Connection Protocols (Video Output) (HV Models)
FDP_PDC_EXT.3.1/VI(HV) The TSF shall have interfaces for the [HDMI, DisplayPort] protocols.
FDP_PDC_EXT.3.2/VI(HV) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].

FDP_SPR_EXT.1/DP(HV) Sub-Protocol Rules (DisplayPort Protocol) (HV Models)
FDP_SPR_EXT.1.1/DP(HV) The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

[4] As modified by NIAP TD0586

FDP_SPR_EXT.1/HDMI(HV) Sub-Protocol Rules (HDMI Protocol) (HV Models)
FDP_SPR_EXT.1.1/HDMI(HV) The TSF shall apply the following rules for the [HDMI] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

4.5 TOE Security Functional Requirements (DHV models)

In addition to the SFRs applicable to all products covered by this ST, the following SFRs are claimed by the TOE models that have ‘DHV’ in the model name. In this case, KVS4-4004DHVX is the only applicable TOE model.

4.5.1 Overview

The TOE includes models with different physical interfaces for different supported video protocols. All TOE models independently satisfy the mandatory requirements of the Video/Display Module. However, the specific selections chosen for the mandatory requirements and the applicability of selection-based requirements each depend on the supported protocol.
The requirements in this section are those that are applicable to the TOE models that support a quad-head configuration with two DisplayPort interfaces, one DVI-I interface, and one HDMI interface. As these models are identified with ‘DHV’ in the model name, the applicable SFRs are iterated with ‘(DHV)’ to clearly associate these requirements with the relevant models.

SFR ID | Name | Source
FDP_IPC_EXT.1(DHV) | Internal Protocol Conversion (DHV Models) | Video/Display Module (selection-based)
FDP_PDC_EXT.3/VI(DHV) | Authorized Connection Protocols (Video Output) (DHV Models) | Video/Display Module (mandatory)
FDP_SPR_EXT.1/DVI-I(DHV) | Sub-Protocol Rules (DVI-I Protocol) (DHV Models) | Video/Display Module (selection-based)
FDP_SPR_EXT.1/DP(DHV) | Sub-Protocol Rules (DisplayPort Protocol) (DHV Models) | Video/Display Module (selection-based)
FDP_SPR_EXT.1/HDMI(DHV) | Sub-Protocol Rules (HDMI Protocol) (DHV Models) | Video/Display Module (selection-based)
Table 29 – TOE SFR Overview (DHV models)

4.5.2 Class FDP: User Data Protection

FDP_IPC_EXT.1(DHV) Internal Protocol Conversion (DHV Models) [5]
FDP_IPC_EXT.1.1(DHV) The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.
FDP_IPC_EXT.1.2(DHV) The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol].

FDP_PDC_EXT.3/VI(DHV) Authorized Connection Protocols (Video Output) (DHV Models)
FDP_PDC_EXT.3.1/VI(DHV) The TSF shall have interfaces for the [DVI-I, HDMI, DisplayPort] protocols.
FDP_PDC_EXT.3.2/VI(DHV) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].
FDP_SPR_EXT.1/DP(DHV) Sub-Protocol Rules (DisplayPort Protocol) (DHV Models)
FDP_SPR_EXT.1.1/DP(DHV) The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

[5] As modified by NIAP TD0586

FDP_SPR_EXT.1/DVI-I(DHV) Sub-Protocol Rules (DVI-I Protocol) (DHV Models)
FDP_SPR_EXT.1.1/DVI-I(DHV) The TSF shall apply the following rules for the [DVI-I] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

FDP_SPR_EXT.1/HDMI(DHV) Sub-Protocol Rules (HDMI Protocol) (DHV Models)
FDP_SPR_EXT.1.1/HDMI(DHV) The TSF shall apply the following rules for the [HDMI] protocol:
• block the following video/display sub-protocols:
  o [ARC,
  o CEC,
  o EDID from computer to display,
  o HDCP,
  o HEAC,
  o HEC,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer].

4.6 TOE Security Functional Requirements (VM models)

In addition to the SFRs applicable to all products covered by this ST, the following SFRs are claimed by the TOE models that have ‘VM’ in the model name. In this case, the applicable TOE models are as follows:
• KVS4-1002VMX
• KVS4-1004VMX
• KVS4-2004VMX

4.6.1 Overview

The TOE includes models with different physical interfaces for different supported video protocols. All TOE models independently satisfy the mandatory requirements of the Video/Display Module.
However, the specific selections chosen for the mandatory requirements and the applicability of selection-based requirements each depend on the supported protocol. The requirements in this section are those that are applicable to the TOE models that support DisplayPort Multi-Stream Transport (DPMST) to convert a single DisplayPort feed to two separate HDMI outputs. As these models are identified with ‘VM’ in the model name, the applicable SFRs are iterated with ‘(VM)’ to clearly associate these requirements with the relevant models.

SFR ID | Name | Source
FDP_IPC_EXT.1(VM) | Internal Protocol Conversion (VM Models) | Video/Display Module (selection-based)
FDP_PDC_EXT.3/VI(VM) | Authorized Connection Protocols (Video Output) (VM Models) | Video/Display Module (mandatory)
FDP_SPR_EXT.1/DP(VM) | Sub-Protocol Rules (DisplayPort Protocol) (VM Models) | Video/Display Module (selection-based)
Table 30 – TOE SFR Overview (VM models)

4.6.2 Class FDP: User Data Protection

FDP_IPC_EXT.1(VM) Internal Protocol Conversion (VM Models) [6]
FDP_IPC_EXT.1.1(VM) The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.
FDP_IPC_EXT.1.2(VM) The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[HDMI] protocol].

FDP_PDC_EXT.3/VI(VM) Authorized Connection Protocols (Video Output) (VM Models)
FDP_PDC_EXT.3.1/VI(VM) The TSF shall have interfaces for the [DisplayPort] protocols.
FDP_PDC_EXT.3.2/VI(VM) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].
FDP_SPR_EXT.1/DP(VM) Sub-Protocol Rules (DisplayPort Protocol) (VM Models)
FDP_SPR_EXT.1.1/DP(VM) The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

[6] As modified by NIAP TD0586

4.7 TOE Security Functional Requirements (VP models)

In addition to the SFRs applicable to all products covered by this ST, the following SFRs are claimed by the TOE models that have ‘VP’ in the model name. In this case, KVS4-8004VPX is the only applicable TOE model.

4.7.1 Overview

The TOE includes models with different physical interfaces for different supported video protocols. All TOE models independently satisfy the mandatory requirements of the Video/Display Module. However, the specific selections chosen for the mandatory requirements and the applicability of selection-based requirements each depend on the supported protocol. The requirements in this section are those that are applicable to the TOE models that support DisplayPort but also have “multi-viewer” functionality that allows for a secondary display to show one or more video channels that are not necessarily the same channel as the other active console peripherals. As these models are identified with ‘VP’ in the model name, the applicable SFRs are iterated with ‘(VP)’ to clearly associate these requirements with the relevant model.
SFR ID | Name | Source
FDP_IPC_EXT.1(VP) | Internal Protocol Conversion (VP Models) | Video/Display Module (selection-based)
FDP_PDC_EXT.3/VI(VP) | Authorized Connection Protocols (Video Output) (VP Models) | Video/Display Module (mandatory)
FDP_SPR_EXT.1/DP(VP) | Sub-Protocol Rules (DisplayPort Protocol) (VP Models) | Video/Display Module (selection-based)
Table 31 – TOE SFR Overview (VP models)

4.7.2 Class FDP: User Data Protection

FDP_IPC_EXT.1(VP) Internal Protocol Conversion (VP Models) [7]
FDP_IPC_EXT.1.1(VP) The TSF shall convert the [DisplayPort] protocol at the [DisplayPort computer video interface] into the [HDMI] protocol within the TOE.
FDP_IPC_EXT.1.2(VP) The TSF shall output the [HDMI] protocol from inside the TOE to [peripheral display interface(s)] as [[DisplayPort] protocol].

[7] As modified by NIAP TD0586

FDP_PDC_EXT.3/VI(VP) Authorized Connection Protocols (Video Output) (VP Models)
FDP_PDC_EXT.3.1/VI(VP) The TSF shall have interfaces for the [DisplayPort] protocols.
FDP_PDC_EXT.3.2/VI(VP) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power-on or reboot].

FDP_SPR_EXT.1/DP(VP) Sub-Protocol Rules (DisplayPort Protocol) (VP Models)
FDP_SPR_EXT.1.1/DP(VP) The TSF shall apply the following rules for the [DisplayPort] protocol:
• block the following video/display sub-protocols:
  o [CEC,
  o EDID from computer to display,
  o HDCP,
  o MCCS]
• allow the following video/display sub-protocols:
  o [EDID from display to computer,
  o HPD from display to computer,
  o Link Training].

4.8 Rationale for TOE Security Requirement Dependencies

The TOE claims all SFRs from the claimed PP and all claimed PP-Modules with the following exceptions:
- FDP_RDR_EXT.1 (from Keyboard/Mouse Module) – this is an optional SFR that the TSF does not claim to address.
- FDP_SPR_EXT.1/DVI-D (from Video/Display Devices Module) – this is a selection-based SFR that is only claimed if “DVI-D” is selected in FDP_PDC_EXT.3.1/VI. Because this selection is not made, the SFR is appropriately omitted.
- FDP_SPR_EXT.1/USB (from Video/Display Devices Module) – this is a selection-based SFR that is only claimed if “USB Type-C with DisplayPort as alternate function” is selected in FDP_PDC_EXT.3.1/VI. Because this selection is not made, the SFR is appropriately omitted.
- FDP_SPR_EXT.1/VGA (from Video/Display Devices Module) – this is a selection-based SFR that is only claimed if “VGA” is selected in FDP_PDC_EXT.3.1/VI. Because this selection is not made, the SFR is appropriately omitted.

In all cases, the omitted SFRs have been excluded from the TSF because they refer to conditional functionality where the TOE did not satisfy the required condition or to optional functionality that may be excluded at the TOE developer’s discretion.

4.9 TOE Security Assurance Requirements

The table below defines the SARs claimed by the TOE. These are the same SARs that are required by the claimed PP-Configuration.

Assurance Class | Assurance Component ID | Assurance Components Description
Development | ADV_FSP.1 | Basic Functional Specification
Guidance Documents | AGD_OPE.1 | Operational User Guidance
Guidance Documents | AGD_PRE.1 | Preparative Procedures
Life Cycle Support | ALC_CMC.1 | Labeling of the TOE
Life Cycle Support | ALC_CMS.1 | TOE CM coverage
Tests | ATE_IND.1 | Independent Testing – Conformance
Vulnerability Assessment | AVA_VAN.1 | Vulnerability Survey
Table 32 – TOE Security Assurance Requirements

5 Conformance Claims

The following section describes the ST Conformance Claims.
5.1 CC Conformance Claims

This ST is compliant with the following CC documents:
• [CC1] - Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, CCMB-2012-09-001, Version 3.1 Revision 5, April 2017.
• [CC2] - Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components, CCMB-2012-09-002, Version 3.1 Revision 5, April 2017.
• [CC3] - Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, CCMB-2012-09-003, Version 3.1 Revision 5, April 2017.
• [CEM] - Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, CCMB-2012-09-004, Version 3.1, Revision 5, April 2017.
• [Addenda] - CC and CEM addenda – Exact Conformance, Selection-Based SFRs, Optional SFRs, Version 0.5, May 2017.

This ST is CC Part 2 extended and CC Part 3 conformant.

5.2 PP Conformance Claims

This ST claims exact conformance to the PP-Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, User Authentication Devices, and Video/Display Devices, Version 1.0 and the following technical decisions:
1. TD0506 - Missing Steps to disconnect and reconnect display, published date 02/28/2020
2. TD0507 - Clarification on USB plug type, published date 03/03/2020
3. TD0514 - Correction to MOD_VI FDP_APC_EXT.1 Test 3 Step 6, published date 05/18/2020
4. TD0518 - Typographical error in Dependency Table, published date 06/15/2020
5. TD0539 - Incorrect selection trigger in FTA_CIN_EXT.1 in MOD_VI_V1.0, published date 07/11/2020
6. TD0557 - Correction to Audio Filtration Specification Table in FDP_AFL_EXT.1, published date 12/08/2020
7. TD0583 - FPT_PHP.3 modified for PSD remote controllers, published date 05/12/2021
8. TD0584 - Update to FDP_APC_EXT.1 Video Tests, published date 04/29/2021
9. TD0585 - Update to FDP_APC_EXT.1 Audio Output Tests, published date 04/29/2021
10. TD0586 - DisplayPort and HDMI Interfaces in FDP_IPC_EXT.1, published date 05/11/2021
11. TD0593 - Equivalency Arguments for PSD, published date 06/03/2021

5.3 ST Conformance Requirements

This Security Target is in exact conformance with the PP. That is, the ST meets all the assurance requirements as defined by section D.2 of CC Part 1. The mandatory requirements of the PP and all PP-Modules contained within the PP-Configuration are met. The ST is an instantiation of the claimed PP-Configuration. Additionally, optional requirements from these materials are claimed as needed and selection-based requirements are claimed where required. The ST does not omit any mandatory requirements, nor does it define or claim any requirements that are not defined in any of the components of the claimed PP-Configuration. This ST meets all assurance requirements defined in the PP-Configuration.

6 TOE Summary Specification

This section summarizes the security functions of the TOE and the subsequent Assurance Measures taken to ensure their proper implementation. See Table 24 in Section 4 for the entire list of SFRs that address the security objectives for this TOE. These objectives will be broken down in the subsequent sections for further detail.
6.1 TOE External Interfaces Security Functions

[O.NO_OTHER_EXTERNAL_INTERFACES]: FDP_PDC_EXT.1
[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1
[O.REJECT_UNAUTHORIZED_ENDPOINTS]: FDP_PDC_EXT.1

The TOE only supports AC/DC power, USB keyboard and mouse, user authentication devices, and video, which includes one or more of the following depending on TOE model:
• DVI-I in/DVI-I out
• DP 1.2 in/DP 1.2 out
• HDMI 1.4 in/HDMI 1.4 out
• HDMI 1.4 or DP 1.2 in/HDMI 1.4 or DP 1.2 out (interchangeable DP/HDMI ports)
• DP 1.2 in/HDMI 1.4 out

By default, the user authentication device filter allows only a standard smart-card reader, USB 1.1/2.0 token, or biometric reader; once a user or administrator registers a new CAC device, the TOE also supports that registered device. All other peripheral types are rejected, either physically (because the TOE does not support the required physical interface) or logically (because the TOE does not recognize the connected peripheral as authorized).

6.2 TOE Administration, User Control, and Monitoring Security Functions

[O.AUTHORIZED_USAGE]: FAU_GEN.1, FDP_SWI_EXT.1, FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FTA_CIN_EXT.1

Each TOE is equipped with an Administration and Security Management Tool that is started by running an executable file on a connected computer, using a keyboard connected to that computer via the TOE. The tool requires the administrator or a user to be successfully identified and authenticated by name and password before any supported feature can be accessed. The TOE has a menu-driven interface in which the user or administrator can initiate the supported functions. The supported features are described below; Table 16 above notes the differences in access between the administrator and user accounts.
• Change User Access Credentials
  o Updates the username and password for the “user” account
• Change Admin Access Credentials
  o Updates the username and password for the “admin” account
• View Registered CAC Device
  o Displays the name, manufacturer, Product ID, and Vendor ID of the currently registered CAC device
• Register New CAC Device
  o Updates the currently registered CAC device
• Dump Log
  o Prints out the last 100 logs the TOE recorded
• Restore Factory Default
  o Resets the user credentials, administrator credentials, and registered CAC device to default settings
• Terminate Session
  o Ends the current administrative tool session

The TOE is shipped with default credentials for the administrator and user account; these should be changed on first use as part of the initial setup process. Successful and failed authentication attempts are logged, as are logouts. The TOE does not enforce any failure limitations (e.g. lockout after a certain number of successive failures). If an administrator has lost their username and/or password, they must contact the manufacturer for assistance.

The administrator/user account passwords as well as the names of the accounts themselves can both be changed. The restrictions for each are as follows:
• Minimum 4 characters
• Maximum 8 characters
• All letters (upper and lower case), numbers, and the following special characters are allowed: ! @ # $ % ^ & * ( ) _ + - = " ? /
• The following special characters are not allowed: ~ ` { } | [ ] \ : ; ' < > , .
• Any other character not specified above is not allowed.
• Space and Tab are not allowed.

All usage of the TOE requires authentication to the Administration and Security Management Tool except for switching. All TOE models can be switched using push-buttons on the TOE chassis.
There are no switching mechanisms that can be engaged using automatic port scanning, control through a connected computer, or control through keyboard shortcuts. The console buttons are the only available switching mechanisms.

For the Preview Screen model, the TOE has two displays: a primary display that is always switched in tandem with the other peripherals, and a secondary preview display that can be separately controlled through additional chassis buttons that are only present on this model. These buttons control the secondary multi-viewer output in the following manner:
• Pressing the fifth button displays the first channel in full screen on the secondary display; pressing it multiple times toggles through the channels on the secondary display in full-screen mode.
• Pressing the sixth button displays a picture-in-picture image on the secondary display: the last channel that was used in full-screen mode becomes the main picture and the next available channel becomes the smaller secondary picture. Pressing the sixth button multiple times only toggles the secondary picture to the next available channel.
• Pressing the seventh button changes the preview display to T-Quad mode, in which there is one larger main picture and the remaining three images are smaller secondary images displayed on the right side of the display. Pressing the seventh button multiple times only toggles the main picture to the next channel.
• Pressing the eighth button changes the preview display to QuadQ mode. Pressing the eighth button several times does not change anything, as there is only one orientation for QuadQ mode.

The TOE has a non-volatile memory event log which records all abnormal security events that occur within TOE operation.
This log can be accessed by the identified and authorized administrator and dumped into a .txt file using a connected computer and a program. If the TOE anti-tampering state has been triggered, the access log can only be retrieved by de-soldering the memory IC from the internal circuitry and extracting its contents using low-level factory tools (the TOE is permanently disabled). The following events are logged in sequential order with a time/date stamp and Pass/Fail status:

Code | Event
ALO | Administrator Log On
ALF | Administrator Log Off
ARM | Arming A/T System
CAC | CAC Configuration
EDL | EDID Learn
LGD | LOG Dump
PWU | Power Up
PWD | Power Down
RCA | Rejected CAC Device
AFD | Restore Factory Default
RKM | Rejected Keyboard or Mouse
STS | Self-Test
TMP | Device Tampered, Review by MFR only
ULO | User Log On
ULF | User Log Off

The TOE can store up to 100 events. When the allocated memory is fully used, new events are recorded over the oldest events (first in, first out). The TOE includes an internal system clock function that is used for the time stamps of audit records. The TOE’s clock is set at manufacture time and is set to Pacific Standard Time (GMT -8) by default.

The TOE indicates the selected channel using a panel of LEDs located directly above the channel selection buttons for the connected computers. When the user presses a channel selection button, the corresponding LED lights up to indicate the selected computer. The channel selection buttons are also backlit. When the backlight is on, the CAC port is active. The user may disable the CAC port for a particular channel by pressing and holding the channel selection button until the backlight has turned off. This can only be used to enable/disable the CAC port for the active computer; it is not possible for one computer to be active (as indicated by the LED panel) while the CAC port is active on a different computer (as indicated by the backlight of a different channel selection button).
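As an added illustration (not Black Box's code and not part of the ST) of the event log just described, the following Python models the 100-event first-in-first-out log, parses a dumped log, and flags the entries a reviewer of the dump would act on: TMP, rejected devices, self-test failures, and runs of failed logons, which matter because the TOE enforces no lockout. The dump line layout, the review threshold and the sample lines are constructed assumptions; the ST does not specify the .txt format.

```python
"""Model of the TOE event log in section 6.2: a 100-entry first-in-first-out log of
time-stamped Pass/Fail events keyed by the ST's three-letter codes, plus a parser and
triage pass.  Added illustration, not Black Box code; the dump layout is an assumption."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
from typing import Iterable, List, Tuple

EVENT_CODES = {  # exactly as listed in the ST
    "ALO": "Administrator Log On", "ALF": "Administrator Log Off", "ARM": "Arming A/T System",
    "CAC": "CAC Configuration", "EDL": "EDID Learn", "LGD": "LOG Dump",
    "PWU": "Power Up", "PWD": "Power Down", "RCA": "Rejected CAC Device",
    "AFD": "Restore Factory Default", "RKM": "Rejected Keyboard or Mouse", "STS": "Self-Test",
    "TMP": "Device Tampered, Review by MFR only", "ULO": "User Log On", "ULF": "User Log Off",
}
LOG_CAPACITY = 100            # ST: up to 100 events, oldest overwritten first
FAILED_LOGON_THRESHOLD = 3    # assumption: review threshold, since the TOE has no lockout
TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]{3}) (Pass|Fail)$")


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    code: str
    status: str  # "Pass" or "Fail"


class EventLog:
    """Non-volatile event log: once 100 entries are stored, each new entry evicts the oldest."""

    def __init__(self) -> None:
        self._events: deque = deque(maxlen=LOG_CAPACITY)

    def record(self, code: str, status: str, when: datetime) -> None:
        if code not in EVENT_CODES or status not in ("Pass", "Fail"):
            raise ValueError(f"invalid event {code!r} {status!r}")
        self._events.append(Event(when, code, status))

    def dump(self) -> str:
        """Render the log as the administrator's 'Dump Log' .txt output (assumed layout)."""
        return "\n".join(f"{e.timestamp:{TS_FMT}} {e.code} {e.status}" for e in self._events)


def build_log(entries: Iterable[Tuple[str, str]], start: datetime = datetime(2021, 11, 3, 8, 0, 0)) -> EventLog:
    """Record (code, status) pairs one second apart, starting at `start`."""
    log = EventLog()
    for i, (code, status) in enumerate(entries):
        log.record(code, status, start + timedelta(seconds=i))
    return log


def parse_dump(text: str) -> List[Event]:
    """Parse a dump; a malformed or unknown line is rejected, since that is itself suspicious."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) not in EVENT_CODES:
            raise ValueError(f"line {lineno}: unrecognised log entry {line!r}")
        events.append(Event(datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return events


def triage(events: List[Event]) -> List[str]:
    """Return one line per finding, each prefixed with the event code it concerns."""
    alerts: List[str] = []
    failed_run: List[Event] = []

    def flush_run() -> None:  # close a run of consecutive failed logons
        if len(failed_run) >= FAILED_LOGON_THRESHOLD:
            last = failed_run[-1]
            alerts.append(f"{last.code} {last.timestamp:{TS_FMT}}: {len(failed_run)} consecutive "
                          "failed logon attempts (the TOE enforces no lockout)")
        failed_run.clear()

    for ev in events:
        if ev.code in ("ALO", "ULO") and ev.status == "Fail":
            failed_run.append(ev)
            continue
        flush_run()
        if ev.code == "TMP":
            alerts.append(f"TMP {ev.timestamp:{TS_FMT}}: {EVENT_CODES['TMP']}; unit is permanently disabled")
        elif ev.code in ("RCA", "RKM"):
            alerts.append(f"{ev.code} {ev.timestamp:{TS_FMT}}: {EVENT_CODES[ev.code]}; check what was plugged in")
        elif ev.code == "STS" and ev.status == "Fail":
            alerts.append(f"STS {ev.timestamp:{TS_FMT}}: self-test failed; TOE was disabled until reboot")
    flush_run()
    if len(events) >= LOG_CAPACITY:
        alerts.append(f"FULL: dump holds {LOG_CAPACITY} entries, so older events have been overwritten")
    return alerts


# Constructed sample dump (not real device output).
SAMPLE_DUMP = """\
2021-11-03 08:00:00 PWU Pass
2021-11-03 08:00:02 STS Pass
2021-11-03 08:05:10 ALO Fail
2021-11-03 08:05:25 ALO Fail
2021-11-03 08:05:41 ALO Fail
2021-11-03 08:06:03 ALO Pass
2021-11-03 09:14:48 RKM Fail
2021-11-03 09:15:02 TMP Fail
"""
```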
During operation, none of the front panel LED indications can be turned off or dimmed by the user in any way, including after Restore Factory Default (reset). This prevents user confusion about the current TOE state. [8] When the TOE has booted successfully, it defaults to computer 1 as the selected computer.

[8] See section 1.6.2.6.6 above for detailed information about Restore Factory Default (reset)

[O.LEAK_PREVENTION_SWITCHING]: FDP_SWI_EXT.1, FDP_SWI_EXT.2

All switching mechanisms must be deliberately engaged by the user. There are no mechanisms that allow data intended for the selected computer to be transmitted to a different computer, and there are no interfaces that allow data to be transmitted directly between computers.

6.3 TOE Tampering Protection

In order to mitigate potential tampering and replacement, the TOE is designed to ensure that any replacement may be detected, any physical modification is evident, and any logical modification may be prevented. The tamper protection mechanism is only triggered by tamper detection or failure of self-testing; there is no method by which a user can falsely or accidentally trigger the tamper protection indicator such that the TOE incorrectly indicates that it is operating in a tampered state.

The TOE is designed so that access to the TOE firmware, software, or its memory via its accessible ports is prevented. No access is available to modify the TOE or its memory. To mitigate the risk that a potential attacker will tamper with a TOE and then reprogram it with altered functionality, the compliant TOE external and internal interfaces are locked for code read and write. The programmable components of the TOE’s programming ports are permanently disabled for both read and write operations. The TOE’s operational code may not be upgraded through any of the TOE external or internal ports.
[O.NO_TOE_ACCESS]: FPT_NTA_EXT.1

The TOE is designed to prevent any physical or logical access to its internal memory. All TOE microcontrollers run from internally protected flash memory. The TOE firmware is read/write protected, inaccessible by JTAG interfacing, and cannot be modified or updated by any external tools. All firmware is executed on SRAM and protected against external access/modification of code or stacks. The only memory access granted to external entities is the following:
- Connected computers may read the EDID memory
- Authorized administrators may read memory related to the TOE’s configuration data, settings, and logging data.
- Authorized users may read memory related to configuration data for the current CDF configuration.

[O.TAMPER_EVIDENT_LABEL]: FPT_PHP.1

Each TOE has one uniquely labeled front panel holographic tamper evident label (TEL) placed over the boundary between the upper and lower half of the TOE enclosure. The TEL has a recorded unique serial number that is monitored for TOE authentication purposes. Any attempt to access the internals of the TOE will cause permanent visible damage to the TEL.

[O.ANTI_TAMPERING]: FPT_PHP.1, FPT_PHP.3

In addition to the TEL on the front panel, the TOE is physically designed to trigger the anti-tampering system once opened. The TOE enclosure is composed of all-around reinforced stainless steel construction, which shields it from outside intrusion through brute physical force. There is also a mechanical switch on the inside of the TOE that triggers the anti-tampering state when the enclosure is manually opened. Once the anti-tampering state is triggered, the TOE is permanently disabled. There is no access available to reset the TOE to factory defaults once the anti-tampering state is active. All channels are electrically and logically isolated by setting all TOE multiplexers to isolation and opening all data relays.
All stored information on the TOE is also erased. When the anti-tampering system is triggered, the TOE shuts down all ports and functionality. The following user indications occur once the anti-tampering system is triggered:
1. All the push-button LEDs flash repeatedly
2. The alarm from the internal speaker beeps repeatedly
3. Relays on the TOE pulse repeatedly

The TOE power supply controls the anti-tampering system during powered operation. When the TOE is not supplied with external power, a backup battery located on the TOE circuit board keeps the anti-tampering system powered. The battery is rated for an operational life of 10 years, but this is extended when the TOE is externally powered, as the battery depletion rate is reduced in this case. The TOE has a non-volatile battery controller that is powered by both the backup battery and the power supply of the TOE, depending on whether or not the TOE is externally powered. The data retention voltage of this controller is between 1V and 5V. If the voltage of the backup battery depletes below 1V, the anti-tampering function will be triggered, either immediately upon detection if the TOE is powered on, or on the first boot after detection if the TOE is powered off when the depletion threshold is reached. This permanently disables the TOE.

6.4 TOE Self-Testing

[O.SELF_TEST]: FPT_TST.1

All TOEs have a self-testing function that executes immediately after power is supplied, including after Restore Factory Default (reset) and power reset, before normal operation access is granted to the user. The self-test function includes the following activities:
1. Basic integrity test of the TOE hardware (no front panel push buttons are jammed).
2. Basic integrity test of the TOE firmware.
3. Integrity test of the anti-tampering system and control function.
   a. Ensure the calendar date had been set.
   b. Ensure the anti-tamper switches had not been opened when powered off.
   c. Ensure the anti-tamper switches are currently closed.
   d. Ensure the anti-tamper battery had not been tampered with when powered off.
   e. Ensure the anti-tamper battery is still intact.
4. Ensure the isolation between HID traffic and CAC traffic of each computer.
5. Ensure the isolation of HID and CAC traffic between different computers.

Users verify the integrity of the TSF and its data through these mechanisms. All features of the TOE front panel are tested during power-up self-testing. From power up until the termination of the TOE self-test, no channel is selected. This ensures that no TOE state is exposed to the user until all self-tests have been passed. If all self-tests are passed, normal operation is indicated audibly through one beep of the internal alarm followed by one pulse of an internal relay. If any self-tests fail, the TOE is temporarily disabled to the extent that all computer, peripheral, and CAC ports are deactivated, and the management interface cannot be accessed. The user can reboot the TOE (power off/power on) to attempt to clear the error state.

[O.SELF_TEST_FAIL_TOE_DISABLE]: FPT_FLS_EXT.1, FPT_TST_EXT.1

If a self-testing function does not meet normal operation requirements (failure), the TOE is temporarily disabled until the issue is resolved and the TOE is rebooted (power off/power on). If the unit is permanently defective, then it must be replaced.

[O.SELF_TEST_FAIL_INDICATION]: FPT_TST_EXT.1

If self-testing fails, all front panel LEDs turn on to indicate self-test failure. TOE normal operation is disabled until the issue is resolved and the system is rebooted. When the system passes all self-testing functions, normal operation is indicated by one beep from the internal speaker and one pulse from an internal TOE relay.

6.5 TOE Audio Subsystem Security Functions

The TOE enforces requirements for data isolation and peripheral authorization for the analog audio output interface.
[O.COMPUTER_INTERFACE_ISOLATION, O.COMPUTER_INTERFACE_ISOLATION_TOE_UNPOWERED, O.USER_DATA_ISOLATION, O.PERIPHERAL_PORTS_ISOLATION, O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_APC_EXT.1/AO, FDP_PDC_EXT.1, FDP_PDC_EXT.2/AO, FDP_PUD_EXT.1

When the TOE is not powered, an audio isolation relay is opened to isolate the audio input ports from all internal TOE circuitry. The TOE does not supply power to any device connected to the analog audio output interface. Each connected computer has its own isolated stereo audio channel that flows from the connected computer's audio input port to the analog stereo output port of the TOE. The analog audio output interface is the only physical interface for this function; unauthorized peripherals are either physically incompatible or logically incompatible (as is the case with audio input devices).

[O.UNIDIRECTIONAL_AUDIO_OUT]: FDP_AFL_EXT.1, FDP_APC_EXT.1/AO, FDP_UDF_EXT.1/AO

The use of microphones as input devices is prohibited. All TOE models support analog audio output switching, and all TOE models block microphone devices. Microphones are blocked through the use of uni-directional audio diodes on both the left and right stereo channels (forcing data flow only from the computer to the connected audio device) and the LM4880 Boomer analog output amplifier, which enforces uni-directional audio data flow. All audio signals are filtered in accordance with the Audio Filtration Specifications table (Table 25) above. The audio system is protected mechanically to provide physical isolation of the audio ports from all remaining sources; at any given moment, only one source is connected to the audio multiplexer. This type of physical connection ensures complete isolation between input computers and limits any possible leakage. The multiplexer provides protection against channel-to-channel crosstalk: the off channel does not receive any audio signal even when the active channel carries a high-frequency signal.
The multiplexer also provides OFF-isolation of 120 dB and channel separation of 116 dB. Furthermore, uni-directional audio diodes are placed in parallel on both the right and left stereo channels to ensure uni-directional data flow from the connected computer to the analog audio output port on the TOE, which prevents any reverse audio from leaking. Audio data from the connected peripheral devices to the connected computer is blocked by the uni-directional audio circuit. Only analog audio is supported; all digital audio is blocked using a dedicated filter. The output signal is limited to a range between 45 dB and 75 dB.

[O.COMPUTER_TO_AUDIO_ISOLATION]: FDP_APC_EXT.1/AO, FDP_UDF_EXT.1/AO

The TOE controls the audio switching between each connected computer channel using isolated uni-directional audio buses. The TOE audio interface uses a solid state multiplexer and mechanical relays to ensure audio/computer channel isolation.

[O.NO_USER_DATA_RETENTION]: FDP_RIP_EXT.1, FDP_RIP_EXT.2

The TOE audio subsystem does not delay, store, or convert audio data flows. This prevents any audio overflow during switching between isolated audio channels. The Letter of Volatility in Appendix B identifies all non-volatile memory components of the TOE and the data stored on them; these components do not store audio data.

[O.SELF_TEST]: FPT_TST.1
[O.SELF_TEST_FAIL_TOE_DISABLE]: FPT_FLS_EXT.1, FPT_TST_EXT.1
[O.ANTI_TAMPERING_PERMANENTLY_DISABLE_TOE]: FPT_PHP.3 and FPT_FLS.1

If the TOE fails the audio self-test or anti-tampering is triggered, the same audio isolation relay is opened to isolate the audio inputs, preventing data leakage.

6.6 TOE Keyboard and Mouse Functionality

The TOE enforces requirements for data isolation and peripheral authorization for the keyboard/mouse interface.
[O.COMPUTER_INTERFACE_ISOLATION, O.COMPUTER_INTERFACE_ISOLATION_TOE_UNPOWERED, O.USER_DATA_ISOLATION, O.PERIPHERAL_PORTS_ISOLATION, O.REJECT_UNAUTHORIZED_ENDPOINTS, O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_APC_EXT.1/KM, FDP_FIL_EXT.1/KM, FDP_PDC_EXT.1, FDP_SWI_EXT.3

To completely isolate the keyboard and mouse interfaces of all connected computers, host and device emulators are used to control these peripheral interfaces. The host emulator receives serial commands from the USB keyboard and mouse and stores them in SRAM. These commands are sent through the current channel to its respective isolated microcontroller (the device emulator). The TOE device emulator then interacts with its assigned isolated connected computer via USB. Having separate isolated device emulators assures that the connected computers have no electrical or logical information channel with the TOE or the peripheral devices. External devices connected to the USB KM ports of the TOE cannot be used to supply power to the TOE. When the TOE is in a failure state (either because it has experienced self-test failure or physical tampering), no data is transmitted through the TOE.

Each isolated device emulator is powered by the TOE. Each isolated host emulator is powered jointly by its respective connected computer and the TOE. The host emulator is reset whenever the computer or the TOE is powered on. Uni-directional diodes are used to isolate all power domains from each connected computer to each device emulator. In addition to the device emulators used for interface isolation, computer/host emulators are used by the TOE to interact with the peripheral interfaces of the connected keyboard and mouse devices. The host emulator further isolates these peripheral devices from the connected computers and the TOE circuitry.
Any threat that attempts to access connected computers through peripheral keyboard and mouse devices must bypass both the host and the device emulator of each isolated channel. The data exchange between the host and device emulators is limited to basic keyboard and mouse commands. A secure peripheral switch (multiplexer) is used to ensure that only one tied keyboard and mouse serial data stream is selected during TOE operation. The secure multiplexer has a third position, isolation, which is activated when the TOE has been tampered with or self-test has failed, to disable the keyboard and mouse stream.

The keyboard and mouse processor is programmed in firmware to accept only 108-key keyboard and 3-button mouse USB devices. Unauthorized peripheral devices are rejected by the TOE's keyboard and mouse ports. Wireless keyboards and mice are special USB composite devices; when this type of device is recognized by the TOE, all front LEDs of the TOE blink and the user must disconnect the device and reboot the TOE. The only USB host peripheral devices allowed by the TOE are the keyboard and mouse host emulators. Basic USB 1.1/2.0 HID-class devices are authorized as valid endpoints by the TOE. Note that devices with an integrated USB hub and composite devices are supported only if the connected device has at least one endpoint of the keyboard or mouse HID class. All other endpoints (those that are not keyboard or mouse HID class) are disabled in this scenario. The keyboard and mouse TOE ports are interchangeable.

The claimed PP assumes that all standard peripheral devices are untrusted; therefore, the TOE protects the system from attacks that may exploit such devices to enable unauthorized data flows. By creating uni-directional isolated keyboard and mouse TOE channels that are tied to the two USB 1.1/2.0 ports on the TOE, unauthorized data flows are eliminated.
Inside the TOE, the keyboard and mouse peripherals are switched together from one isolated connected computer to the next. There is no user/administrator configuration that allows keyboard and mouse functionality to be split into separate serial data channels. Keyboard and mouse data flow is not connected to any other TOE data flow (audio, video, USB/CAC) or other external interface.

[O.NO_USER_DATA_RETENTION]: FDP_RIP_EXT.1, FDP_RIP_EXT.2, FDP_RIP.1/KM

TOE non-volatile memory is not used to store keyboard and mouse data. All keyboard and mouse commands are stored in static random access memory (SRAM). Since SRAM is volatile memory, all data is cleared from the stack when the TOE is powered down and during Restore Factory Default. The buffer for keyboard and mouse data is 128 bits and is continuously read and cleared during use. When switching from one connected computer to another, the TOE system controller ensures that the keyboard and mouse stacks are deleted. The switching process takes between 250 and 500 milliseconds (ms). Internal components of the TOE temporarily shut down power to the keyboard and mouse peripherals to eliminate any build-up of cached commands from the previous channel. This temporary power reset prevents data leakage. In addition, the TOE deletes all keyboard and mouse stacks upon the Restore Factory Default function. More information about the keyboard/mouse buffer and its clearing, including the physical components responsible for doing this, can be found in Appendix B below. This Appendix also lists the non-volatile memory components of the TOE and the data stored on them, to show that the TOE does not store user data in non-volatile memory.

[O.EMULATED_INPUT]: FDP_PDC_EXT.2/KM, FDP_PDC_EXT.3/KM

Isolated host/device emulators are used to interact with the serial commands sent by the keyboard and mouse over USB.
The host emulator receives a serial data stream from the tied keyboard and mouse peripherals. This data is passed through a peripheral data diode, an optical isolator, and a mechanical relay to the device emulator. This prevents any type of bi-directional communication between the keyboard/mouse and the connected computers.

[O.UNIDIRECTIONAL_INPUT]: FDP_UDF_EXT.1/KM

To ensure uni-directional data flow, data diodes, optical isolators, and mechanical relays are placed in series between the TOE host emulators and device emulators. Each isolated device emulator has its own diode, optical isolator and relay to assure electrical/logical data isolation from other data channels and other TOE functions. This can be observed on the TOE through the keyboard's embedded Caps Lock, Num Lock, and Scroll Lock LEDs. When a keyboard is connected to the computer through the TOE, these indicators are not functional, as this data is not able to pass between the TOE and the computer and vice versa. Thus, the use of these embedded keyboard LEDs is not supported by the TOE.

[O.SELF_TEST]: FPT_TST.1
[O.SELF_TEST_FAIL_TOE_DISABLE]: FPT_FLS_EXT.1, FPT_TST_EXT.1
[O.ANTI_TAMPERING_PERMANENTLY_DISABLE_TOE]: FPT_PHP.3 and FPT_FLS.1

When the TOE is not powered, an isolation relay is opened to isolate the KM input ports from all internal TOE circuitry. If the TOE fails the KM self-test or anti-tampering is triggered, the same isolation relay is opened to isolate the KM inputs, preventing data leakage. All stored keyboard and mouse information is erased from the TOE.

6.7 TOE User Authentication Device Subsystem Security Functions

The TOE enforces requirements for data isolation and peripheral authorization for the user authentication device interface. The TOE has Configurable Device Filtration (CDF) for the USB CAC peripheral port.
The default behavior is to allow a USB device with the "user authentication" base class (0Bh) to interface with this port, which includes devices such as smart card readers, PIV/CAC tokens, and biometric readers. All devices must be bus powered (no external power source is allowed). CDF can be used to override the default behavior.

Whenever a USB device is plugged into the TOE CAC port, the connection detector verifies that a USB device is now connected to the TOE CAC port. The host USB sniffer then stores the connected USB Product ID (PID), Vendor ID (VID), class and serial number. If the connection detector verifies that a device is connected, a verification signal is sent to the MCU. The MCU then checks whether the current USB device is registered by the TOE. If the PID, VID, class, and serial number do not match the registered TOE USB devices, the USB device is rejected by the TOE. Registered devices are whitelisted by the TOE; all other devices are implicitly blacklisted. The TOE default settings accept a standard smart-card reader, PIV/CAC USB 1.1/2.0 token or biometric reader. Only an identified and authorized user/administrator can register other USB devices. Once a device has been registered on the TOE, no other USB peripheral device (including the default smart-card readers/biometric readers) is allowed to operate on the TOE USB port. To re-enable default operation, an identified and authorized user/administrator must delete the registered device.

When a USB hub is connected to the TOE, the TOE does not recognize it as an accepted device, even if a standard smart-card reader or similar approved device is connected to the hub. The TOE recognizes that a USB hub is connected and blocks all communications to this hub, regardless of what devices are connected to the hub. The USB hub cannot be registered on the TOE by an administrator for use with approved devices.
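The two peripheral admission rules just described, the keyboard/mouse endpoint rule of section 6.6 and the CAC port Configurable Device Filtration of section 6.7, modelled together as one added example. This is example code written for this page, not Black Box firmware. The class codes are the public USB-IF base class codes (HID 03h, hub 09h, smart card / user authentication 0Bh); the rule set is taken from the ST text. Two points are assumptions of the model: "keyboard or mouse HID class" is modelled as a boot-protocol keyboard or mouse interface, and a device's class is taken from bDeviceClass or, for composite devices that report class 00h, from its interface descriptors. All descriptor values in the test are constructed.

```python
"""Added example, not Black Box firmware: admission rules for the keyboard/mouse
console ports (ST section 6.6) and for the CAC port with Configurable Device
Filtration (ST section 6.7). Assumptions: keyboard/mouse HID means a
boot-protocol keyboard or mouse interface; a composite device's classes are
read from its interfaces."""
from dataclasses import dataclass

HID_CLASS, HUB_CLASS, USER_AUTH_CLASS = 0x03, 0x09, 0x0B   # USB-IF base classes
BOOT_SUBCLASS = 0x01
PROTO_KEYBOARD, PROTO_MOUSE = 0x01, 0x02


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    cls: int                     # bDeviceClass (00h = defined per interface)
    serial: str
    bus_powered: bool = True
    interfaces: tuple = ()


def device_classes(dev: UsbDevice) -> set:
    classes = {i.cls for i in dev.interfaces}
    if dev.cls:
        classes.add(dev.cls)
    return classes


def is_km_interface(i: Interface) -> bool:
    return (i.cls == HID_CLASS and i.subclass == BOOT_SUBCLASS
            and i.protocol in (PROTO_KEYBOARD, PROTO_MOUSE))


def km_port_admit(dev: UsbDevice):
    """Keyboard/mouse port: a device (hub-backed or composite included) is
    admitted only if at least one interface is a keyboard or mouse HID
    endpoint; every other interface is disabled.
    Returns (admitted, indexes of the interfaces left enabled)."""
    enabled = [n for n, i in enumerate(dev.interfaces) if is_km_interface(i)]
    return bool(enabled), enabled


class CacPortFilter:
    """CAC port. With nothing registered, the default rule admits bus-powered
    user-authentication class devices. Once an administrator registers a
    device, only exact (VID, PID, class, serial) matches are admitted and the
    default rule is switched off; deleting the registrations restores it."""

    def __init__(self):
        self.registered = set()

    @staticmethod
    def _key(dev: UsbDevice):
        return (dev.vid, dev.pid, dev.cls, dev.serial)

    def register(self, dev: UsbDevice) -> None:      # authenticated admin action
        self.registered.add(self._key(dev))

    def unregister(self, dev: UsbDevice) -> None:    # authenticated admin action
        self.registered.discard(self._key(dev))

    def admit(self, dev: UsbDevice):
        """Returns (admitted, reason). A rejection is what makes the CAC LED and
        the channel button backlight blink until the device is removed."""
        if HUB_CLASS in device_classes(dev):
            return False, "USB hub: blocked regardless of downstream devices"
        if not dev.bus_powered:
            return False, "externally powered device not allowed"
        if self.registered:
            if self._key(dev) in self.registered:
                return True, "registered (whitelisted) device"
            return False, "not registered; default class rule is overridden"
        if USER_AUTH_CLASS in device_classes(dev):
            return True, "default rule: user authentication base class 0Bh"
        return False, "default rule: not a user authentication class device"
```

Note the asymmetry the ST calls out and the model preserves: on the KM port a composite device is pruned down to its keyboard/mouse interfaces, whereas on the CAC port whitelisting by serial number means a second reader of the same make and model is rejected once the first has been registered.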
[O.COMPUTER_INTERFACE_ISOLATION, O.COMPUTER_INTERFACE_ISOLATION_TOE_UNPOWERED, O.USER_DATA_ISOLATION, O.PERIPHERAL_PORTS_ISOLATION, O.REJECT_UNAUTHORIZED_ENDPOINTS, O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_APC_EXT.1/UA, FDP_FIL_EXT.1/UA, FDP_PDC_EXT.1, FDP_PDC_EXT.2/UA, FDP_PDC_EXT.4, FDP_PWR_EXT.1, FDP_SWI_EXT.2

Each connected computer has an isolated computer interface with its individual CAC port. Each computer interface has isolated circuitry on the TOE and its own individual power plane. Each USB CAC device must be powered by the TOE. All data channels are electrically and logically isolated to prevent data leakage. When the TOE is in a failure state (either because it has experienced self-test failure or physical tampering), no data is transmitted through the TOE.

The TOE uses an external authentication device. The TOE supports USB devices on the CAC USB peripheral port that have the "user authentication" base class (0Bh), as well as explicit whitelisting of individual devices authorized to use this port. All user authentication ports are tied to their respective isolated channel to prevent data leakage. Any unauthorized user authentication device or unqualified USB device is rejected by the TOE. When this occurs, the user is notified of the rejection: the LED indicator of the USB CAC device and the button backlight of the current channel both blink repeatedly until that peripheral is removed.

[O.AUTHORIZED_USAGE]: FAU_GEN.1, FDP_SWI_EXT.1, FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FTA_CIN_EXT.1

Only an identified and authenticated user/administrator can register a USB CAC/peripheral device. The device enumeration details are compared before and during operation with pre-stored values to determine whether the device is qualified or unqualified for TOE interfacing.
The CDF definitions may define one or more device characteristics such as USB device class, sub-protocol, VID, PID and serial number.[9] Details about the TOE's identification and authentication mechanism, as well as its ability to generate audit records, are presented in section 6.2 above.

[O.USER_AUTHENTICATION_ISOLATION]: FDP_UAI_EXT.1

The TOE's CAC ports (for both console and computer interfaces) are physically separate from the keyboard/mouse ports. Each connected computer has an isolated computer interface with its individual CAC port. Each computer interface has isolated circuitry on the TOE and its own individual power plane. All data channels are electrically and logically isolated to prevent data leakage.

[O.SESSION_TERMINATION]: FDP_TER_EXT.1, FDP_TER_EXT.2, FDP_TER_EXT.3

When ports are switched, the power to the CAC port is reset for 1,000 ms using an integrated high-side power switch optimized for Universal Serial Bus (USB) applications. The USB power switch offers current and thermal limiting, short circuit protection, controlled rise time, and under-voltage lockout through its internal port power switch and over-current protection. The USB internal power switch completely disconnects the power line (5 VDC) from the connected CAC device. The turn-off time, tested with a load capacitance of 100 μF, is 200 μs to drop from 5 V to 2 V and 250 μs to drop from 5 V to under 1.8 V. Since the power disconnect time has been set to 1,000 ms, the CAC device is completely discharged and any internal information is erased. When a connected authentication device is disconnected from the TOE, either because it is physically disconnected or because the TOE is switched to a different channel, the previously-active session on the connected computer is disabled.

[9] Registration of a USB CAC/peripheral device is part of the Administration and Security Management Tool outlined in section 6.2 above.
Similarly, if an authentication device that uses removable authentication elements is connected to the TOE, removal of the authentication element causes the session to be terminated (e.g., removal of a smart card from a connected card reader).

[O.NO_USER_DATA_RETENTION]: FDP_RIP_EXT.1, FDP_RIP_EXT.2

No user authentication device data is stored by the TOE. User authentication device data is not processed or emulated on the TOE. The Letter of Volatility in Appendix B identifies all non-volatile memory components of the TOE and the data stored on them; these components do not store user authentication device data.

[O.SELF_TEST]: FPT_TST.1
[O.SELF_TEST_FAIL_TOE_DISABLE]: FPT_FLS_EXT.1, FPT_TST_EXT.1
[O.ANTI_TAMPERING_PERMANENTLY_DISABLE_TOE]: FPT_PHP.3 and FPT_FLS.1

While the TOE is not powered, all user authentication device channels are isolated through a peripheral multiplexer. If the TOE fails self-testing or TOE anti-tampering is triggered, the same multiplexer isolates all channels as during non-powered operation to prevent data leakage. All open authentication sessions are disconnected during channel isolation.

6.8 TOE Video Subsystem Security Functions

The TOE enforces requirements for data isolation and peripheral authorization for the video interface. The TOE video data flow path is composed of three uni-directional paths:
• Read EDID path
• Write EDID path
• Uni-directional video path

The TOE is designed to read the connected monitor's EDID upon power up for a short period of time. The monitor must be connected to the video output connector located in the console space at the back of the TOE. If the EDID read from the connected monitor is identical to the EDID currently stored in the TOE, the EDID write function is skipped. The TOE indicates the current EDID read/write process to the user by flashing the front panel LEDs: the port one green LED and the push-button blue LED both flash for about 10 seconds.
When the LEDs stop flashing, the EDID data has been read by the processor and written to the EDID emulators of every connected computer video channel. If the TOE has more than one video board (such as dual-head and quad-head models), the TOE continues to read/write the EDIDs of the connected monitors and indicates the progress of the process by flashing the next port selection's green and push-button blue LEDs in turn. Table 33 below gives a time estimate for EDID read/write for all TOE models.

Table 33 – EDID Read/Write Time Chart (approximate seconds)

Model    Single Head   Dual Head   Quad Head
2-Port   10            20          n/a
4-Port   10            20          40
8-Port   10            20          n/a

EDID Read

During EDID read, the EDID I2C isolation switch closes and EDID data is read from the EDID EEPROM of the monitor by the TOE processor. The EDID multiplexer is set to its isolated position to establish electrical and physical isolation between the processor and the rest of the TOE EDID emulators, preventing possible bi-directional communication between the monitor and the TOE. Note: all computers must be disconnected from the TOE before attempting to read/write EDID information.

EDID Write

The I2C isolation switch between the EDID EEPROM on the monitor and the TOE processor is opened to prevent any bi-directional communication between the connected computers and the TOE. The EDID multiplexer is then set to the first EDID emulator of the TOE. The processor then transmits the EDID data to the EDID emulator. Once the EDID data has been transmitted, the EDID multiplexer switches to the next EDID emulator. The process repeats until the processor has written to all EDID emulators in the TOE.

Normal Operation

All attempted threats from a connected computer to the TOE are stopped by the TOE architecture. Each connected computer video channel has its own emulated EDID EEPROM chip.
Each independent EDID EEPROM chip isolates all video data provided by the connected computers. The following features are implemented in the TOE video subsystem (depending on the video protocols supported):

[O.COMPUTER_INTERFACE_ISOLATION, O.COMPUTER_INTERFACE_ISOLATION_TOE_UNPOWERED, O.USER_DATA_ISOLATION, O.PERIPHERAL_PORTS_ISOLATION]: FDP_APC_EXT.1/VI

Each connected computer has its own isolated TOE channel with its own EDID emulator and video input port. Data flows from the input video source through its respective EDID emulator and out of the monitor display port. Each video input interface is isolated from the others using different EDID ICs, power planes, ground planes, and electronic components in each independent channel. When the TOE is in a failure state (either because it has experienced self-test failure or physical tampering), no data is transmitted through the TOE.

[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI

To ensure the EDID signal cannot be used to transfer unauthorized data, the TOE places the following limitations on EDID:
• The EDID is only learned on power up of the TOE and only from the display.
• During the learning process, all EDID signals are disconnected from the computers and hot plug is disabled for all computers.
• Each computer has a dedicated EEPROM for storing the EDID data. This EEPROM is read-only for the computer and has only 256 bytes of storage; the computer cannot edit it, and it can be read only using the EDID protocol with its limitations.
• When the learning process is complete, each computer is connected to its read-only EDID flash memory. The read is initiated by the computer after the TOE has completed the learning and programming of the flashes for all computer ports.
• The transition of the Hotplug signal out of "disabled" at the end of the learning process triggers the computer to read from the dedicated flash memory of the TOE through the DDC.
• For each supported display protocol, the TOE permits communication of EDID and HPD information from display to computer.

[O.UNIDIRECTIONAL_VIDEO]: FDP_UDF_EXT.1/VI

For each supported video protocol, the TOE forces native analog video data (red, green, and blue channels) and TMDS digital video data (one clock signal and the red, green, and blue channels) to flow uni-directionally from the switched computer to the connected display device (or devices, if the TOE supports dual-head or quad-head operation and multiple displays are connected to the TOE's console ports).

[O.AUTHORIZED_USAGE]: FDP_CDS_EXT.1, FTA_CIN_EXT.1

All TOE models except the KVS4-8004VPX Preview Screen model drive the connected displays from a single source video feed (either single-head or multi-head). Because of this, the single selected source video feed for these models is always the same channel as all other peripherals, and the selected channel is indicated through the channel selection LEDs on the TOE chassis. For the Preview Screen model, the TOE has one display that is tied to the other peripherals as with a typical single-head switch, and a second "Preview Screen" display that functions as a multi-viewer for one or more connected channels, separate from the other peripherals. The active channel for the primary display is indicated by the port selection LED on the TOE chassis, while the active channel(s) for the Preview Screen display are indicated by on-screen display watermarks on the displayed video feeds. This functionality relates to unauthenticated users operating the TOE, so it does not relate to the portion of the O.AUTHORIZED_USAGE objective that is satisfied by the administration capability described in section 6.2 above.
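The EDID limitations above (learned only from the display, a 256-byte read-only emulator per computer, invalid EDID display devices rejected) imply a validation step before the processor programs the emulators. The following is an added example of such a check, written for this page and not Black Box code: the structural checks follow the public VESA E-EDID 1.3 layout (8-byte header, 128-byte blocks each summing to zero modulo 256, extension count in byte 126, three 5-bit manufacturer letters in bytes 8-9), and the 256-byte ceiling is the ST's emulator capacity. The sample EDID it builds is constructed for the test, not read from a real monitor.

```python
"""Added example, not Black Box code: EDID sanity checks of the kind a secure
KVM processor can apply before copying a monitor's EDID into the per-computer
read-only emulators. Layout per VESA E-EDID 1.3; the 256-byte limit is the
ST's emulator capacity. The sample EDID is constructed."""

EDID_HEADER = bytes([0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00])
BLOCK = 128
EMULATOR_CAPACITY = 256            # bytes per computer-side EDID emulator (ST figure)


class EdidError(ValueError):
    pass


def decode_manufacturer(edid: bytes) -> str:
    """Bytes 8-9 hold three 5-bit letters (A=1 .. Z=26), big-endian."""
    v = (edid[8] << 8) | edid[9]
    codes = [(v >> 10) & 0x1F, (v >> 5) & 0x1F, v & 0x1F]
    if any(not 1 <= c <= 26 for c in codes):
        raise EdidError("manufacturer ID is not three letters A-Z")
    return "".join(chr(ord("A") + c - 1) for c in codes)


def validate_edid(edid: bytes) -> dict:
    """Raise EdidError on anything malformed; return the decoded identity."""
    if len(edid) == 0 or len(edid) % BLOCK:
        raise EdidError(f"length {len(edid)} is not a multiple of {BLOCK}")
    if len(edid) > EMULATOR_CAPACITY:
        raise EdidError(f"{len(edid)} bytes exceed the {EMULATOR_CAPACITY}-byte emulator")
    if edid[:8] != EDID_HEADER:
        raise EdidError("EDID header missing")
    for start in range(0, len(edid), BLOCK):          # every block sums to 0 mod 256
        if sum(edid[start:start + BLOCK]) % 256:
            raise EdidError(f"checksum failure in block {start // BLOCK}")
    ext = edid[126]
    if ext != len(edid) // BLOCK - 1:                 # declared vs. supplied extensions
        raise EdidError(f"extension count {ext} does not match {len(edid)} bytes")
    return {
        "manufacturer": decode_manufacturer(edid),
        "product_code": edid[10] | (edid[11] << 8),
        "version": (edid[18], edid[19]),
        "extensions": ext,
    }


def accept_display(edid: bytes) -> bool:
    """Go/no-go decision before the emulators are programmed."""
    try:
        validate_edid(edid)
        return True
    except EdidError:
        return False


def _seal(block: bytearray) -> bytes:
    block[127] = (-sum(block[:127])) % 256           # make the block sum to 0 mod 256
    return bytes(block)


def build_sample_edid(manufacturer="BBX", product_code=0x1234, cea_extension=False) -> bytes:
    """Constructed EDID 1.3 base block, optionally with one CEA-861 extension."""
    b = bytearray(BLOCK)
    b[0:8] = EDID_HEADER
    v = 0
    for ch in manufacturer:                           # pack three 5-bit letters
        v = (v << 5) | (ord(ch) - ord("A") + 1)
    b[8], b[9] = v >> 8, v & 0xFF
    b[10], b[11] = product_code & 0xFF, product_code >> 8
    b[18], b[19] = 1, 3                               # EDID version 1.3
    b[126] = 1 if cea_extension else 0
    edid = _seal(b)
    if cea_extension:
        ext = bytearray(BLOCK)
        ext[0], ext[1] = 0x02, 0x03                   # CEA-861 tag, revision 3
        edid += _seal(ext)
    return edid
```

The checks are deliberately structural only: they establish that what is about to be written into the read-only emulators is a well-formed EDID of at most two blocks, not that its timing descriptors make sense, which is the computer's job once it reads the emulator over DDC.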
[O.SELF_TEST]: FPT_TST.1
[O.SELF_TEST_FAIL_TOE_DISABLE]: FPT_FLS_EXT.1, FPT_TST_EXT.1
[O.ANTI_TAMPERING_PERMANENTLY_DISABLE_TOE]: FPT_PHP.3 and FPT_FLS.1

When the TOE is unpowered, all video signals are isolated electrically and logically from the TOE. If TOE anti-tampering is triggered or TOE self-testing has failed, the same video signal isolation occurs inside the TOE. The emulated EDID EEPROMs are still powered by their respective computers, but cannot communicate with the TOE due to hardware component isolation.

[O.ANTI_TAMPERING]: FPT_PHP.3 and FPT_FLS.1

If anti-tampering is triggered on the TOE, all video channels are permanently isolated and all EDID information is erased from the TOE.

[O.NO_USER_DATA_RETENTION]: FDP_RIP_EXT.1

No user video data is stored by the TOE (as opposed to EDID data, which is used to interface with a connected video peripheral). The Letter of Volatility in Appendix B identifies all non-volatile memory components of the TOE and the data stored on them; these components do not store buffered video data.

6.8.1 V Models

The KVS4-2002VX, KVS4-2004VX, KVS4-1008VX, and KVS4-2008VX TOE models support DP 1.2 video input and output. The TOE converts the DP signal to HDMI inside the TOE. This signal is then converted back to DisplayPort for output to the console display. The TOE rejects communication of EDID information from computer to display, as well as CEC, HDCP, and MCCS communications. Link Training is allowed for the DisplayPort interface.

[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(V), FDP_IPC_EXT.1(V), FDP_SPR_EXT.1/DP(V)

The TOE rejects unauthorized video peripherals through the physical port and through filtering of the video signals received. Physically, the TOE only accepts a video connector that fits the specifications of the unit, which is DisplayPort for V models.
Connectors that are not for the specified unit cannot connect and send signals to the TOE. The pin-out of each video interface is different, which ensures that no other physical connector can be used. The video signals themselves are also checked for adherence to the specifications. A VGA signal, for example, is analog and cannot be read by the digital DisplayPort standard. The TMDS signal of HDMI and DVI cannot be read by the DisplayPort interface. The power level and the HPD signal of the various connections also differ across the board, which further reduces risk. Note also that the PC in the system is specifically an input device and can only receive certain signals from the monitor. On top of these obstructions, the TSF ensures that any signal that does not match the protocol of the intended video signal for the device is completely ignored by the TOE.

The DisplayPort AUX channel between the PC and the monitor is completely disconnected. The AUX channel from the computer is connected to an internal FPGA that simulates a monitor. The simulated AUX is preloaded into the FPGA during manufacturing and can never be changed. The source video feed for connected computers is DisplayPort. This is converted to HDMI inside the TOE before being converted back to DisplayPort and output.

[O.PROTECTED_EDID]: FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DP(V)

The TOE video subsystem prevents MCCS write commands through independent, read-only emulated EDID EEPROMs. The TOE processor reads the EDID data from the monitor and then individually writes this EDID data to each emulator during power up. All changes in the display after the EDID read/write process are ignored. Switches in the internal circuitry prevent the connected computer from writing to its EDID emulator. The TOE rejects invalid EDID display devices, regardless of which physical device types are supported by the particular TOE model.
6.8.2 D Models

The KVS4-2004DX, KVS4-1008DX, and KVS4-2008DX TOE models support DVI-I video input and output. The TOE rejects communication of EDID information from computer to display, as well as ARC, CEC, HDCP, HEAC, HEC, and MCCS communications.

[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(D), FDP_SPR_EXT.1/DVI-I(D)

The TOE rejects unauthorized video peripherals through the physical port and through filtering of the video signals received. Physically, the TOE only accepts a video connector that fits the specifications of the unit, which is DVI-I for D models. Connectors that are not for the specified unit cannot connect and send signals to the TOE. The pin-out of each video interface is different, which ensures that no other physical connector can be used. The video signals themselves are also checked for adherence to the specifications. The power level and the HPD signal of the various connections also differ across the board, which further reduces risk. Note also that the PC in the system is specifically an input device and can only receive certain signals from the monitor. On top of these obstructions, the TSF ensures that any signal that does not match the protocol of the intended video signal for the device is completely ignored by the TOE.

[O.PROTECTED_EDID]: FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DVI-I(D)

The TOE video subsystem prevents MCCS write commands through independent, read-only emulated EDID EEPROMs. The TOE processor reads the EDID data from the monitor and then individually writes this EDID data to each emulator during power up. All changes in the display after the EDID read/write process are ignored. Switches in the internal circuitry prevent the connected computer from writing to its EDID emulator.
The TOE rejects invalid EDID display devices, regardless of which physical device types are supported by the particular TOE model.

6.8.3 HV Models

The KVS4-1002HVX, KVS4-2002HVX, KVS4-1004HVX, and KVS4-2004HVX TOE models support both DP 1.2 and HDMI 1.4 video input and output. The physical TOE ports are combined DP/HDMI ports on a single bus, and either connector can be used interchangeably on both the computer and console ports. If a DisplayPort monitor is connected to the TOE, the TSF converts the signal to HDMI. It then outputs the signal as either HDMI or DisplayPort, depending on the physical port(s) used for the console display(s). If a DisplayPort monitor is connected to the TOE, the TOE blocks EDID information from computer to display, as well as CEC, HDCP, and MCCS communications. If an HDMI monitor is connected to the TOE, these same communications are blocked, as well as ARC, HEAC, and HEC communications. If a DisplayPort monitor is connected to the TOE, Link Training is allowed for this interface.

[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(HV), FDP_IPC_EXT.1(HV), FDP_SPR_EXT.1/DP(HV), FDP_SPR_EXT.1/HDMI(HV)

The TOE rejects unauthorized video peripherals through the physical port and through filtering of the video signals received. Physically, the TOE only accepts a video connector that fits the specifications of the unit, which is either DisplayPort or HDMI for HV models. Connectors that are not for the specified unit cannot connect and send signals to the TOE. The pin-out of each video interface is different, which ensures that no other physical connector can be used. The video signals themselves are also checked for adherence to the specifications. A VGA signal, for example, is analog and cannot be read by the digital DisplayPort standard. The TMDS signal of HDMI and DVI cannot be read by the DisplayPort interface.
The power level and the HPD signal for the various connections also differ, which further reduces risk. Note also that the PC is specifically a video input to the TOE and can only receive certain signals from the monitor. In addition to these obstacles, the TSF ensures that any signal which does not match the protocol of the intended video interface for the device is completely ignored by the TOE.

The DisplayPort AUX channel between the PC and the monitor is completely disconnected. The AUX channel from the computer is connected to an internal FPGA that simulates a monitor. The simulated AUX is preloaded in the FPGA during manufacturing and can never be changed. The source video feed for connected computers is DisplayPort or HDMI. If DisplayPort is used, it is converted to HDMI inside the TOE before being converted back to DisplayPort for output.

[O.PROTECTED_EDID]: FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DP(HV), FDP_SPR_EXT.1/HDMI(HV)

The TOE video subsystem prevents MCCS write commands through independent, read-only emulated EDID EEPROMs. The TOE processor reads the EDID data from the monitor and then individually writes this EDID data to each emulator during power-up. Any change to the display after the EDID read/write process is ignored. Switches in the internal circuitry prevent the connected computer from writing to its EDID emulator. The TOE will reject invalid EDID display devices, regardless of which physical device types are supported by the particular TOE model.

6.8.4 DHV Models

The KVS4-4004DHVX TOE model is a quad-head device with two DP interfaces, one DVI-I interface, and one HDMI interface. These interfaces are isolated from one another and are not interchangeable; for example, if a video input is connected to the TOE's DVI-I port, a monitor must be connected to the DVI-I console port to display the video feed from that input.
For the DP interfaces, the TOE converts the DP signal to HDMI inside the TOE. This signal is then converted back to DisplayPort for output to the console display. The TOE rejects communication of EDID information from computer to display, as well as CEC, HDCP, and MCCS communications. If a DisplayPort monitor is connected to the TOE, Link Training is allowed for this interface.

[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(DHV), FDP_IPC_EXT.1(DHV), FDP_SPR_EXT.1/DP(DHV), FDP_SPR_EXT.1/DVI-I(DHV), FDP_SPR_EXT.1/HDMI(DHV)

The TOE rejects unauthorized video peripherals through the physical port and through filtering of the video signals received. Physically, the TOE will only accept a video connector that fits the specifications of the unit, which for the DHV model are DisplayPort, DVI-I, and HDMI. Connectors not intended for the unit cannot be connected and cannot send signals to the TOE. The pinout of each video interface is different, which ensures that no other physical connector can be used. The video signals themselves are also checked for adherence to the specification. A VGA signal, for example, is analog and cannot be read by the digital DisplayPort standard, and the TMDS signal of HDMI and DVI cannot be read by the DisplayPort interface. The power level and the HPD signal for the various connections also differ, which further reduces risk. Note also that the PC is specifically a video input to the TOE and can only receive certain signals from the monitor. In addition to these obstacles, the TSF ensures that any signal which does not match the protocol of the intended video interface for the device is completely ignored by the TOE.

The DisplayPort AUX channel between the PC and the monitor is completely disconnected. The AUX channel from the computer is connected to an internal FPGA that simulates a monitor.
The simulated AUX is preloaded in the FPGA during manufacturing and can never be changed. The source video feed for connected computers is DisplayPort, DVI-I, or HDMI. When DisplayPort is used, it is converted to HDMI inside the TOE before being converted back to DisplayPort for output.

[O.PROTECTED_EDID]: FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DP(DHV), FDP_SPR_EXT.1/DVI-I(DHV), FDP_SPR_EXT.1/HDMI(DHV)

The TOE video subsystem prevents MCCS write commands through independent, read-only emulated EDID EEPROMs. The TOE processor reads the EDID data from the monitor and then individually writes this EDID data to each emulator during power-up. Any change to the display after the EDID read/write process is ignored. Switches in the internal circuitry prevent the connected computer from writing to its EDID emulator. The TOE will reject invalid EDID display devices, regardless of which physical device types are supported by the particular TOE model.

6.8.5 VM Models

The KVS4-1002VMX, KVS4-1004VMX, and KVS4-2004VMX TOE models support DisplayPort input and HDMI output. Specifically, the TOE uses Multi-Stream Transport (MST) to drive two separate HDMI outputs from one DisplayPort input: an MST hub splits the single input stream into two separate output streams. For example, an input of 3840x2160 @ 60 Hz can be split into two output streams of 3840x2160 @ 30 Hz each. The TOE rejects communication of EDID information from computer to display, as well as CEC, HDCP, and MCCS communications. Link Training is allowed for the DisplayPort interface.
[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(VM), FDP_IPC_EXT.1(VM), FDP_SPR_EXT.1/DP(VM)

The TOE rejects unauthorized video peripherals through the physical port and through filtering of the video signals received. Physically, the TOE will only accept a video connector that fits the specifications of the unit, which is DisplayPort in and 2x HDMI out for VM models. Connectors not intended for the unit cannot be connected and cannot send signals to the TOE. The pinout of each video interface is different, which ensures that no other physical connector can be used. The video signals themselves are also checked for adherence to the specification. The power level and the HPD signal for the various connections also differ, which further reduces risk. Note also that the PC is specifically a video input to the TOE and can only receive certain signals from the monitor. In addition to these obstacles, the TSF ensures that any signal which does not match the protocol of the intended video interface for the device is completely ignored by the TOE.

The DisplayPort AUX channel between the PC and the monitor is completely disconnected. The AUX channel from the computer is connected to an internal FPGA that simulates a monitor. The simulated AUX is preloaded in the FPGA during manufacturing and can never be changed. The source video feed for connected computers is DisplayPort. This is converted to HDMI inside the TOE and output as HDMI.

[O.PROTECTED_EDID]: FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DP(VM)

The TOE video subsystem prevents MCCS write commands through independent, read-only emulated EDID EEPROMs. The TOE processor reads the EDID data from the monitor and then individually writes this EDID data to each emulator during power-up. Any change to the display after the EDID read/write process is ignored.
Switches in the internal circuitry prevent the connected computer from writing to its EDID emulator. The TOE will reject invalid EDID display devices, regardless of which physical device types are supported by the particular TOE model.

6.8.6 VP Models

The KVS4-8004VPX TOE model supports DP 1.2 video input and output. The TOE converts the DP signal to HDMI inside the TOE; this signal is then converted back to DisplayPort for output to the console display. The TOE rejects communication of EDID information from computer to display, as well as CEC, HDCP, and MCCS communications. Link Training is allowed for the DisplayPort interface.

The TOE supports two console monitors: one that is switched together with the non-video peripherals in the same manner as the DPN models referenced in section 6.8.1 above, and a secondary console video port that can be used as a preview screen or multi-viewer. This secondary display can be controlled independently of the push buttons used to select the channel for the remaining console peripherals. It also allows multiple video feeds to be combined on a single monitor through methods such as picture-in-picture or quad display, so the user can keep tabs on the video feed of one or more 'inactive' computers while interacting with the selected computer.

Preview Screen

All attempted attacks from a connected computer against the TOE through the preview path are stopped by the TOE architecture. Each connected computer video channel has its own emulated EDID EEPROM chip, and each independent EDID EEPROM chip isolates the video data provided by its connected computer. The second monitor shows another, non-selected computer and can display only its video signal; all control remains limited to the main display.
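The O.PROTECTED_EDID rationale repeated for every model above, together with the per-channel EDID EEPROM just described for the preview screen, amounts to a small protocol: the TOE processor reads the monitor's EDID once at power-up, validates it, copies it into each channel's emulator, and from then on connected computers may read the emulator but never write to it. The Python below is an added illustration written for this page; it is not Black Box firmware and the Security Target contains no code. It assumes that "invalid EDID" means a failed VESA E-EDID structure check (header pattern, per-block checksum, extension count) plus a fit check against the 4 Kbit (512 x 8) and 8 Kbit (1024 x 8) emulator EEPROMs listed in Appendix B. The sample EDID it builds is constructed, with manufacturer code "BBX" and product code 0x1234 chosen for the example.

```python
"""Power-up EDID learn / write-protect flow for a per-channel EDID emulator.

Added example, not Black Box firmware: the Security Target contains no code.
It models O.PROTECTED_EDID as described: the TOE processor reads the console
monitor's EDID once at power-up, validates it, copies it into each channel's
emulated EEPROM, and every later write from a connected computer is rejected.
EEPROM sizes are the 4 Kbit (512 x 8) and 8 Kbit (1024 x 8) parts in Appendix B.
The sample EDID built below is constructed for this example.
"""

EDID_HEADER = bytes.fromhex("00ffffffffffff00")
BLOCK_SIZE = 128
EEPROM_4KBIT = 512    # AT24C04C / 24LC04B: 512 x 8 bits
EEPROM_8KBIT = 1024   # AT24C08C / 24LC08B: 1024 x 8 bits


class EdidError(ValueError):
    """The offered EDID is malformed or does not fit the emulator EEPROM."""


def block_checksum_ok(block: bytes) -> bool:
    # Every 128-byte EDID block sums to 0 mod 256 once its final checksum byte is included.
    return len(block) == BLOCK_SIZE and sum(block) % 256 == 0


def validate_edid(edid: bytes, eeprom_size: int = EEPROM_4KBIT) -> dict:
    """Accept only a structurally valid E-EDID image that fits the emulator EEPROM."""
    if len(edid) < BLOCK_SIZE or len(edid) % BLOCK_SIZE:
        raise EdidError(f"length {len(edid)} is not a multiple of {BLOCK_SIZE}")
    base = edid[:BLOCK_SIZE]
    if base[:8] != EDID_HEADER:
        raise EdidError("missing EDID header pattern")
    ext_count = base[126]
    if len(edid) != BLOCK_SIZE * (1 + ext_count):
        raise EdidError(f"byte 126 announces {ext_count} extension block(s), "
                        f"image carries {len(edid) // BLOCK_SIZE - 1}")
    for i in range(1 + ext_count):  # base block and every extension must checksum to zero
        if not block_checksum_ok(edid[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]):
            raise EdidError(f"block {i} checksum mismatch")
    if len(edid) > eeprom_size:
        raise EdidError(f"{len(edid)} bytes do not fit a {eeprom_size}-byte emulator EEPROM")
    # Bytes 8-9: three 5-bit letters (A=1 .. Z=26), big-endian, top bit reserved (0).
    mid = int.from_bytes(base[8:10], "big")
    letters = [(mid >> shift) & 0x1F for shift in (10, 5, 0)]
    if mid & 0x8000 or not all(1 <= v <= 26 for v in letters):
        raise EdidError("invalid manufacturer ID")
    return {
        "manufacturer": "".join(chr(0x40 + v) for v in letters),
        "product_code": int.from_bytes(base[10:12], "little"),
        "version": (base[18], base[19]),
        "extensions": ext_count,
    }


class EdidEmulator:
    """One emulated EEPROM per computer channel: written once at power-up, read-only after."""

    def __init__(self, eeprom_size: int = EEPROM_4KBIT):
        self.size = eeprom_size
        self._image = b""
        self._write_protected = False

    def learn(self, edid: bytes) -> dict:
        """Power-up step performed by the TOE processor, never by a connected computer."""
        if self._write_protected:
            raise PermissionError("emulator already programmed; write protection engaged")
        info = validate_edid(edid, self.size)
        self._image = bytes(edid)
        self._write_protected = True  # stands in for the circuit switch on the write path
        return info

    def ddc_read(self, offset: int, length: int) -> bytes:
        """What a connected computer sees when it reads the emulated EEPROM."""
        return self._image[offset:offset + length]

    def ddc_write(self, offset: int, data: bytes) -> None:
        """Any write from the computer side (EDID or MCCS) is dropped."""
        raise PermissionError(f"write of {len(data)} byte(s) at {offset} rejected")


def make_sample_edid(extensions: int = 0) -> bytes:
    """Constructed E-EDID image: minimal base block plus empty CTA-861 extension blocks."""
    base = bytearray(BLOCK_SIZE)
    base[0:8] = EDID_HEADER
    base[8:10] = (0x0858).to_bytes(2, "big")      # manufacturer "BBX" (B=2, B=2, X=24)
    base[10:12] = (0x1234).to_bytes(2, "little")  # product code, arbitrary
    base[18], base[19] = 1, 4                     # EDID structure version 1.4
    base[126] = extensions
    base[127] = (-sum(base[:127])) % 256          # checksum byte
    blocks = [bytes(base)]
    for _ in range(extensions):
        ext = bytearray(BLOCK_SIZE)
        ext[0], ext[1] = 0x02, 0x03               # CTA-861 extension tag, revision 3
        ext[127] = (-sum(ext[:127])) % 256
        blocks.append(bytes(ext))
    return b"".join(blocks)
```

Two details are worth holding against the hardware description. The write protection here is a one-shot latch engaged after the learn step, standing in for the circuit switches that isolate the emulator's write path from the computer; a second learn and any computer-side write both fail the same way. The fit check matters because a display whose EDID carries several extension blocks will not fit the 512-byte part (eight blocks need the 1024-byte part), so a real learn step has to reject such a display explicitly rather than let the copy overflow or truncate.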
[O.REJECT_UNAUTHORIZED_PERIPHERAL]: FDP_PDC_EXT.1, FDP_PDC_EXT.2/VI, FDP_PDC_EXT.3/VI(VP), FDP_IPC_EXT.1(VP), FDP_SPR_EXT.1/DP(VP)

The TOE rejects unauthorized video peripherals through the physical port and through filtering of the video signals received. Physically, the TOE will only accept a video connector that fits the specifications of the unit, which is DisplayPort for the VP model. Connectors not intended for the unit cannot be connected and cannot send signals to the TOE. The pinout of each video interface is different, which ensures that no other physical connector can be used. The video signals themselves are also checked for adherence to the specification. A VGA signal, for example, is analog and cannot be read by the digital DisplayPort standard, and the TMDS signal of HDMI and DVI cannot be read by the DisplayPort interface. The power level and the HPD signal for the various connections also differ, which further reduces risk. Note also that the PC is specifically a video input to the TOE and can only receive certain signals from the monitor. In addition to these obstacles, the TSF ensures that any signal which does not match the protocol of the intended video interface for the device is completely ignored by the TOE.

The DisplayPort AUX channel between the PC and the monitor is completely disconnected. The AUX channel from the computer is connected to an internal FPGA that simulates a monitor. The simulated AUX is preloaded in the FPGA during manufacturing and can never be changed. The source video feed for connected computers is DisplayPort. This is converted to HDMI inside the TOE before being converted back to DisplayPort for output.

[O.PROTECTED_EDID]: FDP_PDC_EXT.2/VI, FDP_SPR_EXT.1/DP(VP)

The TOE video subsystem prevents MCCS write commands through independent, read-only emulated EDID EEPROMs.
The TOE processor reads the EDID data from the monitor and then individually writes this EDID data to each emulator during power-up. Any change to the display after the EDID read/write process is ignored. Switches in the internal circuitry prevent the connected computer from writing to its EDID emulator. The TOE will reject invalid EDID display devices, regardless of which physical device types are supported by the particular TOE model.

Appendix A – Product's Model Name Structure

Model names are built as KVS4- followed by a three-digit head code, a one-digit port code, one to three video letters, and X:

  KVS4    Secure KVM, NIAP 4.0
  Heads   100 = Single Head   200 = Dual Head   400 = Quad Head   800 = Special
  Ports   2 = 2 Port   4 = 4 Port   8 = 8 Port
  Video   D = DVI   H = HDMI   V = DP   M = MST Support   P = Preview
  X       CAC

For example, KVS4-4004DHVX is the quad-head, 4-port DVI-I/HDMI/DP model with CAC support.

Appendix B – Letter of Volatility

Main PCBA: USB

Device: Controller Board Main MCU - ATxmega256A3U-AU
Manufacturer: Atmel
Type: Microcontroller
Functions: The Controller Board Main MCU is responsible for controlling the operations of the USB, keyboard and mouse, CAC, and front panel board. It is also responsible for communications with the video board. No other source can independently power the Controller Board Main MCU other than the TOE.
Memory type:
1. Flash Firmware 4KB EEPROM, 256KB Programmable Flash (non-volatile):
• All Main MCU firmware that controls its operation is saved in its own dedicated flash memory. This firmware cannot be changed by any user or programmer. All Main MCU firmware is erased if anti-tampering is triggered.
2. User 2KB EEPROM Flash (non-volatile):
• The Main MCU has dedicated flash EEPROM to save all registrations of USB devices and a log of operations.
3. SRAM (volatile):
• The Main MCU uses SRAM memory to run the entire TOE system. The SRAM is erased as soon as the external power supply is disconnected. All SRAM is erased if anti-tampering is triggered.
No user data is stored inside the SRAM when the power is disconnected from the TOE, or if anti-tampering has been triggered.

The Controller Board Main MCU contains a 128-bit data buffer for keyboard and mouse input. The contents of this buffer are continuously read and cleared. When a switching operation is initiated, the buffer is erased immediately, before the switch is performed. The erasure is performed by triggering an AP2146 power switch that supplies power to the buffer: when the switch operation is initiated, the power is removed for 1 ms, which wipes the data. When the Restore Factory Default operation is performed, all user memory is erased and brought back to its initial state.

Device: Emulation MCU - PIC18F25J50-I/SS
Manufacturer: Microchip
Type: Microcontroller
Functions: The Emulation MCU controls all USB device emulation and communication between the Controller Board Main MCU and the USB connections of the TOE connected computers. No other source can independently power the Emulation MCU other than the TOE.
Memory type:
1. Flash Firmware 32KB Programmable Flash (non-volatile):
• All Emulation MCU firmware that controls its operation is saved in its own dedicated flash memory.
2. SRAM (volatile):
• The Emulation MCU uses SRAM memory to run USB device emulation. The SRAM is erased as soon as the external power supply is disconnected. All SRAM is erased if anti-tampering is triggered. No user data is stored inside the SRAM when the power is disconnected from the TOE, or if anti-tampering has been triggered.
Note: No flash ROM is dedicated to the Emulation MCU to save any data or log. When the Restore Factory Default operation is performed, power is reset, or the USB cable is disconnected from the computer, all the working memory of the Emulation MCU is reset to default. The main function of this device is to emulate the keyboard and mouse only.
All the memory/RAM needed is for internal operation and is not related to any user data.

Device: Keyboard and Mouse USB Host Controller - SL811HS and ARM Cortex
Manufacturer: Cypress, ST
Type: USB Host processor
Functions: The Keyboard and Mouse USB Host Controller is responsible for controlling the USB protocol, storing the device information of the connected keyboard and mouse, and communicating with the Controller Board Main MCU. The Keyboard and Mouse USB Host Controller ties both keyboard and mouse serial transmissions into one line and transfers them to the Main MCU before emulation. No other source can independently power the Keyboard and Mouse USB Host Controller other than the TOE.
Memory type:
1. SRAM (volatile):
• The Keyboard and Mouse USB Host Controller uses SRAM memory to store USB keyboard and mouse peripheral commands and USB keyboard and mouse device information. The SRAM is erased after each TOE channel switch to purge any stored keyboard and mouse commands. The SRAM is erased as soon as the external power supply is disconnected. All SRAM is erased if anti-tampering is triggered. No user data is stored inside the SRAM when the power is disconnected from the TOE, or if anti-tampering has been triggered.
Note: No flash ROM is dedicated to the KM USB Host Controller to save any data or log. When the Restore Factory Default operation is performed, power is reset, or the USB keyboard or mouse is disconnected from the TOE, all the working memory of the KM USB Host Controller is reset to default. The main function of this device is to read the keyboard and mouse and convert their input to the secure internal communication. All the memory/RAM needed is for internal operation and is not related to any user data.
Device: CAC USB Host Controller - SL811HS and ARM Cortex M
Manufacturer: Cypress, ST
Type: USB Host Processor
Functions: The CAC USB Host Controller is responsible for all the operations of the TOE CAC port, and for communication with the Controller Board Main MCU. This includes USB user authentication device registration, validation, and communication with connected computers. No other source can independently power the CAC USB Host Controller other than the TOE.
Memory type:
1. SRAM (volatile):
• The CAC USB Host Controller uses SRAM memory to store USB device information (PID/VID) during CAC device registration. After the MCU has read this information, the SRAM is erased. The SRAM is also erased if anti-tampering is triggered or power is disconnected from the device.
Note: No flash ROM is dedicated to the CAC USB Host Controller to save any data or log. When the Restore Factory Default operation is performed, power is reset, or the USB CAC device is disconnected from the TOE, all the working memory of the CAC USB Host Controller is reset to default. The main function of this device is to read the device ID to ensure it is a permitted device. All the memory/RAM needed is for internal operation and is not related to any user data.

Video PCBA: DVI/DP

Device: Video Board Main MCU - ATxmega256A3U-AU and STM32 ARM
Manufacturer: Atmel, ST
Type: Microcontroller
Functions: The Video Board Main MCU is responsible for all the operations of the video board, and for communications with the Controller Board Main MCU. All devices on the video board are controlled by the Video Board Main MCU. No other source can independently power the Video Board Main MCU other than the TOE.
Memory type:
1. Flash Firmware 2KB EEPROM, 64KB Programmable Flash (non-volatile):
• All Video Board Main MCU firmware that controls its operation is saved in its own dedicated firmware flash block.
This firmware cannot be changed by any user or programmer. Video Board Main MCU firmware is erased if anti-tampering is triggered.
2. SRAM (volatile):
• The Video Board Main MCU uses SRAM memory to run the entire video board during TOE operation. The SRAM is erased as soon as the external power supply is disconnected. All SRAM is erased if anti-tampering is triggered. No user data is stored inside the SRAM when the power is disconnected from the TOE, or if anti-tampering has been triggered.
When the Restore Factory Default operation is performed, all user memory is erased and brought back to its initial state.

Device: EDID Emulator
Manufacturer: Atmel - AT24C04C-SSHM-T, Atmel - AT24C08C-SSHM-T, Microchip - 24LC04B-I/SN, Microchip - 24LC08B-I/SN
Type: EEPROM
Functions: The EDID Emulator is responsible for all EDID storage used for emulation on the video board. All the EDID emulators are powered by their respective computers or by the TOE; however, all communication channels are disabled if the TOE is not powered.
Memory - Atmel AT24C04C-SSHM-T or Microchip 24LC04B-I/SN (non-volatile):
• Serial 4 Kbit 400 kHz EEPROM
• The EDID EEPROM is 4 Kbit of electrically erasable programmable memory (EEPROM), organized as 512 x 8 bits.
Memory - Atmel AT24C08C-SSHM-T or Microchip 24LC08B-I/SN (non-volatile):
• Serial 8 Kbit 400 kHz EEPROM
• The EDID EEPROM is 8 Kbit of electrically erasable programmable memory (EEPROM), organized as 1024 x 8 bits.
When the Restore Factory Default operation is performed, all the EDID information stored in the local memory is erased and brought back to its initial state. On the first operation afterwards, the TOE detects the new display, disconnects all computers, learns the new display, and stores its EDID in the EDID memory for each computer.

Front Panel PCBA

The front panel board has no ROM or RAM functionality.