Vertiv Secure KVM, KM and KVM Matrix Devices Firmware Versions 44444-E7E7, 44404- E7E7 and 40444-E7E7 Security Target Evaluation Assurance Level (EAL): EAL4+ Doc No: 2172-001-D102 Version: 0.5 24 September 2020 Vertiv 1050 Dearborn Dr, Columbus, OH 43085 Prepared by: EWA-Canada, An Intertek Company 1223 Michael Street North, Suite 200 Ottawa, Ontario, Canada K1J 7T2 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page i of iii CONTENTS 1 SECURITY TARGET INTRODUCTION.............................................1 1.1 DOCUMENT ORGANIZATION........................................................... 1 1.2 SECURITY TARGET REFERENCE....................................................... 1 1.3 TOE REFERENCE........................................................................... 2 1.4 TOE OVERVIEW............................................................................ 2 TOE Environment ...........................................................................3 1.5 TOE DESCRIPTION ....................................................................... 4 Evaluated Configurations.................................................................4 Physical Scope ...............................................................................6 Logical Scope.................................................................................8 Functionality Excluded from the Evaluated Configuration.....................8 2 CONFORMANCE CLAIMS...............................................................9 2.1 COMMON CRITERIA CONFORMANCE CLAIM ...................................... 9 2.2 PROTECTION PROFILE CONFORMANCE CLAIM................................... 9 2.3 PACKAGE CLAIM........................................................................... 9 2.4 CONFORMANCE RATIONALE ........................................................... 9 3 SECURITY PROBLEM DEFINITION..............................................10 3.1 THREATS .................................................................................. 10 3.2 ORGANIZATIONAL SECURITY POLICIES ......................................... 10 3.3 ASSUMPTIONS........................................................................... 10 4 SECURITY OBJECTIVES..............................................................12 4.1 SECURITY OBJECTIVES FOR THE TOE ............................................ 12 4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT......... 13 4.3 SECURITY OBJECTIVES RATIONALE............................................... 13 Security Objectives Rationale Related to Threats..............................14 Security Objectives Rationale Related to Assumptions.......................17 5 EXTENDED COMPONENTS DEFINITION......................................19 5.1 SECURITY FUNCTIONAL REQUIREMENTS........................................ 19 Family FTA_CIN_EXT: Continuous Indications ..................................19 5.2 SECURITY ASSURANCE REQUIREMENTS......................................... 20 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page ii of iii 6 SECURITY REQUIREMENTS ........................................................21 6.1 CONVENTIONS........................................................................... 21 6.2 SECURITY FUNCTIONAL REQUIREMENTS........................................ 21 Security Audit (FAU).....................................................................22 User Data Protection (FDP)............................................................23 Identification and Authentication....................................................25 Security Management (FMT) ..........................................................25 Protection of the TSF (FPT)............................................................27 TOE Access (FTA).........................................................................27 6.3 SECURITY ASSURANCE REQUIREMENTS......................................... 27 6.4 SECURITY REQUIREMENTS RATIONALE.......................................... 29 Security Functional Requirements Rationale.....................................29 SFR Rationale Related to Security Objectives ...................................30 Dependency Rationale ..................................................................32 Security Assurance Requirements Rationale.....................................34 7 TOE SUMMARY SPECIFICATION.................................................35 7.1 SECURITY AUDIT........................................................................ 35 7.2 USER DATA PROTECTION ............................................................ 36 Peripheral Device SFP ...................................................................43 User Data Isolation SFP.................................................................43 Residual Information ....................................................................43 7.3 IDENTIFICATION AND AUTHENTICATION ....................................... 44 7.4 SECURITY MANAGEMENT............................................................. 44 Security Attributes .......................................................................44 Administrative Capabilities ............................................................44 7.5 PROTECTION OF THE TSF ............................................................ 45 Tamper Evidence..........................................................................45 Reliable Timestamps.....................................................................46 7.6 TOE ACCESS.............................................................................. 46 Continuous Indications..................................................................46 8 TERMINOLOGY AND ACRONYMS ................................................47 8.1 TERMINOLOGY........................................................................... 47 8.2 ACRONYMS................................................................................ 47 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page iii of iii LIST OF TABLES Table 1 – Non-TOE Hardware and Software................................................. 4 Table 2 –TOE Peripheral Sharing Devices .................................................... 7 Table 3 – Firmware Version Numbering Structure......................................... 7 Table 4 – Logical Scope of the TOE ............................................................ 8 Table 5 – Threats.................................................................................. 10 Table 6 – Assumptions........................................................................... 11 Table 7 – Security Objectives for the TOE ................................................. 12 Table 8 – Security Objectives for the Operational Environment..................... 13 Table 9 – Mapping Between Objectives, Threats, and Assumptions................ 14 Table 10 – Summary of Security Functional Requirements........................... 22 Table 11 – Authorized Peripheral Devices.................................................. 24 Table 12 – Security Assurance Requirements............................................. 29 Table 13 – Mapping of SFRs to Security Objectives..................................... 30 Table 14 – Functional Requirement Dependencies ...................................... 33 Table 15 – Authorized Peripheral Devices.................................................. 43 Table 16 – Terminology ......................................................................... 47 Table 17 – Acronyms............................................................................. 48 LIST OF FIGURES Figure 1 – KVM Switch Evaluated Configuration ........................................... 4 Figure 2 – KM Switch Evaluated Configuration ............................................. 5 Figure 3 – FTA_CIN_EXT: Continuous Indications Component Levelling.......... 19 Figure 4 – Video Data Flow during EDID Read............................................ 36 Figure 5 – Video Data Flow during EDID Write ........................................... 37 Figure 6 – Video Data Flow during Normal Operation .................................. 39 Figure 7 – Keyboard and Mouse Data Flow................................................ 41 Figure 8 – Channel Selection................................................................... 46 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 1 of 48 1 SECURITY TARGET INTRODUCTION This Security Target (ST) defines the scope of the evaluation in terms of the assumptions made, the intended environment for the Target of Evaluation (TOE), the Information Technology (IT) security functional and assurance requirements to be met, and the level of confidence (evaluation assurance level) to which it is asserted that the TOE satisfies its IT security requirements. This document forms the baseline for the Common Criteria (CC) evaluation. 1.1 DOCUMENT ORGANIZATION Section 1, ST Introduction, provides the Security Target reference, the Target of Evaluation reference, the TOE overview and the TOE description. Section 2, Conformance Claims, describes how the ST conforms to the Common Criteria and Packages. The ST does not conform to a Protection Profile. Section 3, Security Problem Definition, describes the expected environment in which the TOE is to be used. This section defines the set of threats that are relevant to the secure operation of the TOE, organizational security policies with which the TOE must comply, and secure usage assumptions applicable to this analysis. Section 4, Security Objectives, defines the set of security objectives to be satisfied by the TOE and by the TOE operating environment in response to the problem defined by the security problem definition. Section 5, Extended Components Definition, defines the extended components which are then detailed in Section 6. Section 6, Security Requirements, specifies the security functional and assurance requirements that must be satisfied by the TOE and the IT environment. Section 7, TOE Summary Specification, describes the security functions that are included in the TOE to enable it to meet the IT security functional requirements. Section 8 Terminology and Acronyms, defines the acronyms and terminology used in this ST. 1.2 SECURITY TARGET REFERENCE ST Title: Vertiv Secure KVM, KM and KVM Matrix Devices Firmware Versions 44444-E7E7, 44404-E7E7 and 40444-E7E7 Security Target ST Version: 0.5 ST Date: 24 September 2020 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 2 of 48 1.3 TOE REFERENCE TOE Identification: Vertiv Secure KVM, KM and KVM Matrix Devices Firmware Versions 44444-E7E7, 44404-E7E7 and 40444-E7E7 TOE Developer: Vertiv TOE Type: TOE devices include Keyboard, Video, Mouse (KVM) Switches, Keyboard, Mouse (KM) Switches and KVM Matrix Switches (Other Devices and Systems) 1.4 TOE OVERVIEW Vertiv Secure KVM, KM and KVM Matrix Devices allow users to share keyboard and mouse functionality between a number of connected computers. Security features ensure isolation between computers and peripherals1 to prevent data leakage between connected systems. The following security features are provided by the Vertiv TOE devices: • Keyboard and Mouse Security • The keyboard and mouse are isolated by dedicated, Universal Serial Bus (USB) device emulation for each computer • One-way, peripheral-to-computer data flow is enforced through unidirectional optical data diodes • Communication from computer-to-keyboard/mouse is blocked • Non HID (Human Interface Device) data transactions are blocked • Audio Security • One-way computer to speaker sound flow is enforced through unidirectional optical data diodes • Hardware Anti-Tampering Indication • Special holographic tampering evident labels on the product’s enclosure provide a clear visual indication if the product has been opened or compromised The following security features are provided by the Vertiv Secure KVM and KVM Matrix Devices: • Video Security • Computer video input interfaces are isolated through the use of different electronic components, power and ground domains 1 ‘Peripherals’ or ‘peripheral devices’ refer to auxiliary devices that are intended to be connected to a computer, but are not an essential part of the computer. E.g. monitor, keyboard or mouse. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 3 of 48 • The display is isolated by a dedicated, read-only, Extended Display Identification Data (EDID) emulation for each computer • Access to the monitor’s EDID is blocked • Access to the Monitor Control Command Set (MCCS commands) is blocked The following security features are provided by the SC845DPH, SC945DPH, SC845DPHC, SC945DPHC, SCM185DPH, SC985DPH and SCKM145PP4 Devices: • Authentication Device • Unauthorized USB devices are blocked • USB authentication devices are authorized by default; all other devices are blocked by default • Devices may be whitelisted or blacklisted based on Vendor Identification/Product Identification (VID/PID) characteristics • Secure management functions allow configuration of allowed devices, and maintain a record of any changes to that configuration The TOE is a combined software and hardware TOE. TOE Environment The following operating system and computer hardware components are required for operation of the TOE in the evaluated configuration. Component Operating System Hardware Connected computers (2, 4 or 8 depending upon device model) Windows Server 2008 R2 General purpose computing hardware supporting DisplayPort or High-Definition Multimedia Interface (HDMI) (supporting Ultra-high- definition (UHD) 4K resolution up to 3840 x 2160) video and USB type B mouse and keyboard connections Video monitor (up to 2 monitors) Not applicable HDMI 1.4, DisplayPort 1.1, 1.2 or Digital Visual Interface Type D (DVI-D) Keyboard Not applicable USB Type A Mouse Not applicable USB Type A Audio output device Analog audio output device (speakers or headphones) Audio output device Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 4 of 48 User authentication device Standard USB smartcard reader/authentication device User authentication device Vertiv KVM Cables USB Type-A to USB Type-B (keyboard and mouse) Video cable (DisplayPort, DVI-D, USB-C and HDMI) 3.5mm stereo cable (Audio cable) USB Type-A to USB Type-B (authentication device) Vertiv KVM Cables Table 1 – Non-TOE Hardware and Software 1.5 TOE DESCRIPTION The TOE includes the following device types: • KVM (Firmware version 44444-E7E7 and 44404-E7E7) • Keyboard, Mouse (KM) (Firmware version 40444-E7E7) • KVM Matrix (Firmware version 44444-E7E7) Evaluated Configurations 1.5.1.1 KVM Switch Figure 1 – KVM Switch Evaluated Configuration Figure 1 shows a basic evaluated configuration for KVM Switches. In the evaluated configuration, the TOE may be connected to two or four computers. The video input may be DisplayPort, HDMI, DVI-D or USB Type-C with Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 5 of 48 DisplayPort as an alternate function, and one or two displays may be connected. The peripheral sharing device is connected to speakers or headphones, and some devices are connected to a user authentication device. This configuration applies to the following models: • SC820DPH • SC840DPH • SC920DPH • SC940DPH • SC845DPH • SC945DPH • SC840DPHC • SC845DPHC • SC940DPHC • SC945DPHC • SC840DVI • SC940DVI • SC985DPH 1.5.1.2 KM Switches Figure 2 – KM Switch Evaluated Configuration Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 6 of 48 Figure 2 shows the evaluated configuration for the KM switches. In the evaluated configuration, the peripheral sharing device may be connected to a user authentication device. This configuration applies to the following model: • SCKM145PP4 1.5.1.3 KVM Matrix The evaluated configuration for the KVM Matrix devices is similar to the configuration for KVM devices (Figure 1), with four or eight connected computers, two connected displays, keyboard, mouse, audio and authentication device. This configuration applies to the following models: • SCM145DPH • SCM185DPH Physical Scope The TOE is made up of the following Keyboard, Mouse (KM), Keyboard, Video, Mouse (KVM) and KVM Matrix devices: Model Description SC820DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 2-Port Single Display SC840DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 4-Port Single Display SC920DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 2-Port Dual Display SC940DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 4-Port Dual Display SC845DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 4-Port Single Display with CAC2 SC945DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 4-Port Dual Display with CAC SC840DPHC CYBEX™ SC Universal DP/HDMI + USB-C secure KVM Switch 4-Port Single Display SC845DPHC CYBEX™ SC Universal DP/HDMI + USB-C secure KVM Switch 4-Port Single Display with CAC SC940DPHC CYBEX™ SC Universal DP/HDMI + USB-C secure KVM Switch 4-Port Dual Display SC945DPHC CYBEX™ SC Universal DPH + USB-C secure KVM Switch 4-Port dual Display with CAC SC840DVI CYBEX™ SC DVI Secure KVM Switch 4-Port Single Display SC940DVI CYBEX™ SC DVI Secure KVM Switch 4-Port Dual Display SCM145DPH CYBEX™ SC Universal DP/HDMI Secure Desktop Matrix 2x4 KVM with CAC 2 Common Access Card Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 7 of 48 SCM185DPH CYBEX™ SC Universal DP/HDMI Secure Desktop Matrix 2x8 KVM with CAC SC985DPH CYBEX™ SC Universal DP/HDMI Secure KVM Switch 8-Port Dual Display with CAC SCKM145PP4 CYBEX™ SC Secure KM Switch 4-Port with CAC Table 2 –TOE Peripheral Sharing Devices The TOE firmware version is broken down as described in Table 3. Product Version System Controller Board Firmware Version Video Controller Board Firmware Version Keyboard Host Emulator Firmware Version DPP Firmware Version Device Emulator Firmware Version Video Hardware Version System Controller Board Version Version 4 4 4 4 4 - E7 E7 Table 3 – Firmware Version Numbering Structure Devices that support keyboard, video, mouse, audio and user authentication (DPP) devices have firmware version 44444-E7E7. Devices that do not support DPP have firmware version 44404-E7E7. The KM device does not support video, but does support DPP, and therefore the firmware version is 40404-E7E7. The firmware for each programmable component is the same for all devices. However, the devices that do not support video or DPP do not have firmware for those functions. 1.5.2.1 TOE Delivery The TOE is delivered as a single package including the device hardware and software and the cables required to connect to the computers. The TOE is delivered to the customer via trusted courier. 1.5.2.2 TOE Guidance The TOE includes the following guidance documentation, which may be downloaded in Portable Document Format (pdf) from the Vertiv website: • CYBEX™ SC SERIES SECURE SWITCHES SC800/900DPH, SC800/900DVI, and SCKM100PP4 Quick Installation Guide • CYBEX™ SC SERIES SECURE SWITCHES SC800DPHC/SC900DPHC Quick Installation Guide • CYBEX™ SC SERIES SECURE SWITCHES SCM100DPH DESKTOP MATRIX Quick Installation Guide Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 8 of 48 • Cybex™ SC/SCM Switching System Additional Operations and Configuration Technical Bulletin Logical Scope The logical boundary of the TOE includes all interfaces and functions within the physical boundary. The logical boundary of the TOE may be broken down by the security function classes described in Section 6. Table 4 summarizes the logical scope of the TOE. Functional Classes Description Security Audit Audit entries are generated for security related events. User Data Protection The TOE ensures that only authorized device types may be successfully connected to the TOE. The TOE ensures that user data only flows from the peripheral devices to the selected computer, and video data flows only from the connected computer to the display. Identification and Authentication Administrators must be identified and authenticated prior to accessing administrative functions. Users may only switch the connected computer channel. Security Management The TOE ensures that no user is able to modify the security attributes used to determine authorized peripheral devices and to provide data isolation between connected computers. Only switching between connected computers is permitted. Administrators may perform security management functions. Protection of the TSF3 The TOE provides clear indications of tampering attempts. The TOE provides reliable time stamps. TOE Access The TOE provides a visual indication showing which channel is currently selected. Table 4 – Logical Scope of the TOE Functionality Excluded from the Evaluated Configuration The following feature, although supported, was not tested as part of this evaluation: • For the purposes of this evaluation, Windows Server 2008 R2 host machines were used. However, the use of other operating systems does not affect the security functionality provided by the TOE devices. 3 TOE Security Functionality Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 9 of 48 2 CONFORMANCE CLAIMS 2.1 COMMON CRITERIA CONFORMANCE CLAIM This Security Target claims to be conformant to Version 3.1 of Common Criteria for Information Technology Security Evaluation according to: • Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; CCMB-2017-04-001, Version 3.1, Revision 5, April 2017 • Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB-2017-04-002, Version 3.1, Revision 5, April 2017 • Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components CCMB-2017-04-003, Version 3.1, Revision 5, April 2017 As follows: • CC Part 2 extended • CC Part 3 conformant The Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017 has been taken into account. 2.2 PROTECTION PROFILE CONFORMANCE CLAIM This ST does not claim conformance of the TOE with any Protection Profile (PP). 2.3 PACKAGE CLAIM This Security Target claims conformance to Evaluation Assurance Level 4 augmented with ALC_FLR.3 Systematic flaw remediation. 2.4 CONFORMANCE RATIONALE This ST does not claim conformance of the TOE with any PP, therefore a conformance rationale is not applicable. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 10 of 48 3 SECURITY PROBLEM DEFINITION 3.1 THREATS Table 5 lists the threats addressed by the TOE. Potential threat agents are unauthorized or malicious users, and poor design. The threat agents are assumed to have an enhanced-basic attack potential and are assumed to have access to all publicly available information about the TOE and potential methods of attacking the TOE, a proficient level of expertise, standard equipment, and minimal time to attack the TOE without detection. It is expected that the TOE will be protected to the extent necessary to ensure that TOE devices remain connected and minimize the window of opportunity available for attack. Unauthorized persons have basic knowledge of TOE operations, and a moderate level of skill. Mitigation of the threats is through the objectives identified in Section 4.1, Security Objectives for the TOE. Threat Description T.DATA_LEAK An unauthorized user may be able to access data that is transmitted via an unauthorized data transfer through the TOE or its connected peripherals. T.PHYSICAL_TAMPER A malicious user could physically tamper with or modify the TOE to allow unauthorized information flows between connected devices. T.SWITCHING A poorly designed TOE could result in a situation where a user is connected to a computer other than the one to which the user intended to connect, resulting in an unintended flow of data. T.UNAUTH A malicious user could tamper with the security attributes that determine allowed peripheral devices and allowed data flows, resulting in the use of unauthorized peripheral devices that may allow unauthorized data flows between connected devices, or an attack on the TOE or its connected computers. T.UNAUTH_DEVICE A malicious user could connect an unauthorized peripheral device to the TOE, and that device could cause information to flow between connected devices in an unauthorized manner, or could enable an attack on the TOE or its connected computers. Table 5 – Threats 3.2 ORGANIZATIONAL SECURITY POLICIES There are no Organizational Security Policies applicable to this TOE. 3.3 ASSUMPTIONS The assumptions required to ensure the security of the TOE are listed in Table 6. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 11 of 48 Assumptions Description A.PHYSICAL Physical security, commensurate with the value of the TOE and the data that passes through the TOE, is assumed to be provided by the environment is provided for the TOE, the peripheral devices and all cabling. A.TRUSTED_CONFIG Personnel installing and configuring the TOE and its operational environment will follow the applicable guidance. A.TRUSTED_USER TOE users are trusted to follow and apply all guidance and security procedures in a reliable manner. A.USER_IDENT The operational environment is responsible for the identification and authentication of users. This determines physical access to the TOE, and access to the connected computers and their applications and resources. Table 6 – Assumptions Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 12 of 48 4 SECURITY OBJECTIVES The purpose of the security objectives is to address the security concerns and to show which security concerns are addressed by the TOE, and which are addressed by the environment. Threats may be addressed by the TOE or the security environment or both. Therefore, the CC identifies two categories of security objectives: • Security objectives for the TOE • Security objectives for the environment 4.1 SECURITY OBJECTIVES FOR THE TOE This section identifies and describes the security objectives that are to be addressed by the TOE. Security Objective Description O.CHANNEL_ISOLATION User data must be routed by the TOE only to the computer selected by the user. The TOE must provide isolation between the data flowing from the peripheral device to the selected computer and any non-selected computer. O.NO_DATA_RETENTION The TOE shall not retain user data after the channel is switched or the TOE is powered down. O.PERIPHERAL_DEVICE The TOE shall ensure that only approved peripheral device types may be used with the TOE. O.SECURE_MANAGEMENT The TOE shall provide management functionality to configure aspects of the TSF as required. The TOE shall ensure that management functions can only be performed by authorized administrators and that an audit trail of management activities is generated. O.STATIC_ATTRIBUTES The TSF will provide TOE users with the security management functionality to switch between connected computers. The TOE will protect all other security attributes from being altered by the TOE users. O.TAMPER_INDICATION The TOE shall be labeled with at least one visible tamper-evident marking that clearly indicates when tampering has been detected. Table 7 – Security Objectives for the TOE Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 13 of 48 4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT This section identifies and describes the security objectives that are to be addressed by the IT environment or by non-technical or procedural means. Security Objective Description OE.AUTH The operational environment will ensure that users4 are identified and authenticated prior to gaining physical access to the TOE, or access to the applications and resources of the connected computers. OE.INSTALL The operational environment will ensure that appropriately trained and trusted personnel are available to correctly install and configure the TOE. OE.PERSON TOE users will follow TOE guidance and the security procedures of the operational environment in which the TOE is installed. OE.PHYSICAL The operational environment will provide physical security commensurate with the value of the TOE and the data that passes through the TOE. Table 8 – Security Objectives for the Operational Environment 4.3 SECURITY OBJECTIVES RATIONALE The following table maps the security objectives to the assumptions, threats, and organizational policies identified for the TOE. 4 This refers to users in the ‘user’ role. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 14 of 48 T.DATA_LEAK T.PHYSICAL_TAMPER T.SWITCHING T.UNAUTH T.UNAUTH_DEVICE A.PHYSICAL A.TRUSTED_CONFIG A.TRUSTED_USER A.USER_IDENT O.CHANNEL_ISOLATION X X O.NO_DATA_RETENTION X X O.PERIPHERAL_DEVICE X O.SECURE_MANAGEMENT X O.STATIC_ATTRIBUTES X X O.TAMPER_INDICATION X OE.AUTH X OE.INSTALL X OE.PERSON X X OE.PHYSICAL X X Table 9 – Mapping Between Objectives, Threats, and Assumptions Security Objectives Rationale Related to Threats The security objectives rationale related to threats traces the security objectives for the TOE and the Operational Environment back to the threats addressed by the TOE. Threat: T.DATA_LEAK An unauthorized user may be able to access data that is transmitted via an unauthorized data transfer through the TOE or its connected peripherals. Objectives: O.CHANNEL _ISOLATION User data must be routed by the TOE only to the computer selected by the user. The TOE must provide isolation between the data flowing from the peripheral device to the selected computer and any non-selected computer. O.NO_DATA _RETENTION The TOE shall not retain user data after the channel is switched or the TOE is powered down. O.STATIC The TSF will provide TOE users with the Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 15 of 48 _ATTRIBUTES security management functionality to switch between connected computers. The TOE will protect all other security attributes from being altered by the TOE users. Rationale: O.CHANNEL_ISOLATION mitigates this threat by ensuring that data flows only to the user-selected computer, and is therefore unavailable to an unauthorized user. O.NO_DATA_RETENTION mitigates this threat by ensuring that data is not retained by the TOE, from where it could be mistakenly sent to a non-selected connected computer. O.STATIC_ATTRIBUTES mitigates this threat by ensuring that the security attributes that determine allowed peripherals and data flows cannot be altered to allow an unauthorized data transfer. Threat: T.PHYSICAL _TAMPER A malicious user could physically tamper with or modify the TOE to allow unauthorized information flows between connected devices. Objectives: O.TAMPER _INDICATION The TOE shall be labeled with at least one visible tamper-evident marking that clearly indicates when tampering has been detected. OE.PERSON TOE users will follow the security procedures of the operational environment in which the TOE is installed. OE.PHYSICAL The operational environment will provide physical security commensurate with the value of the TOE and the data that passes through the TOE. Rationale: O.TAMPER_INDICATION mitigates this threat by ensuring that tampering with the TOE will result in a clear indication of that activity. OE.PHYSICAL ensures that the operational environment protects against potential malicious users by providing appropriate physical security. OE.PERSON mitigates this threat by ensuring that users with access to the TOE follow the security procedures for the operational environment. Threat: T.SWITCHING A poorly designed TOE could result in a situation where a user is connected to a computer other than the one to which the user intended to connect, resulting in an unintended flow of data. Objectives: O.CHANNEL User data must be routed by the TOE only to the computer selected by the user. The TOE Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 16 of 48 _ISOLATION must provide isolation between the data flowing from the peripheral device to the selected computer and any non-selected computer. O.NO_DATA _RETENTION The TOE shall not retain user data after the channel is switched or the TOE is powered down. Rationale: O.CHANNEL_ISOLATION mitigates this threat by ensuring that user data is sent only to the intended connected computer. O.NO_DATA_RETENTION mitigates this threat by ensuring that no data is retained by the TOE, from where it could be mistakenly sent to an unselected connected computer. Threat: T.UNAUTH A malicious user could tamper with the security attributes that determine allowed peripheral devices and allowed data flows, resulting in the use of unauthorized peripheral devices that may allow unauthorized data flows between connected devices, or an attack on the TOE or its connected computers. Objectives: O.SECURE _MANAGEMENT The TOE shall provide management functionality to configure aspects of the TSF as required. The TOE shall ensure that management functions can only be performed by authorized administrators and that an audit trail of management activities is generated. O.STATIC _ATTRIBUTES The TSF will provide TOE users with the security management functionality to switch between connected computers. The TOE will protect all other security attributes from being altered by the TOE users. Rationale: O.SECURE_MANAGEMENT mitigates this threat by ensuring that only the required security management functions are provided, and access to those functions is restricted to authorized administrators. O.STATIC_ATTRIBUTES mitigates this threat by ensuring that the security attributes that determine allowed peripheral devices and allowed data flows may not be altered by TOE users. Threat: T.UNAUTH _DEVICE A malicious user could connect an unauthorized peripheral device to the TOE, and that device could cause information to flow between connected devices in an unauthorized manner, or could enable an attack on the TOE or its connected computers. Objectives: O.PERIPHERAL _DEVICE The TOE shall ensure that only approved peripheral device types may be used with the TOE. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 17 of 48 Rationale: O.PERIPHERAL_DEVICE mitigates this threat by ensuring that only permitted peripheral devices may be connected to the TOE. Security Objectives Rationale Related to Assumptions The security objectives rationale related to assumptions traces the security objectives for the operational environment back to the assumptions for the TOE’s operational environment. Assumption: A.PHYSICAL Physical security, commensurate with the value of the TOE and the data that passes through the TOE, is assumed to be provided by the environment. Objectives: OE.PHYSICAL The operational environment will provide physical security commensurate with the value of the TOE and the data that passes through the TOE. Rationale: OE.PHYSICAL supports this assumption by protecting the TOE and the data that passes through the TOE from physical attack. Assumption: A.TRUSTED _CONFIG Personnel installing and configuring the TOE and its operational environment will follow the applicable guidance. Objectives: OE.INSTALL The operational environment will ensure that appropriately trained and trusted personnel are available to correctly install and configure the TOE. Rationale: OE.INSTALL supports this assumption by ensuring that trained and trusted individuals are available to install and configure the TOE. Assumption: A.TRUSTED _USER TOE users are trusted to follow and apply all guidance and security procedures in a reliable manner. Objectives: OE.PERSON TOE users will follow TOE guidance and the security procedures of the operational environment in which the TOE is installed. Rationale: OE.PERSON supports this assumption by ensuring that TOE users follow security procedures and guidance. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 18 of 48 Assumption: A.USER _IDENT The operational environment is responsible for the identification and authentication of users. This determines physical access to the TOE, and access to the connected computers and their applications and resources. Objectives: OE.AUTH The operational environment will ensure that users are identified and authenticated prior to gaining physical access to the TOE, or access to the applications and resources of the connected computers. Rationale: OE.AUTH supports this assumption by ensuring that the operational environment identifies and authenticates TOE users. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 19 of 48 5 EXTENDED COMPONENTS DEFINITION 5.1 SECURITY FUNCTIONAL REQUIREMENTS This section specifies the extended Security Functional Requirements (SFRs) used in this ST. The following extended SFR has been created to address additional security features of the TOE: • Continuous Indications (FTA_CIN_EXT.1) Family FTA_CIN_EXT: Continuous Indications Continuous indications provide a means of ensuring that users are aware which connected computer is being displayed at any given time. Since this is a means of accessing the TOE, this family has been made part of the TOE Access Class. Although there are similarities between this family and the TOE access banners family, the continuous indications are not presented in the form of a banner or advisory. Therefore, a new family was required. The Continuous Indications family was modeled after FTA_TAB: TOE Access Banners. The Continuous Indication SFR was loosely modeled after FTA_TAB.1: Default TOE access banners. Family Behaviour Components in this family define how the TSF displays its switching status. Component Levelling Figure 3 – FTA_CIN_EXT: Continuous Indications Component Levelling Management There are no management activities foreseen. Audit There are no auditable events foreseen. 5.1.1.1 FTA_CIN_EXT.1 Continuous Indications Hierarchical to: No other components. Dependencies: No dependencies. FTA_CIN_EXT.1.1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered. FTA_CIN_EXT: Continuous Indications 1 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 20 of 48 FTA_CIN_EXT.1.2 The TSF shall implement the visible indication using the following mechanism: easily visible graphical and/or textual markings of each source video on the display, [selection: a button, a panel with lights, a screen with dimming function, a screen with no dimming function, [assignment: description of visible indication]]. FTA_CIN_EXT.1.3 The TSF shall ensure that while the TOE is powered the current switching status is reflected by [selection: the indicator, multiple indicators which never display conflicting information]. 5.2 SECURITY ASSURANCE REQUIREMENTS This ST does not include extended Security Assurance Requirements. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 21 of 48 6 SECURITY REQUIREMENTS Section 6 provides security functional and assurance requirements that must be satisfied by a compliant TOE. These requirements consist of functional components from Part 2 of the CC, extended requirements, and an Evaluation Assurance Level (EAL) that contains assurance components from Part 3 of the CC. 6.1 CONVENTIONS The CC permits four types of operations to be performed on functional requirements: selection, assignment, refinement, and iteration. These operations, when performed on requirements that derive from CC Part 2, are identified in this ST in the following manner: • Selection: Indicated by surrounding brackets, e.g., [selected item]. • Assignment: Indicated by surrounding brackets and italics, e.g., [assigned item]. • Refinement: Refined components are identified by using bold for additional information, or strikeout for deleted text. • Iteration: Indicated by assigning a number in parenthesis to the end of the functional component identifier as well as by modifying the functional component title to distinguish between iterations, e.g., ‘FDP_ACC.1(1), Subset access control (administrators)’ and ‘FDP_ACC.1(2) Subset access control (devices)’. 6.2 SECURITY FUNCTIONAL REQUIREMENTS The security functional requirements for this ST consist of the following components from Part 2 of the CC and extended components defined in Section 5, summarized in Table 10. Class Identifier Name Security Audit (FAU) FAU_GEN.1 Audit data generation User Data Protection (FDP) FDP_ACC.1 Subset access control FDP_ACF.1 Security attribute based access control FDP_IFC.1 Subset information flow control FDP_IFF.1 Simple security attributes FDP_RIP.1 Subset residual information protection Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 22 of 48 Class Identifier Name Identification and Authentication (FIA) FIA_UAU.1 Timing of authentication FIA_UID.1 Timing of identification Security Management (FMT) FMT_MSA.1(1) Management of security attributes (Peripherals) FMT_MSA.1(2) Management of security attributes (User data) FMT_MSA.3(1) Static attribute initialisation (Peripherals) FMT_MSA.3(2) Static attribute initialisation (User data) FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles Protection of the TSF (FPT) FPT_PHP.1 Passive detection of physical attack FPT_STM.1 Reliable time stamps TOE Access (FTA) FTA_CIN_EXT.1 Continuous indications Table 10 – Summary of Security Functional Requirements Security Audit (FAU) 6.2.1.1 FAU_GEN.1 Audit data generation Hierarchical to: No other components. Dependencies: FPT_STM.1 Reliable time stamps FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [not specified] level of audit; and c) [administrator login, administrator logout, self‐test failures, reset to factory default]. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [no other audit relevant information]. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 23 of 48 User Data Protection (FDP) 6.2.2.1 FDP_ACC.1 Subset access control Hierarchical to: No other components. Dependencies: FDP_ACF.1 Security attribute based access control FDP_ACC.1.1 The TSF shall enforce the [Peripheral Device SFP5 ] on [Subjects: Peripheral devices Objects: Console ports Operations: allow connection, disallow connection]. 6.2.2.2 FDP_ACF.1 Security attribute based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation FDP_ACF.1.1 The TSF shall enforce the [Peripheral Device SFP] to objects based on the following: [Subjects: peripheral devices Subject attributes: peripheral device type Objects: Console ports Object attributes: none]. FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [the TOE queries the connected peripheral device upon initial connection or upon TOE power up and allows the connection if the peripheral device is an authorized device as listed in Table 11]. FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [no additional rules]. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. Console Port Authorized Device Authorized Protocols Keyboard USB HID device USB Mouse USB HID device USB Display Video display or projector DisplayPort, HDMI, DVI-D, USB Type C Audio Output Speakers or headphones Analog audio 5 Security Function Policy Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 24 of 48 Console Port Authorized Device Authorized Protocols DPP6 USB user authentication device USB Table 11 – Authorized Peripheral Devices 6.2.2.3 FDP_IFC.1 Subset information flow control Hierarchical to: No other components. Dependencies: FDP_IFF.1 Simple security attributes FDP_IFC.1.1 The TSF shall enforce the [User Data Isolation SFP] on [Subjects: TOE computer interfaces, TOE peripheral device interfaces Information: User data Operations: data flow]. 6.2.2.4 FDP_IFF.1 Simple security attributes Hierarchical to: No other components. Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialisation FDP_IFF.1.1 The TSF shall enforce the [User Data Isolation SFP] based on the following types of subject and information security attributes: [Subjects: TOE computer interfaces Subject attributes: user selected computer interface Subjects: TOE peripheral device interfaces Subject attributes: none Information: User data Information attributes: none]. FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [ 1. user data is permitted to flow from the HID peripheral device interface to the TOE computer interface for the selected computer; 2. video signals are permitted to flow from the connected computers to the display; 3. analog audio signals are permitted to flow from the connected computers to the speaker/headphone peripheral device; and 4. bidirectional signals are permitted to flow between the connected computers and the user authentication device]. FDP_IFF.1.3 The TSF shall enforce the [no additional rules]. FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [no additional rules]. FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [ 6 Dedicated Peripheral Port Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 25 of 48 1. the TOE will deny user data information flow from a peripheral device to a non-selected computer interface; and 2. the TOE will deny user data information flow from one connected computer to another connected computer]. 6.2.2.5 FDP_RIP.1 Subset residual information protection Hierarchical to: No other components. Dependencies: No dependencies. FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [deallocation of the resource from] the following objects: [a TOE computer interface]. Application Note: Deallocation of the resource is deemed to take place: • Immediately after the TOE is switched to another selected computer • On start-up of the TOE Identification and Authentication 6.2.3.1 FIA_UAU.1 Timing of authentication Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification FIA_UAU.1.1 The TSF shall allow [changing of the connected computer channel] on behalf of the user to be performed before the user is authenticated. FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. 6.2.3.2 FIA_UID.1 Timing of identification Hierarchical to: No other components. Dependencies: No dependencies. FIA_UID.1.1 The TSF shall allow [changing of the connected computer channel] on behalf of the user to be performed before the user is identified. FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. Security Management (FMT) 6.2.4.1 FMT_MSA.1(1) Management of security attributes (Peripherals) Hierarchical to: No other components. Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MSA.1.1(1) The TSF shall enforce the [Peripheral Device SFP] to restrict the ability to [modify] the security attributes [peripheral device type] to [no TOE users for HID, video and audio interfaces, and administrators for user authentication devices]. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 26 of 48 6.2.4.2 FMT_MSA.1(2) Management of security attributes (User data) Hierarchical to: No other components. Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MSA.1.1(2) The TSF shall enforce the [User Data Isolation SFP] to restrict the ability to [[change]] the security attributes [selected computer interface] to [users with physical access to the TOE]. 6.2.4.3 FMT_MSA.3(1) Static attribute initialisation (Peripherals) Hierarchical to: No other components. Dependencies: FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.3.1(1) The TSF shall enforce the [Peripheral Device SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2(1) The TSF shall allow the [no user] to specify alternative initial values to override the default values when an object or information is created. 6.2.4.4 FMT_MSA.3(2) Static attribute initialisation (User data) Hierarchical to: No other components. Dependencies: FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.3.1(2) The TSF shall enforce the [User Data Isolation SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2(2) The TSF shall allow the [no user] to specify alternative initial values to override the default values when an object or information is created. 6.2.4.5 FMT_SMF.1 Specification of Management Functions Hierarchical to: No other components. Dependencies: No dependencies. FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [Reset to factory default, modify Configurable Device Filtration (CDF) list for authentication devices, view firmware version, manage administrator accounts, view logs]. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 27 of 48 6.2.4.6 FMT_SMR.1 Security roles Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification FMT_SMR.1.1 The TSF shall maintain the roles [user, administrator]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. Protection of the TSF (FPT) 6.2.5.1 FPT_PHP.1 Passive detection of physical attack Hierarchical to: No other components. Dependencies: No dependencies. FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF. FPT_PHP.1.2 The TSF shall provide the capability to determine whether physical tampering with the TSF's devices or TSF's elements has occurred. 6.2.5.2 FPT_STM.1 Reliable time stamps Hierarchical to: No other components. Dependencies: No dependencies. FPT_STM.1.1 The TSF shall be able to provide reliable time stamps. TOE Access (FTA) 6.2.6.1 FTA_CIN_EXT.1 Continuous Indications FTA_CIN_EXT.1.1 The TSF shall display a visible indication of the selected computers at all times when the TOE is powered. FTA_CIN_EXT.1.2 The TSF shall implement the visible indication using the following mechanism: easily visible graphical and/or textual markings of each source video on the display, [[illuminated buttons]]. FTA_CIN_EXT.1.3 The TSF shall ensure that while the TOE is powered the current switching status is reflected by [the indicator]. 6.3 SECURITY ASSURANCE REQUIREMENTS The assurance requirements are summarized in Table 12. Assurance Class Assurance Components Identifier Name Development (ADV) ADV_ARC.1 Security architecture description ADV_FSP.4 Complete functional specification Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 28 of 48 Assurance Class Assurance Components Identifier Name ADV_IMP.1 Implementation representation of the TSF ADV_TDS.3 Basic modular design Guidance Documents (AGD) AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures Life-Cycle Support (ALC) ALC_CMC.4 Production support, acceptance procedures and automation ALC_CMS.4 Problem tracking CM7 coverage ALC_DEL.1 Delivery procedures ALC_DVS.1 Identification of security measures ALC_LCD.1 Developer defined life-cycle model ALC_TAT.1 Well-defined development tools ALC_FLR.3 Systematic flaw remediation Security Target Evaluation (ASE) ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST introduction ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security problem definition ASE_TSS.1 TOE summary specification Tests (ATE) ATE_COV.2 Analysis of coverage ATE_DPT.1 Testing: basic design 7 Configuration Management Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 29 of 48 Assurance Class Assurance Components Identifier Name ATE_FUN.1 Functional testing ATE_IND.2 Independent testing - sample Vulnerability Assessment (AVA) AVA_VAN.3 Focused vulnerability analysis Table 12 – Security Assurance Requirements 6.4 SECURITY REQUIREMENTS RATIONALE Security Functional Requirements Rationale The following Table provides a mapping between the Security Functional Requirements (SFRs) and Security Objectives. O.CHANNEL_ISOLATION O.NO_DATA_RETENTION O.PERIPHERAL_DEVICE O.SECURE_MANAGEMENT O.STATIC_ATTRIBUTES O.TAMPER_INDICATION FAU_GEN.1 X FDP_ACC.1 X FDP_ACF.1 X FDP_IFC.1 X FDP_IFF.1 X FDP_RIP.1 X FIA_UAU.1 X FIA_UID.1 X FMT_MSA.1(1) X FMT_MSA.1(2) X Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 30 of 48 O.CHANNEL_ISOLATION O.NO_DATA_RETENTION O.PERIPHERAL_DEVICE O.SECURE_MANAGEMENT O.STATIC_ATTRIBUTES O.TAMPER_INDICATION FMT_MSA.3(1) X FMT_MSA.3(2) X FMT_SMF.1 X X FMT_SMR.1 X X FPT_PHP.1 X FPT_STM.1 X FTA_CIN_EXT.1 X Table 13 – Mapping of SFRs to Security Objectives SFR Rationale Related to Security Objectives The following rationale traces each SFR back to the Security Objectives for the TOE. Objective: O.CHANNEL _ISOLATION User data must be routed by the TOE only to the computer selected by the user. The TOE must provide isolation between the data flowing from the peripheral device to the selected computer and any non-selected computer. Security Functional Requirements: FDP_IFC.1 Subset information flow control FDP_IFF.1 Simple security attributes Rationale: FDP_IFC.1 and FDP_IFF.1 ensure that the only permitted user data flow is from the peripheral device to the selected computer. Objective: O.NO_DATA _RETENTION The TOE shall not retain user data after the channel is switched or the TOE is powered down. Security Functional Requirements: FDP_RIP.1 Subset residual information protection Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 31 of 48 Rationale: FDP_RIP.1 ensures that user data from one connected computer becomes unavailable when the peripherals are switched to another connected computer. Objective: O.PERIPHERAL _DEVICE The TOE shall ensure that only approved peripheral device types may be used with the TOE. Security Functional Requirements: FDP_ACC.1 Subset access control FDP_ACF.1 Security attribute based access control Rationale: FDP_ACC.1 and FDP_ACF.1 ensure that only authorized peripheral device types may be connected to the TOE. Objective: O.SECURE _MANAGE MENT The TOE shall provide management functionality to configure aspects of the TSF as required. The TOE shall ensure that management functions can only be performed by authorized administrators and that an audit trail of management activities is generated. Security Functional Requirements: FAU_GEN.1 Audit data generation FIA_UAU.1 Timing of authentication FIA_UID.1 Timing of identification FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FPT_STM.1 Reliable time stamps Rationale: FMT_SMF.1 ensures that management functions are provided to configure the TOE. FMT_SMR.1 ensures that this functionality is restricted to authorized administrators. FIA_UID.1 and FIA_UAU.1 provide a means of identifying and authenticating users before allowing them access to management functions. FAU_GEN.1 ensures that an audit trail of management activities is generated. FPT_STM.1 supports this objective by ensuring that audit records include reliable time stamps. Objective: O.STATIC _ATTRIBUTES The TSF will provide TOE users with the security management functionality to switch between connected computers. The TOE will protect all other security attributes from being altered by the TOE users. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 32 of 48 Security Functional Requirements: FMT_MSA.1(1) Management of security attributes (Peripherals) FMT_MSA.1(2) Management of security attributes (User data) FMT_MSA.3(1) Static attribute initialisation (Peripherals) FMT_MSA.3(2) Static attribute initialisation (User data) FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FTA_CIN_EXT.1 Continuous indications Rationale: FMT_MSA.1(1) ensures that no users can modify the list of acceptable peripheral device types. FMT_MSA.3(1) provides restrictive default values for these types, and does not allow these values to be changed. FMT_MSA.1(2) ensures that only users with physical access to the peripherals attached to the TOE are able to switch connected computers. FMT_MSA.3(2) provides restrictive default values for the selected types, and does not allow these values to be changed. FMT_SMF.1 ensures that the TSF provides TOE users with the capability to switch between connected computers. FMT_SMR.1 provides the TOE administrator and user roles. FTA_CIN_EXT.1 ensures that the user is able to identify the active channel when switching between connected computers. Objective: O.TAMPER _INDICATION The TOE shall be labeled with at least one visible tamper-evident marking that clearly indicates when tampering has been detected. Security Functional Requirements: FPT_PHP.1 Passive detection of physical attack Rationale: FPT_PHP.1 ensures that the TSF provides unambiguous detection of physical tampering. Dependency Rationale Table 14 identifies the Security Functional Requirements from Part 2 of the CC and their associated dependencies. It also indicates whether the ST explicitly addresses each dependency. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 33 of 48 SFR Dependency Dependency Satisfied Rationale FAU_GEN.1 FPT_STM.1  FDP_ACC.1 FDP_ACF.1  FDP_ACF.1 FDP_ACC.1  FMT_MSA.3  Satisfied by FMT_MSA.3(1) FDP_IFC.1 FDP_IFF.1  FDP_IFF.1 FDP_IFC.1  FMT_MSA.3  Satisfied by FMT_MSA.3(2) FDP_RIP.1 None N/A FIA_UAU.1 FIA_UID.1  FIA_UID.1 None N/A FMT_MSA.1(1) FDP_ACC.1 or FDP_IFC.1  Satisfied by FDP_ACC.1 FMT_SMR.1  FMT_SMF.1  FMT_MSA.1(2) FDP_ACC.1 or FDP_IFC.1  Satisfied by FDP_IFC.1 FMT_SMR.1  FMT_SMF.1  FMT_MSA.3(1) FMT_MSA.1  Satisfied by FMT_MSA.1(1) FMT_SMR.1  FMT_MSA.3(2) FMT_MSA.1  Satisfied by FMT_MSA.1(2) FMT_SMR.1  FMT_SMF.1 None N/A FMT_SMR.1 FIA_UID.1  FPT_PHP.1 None N/A FPT_STM.1 None N/A FTA_CIN_EXT.1 None N/A Table 14 – Functional Requirement Dependencies Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 34 of 48 Security Assurance Requirements Rationale The TOE assurance requirements for this ST consist of the requirements corresponding to the EAL 4 level of assurance, as defined in the CC Part 3, augmented by the inclusion of Systematic Flaw Remediation (ALC_FLR.3). EAL 4 was chosen for competitive reasons. The developer is claiming the ALC_FLR.3 augmentation since the current practices and procedures exceed the minimum requirements for EAL 4. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 35 of 48 7 TOE SUMMARY SPECIFICATION This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements. 7.1 SECURITY AUDIT The TOE is equipped with non-volatile memory for the storage of audit records. There are two separate storage areas: • Critical One Time Programming (OTP) Logs o The critical log area stores the following information: o Tampering events – there are six possible event flags o Self-test failure – a record of the latest self-test failure is recorded with error code information o Peripheral device rejection o Configuration changes to the CDF whitelist/blacklist made by the administrator o Reset to factory default event o Changes to the primary administrator password • Non-critical (Random Access Memory (RAM)) Logs o Peripheral device acceptance o Non-security related configuration changes o Administrator login o Administrator logout o Creation and removal of administrator accounts o Administrator password changes (other than for the primary administrator) o Password lock events All events include the date and time. Where applicable, the username of the administrator who initiated the action is also recorded. Logs cannot be deleted by the administrator. The critical logs hold up to 64 events. The non-critical logs hold up to 128 events. In both log files, the oldest logs are overwritten when the storage space allocated to the logs becomes full. Audit records can only be read by authorized administrators through the TOE device’s terminal mode. Instructions for logging into the device and entering terminal mode are detailed in the Cybex™ SC/SCM Switching System Additional Operations and Configuration Technical Bulletin. TOE Security Functional Requirements addressed: FAU_GEN.1. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 36 of 48 7.2 USER DATA PROTECTION There are two SFPs that are enforced by the TOE. They are enforced by the data flows described in the following sections. 7.2.1.1 Video Data Flow The video data flows consist of EDID read and write functions, and unidirectional video from the connected computer to the monitor. The data flow is shown in the following figures. The figures show only four connected computers for simplicity; however, the data flows apply to all connected computer ports. In Figure 4, the TOE video controller function reads the connected display EDID Electrically Erasable Programmable Read-Only Memory (EEPROM) content from the connected monitor through the closed isolation switch. No video is displayed on the monitor since the multiplexer (Video Mux) is switched to the isolation state. This mode of operation only occurs during power up. The EDID is not read from the monitor at any other time. The video controller reads the EDID content to verify that it is valid and usable. If the data is found to be invalid, this function will stop and wait for the next Hot Plug event before continuing on. Figure 4 – Video Data Flow during EDID Read Figure 5 shows the video controller writing the EDID content into the emulated EDID EEPROM chip for the first connected computer. The thick lines show the native video connections. The thin lines show I²C lines. The EDID multiplexer (labeled EDID Mux) couples the I²C lines to the EDID mode switch (orange) for Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 37 of 48 the first connected computer. The first EDID mode switch switches the video controller I²C lines to the first emulated EDID EEPROM chip (gray). The chip write protect switch (green) opens to enable writing. The video controller uses the I²C lines to write to the first emulated EDID EEPROM chip. Once the write operation is complete and verified, the video controller function switches the EDID multiplexer to the next channel and the operation is repeated until all of the EDID EEPROM chips are programmed. Once this write operation is complete, the video controller switches to the normal operation mode. In the EDID Write mode, the emulated EDID EEPROM chips are switched to their respective computers to allow the EDID information to be read. The write protect switches (shown in green) are then switched back to protected mode to prevent any attempt to write the EEPROM or transmit MCCS commands. In the EDID write mode, each connected computer interface is completely independent. The power to each emulated EDID EEPROM is received from its respective computer through the video cable. The main video multiplexer is then switched to the user selected computer to enable the video display for that computer. Figure 5 – Video Data Flow during EDID Write Normal operation is shown in Figure 6. The connected computers have no means to affect the EDID channel. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 38 of 48 The following security features are enforced by the video data flow: a. The video input interfaces are isolated from one another. Isolation is achieved through the use of separate power and ground planes, and separate electronic components and separate emulated EDID chips for each channel; b. The EDID function is emulated by an independent emulated EDID EEPROM chip for each connected computer channel. These chips receive their content from the connected monitor during TOE power up; c. The TOE will reject any display device with non-valid EDID content; d. The TOE supports DVI-D, HDMI 1.4, DisplayPort 1.1 and DisplayPort 1.2 video source input from connected computers. DisplayPort is supported with a USB Type-C connection for some devices. The video function effectively filters out the AUX channel by converting it to I²C EDID only. The DisplayPort video is converted into an HDMI video stream. The I²C EDID lines are connected to the corresponding emulated EDID EEPROM functions as shown in the figures above. Threats to the AUX channel are mitigated through the conversion from DisplayPort to HDMI. Unauthorized protocols such as USB, Ethernet, MCCS and EDID write are blocked since the emulated EEPROM only supports valid EDID read requests from the connected computers; e. The TOE video function blocks MCCS write transactions through the emulated EDID EEPROMs. Emulated EEPROMs only supports EDID read transactions. The write protect switch prevents connected computers from writing to the Emulated EDID EEPROMs; f. When the TOE is powered off, or following failure of a self-test, all video signals are isolated. The emulated EDID EEPROMs may still operate since they receive power from their respective connected computers, however, the isolation function continues to be enforced; and g. Although only one connected computer interface is active at a time, the monitor will continue to display the video from the connected computers in accordance with the user’s configuration. The active computer is always indicated by the buttons on the KVM device, and on the screen. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 39 of 48 Figure 6 – Video Data Flow during Normal Operation Video data is not retained within the TOE. TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FDP_RIP.1. 7.2.1.2 Keyboard and Mouse Data Flow Isolation between the connected computers is enforced using one way data diodes and device emulators as shown in Figure 7. This diagram shows only two connected computers for simplicity. However, the functionality applies to all connected computer ports. The device emulators are microcontrollers that receive a serial stream representing the keyboard and mouse commands on one side, and interact with the connected computer via the USB bus on the other side. The use of isolated device emulators ensures that connected computers cannot interact physically or logically with shared TOE or peripheral resources. Each device emulator is powered by its respective connected computer. Power domains of different computer interfaces are independent and isolated using unidirectional data diodes. The TOE implements a host emulator to interface with the keyboard and mouse peripheral devices, thereby isolating the peripherals from the internal circuitry and from the connected computers. Data transmission from the host emulator to the device emulators is limited to basic HID transactions through the use of a serial protocol between the TOE host Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 40 of 48 emulator and the device emulators. Only the limited data supported by the serial protocol is able to flow between the emulators. Optical data diodes are used to enforce the unidirectional data flow of serial data between the TOE host emulator and the device emulators. Optical data diodes are included for each device emulator channel to ensure that each channel is physically and logically isolated from the other channels, and from other TOE functionality. This also prevents data flow from the device emulators to the host emulator and on to the peripheral devices. A peripheral switch multiplexer ensures the selection of just one keyboard / mouse serial data source at any given time. The multiplexer has positions for each connected computer port, plus an addition position for isolation. The isolation position is used when the self-test has failed, and effectively disables the data flow from the keyboard and mouse. The keyboard and mouse data flow is not combined with or connected to any other TOE data flow. The keyboard and mouse functions are completely isolated from all other switching functions, such as audio or video. The keyboard and mouse are always switched together. The keyboard and mouse host emulators only enumerate USB HID (Human Interface Devices). No other devices or endpoints are supported on the keyboard or mouse interfaces, and will be rejected. USB hub and composite devices that include an HID interface will only enumerate the HID component of the composite device. The keyboard and mouse console ports are interchangeable since both enumerate HIDs. When power to the TOE is lost, the optical data diodes are powered off and no data flow is possible between the keyboard and mouse peripheral devices and computer interfaces. When the user switches from one computer to another, the system controller function ensures that the keyboard and mouse stacks are deleted and that the first 100 milliseconds of commands received from the keyboard after switching are ignored (deleted). This is done to delete the accumulation of cached commands from the previous channel in the keyboard microcontroller buffer. Since traffic cannot flow from the connected computer to the keyboard or mouse, it is not possible to display indications such as CAP LOCK and NUM LOCK on the keyboard. In accordance with the user guidance, wireless keyboards and mice are not permitted in the evaluated configuration. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 41 of 48 Figure 7 – Keyboard and Mouse Data Flow TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FDP_RIP.1. 7.2.1.3 Audio Data Flow The TOE audio data flow path is electrically isolated from all other functions and interfaces to prevent signaling data leakage from the audio path. Audio switching is controlled by the TOE system controller function through dedicated unidirectional command lines. Audio signals cannot be digitized or otherwise sampled. There is a separate audio interface for each computer. Each interface is electrically isolated from other interfaces and from other TOE circuitry. The audio switching multiplexer uses mechanical relays and a solid state multiplexer to ensure isolation. Two unidirectional audio flow data diodes enforce the audio data flow from audio device to selected computer. Some devices have a separate channel selection control that allows the user to freeze the audio connection to a selected computer, while switching the other peripherals. This freeze function is indicated by an LED on the front panel of the TOE device. When the TOE device is not receiving power, an audio isolation relay remains open to isolate the audio input from the computer interfaces and from all other circuitry and interfaces. Self-test failure or anti-tampering activation will de- energize the audio isolation relay to isolate the audio input. The audio subsystem does not store, convert or delay any audio data flow, thereby mitigating risk of audio overflow while switching between channels. The use of analog microphones or line-in audio devices is strictly prohibited, and this is indicated in the user guidance. Devices that support analog audio out switching will reject a microphone as follows: Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 42 of 48 a. Analog audio data diode ensures that data flows only from the selected computer to the connected audio peripheral device; and b. The microphone DC8 bias barrier blocks electret microphone DC bias if the TOE is deliberately or inadvertently attached to the connected computer microphone input jack. TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FDP_RIP.1. 7.2.1.4 DPP Data Flow Some TOE devices have a Dedicated Peripheral Port (DPP) that supports bi- directional USB connections in support of user authentication devices such as smart card readers. Access to this port is restricted so that, by default, only standard smart card readers and biometric authentication devices with a USB smart card class interface that complies with USB Organization standard Chip Card Interface Device (CCID) Revision 1.1 or Integrated Circuit Card Identification (ICCID) Revision 1.0 may be used. The peripheral device’s USB parameters are compared with predefined USB qualification parameters. If the peripheral device’s parameters are consistent with the predefined parameters, the device will be allowed to connect to the TOE. By default, any device that is not a user authentication device will be blocked. Additionally, the TOE will only allow connection of user authentication devices that are bus powered. The TOE devices that support DPP also support configurable device filtration. An administrator can log into the TOE and whitelist or blacklist devices for this port based on USB attributes. Each DPP computer interface is supported by its own independent circuitry and power plane. No circuitry or logical functions are shared with other ports or other TOE functions. The user authentication device data paths within the TOE are fully isolated from all other user data paths and functions. When a user switches the DPP to another connected computer, the TOE resets the user authentication device by causing a temporary power dip. This is done using the High-side Power switches on the System Controller board that switch 5 Volt power to the DPP device jack. A load field effect transistor (FET) shorts the supply voltage to the ground to ensure that all capacitance in the TOE or in the connected device is quickly discharged to a level below 2 Volts. The TOE does not emulate or process user authentication device data. This ensures that no data can be retained. All user authentication device data paths are isolated (switched off) through a peripheral multiplexer when the TOE is powered off, following an anti-tampering trigger or following a failed self-test. TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1, FDP_IFC.1, FDP_IFF.1, FDP_RIP.1. 8 Direct Current Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 43 of 48 Peripheral Device SFP The TOE supports the following peripheral devices on the TOE console ports. If a device that does not support the authorized protocols is plugged into a console port, that device will not be correctly enumerated and therefore will not function. TOE Console Port Authorized Protocols Authorized Devices Keyboard USB Type A HID Any wired keyboard and keypad Mouse/ Pointing Device USB Type A HID Any wired mouse, trackball or touch screen Display HDMI 1.4 DisplayPort 1.1, 1.2 Monitor, projector Audio Analog audio through a 3.5 mm jack Audio output devices such as speakers and headphones DPP USB Type A Smart card readers and similar authentication devices Table 15 – Authorized Peripheral Devices USB hub and composite devices that include at least one end point that enumerates as a USB HID is accepted as an authorized device on the keyboard and mouse ports. Any functionality that does not enumerate as HID will not be available. TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1 User Data Isolation SFP The allowed data flows between the connected computer and the peripheral devices are described in Sections 7.2.1.1 to 7.2.1.4. TOE Security Functional Requirements addressed: FDP_IFC.1, FDP_IFF.1. Residual Information Data is not retained by the TOE. Residual data protections are described in Sections 7.2.1.1 to 7.2.1.4. TOE Security Functional Requirements addressed: FDP_RIP.1. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 44 of 48 7.3 IDENTIFICATION AND AUTHENTICATION In order to access administrative functions, a user must be in possession of an administrator username and password. A single administrator role is supported by the TOE. Administrators authenticate to the TOE by entering a username and password. The default administrator username is ‘admin1234’. The primary administrator account cannot be deleted. The password remains the same and does not revert to the default when an Reset to Factory Default (RFD) is performed. Up to nine additional administrator accounts may be created. These additional accounts and associated passwords are removed when an RFD is performed. For these accounts, usernames must be between 8 and 11 characters in length, and may be made up of uppercase and lowercase letters. The default administrator password is ‘1234ABCDefg!@#’, and must be changed on the first login. Administrator passwords must be between 8 and 15 characters in length and may contain uppercase letters, lowercase letters, numbers or any of the following special characters: ‘!’, ‘@’, ‘#’, ‘$’, ‘%’, ‘^’, ‘&’, ‘*’, ‘(’, ‘)’, ‘-’, or ‘_’. The password must contain at least one uppercase letter, one lowercase letter, one number and one special character. Passwords are stored in the non-volatile memory in a proprietary, obfuscated format. Lost usernames or passwords cannot be recovered. The user is locked out after three failed login attempts. The user may cycle the device power and try again. Only users in the ‘Administrator’ role are identified and authenticated. Users in the ‘user’ role are not required to identify and authenticate. They are only able to change the connected computer channel. TOE Security Functional Requirements addressed: FIA_UAU.1, FIA_UID.1. 7.4 SECURITY MANAGEMENT Security Attributes The default accepted peripheral device type attributes are restrictive in that they are limited to the values indicated in Table 11. No user is able to change the default values. Switching may only be done by the user with physical access to the peripherals attached to the TOE KVM device. The default values are considered restrictive in that the TOE defaults to the first connected computer on power up. No user is able to change this default behaviour. TOE Security Functional Requirements addressed: FMT_MSA.1(1), FMT_MSA.1(2), FMT_MSA.3(1), FMT_MSA.3(2). Administrative Capabilities The TOE provides for the user roles ‘user’ and ‘administrator’. Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 45 of 48 The only security management functionality available to the user is the ability to switch between connected computers. Administrators must log into the TOE with a username and password. Once logged in, the administrator may use the functions described in the Cybex™ SC/SCM Switching System Additional Operations and Configuration Technical Bulletin to manage the TOE configuration. The administrator login and any configuration changes made are recorded in the audit logs along with the date and time of the event. The administrator can use the administrator console function to perform the following tasks: • Reset to factory default – note that this does not reset the username and password of the primary administrator, and does not reset the critical logs • Configure the CDF • View the firmware version • Manage administrator accounts (change password, create administrator account) • View logs The TOE devices support a RFD option which is available to an authorized administrator. When an administrator requests a restore to factory default, the following occurs: • All peripheral devices are disconnected from the selected computer • The Front panel indicators blink in unison • The TOE device resets and performs a normal power up and self-test sequence. There are no user indications during power up and self-test • The TOE resumes normal operation. Any settings are reset to the factory defaults. Administrator credentials and some log entries are retained. User indicators resume normal behavior at this stage unless the self-test has failed TOE Security Functional Requirements addressed: FMT_SMF.1, FMT_SMR.1. 7.5 PROTECTION OF THE TSF Tamper Evidence The TOE enclosure is designed to prevent physical tampering. It features a stainless steel welded chassis and panels that prevent external access through bending or brute force. Additionally, the TOE is equipped with holographic Tampering Evident Labels located in critical areas of the TOE enclosure. Any attempt to access the TOE internal circuitry causes permanent visible damage to one or more labels. TOE Security Functional Requirements addressed: FPT_PHP.1 Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 46 of 48 Reliable Timestamps Each device includes a real-time clock powered by a battery. The time is set during production. This clock provides reliable time stamps for the audit function. TOE Security Functional Requirements addressed: FPT_STM.1. 7.6 TOE ACCESS Continuous Indications The TOE user switches between computers by pressing the corresponding front panel button on the device. The front panel button corresponding to the selected computer will illuminate. When switching between computers with authentication devices, the authentication device is switched accordingly. When switching to a computer that is not connected to an authentication device, the authentication device will remain mapped to the last channel that supported the connection. A user can select the ‘Freeze USB’ button on the front panel to lock the authentication device to the currently connected computer. When the user switches the other peripherals to another channel, the authentication device will remain attached to the previously selected channel, and the ‘Freeze USB’ LED9 will be illuminated. The authentication device channel is indicated by an LED to the left of the channel. To release the freeze, the user selects the ‘Freeze USB’ a second time. Similarly, there is a ‘Freeze Audio’ button. When selected, the audio remains connected to selected computer while the other peripherals are switched as indicated by the user. The audio channel is indicated by an LED to the left of the channel. Figure 8 shows the selection buttons. Note that this function is not available on all devices. Figure 8 – Channel Selection On power up or power up following reset, all peripherals are connected to channel #1, and the corresponding push button LED will be illuminated. TOE Security Functional Requirements addressed: FTA_CIN_EXT.1 9 Light Emitting Diode Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 47 of 48 8 TERMINOLOGY AND ACRONYMS 8.1 TERMINOLOGY The following terminology is used in this ST: Term Description AUX This refers to an auxiliary channel. DPP The Dedicated Peripheral Port allows bidirectional communications to support the use of user authentication devices. I²C I²C is a synchronous, serial protocol used to connect low- speed devices such as microcontrollers, EEPROMs, and other similar peripherals in embedded systems. Peripheral devices ‘Peripherals’ or ‘peripheral devices’ refer to auxiliary devices that are intended to be connected to a computer, but are not an essential part of the computer. In the context of this ST, a peripheral device is a monitor (also called a display), or a USB HID such as a keyboard or mouse. User The term user refers to a user in the ‘user’ role. Table 16 – Terminology 8.2 ACRONYMS The following acronyms are used in this ST: Acronym Definition CC Common Criteria CCID Chip Card Interface Device CDF Configurable Device Filtration CM Configuration Management DC Direct Current DP DisplayPort DPP Dedicated Peripheral Port DVI Digital Visual Interface EAL Evaluation Assurance Level EDID Extended Display Identification Data EEPROM Electrically Erasable Programmable Read-Only Memory Vertiv Secure KVM, KM and KVM Matrix Devices Security Target Doc No: 2172-001-D102 Version: 0.5 Date: 24 September 2020 Page 48 of 48 Acronym Definition FET Field Effect Transistor HDMI High-Definition Multimedia Interface HID Human Interface Device ICCID Integrated Circuit Card Identification IT Information Technology KM Keyboard, Mouse KVM Keyboard, Video, Mouse LED Light Emitting Diode MCCS Monitor Control Command Set OTP One Time Programming PDF Portable Document Format PID Product Identification PP Protection Profile RAM Random Access Memory RFD Reset to Factory Default SFP Security Function Policy SFR Security Functional Requirement ST Security Target TOE Target of Evaluation TSF TOE Security Functionality UHD Ultra-high-definition USB Universal Serial Bus VID Vendor Identification Table 17 – Acronyms