2-port usb 3.0 4k dual display displayport kvmp switch for atc (70 pages)
Summary of Contents for ATEN CS1182DP4
Page 1
ATEN Secure KVM Switch Series (Non-CAC Models) Security Target Version 1.1 2022-03-08 Prepared for: ATEN 3F, No. 125, Section 2, Datung Road, Sijhih District, New Taipei City, 221 Taiwan Prepared by: Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia, Maryland 21046...
Page 2
Security Target Version 1.1 2022-03-08 Revision History Version Author Modifications Leidos Initial Version Leidos Minor update to add adapters Leidos Updates for validator check-in comments Leidos Minor updates for evaluator comments Leidos Updates for validator check-out comments...
Security Target Version 1.1 2022-03-08 Table of Contents Security Target Introduction ......................... 1 Security Target, Target of Evaluation, and Common Criteria Identification ........1 Conformance Claims ........................2 Conventions ............................ 3 1.3.1 Terminology ..........................3 1.3.2 Acronyms ..........................5 TOE Description ............................ 7 Product Overview ...........................
Page 4
List of Figures and Tables Figure 1: Simplified Block Diagram of a 2-Port KVM TOE ................10 Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment ........12 Table 1: ATEN Secure KVM Switch TOE Models ................... 1...
Page 5
2022-03-08 Table 3: Acronyms ............................5 Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models ............8 Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models ..........9 Table 6: Security Objectives for the Operational Environment ..............16 Table 7: TOE Security Functional Components ...................
Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is ATEN Secure KVM Switch Series (Non-CAC Models) provided by ATEN. The Security Target contains the following additional sections: •...
Security Target Version 1.1 2022-03-08 Conformance Claims This ST and the TOE it describes are conformant to the following CC specifications: • Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1 Revision 5, April 2017 •...
Security Target Version 1.1 2022-03-08 Conventions The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, with additional extended functional components. The CC defines operations on Security Functional Requirements: assignments, selections, assignments within selections, iterations, and refinements.
Page 9
Security Target Version 1.1 2022-03-08 Term Definition Connected Peripheral A Peripheral that is connected to a PSD. A physical or logical conduit that enables Devices to interact through respective Connection interfaces. May consist of one or more physical (e.g., a cable) or logical (e.g., a protocol) components.
Security Target Version 1.1 2022-03-08 Term Definition TOE Security Functionality The combined hardware, software, and firmware capabilities of a TOE that are (TSF) responsible for implementation of its claimed SFRs. TOE Security Functionality Any external interface between the TOE and its Operational Environment that has Interface (TSFI) a security‐relevant purpose or is used to transmit security‐relevant data.
Page 11
Security Target Version 1.1 2022-03-08 Acronym Definition Personal Computer Peripheral Sharing Device Remote Port Selector Security Function Policy Universal Serial Bus...
TOE Overview The TOE is the ATEN Secure Switch series of products without CAC. The TOE allows users to connect a single set of peripherals to its console ports to interact with multiple computers that are connected to it via its computer ports.
Page 13
Only speaker connections are supported and the use of an analog microphone or line-in audio device is prohibited. The tables below identify the interfaces of the Secure KVM console and computer ports according to model number. Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models Console Video Output Console...
Page 14
• CS1148D4 The ATEN Secure KVM products implement a secure isolation design for all models to share a single set of peripheral components. Each peripheral has its own dedicated data path. USB keyboard and mouse peripherals are filtered and emulated. DisplayPort video from the selected computer is converted internally to HDMI, then back to DisplayPort for communication with the connected video display and the AUX channel is monitored and converted to EDID.
Page 15
Security Target Version 1.1 2022-03-08 Figure 1: Simplified Block Diagram of a 2-Port KVM TOE As shown in Figure 1 above, the internal components of the KVM consist of switches, emulators, USB host controllers, processors, and embedded with non-updateable firmware v1.1.101. The internal hardware components are identified in Appendix A and include the manufacturer and the part number.
Security Target Version 1.1 2022-03-08 A detailed description of the TOE security features can be found in Section 6 (TOE Summary Specification). 2.3.1 Physical Boundary The TOE includes the RPS and hardware models identified in Section 1.1 along with embedded firmware v1.1.101 and corresponding documentation identified in Section 2.5 below.
Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment The ATEN Secure KVM devices do not include any wireless interfaces. The ATEN Secure KVM devices have been tested and found to comply with the radio frequency emissions limits for a Class A digital device, pursuant to Part 15 of the Federal Communications Commission rules.
Security Target Version 1.1 2022-03-08 2.4.1 Security Audit The TOE generates audit records for the authorized administrator actions. Each audit record records a standard set of information such as date and time of the event, type of event, and the outcome (success or failure) of the event.
In general, the [PSD] has presented a Security Problem Definition appropriate for peripheral sharing devices. The ATEN Secure KVM Switch Series supports KVM (USB Keyboard/Mouse, analog audio (out), DisplayPort, DVI-I and HDMI video) peripheral switch functionality by combining a 2/4/8 port KVM switch,...
Security Target Version 1.1 2022-03-08 Security Objectives Like the Security Problem Definition, this Security Target includes by reference the Security Objectives from the [PSD], [MOD_VI_V1.0], [MOD_AO_V1.0], and [MOD_KM_V1.0]. The [PSD], [MOD_AO_V1.0], and [MOD_VI_V1.0] security objectives for the operational environment are reproduced below, since these objectives characterize technical and procedural measures each consumer must implement in their operational environment.
Security Target Version 1.1 2022-03-08 IT Security Requirements This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the Protection Profile: [PSD] and the modules: [MOD_AO_V1.0], [MOD_KM_V1.0], and [MOD_VI_V1.0], and include some of the optional and selection-based SFRs.
Security Target Version 1.1 2022-03-08 • FDP_UDF_EXT.1/KM – Unidirectional Data Flow (Keyboard/Mouse) • FDP_UDF_EXT.1/VI – Unidirectional Data Flow (Video Output) • FPT_FLS_EXT.1 – Failure with Preservation of Secure State • FPT_NTA_EXT.1 – No Access to TOE • FPT_TST_EXT.1 – TSF Testing •...
Security Target Version 1.1 2022-03-08 a. Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b. For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [no other information].
Page 26
Security Target Version 1.1 2022-03-08 5.2.2.3 Active PSD Connections (Keyboard/Mouse) (FDP_APC_EXT.1/KM) FDP_APC_EXT.1.1/KM The TSF shall route user data only to the interfaces selected by the user. FDP_APC_EXT.1.2/KM The TSF shall ensure that no data or electrical signals flow between connected computers whether the TOE is powered on or powered off.
Page 27
Security Target Version 1.1 2022-03-08 FDP_PDC_EXT.1.2 The TSF shall reject connections with devices presenting unauthorized interface protocols upon TOE power up and upon connection of a peripheral device to a powered‐on TOE. FDP_PDC_EXT.1.3 The TOE shall have no external interfaces other than those claimed by the TSF. FDP_PDC_EXT.1.4 The TOE shall not have wireless interfaces.
Page 28
Security Target Version 1.1 2022-03-08 • authorized devices presenting authorized interface protocols as defined in ‐ the PP Module for Video/Display Devices, ] upon TOE power up and upon connection of a peripheral device to a powered- on TOE. 5.2.2.10 Peripheral Device Connection (Video Output) (FDP_PDC_EXT.2/VI) FDP_PDC_EXT.2.1/VI The TSF shall allow connections with authorized devices as defined in [Appendix E of the VI Module] and [...
Security Target Version 1.1 2022-03-08 5.2.2.15 Purge of Residual Information (FDP_RIP_EXT.2) FDP_RIP_EXT.2.1 The TOE shall have a purge memory or restore factory defaults function accessible to the administrator to delete all TOE stored configuration and settings except for logging. 5.2.2.16 PSD Switching (FDP_SWI_EXT.1) FDP_SWI_EXT.1.1 The TSF shall ensure that [switching can be initiated only through express user action].
Security Target Version 1.1 2022-03-08 5.2.3.2 User Identification Before Any Action (FIA_UID.2) FIA_UID.2.1 The TSF shall require each administrator to be successfully identified before allowing any other TSF‐mediated actions on behalf of that administrator. 5.2.4 Security Management (FMT) 5.2.4.1 Management of Security Functions Behavior (FMT_MOF.1) FMT_MOF.1.1 The TSF shall restrict the ability to [modify the behavior of] the functions [TOE keyboard and mouse filtering blacklist, Reset to Factory Default, view audit...
Security Target Version 1.1 2022-03-08 5.2.5.4 Resistance to Physical Attack (FPT_PHP.3) FPT_PHP.3.1 The TSF shall resist [a physical attack for the purpose of gaining access to the internal components, to damage the anti‐tamper battery, to drain or exhaust the anti‐tamper battery] to the [TOE enclosure and any remote controllers] by the attacked component becoming permanently disabled.
TOE Security Functional Requirements (DP Models) The following table identifies the [MOD_VI_V1.0] SFRs that are satisfied by DP Models, which include the following: • CS1182DP4, • CS1184DP4, • CS1188DP4, •...
Security Target Version 1.1 2022-03-08 FDP_PDC_EXT.3.2/VI(DP) The TSF shall apply the following rules to the supported protocols: [the TSF shall read the connected display EDID information once during power‐on or reboot]. 5.3.1.3 Sub-Protocol Rules (DisplayPort Protocol) (DP Models) FDP_SPR_EXT.1/DP(DP)) FDP_SPR_EXT.1.1/DP(DP) The TSF shall apply the following rules for the [DisplayPort] protocol: •...
Security Target Version 1.1 2022-03-08 5.4.1.2 Sub‐Protocol Rules (HDMI Protocol) (H Models) (FDP_SPR_EXT.1/HDMI(H)) FDP_SPR_EXT.1.1/HDMI(H) The TSF shall apply the following rules for the [HDMI] protocol: • block the following video/display sub‐protocols: o [ARC, o CEC, o EDID from computer to display, o HDCP, o HEAC, o HEC,...
Security Target Version 1.1 2022-03-08 5.5.1.2 Sub‐Protocol Rules (DVI‐I Protocol) (D Models) (FDP_SPR_EXT.1/DVI-I(D)) FDP_SPR_EXT.1.1/DVI-I(D) The TSF shall apply the following rules for the [DVI‐I] protocol: • block the following video/display sub‐protocols: o [ARC, o CEC, o EDID from computer to display, o HDCP, o HEAC, o HEC,...
• peripheral device acceptance, • button jam test failure, and • all passing self-tests. During normal operation, the TOE provides administrator access to all audit records. ATEN's assistance is required to read audit records from an inoperable switch.
Security Target Version 1.1 2022-03-08 The logs are stored on EEPROM on the KVM PCBoard component of the TOE. The logs can be extracted by the authorized administrator by entering Administrator Logon mode, logging on, and then issuing the command [LIST]. The TOE extracts the log data and displays them using the text editor. The administrator can view the logs but cannot erase or delete any of the information.
Because of this, the single selected source video feed is always the same channel and indication of the selected channel is through the channel selection LEDs on the TOE chassis. The DisplayPort models CS1182DP4, CS1184DP4, and CS1188DP4 each support one connected display. While CS1142DP4, CS1144DP4, and CS1148DP4 each support two connected displays at a time.
Security Target Version 1.1 2022-03-08 6.2.5 FDP_PDC_EXT.1 – Peripheral Device Connection; FDP_PDC_EXT.2/AO – Peripheral Device Connection (Audio Output); FDP_PDC_EXT.2/KM – Authorized Devices (Keyboard/Mouse); FDP_PDC_EXT.2/VI – Peripheral Device Connection (Video Output) The TOE allows the authorized devices and protocols for the PSD Console Ports as identified in the table below upon TOE power up and upon connection of a peripheral device to a powered-on TOE.
TOE. During KVM operation, non-standard keyboards with integrated USB hubs and/or other USB-integrated devices may not be fully supported due to the strict security standards and policy for the ATEN Secure KVM Switch. If supported, only basic (HID) keyboard operations will function.
6.2.9.1 DP Models The following TOE models support DP 1.2 video input and output, and one or two displays. Table 14: DP Models Configuration 2-Port 4-Port 8-Port Single Head CS1182DP4 CS1184DP4 CS1188DP4 DisplayPort Dual Head CS1142DP4 CS1144DP4 CS1148DP4 These models accept DisplayPort for the computer video display interface. The TOE will convert the DP signal to HDMI inside the TOE and then back to DisplayPort for output to the console display(s).
Page 42
Security Target Version 1.1 2022-03-08 EDID from display to computer, HPD from display to computer, and Link Training are allowed for the DisplayPort interface. The TOE blocks CEC, EDID from computer to display, HDCP, and MCCS video/display sub‐protocols. The DP Models satisfy the following SFRs: •...
Security Target Version 1.1 2022-03-08 The D Models satisfy the following SFRs: • FDP_PDC_EXT.3/VI(D)- Authorized Connection Protocols (Video Output) (D Models) • FDP_SPR_EXT.1/DVI-I(D) – Sub-Protocol Rules (DVI-I Protocol) (D Models) Identification and Authentication (FIA_UAU.2/ FIA_UID.2) Authentication is required to perform administrator functions such as configuring the keyboard/mouse device filtering (i.e.
Security Target Version 1.1 2022-03-08 The TOE provides a security management function to Reset to Factory Default (not to be confused with the front panel reset button). When a successfully authenticated authorized Administrator performs Reset to Factory Default, settings previously configured by the Administrator (such as USB keyboard/mouse device blacklist) will be cleaned and reset to factory default settings.
TOE user and the guidance documentation instructs the user to stop using the TOE, remove it from service and contact ATEN. The KVM and RPS contain internal batteries with a minimum lifetime of five years, are non-replaceable, and cannot be accessed without opening the device enclosure.
Page 46
Security Target Version 1.1 2022-03-08 • Firmware integrity: the TOE validates the integrity of firmware by calculating the checksum of the firmware binary file and comparing to a pre-calculated value that is stored in the TOE. Upon a failure, the TOE will be in a failure state (permanently inoperable). •...
Security Target Version 1.1 2022-03-08 • For a Key stuck test failure, the front panel Port LED of that jammed button port will flash. • For all other Self-test failures (Firmware integrity, Accessibility of internal memory of the micro- controller, Computer interfaces isolation functionality, Anti-tampering mechanism) all front panel LEDs (except for Power LED) flash.
Page 48
Security Target Version 1.1 2022-03-08 The TOE has a reset button that resets the switch to the default settings when pressed. The switch is then powered up and behaves as described above.
Security Target Version 1.1 2022-03-08 Protection Profile Claims This ST is conformant to the Protection Profile [PSD], including the following optional and selection-based SFRs: FAU_GEN.1, FDP_RIP_EXT.2, FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_PHP.3, FPT_STM.1, and FTA_CIN_EXT.1. The ST is also conformant to the following PP-Modules •...
Security Target Version 1.1 2022-03-08 Rationale This security target includes by reference the [PSD], [MOD_AO_V1.0], [MOD_KM_V1.0], and [MOD_VI_V1.0] Security Problem Definitions, Security Objectives, and Security Assurance Requirements. The security target makes no additions to the [PSD] or listed modules assumptions. The [PSD] and listed module’s security functional requirements have been reproduced with the Protection Profile operations completed.
User Data Manufacturer, and Type Technology Part number System Controller Embedded Undisclosed Volatile May contain user data Host Controller ATEN SICG8021A Host Controller Embedded Undisclosed Volatile May contain user data Device Emulators ATEN SICG8022A System EEPROM EEPROM 512K bits Non-volatile...
Page 54
Security Target Version 1.1 2022-03-08 ITE IT66354 Remarks (1) The Embedded RAM may contain user data. The Embedded RAM is cleared and user keyboard/mouse data is purged when the Secure KVM powers-off or power-cycles, after switching ports, after a KVM reset (reboot), or a trigger of the tamper-proof mechanism is detected.