Раздел: Документация
0 ... 87 88 89 90 91 92 93 ... 117 unique seeds that can be generated from these inputs should be at least equal to the minimum number of secrets that must be generated. Operations Assignment: In FIASOS.2.1, the PP/ST author should provide a defined quality metric. The quality metric specification can be as simple as a description of the quality checks to be performed or as formal as a reference to a government published standard that defines the quality metrics that secrets must meet. Examples of quality metrics could include a description of the alphanumeric structure of acceptable secrets and/or the space size that acceptable secrets must meet. In FIASOS.2.2, the PP/ST author should provide a list of TSF functions for which the TSF generated secrets must be used. An example of such a function could include a password based authentication mechanism. G.4 User authentication (FIAJJAU) This family defines the types of user authentication mechanisms supported by the TSF. This family defines the required attributes on which the user authentication mechanisms must be based. FIAUAU.1 Timing of authentication User application notes This component requires that the PP/ST author define the TSF-mediated actions that can be performed by the TSF on behalf of the user before the claimed identity of the user is authenticated. The TSF-mediated actions should have no security concerns with users incorrectly identifying themselves prior to being authenticated. For all other TSF-mediated actions not in the list, the user must be authenticated before the action can be performed by the TSF on behalf of the user. This component cannot control whether the actions can also be performed before the identification took place. This requires the use of either FIAUID.1 and FIAUID.2 with the appropriate assignments. Operations Assignment: In FIAUAU.1.1, the PP/ST author should specify a list of TSF-mediated actions that can be performed by the TSF on behalf ofa user before the claimed identity of the user is authenticated. This list cannot be empty. If no actions are appropriate, component FIAUAU.2 should be used instead. An example of such an action might include the request for help on the login procedure. FIAUAU.2 User authentication before any action User application notes This component requires that users are identified before any TSF-mediated action can take place on behalf of that user. FIAUAU.3 Unforgeable authentication User application notes This component addresses requirements for mechanisms that provide protection of authentication data. Authentication data that is copied from another user, or is in some way constructed should be detected and/or rejected. These mechanisms provide confidence that users authenticated by the TSF are actually who they claim to be. This component may be useful only with authentication mechanisms that are based on authentication data that cannot be shared (e.g. biometrics). It is impossible for a TSF to detect or prevent the sharing of passwords outside the control of the TSF. Operations Selection: In FIAUAU.3.1, the PP/ST author should specify whether the TSF will detect, prevent, or detect and prevent forging of authentication data In FIAUAU.3.2, the PP/ST author should specify whether the TSF will detect, prevent, or detect and prevent copying of authentication data FIAUAU.4 Single-use authentication mechanisms User application notes This component addresses requirements for authentication mechanisms based on single-use authentication data. Single-use authentication data can be something the user has or knows, but not something the user is. Examples of single-use authentication data include single-use passwords, encrypted time-stamps, and/or random numbers from a secret lookup table. The PP/ST author can specify to which authentication mechanism(s) this requirement applies. Operations Assignment: In FIAUAU.4.1, the PP/ST author should specify the list of authentication mechanisms to which this requirement applies. This assignment can be all authentication mechanisms. An example of this assignment could be "the authentication mechanism employed to authenticate people on the external network". FIAUAU.5 Multiple authentication mechanisms User application notes The use of this component allows specification of requirements for more than one authentication mechanism to be used within a TOE. For each distinct mechanism, applicable requirements must be chosen from the FIA class to be applied to each mechanism. It is possible that the same component could be selected multiple times in order to reflect different requirements for the different use of the authentication mechanism. The management functions in the class FMT may provide maintenance capabilities for the set of authentication mechanisms, as well as the rules that determine whether the authentication was successful. To allow anonymous users to be on the system, a none authentication mechanism can be incorporated. The use of such access should be clearly explained in the rules of FIAUAU.5.2. 0 ... 87 88 89 90 91 92 93 ... 117
|
