Apple Inc. Apple iOS 9.2 MDFPPv2 Security Target Version 1.4 2016-01-28 Prepared for: Apple Inc. 1 Infinite Loop Cupertino, CA 95014 www.apple.com Prepared by: atsec information security Corp. 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com © 2016 Apple Inc. This document may be reproduced and distributed only in its original entirety without revision Table of Contents 1 Security Target Introduction..........................................................................................................5 1.1 Security Target Reference ......................................................................................................5 1.2 TOE Reference.......................................................................................................................5 1.3 TOE Overview.........................................................................................................................5 1.4 TOE Description......................................................................................................................6 1.5 TOE Architecture.....................................................................................................................8 1.5.1 Physical Boundaries ................................................................................................10 1.5.2 Security Functions provided by the TOE .................................................................10 1.5.3 TOE Documentation ................................................................................................14 1.5.4 Technical Decisions .................................................................................................14 1.5.5 Other References ....................................................................................................14 2 Conformance Claims....................................................................................................................15 2.1 CC Conformance ..................................................................................................................15 2.2 Protection Profile (PP)Conformance.....................................................................................15 2.3 Conformance Rationale ........................................................................................................15 3 Security Problem Definition ........................................................................................................16 3.1 Threats..................................................................................................................................16 3.2 Assumptions .........................................................................................................................17 3.3 Organization Security Policies..............................................................................................17 4 Security Objectives ......................................................................................................................18 4.1 Security Objectives for the TOE............................................................................................18 4.2 Security Objectives for the TOE Environment ......................................................................19 5 Security Functional Requirements .............................................................................................20 5.1 Cryptographic Support (FCS) ...............................................................................................20 5.1.1 Cryptographic Key Management (FCS_CKM) ........................................................20 5.1.2 Cryptographic Operations (FCS_COP) ...................................................................23 5.1.3 HTTPS Protocol (FCS_HTTPS) ..............................................................................24 5.1.4 Initialization Vector Generation (FCS_IV)................................................................24 5.1.5 Random Bit Generation (FCS_RBG).......................................................................25 5.1.6 Cryptographic Algorithm Services (FCS_SRV) .......................................................25 5.1.7 Cryptographic Key Storage (FCS_STG) .................................................................25 5.1.8 TLS Client Protocol (FCS_TLSC)............................................................................26 5.2 User Data Protection (FDP)..................................................................................................28 5.2.1 Access Control (FDP_ACF).....................................................................................28 5.2.2 Data-At-Rest Protection (FDP_DAR) ......................................................................28 5.2.3 Subset Information Flow Control - VPN (FDP_IFC) ................................................28 5.2.4 Certificate Data Storage (FDP_STG) ......................................................................28 5.2.5 Inter-TSF User Data Protected Channel (FDP_UPC) .............................................29 5.3 Identification and Authentication (FIA)..................................................................................29 5.3.1 Authentication Failures (FIA_AFL) ..........................................................................29 5.3.2 Bluetooth Authorization and Authentication (FIA_BLT)............................................29 5.3.3 Port Access Entity Authentication (FIA_PAE)..........................................................29 5.3.4 Password Management (FIA_PMG)........................................................................29 5.3.5 Authentication Throttling (FIA_TRT)........................................................................30 5.3.6 User Authentication (FIA_UAU)...............................................................................30 5.3.7 X509 Certificates (FIA_X509)..................................................................................31 5.4 Security Management (FMT)................................................................................................32 5.4.1 Management of Functions in TSF (FMT_MOF).......................................................32 5.4.2 Specification of Management Functions (FMT_SMF) .............................................32 5.5 Protection of the TSF (FPT)..................................................................................................36 5.5.1 Anti-Exploitation Services (FPT_AEX) ....................................................................36 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 2 of 75 5.5.2 Key Storage (FPT_KST)..........................................................................................37 5.5.3 Self-Test Notification (FPT_NOT) ............................................................................37 5.5.4 Reliable Time Stamps (FPT_STM)..........................................................................38 5.5.5 TSF Functionality Testing (FPT_TST) .....................................................................38 5.5.6 Trusted Update (FPT_TUD).....................................................................................38 5.6 TOE Access (FTA) ................................................................................................................39 5.6.1 Session Locking (FTA_SSL)....................................................................................39 5.6.2 Wireless Network Access (FTA_WSE) ....................................................................39 5.7 Trusted Path/Channels (FTP)...............................................................................................40 5.7.1 Trusted Channel Communication (FTP_ITC) ..........................................................40 5.8 Objective Requirements .......................................................................................................40 5.8.1 Default TOE Access Banners (FTA_TAB) ...............................................................40 5.8.2 Isolation of Baseband (FPT_BBD) ..........................................................................40 6 Security Assurance Requirements.............................................................................................41 6.1 Security Target evaluation (ASE)..........................................................................................41 6.1.1 Conformance claims (ASE_CCL.1) .........................................................................41 6.1.2 Extended components definition (ASE_ECD.1) ......................................................42 6.1.3 Security objectives for the operational environment (ASE_OBJ.1).........................43 6.1.4 Stated security requirements (ASE_REQ.1) ...........................................................44 6.1.5 Security problem definition (ASE_SPD.1) ...............................................................44 6.1.6 TOE summary specification (ASE_TSS.1) ..............................................................45 6.2 Development (ADV)..............................................................................................................45 6.2.1 Basic functional specification (ADV_FSP.1) ............................................................45 6.3 Guidance documents (AGD).................................................................................................46 6.3.1 Operational user guidance (AGD_OPE.1)...............................................................46 6.3.2 Preparative procedures (AGD_PRE.1)....................................................................47 6.4 Life-cycle support (ALC) .......................................................................................................47 6.4.1 Labelling of the TOE (ALC_CMC.1) ........................................................................47 6.4.2 TOE CM coverage (ALC_CMS.1)............................................................................47 6.4.3 Timely Security Updates (ALC_TSU_EXT.1)...........................................................48 6.5 Tests (ATE) ...........................................................................................................................48 6.5.1 Independent testing - conformance (ATE_IND.1)....................................................48 6.6 Vulnerability assessment (AVA)............................................................................................48 6.6.1 Vulnerability survey (AVA_VAN.1) ...........................................................................48 7 TOE Summary Specification .......................................................................................................50 7.1 Hardware Protection Functions ............................................................................................50 7.1.1 The Secure Enclave ................................................................................................50 7.1.2 Memory Protection...................................................................................................51 7.2 Cryptographic support ..........................................................................................................51 7.2.1 Overview of Key Management.................................................................................51 7.2.2 CAVS Certificates ....................................................................................................56 7.3 User Data Protection (FDP)..................................................................................................58 7.3.1 Protection of Files ....................................................................................................58 7.3.2 Application Access to Files ......................................................................................58 7.3.3 Declaring the Required Device Capabilities of an App............................................58 7.3.4 App Groups..............................................................................................................59 7.3.5 Restricting app access to system services..............................................................59 7.3.6 Keychain Data Protection ........................................................................................59 7.4 Identification and Authentication (FIA)..................................................................................60 7.4.1 Certificates...............................................................................................................61 7.5 Security Management (FMT)................................................................................................62 7.6 Protection of the TSF (FPT)..................................................................................................64 7.6.1 Secure Boot .............................................................................................................64 7.6.2 Secure Software Update..........................................................................................64 7.6.3 Domain Isolation ......................................................................................................65 7.6.4 Device locking..........................................................................................................65 7.6.5 Time .........................................................................................................................66 7.6.6 Inventory of TSF Binaries and Libraries ..................................................................66 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 3 of 75 7.7 TOE Access (FTA) ................................................................................................................66 7.7.1 Session Locking.......................................................................................................66 7.7.2 Restricting access to Wireless Networks.................................................................67 7.8 Trusted Path/Channels (FTP)...............................................................................................67 7.8.1 EAP-TLS and TLS ...................................................................................................67 7.8.2 AlwaysOn VPN ........................................................................................................68 7.8.3 Bluetooth..................................................................................................................68 7.8.4 Wireless LAN ...........................................................................................................69 7.9 Mapping to the Security Functional Requirements...............................................................69 Table of Figures Figure 1: Layers of iOS 9.2.......................................................................................................................9 Figure 2: Logical Block Diagram of the iOS CoreCrypto Kernel Module................................................11 Figure 3: Logical Block Diagram of the iOS CoreCrypto Module...........................................................11 Figure 4:Key Hierarchy in iOS................................................................................................................54 Table of Tables Table 1: Devices Covered by the Evaluation............................................................................................7 Table 2: Cellular Protocols Supported......................................................................................................8 Table 3: Management Functions ............................................................................................................35 Table 4: Keychain to File-system Mapping.............................................................................................60 Table 5: Mapping of SFRs ......................................................................................................................75 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 4 of 75 1 Security Target Introduction This document is the Common Criteria (CC) Security Target (ST) for the Apple iOS 9.2 operating system on various hardware platforms listed in section 1.4 to be evaluated as a Mobile Device in compliance with the Mobile Device Fundamentals Protection Profile Version 2.0, dated 17 September 2014 [MDFPP2]. 1.1 Security Target Reference ST Title: Apple iOS 9.2 MDFPPv2 Security Target ST Version: Version 1.4 ST Date: 2016-01-28 1.2 TOE Reference Target of Evaluation (TOE) identification: Apple iOS 9.2 on iPhone and iPad devices using the A7 or A8/A8X processor (iPhone 5s, iPad mini 2, iPad Mini 3, iPad Air (A7); iPhone 6, iPhone 6 Plus, iPad Air 2 (A8)) TOE Developer: Apple Inc. Evaluation Sponsor: Apple Inc. 1.3 TOE Overview The TOE is the iOS 9.2 operating system that runs on iPad and iPhone devices with the underlying hardware platform. The operating system manages the device hardware and provides the technologies required to implement native apps. The TOE provides cryptographic services for the encryption of data-at rest, for secure communication channels and for use by applications. User data protection is provided by encrypting the user data, restricting access by applications and by restricting access until the user has been successfully authenticated. User identification and authentication is provided by a user defined passphrase where the minimum length of the passphrase, passphrase rules as well as the maximum number of consecutive failed authentication attempts can be configured by an administrator. Security management capabilities are provided to users via the user interface of the device and to administrators through the installation of configuration profiles on the device. This installation can be done using the Apple Configurator tool or by using a Mobile Device Management (MDM) System. The TOE protects itself by having its own code and data protected from unauthorized access (using hardware provided memory protection features), by encrypting user and TSF data using TSF protected keys and encryption/decryption functions, by self-tests, by ensuring the integrity and authenticity of TSF updates and downloaded applications, and by locking the TOE upon user request or after a defined time of user inactivity. In addition the TOE implements a number of cryptographic protocols that can be used to establish a trusted channel to other IT entities. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 5 of 75 1.4 TOE Description The TOE is a mobile operating system with its underlying hardware. The TOE is intended to be used as a communication solution providing mobile staff connectivity to enterprise data. At the highest level, the operating system part of the TOE acts as an intermediary between the underlying hardware and the apps operating on the TOE. Apps do not talk to the underlying hardware directly. Instead, they communicate with the hardware through a set of well-defined system interfaces. These interfaces make it easy to write apps that work consistently on devices having different hardware capabilities. The TOE needs to be configured by an authorized administrator to operate in compliance with the requirements defined in this Security Target. The evaluated configuration for this includes: • the requirement to define a password for user authentication • the specification of a password policy defining criteria on the minimum length and complexity of a password • the specification of the maximum number of consecutive failed attempts to enter the password • the specification of the session locking policy • the specification of the audio and video collection devices allowed • the specification of the virtual private network (VPN) connection • the specification of the wireless networks allowed • the certificates in the trust anchor database The following table lists the devices that are covered by this evaluation. Device Name Model Number WiFi Cellular Bluetooth iPhone 6 Plus/ iPhone 6 A1549/A1522 (GSM) A1549/A1522 (CDMA) A1586/A1524 802.11/a/b/g/n/ac 802.11/a/b/g/n/ac 802.11/a/b/g/n/ac See table 2 See table 2 See table 2 4.0 4.0 4.0 iPhone 5s A1533 (GSM) A1533 (CDMA) A1453 A1457 A1530 802.11/a/b/g/n/ac 802.11/a/b/g/n/ac 802.11/a/b/g/n/ac 802.11/a/b/g/n/ac 802.11/a/b/g/n/ac See table 2 See table 2 See table 2 See table 2 See table 2 4.0 4.0 4.0 4.0 4.0 iPad mini 3 A1599 (WiFi only) A1600 (WiFi + cellular) A1601 (WiFi + cellular) 802.11a/b/g/n 802.11a/b/g/n 802.11a/b/g/n - See table 2 See table 2 4.0 4.0 4.0 iPad Air 2 A1566 (WiFi only) A1567 (WiFi + cellular) 802.11a/b/g/n/ac 802.11a/b/g/n/ac - See table 2 4.0 4.0 iPad mini 2 A1489 (WiFi only) A1490 (WiFi + cellular) A1491 (WiFi + cellular) 802.11a/b/g/n 802.11a/b/g/n 802.11a/b/g/n - See table 2 See table 2 4.0 4.0 4.0 iPad Air A1474 (WiFi only) 802.11a/b/g/n - 4.0 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 6 of 75 Device Name Model Number WiFi Cellular Bluetooth A1475 (WiFi + cellular) A1476 (WiFi + cellular) 802.11a/b/g/n 802.11a/b/g/n See table 2 See table 2 4.0 4.0 Table 1: Devices Covered by the Evaluation The following table lists the cellular protocols supported by each model. Device Name Model Number Cellular iPhone 6 Plus/ iPhone 6 A1549/A1522 (GSM) A1549/A1522 (CDMA) A1586/A1524 UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz) GSM/EDGE (850, 900, 1800, 1900 MHz) LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26, 28, 29) CDMA EV-DO Rev. A and Rev. B (800, 1700/2100, 1900, 2100 MHz) UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz) GSM/EDGE (850, 900, 1800, 1900 MHz) LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26, 28, 29) CDMA EV-DO Rev. A and Rev. B (800, 1700/2100, 1900, 2100 MHz) UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz) TD-SCDMA 1900 (F), 2000 (A) GSM/EDGE (850, 900, 1800, 1900 MHz) FDD-LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26, 28, 29) TD-LTE (Bands 38, 39, 40, 41) iPhone 5s A1533 (GSM) A1533 (CDMA) A1453 UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz); LTE (Bands 1, 2, 3, 4, 5, 8, 13, 17, 19, 20, 25) CDMA EV-DO Rev. A and Rev. B (800, 1700/2100, 1900, 2100 MHz); UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz); LTE (Bands 1, 2, 3, 4, 5, 8, 13, 17, 19, 20, 25) CDMA EV-DO Rev. A and Rev. B (800, 1700/2100, 1900, 2100 MHz); UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 7 of 75 Device Name Model Number Cellular A1457 A1530 GSM/EDGE (850, 900, 1800, 1900 MHz); LTE (Bands 1, 2, 3, 4, 5, 8, 13, 17, 18, 19, 20, 25, 26) UMTS/HSPA+/DC-HSDPA (850, 900, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz); LTE (Bands 1, 2, 3, 5, 7, 8, 20) UMTS/HSPA+/DC-HSDPA (850, 900, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz); FDD-LTE (Bands 1, 2, 3, 5, 7, 8, 20); TD-LTE (Bands 38, 39, 40) iPad mini 3 WiFi + cellular UMTS/HSPA/HSPA+/DC‑HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz) CDMA EV-DO Rev. A and Rev. B (800, 1900 MHz) LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26) iPad Air 2 WiFi + cellular UMTS/HSPA/HSPA+/DC‑HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz) CDMA EV-DO Rev. A and Rev. B (800, 1900 MHz) LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26, 28, 29, 38, 39, 40, 41) iPad mini 2 WiFi + cellular UMTS/HSPA/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz) CDMA EV-DO Rev. A and Rev. B (800, 1900 MHz) LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26) iPad Air WiFi + cellular UMTS/HSPA/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz) CDMA EV-DO Rev. A and Rev. B (800, 1900 MHz) LTE (Bands 1, 2, 3, 4, 5, 7, 8, 13, 17, 18, 19, 20, 25, 26) Table 2: Cellular Protocols Supported 1.5 TOE Architecture The implementation of TOE architecture can be viewed as a set of layers, which are shown in Figure 1. Lower layers contain fundamental services and technologies. Higher-level layers build upon the lower layers and provide more sophisticated services and technologies. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 8 of 75 Figure 1: Layers of iOS 9.2 The individual layers provide the following services. The Cocoa Touch layer contains key frameworks for building iOS apps. These frameworks define the appearance of applications (apps). They also provide the basic app infrastructure and support for key technologies such as multitasking, touch-based input, push notifications, and many high-level system services. When designing apps, one should investigate the technologies in this layer first to see if they meet the needs. The Media layer contains the graphics, audio, and video technologies you use to implement multimedia experiences in apps. The technologies in this layer make it easy to build apps that look and sound great. The Core Services layer contains fundamental system services for apps. Key among these services are the Core Foundation and Foundation frameworks, which define the basic types that all apps use. This layer also contains individual technologies to support features such as location, iCloud, social media, and networking. This layer also implements data protection functions that allow apps that work with sensitive user data to take advantage of the built-in encryption available on some devices. When an app designates a specific file as protected, the system stores that file on disk in an encrypted format. While the device is locked, the contents of the file are inaccessible to both the app and to any potential intruders. However, when the device is unlocked by the user, a decryption key is created to allow the app to access the file. Other levels of data protection are also available. The Core OS layer contains the low-level features that most other technologies are built upon. Even if an app does not use these technologies directly, they are most likely being used by other frameworks. And in situations where an app needs to explicitly deal with security or communicating with an external hardware accessory, it does so by using the frameworks in this layer. Security related frameworks provided by this layer are: • the Generic Security Services Framework, providing services as specified in RFC 2743 (Generic Security Service Application Program Interface Version 2, Update 1) and RFC 4401 (Pseudo Random Function) • the Local Authentication Framework • the Network Extension Framework, providing support for configuring and controlling VPN tunnels Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 9 of 75 • the Security Framework, providing services to manage and store certificates, public and private keys, and trust policies. This framework also provides the Common Crypto library for symmetric encryption and hash-based message authentication codes • the System Framework, providing the kernel environment, drivers, and low-level UNIX interfaces. The kernel manages the virtual memory system, threads, file system, network, and inter-process communication and is therefore responsible for separating apps from each other and controlling the use of low-level resources. The TOE may be managed by a mobile device management (MDM) solution that enables an enterprise to control and administer the TOE instances that are enrolled in the MDM solution. 1.5.1 Physical Boundaries The TOE is a Mobile Device which is composed of a hardware platform and its system software. It provides wireless connectivity and includes software for VPN connection, for access to the protected enterprise network, enterprise data and applications, and for communicating to other Mobile Devices. The software for the VPN connection is evaluated separately. The TOE does not include the user applications that run on top of the operating system, but does include controls that limit application behavior. The TOE may be used as a mobile device within an enterprise environment where the configuration of the device is managed through an evaluated MDM solution. The TOE communicates and interacts with 802.11-2012 Access Points and mobile data networks to establish network connectivity, and the through that connectivity interacts with MDM servers that allow administrative control of the TOE. 1.5.2 Security Functions provided by the TOE The TOE provides the security functionality required by [MDFPP2]. 1.5.2.1 Cryptographic Support The TOE provides cryptographic services via two cryptographic modules1 : • The Apple iOS CoreCrypto Kernel Module v6 • The Apple iOS CoreCrypto Module v6 The iOS CoreCrypto Kernel Module is an iOS kernel extension optimized for library use within the iOS kernel. Once the module is loaded into the iOS kernel its cryptographic functions are made available to iOS Kernel services only. The following figure shows the boundary of the iOS CoreCrypto Kernel Module within the TOE. 1 At the time of writing these modules are in process for FIPS 140-2 testing and validation. Please see http://csrc.nist.gov/groups/STM/cmvp/inprocess.html for details. Once validated by the CMVP the Security Policy documents for the modules will be available at http://csrc.nist.gov/groups/STM/cmvp/validation.html Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 10 of 75 Figure 2: Logical Block Diagram of the iOS CoreCrypto Kernel Module The iOS CoreCrypto Module is designed for library use within the iOS user space. It is implemented as an iOS dynamically loadable library. The dynamically loadable library is loaded into the iOS application and its cryptographic functions are made available to the application. A second instance of this module is used within the secure enclave to provide cryptographic services there. The following figure shows the boundary of the iOS CoreCrypto Module within the TOE. Figure 3: Logical Block Diagram of the iOS CoreCrypto Module. The cryptographic functions provided include symmetric key generation, encryption and decryption using the Triple-DES and Advanced Encryption Standard (AES) algorithms, asymmetric key generation and key establishment, cryptographic hashing, and keyed-hash message authentication. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 11 of 75 The functions listed below are used to implement the security protocols supported as well as for the encryption of data-at-rest. • Random Number Generation; Symmetric key generation o SP 800-90A DRBG  CTR_DRBG with AES 128 core, with derivation function and without prediction resistance  CTR DRBG with AES 256 core without derivation function and without prediction resistance. • Symmetric Encryption and Decryption o FIPS 197 AES ,SP 800-38 A, SP 800-38 DSP 800-38 F  Key sizes: 128/256 bits Block chaining modes: CBC, GCM, KW • Digital Signature and Asymmetric Key Generation o FIPS 186-4 RSA, PKCS #1.5  GenKey9.31, SigGenPKCS1.5 (2048/3072), SigVerPKCS1.5 (1024/2048/3072) o FIPS 186-4 ECDSA, ANSI X9.62  PKG: curves P-256, P-384  PKV: curves P-256, P-384  SIG(gen): curves P-256, P-384  SIG(ver): curves P-256, P-384 • Message Digest o FIPS 180-4 SHS  SHA-1, SHA-2( 224, 256, 384, 512) • Keyed Hash o FIPS 198 HMAC  SHA-1, SHA-2( 224, 256, 384, 512) • PBKDF o SP 800-132  Password based key derivation using HMAC with SHA-1 or SHA-2 as pseudorandom function • EC Diffie-Hellman o Curve25519 1.5.2.2 User Data Protection User data in files is protected using cryptographic functions, ensuring this data remains protected even if the device gets lost or is stolen. Critical data like passwords used by applications or application defined cryptographic keys can be stored in the key chain, which provides additional protection. Password protection and encryption ensure that data-at-rest remains protected even in the case the device is lost or stolen. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 12 of 75 Data can also be protected such that only the application that owns the data can access it. 1.5.2.3 Identification and Authentication Except for making emergency calls, users need to authenticate using a password. This password can be configured for a minimum length, for dedicated password policies and for a maximum life time. When entered, passwords are obscured and the frequency of entering passwords is limited as well as the number of consecutive failed attempts of entering the password. The TOE also enters a locked state after a (configurable) time of user inactivity and the user is required to enter his password to unlock the TOE. External entities connecting to the TOE via a secure protocol (Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), TLS, IPsec) can be authenticated using X.509 certificates. 1.5.2.4 Security Management The security functions listed in Table 3 can be managed either by the user or by an authorized administrator through a MDM system. This table identifies the functions that can be managed and indicates, if the management can be performed by the user, by the authorized administrator, or both. 1.5.2.5 Protection of the TSF Some of the functions the TOE implements to protect the TSF and TSF data are: • Protection of cryptographic keys. Keys used for TOE internal key wrapping and for the protection of data-at-rest are not exportable. There are provisions for fast and secure wiping of key material. • Use of memory protection and processor states to separate applications and protect the TSF from unauthorized access to TSF resources. In addition, each device includes a separate system called the "secure enclave" which is the only system that can use the Root Encryption Key (REK). • Digital signature protection of the TSF image. All updates to the TSF need to be digitally signed. • Software/firmware integrity self-test upon start-up. The TOE will not go operational when this test fails. • Digital signature verification for applications • Access to defined TSF data and TSF services only when the TOE is unlocked 1.5.2.6 TOE Access The TSF provides functions to lock the TOE upon request and after an administrator configurable time of inactivity. Access to the TOE via a wireless network is controlled by user/administrator defined policy. 1.5.2.7 Trusted Path/Channels The TOE supports the use of the following cryptographic protocols that define a trusted channel between itself and another trusted IT product. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 13 of 75 • IEEE 802.11-2012 • IEEE 802.1X • EAP-TLS • TLS • IPsec (addressed in a separate evaluation) 1.5.3 TOE Documentation [iOS_SEC] iOS Security, iOS 9.0 or later (September 2015) [iOS_TEC] iOS Technology Overview [iPhone_UG] iPhone User Guide for iOS 9.2 (Sept 16, 2015) [iPad_UG] iPad User Guide for iOS 9.2 (Sept 16, 2015) [iOS_CFG] Configuration Profile Reference (October 8, 2015) [iOS_DPR] iOS Deployment Reference 1.5.4 Technical Decisions The following technical decisions were found to be applicable to the TOE: [TD0060] FDP_IFC_EXT.1 & FMT_SMF_EXT.1 Function 3 [TD0059] FCS_SRV_EXT.1 & CAVS [TD0058] MDFPP v2.0 FMT_SMF_EXT.1, function 15 [TD0057] Update to TD0047 for Non Wear Leveled Flash Memory [TD0048] Curve25519 Implementations in FDP_DAR_EXT.2.2 Requirement [TD0044] Update to FMT_SMF_EXT.1 [TD0034] Revision of Test 5 in FCS_TLSC_EXT.1.1 & EXT.2.1 reqs in MDF PP V2.0, MDM PP V2.0, MDM Agent PP V2.0 1.5.5 Other References [BT] Specification of the Bluetooth System 4.0 https://www.bluetooth.com/specifications/adopted-specifications [MDFPP2] Protection Profile for Mobile Device Fundamentals, Version 2.0[TD0064] Whitelisting SSIDs (FMT_SMF_EXT.1, function 6) in MDF PP v2.0 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 14 of 75 2 Conformance Claims 2.1 CC Conformance This Security Target is conformant to: • Common Criteria for Information Technology Security Evaluations Part 1, Version 3.1, Revision 4, September 2012: • Common Criteria for Information Technology Security Evaluations Part 2, Version 3.1, Revision 4, September 2012: Part 2 extended • Common Criteria for Information Technology Security Evaluations Part 3, Version 3.1, Revision 4, September 2012: Part 3 extended 2.2 Protection Profile (PP)Conformance This Security Target is conformant to: • Protection Profile for Mobile Device Fundamentals, Version 2.0, dated 17 September 2014 [MDFPP2]. 2.3 Conformance Rationale This Security Target provides exact conformance to version 2.0 of the Mobile Device Fundamentals Protection Profile [MDFPP2]. The security problem definition, security objectives and security requirements in this Security Target are all taken from the PP performing only operations defined there. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 15 of 75 3 Security Problem Definition The security problem definition has been taken from [MDFPP2] and is reproduced here for the convenience of the reader. 3.1 Threats T.EAVESDROP Network Eavesdropping An attacker is positioned on a wireless communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the Mobile Device and other endpoints. T.NETWORK Network Attack An attacker is positioned on a wireless communications channel or elsewhere on the network infrastructure. Attackers may initiate communications with the Mobile Device or alter communications between the Mobile Device and other endpoints in order to compromise the Mobile Device. These attacks include malicious software update of any applications or system software on the device. These attacks also include malicious web pages or email attachments which are usually delivered to devices over the network. T.PHYSICAL Physical Access The loss or theft of the Mobile Device may give rise to loss of confidentiality of user data including credentials. These physical access threats may involve attacks which attempt to access the device through external hardware ports, through its user interface, and also through direct and possibly destructive access to its storage media. The goal of such attacks is to access data from a lost or stolen device which is not expected to return to its user. Note: Defending against device re-use after physical compromise is out of scope for this protection profile. T.FLAWAPP Malicious or Flawed Application Applications loaded onto the Mobile Device may include malicious or exploitable code. This code could be included intentionally by its developer or unknowingly by the developer, perhaps as part of a software library. Malicious apps may attempt to exfiltrate data to which they have access. They may also conduct attacks against the platform’s system software which will provide them with additional privileges and the ability to conduct further malicious activities. Malicious applications may be able to control the device's sensors (GPS, camera, microphone) to gather intelligence about the user's surroundings even when those activities do not involve data resident or transmitted from the device. Flawed applications may give an attacker access to perform network-based or physical attacks that otherwise would have been prevented. T.PERSISTENT Persistent Presence Persistent presence on a device by an attacker implies that the device has lost integrity and cannot regain it. The device has likely lost this integrity due to some other threat vector, yet the continued access by an attacker constitutes an on-going threat in itself. In this case the device and its data may be controlled by an adversary at least as well as by its legitimate owner. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 16 of 75 3.2 Assumptions A.CONFIG It is assumed that the TOE’s security functions are configured correctly in a manner to ensure that the TOE security policies will be enforced on all applicable network traffic flowing among the attached networks. A.NOTIFY It is assumed that the mobile user will immediately notify the administrator if the Mobile Device is lost or stolen. A.PRECAUTION It is assumed that the mobile user exercises precautions to reduce the risk of loss or theft of the Mobile Device. 3.3 Organization Security Policies There are no Organizational Security Policies for the Mobile Device. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 17 of 75 4 Security Objectives The security objectives have been taken from [MDFPP2] and are reproduced here for the convenience of the reader. 4.1 Security Objectives for the TOE O.COMMS Protected Communications To address the network eavesdropping and network attack threats described in Section 3.1, concerning wireless transmission of Enterprise and user data and configuration data between the TOE and remote network entities, conformant TOEs will use a trusted communication path. The TOE will be capable of communicating using one (or more) of these standard protocols: IPsec, TLS, HTTPS, or Bluetooth. The protocols are specified by RFCs that offer a variety of implementation choices. Requirements have been imposed on some of these choices (particularly those for cryptographic primitives) to provide interoperability and resistance to cryptographic attack. While conformant TOEs must support all of the choices specified in the ST, they may support additional algorithms and protocols. If such additional mechanisms are not evaluated, guidance must be given to the administrator to make clear the fact that they were not evaluated. O.STORAGE Protected Storage To address the issue of loss of confidentiality of user data in the event of loss of a Mobile Device (T.PHYSICAL), conformant TOEs will use data-at-rest protection. The TOE will be capable of encrypting data and keys stored on the device and will prevent unauthorized access to encrypted data. O.CONFIG Mobile Device Configuration To ensure a Mobile Device protects user and enterprise data that it may store or process, conformant TOEs will provide the capability to configure and apply security policies defined by the user and the Enterprise Administrator. If Enterprise security policies are configured these must be applied in precedence of user specified security policies. O.AUTH Authorization and Authentication To address the issue of loss of confidentiality of user data in the event of loss of a Mobile Device (T.PHYSICAL), users are required to enter an authentication factor to the device prior to accessing protected functionality and data. Some non-sensitive functionality (e.g., emergency calling, text notification) can be accessed prior to entering the authentication factor. The device will automatically lock following a configured period of inactivity in an attempt to ensure authorization will be required in the event of the device being lost or stolen. Authentication of the endpoints of a trusted communication path is required for network access to ensure attacks are unable to establish unauthorized network connections to undermine the integrity of the device. Repeated attempts by a user to authorize to the TSF will be limited or throttled to enforce a delay between unsuccessful attempts. O.INTEGRITY Mobile Device Integrity To ensure the integrity of the Mobile Device is maintained conformant TOEs will perform self- tests to ensure the integrity of critical functionality, software/firmware and data has been maintained. The user shall be notified of any failure of these self-tests. (This will protect against the threat T.PERSISTENT.) Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 18 of 75 To address the issue of an application containing malicious or flawed code (T.FLAWAPP), the integrity of downloaded updates to software/firmware will be verified prior to installation/execution of the object on the Mobile Device. In addition, the TOE will restrict applications to only have access to the system services and data they are permitted to interact with. The TOE will further protect against malicious applications from gaining access to data they are not authorized to access by randomizing the memory layout. 4.2 Security Objectives for the TOE Environment OE.CONFIG TOE administrators will configure the Mobile Device security functions correctly to create the intended security policy. OE.NOTIFY The Mobile User will immediately notify the administrator if the Mobile Device is lost or stolen. OE.PRECAUTION The Mobile User exercises precautions to reduce the risk of loss or theft of the Mobile Device. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 19 of 75 5 Security Functional Requirements This chapter describes the Security Functional Requirements (SFRs) for the TOE. The SFRs have been taken from [MDFPP2], with selections, assignments and potential refinements being applied. Selections and assignments performed as required by [MDFPP2] are marked in bold. Refinements are marked in bold, italics and underlined. Note that this ST does not identify selections, assignments or refinements already applied in [MDFPP2]. This ST also includes SFRs from appendix C of MDFPP2 based on selections made in the baseline SFRs. Those are indicated in the text. Assignment and selection operations performed on the SFRs defined in [MDFPP2] are indicated in bold. Refinements are indicated in bold, italics and underlined. 5.1 Cryptographic Support (FCS) 5.1.1 Cryptographic Key Management (FCS_CKM) 5.1.1.1 Cryptographic Key Generation FCS_CKM.1(1) Cryptographic Key Generation FCS_CKM.1.1(1) The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm • RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: • FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.3; • ECC schemes using “NIST curves” P-256, P-384 and no other curves that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4; • Curve25519 schemes that meet the following: IETF draft-irtf-cfrg-curves, "Elliptic Curves for Security". Application Note: The Bernstein curve 25519 has been added in compliance with NIAP TD0048. 5.1.1.2 Cryptographic Key Generation (WLAN) FCS_CKM.1(2) Cryptographic Key Generation FCS_CKM.1.1(2) The TSF shall generate symmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm PRF-384 and specified cryptographic key sizes 128 bits using a Random Bit Generator as specified in FCS_RBG_EXT.1 that meet the following: IEEE 802.11-2012. 5.1.1.3 Cryptographic Key Establishment FCS_CKM.2(1) Cryptographic Key Establishment Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 20 of 75 FCS_CKM.2.1(1) The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: • RSA-based key establishment schemes that meets the following: NIST Special Publication 800-56B, “Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”; and: • Elliptic curve-based key establishment schemes that meets the following: o NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” o IETF draft-irtf-cfrg-curves, "Elliptic Curves for Security". Application Note: This SFR has been stated in accordance with TD0048. 5.1.1.4 Cryptographic Key Distribution FCS_CKM.2(2) Cryptographic Key Distribution FCS_CKM.2.1(2) The TSF shall decrypt Group Temporal Key (GTK) in accordance with a specified cryptographic key distribution method AES Key Wrap in an EAPOL-Key frame that meets the following: NIST SP 800-38F, IEEE 802.11-2012 for the packet format and timing considerations and does not expose the cryptographic keys. 5.1.1.5 Cryptographic Key Support (REK) FCS_CKM_EXT.1 Extended: Cryptographic Key Support FCS_CKM_EXT.1.1 The TSF shall support a hardware-protected REK with a key of size 256 bits. FCS_CKM_EXT.1.2 System software on the TSF shall be able only to request AES encryption/decryption by the key and shall not be able to read, import, or export a REK. FCS_CKM_EXT.1.3 A REK shall be generated by a RBG in accordance with FCS_RBG_EXT.1. FCS_CKM_EXT.1.4 A REK shall not be able to be read from or exported from the hardware. Application Note: FCS_CKM_EXT.1.4 is included as required by Annex C.1 of the Protection profile. 5.1.1.6 Cryptographic Data Encryption Keys FCS_CKM_EXT.2 Extended: Cryptographic Key Random Generation FCS_CKM_EXT.2.1 All DEKs shall be randomly generated with entropy corresponding to the security strength of AES key sizes of 256 bits. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 21 of 75 5.1.1.7 Cryptographic Key Encryption Keys FCS_CKM_EXT.3 Extended: Cryptographic Key Generation FCS_CKM_EXT.3.1 All KEKs shall be 256-bit keys corresponding to at least the security strength of the keys encrypted by the KEK. FCS_CKM_EXT.3.2 The TSF shall generate all KEKs using one of the following methods: a) derive the KEK from a Password Authentication Factor using PBKDF and b) generate the KEK using an RBG that meets this profile (as specified in FCS_RBG_EXT.1). c) Combine the KEK from other KEKs in a way that preserves the effective entropy of each factor by using an XOR operation, encrypting one key with another. Application Note: The random number generator on the main device is used. 5.1.1.8 Cryptographic Key Destruction FCS_CKM_EXT.4 Extended: Key Destruction FCS_CKM_EXT.4.1 The TSF shall destroy cryptographic keys in accordance with the specified cryptographic key destruction methods: • by clearing the KEK encrypting the target key, • in accordance with the following rules: o For volatile memory, the destruction shall be executed by a single direct overwrite consisting of zeroes. o For non-volatile EEPROM, the destruction shall be executed by a single direct overwrite consisting of a pseudo random pattern using the TSF’s RBG (as specified in FCS_RBG_EXT.1), followed by a read-verify. o For non-volatile flash memory that is not wear-leveled, the destruction shall be executed by a block erase. o For non-volatile flash memory that is wear-leveled, the destruction shall be executed by a block erase. o For non-volatile memory other than EEPROM and flash, the destruction shall be executed by overwriting three or more times with a random pattern that is changed before each write. Application Note: This requirement has been modified to comply with NIAP TD0047 and TD0057. FCS_CKM_EXT.4.2 The TSF shall destroy all plaintext keying material and critical security parameters when no longer needed. 5.1.1.9 TSF Wipe FCS_CKM_EXT.5 Extended: TSF Wipe Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 22 of 75 FCS_CKM_EXT.5.1 The TSF shall wipe all protected data by: • Cryptographically erasing the encrypted DEKs and/or the KEKs in non-volatile memory by following the requirements in FCS_CKM_EXT.4.1; FCS_CKM_EXT.5.2 The TSF shall perform a power cycle on conclusion of the wipe procedure. 5.1.1.10 Cryptographic Salt Generation FCS_CKM_EXT.6 Extended: Salt Generation FCS_CKM_EXT.6.1 The TSF shall generate all salts using a RBG that meets FCS_RBG_EXT.1. Application Note: the salt is generated using the random number generator implemented in the secure enclave, which like the one implemented in the main device satisfies the requirements of FCS_RBG_EXT.1. A proprietary Entropy Assessment Report has been provided to NIAP that gives details of both random number generators. 5.1.2 Cryptographic Operations (FCS_COP) 5.1.2.1 Confidentiality Algorithms FCS_COP.1(1) Cryptographic Operation FCS_COP.1.1(1) The TSF shall perform encryption/decryption in accordance with a specified cryptographic algorithm • AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode, • AES-CCMP (as defined in FIPS PUB 197, NIST SP 800-38C and IEEE 802.11- 2012), and • AES Key Wrap (KW) (as defined in NIST SP 800-38F), • AES-GCM (as defined in NIST SP 800-38D), • AES-CCM (as defined in NIST SP 800-38C), and cryptographic key sizes 128-bit key sizes and 256-bit key sizes. 5.1.2.2 Hashing Algorithms FCS_COP.1(2) Cryptographic operation FCS_COP.1.1(2) The TSF shall perform cryptographic hashing in accordance with a specified cryptographic algorithm SHA-1 and SHA-256, SHA-384, SHA-512 and message digest sizes 160 and 256, 384, 512 bits that meet the following: FIPS Pub 180-4. 5.1.2.3 Signature Algorithms FCS_COP.1(3) Cryptographic Operation Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 23 of 75 FCS_COP.1.1(3) The TSF shall perform cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm • RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 4 and: • ECDSA schemes using “NIST curves” P-256 and P-384 that meet the following: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5. 5.1.2.4 Keyed Hash Algorithms FCS_COP.1(4) Cryptographic Operation FCS_COP.1.1(4) The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm HMAC-SHA-1 and HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA- 512 and cryptographic key sizes 128 to 256 bit and message digest sizes 160 and 256, 384, 512 bits that meet the following: FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code, and FIPS Pub 180-4, “Secure Hash Standard". 5.1.2.5 Password-Based Key Derivation Functions FCS_COP.1(5) Cryptographic Operation FCS_COP.1.1(5) The TSF shall perform Password-based Key Derivation Functions in accordance with a specified cryptographic algorithm HMAC-SHA-1, with a minimum of 10,000 iterations, and output cryptographic key sizes 256 that meet the following: NIST SP 800-132. Application note: The number of iterations is calibrated to take at least 80 milliseconds and is a minimum of 10,000. The number of iterations may be greater in some devices. 5.1.3 HTTPS Protocol (FCS_HTTPS) FCS_HTTPS_EXT.1 Extended: HTTPS Protocol FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818. FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS (FCS_TLSC_EXT.2). FCS_HTTPS_EXT.1.3 The TSF shall notify the application and not establish the connection if the peer certificate is deemed invalid. 5.1.4 Initialization Vector Generation (FCS_IV) FCS_IV_EXT.1 Extended: Initialization Vector Generation FCS_IV_EXT.1.1 The TSF shall generate IVs in accordance with Table 14 defined in MFDPP: References and IV Requirements for NIST-approved Cipher Modes. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 24 of 75 5.1.5 Random Bit Generation (FCS_RBG) FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation) FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance with NIST Special Publication 800-90A using CTR_DRBG (AES). FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by an entropy source that accumulates entropy from TSF-hardware-based noise source with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate. FCS_RBG_EXT.1.3 The TSF shall be capable of providing output of the RBG to applications running on the TSF that request random bits. 5.1.6 Cryptographic Algorithm Services (FCS_SRV) FCS_SRV_EXT.1 Extended: Cryptographic Algorithm Services FCS_SRV_EXT.1.1 The TSF shall provide a mechanism for applications to request the TSF to perform the following cryptographic operations: • All mandatory and selected algorithms in FCS_CKM.2(1) • The following algorithms in FCS_COP.1(1): AES-CBC, AES Key Wrap, AES-GCM, AES-CCM • All mandatory and selected algorithms in FCS_COP.1(3) • All mandatory and selected algorithms in FCS_COP.1(2) • All mandatory and selected algorithms in FCS_COP.1(4) • All mandatory and selected algorithms in FCS_CKM.1(1), • No other cryptographic operations. 5.1.7 Cryptographic Key Storage (FCS_STG) 5.1.7.1 Secure Key Storage FCS_STG_EXT.1 Extended: Cryptographic Key Storage FCS_STG_EXT.1.1 The TSF shall provide software-based secure key storage for asymmetric private keys and symmetric keys, persistent secrets. FCS_STG_EXT.1.2 The TSF shall be capable of importing keys/secrets into the secure key storage upon request of the administrator and applications running on the TSF. FCS_STG_EXT.1.3 The TSF shall be capable of destroying keys/secrets in the secure key storage upon request of the administrator. FCS_STG_EXT.1.4 The TSF shall have the capability to allow only the application that imported the key/secret Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 25 of 75 the use of the key/secret. Exceptions may only be explicitly authorized bya common application developer. FCS_STG_EXT.1.5 The TSF shall allow only the application that imported the key/secret to request that the key/secret be destroyed. Exceptions may only be explicitly authorized by a common application developer. 5.1.7.2 Encryption of Stored Keys FCS_STG_EXT.2 Extended: Encrypted Cryptographic Key Storage FCS_STG_EXT.2.1 The TSF shall encrypt all DEKs and KEKs and all software-based key storage by KEKs that are 1) Protected by the REK with a. encryption by a KEK chaining to a REK, 2) Protected by the REK and the password with a. encryption by a KEK chaining to a REK and the password-derived KEK. FCS_STG_EXT.2.2 DEKs and KEKs and all software-based key storage shall be encrypted using AES in the Key Wrap (KW) mode. 5.1.7.3 Integrity of Stored Keys FCS_STG_EXT.3 Extended: Integrity of Encrypted Key Storage FCS_STG_EXT.3.1 The TSF shall protect the integrity of any encrypted DEKs and KEKs and no other keys by • Key Wrap cipher mode for encryption according to FCS_STG_EXT.2; FCS_STG_EXT.3.2 The TSF shall verify the integrity of the MAC of the stored key prior to use of the key. 5.1.8 TLS Client Protocol (FCS_TLSC) 5.1.8.1 EAP-TLS Client Protocol FCS_TLSC_EXT.1 Extended: EAP TLS Protocol FCS_TLSC_EXT.1.1 The TSF shall implement TLS 1.0 and no other TLS version supporting the following ciphersuites: • Mandatory Ciphersuites: o TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246 • and the following Ciphersuites allowed as optional in MDFPP2: o TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 26 of 75 FCS_TLSC_EXT.1.2 The TSF shall verify that the server certificate presented for EAP-TLS chains to one of the specified CAs. FCS_TLSC_EXT.1.3 The TSF shall not establish a trusted channel if the peer certificate is invalid. FCS_TLSC_EXT.1.4 The TSF shall support mutual authentication using X.509v3 certificates. 5.1.8.2 TLS Client Protocol FCS_TLSC_EXT.2 Extended: TLS Protocol FCS_TLSC_EXT.2.1 The TSF shall implement TLS 1.2 (RFC 5246) supporting the following ciphersuites: • Mandatory Ciphersuites: o TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246 • and the following Ciphersuites allowed as optional in MDFPP2: o TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246 o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 o TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 o TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 o TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 o TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 o TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 o TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 FCS_TLSC_EXT.2.2 The TSF shall verify that the presented identifier matches the reference identifier according to RFC 6125. FCS_TLSC_EXT.2.3 The TSF shall not establish a trusted channel if the peer certificate is invalid. FCS_TLSC_EXT.2.4 The TSF shall support mutual authentication using X.509v3 certificates. FCS_TLSC_EXT.2.5 The TSF shall present the Supported Elliptic Curves Extension in the Client Hello with the following NIST curves: secp256r1, secp384r1, and no other curves. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 27 of 75 5.2 User Data Protection (FDP) 5.2.1 Access Control (FDP_ACF) FDP_ACF_EXT.1 Extended: Security Access Control FDP_ACF_EXT.1.1 The TSF shall provide a mechanism to restrict the system services that are accessible to an application. FDP_ACF_EXT.1.2 The TSF shall provide an access control policy that prevents application processes from accessing all data stored by other application processes. Exceptions may only be explicitly authorized for such sharing by a common application developer. 5.2.2 Data-At-Rest Protection (FDP_DAR) FDP_DAR_EXT.1 Extended: Protected Data Encryption FDP_DAR_EXT.1.1 Encryption shall cover all protected data. FDP_DAR_EXT.1.2 Encryption shall be performed using DEKs with AES in the CBC mode with key size 256 bits. FDP_DAR_EXT.2 Extended: Sensitive Data Encryption FDP_DAR_EXT.2.1 The TSF shall provide a mechanism for applications to mark data and keys as sensitive. FDP_DAR_EXT.2.2 The TSF shall use an asymmetric key scheme to encrypt and store sensitive data received while the product is locked. FDP_DAR_EXT.2.3 The TSF shall encrypt any stored symmetric key and any stored private key of the asymmetric key(s) used for the protection of sensitive data according to FCS_STG_EXT.2.1 selection 2. 5.2.3 Subset Information Flow Control - VPN (FDP_IFC) FDP_IFC_EXT.1 Extended: Subset Information Flow Control FDP_IFC_EXT.1.1 The TSF shall enable all IP traffic (other than IP traffic required to establish the VPN connection) to flow through the IPsec VPN client. 5.2.4 Certificate Data Storage (FDP_STG) FDP_STG_EXT.1 Extended: User Data Storage FDP_STG_EXT.1.1 The TSF shall provide protected storage for the Trust Anchor Database. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 28 of 75 5.2.5 Inter-TSF User Data Protected Channel (FDP_UPC) FDP_UPC_EXT.1 Extended: Inter-TSF user data transfer protection FDP_UPC_EXT.1.1 The TSF provide a means for non-TSF applications executing on the TOE to use TLS, HTTPS, Bluetooth BR/EDR, and Bluetooth LE to provide a protected communication channel between the non-TSF application and another IT product that is logically distinct from other communication channels, provides assured identification of its end points, protects channel data from disclosure, and detects modification of the channel data. FDP_UPC_EXT.1.2 The TSF shall permit the non-TSF applications to initiate communication via the trusted channel. 5.3 Identification and Authentication (FIA) 5.3.1 Authentication Failures (FIA_AFL) FIA_AFL_EXT.1 Authentication failure handling FIA_AFL_EXT.1.1 The TSF shall detect when a configurable positive integer within 2 to 10 of unsuccessful authentication attempts occur related to last successful authentication by that user. FIA_AFL_EXT.1.2 When the defined number of unsuccessful authentication attempts has been surpassed, the TSF shall perform wipe of all protected data. FIA_AFL_EXT.1.3 The TSF shall maintain the number of unsuccessful authentication attempts that have occurred upon power off. 5.3.2 Bluetooth Authorization and Authentication (FIA_BLT) FIA_BLT_EXT.1 Extended: Bluetooth User Authorization FIA_BLT_EXT.1.1 The TSF shall require explicit user authorization before pairing with a remote Bluetooth device. 5.3.3 Port Access Entity Authentication (FIA_PAE) FIA_PAE_EXT.1 Extended: PAE Authentication FIA_PAE_EXT.1 The TSF shall conform to IEEE Standard 802.1X for a Port Access Entity (PAE) in the “Supplicant” role. 5.3.4 Password Management (FIA_PMG) FIA_PMG_EXT.1 Extended: Password Management FIA_PMG_EXT.1.1 The TSF shall support the following for the Password Authentication Factor: Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 29 of 75 1) Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and special characters:“!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”; 2) Password length up to 16 characters shall be supported. 5.3.5 Authentication Throttling (FIA_TRT) FIA_TRT_EXT.1 Extended: Authentication Throttling FIA_TRT_EXT.1.1 The TSF shall limit automated user authentication attempts by enforcing a delay between incorrect authentication attempts. The minimum delay shall be such that no more than 10attempts can be attempted per 500 milliseconds. 5.3.6 User Authentication (FIA_UAU) 5.3.6.1 Protected Authentication Feedback FIA_UAU.7 Protected authentication feedback FIA_UAU.7.1 The TSF shall provide only obscured feedback to the device’s display to the user while the authentication is in progress. 5.3.6.2 Authentication for Cryptographic Operation FIA_UAU_EXT.1 Extended: Authentication for Cryptographic Operation FIA_UAU_EXT.1.1 The TSF shall require the user to present the Password Authentication Factor prior to decryption of protected data and encrypted DEKs, KEKs and all software-based key storage at startup. 5.3.6.3 Timing of Authentication FIA_UAU_EXT.2 Extended: Timing of Authentication FIA_UAU_EXT.2.1 The TSF shall allow answering calls, make emergency calls, use the camera (unless its use is generally disallowed) on behalf of the user to be performed before the user is authenticated. FIA_UAU_EXT.2.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. 5.3.6.4 Re-Authentication FIA_UAU_EXT.3 Extended: Re-Authentication FIA_UAU_EXT.3.1 The TSF shall require the user to enter the correct Password Authentication Factor when the Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 30 of 75 user changes the Password Authentication Factor, and following TSF- and user-initiated locking in order to transition to the unlocked state, and no other conditions. 5.3.7 X509 Certificates (FIA_X509) 5.3.7.1 Validation of Certificates FIA_X509_EXT.1 Extended: Validation of certificates FIA_X509_EXT.1.1 The TSF shall validate certificates in accordance with the following rules: • RFC 5280 certificate validation and certificate path validation. • The certificate path must terminate with a certificate in the Trust Anchor Database. • The TSF shall validate a certificate path by ensuring the presence of the basicConstraints extension and that the CA flag is set to TRUE for all CA certificates. • The TSF shall validate the revocation status of the certificate using the Online Certificate Status Protocol (OCSP) as specified in RFC 2560. • The TSF shall validate the extendedKeyUsage field according to the following rules: o Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field. o Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field. o (Conditional) Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID 1.3.6.1.5.5.7.3.28) in the extendedKeyUsage field. FIA_X509_EXT.1.2 The TSF shall only treat a certificate as a CA certificate if the basic Constraints extension is present and the CA flag is set to TRUE. 5.3.7.2 X509 Certificate Authentication FIA_X509_EXT.2 Extended: X509 certificate authentication FIA_X509_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for EAP-TLS exchanges, and IPsec, TLS, HTTPS, and code signing for system software updates, code signing for mobile applications, code signing for integrity verification, no additional uses. FIA_X509_EXT.2.2 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall allow the administrator to choose whether to accept the certificate, allow the user to choose whether to accept the certificate. 5.3.7.3 Request Validation of Certificates FIA_X509_EXT.3 Extended: Request Validation of certificates Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 31 of 75 FIA_X509_EXT.3.1 The TSF shall provide a certificate validation service to applications. FIA_X509_EXT.3.2 The TSF shall respond to the requesting application with the success or failure of the validation. 5.4 Security Management (FMT) 5.4.1 Management of Functions in TSF (FMT_MOF) FMT_MOF_EXT.1 Extended: Management of security functions behavior FMT_MOF_EXT.1.1 The TSF shall restrict the ability to perform the functions in column 2 of Table 3 to the user. FMT_MOF_EXT.1.2 The TSF shall restrict the ability to perform the functions in column 4 of Table 3 to the administrator when the device is enrolled and according to the administrator-configured policy. 5.4.2 Specification of Management Functions (FMT_SMF) 5.4.2.1 Specification of Management Functions FMT_SMF_EXT.1 Extended: Specification of Management Functions FMT_SMF_EXT.1.1 The TSF shall be capable of performing the following management functions: Management Function User Administrator When enrolled Function 1: Configure password policy: a. minimum password length b. minimum password complexity c. maximum password lifetime - X X Function 2: Configure session locking policy: a. screen-lock enabled/disabled b. screen lock timeout c. number of authentication failures - X X Function 3: Enable/disable the VPN protection: a. across device - X X Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 32 of 75 Management Function User Administrator When enrolled Function 4 Enable/disable Bluetooth, Wi-Fi, cellular radio X - - Function 5: Enable/disable camera: a. across device b. no other method Enable/disable camera on a per-app basis - X X - X - Function 5: Enable/disable microphone on a per- app basis X - - Function 7: Configure security policy for each wireless network: a. specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s) b. security type c. authentication protocol d. client credentials to be used for authentication - X X Function 8: Transition to the locked state - X - Function 9: TSF wipe of protected data - X - Function 10: Configure application installation policy by c. denying installation of applications - X X Function 11: Import keys/secrets into the secure key storage - X - Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 33 of 75 Management Function User Administrator When enrolled Function 12: Destroy imported keys/secrets and no other keys/secrets in the secure key storage - X - Function 13: Import X.509v3 certificates in the Trust Anchor Database - X X Function 14: Remove imported X509v3 certificates and no other X509v3 certificates in the Trust Anchor Database X - - Function 15: Enroll the TOE in management X - - Function 16: Remove applications - X X Function 17: Update system software - X - Function 18: Install applications - X X Function 19: Remove Enterprise applications - X - Function 20: Configure the Bluetooth trusted channel: a. disable/enable the Discoverable mode (for BR/EDR) b. change the Bluetooth device name c. specify minimum level of security for each pairing. X - - Function 21: Enable/disable display notifications in the locked state of: all notifications X X - Function 23: Enable/disable Wi-Fi hotspot functionality X - - Function 28: Wipe Enterprise data - X X Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 34 of 75 Management Function User Administrator When enrolled Function 30: Configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate - X X Function 33: Configure certificate used to validate digital signature on application - X X Function 36: Configure the unlock banner - X X Function 40: Enable/disable backup to • remote system • locally connected system X X - Function 44: Enable/disable location services a. across device b. on a per-app basis X - - Function 45: The following additional functions can be managed: a. enable/disable submission of diagnostic reports b. enable/disable fingerprint (Touch ID) for unlock c. enable/disable screenshots d. enable/disable mandatory encryption for backups - - - - X X X X X X X X Table 3: Management Functions Application note: Most of the administrator management functions are implemented by the specification and installation of Configuration Profiles. Also for the enforcement of other functions like the password policy the installation of Configuration Profiles with dedicated values for some of the payload keys is required. Application note: With respect to function 3 the TOE allows for both demanding VPN across the device or defining a VPN on a per-App basis. NIAP TD0060 allows both options. Application note: Function 6 stated as mandatory in MDFPP Version 2 has been omitted in accordance with NIAP TD0064, which defines this function as optional. Application note: Function 24 has not been included in the table since the TOE does not support a developer mode. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 35 of 75 Application note: Function 25 has not been included in the table since the TOE has data-at- rest protection natively enabled. Application note: Function 26 has not been included in the table since the TOE does not support removable media. Backups can be made using iTunes and backup encryption can be made mandatory. Function 27 has not been included in the table since the TOE (in its evaluated configuration) does not support bypass of local user authentication. Function 32 has not been included in the table since auditing is not a function implemented 5.4.2.2 Specification of Remediation Actions FMT_SMF_EXT.2 Extended: Specification of Remediation Actions FMT_SMF_EXT.2.1 The TSF shall offer wipe of all data associated with profiles under management upon unenrollment and when issuing a remote wipe command. 5.5 Protection of the TSF (FPT) 5.5.1 Anti-Exploitation Services (FPT_AEX) 5.5.1.1 Address-Space Layout Randomization FPT_AEX_EXT.1 Extended: Anti-Exploitation Services (ASLR) FPT_AEX_EXT.1.1 The TSF shall provide address space layout randomization (ASLR) to applications. FPT_AEX_EXT.1.2 The base address of any user-space memory mapping will consist of at least 8 unpredictable bits. 5.5.1.2 Memory Page Permissions FPT_AEX_EXT.2 Extended: Anti-Exploitation Services (Memory Page Permissions) FPT_AEX_EXT.2.1 The TSF shall be able to enforce read, write, and execute permissions on every page of physical memory. FPT_AEX_EXT.2.2 The TSF shall prevent write and execute permissions from being simultaneously granted to any page of physical memory with no exceptions. 5.5.1.3 Overflow Protection FPT_AEX_EXT.3 Extended: Anti-Exploitation Services (Overflow Protection) FPT_AEX_EXT.3.1 TSF processes that execute in a non-privileged execution domain on the application processor shall implement stack-based buffer overflow protection. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 36 of 75 5.5.1.4 Domain Isolation FPT_AEX_EXT.4 Extended: Domain Isolation FPT_AEX_EXT.4.1 The TSF shall protect itself from modification by untrusted subjects. FPT_AEX_EXT.4.2 The TSF shall enforce isolation of address space between applications. 5.5.2 Key Storage (FPT_KST) 5.5.2.1 Plaintext Key Storage FPT_KST_EXT.1 Extended: Key Storage FPT_KST_EXT.1.1 The TSF shall not store any plaintext key material in readable non volatile memory. 5.5.2.2 No Key Transmission FPT_KST_EXT.2 Extended: No Key Transmission FPT_KST_EXT.2.1 The TSF shall not transmit any plaintext key material outside the security boundary of the TOE. 5.5.2.3 No Plaintext Key Export FPT_KST_EXT.3 Extended: No Plaintext Key Export FPT_KST_EXT.3.1 The TSF shall ensure it is not possible for the TOE user(s) to export plaintext keys. 5.5.3 Self-Test Notification (FPT_NOT) FPT_NOT_EXT.1 Extended: Self-Test Notification FPT_NOT_EXT.1.1 The TSF shall transition to non-operational mode and no other action when the following types of failures occur: • failures of the self-test(s) • TSF software integrity verification failures • no other failures. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 37 of 75 5.5.4 Reliable Time Stamps (FPT_STM) FPT_STM.1 Reliable time stamps FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use. 5.5.5 TSF Functionality Testing (FPT_TST) 5.5.5.1 TSF Cryptographic Functionality Testing FPT_TST_EXT.1 Extended: TSF Cryptographic Functionality Testing FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (on power on) to demonstrate the correct operation of all cryptographic functionality. 5.5.5.2 TSF Integrity Testing FPT_TST_EXT.2 Extended: TSF Integrity Testing FPT_TST_EXT.2.1 The TSF shall verify the integrity of the bootchain up through the Application Processor OS kernel, and baseband firmware stored in mutable media prior to its execution through the use of a digital signature using a hardware-protected asymmetric key. FPT_TST_EXT.2.2 The TSF shall not execute code if the code signing certificate is deemed invalid. Application Note: FPT_TST_EXT.2.2 has been included as required by Annex C.4 of the Protection Profile. 5.5.6 Trusted Update (FPT_TUD) 5.5.6.1 Trusted Update: TSF Version Query FPT_TUD_EXT.1 Extended: Trusted Update: TSF version query FPT_TUD_EXT.1.1 The TSF shall provide authorized users the ability to query the current version of the TOE firmware/software. FPT_TUD_EXT.1.2 The TSF shall provide authorized users the ability to query the current version of the hardware model of the device. FPT_TUD_EXT.1.3 The TSF shall provide authorized users the ability to query the current version of installed mobile applications. 5.5.6.2 Trusted Update Verification FPT_TUD_EXT.2 Extended: Trusted Update Verification Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 38 of 75 FPT_TUD_EXT.2.1 The TSF shall verify software updates to the Application Processor system software and no other processor system software using a digital signature by the manufacturer prior to installing those updates. FPT_TUD_EXT.2.2 The TSF shall never update the TSF boot integrity key. FPT_TUD_EXT.2.3 The TSF shall verify that the digital signature verification key used for TSF updates matches a hardware-protected public key. FPT_TUD_EXT.2.4 The TSF shall verify mobile application software using a digital signature mechanism prior to installation. FPT_TUD_EXT.2.5 The TSF shall by default only install mobile applications cryptographically verified by a built- in X.509v3 certificate. FPT_TUD_EXT.2.6 The TSF shall not install code if the code signing certificate is deemed invalid. 5.6 TOE Access (FTA) 5.6.1 Session Locking (FTA_SSL) 5.6.1.1 TSF- and User-initiated locked state FTA_SSL_EXT.1 Extended: TSF- and User-initiated locked state FTA_SSL_EXT.1.1 The TSF shall transition to a locked state after a time interval of inactivity. FTA_SSL_EXT.1.2 The TSF shall transition to a locked state after initiation by either the user or the administrator. FTA_SSL_EXT.1.3 The TSF shall, upon transitioning to the locked state, perform the following operations: a) clearing or overwriting display devices, obscuring the previous contents; b) zeroize the decrypted class key for the NSFileProtectionComplete class. 5.6.2 Wireless Network Access (FTA_WSE) FTA_WSE_EXT.1 Extended: Wireless Network Access FTA_WSE_EXT.1.1 The TSF shall be able to attempt connections to wireless networks specified as acceptable networks as configured by the administrator in FMT_SMF_EXT.1. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 39 of 75 5.7 Trusted Path/Channels (FTP) 5.7.1 Trusted Channel Communication (FTP_ITC) FTP_ITC_EXT.1 Extended: Trusted channel Communication FTP_ITC_EXT.1.1 The TSF shall use 802.11-2012, 802.1X, and EAP-TLS and TLS, HTTPS, IPsec protocol to provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels, provides assured identification of its end points, protects channel data from disclosure, and detects modification of the channel data. FTP_ITC_EXT.1.2 The TSF shall permit the TSF to initiate communication via the trusted channel. FTP_ITC_EXT.1.3 The TSF shall initiate communication via the trusted channel for wireless access point connections, administrative communication, configured enterprise connections, and no other connections. 5.8 Objective Requirements 5.8.1 Default TOE Access Banners (FTA_TAB) FTA_TAB.1 Default TOE Access Banners FTA_TAB.1.1 Before establishing a user session, the TSF shall display an advisory warning message regarding unauthorized use of the TOE. 5.8.2 Isolation of Baseband (FPT_BBD) FPT_BBD_EXT.1 Application Processor Mediation FPT_BBD_EXT.1.1 The TSF shall prevent code executing on any baseband processor (BP) from accessing application processor (AP) resources except when mediated by the AP. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 40 of 75 6 Security Assurance Requirements The Security Assurance Requirements for the TOE are defined in [MDFPP2]. They consist of the assurance components of Evaluation Assurance Level 1 (EAL1) as defined in part 3 of the CC augmented by ASE_SPD.1 and ALC_TSU_EXT.1, which is defined in [MDFPP2]. The assurance components included in [MDFPP2] are: • ASE_CCL.1 • ASE_ECD.1 • ASE_INT.1 • ASE_OBJ.1 • ASE_REQ.1 • ASE_SPD.1 • ASE_TSS.1 • ADV_FSP.1 • AGD_OPE.1 • AGD_PRE.1 • ALC_CMC.1 • ALC_CMS.1 • ALC_TSU_EXT • ATE_IND.1 • AVA_VAN.1 6.1 Security Target evaluation (ASE) 6.1.1 Conformance claims (ASE_CCL.1) ASE_CCL.1.1D The developer shall provide a conformance claim. ASE_CCL.1.2D The developer shall provide a conformance claim rationale. ASE_CCL.1.1C The conformance claim shall contain a CC conformance claim that identifies the version of the CC to which the ST and the TOE claim conformance. ASE_CCL.1.2C The CC conformance claim shall describe the conformance of the ST to CC Part 2 as either CC Part 2 conformant or CC Part 2 extended. ASE_CCL.1.3C The CC conformance claim shall describe the conformance of the ST to CC Part 3 as either CC Part 3 conformant or CC Part 3 extended. ASE_CCL.1.4C The CC conformance claim shall be consistent with the extended components definition. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 41 of 75 ASE_CCL.1.5C The conformance claim shall identify all PPs and security requirement packages to which the ST claims conformance. ASE_CCL.1.6C The conformance claim shall describe any conformance of the ST to a package as either package-conformant or package-augmented. ASE_CCL.1.7C The conformance claim rationale shall demonstrate that the TOE type is consistent with the TOE type in the PPs for which conformance is being claimed. ASE_CCL.1.8C The conformance claim rationale shall demonstrate that the statement of the security problem definition is consistent with the statement of the security problem definition in the PPs for which conformance is being claimed. ASE_CCL.1.9C The conformance claim rationale shall demonstrate that the statement of security objectives is consistent with the statement of security objectives in the PPs for which conformance is being claimed. ASE_CCL.1.10C The conformance claim rationale shall demonstrate that the statement of security requirements is consistent with the statement of security requirements in the PPs for which conformance is being claimed. ASE_CCL.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.1.2 Extended components definition (ASE_ECD.1) ASE_ECD.1.1D The developer shall provide a statement of security requirements. ASE_ECD.1.2D The developer shall provide an extended components definition. ASE_ECD.1.1C The statement of security requirements shall identify all extended security requirements. ASE_ECD.1.2C The extended components definition shall define an extended component for each extended security requirement. ASE_ECD.1.3C The extended components definition shall describe how each extended component is related to the existing CC components, families, and classes. ASE_ECD.1.4C The extended components definition shall use the existing CC components, families, classes, and methodology as a model for presentation. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 42 of 75 ASE_ECD.1.5C The extended components shall consist of measurable and objective elements such that conformance or nonconformance to these elements can be demonstrated. ASE_ECD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ASE_ECD.1.2E The evaluator shall confirm that no extended component can be clearly expressed using existing components. ST Introduction (ASE_INT.1) ASE_INT.1.1D The developer shall provide an ST introduction. ASE_INT.1.1C The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description. ASE_INT.1.2C The ST reference shall uniquely identify the ST. ASE_INT.1.3C The TOE reference shall identify the TOE. ASE_INT.1.4C The TOE overview shall summarise the usage and major security features of the TOE. ASE_INT.1.5C The TOE overview shall identify the TOE type. ASE_INT.1.6C The TOE overview shall identify any non-TOE hardware/software/firmware required by the TOE. ASE_INT.1.7C The TOE description shall describe the physical scope of the TOE. ASE_INT.1.8C The TOE description shall describe the logical scope of the TOE. ASE_INT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ASE_INT.1.2E The evaluator shall confirm that the TOE reference, the TOE overview, and the TOE description are consistent with each other. 6.1.3 Security objectives for the operational environment (ASE_OBJ.1) ASE_OBJ.1.1D Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 43 of 75 The developer shall provide a statement of security objectives. ASE_OBJ.1.1C The statement of security objectives shall describe the security objectives for the operational environment. ASE_OBJ.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.1.4 Stated security requirements (ASE_REQ.1) ASE_REQ.1.1D The developer shall provide a statement of security requirements. ASE_REQ.1.2D The developer shall provide a security requirements rationale. ASE_REQ.1.1C The statement of security requirements shall describe the SFRs and the SARs. ASE_REQ.1.2C All subjects, objects, operations, security attributes, external entities and other terms that are used in the SFRs and the SARs shall be defined. ASE_REQ.1.3C The statement of security requirements shall identify all operations on the security requirements. ASE_REQ.1.4C All operations shall be performed correctly. ASE_REQ.1.5C Each dependency of the security requirements shall either be satisfied, or the security requirements rationale shall justify the dependency not being satisfied. ASE_REQ.1.6C The statement of security requirements shall be internally consistent. ASE_REQ.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.1.5 Security problem definition (ASE_SPD.1) ASE_SPD.1.1D The developer shall provide a security problem definition. ASE_SPD.1.1C The security problem definition shall describe the threats. ASE_SPD.1.2C All threats shall be described in terms of a threat agent, an asset, and an adverse action. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 44 of 75 ASE_SPD.1.3C The security problem definition shall describe the OSPs. ASE_SPD.1.4C The security problem definition shall describe the assumptions about the operational environment of the TOE. ASE_SPD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.1.6 TOE summary specification (ASE_TSS.1) ASE_TSS.1.1D The developer shall provide a TOE summary specification. ASE_TSS.1.1C The TOE summary specification shall describe how the TOE meets each SFR. ASE_TSS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ASE_TSS.1.2E The evaluator shall confirm that the TOE summary specification is consistent with the TOE overview and the TOE description. 6.2 Development (ADV) 6.2.1 Basic functional specification (ADV_FSP.1) ADV_FSP.1.1d The developer shall provide a functional specification. ADV_FSP.1.2d The developer shall provide a tracing from the functional specification to the SFRs. ADV_FSP.1.1c The functional specification shall describe the purpose and method of use for each SFR- enforcing and SFR-supporting TSFI. ADV_FSP.1.2c The functional specification shall identify all parameters associated with each SFR- enforcing and SFR-supporting TSFI. ADV_FSP.1.3c The functional specification shall provide rationale for the implicit categorisation of interfaces as SFR-non-interfering. ADV_FSP.1.4c The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 45 of 75 ADV_FSP.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ADV_FSP.1.2e The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs. 6.3 Guidance documents (AGD) 6.3.1 Operational user guidance (AGD_OPE.1) AGD_OPE.1.1d The developer shall provide operational user guidance. AGD_OPE.1.1c The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings. AGD_OPE.1.2c The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner. AGD_OPE.1.3c The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate. AGD_OPE.1.4c The operational user guidance shall, for each user role, clearly present each type of security relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF. AGD_OPE.1.5c The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation. AGD_OPE.1.6c The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfil the security objectives for the operational environment as described in the ST. AGD_OPE.1.7c The operational user guidance shall be clear and reasonable. AGD_OPE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 46 of 75 6.3.2 Preparative procedures (AGD_PRE.1) AGD_PRE.1.1d The developer shall provide the TOE including its preparative procedures. AGD_PRE.1.1c The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures. AGD_PRE.1.2c The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST. AGD_PRE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AGD_PRE.1.2e The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation. 6.4 Life-cycle support (ALC) 6.4.1 Labelling of the TOE (ALC_CMC.1) ALC_CMC.1.1d The developer shall provide the TOE and a reference for the TOE. ALC_CMC.1.1c The TOE shall be labelled with its unique reference. ALC_CMC.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.4.2 TOE CM coverage (ALC_CMS.1) ALC_CMS.2.1d The developer shall provide a configuration list for the TOE. ALC_CMS.2.1c The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs. ALC_CMS.2.2c The configuration list shall uniquely identify the configuration items. ALC_CMS.2.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 47 of 75 6.4.3 Timely Security Updates (ALC_TSU_EXT.1) ALC_TSU_EXT.1.1d The developer shall provide a description in the TSS of how timely security updates are made to the TOE. ALC_TSU_EXT.1.1c The description shall include the process for creating and deploying security updates for the TOE software/firmware. ALC_TSU_EXT.1.2c The description shall express the time window as the length of time, in days, between public disclosure of a vulnerability and the public availability of security updates to the TOE. ALC_TSU_EXT.1.3c The description shall include the mechanisms publicly available for reporting security issues pertaining to the TOE. ALC_TSU_EXT.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.5 Tests (ATE) 6.5.1 Independent testing - conformance (ATE_IND.1) ATE_IND.1.1d The developer shall provide the TOE for testing. ATE_IND.1.1c The TOE shall be suitable for testing. ATE_IND.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ATE_IND.1.2e The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified. 6.6 Vulnerability assessment (AVA) 6.6.1 Vulnerability survey (AVA_VAN.1) AVA_VAN.1.1d The developer shall provide the TOE for testing. AVA_VAN.1.1c The TOE shall be suitable for testing. AVA_VAN.1.1e Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 48 of 75 The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AVA_VAN.1.2e The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE. AVA_VAN.1.3e The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 49 of 75 7 TOE Summary Specification This chapter describes the relevant aspects of how the security functional requirements are implemented in the security functionality provided by the TOE. This chapter is structured in accordance with the structuring of the security functional requirements in chapter 5 of this document, which in turn has been taken from the structure of the description of the security functional requirements in [MDFPP2]. 7.1 Hardware Protection Functions 7.1.1 The Secure Enclave The Secure Enclave is a coprocessor fabricated in the Apple A7, A8 and A8Xprocessors. It utilizes its own secure boot and personalized software update separate from the application processor. It provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised. The Secure Enclave uses encrypted memory and includes a hardware random number generator. Its microkernel is based on the L4 family, a second-generation microkernel generally used to implement Unix-like operating systems, with modifications by Apple. Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers. Note that only a small dedicated amount of memory used for communication between the secure enclave and the main system is shared. The main system has no access to other memory areas of the secure enclave. Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space. Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter. The UID also serves as the REK for the whole device. In addition to the UID also the Group Key (GID) and Apple's root certificate are provisioned during manufacturing. The GID is only unique per device type and is used in the secure software update process. Apple's root certificate is used to verify the integrity and authenticity of software during the secure boot process and for updates of the system software. The Secure Enclave has its own physical noise source and random number generator which is used for generating the salt value for the password-based key generation function PBKDF2, which uses AES with the device UID as the key for the pseudorandom function (PRF). The counter is calculated such that it takes at least 80 milliseconds to execute the function. While the counter value therefore may vary per device type, it is larger than 10.000 for each device type. The salt (128 bit) is regenerated every time the password changes. The salt value is stored AES encrypted with the UID in the system keybag. Other salt values used for functions in iOS are generated using the true random number generator (TRNG) of the application processor. This includes nonces used in the generation of DSA signatures as well as nonces required for the WiFi and TLS protocol. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 50 of 75 7.1.2 Memory Protection iOS uses the read and write protection for memory pages provided by the advanced RISC machine (ARM) processor for separating applications from the kernel and to provide a sandbox for each application. Further protection is provided by iOS using ARM’s Execute Never (XN) feature, which marks memory pages as non-executable. Memory pages marked as both writable and executable can be used only by apps under tightly controlled conditions: The kernel checks for the presence of the Apple-only dynamic code-signing entitlement. Even then, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. 7.2 Cryptographic support 7.2.1 Overview of Key Management Each TOE comes with a unique 256-bit AES key called the UID. This key is stored in the Secure Enclave and is not accessible by the "regular" processor. Even the software in the Secure Enclave cannot read the UID. It can only request encryption and decryption operations performed by a dedicated AES engine accessible only from the Secure Enclave. The UID itself is generated outside of the device in the production environment using a protected system with a random number generator that complies with the requirements of NIST Special Publication 800-90A and is seeded appropriately. (FCS_RBG_EXT.1.1 and FCS_RBG_EXT.1.2 for the random number generator used to generate the REK). The UID is used to derive two other keys, called "key 0x89B" and "key 0x835". Both keys are derived during the first boot by encrypting defined constants with the UID. Those keys then are used to wrap two other keys the "EMF key" (the file system master key, wrapped by "key 0x89B") and the "DKey" (the device key, wrapped by "key 0x835") and both are stored in block 0 of the flash memory, which is also called the "effaceable storage.” This area of flash memory can be wiped very quickly. Both keys are generated using the random number generator of the secure enclave (post-processed by the CTR_DRBG) when iOS is first installed or after the device has been wiped. All keys are generated using an internal entropy source post-processed by a deterministic random number generator (DRNG) (CTR_DRBG). System entropy is generated from timing variations during boot, and additionally from interrupt timing once the device has booted. Keys generated inside the Secure Enclave use its true hardware random number generator based on multiple ring oscillators post processed with CTR_DRBG. The EMF key is used as a master key used for the encryption of file system metadata. The EMF key is generated using the random number generator of the secure enclave (post- processed by the CTR_DRBG) when iOS is first installed or after the device has been wiped. Also all class keys are generated in the secure enclave and passed to the iOS kernel in wrapped form only. The Dkey is used within the key hierarchy to directly wrap the class keys that can be used when the device is locked. For class keys that can only be used when the device is unlocked the class keys are wrapped with the XOR of the Dkey and the passcode key. Every time a file on the data partition is created, a new 256-bit AES key (the "per-file" key) is created using the hardware random number generator of the secure enclave post-processed by CTR_DBRG. Files are encrypted using this key with AES in cipher block chaining (CBC) mode where the initialization vector (IV) is calculated with the block offset into the file, Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 51 of 75 encrypted with the SHA-1 hash of the per-file key. (FCS_RBG_EXT.1 for the data encryption keys). Each per-file keys is wrapped (in the secure enclave) with the class key of the file's class and then stored in the metadata of the file. Key wrapping uses AES key wrapping per RFC3394. Class keys themselves are wrapped either with device key only (for the class NSFileProtectionNone) or are wrapped with a key derived from the device key and the passcode key using XOR. This key wrapping is also performed within the secure enclave. Each file belongs to one of the following classes with its associated class key. NSFileProtectionComplete The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the 'Require Password' setting is 'Immediately'), the decrypted class key is erased, rendering all data in this class inaccessible until the user enters the passcode again. NSFileProtectionCompleteUnlessOpen Some files may need to be written while the device is locked. A good example of this is a mail attachment downloading in the background. This behavior is achieved by using asymmetric elliptic curve cryptography (ECDH over Curve25519). iOS implements this by generating a device-wide asymmetric key pair and then protects the private key of this pair by encrypting it with the class key for the NSFileProtectionCompleteUnlessOpen class. Note that this class key can only be unwrapped when the device is unlocked since it requires the passcode to be entered which then is used in the key derivation function (KDF) for that generates the key encryption key (KEK) for this class key as described above. The device- wide asymmetric key pair is generated within the secure enclave. When receiving data to be protected when the device is in the locked state, the application can create a file with the file attribute NSFileProtectionCompleteUnlessOpen. In this case iOS generates another asymmetric key pair within the secure enclave (per file object used to store the data). The device-wide public key and the file object private key are then used to generate a shared secret (using one-pass DH as described in NIST SP 800-56A). The KDF is a Concatenation Key Derivation Function (Approved Alternative 1) as described in 5.8.1 of NIST SP 800-56A. AlgorithmID is omitted. PartyUInfo and PartyVInfo are the ephemeral and static public keys, respectively. SHA-256 is used as the hashing function. The key generated that way is used as the symmetric key to encrypt the data. The object private key and the shared secret are cleared when the file is closed and only the object public key is stored with the file object. To read the file, the per file object shared secret is regenerated using the device-wide private key and the per file object public key. Unwrapping of the device-wide private key can only be performed when the correct passcode has been entered, since the device-wide private key is wrapped with a key that can only be unwrapped with a class key that itself can only be unwrapped when the passcode is available. The guidance given in section D.3.3 of MDFPP Version 2 allows a key agreement scheme to be used. The key agreement scheme implemented uses using ECDH over curve 25519. When the correct passcode has been entered, the files with sensitive data received while the device was in the locked state get their per-file key re-wrapped with the NSFileProtectionCompleetUnlessOpenclass key. It is up to the application to check when the device is unlocked and then cause iOS to re-wrap the file encryption key with the class key for the NSFileProtectionComplete class by changing the file's NSFileProtectionKey attribute to NSFileProtectionComplete. Protected Until First User Authentication Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 52 of 75 This class behaves in the same way as Complete Protection, except that the decrypted class key is not removed from memory when the device is locked. The protection in this class has similar properties to desktop full-volume encryption, and protects data from attacks that involve a reboot. This is the default class for all third-party app data not otherwise assigned to a Data Protection class. NSFileProtectionNone This class key is wrapped only with the device key, and is kept in Effaceable Storage. Since all the keys needed to decrypt files in this class are stored on the device, the encryption only affords the benefit of fast remote wipe. If a file is not assigned a Data Protection class, it is still stored in encrypted form (as is all data on an iOS device). Keychain data is protected using a class structure similar to the one used for files. Those classes have behaviors equivalent to the file Data Protection classes but use distinct keys. In addition there are keychain classes with the additional extension "ThisDeviceOnly". Class keys for those classes are wrapped with a key that is also derived from the Device Key which, when copied from a device during backup and restored on a different device will make them useless. The keys for both file and keychain Data Protection classes are collected and managed in keybags. iOS uses the following four keybags: system, backup, escrow, and iCloudBackup. Relevant for the keys used for functions defined in [MDFPP2] are the keys stored in the System keybag and some keys stored in the Escrow keybag used for device update and keys used by Mobile Device Management. The system keybag is where the wrapped class keys used in normal operation of the device are stored. For example, when a passcode is entered, the NSFileProtectionComplete key is loaded from the system keybag and unwrapped. It is a binary plist stored in the No Protection class, but whose contents are encrypted with a key held in Effaceable Storage. In order to give forward security to keybags, this key is wiped and regenerated each time a user changes their passcode. The AppleKeyStore kernel extension manages the system keybag, and can be queried regarding a device’s lock state. It reports that the device is unlocked only if all the class keys in the system keybag are accessible, and have been unwrapped successfully. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 53 of 75 The following figure provides an overview on the key management hierarchy implemented in iOS: Figure 4:Key Hierarchy in iOS The Data Protection application programmers interface (API) can be used by applications to define the class a new file belongs to by using NSFileProtectionKey attribute and set its value to one of the classes described above. When the device is locked, a new file can only be created in the classes NSFileProtectionNone and NSFileProtectionCompleteUnlessOpen. Note that the UID is not accessible by any software and that the two keys 'Key 0x89B' and 'Key 0x835' are both derived by encrypting defined values (identical for all devices) with the Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 54 of 75 UID. Both are stored in the Secure Enclave. All other keys shown in the figure are stored in wrapped form in persistent storage and unwrapped when needed. To summarize: • All file system items and all key chain items are stored in encrypted form only. • File system metadata is encrypted using the EMF key. • Files and key chain items are encrypted with individual keys. Those keys are wrapped with the class key of the class the file or keychain item belongs to. • Files and key chain items belonging to the classes 'NSFileProtectionNone' (files) and 'Always' or 'AlwaysThisDeviceOnly' are encrypted with keys that are wrapped with the Dkey only. Those items can be accessed (decrypted) before the user is authenticated. For all other classes the passcode key (which is derived from the user's passcode) is used in the generation of the wrapping key used for those classes and therefore decrypting those items is only possible when the user has correctly entered his passphrase. iOS performs the following activities to protect the keys used for file encryption: Every time the TOE is booted, the TOE does the following: • an ephemeral AES key (256 bit) is created in the secure enclave using the random number generator of the secure enclave. • The (wrapped) Dkey and (wrapped) EMF key (both 256-bit keys) are loaded by the iOS kernel from the effaceable storage and sent to the secure enclave. • The secure enclave unwraps the Dkey and the EMF key. • The secure enclave wraps the Dkey with the newly generated ephemeral key. • The secure enclave stores the ephemeral key in the storage controller. This area is not accessible by the iOS kernel. When iOS accesses a file the following operations are performed: • The iOS kernel first extracts the file metadata (which are encrypted with the EMF key) and sends them to the secure enclave. • The secure enclave decrypts the file metadata and sends it back to the iOS kernel. • The iOS kernel determines which class key to use and sends the class key (which is wrapped with the Dkey, or with the XOR of the Dkey and the Passcode Key) and the file key (which is wrapped with the class key) to the secure enclave. • The secure enclave unwraps the file key and re-wraps it with the ephemeral key and sends this wrapped key back to the iOS kernel. • The iOS kernel sends the file access request (read or write) together with the wrapped file key to the storage controller. • The storage controller uses its internal implementation of AES, decrypts the file key and then decrypts (when the operation is read) or encrypts (when the operation is write) the data during its transfer from/to the flash memory. To summarize the storage location for key material: • The UID is stored in the firmware of the secure enclave in a section not accessible by any program in the secure enclave or the main processor. The processor in the secure enclave can only be used to encrypt and decrypt data (using AES256) using the UID as a key. • Keys 0x89B and 0x835 are stored in the secure enclave. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 55 of 75 • EMF key, DKey and the class keys are stored in the effaceable area, all in wrapped form only. As explained they are never available in clear in the main processor system. • File keys and keychain item keys are stored in non-volatile memory, but in wrapped form only. As explained, they are never available in the clear in the main processor system. • The system and the applications can store private keys in keychain items. They are protected by the encryption of the keychain item. • Symmetric keys used for TLS, HTTPS, or WiFi sessions are held in RAM only. They are generated and managed using one of the two FIPS 140-2 validated libraries. The functions of those libraries also perform the clearing of those keys after use. 7.2.2 CAVS Certificates The following CAVS certificates apply to iOS 9.2: User space: CPU A7 based devices: • Triple-DES: 2064, 2065 • AES: 3686, 3687, 3719, 3720, 3702, 3703 • RSA: 1908, 1909 • ECDSA: 781, 782 • SHA: 3100, 3101, 2978, 2979 • HMAC: 2432, 2433, 2312, 2313 • DRBG: 993, 994, 1008, 1009 • PBKDF: Vendor-affirmed • AES Key Wrapping: 3686, 3687, 3719, 3720, 3702, 3703 • ECDH primitive Z: 687, 688 CPU A8 based devices: • Triple-DES: 2066, 2078 • AES: 3688, 3690, 3721, 3722, 3704, 3740 • RSA: 1910, 1920 • ECDSA: 783, 793 • SHA: 3102, 3113, 2974, 2975 • HMAC: 2434, 2444, 2306, 2309 • DRBG: 995, 997, 1010, 1019 • PBKDF: Vendor-affirmed • AES Key Wrapping: 3688, 3690, 3721, 3722, 3704, 3740 • ECDH primitive Z: 689, 698 CPU A8X based devices: • Triple-DES: 2067, 2068 Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 56 of 75 • AES: 3689, 3691, 3723, 3724, 3705, 3706 • RSA: 1911, 1912 • ECDSA: 784, 785 • SHA: 3103, 3104, 2976, 2977 • HMAC: 2435, 2436, 2310, 2311 • DRBG: 996, 998, 1011, 1012 • PBKDF: Vendor-affirmed • AES Key Wrapping: 3689, 3691, 3723, 3724, 3705, 3706 • ECDH primitive Z: 690, 691 Kernel space: CPU A7 based devices: • Triple-DES: 2081 • AES: 3733, 3743 • RSA: 1923 • ECDSA: 796 • SHA: 3116, 3019 • HMAC: 2447, 2353 • DRBG: 1022 • PBKDF: Vendor-affirmed CPU A8 based devices: • Triple-DES: 2082 • AES: 3734, 3744 • RSA: 1924 • ECDSA: 797 • SHA: 3117, 3020 • HMAC: 2448, 2354 • DRBG: 1023 • PBKDF: Vendor-affirmed CPU A8X based devices: • Triple-DES: 2083 • AES: 3735, 3745 • RSA: 1925 • ECDSA: 798 • SHA: 3118, 3021 • HMAC: 2449, 2355 • DRBG: 1024 • PBKDF: Vendor-affirmed Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 57 of 75 7.3 User Data Protection (FDP) 7.3.1 Protection of Files When a new file is created on an iOS device, it’s assigned a class by the app that creates it. Each class uses different policies to determine when the data is accessible. As described above each class has a dedicated class key which is stored in wrapped form. Note that for the classes other than 'No Protection' to work the user must have an active passcode lock set for the device. The basic classes and policies are described below. Complete Protection (referred to as "class A" in some documents) Files in this class can only be accessed when the device is unlocked. Protected Unless Open (referred to as "class B" in some documents) This class is for files that may need to be written while the device is locked. Protected Until First User Authentication (referred to as "class C" in some documents) This class is for files that are protected until the user has successfully authenticated. Unlike the 'Complete Protection' class, the class key for this class is not wiped when the device is locked, but after a re-boot the user has to authenticate before files in this class can be accessed. So, once the user has authenticated after reboot the key is available until the phone is shutdown or rebooted. No Protection (referred to as "class D" in some documents) Files in this class can be always accessed. Still the files themselves are encrypted using a file specific key, but this key can be unwrapped without using the passcode key derived from the user's passcode. Note: class A, class B and class C keys require that the user has defined a PIN. Unless he has done this only class D keys exist. All data in files is considered private data, since all files are encrypted. Sensitive data is data protected with a class A or class B key, since this data is not accessible when the device is locked. 7.3.2 Application Access to Files An iOS app’s interactions with the file system are limited mostly to the directories inside the app’s sandbox. During installation of a new app, the installer creates a number of containers for the app. Each container has a specific role. The bundle container holds the app’s bundle, whereas the data container holds data for both the application and the user. The data container is further divided into a number of directories that the app can use to sort and organize its data. The app may also request access to additional containers—for example, the iCloud container—at runtime. When an application is removed, all its files are also removed. 7.3.3 Declaring the Required Device Capabilities of an App All apps must declare the device-specific capabilities they need to run. The value of the UIRequiredDeviceCapabilities key is either an array or dictionary that contains additional keys identifying features your app requires (or specifically prohibits). If you specify the value Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 58 of 75 of the key using an array, the presence of a key indicates that the feature is required; the absence of a key indicates that the feature is not required and that the app can run without it. If a dictionary is specified instead, each key in the dictionary must have a Boolean value that indicates whether the feature is required or prohibited. A value of true indicates the feature is required and a value of false indicates that the feature must not be present on the device. 7.3.4 App Groups Apps and extensions owned by a given developer account can share content when configured to be part of an App Group. It is up to the developer to create the appropriate groups on the Apple Developer Portal and include the desired set of apps and extensions. Once configured to be part of an App Group, apps have access to the following: • A shared on-disk container for storage, which will stay on the device as long as at least one app from the group is installed • Shared preferences • Shared keychain items The Apple Developer Portal guarantees that App Group IDs are unique across the app ecosystem. 7.3.5 Restricting app access to system services The TOE allows a user to restrict the system services an app can access. The services that can be restricted on a per-app basis are: • Location Services • Contacts • Calendar • Reminders • Photos • Microphone • Camera 7.3.6 Keychain Data Protection Many apps need to handle passwords and other short but sensitive bits of data, such as keys and login tokens. The iOS keychain provides a secure way to store these items. The keychain is implemented as a SQLite database stored on the file system. There is only one database; the securityd daemon determines which keychain items each process or app can access. Keychain access APIs result in calls to the daemon, which queries the app’s “keychain-access-groups” and the “application-identifier” entitlement. Rather than limiting access to a single process, access groups allow keychain items to be shared between apps. Keychain items can only be shared between apps from the same developer. This is managed by requiring third-party apps to use access groups with a prefix allocated to them through the iOS Developer Program, or in iOS 9, via application groups. The prefix requirement and application group uniqueness are enforced through code signing, Provisioning Profiles, and the iOS Developer Program. iOS provides a UI in the Settings Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 59 of 75 dialog that allows importing of keys for use for Apple-provided applications such as Safari or VPN. Keychain data is protected using a class structure similar to the one used in file Data Protection. These classes have behaviors equivalent to file Data Protection classes, but use distinct keys and are part of APIs that are named differently. The following table shows the keychain classes and their equivalent file system classes: Keychain data protection class File data protection class When unlocked NSFileProtectionComplete While locked NSFileProtectionCompleteUnlessOpen After first unlock NSFileProtectionCompleteUntilFirstUserAuthentication Always NSFileProtectionNone Table 4: Keychain to File-system Mapping In addition there are the Keychain data protection classes with the additional "ThisDeviceOnly" added to their class name. Keychain items in those classes cannot be moved to a different device using backup and restore; key chain items in those classes are bound to the device. Among the data stored in keychain items are digital certificates used for setting up VPN connections and certificates and private keys installed by the Configuration Profile. Keychains can use access control lists (ACLs) to set policies for accessibility and authentication requirements. Items can establish conditions that require user presence by specifying that they can’t be accessed unless authenticated entering the device’s passcode. ACLs are evaluated inside the Secure Enclave and are released to the kernel only if their specified constraints are met. 7.4 Identification and Authentication (FIA) The user of the device is authenticated using a passcode. The following passcode policies can be defined for managed devices: • the minimum length of the passcode • the minimum number of special characters a valid passcode must contain • the maximum number of consecutive failed attempts to enter the passcode (which can be value between 2 and 10—the default is 10) • the number of minutes for which the device can be idle before it gets locked by the system • the maximum number of days a passcode can remain unchanged • the size of the passcode history (the maximum value is 50) Those parameters for the passcode policy can be defined in the Passcode Policy Payload section of a configuration profile defined by a system administrator for a managed device. For details see the Section 7.5, below. The number of failed authentication attempts is maintained in a system file. The time between consecutive authentication attempts is at least the time it takes the PBKDF2 function to execute. This is calibrated to be at least 80 milliseconds. In addition the TOE enforces a 5 second delay between repeated failed authentication attempts. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 60 of 75 When a user exceeds the number of consecutive failed login attempts, the user's partition is erased (by erasing the encryption key). The OS partition is mounted READONLY upon boot and is never modified during the use of the TOE except during a software update or restore. Note that entering the same incorrect password multiple times consecutively causes the failed login counter to increment only once for those multiple attempts even though these are all failed login attempts. 7.4.1 Certificates There are a number of certificates used by the TOE. First there is the Apple certificate used to verify the integrity and authenticity of software updates. This certificate is installed in ROM during manufacturing. Other certificates used for setting up trusted channels or decrypt/verify protected e-mail can be imported by a user (if allowed by the policy) or installed using configuration profiles. Certificates can be installed for: • Active Directory • Email (S/MIME) • Host pairing • Single-Sign On • IPSec • TLS • EAP-TLS, other supported EAP protocols Note that only IPSec, TLS and EAP-TLS are addressed by [MDFPP2]. Certificates have a certificate type that defines their respective application area. This ensures that only certificates defined for a specific application area are used. The certificate types supported by the TOE are: • AppleX509Basic • AppleSSL • AppleSMIME • AppleEAP • AppleIPsec • AppleCodeSigning • AppleIDValidation • AppleTimeStamping External entities can be authenticated using a digital certificate. Out of the box, iOS includes a number of preinstalled root certificates. Code signing certificates need to be assigned by Apple and can be imported into a device. The issue of such a certificate can be by app developers or by enterprises that want to deploy apps from their MDM to managed devices. All apps must have a valid signature that can be verified by a code signing certificate before they are installed on a device. iOS can update certificates wirelessly, if any of the preinstalled root certificates become compromised. To disable this, there is a restriction that prevents over-the-air certificate updates. The list of supported certificate and identity formats are: Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 61 of 75 • X.509 certificates with RSA keys • File extensions cer, .crt, .der, .p12, and .pfx To use a root certificate that isn’t preinstalled, such as a self-signed root certificate created by the organization managing the TOE, they can be distributed using one of the methods listed below: • when reviewed and accepted by the user • using the configuration profile • downloaded from a web site When attempting to establish a connection using a remote certificate, the certificate is first checked to ensure it is valid. If the certificate is valid, the attempt to establish the connection continues. If the certificate is invalid, the next step is up to the application to provide an indication to the user that the certificate is invalid and providing options to accept or reject. TLS is implemented as a stack that can be utilized by third-party applications. The API informs the calling application that the certificate is not valid. Safari will display a message to the user that the remote certificate validation failed and allow the user to examine the certificate with the option to allow the connection or not. iOS can be configured to disable the user option to accept invalid TLS certificates using the "Allow user to accept untrusted TLS certificates" setting. This is described in the iOS Security guide [iOS_SEC]. 7.5 Security Management (FMT) The TOE can be configured using Configuration Profiles that are installed on the TOE. Configuration Profiles are XML files that may contain settings for a number of configurable parameters. For details on the different payloads and keys that can be defined see the document "Configuration Profile Reference" ([iOS_CFG]) that can be downloaded from the Apple web site. Configuration profiles can be deployed in one of 5 different ways: • using the Apple Configurator tool • via an email message • via a web page • using over-the-air configuration • using over-the-air configuration via a MDM Server To preserve the integrity, authenticity and confidentiality of Configuration Profiles they can be required to be digitally signed and encrypted. Managed items relevant for this ST that have to be configured using Configuration Profiles are: • the password policy: the administrator can define this using the Passcode Policy Payload and o define the minimum password length o define requirements for the password complexity o define the maximum password lifetime o define the maximum time of inactivity after which the device is locked automatically Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 62 of 75 o define the maximum number of consecutive authentication failures after which the device is wiped. • the VPN policy o if VPN is always on o define the authentication method (Shared Secret or Certificate) o specification of certificates or shared keys • the Wi-Fi policy o the EAP types allowed o the SSIDs allowed to connect to o the encryption type(s) allowed • general restrictions o allowing or disallowing specific services (e. g. remote backup) or using devices like the camera o allowing or disallowing notifications when locked o allowing or disallowing a prompt when an untrusted certificate is presented in a TLS/HTTPS connection Note that the microphone cannot be disabled in general but a user can restrict access to the microphone on a per-app basis. Other functions that can be enabled/disabled by an administrator are: • installation of applications by a user • possibility to perform backups to iCloud • ability to submit diagnostics automatically • ability to use the fingerprint device (Touch ID) for user authentication • ability to see notifications on the lock screen • ability to take screen shots • ability to accept untrusted TLS certificates • ability to perform unencrypted backups (via iTunes) Further restrictions can be enforced for enrolled devices. Those include: • ability to modify the account • ability to modify the cellular data usage • ability to pair with a host other than the supervision host • ability for the user to install configuration profiles or certificates interactively • ability for the user to use 'Enable Restrictions' interface A user can access management functions available to him via the menus of the graphical user interface. The functions he can perform are described in [iPhone_UG] and [iPad_UG]. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 63 of 75 7.6 Protection of the TSF (FPT) 7.6.1 Secure Boot Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, kernel, kernel extensions, and baseband firmware. When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust where each step ensures that the next is signed by Apple. When the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs the iOS kernel. This secure boot chain helps ensure that the lowest levels of software are not tampered with and allows iOS to run only on validated Apple devices. For devices with cellular access, the baseband subsystem also utilizes its own similar process of secure booting with signed software and keys verified by the baseband processor. For devices with an A7 or later A-series processor, the Secure Enclave coprocessor also utilizes a secure boot process that ensures its separate software is verified and signed by Apple. If one step of this boot process is unable to load or verify the next process, startup is stopped and the device displays the “Connect to iTunes” screen. This is called recovery mode. If the Boot ROM is not able to load or verify LLB, it enters DFU (Device Firmware Upgrade) mode. In both cases, the device must be connected to iTunes via USB and restored to factory default settings. 7.6.2 Secure Software Update Software updates to the TOE are released regularly to address emerging security concerns and also provide new features; these updates are provided for all supported devices simultaneously. Users receive iOS update notifications on the device and through iTunes, and updates are delivered wirelessly, encouraging rapid adoption of the latest security fixes. The startup process described above helps ensure that only Apple-signed code can be installed on a device. To prevent devices from being downgraded to older versions that lack the latest security updates, iOS uses a process called System Software Authorization. If downgrades were possible, an attacker who gains possession of a device could install an older version of iOS and exploit a vulnerability that’s been fixed in the newer version. On a device with an A7 or later A-series processor, the Secure Enclave coprocessor also utilizes System Software Authorization to ensure the integrity of its software and prevent downgrade installations. iOS software updates can be installed using iTunes or over-the-air (OTA) on the device. With iTunes, a full copy of iOS is downloaded and installed. OTA software updates download only the components required to complete an update, improving network efficiency, rather than downloading the entire OS. Additionally, software updates can be cached on a local network server running the caching service on OS X Server so that iOS devices do not need to access Apple servers to obtain the necessary update data. During an iOS upgrade, iTunes (or the device itself, in the case of OTA software updates) connects to the Apple installation authorization server and sends it a list of cryptographic Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 64 of 75 measurements for each part of the installation bundle to be installed (for example, LLB, iBoot, the kernel, and OS image), a random anti-replay value (nonce), and the device’s unique ID (ECID). The authorization server checks the presented list of measurements against versions for which installation is permitted and, if it finds a match, adds the ECID to the measurement and signs the result. The server passes a complete set of signed data to the device as part of the upgrade process. Adding the ECID “personalizes” the authorization for the requesting device. By authorizing and signing only for known measurements, the server ensures that the update takes place exactly as provided by Apple. The boot-time chain-of-trust evaluation verifies that the signature comes from Apple and that the measurement of the item loaded from disk, combined with the device’s ECID, matches what was covered by the signature. These steps ensure that the authorization is for a specific device and that an old iOS version from one device can’t be copied to another. The nonce prevents an attacker from saving the server’s response and using it to tamper with a device or otherwise alter the system software. Note that this ensures the integrity and authenticity of software updates. Since there is no need for confidentiality protection, there is no trusted channel required for this process. 7.6.3 Domain Isolation All applications are executed in their own domain or 'sandbox' which isolates the application from other applications and the rest of the system. They are also restricted from accessing files stored by other applications or from making changes to the device configuration. Each application has a unique home directory for its files, which is randomly assigned when the application is installed. If a third-party application needs to access information other than its own, it does so only by using services explicitly provided by iOS. System files and resources are also shielded from the user’s apps. The majority of iOS runs as the non-privileged user “mobile,” as do all third-party apps. The entire OS partition is mounted as read-only. Unnecessary tools, such as remote login services, aren’t included in the system software, and APIs do not allow apps to escalate their own privileges to modify other apps or iOS itself. Access by third-party apps to user information and features is controlled using declared entitlements. Entitlements are key value pairs that are signed in to an app and allow authentication beyond runtime factors like a unix user ID. Since entitlements are digitally signed, they cannot be changed. Entitlements are used extensively by system apps and daemons to perform specific privileged operations that would otherwise require the process to run as root. This greatly reduces the potential for privilege escalation by a compromised system application or daemon. Address space layout randomization (ASLR) protects against the exploitation of memory corruption bugs. Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on. 7.6.4 Device locking The TOE is locked after a configurable time of user inactivity or upon request of the user. When the device is locked, the class key for the 'Complete Protection' class is wiped 10 seconds after locking, making files in that class inaccessible. This also applies for the class key of the 'Accessible when unlocked' keychain class. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 65 of 75 The lock screen of a device can be defined and set for supervised devices by an administrator using Apple Configurator or an MDM. The TOE can be locked remotely either via the iCloud "Lost Mode" function or by a mobile device management if the device is enrolled in management. 7.6.5 Time The following security functional requirements make use of time: • FPT_STM.1.1 • FIA_UAU.7 • FTA_SSL_EXT.1 • FMT_SMF_EXT.1.1 Function 1: • FMT_SMF_EXT.1.1 Function 2: • FIA_X509_EXT.1.1 • FIA_X509_EXT.3.1 • FCS_STG_EXT. When the device starts and the "Set Automatically" setting is set on the device the following services are used to synchronize the real time clock on the device: For A7 and later platforms the devices set time by: 1. GPS time as provided by Eureka. 2. If GPS is unavailable, NTP will be used. If the "Set Automatically" setting is not set on the device the user can manually set the clock using an appropriate reference facility. When configured and maintained according to the Network, Identity and Time Zone (NITZ), Global Positioning Satellites (GPS), Network Time Protocol (NTP) standards or the cellular carrier time service the time may be considered reliable. 7.6.6 Inventory of TSF Binaries and Libraries All user space binaries (applications as well as shared libraries) are subject to address space layout randomization. The logic is implemented in the binary loader and agnostic of a particular file or its contents. An inventory of TSF binaries and libraries has been provided to NIAP since the list is considered proprietary. 7.7 TOE Access (FTA) 7.7.1 Session Locking iOS devices can be configured to transit to a locked state after a configurable time interval of inactivity. This time can be defined by an administrator using a Configuration Profile. Displaying notifications when in the locked state can be prohibited via the allowLockScreenNotificationsView key in the Restrictions Payload of a Configuration Profile. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 66 of 75 7.7.2 Restricting access to Wireless Networks Users and administrators can restrict the wireless networks an iOS device connects to. Using the configuration profile administrators can define the wireless networks the device is allowed to connect to and the EAP types allowed for authentication. For the list of radios supported by each device see Tables 1 and 2. The standards listed there define the frequency ranges. 7.8 Trusted Path/Channels (FTP) The TOE provides secured (encrypted and mutually authenticated) communication channels between itself and other trusted IT products through the use of 802.11-2012, 802.1X, and EAP-TLS, TLS and IPsec. IPsec supports authentication using shared keys or certificate based authentication. 7.8.1 EAP-TLS and TLS The TOE supports EAP-TLS using TLS version 1.0 and supports the following ciphersuites: 1. TLS_RSA_WITH_AES_128_CBC_SHAas defined in RFC 5246 2. TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246 EAP-TLS can be configured as one of the EAP types accepted using the AcceptEAPTypes key in the Wi-Fi payload of the configuration profile. When configuring the TOE to utilize EAP-TLS as part of a WPA2 protected WiFi-network, the CA certificate(s) to which the server's certificate must chain can be configured using the PayLoadCertificateAnchorUUID key in the Wi-Fi payload of the configuration profile. Using the TLSAllowTrustExceptions key in the Wi-Fi payload of the configuration profile the administrator can enforce that untrusted certificates are not accepted and the authentication fails if such an untrusted certificate is presented. The TOE provides mobile applications API service for TLS versions 1.0, 1.1, and 1.2 including support for following ciphersuites: 1. TLS_RSA_WITH_AES_128_CBC_SHAas defined in RFC 5246 2. TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246 3. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 4. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 5. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492 6. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492 7. TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 8. TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 9. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 10. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 11. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC5289 12. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC5289 When an application uses the provided APIs to attempt to establish a trusted channel, the TOE will compare the distinguished name (DN) contained within the peer certificate (specifically the Subject CN, as well as any Subject Alternative Name fields) to the DN of the Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 67 of 75 requested server. If the DN in the certificate does not match the expected DN for the peer, then the application cannot establish the connection. Applications can request from the TOE the list of cipher suites supported and then define which of the supported cipher suites they enable for the TLS protected session they are going to set up. Once the connection has been set up the application can retrieve the cipher suite negotiated with the communication partner. When setting up a TLS session, the library function for the handshake (SSLHandshake) will indicate via a result code any error that occurred during the certificate chain validation. 7.8.2 AlwaysOn VPN For managed and supervised devices the TOE has the option to be configured with an 'AlwaysOn' VPN where the organization has full control over device traffic by tunneling all IP traffic back to the organization using an IKEv2 based IPSec tunnel. A specific set of configuration key values dedicated to the VPN type 'AlwaysOn' allows the specification of the interfaces (cellular or WiFi) for which the VPN is 'AlwaysOn' (default is: for both), the specification of exceptions from this service (only VoiceMail and Airprint can be listed as exceptions), and define exceptions for Captive networking (if any). For IKEv2 the configuration contains (among other items): • the IP address or hostname of the VPN server • the identifier of the IKEv2 client in one of the supported formats • the authentication method (shared key or certificate) • the server certificate (for certificate based authentication) • if extended authentication is enabled • the encryption algorithm (allows for 3DES (default), AES-128, and AES-256. Single DES shall not be used in the evaluated configuration) • the integrity algorithm (allows for SHA1-96 (default), SHA1-128, SHA2-256, SHA2- 384, SHA2-512) 7.8.3 Bluetooth The TOE supports Bluetooth 4.0 with the following Bluetooth profiles: • Hands-Free Profile (HFP 1.6) • Phone Book Access Profile (PBAP) • Advanced Audio Distribution Profile (A2DP) • Audio/Video Remote Control Profile (AVRCP 1.4) • Personal Area Network Profile (PAN) • Human Interface Device Profile (HID) • Message Access Profile (MAP) Users can pair their device with a remote Bluetooth device using the 'Set up Bluetooth Device' option from the Bluetooth status menu. They can also remove a device from the device list. Manual authorization is implicitly configured since pairing can only occur when explicitly authorised through the Settings»Bluetooth interface. During the pairing time, another device (or the iOS) can send a pairing request. Commonly, a six digit number is displayed on both sides which must be manually matched by a user, i.e. the PIN is shown and the user must Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 68 of 75 accept it before the pairing completes. If one device does not support this automatic exchange of a PIN, a window for entering a manual PIN is shown. That PIN must match on both sides. iOS requires that remote Bluetooth devices support an encrypted connection. Devices that want to pair with the TOE via Bluetooth are required by Apple to use Secure Simple Pairing, which uses ECDH based authentication and key exchange. See the Specification of the Bluetooth System 4.0 [BT], Volume 2, Part H, chapter 7 for details. The only time the device is Bluetooth discoverable is when the Bluetooth configuration panel is active and in the foreground (there is no toggle switch for discoverable or not discoverable—unless the config panel is the active panel, the device is not discoverable). Connections via Bluetooth/LE are secured using AES-128 in CCM mode. For details of the security of Bluetooth/LE see the Specification of the Bluetooth System 4.0 [BT], Volume 6, Part E, chapter 1. 7.8.4 Wireless LAN The TOE implements the wireless LAN protocol as defined in IEEE 802.11 (2012). For the generation of keys and other random values used as part of this protocol the random number generator of the CoreCrypto cryptographic module is used. As required by IEEE 802.11 (2012), the TOE implements the CTR with CBC-MAC protocol (CCMP) with AES (128-bit key) as defined in section 11.4.3 of 802.11. This protocol is mandatory for IEEE 802.11 (2012) and is also the default protocol for providing confidentiality and integrity for wireless LANs that comply with IEEE 802.11. The implementation of the AES algorithm is performed by the bulk encryption operation of the WLAN chip. AES key wrapping as defined in NIST SP800-38F is used to wrap the Group Temporal Key (GTK), which is sent in an EAPOL key frame in message 3 of the 4-way handshake defined in section 11.6.2 of IEEE 802.11 (2012). The TOE implements Wi-Fi Protected Access 2 (WPA2) Enterprise, certified by the Wi-Fi Alliance, certificates WFA20103, WFA20606, WFA20607, WFA55890, WFA55891, WFA55892, WFA56011, and WFA56012. 7.9 Mapping to the Security Functional Requirements The following table provides a mapping of the SFRs defined in chapter 5 of this ST to the functions implemented by the TOE, referring to the previous sections of the TOE Summary Specification where additional information is required. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 69 of 75 SFR Comment FCS_CKM.1(1) RSA and ECC key generation are functions of the Apple iOS CoreCrypto Module v6. The module can generate RSA key pairs with modulus sizes of 2048 to 4096 in increments of 32 bit. ECC key pairs can be generated for NIST curves P-256, P-384. The following list shows the algorithm certificates of this module for RSA and ECDSA: RSA (Certs. #1908, #1909, #1910, #1920, #1911, #1912, #1923, #1924, and #1925); ECDSA (Certs. #781, #782, #783, #793, #784, #785, #796, #797, and #798) FCS_CKM.1(2) PRF-384 is implemented as defined in IEEE 802.11-2012, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", section 11.6.1.2. It is implemented in the TOE as part of the WPA implementation and is used for the key generation of AES keys when the CCMP cipher (defined in section 11.4.3.1 of IEEE 802.11-2012 is used. The Random Bit Generator used is the one of the main device. Compliance to the requirements of FCS_RBG_EXT.1 has been analyzed in the proprietary Entropy Assessment Report which has been provided to NIAP. See section 7.8.4 for Wi-Fi Alliance certificates. FCS_CKM.2(1) RSA and ECC based key establishment are functions of the Apple iOS CoreCrypto Module v6. The following list shows the algorithm certificates of this module for RSA and ECDSA: RSA (Certs. #1908, #1909, #1910, #1920, #1911, #1912, #1923, #1924, and #1925); ECDSA (Certs. #781, #782, #783, #793, #784, #785, #796, #797, and #798) FCS_CKM.2(2) AES Key Wrap in an EAPOL-Key frame is implemented as defined in IEEE 802.11-2012, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", sections 11.6.2 and 11.6.3. Option 2 in 11.6.2 of IEEE 802.11-2012 which describes the value for 2 or 3 of the Key Descriptor Version subfield of the Key Information field of the EAPOL key frame. This value indicates that HMAC-SHA1- 128 is the EAPOL-Key MIC and NIST AES key wrap is used for EAPOL-Key encryption. This is implemented by the TOE. FCS_CKM_EXT.1 The TOE supports a device unique REK (256-bit AES keys) that is generated in the production environment and installed during production. This REK is protected by the hardware such that it can only be used for encryption and decryption operation and only in the Secure Enclave. It cannot be read or modified by any software or firmware in the TOE. The proprietary Entropy Assessment Report, which has been provided to NIAP, has analyzed the RBG used in the production environment for compliance to the requirements defined in FCS_RBG_EXT.1 FCS_CKM_EXT.2 All the DEKs described in the key hierarchy diagram in Figure 4 are generated using the RBG of the secure enclave and are AES keys with 256 bit key size or Curve25519 keys with 256 bit key size. The Key Generation functions are pre-programmed to use only this RBG and key-size, which cannot be changed. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 70 of 75 SFR Comment FCS_CKM_EXT.3 All the KEKs described in the key hierarchy diagram in Figure 4 are generated using the RBG of the secure enclave and are AES keys with 256 bit key size. The Passcode Key is generated using PBKDF with the UID as the key and a salt that is generated using the RBG in the Secure Enclave. This RBG in the Secure Enclave has been analyzed for compliance with the requirements of FCS_RBG_EXT.1 in the proprietary Entropy Assessment Report, which has been provided to NIAP. FCS_CKM_EXT.4 Keys in volatile memory are overwritten by zeros when no longer needed. Keys in non-volatile flash memory are cleared by a block erase when no longer needed. Note that in accordance with TD0028 and TD0057 a read-verify is not performed after clearing the keys. FCS_CKM_EXT.5 A wipe operation is performed after exceeding the limit number of failed authentication attempts or upon receiving a request from an authorized administrator. Wiping is performed by clearing the block with the highest level of KEKs shown in the diagram in Figure 4 using a block erase of the 'effaceable area' of the non-volatile flash memory. FCS_CKM_EXT.6 The salt used for the password-based key derivation function is generated using the RBG in the Secure Enclave, which (as noted before) has been analyzed for compliance with the requirements of FCS_RBG_EXT.1 in the proprietary Entropy Assessment Report, which has been provided to NIAP. Other salts and random values are generated using the RBG of the main device. FCS_COP.1(1) AES-CBC and AES-GCM are implemented as approved functions in the Apple iOS CoreCrypto Module v6. AES-CCM and AES Key Wrap are implemented as non-approved functions in the Apple iOS CoreCrypto Module v6. AES-CCMP is implemented as defined in IEEE 802.11-2012, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", section 11.4.3. See section 7.8.4 for Wi-Fi Alliance certificates. FCS_COP.1(2) SHA-1, SHA-256, SHA-394, and SHA-512 are implemented as approved functions in the Apple iOS CoreCrypto Module v6. FCS_COP.1(3) RSA and ECDSA signature generation are implemented as approved functions in the Apple iOS CoreCrypto Module v6. ECDSA using NIST curves P-256 and P-384 is implemented as an approved function. FCS_COP.1(4) HMAC-SHA1, HMAC-SHA-256, HMAC-SHA384, and HMAC-SHA- 512 are implemented as approved functions in the Apple iOS CoreCrypto Module v6.The key attributes used are defined in the SFR, FCS_COP.1.1(4). FCS_COP.1(5) PBKDF is implemented as a vendor affirmed function in the Apple iOS CoreCrypto Module v6. The password is fed as a binary string to the SHA algorithm. The settings for the algorithm (padding, blocking, etc.) are described in section 5.1.2.5 of this ST. The output of the hash function is used to form the sub-mask and is conditioned to be the same length as the KEK, 256-bits, that is specified in FCS_CKM_EXT.3. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 71 of 75 SFR Comment FCS_HTTPS_EXT.1 The TOE provides a library that allows the implementation to set up TLS protected connections. This is used by browsers (including Safari) to implement the HTTPS protocol. The TOE can be configured to not establish a connection if the peer certificate is deemed invalid. FCS_IV_EXT.1 All initialization vectors are implemented as defined in table 14 of [MDFPP2]. FCS_RBG_EXT.1 There are two Random Bit Generators implemented in the TOE that are used for security functionality specified in this Security Target: one in the Secure Enclave (used to generate the salt used in the PBKDF for generating the Passcode Key), and one in the main device (used for the generation of all other random bits used for security functionality specified in the Security Target). Both RBGs are based on hardware noise sources and both have been analyzed in the proprietary Entropy Assessment Report, which has been provided to NIAP, to have a minimum of 256 bits of entropy. The cryptographic library provides an interface for application programs that those programs can use to request random bits from the RBG in the main device. FCS_SRV_EXT.1 All functions mentioned can be accessed by applications via interfaces to the cryptographic library. FCS_STG_EXT.1 Cryptographic keys are stored in keychains. Keys may be installed by an administrator as part of a configuration profile of may be installed by an application. Access control to keychain items is described in section 7.3.6, Keychain Data Protection, in this Security Target. FCS_STG_EXT.2 The key hierarchy implemented by the TOE is explained in section 7.2.1 and Figure 4 of this Security Target. All keys are wrapped using AES in Key Wrap mode with 256 bit keys. FCS_STG_EXT.3 The integrity of wrapped keys is implemented through the MAC before the unwrapped key is used. FCS_TLSC_EXT.1 EAP TLS with TLS 1.0, TLS 1.1 and TLS 1.2 is implemented by the TOE including all mandatory and optional cipher suites listed in [MDFPP2]. A client certificate can be installed on the device via a configuration profile. FCS_TLSC_EXT.2 The TOE provides a library that allows applications to protect their communication using TLS 1.2 including all mandatory and optional cipher suites listed in [MDFPP2]. FDP_ACF_EXT.1 The TOE implements an access control policy to data as described in section 7.3.1 (for files) and section 7.3.2 (for keychain items) of this Security Target. FDP_DAR_EXT.1 All data-at-rest is protected using the class key of the class the file belongs to. Similar all keychain items are protected by their class key. Figure 4 explains the KEKs used to protect the class keys. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 72 of 75 SFR Comment FDP_DAR_EXT.2 The class key for the NSFileProtectionCompleteUnlessOpen is used for the case of protecting data when the device is locked. The description of the NSFileProtectionCompleteUnlessOpen class describes the use of the asymmetric key pair over curve 25519 for this purpose. FDP_IFC_EXT.1 The TOE can be configured (using a Configuration Profile) such that all IP traffic flows through an IPsec VPN client (AlwaysOn VPN). FDP_STG_EXT.1 The Trust Anchor Database is stored as a protected item. FDP_UPC_EXT.1 The TOE provides a library that applications can use to set up a TLS protected connection, set up a HTTPS protected connection, use Bluetooth BR/EDR and Bluetooth LE to set up a protected communication channel and initiate communication via this channel. FIA_AFL_EXT.1 The TSF can be configured (using a Configuration Profile) to limit the number of consecutive failed authentication attempts to any number between 2 and 10. FIA_BLT_EXT.1 The TSF can be configured to require explicit user authorization before pairing with a remote Bluetooth device. See section 7.8.3 of this ST for more detail FIA_PAE_EXT.1 The TOE conforms to IEEE 802.1X for PAE in the Supplicant role. FIA_PMG_EXT.1 The TSF can be configured for a password policy that supports passwords consisting of any combination of upper and lower case letters, numbers, and any special character available on the keyboard. The minimum size of such passwords can also be defined via a Configuration Profile. FIA_TRT_EXT.1 The TSF enforces a delay of at least 5 seconds between user authentication attempts. FIA_UAU.7 When a password is entered the character entered is shown for a short time in clear and then replaced by a dot. FIA_UAU_EXT.2 The TSF can be configured to allow no actions to be performed before the user is authenticated. FIA_UAU_EXT.3 The TSF requires the user to authenticate when changing his password and when transitioning from the locked state to the unlocked state. FIA_X509_EXT.1 X.509 certificates are validated using the certificate path validation algorithm defined in RFC 5280. Certificate paths must terminate in the Trust Anchor Database for a certificate to be regarded as trusted. The extendedKeyUsage field in the certificate is validated to ensure that the key is used in accordance with its usage specification. CA certificates are only accepted if the basicConstraints extension exists and the CA flag in this extension is set. OCSP is supported to determine if a certificate has been revoked. FIA_X509_EXT.2 X.509v3 certificates are supported for authentication for EAP-TLS, IPsec, TLS, HTTPS, code signing for software updates, and code signing for mobile applications. Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 73 of 75 SFR Comment FIA_X509_EXT.3 The library provided for certificate handling and management provides a service for certificate validation. The return value indicates the success or failure of the validation with detailed failure codes indicating why the validation failed. FMT_MOF_EXT.1 Table 3 in this Security Target indicates the management functions and the entity (user or administrator) that can perform the function. FMT_SMF_EXT.1 Table 3 indicates the management functions that can be performed by either the administrator, the user or both. In case of administrator functions most of them (except for remote wipe and remote locking) are performed by installing Configuration Profiles on the TOE. Administration functions for the user are available through the user interface. FMT_SMF_EXT.2 Upon unenrollment and when a remote wipe command is issued protected data is wiped by erasing the top level KEKs. Since all data- at-rest is encrypted with one of those keys, the device is wiped. FPT_AEX_EXT.1 Address space layout randomization is used for every sandbox used to execute applications in. There are 8 bits of randomness taken from the application processor TRNG involved in the randomization. FPT_AEX_EXT.2 Hardware enforced memory protection is used for every memory page. FPT_AEX_EXT.3 Stack-based buffer overflow protection is implemented for every sandbox. FPT_AEX_EXT.4 The TSF protects itself as well as applications from modification by untrusted subjects. Applications execute in their own address space separated from the address space of other applications and separated from the address space used by the TSF. The TOE does not support USSD or MMI codes and also does not support auxiliary boot modes. FPT_KSK_EXT.1 Keys are stored in keychains and are therefore encrypted by one of the KEKs for keychain objects. FPT_KSK_EXT.2 Keys are never transmitted in plaintext outside the TOE by the TSF. FPT_KSK_EXT.3 Plaintext keys can also not be exported by TOE users. There is no function that allows this. FPT_NOT_EXT.1 In the case of a self-test failure or a software integrity verification failure the device will not start. Self-tests for cryptographic functions are performed by the cryptographic modules. FPT_STM.1 The TSF maintains a time stamp for its own use. FPT_TST_EXT.1 The TSF runs a suite of self-tests during initial start-up as required by FIPS 140-2 for all cryptographic functionality. FPT_TST_EXT.2 The TSF verifies the integrity of the bootchain as described in section 7.6.1 of this Security Target Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 74 of 75 SFR Comment FPT_TUD_EXT.1 Users can query the current version of the TOE firmware and software as well as the current version of the hardware model via the user interface. Users can also query the current version of installed mobile applications via the user interface. FPT_TUD_EXT.2 All software updates and all applications need to be digitally signed. This signature is verified before installing any update or application. Details of this process are described in section 7.6.2 of this Security Target. FTA_SSL_EXT.1 A Configuration Profile can be used to define the maximum time of inactivity before the TSF initiates a transition to the locked state. In addition both the user and the administrator can initiate a transition to the locked state. During such a transition the display is overwritten and the decrypted class key for the NSFileProtection Complete class is zeroized. FTA_WSE_EXT.1 Wireless connections can be specified as acceptable can be configured by an administrator using a Configuration Profile. The TSF will connect to such acceptable wireless networks either automatically or on demand. FTP_ITC_EXT.1 The TSF provides the specified list of protocols that allow for the establishment of a trusted channel between itself and another trusted IT product. It is always the TSF that initiates such a communication via a trusted channel. FTA_TAB.1 It is possible for an enterprise to define the display of a managed device that is provided before a user session is established. This can include an enterprise defined warning message regarding unauthorized use of the TOE. FPT_BBD_EXT.1 The application processor and the baseband processor are separated such that the baseband processor can only access resources of the application processor under the control of the application processor. Communication between the application processor and the baseband processor is via dedicated memory areas and the application processor uses those memory areas only to transmit data to or receive data from the baseband processor. Table 5: Mapping of SFRs Last update: 2016-01-28 © 2016 Apple Inc. Version: 1.4 Page 75 of 75