Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance




5.2 Local Administrator Guidance


The following topics describe how to configure EAP-TLS on Windows 10:

  • Extensible Authentication Protocol (EAP) Settings for Network Access: http://technet.microsoft.com/en-us/library/hh945104.aspx

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

  • Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

5.3 User Guidance


The user views the list of available networks (including networks associated with a configured Wi-Fi profile) in Settings -> Network & Internet -> Wi-Fi. Tapping a given Wi-Fi network presents the option to Connect to the network.

6. Managing TLS


This section contains the following Common Criteria SFRs:

  • Extended: EAP TLS Protocol (FCS_TLSC_EXT.1)

  • Extended: TLS Protocol (FCS_TLSC_EXT.2)

6.1 IT Administrator Guidance


The cipher suite selection and priority may be configured on the server side of a connection. Cipher suite selection is made according to the default order as described in the previous section for Windows 10.

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

Windows 10 devices may be configured to trust a Certificate Authority by using policy pushed to the device by an MDM. The TOE comes preloaded with root certificates for various Certificate Authorities. Additional Certificate Authorities may be managed on the Windows 10 device using workplace enrollment and an MDM.

There is no configuration necessary to use client authentication on the device once a device has client authentication certificates. See the Managing Certificates section for information on configuring a device to enroll for client certificates.


6.2 Local Administrator Guidance


The mandatory and optional cipher suites listed in the Security Target correlate with those available in the TOE as follows:

| Cipher Suites (per Security Target) | Cipher Suite Requirement | Available Cipher Suites in TOE |
|---|---|---|
| TLS_RSA_WITH_AES_128_CBC_SHA | Mandatory | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | Optional | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 | Optional | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 | Optional | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 and/or TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 and/or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |

The following MSDN articles describe how the administrator modifies the set of TLS cipher suites for priority and availability:

  • Prioritizing Schannel Cipher Suites: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

  • How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

  • Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

The elliptic curves supported for a particular cipher suite are part of the cipher suite configuration. For example, one of the supported cipher suites in the table above is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; note that the string used to configure this cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, which differs slightly from the actual cipher suite name. The difference is the final four characters, which indicate the elliptic curve to be used, in this case the curve P256 (secp256r1).
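As an added example (not code from the Microsoft guidance), the following Python audit script turns the table above into a check: it strips the curve suffix described in this paragraph from each Schannel configuration string and flags entries of a cipher-suite order that fall outside the evaluated set. It assumes the order is supplied as the comma-separated list that the SSL Cipher Suite Order policy stores in the Functions registry value; the sample list is constructed.

```python
# Added example (not part of the Microsoft guidance): audit a Schannel cipher-suite order.
# Configuration strings from the "Available Cipher Suites in TOE" column of the table above.
EVALUATED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384",
}

# Curve suffix of a Schannel configuration string -> SECG curve name.
CURVES = {"P256": "secp256r1", "P384": "secp384r1", "P521": "secp521r1"}

def split_config_string(entry):
    """Split a configuration string into (cipher suite name, curve suffix or None)."""
    name, sep, suffix = entry.rpartition("_")
    if sep and suffix in CURVES:
        return name, suffix
    return entry, None

def audit_cipher_suite_order(functions_value):
    """Audit a comma-separated cipher-suite order (the form the SSL Cipher Suite Order
    policy stores in the Functions registry value) against EVALUATED_SUITES."""
    entries = [e.strip() for e in functions_value.split(",") if e.strip()]
    report = {"allowed": [], "not_evaluated": [], "curves": {}}
    for e in entries:
        _, curve = split_config_string(e)
        if curve:
            report["curves"][e] = CURVES[curve]
        key = "allowed" if e in EVALUATED_SUITES else "not_evaluated"
        report[key].append(e)
    return report

# Constructed sample order: two evaluated suites, one ECDHE-ECDSA entry pinned to a curve
# the table does not list (P521) and one RSA suite absent from the Security Target.
SAMPLE_FUNCTIONS = ",".join([
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
])
```

Running `audit_cipher_suite_order` over a machine's actual Functions value lists every configured suite the evaluated configuration does not cover, together with the curve each ECDHE entry is pinned to.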

The reference identifier in Windows 10 for TLS is the URL of the server. There is no configuration of the reference identifier.

The signature algorithm is not configurable in Windows 10 for TLS.
