Users often need to perform functions through direct interaction with the TSF. A trusted path provides confidence that, whenever the path is invoked, the user is communicating directly with the TSF and not with an untrusted application impersonating it; a user's response given over the trusted path therefore cannot be intercepted or modified by untrusted applications. Similarly, trusted channels are one approach to secure communication between the TSF and remote IT products.
Figure 1.2 of this part of the CC illustrates the relationships between the various types of communication that may occur within a TOE or network of TOEs (i.e. Internal TOE transfers, Inter-TSF transfers, and Import/Export Outside of TSF Control) and the various forms of trusted paths and channels.
Absence of a trusted path may allow breaches of accountability or access control in environments where untrusted applications are used. These applications can intercept user-private information, such as passwords, and use it to impersonate other users. As a consequence, responsibility for any system actions cannot be reliably assigned to an accountable entity. Also, these applications could output erroneous information on an unsuspecting user's display, resulting in subsequent user actions that may be erroneous and may lead to a security breach.
Figure M.1 shows the decomposition of this class into its constituent components.
Figure M.1 - Trusted path/channels class decomposition
This family defines the rules for the creation of a trusted channel connection that goes between the TSF and another trusted IT product for the performance of security critical operations between the products. An example of such a security critical operation is the updating of the TSF authentication database by the transfer of data from a trusted product whose function is the collection of audit data.
FTP_ITC.1 Inter-TSF trusted channel
User application notes
This component should be used when a trusted communication channel between the TSF and another trusted IT product is required.
Operations
Selection:
In FTP_ITC.1.2, the PP/ST author must specify whether the local TSF, the remote trusted IT product, or both shall have the capability to initiate the trusted channel.
Assignment:
In FTP_ITC.1.3, the PP/ST author should specify the functions for which a trusted channel is required. Examples of these functions may include transfer of user, subject, and/or object security attributes and ensuring consistency of TSF data.
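The following is an added illustration, not part of the CC text, of what FTP_ITC.1 asks of an implementation: a channel in which each end has assured identification of the other (here, mutually authenticated TLS 1.3, each product pinning the single certificate it expects of its peer), in which either the local TSF or the remote trusted IT product may initiate the channel (the FTP_ITC.1.2 selection), and in which a peer presenting any other certificate, even under the expected name, is refused. It runs over a loopback TCP socket; the endpoint names tsf.example and audit-collector.example, the NewEndpoint and OpenChannel functions, and the use of certificate pinning instead of a CA hierarchy are assumptions of this example rather than anything the CC prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Endpoint is one party to the channel (the TSF or a remote trusted IT product): a self-signed certificate the peer pins.
type Endpoint struct {
	Leaf *x509.Certificate
	Cert tls.Certificate
}

// NewEndpoint mints a self-signed certificate for name, valid in the client and the server role (either side may initiate).
func NewEndpoint(name string) (*Endpoint, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // pinning does not depend on serial uniqueness
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the name the peer checks through ServerName
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Endpoint{Leaf: leaf, Cert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}, nil
}

// OpenChannel has initiator connect to responder over a loopback TCP socket with mutually
// authenticated TLS 1.3. Each side accepts exactly one pinned certificate for its peer, so any
// other certificate (even under the expected name) is refused. It returns the peer name each
// side verified, or the first error raised by whichever side refused the other.
func OpenChannel(initiator, responder *Endpoint, initiatorPins, responderPins *x509.Certificate) (string, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	// Responder (TLS server): require a client certificate and verify it against the pin.
	responderPool := x509.NewCertPool()
	responderPool.AddCert(responderPins)
	var srv *tls.Conn
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			c := tls.Server(raw, &tls.Config{
				Certificates: []tls.Certificate{responder.Cert},
				ClientAuth:   tls.RequireAndVerifyClientCert,
				ClientCAs:    responderPool,
				MinVersion:   tls.VersionTLS13,
			})
			if err = c.Handshake(); err == nil {
				srv = c
			} else {
				raw.Close()
			}
		}
		errc <- err
	}()
	// Initiator (TLS client): verify the responder's certificate and name against the pin.
	initiatorPool := x509.NewCertPool()
	initiatorPool.AddCert(initiatorPins)
	cli, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{initiator.Cert},
		RootCAs:      initiatorPool,
		ServerName:   responder.Leaf.DNSNames[0],
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		ln.Close() // unblock Accept in case no TCP connection was made, then reap the goroutine
		<-errc
		return "", "", err // the initiator refused the responder's certificate
	}
	defer cli.Close()
	if err := <-errc; err != nil {
		return "", "", err // the responder refused the initiator's certificate
	}
	defer srv.Close()
	// Each side reports the CommonName of the certificate its peer proved possession of.
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName,
		srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

With tsf and collector created by NewEndpoint, OpenChannel(tsf, collector, collector.Leaf, tsf.Leaf) returns the two verified names ("audit-collector.example" as seen by the TSF, "tsf.example" as seen by the collector) and a nil error; swapping initiator and responder exercises initiation by the remote product; passing an endpoint whose certificate is not the pinned one, in either position, returns an error from the side that refused it. One caveat the code accounts for: under TLS 1.3 the initiator's handshake completes as soon as it has sent its own certificate and Finished message, before the responder has verified that certificate, so an initiator must wait for the responder's verdict (here, the responder's handshake result is collected before OpenChannel returns) rather than treating the channel as established the moment its own handshake call succeeds.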
This family defines the requirements to establish and maintain trusted communication to or from users and the TSF. A trusted path may be required for any security-relevant interaction. Trusted path exchanges may be initiated by a user during an interaction with the TSF, or the TSF may establish communication with the user via a trusted path.
FTP_TRP.1 Trusted path
User application notes
This component should be used when trusted communication between a user and the TSF is required, either for initial authentication purposes only or for additional specified user operations.
Operations
Selection:
In FTP_TRP.1.1, the PP/ST author should specify whether the trusted path must be extended to remote and/or local users.
In FTP_TRP.1.2, the PP/ST author should specify whether the TSF, local users, and/or remote users should be able to initiate the trusted path.
In FTP_TRP.1.3, the PP/ST author should specify whether the trusted path is to be used for initial user authentication and/or for other specified services.
Assignment:
In FTP_TRP.1.3, if selected, the PP/ST author should identify other services for which trusted path is required, if any.