Aten Cs1182dp4 User manual

ATEN Secure KVM Switch Series (Non-CAC Models)

Security Target

Version 1.1

2022-03-08

Prepared for:

ATEN

3F, No. 125, Section 2, Datung Road,

Sijhih District,

New Taipei City, 221

Taiwan

Prepared by:

Common Criteria Testing Laboratory

6841 Benjamin Franklin Drive

Columbia, Maryland 21046

Security Target Version 1.1

2022-03-08

Revision History

Version

Author

Modifications

0.1

Leidos

Initial Version

0.2

Leidos

Minor update to add adapters

0.3

Leidos

Updates for validator check-in comments

1.0

Leidos

Minor updates for evaluator comments

1.1

Leidos

Updates for validator check-out comments

Security Target Version 1.1
 2022-03-08 
ii 
Table of Contents 
Security Target Introduction.................................................................................................................1 
1 Security Target, Target of Evaluation, and Common Criteria Identification..................................1 
2 Conformance Claims.......................................................................................................................2 
3 Conventions....................................................................................................................................3 
3.1 Terminology ............................................................................................................................3 
3.2 Acronyms.................................................................................................................................5 
TOE Description ....................................................................................................................................7 
1 Product Overview...........................................................................................................................7 
2 TOE Overview .................................................................................................................................7 
3 TOE Architecture ............................................................................................................................7 
3.1 Physical Boundary .................................................................................................................11 
4 Logical Boundary ..........................................................................................................................12 
4.1 Security Audit........................................................................................................................13 
4.2 User Data Protection.............................................................................................................13 
4.3 Identification and Authentication.........................................................................................13 
4.4 Security Management...........................................................................................................13 
4.5 Protection of the TSF.............................................................................................................13 
4.6 TOE Access ............................................................................................................................14 
5 TOE Documentation .....................................................................................................................14 
Security Problem Definition................................................................................................................15 
Security Objectives .............................................................................................................................16 
1 Security Objectives for the Operational Environment .................................................................16 
IT Security Requirements....................................................................................................................17 
1 Extended Requirements...............................................................................................................17 
2 TOE Security Functional Requirements (PSD, MOD_AO_V1.0, MOD_KM_V1.0).........................18 
2.1 Security Audit (FAU)..............................................................................................................19 
2.2 User Data Protection (FDP) ...................................................................................................20 
2.3 Identification and Authentication (FIA).................................................................................24 
2.4 Security Management (FMT).................................................................................................25 
2.5 Protection of the TSF (FPT)....................................................................................................25 
2.6 TOE Access (FTA)...................................................................................................................26 
3 TOE Security Functional Requirements (DP Models) ...................................................................27 
3.1 User Data Protection (FDP) ...................................................................................................27 
4 TOE Security Functional Requirements (H Models) .....................................................................28 
4.1 User Data Protection (FDP) ...................................................................................................28 
5 TOE Security Functional Requirements (D Models) .....................................................................29 
5.1 User Data Protection (FDP) ...................................................................................................29 
6 TOE Security Assurance Requirements ........................................................................................30 
TOE Summary Specification................................................................................................................31 
1 Security Audit (FAU_GEN.1) .........................................................................................................31 
2 User Data Protection....................................................................................................................32 
2.1 FDP_AFL_EXT.1 –Audio Filtration.........................................................................................32 

Security Target Version 1.1
 2022-03-08 
iii 
6.2.2 FDP_APC_EXT.1 (All Iterations); FDP_UDF_EXT.1/AO –Unidirectional Data Flow (Audio 
Output); FDP_UDF_EXT.1/KM –Unidirectional Data Flow (Keyboard/Mouse); FDP_UDF_EXT.1/VI –
Unidirectional Data Flow (Video Output);..........................................................................................32 
6.2.3 FDP_CDS_EXT.1 –Connected Displays Supported................................................................33 
6.2.4 FDP_FIL_EXT.1/KM –Device Filtering (Keyboard/Mouse); FDP_PDC_EXT.3/KM –Authorized 
Connection Protocols (Keyboard/Mouse) ..........................................................................................33 
6.2.5 FDP_PDC_EXT.1 –Peripheral Device Connection; FDP_PDC_EXT.2/AO –Peripheral Device 
Connection (Audio Output); FDP_PDC_EXT.2/KM –Authorized Devices (Keyboard/Mouse); 
FDP_PDC_EXT.2/VI –Peripheral Device Connection (Video Output).................................................34 
6.2.6 FDP_PUD_EXT.1 –Powering Unauthorized Devices.............................................................35 
6.2.7 FDP_RIP.1/KM –Residual Information Protection (Keyboard Data), FDP_RIP_EXT.1 –
Residual Information Protection and FDP_RIP_EXT.2 –Purge of Residual Information....................35 
6.2.8 FDP_SWI_EXT.1 –PSD Switching; FDP_SWI_EXT.2 –PSD Switching Methods; FDP_SWI_EXT.3 
–Tied Switching..................................................................................................................................36 
6.2.9 TOE Video Security Function.................................................................................................36 
6.3 Identification and Authentication (FIA_UAU.2/ FIA_UID.2).........................................................38 
6.4 Security Management ..................................................................................................................38 
6.4.1 FMT_MOF.1 –Management of Security Functions Behavior...............................................38 
6.4.2 FMT_SMF.1 –Specification of Management Functions .......................................................38 
6.4.3 FMT_SMR.1 –Security Roles.................................................................................................39 
6.5 Protection of the TSF....................................................................................................................39 
6.5.1 FPT_FLS_EXT.1 –Failure with Preservation of Secure State.................................................39 
6.5.2 FPT_NTA_EXT.1 –No Access to TOE .....................................................................................40 
6.5.3 FPT_PHP.1 –Passive Detection of Physical Attack and FPT_PHP.3 –Resistance to Physical 
Attack 40 
6.5.4 FPT_STM.1 Reliable Time Stamps .........................................................................................40 
6.5.5 FPT_TST.1 –TSF Testing and FPT_TST_EXT.1 –TSF Testing..................................................40 
6.6 TOE Access....................................................................................................................................42 
6.6.1 FTA_CIN_EXT.1 –Continuous Indications.............................................................................42 
7 Protection Profile Claims ....................................................................................................................44 
8 Rationale.............................................................................................................................................46 
8.1 TOE Summary Specification Rationale .........................................................................................46 
Appendix A Letter of Volatility....................................................................................................................48 
 
 
 
List of Figures and Tables 
Figure 1: Simplified Block Diagram of a 2-Port KVM TOE ...........................................................................10 
Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment..................................12 
Table 1: ATEN Secure KVM Switch TOE Models ...........................................................................................1 
Table 2: Terms and Definitions .....................................................................................................................3 

Security Target Version 1.1
 2022-03-08 
iv 
Table 3: Acronyms.........................................................................................................................................5 
Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models......................................................8 
Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models ..................................................9 
Table 6: Security Objectives for the Operational Environment..................................................................16 
Table 7: TOE Security Functional Components...........................................................................................18 
Table 8: Audio Filtration Specifications ......................................................................................................20 
Table 9: TOE Security Functional Components (DP Models)......................................................................27 
Table 10: TOE Security Functional Components (H Models)......................................................................28 
Table 11: TOE Security Functional Components (D Models)......................................................................29 
Table 12: Assurance Components...............................................................................................................30 
Table 13: Supported protocols by port.......................................................................................................34 
Table 14: DP Models ...................................................................................................................................36 
Table 15: H Models .....................................................................................................................................37 
Table 16: D Models .....................................................................................................................................37 
Table 17: SFR Protection Profile Sources...................................................................................................44 
Table 18: Security Functions vs. Requirements Mapping...........................................................................46 
 

Security Target Version 1.1

2022-03-08

1Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST

conventions, ST conformance claims, and the ST organization. The TOE is ATEN Secure KVM Switch

Series (Non-CAC Models) provided by ATEN.

The Security Target contains the following additional sections:

•TOE Description (Section 2)

•Security Problem Definition (Section 3)

•Security Objectives (Section 4)

•IT Security Requirements(Section 5)

•TOE Summary Specification (Section 6)

•Protection Profile Claims (Section 7)

•Rationale (Section 8)

1.1 Security Target, Target of Evaluation, and Common Criteria Identification

ST Title: ATEN Secure KVM Switch Series (Non-CAC Models) Security Target

ST Version: Version 1.1

ST Date: 2022-03-08

Target of Evaluation (TOE) Identification: ATEN Secure KVM Switch Series (Non-CAC Models)

TOE Versions: The following table identifies the model numbers per configuration. The firmware version

for all models is v1.1.101.

Table 1: ATEN Secure KVM Switch TOE Models

Configuration

2-Port

4-Port

8-Port

DisplayPort

Single Head

CS1182DP4

CS1184DP4

CS1188DP4

Dual Head

CS1142DP4

CS1144DP4

CS1148DP4

HDMI

Single Head

CS1182H4

CS1184H4

N/A

Dual Head

CS1142H4

CS1144H4

N/A

DVI

Single Head

CS1182D4

CS1184D4

CS1188D4

Dual Head

CS1142D4

CS1144D4

CS1148D4

The TOE includes a wired remote controller: Remote Peripheral Selector (RPS) that is available to

customers as an additional purchase. This device has the same firmware version as the models above.

TOE Developer: ATEN

Evaluation Sponsor: ATEN

CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1,

Revision 5, April 2017.

Security Target Version 1.1
 2022-03-08 
2 
1.2 Conformance Claims 
This ST and the TOE it describes are conformant to the following CC specifications: 
•Common Criteria for Information Technology Security Evaluation Part 2: Security Functional 
Components, Version 3.1 Revision 5, April 2017 
•Part 2 Extended 
•Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance 
Components, Version 3.1 Revision 5, April 2017 
•Part 3 Conformant 
This ST and the TOE it describes claim exact conformance to the following PP-Configuration: PP-
Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, 
and Video/Display Devices, 19 July 2019 (CFG_PSD-AO-KM-VI_V1.0) 
This PP-Configuration includes the following components: 
•Protection Profile for Peripheral Sharing Device, Version 4.0, 19 July 2019 (PP_PSD_V4.0) or 
[PSD] 
oincluding the following optional and selection-based SFRs: FAU_GEN.1, FDP_RIP_EXT.2, 
FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_PHP.3, 
FPT_STM.1, and FTA_CIN_EXT.1. 
•PP-Module for Analog Audio Output Devices, Version 1.0, 19 July 2019 (MOD_AO_V1.0). 
•PP-Module for Keyboard/Mouse Devices, Version 1.0, 19 July 2019 (MOD_KM_V1.0) 
oincluding the following optional and selection-based SFRs: FDP_FIL_EXT.1/KM, 
FDP_RIP.1/KM, and FDP_SWI_EXT.3. 
•PP-Module for Video/Display Devices, Version 1.0, 19 July 2019 (MOD_VI_V1.0) 
oincluding the following selection-based SFRs: FDP_CDS_EXT.1, FDP_IPC_EXT.1, 
FDP_SPR_EXT.1/DP(DP), FDP_SPR_EXT.1/DVI-I(D), and FDP_SPR_EXT.1/HDMI(H). 
 
The following NIAP Technical Decisions are applicable to the claimed Protection Profile and Modules: 
•TD0593 –Equivalency Arguments for PSD 
•TD0586 –DisplayPort and HDMI Interfaces in FDP_IPC_EXT.1 
•TD0585 –Update to FDP_APC_EXT.1 Audio Output Tests 
•TD0584 –Update to FDP APC_EXT.1 Video Tests 
•TD0583 –FPT_PHP.3 modified for PSD remote controllers 
•TD0557 –Correction to Audio Filtration Specification Table in FDP_AFL_EXT.1 
•TD0539 –Incorrect Selection Trigger in FTA_CIN_EXT.1 in MOD_VI_V1.0 
The TOE does not fit the Combiner Use Case and so the specific assignment required by the VI Module 
does not apply. 
•TD0518 –Typographical Error in Dependency Table 
•TD0514 –Correction to MOD_VI FDP_APC_EXT.1 Test 3 Step 6 
•TD0507 –Clarification on USB Plug Type 
•TD0506 –Missing Steps to Disconnect and Reconnect Display 

Security Target Version 1.1

2022-03-08

1.3 Conventions

The Security Functional Requirements included in this section are derived from Part 2 of the Common

Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, with additional extended

functional components.

The CC defines operations on Security Functional Requirements: assignments, selections, assignments

within selections, iterations, and refinements. This document retains all operations completed by the PP

author (i.e. selections/assignments they already filled out). These are formatted as italicized text.

This document uses the following font conventions to identify iterations, extended SFRs and operations

performed by the ST author:

•Refinement operation (denoted by bold text and underline) is used to add details to a requirement,

and thus further restricts a requirement.

•Selection (denoted by italicized bold text): is used to select one or more options provided by the

[CC] in stating a requirement. Selection operations completed in the PP are shown in brackets.

•Assignment operation (denoted by bold text) is used to assign a specific value to an unspecified

parameter, such as the length of a password. Showing the value in square brackets indicates

assignment. Assignments within Selections are denoted by italicized bold text).

•Iteration operation is identified with a slash (‘/’) and an identifier (e.g. “/KM”). Additional iterations

made by the ST author are defined with a reference in parentheses to the specific TOE models they

apply to, e.g. “(DP)” indicates the SFR only applies to DisplayPort models. Though technically not an

iteration FDP_IPC_EXT.1, also uses this convention to clarify that this requirement only applies to

certain models.

•Extended SFRs are identified by having a label “EXT” after the SFR name.

1.3.1 Terminology

Table 2: Terms and Definitions

Term

Definition

Aligned

Detected and accepted the connection by the KVM.

Assurance

Grounds for confidence that a TOE meets the SFRs.

Authorized Peripheral

A Peripheral Device that is both technically supported and administratively

permitted to have an active interface with the PSD.

Combiner (multi-viewer)

A PSD with video integration functionality that is used to simultaneously display

output from multiple personal computers (PCs).

Common Criteria (CC)

Common Criteria for Information Technology Security Evaluation.

Common Evaluation

Methodology (CEM)

Common Evaluation Methodology for Information Technology Security

Evaluation.

Computer Interface

The PSD’s physical receptacle or port for connecting to a computer.

Configurable Device

Filtration (CDF)

A PSD function that filters traffic based on properties of a connected peripheral

device and criteria that are configurable by an Administrator.

Connected Computer

A computing device connected to a PSD. May be a personal computer, server,

tablet, or any other computing device.

Security Target Version 1.1

2022-03-08

Term

Definition

Connected Peripheral

A Peripheral that is connected to a PSD.

Connection

A physical or logical conduit that enables Devices to interact through respective

interfaces. May consist of one or more physical (e.g., a cable) or logical (e.g., a

protocol) components.

Connector

The plug on a Connection that attaches to a Computer or Peripheral Interface.

Device

An information technology product. In the context of this PP, a Device is a PSD, a

Connected Computer, or a Connected Peripheral.

Display

A device that visually outputs user data, such as a monitor.

Interface

A shared boundary across which two or more Devices exchange information

through a Connection.

A type of PSD that shares a keyboard and pointing device between Connected

Computers. A KM may optionally include an analog audio device.

KVM

A type of PSD that shares a keyboard, video, and pointing device between

Connected Computers. A KVM may optionally include an analog audio device and

user authentication device.

Letter of Volatility

A letter issued by the manufacturer outlining whether onboard memory can store

data when the device is powered off (non‐volatile) or not (volatile).

Monitoring

The ability of a User to receive an indicator of the current Active Interface.

Non-Selected Computer

A Connected Computer that has no Active Interfaces with the PSD.

Peripheral Interface

The PSD’s physical receptacle or port for connecting to a Peripheral Device.

Peripheral/Peripheral

Device

A Device with access that can be Shared or Filtered by a PSD.

Protection Profile (PP)

An implementation‐independent set of security requirements for a category of

products.

Remote Controller

Remote component of the PSD that extends the controls and indications through

a cable.

Secure State

An operating condition in which the PSD disables all connected peripheral and

connected computer interfaces when the correctness of its functions cannot be

ensured.

Security Assurance

Requirement (SAR)

A requirement to assure the security of the TOE.

Security Functional

Requirement (SFR)

A requirement for security enforcement by the TOE.

Security Target (ST)

Implementation‐independent documentation that describes a TOE, its

Operational Environment, and its claimed security functionality.

Selected Computer

A Connected Computer that has Active Interfaces with the PSD.

Supported Peripheral

A Peripheral Device that is technically supported by the PSD.

Target of Evaluation(TOE)

A product or component, consisting of hardware, software, and/or firmware, that

claims to implement certain security functionality in a specific and well-defined

manner.

Security Target Version 1.1

2022-03-08

Term

Definition

TOE Security Functionality

(TSF)

The combined hardware, software, and firmware capabilities of a TOE that are

responsible for implementation of its claimed SFRs.

TOE Security Functionality

Interface (TSFI)

Any external interface between the TOE and its Operational Environment that has

a security‐relevant purpose or is used to transmit security‐relevant data.

TOE Summary Specification

(TSS)

Documentation contained within the Security Target that provides the reader

with a description of how the TOE implements the claimed SFRs.

User

A person that interacts with a PSD (or a process or mechanism acting on behalf of

a person).

User Authentication Device

A Peripheral Device that is used to affirm the identity of a User attempting to

authenticate to a computer (e.g., smart card reader, biometric authentication

device, proximity card reader).

User Data

Information that the User inputs to the Connected Computer or is output to the

User from the Connected Computer (and including user authentication and

credential information)

1.3.2 Acronyms

Table 3: Acronyms

Acronym

Definition

ARC

Audio Return Channel

AUX

Display Port Auxiliary Channel

CAC

Common Access Card

CDF

Configurable Device Filtering

CEC

Consumer Electronics Control

DVI

Digital Visual Interface

EDID

Extended Display Identification Data

EEPROM

Electrically Erasable Programmable Read-Only Memory

FIPS

Federal Information Processing Standards

High Definition

HDCP

High‐bandwidth Digital Content Protection

HDMI

High Definition Multimedia Interface

HEAC

HDMI Ethernet Audio Control

HEC

HDMI Ethernet Channel

HID

Human Interface Device

HPD

Hot Plug Detect

Information Technology

KVM

Keyboard, Video, and Mouse

LED

Light-Emitting Diode

MCCS

Hot Plug Detect

Security Target Version 1.1

2022-03-08

Acronym

Definition

Personal Computer

PSD

Peripheral Sharing Device

RPS

Remote Port Selector

SFP

Security Function Policy

USB

Universal Serial Bus

Security Target Version 1.1

2022-03-08

2TOE Description

2.1 Product Overview

The TOE is the ATEN Secure KVM Switch Series (non CAC Models). Each of the sixteen models identified

in Section 1.1 is a Peripheral Sharing Device that include console ports and computer ports. The console

ports are used to connect a single set of peripherals, including a mouse, keyboard, speaker, and one or

two video displays (depending on specific device type) to the TOE. The TOE’s computer ports are

connected to up to 2, 4, or 8 separate computers (again depending on specific device type). The user can

then securely switch the connected console peripherals between any of the connected computers while

preventing unauthorized data flows or leakage between computers. The TOE supports manual port

switching using a press and release a port selection push button (on the switch, or on the Remote Port

Selector (RPS) if connected and aligned) to bring the KVM focus to the computer attached to its

corresponding port.

2.2 TOE Overview

The TOE is the ATEN Secure Switch series of products without CAC. The TOE allows users to connect a

single set of peripherals to its console ports to interact with multiple computers that are connected to it

via its computer ports. Controls on the TOE chassis or on the RPS allow the user to select which of the

connected computers is ‘active’ such that the peripherals connected to the console can be used to interact

with the selected computer.

The TOE’s console ports support USB keyboard and mouse, analog audio out (speakers), and depending

on model, DisplayPort, HDMI or DVI-I display.

The TOE’s computer ports support USB keyboard and mouse, analog audio, and depending on model,

DisplayPort, HDMI, or DVI-I display.

The TOE includes multiple models, all with the same basic functionality. The differences between models

are:

•The type of display interface supported on the console ports (DisplayPort, HDMI or DVI-I)

•The type of display interface supported on the computer ports (DisplayPort, HDMI, or DVI-I)

•The number of sets of computer ports, which determines how many computers can be connected to

the TOE at one time (up to 2, 4, or 8)

2.3 TOE Architecture

The ATEN Secure KVM series are KVM switches with the following characteristics:

•2/4/8 port USB DisplayPort single and dual display for DisplayPort (6 devices)

•2/4 port USB HDMI single and dual display for HDMI (4 devices)

•2/4/8 port USB DVI single and dual display for DVI (6 devices).

The Secure KVM Switch products allow for the connection of a mouse, keyboard, and one or two video

displays (depending on specific device type) to the Secure KVM Switch, which is then connected to 2, up

to 4, or up to 8 separate computers (again depending on specific device type). The user can then switch

the connected peripherals between any of the connected computers using a push button on the front of

Security Target Version 1.1

2022-03-08

the device or on the RPS. The selected device is always identifiable by a bright orange LED associated with

the applicable selection button.

To interface with connected computers, the Secure KVM Switch products support analog audio output

and USB connections for the keyboard/mouse device. Depending on model, they support DisplayPort,

DVI-I, or HDMI for the computer video display interface. The switched peripherals on the console side are

analog audio output, USB keyboard and mouse, and DisplayPort, HDMI or DVI-I video output (depending

on model).

Separate USB cables are used to connect the keyboard/mouse combination to the connected computers.

The Secure KVM Switch products supporting DisplayPort convert the DisplayPort video signal to HDMI.

The HDMI signal inside the KVM will be converted again to DisplayPort signal for output to the connected

video display(s) and the AUX channel is monitored and converted to EDID. The Secure KVM Switch

products also support audio output connections from the computers to a connected audio output device.

Only speaker connections are supported and the use of an analog microphone or line-in audio device is

prohibited. The tables below identify the interfaces of the Secure KVM console and computer ports

according to model number.

Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models

Model No.

Console Video Output

Interface

Console

Keyboard

Console

Mouse

Console Audio

output

DisplayPort

HDMI

DVI-I

USB 1.1/2.0

3.5mm Analog

Audio output

(Speaker)

CS1182DP4

•

CS1142DP4

•

CS1182H4

•

CS1142H4

•

CS1182D4

•

CS1142D4

•

CS1184DP4

•

CS1144DP4

•

CS1184H4

•

CS1144H4

•

CS1184D4

•

CS1144D4

•

CS1188DP4

•

CS1148DP4

•

CS1188D4

•

CS1148D4

•

Security Target Version 1.1

2022-03-08

Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models

Model No.

Computer Video Input Interface

Computer

Keyboard / Mouse

Computer Audio

Input

DisplayPort

HDMI

DVI-I

USB

1.1/2.0

3.5mm Analog

Audio Input

(Speaker)

CS1182DP4

•

CS1142DP4

•

CS1182H4

•

CS1142H4

•

CS1182D4

•

CS1142D4

•

CS1184DP4

•

CS1144DP4

•

CS1184H4

•

CS1144H4

•

CS1184D4

•

CS1144D4

•

CS1188DP4

•

CS1148DP4

•

CS1188D4

•

CS1148D4

•

The ATEN Secure KVM products implement a secure isolation design for all models to share a single set of

peripheral components. Each peripheral has its own dedicated data path. USB keyboard and mouse

peripherals are filtered and emulated. DisplayPort video from the selected computer is converted

internally to HDMI, then back to DisplayPort for communication with the connected video display and the

AUX channel is monitored and converted to EDID.

The Secure KVM Switch products are designed to enforce the allowed and disallowed data flows between

user peripheral devices and connected computers as specified in [PSD]. Data leakage is prevented across

the TOE to avoid compromise of the user's information. The Secure KVM Switch products automatically

clear the internal TOE keyboard and mouse buffers.

Figure 1 shows the data path design using a 2-Port KVM as an example.

Security Target Version 1.1

2022-03-08

Figure 1: Simplified Block Diagram of a 2-Port KVM TOE

As shown in Figure 1 above, the internal components of the KVM consist of switches, emulators, USB host

controllers, processors, and embedded with non-updateable firmware v1.1.101. The internal hardware

components are identified in Appendix A and include the manufacturer and the part number. The data

flow of USB keyboard/mouse is controlled by the host controller for console HID keyboard and pointing

devices. Details of the data flow architecture are provided in the proprietary Secure KVM Isolation

Document. All keyboard and mouse connections are filtered first, and only authorized devices will be

allowed. The TOE emulates data from authorized USB keyboard and mouse to USB data for computer

sources.

The TOEs proprietary design ensures there is no possibility of data leakage from a user’s peripheral output

device to the input device; ensures that no unauthorized data flows from the monitor to a connected

computer; and unidirectional buffers ensure that the audio data can travel only from the selected

computer to the audio device. There is no possibility of data leakage between computers or from a

peripheral device connected to a console port to a non-selected computer. Each connected computer has

its own independent Device Controller, power circuit, and EEPROM. Additionally, keyboard and mouse

are always switched together.

All Secure KVM Switch components including the RPS, feature hardware security mechanisms including

tamper-evident labels, always active chassis-intrusion detection, and tamper-proof hardware

construction, while software security includes restricted USB connectivity (non-Human Interface Devices

(HIDs) are ignored when switching), an isolated channel per port that makes it impossible for data to be

communicated between computers, and automatic clearing of the keyboard and mouse buffer.

Security Target Version 1.1

2022-03-08

A detailed description of the TOE security features can be found in Section 6 (TOE Summary Specification).

2.3.1 Physical Boundary

The TOE includes the RPS and hardware models identified in Section 1.1 along with embedded firmware

v1.1.101 and corresponding documentation identified in Section 2.5 below.

An optional KVM cable set (not supplied with the TOE) is available as a separate purchase. The KVM cable

sets are built for the KVM connection to the PCs, providing better compatibility. Users can connect the

KVM and PCs using their own cable sets as long as the protocols are compatible but the vendor cable sets

are recommended. The TOE was tested using the cable sets mentioned above and the following adapters:

•UC32381 (USB-C to HDMI converter)

•UC3239 (USB-C to DP converter)

•VC986 (Active DP-to-HDMI adapter)

•VC965 (Active DP-to-DVI adapter)

While the cable sets and adapters were supplied, they were not included in the evaluation because they

are considered part of the operational environment, along with the switched PCs, peripheral devices,

DisplayPort / HDMI / DVI-I monitors, USB keyboard, USB mouse, 3.5mm audio output (e.g. speakers) and

the host computers.

The following figure shows a representative TOE and its environment. In particular, it shows a four port,

single-head KVM and its connections.

Security Target Version 1.1

2022-03-08

Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment

The ATEN Secure KVM devices do not include any wireless interfaces. The ATEN Secure KVM devices have

been tested and found to comply with the radio frequency emissions limits for a Class A digital device,

pursuant to Part 15 of the Federal Communications Commission rules. If not installed and used in

accordance with the guidance instructions, the device may cause harmful interference to radio

communications. This evaluation did not test for RFI leakage of information.

2.4 Logical Boundary

This section summarizes the security functions provided by the TOE:

•Security Audit

•User Data Protection

•Identification and authentication

•Security Management

•Protection of the TSF

•TOE Access

Security Target Version 1.1

2022-03-08

2.4.1 Security Audit

The TOE generates audit records for the authorized administrator actions. Each audit record records a

standard set of information such as date and time of the event, type of event, and the outcome (success

or failure) of the event.

2.4.2 User Data Protection

The TOE controls and isolates information flowing between the peripheral device interfaces and a

computer interface. The peripheral devices supported include USB keyboard; USB mouse; audio output;

and (depending on device type) DisplayPort, DVI-I, or HDMI video. Some TOE models accept DisplayPort

signals at the computer interface and internally convert the signals to HDMI signals and then convert back

to DisplayPort for output to the console interface.

The TOE authorizes peripheral device connections with the TOE console ports based on the peripheral

device type.

The TOE ensures that any previous information content of a resource is made unavailable upon the

deallocation of the resource from a TOE computer interface immediately after the TOE switches to

another selected computer and on start-up of the TOE.

The TOE provides a Reset to Factory Default function allowing authenticated authorized Administrators

to remove all settings previously configured by the Administrator (such as USB device whitelist/blacklist).

Once the Reset to Factory Default function has been completed, the Secure KVM will terminate the

Administrator Logon mode, purge keyboard/mouse buffer, and power cycle the Secure KVM

automatically.

2.4.3 Identification and Authentication

The TOE provides an identification and authentication function for the administrative user to perform

administrative functions such as configuring the keyboard/mouse device filtering blacklist. The

authorized administrator must logon by providing a valid password.

2.4.4 Security Management

The management functions are restricted to the authorized administrator and allow the TOE to be

configured to reject specific USB keyboard/mouse devices using CDF blacklist parameters. Additionally,

the TOE provides security management functions to Reset to Factory Default and to change the

administrator password.

2.4.5 Protection of the TSF

The TOE runs a suite of self-tests during initial startup and after activating the reset button that includes

a test of the basic TOE hardware and firmware integrity; a test of the basic computer-to-computer

isolation; and a test of critical security functions (i.e., user control and anti-tampering). The TOE provides

users with the capability to verify the integrity of the TSF and the TSF functionality.

The TOE resists physical attacks on the main TOE enclosure as well as the RPS enclosure for the purpose

of gaining access to the internal components or to damage the anti-tampering battery by becoming

Security Target Version 1.1

2022-03-08

permanently disabled. The TOE preserves a secure state by disabling the TOE when there is a failure of

the power on self-test, or a failure of the anti-tampering function.

The TOE provides unambiguous detection of physical tampering that might compromise the TSF. The TSF

provides the capability to determine whether physical tampering with the TSF's devices or TSF's elements

has occurred.

2.4.6 TOE Access

The TOE displays a continuous visual indication of the computer to which the user is currently

connected, including on power up, and on reset.

2.5 TOE Documentation

There are several documents that provide information and guidance for the deployment and usage of

the TOE. In particular, the following guides reference the security-related guidance material for all

devices in the evaluated configuration.

Guidance Documentation:

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch Administrator Guide, Version 1.03, 2021-1-25

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch User Manual, Version 1.03, 2021-1-25

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch Admin Log Audit Code, Version 1.03, 2021-1-25

TOE Documentation:

•PP4.0 Secure KVM Isolation Document, Version 1.1 (Proprietary)

oNote: The PP4.0 Secure KVM Isolation Document is proprietary as permitted by PSD 4.0 Annex

D.1 Isolation Document and Assessment.

oThe isolation document supplements the security target Section 6 TOE Summary Specification in

order to demonstrate the TOE provides isolation between connected computers. In particular,

the isolation document describes how the TOE mitigates the risk of each unauthorized data flow

listed in PSD 4.0 Annex D and Evaluation Activities specified in the PP v4.0 and modules.

Security Target Version 1.1

2022-03-08

3Security Problem Definition

This security target includes by reference the Security Problem Definition from the [PSD],

[MOD_AO_V1.0], and [MOD_VI_V1.0]. The Security Problem Definition consists of threats that a

conformant TOE is expected to address and assumptions about the operational environment of the TOE.

In general, the [PSD] has presented a Security Problem Definition appropriate for peripheral sharing

devices. The ATEN Secure KVM Switch Series supports KVM (USB Keyboard/Mouse, analog audio (out),

DisplayPort, DVI-I and HDMI video) peripheral switch functionality by combining a 2/4/8 port KVM switch,

and an audio output port. As such, the [PSD] Security Problem Definition applies to the TOE.

This manual suits for next models

Table of contents

Popular Switch manuals by other brands

Moxa Technologies

Moxa Technologies ToughNet TN-5524-8PoE Hardware installation guide

Philips

Philips VSS7390/00T installation instructions

Draytek

Draytek VigorSwitch V1281 user guide

Kramer

Kramer vs-162 user manual

Ruijie

Ruijie RG-S6000C-48GT4XS-E-AC DCN Hardware installation and reference guide

Cerio

Cerio HS Series user guide

Viessmann

Viessmann VITOPLANAR operating instructions

HP 5500-24G-PoE+-4SFP Product End-of-Life Disassembly Instructions

Hubner

Hubner EGS 41 Configuration manual

Balluff

Balluff BES M30MF2-PSC15F-BV02-EXD user guide

HP ProCurve zl Series Planning and implementation guide

Alps Electric

Alps Electric SPPW8 Series specification

Tube-Town

Tube-Town TT-Midi-Switcher manual

H3C

H3C S5500-HI Switch Series Command reference

Sun Oracle

Sun Oracle Sun Datacenter InfiniBand Switch 36 Hardware Security Guide

Eaton

Eaton COOPER POWER SERIES Installation and operation instructions

EchoLab

EchoLab MVS3 Operator's manual

Leviton

Leviton 2653 installation instructions

ATEN CS1182DP4 User manual

Popular Switch manuals by other brands