Aten Cs1182dp4c User manual

ATEN Secure KVM Switch Series (CAC Models)

Security Target

Version 1.1

2022-03-08

Prepared for:

ATEN

3F, No. 125, Section 2, Datung Road,

Sijhih District,

New Taipei City, 221

Taiwan

Prepared by:

Common Criteria Testing Laboratory

6841 Benjamin Franklin Drive

Columbia, Maryland 21046

Security Target Version 1.1

2022-03-08

Revision History

Version

Author

Modifications

0.1

Leidos

Initial Version

0.2

Leidos

Incorporate vendor review comments

0.3

Leidos

Incorporate vendor review comments

0.4

Leidos

Updates based on evaluator comments

0.5

Leidos

Minor update to add adapters

0.6

Leidos

Updates for validator check-in comments

1.0

Leidos

Minor updates based on evaluator comments

1.1

Leidos

Updates for validator check-out comments

Security Target Version 1.1
 2022-03-08 
ii 
Table of Contents 
Security Target Introduction.................................................................................................................1 
1 Security Target, Target of Evaluation, and Common Criteria Identification..................................1 
2 Conformance Claims.......................................................................................................................2 
3 Conventions....................................................................................................................................3 
3.1 Terminology ............................................................................................................................3 
3.2 Acronyms.................................................................................................................................5 
TOE Description ....................................................................................................................................7 
1 Product Overview...........................................................................................................................7 
2 TOE Overview .................................................................................................................................7 
3 TOE Architecture ............................................................................................................................7 
3.1 Physical Boundary .................................................................................................................11 
4 Logical Boundary ..........................................................................................................................12 
4.1 Security Audit........................................................................................................................13 
4.2 User Data Protection.............................................................................................................13 
4.3 Identification and Authentication.........................................................................................13 
4.4 Security Management...........................................................................................................13 
4.5 Protection of the TSF.............................................................................................................13 
4.6 TOE Access ............................................................................................................................14 
5 TOE Documentation .....................................................................................................................14 
Security Problem Definition................................................................................................................15 
Security Objectives .............................................................................................................................16 
1 Security Objectives for the Operational Environment .................................................................16 
IT Security Requirements....................................................................................................................17 
1 Extended Requirements...............................................................................................................17 
2 TOE Security Functional Requirements (PSD, MOD-AO, MOD-KM, MOD_UA_V1.0)..................18 
2.1 Security Audit (FAU)..............................................................................................................20 
2.2 User Data Protection (FDP) ...................................................................................................20 
2.3 Identification and Authentication (FIA).................................................................................27 
2.4 Security Management (FMT).................................................................................................27 
2.5 Protection of the TSF (FPT)....................................................................................................28 
2.6 TOE Access (FTA)...................................................................................................................29 
3 TOE Security Functional Requirements (DP Models) ...................................................................29 
3.1 User Data Protection (FDP) ...................................................................................................30 
4 TOE Security Functional Requirements (H Models) .....................................................................31 
4.1 User Data Protection (FDP) ...................................................................................................31 
5 TOE Security Functional Requirements (D Models) .....................................................................32 
5.1 User Data Protection (FDP) ...................................................................................................32 
6 TOE Security Assurance Requirements ........................................................................................33 
TOE Summary Specification................................................................................................................34 
1 Security Audit (FAU_GEN.1) .........................................................................................................34 
2 User Data Protection....................................................................................................................35 
2.1 FDP_AFL_EXT.1 –Audio Filtration.........................................................................................35 

Security Target Version 1.1
 2022-03-08 
iii 
6.2.2 FDP_APC_EXT.1 (All Iterations); FDP_UDF_EXT.1/AO –Unidirectional Data Flow (Audio 
Output); FDP_UDF_EXT.1/KM –Unidirectional Data Flow (Keyboard/Mouse); FDP_UAI_EXT.1 User 
Authentication Isolation; FDP_UDF_EXT.1/VI –Unidirectional Data Flow (Video Output); ..............35 
6.2.3 FDP_CDS_EXT.1 –Connected Displays Supported................................................................36 
6.2.4 FDP_FIL_EXT.1/KM –Device Filtering (Keyboard/Mouse); FDP_PDC_EXT.3/KM –Authorized 
Connection Protocols (Keyboard/Mouse) ..........................................................................................36 
6.2.5 FDP_FIL_EXT.1/UA –Device Filtering (User Authentication Devices)...................................37 
6.2.6 FDP_PDC_EXT.1 –Peripheral Device Connection; FDP_PDC_EXT.2/AO –Peripheral Device 
Connection (Audio Output); FDP_PDC_EXT.2/KM –Authorized Devices (Keyboard/Mouse); 
FDP_PDC_EXT.2/UA –Authorized Devices (User Authentication Devices); FDP_PDC_EXT.2/VI –
Peripheral Device Connection (Video Output); FDP_PDC_EXT.4 –Supported Authentication Device
 38 
6.2.7 FDP_PUD_EXT.1 –Powering Unauthorized Devices.............................................................39 
6.2.8 FDP_PWR_EXT.1 Powered By Computer ..............................................................................39 
6.2.9 FDP_RIP.1/KM –Residual Information Protection (Keyboard Data), FDP_RIP_EXT.1 –
Residual Information Protection and FDP_RIP_EXT.2 –Purge of Residual Information....................39 
6.2.10 FDP_SWI_EXT.1 –PSD Switching; FDP_SWI_EXT.2 –PSD Switching Methods; 
FDP_SWI_EXT.3 –Tied Switching .......................................................................................................40 
6.2.11 FDP_TER_EXT.1 Session Termination; FDP_TER_EXT.2 Session Termination or Removed 
Devices; FDP_TER_EXT.3 Session Termination upon Switching.........................................................40 
6.2.12 TOE Video Security Function .............................................................................................41 
6.3 Identification and Authentication (FIA_UAU.2/ FIA_UID.2).........................................................42 
6.4 Security Management ..................................................................................................................43 
6.4.1 FMT_MOF.1 –Management of Security Functions Behavior...............................................43 
6.4.2 FMT_SMF.1 –Specification of Management Functions .......................................................43 
6.4.3 FMT_SMR.1 –Security Roles.................................................................................................44 
6.5 Protection of the TSF....................................................................................................................44 
6.5.1 FPT_FLS_EXT.1 –Failure with Preservation of Secure State.................................................44 
6.5.2 FPT_NTA_EXT.1 –No Access to TOE .....................................................................................44 
6.5.3 FPT_PHP.1 –Passive Detection of Physical Attack and FPT_PHP.3 –Resistance to Physical 
Attack 45 
6.5.4 FPT_STM.1 Reliable Time Stamps .........................................................................................45 
6.5.5 FPT_TST.1 –TSF Testing and FPT_TST_EXT.1 –TSF Testing..................................................45 
6.6 TOE Access....................................................................................................................................47 
6.6.1 FTA_CIN_EXT.1 –Continuous Indications.............................................................................47 
7 Protection Profile Claims ....................................................................................................................49 
8 Rationale.............................................................................................................................................52 
8.1 TOE Summary Specification Rationale .........................................................................................52 
Appendix A Letter of Volatility....................................................................................................................55 
 
 
 

Security Target Version 1.1
 2022-03-08 
iv 
List of Figures and Tables 
Figure 1: Simplified Block Diagram of a 2-Port KVM TOE ...........................................................................10 
Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment..................................12 
Table 1: ATEN Secure KVM Switch TOE Models ...........................................................................................1 
Table 2: Terms and Definitions .....................................................................................................................3 
Table 3: Acronyms.........................................................................................................................................5 
Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models......................................................8 
Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models ..................................................9 
Table 6: Security Objectives for the Operational Environment..................................................................16 
Table 7: TOE Security Functional Components...........................................................................................18 
Table 8: Audio Filtration Specifications ......................................................................................................21 
Table 9: TOE Security Functional Components (DP Models)......................................................................30 
Table 10: TOE Security Functional Components (H Models)......................................................................31 
Table 11: TOE Security Functional Components (D Models)......................................................................32 
Table 12: Assurance Components...............................................................................................................33 
Table 13: Supported protocols by port.......................................................................................................38 
Table 14: DP Models ...................................................................................................................................41 
Table 15: H Models .....................................................................................................................................42 
Table 16: D Models .....................................................................................................................................42 
Table 17: SFR Protection Profile Sources...................................................................................................49 
Table 18: Security Functions vs. Requirements Mapping...........................................................................52 
 

Security Target Version 1.1

2022-03-08

1Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST

conventions, ST conformance claims, and the ST organization. The TOE is ATEN Secure KVM Switch

Series (CAC Models) provided by ATEN.

The Security Target contains the following additional sections:

•TOE Description (Section 2)

•Security Problem Definition (Section 3)

•Security Objectives (Section 4)

•IT Security Requirements(Section 5)

•TOE Summary Specification (Section 6)

•Protection Profile Claims (Section 7)

•Rationale (Section 8)

1.1 Security Target, Target of Evaluation, and Common Criteria Identification

ST Title: ATEN Secure KVM Switch Series (CAC Models) Security Target

ST Version: Version 1.1

ST Date: 2022-03-08

Target of Evaluation (TOE) Identification: ATEN Secure KVM Switch Series (CAC Models)

TOE Versions: The following table identifies the model numbers per configuration. The firmware version

for all models is v1.1.101.

Table 1: ATEN Secure KVM Switch TOE Models

Configuration (with CAC function)

2-Port

4-Port

8-Port

DisplayPort

Single Head

CS1182DP4C

CS1184DP4C

CS1188DP4C

Dual Head

CS1142DP4C

CS1144DP4C

CS1148DP4C

HDMI

Single Head

CS1182H4C

CS1184H4C

N/A

Dual Head

CS1142H4C

CS1144H4C

N/A

DVI

Single Head

CS1182D4C

CS1184D4C

CS1188D4C

Dual Head

CS1142D4C

CS1144D4C

CS1148D4C

The TOE includes a wired remote controller: Remote Peripheral Selector (RPS) that is available to

customers as an additional purchase. This device has the same firmware version as the models above.

TOE Developer: ATEN

Evaluation Sponsor: ATEN

CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1,

Revision 5, April 2017.

Security Target Version 1.1
 2022-03-08 
2 
1.2 Conformance Claims 
This ST and the TOE it describes are conformant to the following CC specifications: 
•Common Criteria for Information Technology Security Evaluation Part 2: Security Functional 
Components, Version 3.1 Revision 5, April 2017 
•Part 2 Extended 
•Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance 
Components, Version 3.1 Revision 5, April 2017 
•Part 3 Conformant 
This ST and the TOE it describes claim exact conformance to the following PP-Configuration: PP-
Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices, 
User Authentication Devices, and Video/Display Devices, 19 July 2019 (CFG_PSD-AO-KM-UA-VI_V1.0) 
This PP-Configuration includes the following components: 
•Protection Profile for Peripheral Sharing Device, Version 4.0, 19 July 2019 (PP_PSD_V4.0) or 
[PSD] 
oincluding the following optional and selection-based SFRs: FAU_GEN.1, FDP_RIP_EXT.2, 
FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_PHP.3, 
FPT_STM.1, and FTA_CIN_EXT.1. 
•PP-Module for Analog Audio Output Devices, Version 1.0, 19 July 2019 (MOD_AO_V1.0). 
•PP-Module for Keyboard/Mouse Devices, Version 1.0, 19 July 2019 (MOD_KM_V1.0) 
oincluding the following optional and selection-based SFRs: FDP_FIL_EXT.1/KM, 
FDP_RIP.1/KM, and FDP_SWI_EXT.3. 
•PP-Module for User Authentication Devices, Version 1.0, 19 July 2019 (MOD_UA_V1.0) 
oincluding the following selection-based SFRs: FDP_TER_EXT.2 and FDP_TER_EXT.3. 
•PP-Module for Video/Display Devices, Version 1.0, 19 July 2019 (MOD_VI_V1.0) 
oincluding the following selection-based SFRs: FDP_CDS_EXT.1, FDP_IPC_EXT.1, 
FDP_SPR_EXT.1/DP(DP), FDP_SPR_EXT.1/DVI-I(D), and FDP_SPR_EXT.1/HDMI(H). 
 
The following NIAP Technical Decisions are applicable to the claimed Protection Profile and Modules: 
•TD0593 –Equivalency Arguments for PSD 
•TD0586 –DisplayPort and HDMI Interfaces in FDP_IPC_EXT.1 
•TD0585 –Update to FDP_APC_EXT.1 Audio Output Tests 
•TD0584 –Update to FDP APC_EXT.1 Video Tests 
•TD0583 –FPT_PHP.3 modified for PSD remote controllers 
•TD0557 –Correction to Audio Filtration Specification Table in FDP_AFL_EXT.1 
•TD0539 –Incorrect Selection Trigger in FTA_CIN_EXT.1 in MOD_VI_V1.0 
The TOE does not fit the Combiner Use Case and so the specific assignment required by the VI 
Module does not apply. 
•TD0518 –Typographical Error in Dependency Table 
•TD0514 –Correction to MOD_VI FDP_APC_EXT.1 Test 3 Step 6 
•TD0507 –Clarification on USB Plug Type 

Security Target Version 1.1

2022-03-08

•TD0506 –Missing Steps to Disconnect and Reconnect Display

1.3 Conventions

The Security Functional Requirements included in this section are derived from Part 2 of the Common

Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, with additional extended

functional components.

The CC defines operations on Security Functional Requirements: assignments, selections, assignments

within selections, iterations, and refinements. This document retains all operations completed by the PP

author (i.e. selections/assignments they already filled out). These are formatted as italicized text.

This document uses the following font conventions to identify iterations, extended SFRs and operations

performed by the ST author:

•Refinement operation (denoted by bold text and underline) is used to add details to a requirement,

and thus further restricts a requirement.

•Selection (denoted by italicized bold text): is used to select one or more options provided by the

[CC] in stating a requirement. Selection operations completed in the PP are shown in brackets.

•Assignment operation (denoted by bold text) is used to assign a specific value to an unspecified

parameter, such as the length of a password. Showing the value in square brackets indicates

assignment. Assignments within Selections are denoted by italicized bold text).

•Iteration operation is identified with a slash (‘/’) and an identifier (e.g. “/KM”). Additional iterations

made by the ST author are defined with a reference in parentheses to the specific TOE models they

apply to, e.g. “(DP)” indicates the SFR only applies to DisplayPort models. Though technically not an

iteration FDP_IPC_EXT.1, also uses this convention to clarify that this requirement only applies to

certain models.

•Extended SFRs are identified by having a label “EXT” after the SFR name.

1.3.1 Terminology

Table 2: Terms and Definitions

Term

Definition

Aligned

Detected and accepted the connection by the KVM.

Assurance

Grounds for confidence that a TOE meets the SFRs.

Authorized Peripheral

A Peripheral Device that is both technically supported and administratively

permitted to have an active interface with the PSD.

Combiner (multi-viewer)

A PSD with video integration functionality that is used to simultaneously display

output from multiple personal computers (PCs).

Common Criteria (CC)

Common Criteria for Information Technology Security Evaluation.

Common Evaluation

Methodology (CEM)

Common Evaluation Methodology for Information Technology Security

Evaluation.

Computer Interface

The PSD’s physical receptacle or port for connecting to a computer.

Configurable Device

Filtration (CDF)

A PSD function that filters traffic based on properties of a connected peripheral

device and criteria that are configurable by an Administrator.

Security Target Version 1.1

2022-03-08

Term

Definition

Connected Computer

A computing device connected to a PSD. May be a personal computer, server,

tablet, or any other computing device.

Connected Peripheral

A Peripheral that is connected to a PSD.

Connection

A physical or logical conduit that enables Devices to interact through respective

interfaces. May consist of one or more physical (e.g., a cable) or logical (e.g., a

protocol) components.

Connector

The plug on a Connection that attaches to a Computer or Peripheral Interface.

Device

An information technology product. In the context of this PP, a Device is a PSD, a

Connected Computer, or a Connected Peripheral.

Display

A device that visually outputs user data, such as a monitor.

Interface

A shared boundary across which two or more Devices exchange information

through a Connection.

A type of PSD that shares a keyboard and pointing device between Connected

Computers. A KM may optionally include an analog audio device.

KVM

A type of PSD that shares a keyboard, video, and pointing device between

Connected Computers. A KVM may optionally include an analog audio device and

user authentication device.

Letter of Volatility

A letter issued by the manufacturer outlining whether onboard memory can store

data when the device is powered off (non‐volatile) or not (volatile).

Monitoring

The ability of a User to receive an indicator of the current Active Interface.

Non-Selected Computer

A Connected Computer that has no Active Interfaces with the PSD.

Peripheral Interface

The PSD’s physical receptacle or port for connecting to a Peripheral Device.

Peripheral/Peripheral

Device

A Device with access that can be Shared or Filtered by a PSD.

Protection Profile (PP)

An implementation‐independent set of security requirements for a category of

products.

Remote Controller

Remote component of the PSD that extends the controls and indications through

a cable.

Secure State

An operating condition in which the PSD disables all connected peripheral and

connected computer interfaces when the correctness of its functions cannot be

ensured.

Security Assurance

Requirement (SAR)

A requirement to assure the security of the TOE.

Security Functional

Requirement (SFR)

A requirement for security enforcement by the TOE.

Security Target (ST)

Implementation‐independent documentation that describes a TOE, its

Operational Environment, and its claimed security functionality.

Selected Computer

A Connected Computer that has Active Interfaces with the PSD.

Supported Peripheral

A Peripheral Device that is technically supported by the PSD.

Target of Evaluation(TOE)

A product or component, consisting of hardware, software, and/or firmware, that

claims to implement certain security functionality in a specific and well-defined

manner.

Security Target Version 1.1

2022-03-08

Term

Definition

TOE Security Functionality

(TSF)

The combined hardware, software, and firmware capabilities of a TOE that are

responsible for implementation of its claimed SFRs.

TOE Security Functionality

Interface (TSFI)

Any external interface between the TOE and its Operational Environment that has

a security‐relevant purpose or is used to transmit security‐relevant data.

TOE Summary Specification

(TSS)

Documentation contained within the Security Target that provides the reader

with a description of how the TOE implements the claimed SFRs.

User

A person that interacts with a PSD (or a process or mechanism acting on behalf of

a person).

User Authentication Device

A Peripheral Device that is used to affirm the identity of a User attempting to

authenticate to a computer (e.g., smart card reader, biometric authentication

device, proximity card reader).

User Data

Information that the User inputs to the Connected Computer or is output to the

User from the Connected Computer (and including user authentication and

credential information)

1.3.2 Acronyms

Table 3: Acronyms

Acronym

Definition

ARC

Audio Return Channel

AUX

Display Port Auxiliary Channel

CAC

Common Access Card

CDF

Configurable Device Filtering

CEC

Consumer Electronics Control

DVI

Digital Visual Interface

EDID

Extended Display Identification Data

EEPROM

Electrically Erasable Programmable Read-Only Memory

FIPS

Federal Information Processing Standards

High Definition

HDCP

High‐bandwidth Digital Content Protection

HDMI

High Definition Multimedia Interface

HEAC

HDMI Ethernet Audio Control

HEC

HDMI Ethernet Channel

HID

Human Interface Device

HPD

Hot Plug Detect

Information Technology

KVM

Keyboard, Video, and Mouse

LED

Light-Emitting Diode

MCCS

Hot Plug Detect

Security Target Version 1.1

2022-03-08

Acronym

Definition

Personal Computer

PSD

Peripheral Sharing Device

RPS

Remote Port Selector

SFP

Security Function Policy

USB

Universal Serial Bus

Security Target Version 1.1

2022-03-08

2TOE Description

2.1 Product Overview

The TOE is the ATEN Secure KVM Switch Series (CAC Models). Each of the sixteen models identified in

Section 1.1 is a Peripheral Sharing Device that include console ports and computer ports. The console

ports are used to connect a single set of peripherals, including a mouse, keyboard, user authentication

device such as smart card or CAC reader, speaker, and one or two video displays (depending on specific

device type) to the TOE. The TOE’s computer ports are connected to up to 2, 4, or 8 separate computers

(again depending on specific device type). The user can then securely switch the connected console

peripherals between any of the connected computers while preventing unauthorized data flows or

leakage between computers. The TOE supports manual port switching using a press and release a port

selection push button (on the switch, or on the Remote Port Selector (RPS) if connected and aligned) to

bring the KVM focus to the computer attached to its corresponding port.

2.2 TOE Overview

The TOE is the ATEN Secure Switch series of products with CAC. The TOE allows users to connect a single

set of peripherals to its console ports to interact with multiple computers that are connected to it via its

computer ports. Controls on the TOE chassis or on the RPS allow the user to select which of the connected

computers is ‘active’ such that the peripherals connected to the console can be used to interact with the

selected computer.

The TOE’s console ports support USB keyboard and mouse, analog audio out (speakers), a USB smart

card/CAC port, and depending on model, DisplayPort, HDMI or DVI-I display.

The TOE’s computer ports support USB keyboard and mouse, analog audio, USB smart card/CAC, and

depending on model, DisplayPort, HDMI, or DVI-I display.

The TOE includes multiple models, all with the same basic functionality. The differences between models

are:

•The type of display interface supported on the console ports (DisplayPort, HDMI or DVI-I)

•The type of display interface supported on the computer ports (DisplayPort, HDMI, or DVI-I)

•The number of sets of computer ports, which determines how many computers can be connected to

the TOE at one time (up to 2, 4, or 8)

2.3 TOE Architecture

The ATEN Secure KVM series are KVM switches with the following characteristics:

•2/4/8 port USB DisplayPort single and dual display for DisplayPort (6 devices)

•2/4 port USB HDMI single and dual display for HDMI (4 devices)

•2/4/8 port USB DVI single and dual display for DVI (6 devices).

The Secure KVM Switch products allow for the connection of a mouse, keyboard, user authentication

device (such as smart card or CAC reader), speaker, and one or two video displays (depending on specific

device type) to the Secure KVM Switch, which is then connected to 2, up to 4, or up to 8 separate

computers (again depending on specific device type). The user can then switch the connected peripherals

Security Target Version 1.1

2022-03-08

between any of the connected computers using a push button on the front of the device or on the RPS.

The selected device is always identifiable by a bright orange LED associated with the applicable selection

button.

To interface with connected computers, the Secure KVM Switch products support analog audio output

and USB connections for the keyboard, mouse, and user authentication device. Depending on model, they

support DisplayPort, DVI-I, or HDMI for the computer video display interface. The switched peripherals on

the console side are analog audio output, USB keyboard and mouse, USB user authentication device, and

DisplayPort, HDMI or DVI-I video output (depending on model).

Separate USB cables are used to connect the keyboard/mouse combination and the user authentication

device to the connected computers. The Secure KVM Switch products supporting DisplayPort convert the

DisplayPort video signal to HDMI. The HDMI signal inside the KVM will be converted again to DisplayPort

signal for output to the connected video display(s) and the AUX channel is monitored and converted to

EDID. The Secure KVM Switch products also support audio output connections from the computers to a

connected audio output device. Only speaker connections are supported and the use of an analog

microphone or line-in audio device is prohibited. The tables below identify the interfaces of the Secure

KVM console and computer ports according to model number.

Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models

Model No.

Console Video Output

Interface

Console

Keyboard

Console

Mouse

Console Audio

output

Console CAC

Reader

DisplayPort

HDMI

DVI-I

USB 1.1/2.0

3.5mm Analog

Audio output

(Speaker)

USB

1.1/2.0

CS1182DP4C

•

CS1142DP4C

•

CS1182H4C

•

CS1142H4C

•

CS1182D4C

•

CS1142D4C

•

CS1184DP4C

•

CS1144DP4C

•

CS1184H4C

•

CS1144H4C

•

CS1184D4C

•

CS1144D4C

•

CS1188DP4C

•

CS1148DP4C

•

CS1188D4C

•

Security Target Version 1.1

2022-03-08

Model No.

Console Video Output

Interface

Console

Keyboard

Console

Mouse

Console Audio

output

Console CAC

Reader

DisplayPort

HDMI

DVI-I

USB 1.1/2.0

3.5mm Analog

Audio output

(Speaker)

USB

1.1/2.0

CS1148D4C

•

Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models

Model No.

Computer Video Input Interface

Computer

Keyboard / Mouse

Computer Audio

Input

Computer CAC

Input

DisplayPort

HDMI

DVI-I

USB

1.1/2.0

3.5mm Analog

Audio Input

(Speaker)

USB

1.1/2.0

CS1182DP4C

•

CS1142DP4C

•

CS1182H4C

•

CS1142H4C

•

CS1182D4C

•

CS1142D4C

•

CS1184DP4C

•

CS1144DP4C

•

CS1184H4C

•

CS1144H4C

•

CS1184D4C

•

CS1144D4C

•

CS1188DP4C

•

CS1148DP4C

•

CS1188D4C

•

CS1148D4C

•

The ATEN Secure KVM products implement a secure isolation design for all models to share a single set of

peripheral components. Each peripheral has its own dedicated data path. USB keyboard and mouse

peripherals are filtered and emulated. The USB authentication device connection is on a separate circuit

from the keyboard and mouse and, after filtering for qualification, has a direct connection path to the

selected computer. The TOE does not emulate the user authentication device function. DisplayPort video

from the selected computer is converted internally to HDMI, then back to DisplayPort for communication

with the connected video display and the AUX channel is monitored and converted to EDID.

Security Target Version 1.1

2022-03-08

The Secure KVM Switch products are designed to enforce the allowed and disallowed data flows between

user peripheral devices and connected computers as specified in [PSD]. Data leakage is prevented across

the TOE to avoid compromise of the user's information. The Secure KVM Switch products automatically

clear the internal TOE keyboard and mouse buffers.

Figure 1 shows the data path design using a 2-Port KVM as an example.

Figure 1: Simplified Block Diagram of a 2-Port KVM TOE

As shown in Figure 1 above, the internal components of the KVM consist of switches, emulators, USB host

controllers, processors, and embedded with non-updateable firmware v1.1.101. The internal hardware

components are identified in Appendix A and include the manufacturer and the part number. The data

flow of USB keyboard/mouse is controlled by the host controller for console HID keyboard and pointing

devices. Details of the data flow architecture are provided in the proprietary Secure KVM Isolation

Document. All keyboard and mouse connections are filtered first, and only authorized devices will be

allowed. The TOE emulates data from authorized USB keyboard and mouse to USB data for computer

sources.

The TOEs proprietary design ensures there is no possibility of data leakage from a user’s peripheral output

device to the input device; ensures that no unauthorized data flows from the monitor to a connected

computer; and unidirectional buffers ensure that the audio data can travel only from the selected

computer to the audio device. There is no possibility of data leakage between computers or from a

peripheral device connected to a console port to a non-selected computer. Each connected computer has

its own independent Device Controller, power circuit, and EEPROM. Additionally, keyboard and mouse

are always switched together.

All Secure KVM Switch components including the RPS, feature hardware security mechanisms including

tamper-evident labels, always active chassis-intrusion detection, and tamper-proof hardware

Security Target Version 1.1

2022-03-08

construction, while software security includes restricted USB connectivity (non-Human Interface Devices

(HIDs) are ignored when switching), an isolated channel per port that makes it impossible for data to be

communicated between computers, and automatic clearing of the keyboard and mouse buffer.

The ATEN Port Authentication Utility must be installed on a separate secure source computer using an

installation wizard. The utility supports Microsoft Windows 8 and higher. The Port Authentication Utility

computer connects to the TOE via USB connection to Computer Port 1. The dedicated secure source

computer must have its own monitor, keyboard, and mouse connected for installation and operation.

A detailed description of the TOE security features can be found in Section 6 (TOE Summary

Specification).

2.3.1 Physical Boundary

The TOE includes the RPS and hardware models identified in Section 1.1 along with embedded firmware

v1.1.101 and corresponding documentation identified in Section 2.5 below.

An optional KVM cable set (not supplied with the TOE) is available as a separate purchase. The KVM cable

sets are built for the KVM connection to the PCs, providing better compatibility. Users can connect the

KVM and PCs using their own cable sets as long as the protocols are compatible but the vendor KVM cable

sets are recommended. The TOE was tested using the cable sets mentioned above and the following

adapters:

•UC32381 (USB-C to HDMI converter)

•UC3239 (USB-C to DP converter)

•VC986 (Active DP-to-HDMI adapter)

•VC965 (Active DP-to-DVI adapter)

While the cable sets and adapters were supplied, they were not included in the evaluation because they

are considered part of the operational environment, along with the switched PCs, peripheral devices,

DisplayPort / HDMI / DVI-I monitors, USB keyboard, USB mouse, 3.5mm audio output (e.g. speakers),

smart card/CAC reader, and the host computers.

The ATEN Port Authentication Utility requires a dedicated secure source computer with Microsoft

Windows 8 or higher, along with its own monitor, keyboard, and mouse.

The following figure shows a representative TOE and its environment. In particular, it shows a four port,

single-head KVM and its connections.

Security Target Version 1.1

2022-03-08

Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment

The ATEN Secure KVM devices do not include any wireless interfaces. The ATEN Secure KVM devices

have been tested and found to comply with the radio frequency emissions limits for a Class A digital

device, pursuant to Part 15 of the Federal Communications Commission rules. If not installed and used

in accordance with the guidance instructions, the device may cause harmful interference to radio

communications. This evaluation did not test for RFI leakage of information.

2.4 Logical Boundary

This section summarizes the security functions provided by the TOE:

•Security Audit

•User Data Protection

•Identification and authentication

•Security Management

•Protection of the TSF

•TOE Access

Security Target Version 1.1

2022-03-08

2.4.1 Security Audit

The TOE generates audit records for the authorized administrator actions. Each audit record records a

standard set of information such as date and time of the event, type of event, and the outcome (success

or failure) of the event.

2.4.2 User Data Protection

The TOE controls and isolates information flowing between the peripheral device interfaces and a

computer interface. The peripheral devices supported include USB keyboard; USB mouse; USB

authentication device (CAC reader and smart card); audio output; and (depending on device type)

DisplayPort, DVI-I, or HDMI video. Some TOE models accept DisplayPort signals at the computer interface

and internally convert the signals to HDMI signals and then convert back to DisplayPort for output to the

console interface.

The TOE authorizes peripheral device connections with the TOE console ports based on the peripheral

device type.

The TOE ensures that any previous information content of a resource is made unavailable upon the

deallocation of the resource from a TOE computer interface immediately after the TOE switches to

another selected computer and on start-up of the TOE.

The TOE provides a Reset to Factory Default function allowing authenticated authorized Administrators

to remove all settings previously configured by the Administrator (such as USB device whitelist/blacklist).

Once the Reset to Factory Default function has been completed, the Secure KVM will terminate the

Administrator Logon mode, purge keyboard/mouse buffer, and power cycle the Secure KVM

automatically.

2.4.3 Identification and Authentication

The TOE provides an identification and authentication function for the administrative user to perform

administrative functions such as configuring the user authentication device filtering whitelist and

blacklist. The authorized administrator must logon by providing a valid password.

2.4.4 Security Management

The TOE supports configurable device filtration (CDF). This function is restricted to the authorized

administrator and allows the TOE to be configured to accept or reject specific USB devices using CDF

whitelist and blacklist parameters. Additionally, the TOE provides security management functions to

configure the keyboard/mouse device filtration, Reset to Factory Default and to change the administrator

password.

2.4.5 Protection of the TSF

The TOE runs a suite of self-tests during initial startup and after activating the reset button that includes

a test of the basic TOE hardware and firmware integrity; a test of the basic computer-to-computer

isolation; and a test of critical security functions (i.e., user control and anti-tampering). The TOE provides

users with the capability to verify the integrity of the TSF and the TSF functionality.

Security Target Version 1.1

2022-03-08

The TOE resists physical attacks on the main TOE enclosure as well as the RPS enclosure for the purpose

of gaining access to the internal components or to damage the anti-tampering battery by becoming

permanently disabled. The TOE preserves a secure state by disabling the TOE when there is a failure of

the power on self-test, or a failure of the anti-tampering function.

The TOE provides unambiguous detection of physical tampering that might compromise the TSF. The TSF

provides the capability to determine whether physical tampering with the TSF's devices or TSF's elements

has occurred.

2.4.6 TOE Access

The TOE displays a continuous visual indication of the computer to which the user is currently

connected, including on power up, and on reset.

2.5 TOE Documentation

There are several documents that provide information and guidance for the deployment and usage of

the TOE. In particular, the following guides reference the security-related guidance material for all

devices in the evaluated configuration.

Guidance Documentation:

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch Administrator Guide, Version 1.03, 2021-1-25

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch Port Authentication Utility Guide, Version 1.03, 2021-1-25

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch User Manual, Version 1.03, 2021-1-25

•ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual

Display PP v4.0 Secure KVM Switch Admin Log Audit Code, Version 1.03, 2021-1-25

TOE Documentation:

•PP4.0 Secure KVM Isolation Document, Version 1.1 (Proprietary)

oNote: The PP4.0 Secure KVM Isolation Document is proprietary as permitted by PSD 4.0 Annex

D.1 Isolation Document and Assessment.

oThe isolation document supplements the security target Section 6 TOE Summary Specification in

order to demonstrate the TOE provides isolation between connected computers. In particular,

the isolation document describes how the TOE mitigates the risk of each unauthorized data flow

listed in PSD 4.0 Annex D and Evaluation Activities specified in the PP v4.0 and modules.

Security Target Version 1.1

2022-03-08

3Security Problem Definition

This security target includes by reference the Security Problem Definition from the [PSD],

[MOD_AO_V1.0], and [MOD_VI_V1.0]. The Security Problem Definition consists of threats that a

conformant TOE is expected to address and assumptions about the operational environment of the TOE.

In general, the [PSD] has presented a Security Problem Definition appropriate for peripheral sharing

devices. The ATEN Secure KVM Switch Series supports KVM (USB Keyboard/Mouse, analog audio (out),

DisplayPort, DVI-I and HDMI video) peripheral switch functionality by combining a 2/4/8 port KVM switch,

an audio output port, and a USB authentication device (CAC port and smart card). As such, the [PSD]

Security Problem Definition applies to the TOE.

Other manuals for CS1182DP4C

This manual suits for next models

Table of contents

Popular Switch manuals by other brands

GrandEye

GrandEye GE-P8001-UT quick start guide

Netgate

Netgate Nighthawk S8000 user manual

IBM

IBM 4002AC2 Installation and user guide

Theben

Theben SEL 173 DCF operating instructions

KinAn

KinAn KM0104 user manual

HETEC

HETEC V-Switch quad Installation and operation manual

Leviton

Leviton Decora ODS15-TDW installation instructions

Cisco

Cisco Catalyst 6500-E Series Guide

HP 5130 EI Switch Series installation guide

Eaton

Eaton VFI Installation, operation and maintenance instructions

Repotec

Repotec RP-G1416D Quick installation guide

Dell

Dell Broadcom NetXtreme Family of Adapters manual

D-Link

D-Link DES-1005P Quick installation guide

SMC Networks

SMC Networks SMC6924VF Specifications

Jabra

Jabra Link 14201-19 How to connect

Voltaire

Voltaire ISR 9024 user manual

NETGEAR

NETGEAR JFS516v2 installation guide

Beijer Electronics

Beijer Electronics korenix JetNet 5020G Quick installation guide

ATEN CS1182DP4C User manual

Popular Switch manuals by other brands