ATEN CS1182DP4C User manual

ATEN Secure KVM Switch Series (CAC Models)
Security Target
Version 1.1
2022-03-08
Prepared for:
ATEN
3F, No. 125, Section 2, Datung Road,
Sijhih District,
New Taipei City, 221
Taiwan
Prepared by:
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive
Columbia, Maryland 21046

Security Target Version 1.1
2022-03-08
i
Revision History
| Version | Author | Modifications |
|---|---|---|
| 0.1 | Leidos | Initial Version |
| 0.2 | Leidos | Incorporate vendor review comments |
| 0.3 | Leidos | Incorporate vendor review comments |
| 0.4 | Leidos | Updates based on evaluator comments |
| 0.5 | Leidos | Minor update to add adapters |
| 0.6 | Leidos | Updates for validator check-in comments |
| 1.0 | Leidos | Minor updates based on evaluator comments |
| 1.1 | Leidos | Updates for validator check-out comments |

Table of Contents
1 Security Target Introduction
1.1 Security Target, Target of Evaluation, and Common Criteria Identification
1.2 Conformance Claims
1.3 Conventions
1.3.1 Terminology
1.3.2 Acronyms
2 TOE Description
2.1 Product Overview
2.2 TOE Overview
2.3 TOE Architecture
2.3.1 Physical Boundary
2.4 Logical Boundary
2.4.1 Security Audit
2.4.2 User Data Protection
2.4.3 Identification and Authentication
2.4.4 Security Management
2.4.5 Protection of the TSF
2.4.6 TOE Access
2.5 TOE Documentation
3 Security Problem Definition
4 Security Objectives
4.1 Security Objectives for the Operational Environment
5 IT Security Requirements
5.1 Extended Requirements
5.2 TOE Security Functional Requirements (PSD, MOD-AO, MOD-KM, MOD_UA_V1.0)
5.2.1 Security Audit (FAU)
5.2.2 User Data Protection (FDP)
5.2.3 Identification and Authentication (FIA)
5.2.4 Security Management (FMT)
5.2.5 Protection of the TSF (FPT)
5.2.6 TOE Access (FTA)
5.3 TOE Security Functional Requirements (DP Models)
5.3.1 User Data Protection (FDP)
5.4 TOE Security Functional Requirements (H Models)
5.4.1 User Data Protection (FDP)
5.5 TOE Security Functional Requirements (D Models)
5.5.1 User Data Protection (FDP)
5.6 TOE Security Assurance Requirements
6 TOE Summary Specification
6.1 Security Audit (FAU_GEN.1)
6.2 User Data Protection
6.2.1 FDP_AFL_EXT.1 – Audio Filtration

6.2.2 FDP_APC_EXT.1 (All Iterations); FDP_UDF_EXT.1/AO – Unidirectional Data Flow (Audio Output); FDP_UDF_EXT.1/KM – Unidirectional Data Flow (Keyboard/Mouse); FDP_UAI_EXT.1 User Authentication Isolation; FDP_UDF_EXT.1/VI – Unidirectional Data Flow (Video Output)
6.2.3 FDP_CDS_EXT.1 – Connected Displays Supported
6.2.4 FDP_FIL_EXT.1/KM – Device Filtering (Keyboard/Mouse); FDP_PDC_EXT.3/KM – Authorized Connection Protocols (Keyboard/Mouse)
6.2.5 FDP_FIL_EXT.1/UA – Device Filtering (User Authentication Devices)
6.2.6 FDP_PDC_EXT.1 – Peripheral Device Connection; FDP_PDC_EXT.2/AO – Peripheral Device Connection (Audio Output); FDP_PDC_EXT.2/KM – Authorized Devices (Keyboard/Mouse); FDP_PDC_EXT.2/UA – Authorized Devices (User Authentication Devices); FDP_PDC_EXT.2/VI – Peripheral Device Connection (Video Output); FDP_PDC_EXT.4 – Supported Authentication Device
6.2.7 FDP_PUD_EXT.1 – Powering Unauthorized Devices
6.2.8 FDP_PWR_EXT.1 Powered By Computer
6.2.9 FDP_RIP.1/KM – Residual Information Protection (Keyboard Data), FDP_RIP_EXT.1 – Residual Information Protection and FDP_RIP_EXT.2 – Purge of Residual Information
6.2.10 FDP_SWI_EXT.1 – PSD Switching; FDP_SWI_EXT.2 – PSD Switching Methods; FDP_SWI_EXT.3 – Tied Switching
6.2.11 FDP_TER_EXT.1 Session Termination; FDP_TER_EXT.2 Session Termination or Removed Devices; FDP_TER_EXT.3 Session Termination upon Switching
6.2.12 TOE Video Security Function
6.3 Identification and Authentication (FIA_UAU.2/ FIA_UID.2)
6.4 Security Management
6.4.1 FMT_MOF.1 – Management of Security Functions Behavior
6.4.2 FMT_SMF.1 – Specification of Management Functions
6.4.3 FMT_SMR.1 – Security Roles
6.5 Protection of the TSF
6.5.1 FPT_FLS_EXT.1 – Failure with Preservation of Secure State
6.5.2 FPT_NTA_EXT.1 – No Access to TOE
6.5.3 FPT_PHP.1 – Passive Detection of Physical Attack and FPT_PHP.3 – Resistance to Physical Attack
6.5.4 FPT_STM.1 Reliable Time Stamps
6.5.5 FPT_TST.1 – TSF Testing and FPT_TST_EXT.1 – TSF Testing
6.6 TOE Access
6.6.1 FTA_CIN_EXT.1 – Continuous Indications
7 Protection Profile Claims
8 Rationale
8.1 TOE Summary Specification Rationale
Appendix A Letter of Volatility

List of Figures and Tables
Figure 1: Simplified Block Diagram of a 2-Port KVM TOE
Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment
Table 1: ATEN Secure KVM Switch TOE Models
Table 2: Terms and Definitions
Table 3: Acronyms
Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models
Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models
Table 6: Security Objectives for the Operational Environment
Table 7: TOE Security Functional Components
Table 8: Audio Filtration Specifications
Table 9: TOE Security Functional Components (DP Models)
Table 10: TOE Security Functional Components (H Models)
Table 11: TOE Security Functional Components (D Models)
Table 12: Assurance Components
Table 13: Supported protocols by port
Table 14: DP Models
Table 15: H Models
Table 16: D Models
Table 17: SFR Protection Profile Sources
Table 18: Security Functions vs. Requirements Mapping

1 Security Target Introduction
This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST
conventions, ST conformance claims, and the ST organization. The TOE is ATEN Secure KVM Switch
Series (CAC Models) provided by ATEN.
The Security Target contains the following additional sections:
• TOE Description (Section 2)
• Security Problem Definition (Section 3)
• Security Objectives (Section 4)
• IT Security Requirements (Section 5)
• TOE Summary Specification (Section 6)
• Protection Profile Claims (Section 7)
• Rationale (Section 8)
1.1 Security Target, Target of Evaluation, and Common Criteria Identification
ST Title: ATEN Secure KVM Switch Series (CAC Models) Security Target
ST Version: Version 1.1
ST Date: 2022-03-08
Target of Evaluation (TOE) Identification: ATEN Secure KVM Switch Series (CAC Models)
TOE Versions: The following table identifies the model numbers per configuration. The firmware version
for all models is v1.1.101.
Table 1: ATEN Secure KVM Switch TOE Models
| Configuration (with CAC function) | Display | 2-Port | 4-Port | 8-Port |
|---|---|---|---|---|
| DisplayPort | Single Head | CS1182DP4C | CS1184DP4C | CS1188DP4C |
| DisplayPort | Dual Head | CS1142DP4C | CS1144DP4C | CS1148DP4C |
| HDMI | Single Head | CS1182H4C | CS1184H4C | N/A |
| HDMI | Dual Head | CS1142H4C | CS1144H4C | N/A |
| DVI | Single Head | CS1182D4C | CS1184D4C | CS1188D4C |
| DVI | Dual Head | CS1142D4C | CS1144D4C | CS1148D4C |
The TOE includes a wired remote controller: Remote Peripheral Selector (RPS) that is available to
customers as an additional purchase. This device has the same firmware version as the models above.
TOE Developer: ATEN
Evaluation Sponsor: ATEN
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 5, April 2017.

1.2 Conformance Claims
This ST and the TOE it describes are conformant to the following CC specifications:
• Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Version 3.1 Revision 5, April 2017
• Part 2 Extended
• Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.1 Revision 5, April 2017
• Part 3 Conformant
This ST and the TOE it describes claim exact conformance to the following PP-Configuration: PP-
Configuration for Peripheral Sharing Device, Analog Audio Output Devices, Keyboard/Mouse Devices,
User Authentication Devices, and Video/Display Devices, 19 July 2019 (CFG_PSD-AO-KM-UA-VI_V1.0)
This PP-Configuration includes the following components:
• Protection Profile for Peripheral Sharing Device, Version 4.0, 19 July 2019 (PP_PSD_V4.0) or [PSD]
  o including the following optional and selection-based SFRs: FAU_GEN.1, FDP_RIP_EXT.2, FDP_SWI_EXT.2, FIA_UAU.2, FIA_UID.2, FMT_MOF.1, FMT_SMF.1, FMT_SMR.1, FPT_PHP.3, FPT_STM.1, and FTA_CIN_EXT.1.
• PP-Module for Analog Audio Output Devices, Version 1.0, 19 July 2019 (MOD_AO_V1.0).
• PP-Module for Keyboard/Mouse Devices, Version 1.0, 19 July 2019 (MOD_KM_V1.0)
  o including the following optional and selection-based SFRs: FDP_FIL_EXT.1/KM, FDP_RIP.1/KM, and FDP_SWI_EXT.3.
• PP-Module for User Authentication Devices, Version 1.0, 19 July 2019 (MOD_UA_V1.0)
  o including the following selection-based SFRs: FDP_TER_EXT.2 and FDP_TER_EXT.3.
• PP-Module for Video/Display Devices, Version 1.0, 19 July 2019 (MOD_VI_V1.0)
  o including the following selection-based SFRs: FDP_CDS_EXT.1, FDP_IPC_EXT.1, FDP_SPR_EXT.1/DP(DP), FDP_SPR_EXT.1/DVI-I(D), and FDP_SPR_EXT.1/HDMI(H).
The following NIAP Technical Decisions are applicable to the claimed Protection Profile and Modules:
• TD0593 – Equivalency Arguments for PSD
• TD0586 – DisplayPort and HDMI Interfaces in FDP_IPC_EXT.1
• TD0585 – Update to FDP_APC_EXT.1 Audio Output Tests
• TD0584 – Update to FDP_APC_EXT.1 Video Tests
• TD0583 – FPT_PHP.3 modified for PSD remote controllers
• TD0557 – Correction to Audio Filtration Specification Table in FDP_AFL_EXT.1
• TD0539 – Incorrect Selection Trigger in FTA_CIN_EXT.1 in MOD_VI_V1.0
  The TOE does not fit the Combiner Use Case and so the specific assignment required by the VI Module does not apply.
• TD0518 – Typographical Error in Dependency Table
• TD0514 – Correction to MOD_VI FDP_APC_EXT.1 Test 3 Step 6
• TD0507 – Clarification on USB Plug Type

• TD0506 – Missing Steps to Disconnect and Reconnect Display
1.3 Conventions
The Security Functional Requirements included in this section are derived from Part 2 of the Common
Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, with additional extended
functional components.
The CC defines operations on Security Functional Requirements: assignments, selections, assignments
within selections, iterations, and refinements. This document retains all operations completed by the PP
author (i.e. selections/assignments they already filled out). These are formatted as italicized text.
This document uses the following font conventions to identify iterations, extended SFRs and operations
performed by the ST author:
• Refinement operation (denoted by bold text and underline) is used to add details to a requirement, and thus further restricts a requirement.
• Selection (denoted by italicized bold text) is used to select one or more options provided by the [CC] in stating a requirement. Selection operations completed in the PP are shown in brackets.
• Assignment operation (denoted by bold text) is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment. Assignments within Selections are denoted by italicized bold text.
• Iteration operation is identified with a slash (‘/’) and an identifier (e.g. “/KM”). Additional iterations made by the ST author are defined with a reference in parentheses to the specific TOE models they apply to, e.g. “(DP)” indicates the SFR only applies to DisplayPort models. Though technically not an iteration, FDP_IPC_EXT.1 also uses this convention to clarify that this requirement only applies to certain models.
• Extended SFRs are identified by having a label “EXT” after the SFR name.
1.3.1 Terminology
Table 2: Terms and Definitions
| Term | Definition |
|---|---|
| Aligned | Detected and accepted the connection by the KVM. |
| Assurance | Grounds for confidence that a TOE meets the SFRs. |
| Authorized Peripheral | A Peripheral Device that is both technically supported and administratively permitted to have an active interface with the PSD. |
| Combiner (multi-viewer) | A PSD with video integration functionality that is used to simultaneously display output from multiple personal computers (PCs). |
| Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation. |
| Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
| Computer Interface | The PSD’s physical receptacle or port for connecting to a computer. |
| Configurable Device Filtration (CDF) | A PSD function that filters traffic based on properties of a connected peripheral device and criteria that are configurable by an Administrator. |
| Connected Computer | A computing device connected to a PSD. May be a personal computer, server, tablet, or any other computing device. |
| Connected Peripheral | A Peripheral that is connected to a PSD. |
| Connection | A physical or logical conduit that enables Devices to interact through respective interfaces. May consist of one or more physical (e.g., a cable) or logical (e.g., a protocol) components. |
| Connector | The plug on a Connection that attaches to a Computer or Peripheral Interface. |
| Device | An information technology product. In the context of this PP, a Device is a PSD, a Connected Computer, or a Connected Peripheral. |
| Display | A device that visually outputs user data, such as a monitor. |
| Interface | A shared boundary across which two or more Devices exchange information through a Connection. |
| KM | A type of PSD that shares a keyboard and pointing device between Connected Computers. A KM may optionally include an analog audio device. |
| KVM | A type of PSD that shares a keyboard, video, and pointing device between Connected Computers. A KVM may optionally include an analog audio device and user authentication device. |
| Letter of Volatility | A letter issued by the manufacturer outlining whether onboard memory can store data when the device is powered off (non-volatile) or not (volatile). |
| Monitoring | The ability of a User to receive an indicator of the current Active Interface. |
| Non-Selected Computer | A Connected Computer that has no Active Interfaces with the PSD. |
| Peripheral Interface | The PSD’s physical receptacle or port for connecting to a Peripheral Device. |
| Peripheral/Peripheral Device | A Device with access that can be Shared or Filtered by a PSD. |
| Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
| Remote Controller | Remote component of the PSD that extends the controls and indications through a cable. |
| Secure State | An operating condition in which the PSD disables all connected peripheral and connected computer interfaces when the correctness of its functions cannot be ensured. |
| Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
| Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
| Security Target (ST) | Implementation-independent documentation that describes a TOE, its Operational Environment, and its claimed security functionality. |
| Selected Computer | A Connected Computer that has Active Interfaces with the PSD. |
| Supported Peripheral | A Peripheral Device that is technically supported by the PSD. |
| Target of Evaluation (TOE) | A product or component, consisting of hardware, software, and/or firmware, that claims to implement certain security functionality in a specific and well-defined manner. |
| TOE Security Functionality (TSF) | The combined hardware, software, and firmware capabilities of a TOE that are responsible for implementation of its claimed SFRs. |
| TOE Security Functionality Interface (TSFI) | Any external interface between the TOE and its Operational Environment that has a security-relevant purpose or is used to transmit security-relevant data. |
| TOE Summary Specification (TSS) | Documentation contained within the Security Target that provides the reader with a description of how the TOE implements the claimed SFRs. |
| User | A person that interacts with a PSD (or a process or mechanism acting on behalf of a person). |
| User Authentication Device | A Peripheral Device that is used to affirm the identity of a User attempting to authenticate to a computer (e.g., smart card reader, biometric authentication device, proximity card reader). |
| User Data | Information that the User inputs to the Connected Computer or is output to the User from the Connected Computer (and including user authentication and credential information). |
1.3.2 Acronyms
Table 3: Acronyms
| Acronym | Definition |
|---|---|
| ARC | Audio Return Channel |
| AUX | Display Port Auxiliary Channel |
| CAC | Common Access Card |
| CDF | Configurable Device Filtering |
| CEC | Consumer Electronics Control |
| DVI | Digital Visual Interface |
| EDID | Extended Display Identification Data |
| EEPROM | Electrically Erasable Programmable Read-Only Memory |
| FIPS | Federal Information Processing Standards |
| HD | High Definition |
| HDCP | High-bandwidth Digital Content Protection |
| HDMI | High Definition Multimedia Interface |
| HEAC | HDMI Ethernet Audio Control |
| HEC | HDMI Ethernet Channel |
| HID | Human Interface Device |
| HPD | Hot Plug Detect |
| IT | Information Technology |
| KVM | Keyboard, Video, and Mouse |
| LED | Light-Emitting Diode |
| MCCS | Hot Plug Detect |
| PC | Personal Computer |
| PSD | Peripheral Sharing Device |
| RPS | Remote Port Selector |
| SFP | Security Function Policy |
| USB | Universal Serial Bus |

2 TOE Description
2.1 Product Overview
The TOE is the ATEN Secure KVM Switch Series (CAC Models). Each of the sixteen models identified in
Section 1.1 is a Peripheral Sharing Device that includes console ports and computer ports. The console
ports are used to connect a single set of peripherals, including a mouse, keyboard, user authentication
device such as a smart card or CAC reader, speaker, and one or two video displays (depending on specific
device type) to the TOE. The TOE’s computer ports are connected to up to 2, 4, or 8 separate computers
(again depending on specific device type). The user can then securely switch the connected console
peripherals between any of the connected computers while preventing unauthorized data flows or
leakage between computers. The TOE supports manual port switching: pressing and releasing a port
selection push button (on the switch, or on the Remote Port Selector (RPS) if connected and aligned)
brings the KVM focus to the computer attached to its corresponding port.
2.2 TOE Overview
The TOE is the ATEN Secure Switch series of products with CAC. The TOE allows users to connect a single
set of peripherals to its console ports to interact with multiple computers that are connected to it via its
computer ports. Controls on the TOE chassis or on the RPS allow the user to select which of the connected
computers is ‘active’ such that the peripherals connected to the console can be used to interact with the
selected computer.
The TOE’s console ports support USB keyboard and mouse, analog audio out (speakers), a USB smart
card/CAC port, and depending on model, DisplayPort, HDMI or DVI-I display.
The TOE’s computer ports support USB keyboard and mouse, analog audio, USB smart card/CAC, and
depending on model, DisplayPort, HDMI, or DVI-I display.
The TOE includes multiple models, all with the same basic functionality. The differences between models
are:
• The type of display interface supported on the console ports (DisplayPort, HDMI or DVI-I)
• The type of display interface supported on the computer ports (DisplayPort, HDMI, or DVI-I)
• The number of sets of computer ports, which determines how many computers can be connected to the TOE at one time (up to 2, 4, or 8)
2.3 TOE Architecture
The ATEN Secure KVM series are KVM switches with the following characteristics:
• 2/4/8 port USB DisplayPort single and dual display for DisplayPort (6 devices)
• 2/4 port USB HDMI single and dual display for HDMI (4 devices)
• 2/4/8 port USB DVI single and dual display for DVI (6 devices).
The Secure KVM Switch products allow for the connection of a mouse, keyboard, user authentication
device (such as smart card or CAC reader), speaker, and one or two video displays (depending on specific
device type) to the Secure KVM Switch, which is then connected to 2, up to 4, or up to 8 separate
computers (again depending on specific device type). The user can then switch the connected peripherals
between any of the connected computers using a push button on the front of the device or on the RPS.
The selected device is always identifiable by a bright orange LED associated with the applicable selection
button.
To interface with connected computers, the Secure KVM Switch products support analog audio output
and USB connections for the keyboard, mouse, and user authentication device. Depending on model, they
support DisplayPort, DVI-I, or HDMI for the computer video display interface. The switched peripherals on
the console side are analog audio output, USB keyboard and mouse, USB user authentication device, and
DisplayPort, HDMI or DVI-I video output (depending on model).
Separate USB cables are used to connect the keyboard/mouse combination and the user authentication
device to the connected computers. The Secure KVM Switch products supporting DisplayPort convert the
DisplayPort video signal to HDMI. The HDMI signal inside the KVM is then converted back to a DisplayPort
signal for output to the connected video display(s), and the AUX channel is monitored and converted to
EDID. The Secure KVM Switch products also support audio output connections from the computers to a
connected audio output device. Only speaker connections are supported and the use of an analog
microphone or line-in audio device is prohibited. The tables below identify the interfaces of the Secure
KVM console and computer ports according to model number.
Table 4: ATEN Secure KVM Switch Console Interfaces and TOE Models
| Model No. | Console Video Output: DisplayPort | Console Video Output: HDMI | Console Video Output: DVI-I | Console Keyboard (USB 1.1/2.0) | Console Mouse (USB 1.1/2.0) | Console Audio output (3.5mm Analog Audio output, Speaker) | Console CAC Reader (USB 1.1/2.0) |
|---|---|---|---|---|---|---|---|
| CS1182DP4C | • | | | • | • | • | • |
| CS1142DP4C | • | | | • | • | • | • |
| CS1182H4C | | • | | • | • | • | • |
| CS1142H4C | | • | | • | • | • | • |
| CS1182D4C | | | • | • | • | • | • |
| CS1142D4C | | | • | • | • | • | • |
| CS1184DP4C | • | | | • | • | • | • |
| CS1144DP4C | • | | | • | • | • | • |
| CS1184H4C | | • | | • | • | • | • |
| CS1144H4C | | • | | • | • | • | • |
| CS1184D4C | | | • | • | • | • | • |
| CS1144D4C | | | • | • | • | • | • |
| CS1188DP4C | • | | | • | • | • | • |
| CS1148DP4C | • | | | • | • | • | • |
| CS1188D4C | | | • | • | • | • | • |
| CS1148D4C | | | • | • | • | • | • |
Table 5: ATEN Secure KVM Switch Computer Interfaces and TOE Models
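| Model No. | Computer Video Input: DisplayPort | Computer Video Input: HDMI | Computer Video Input: DVI-I | Computer Keyboard / Mouse (USB 1.1/2.0) | Computer Audio Input (3.5mm Analog Audio Input, Speaker) | Computer CAC Input (USB 1.1/2.0) |
|---|---|---|---|---|---|---|
| CS1182DP4C | • | | | • | • | • |
| CS1142DP4C | • | | | • | • | • |
| CS1182H4C | | • | | • | • | • |
| CS1142H4C | | • | | • | • | • |
| CS1182D4C | | | • | • | • | • |
| CS1142D4C | | | • | • | • | • |
| CS1184DP4C | • | | | • | • | • |
| CS1144DP4C | • | | | • | • | • |
| CS1184H4C | | • | | • | • | • |
| CS1144H4C | | • | | • | • | • |
| CS1184D4C | | | • | • | • | • |
| CS1144D4C | | | • | • | • | • |
| CS1188DP4C | • | | | • | • | • |
| CS1148DP4C | • | | | • | • | • |
| CS1188D4C | | | • | • | • | • |
| CS1148D4C | | | • | • | • | • |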
The ATEN Secure KVM products implement a secure isolation design for all models to share a single set of
peripheral components. Each peripheral has its own dedicated data path. USB keyboard and mouse
peripherals are filtered and emulated. The USB authentication device connection is on a separate circuit
from the keyboard and mouse and, after filtering for qualification, has a direct connection path to the
selected computer. The TOE does not emulate the user authentication device function. DisplayPort video
from the selected computer is converted internally to HDMI, then back to DisplayPort for communication
with the connected video display and the AUX channel is monitored and converted to EDID.

The Secure KVM Switch products are designed to enforce the allowed and disallowed data flows between
user peripheral devices and connected computers as specified in [PSD]. Data leakage is prevented across
the TOE to avoid compromise of the user's information. The Secure KVM Switch products automatically
clear the internal TOE keyboard and mouse buffers.
Figure 1 shows the data path design using a 2-Port KVM as an example.
Figure 1: Simplified Block Diagram of a 2-Port KVM TOE
As shown in Figure 1 above, the internal components of the KVM consist of switches, emulators, USB host
controllers, and processors, with embedded non-updateable firmware v1.1.101. The internal hardware
components are identified in Appendix A and include the manufacturer and the part number. The data
flow of USB keyboard/mouse is controlled by the host controller for console HID keyboard and pointing
devices. Details of the data flow architecture are provided in the proprietary Secure KVM Isolation
Document. All keyboard and mouse connections are filtered first, and only authorized devices will be
allowed. The TOE emulates data from authorized USB keyboard and mouse to USB data for computer
sources.
The TOE's proprietary design ensures there is no possibility of data leakage from a user's peripheral output
device to the input device; ensures that no unauthorized data flows from the monitor to a connected
computer; and unidirectional buffers ensure that the audio data can travel only from the selected
computer to the audio device. There is no possibility of data leakage between computers or from a
peripheral device connected to a console port to a non-selected computer. Each connected computer has
its own independent Device Controller, power circuit, and EEPROM. Additionally, keyboard and mouse
are always switched together.
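The flow rules stated above can be written as a small reference model for checking test observations. This is an added illustration, not ATEN firmware or code from the Security Target; the class and function names, the direction table, and the sample flows are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Permitted direction per peripheral class (model assumption drawn from the text):
#   "in"   console device -> selected computer
#   "out"  selected computer -> console device
#   "both" two-way, selected computer only (the CAC reader has a direct path)
DIRECTION = {"keyboard": "in", "mouse": "in", "audio": "out",
             "video": "out", "cac": "both"}
CONSOLE = "console"

@dataclass
class KvmPolicyModel:
    ports: int
    selected: int = 1
    km_buffer: list = field(default_factory=list)

    def flow_allowed(self, kind, src, dst):
        """src and dst are CONSOLE or a computer port number (int)."""
        if CONSOLE not in (src, dst) or src == dst:
            return False          # computer-to-computer flows are never allowed
        computer = dst if src == CONSOLE else src
        if computer != self.selected or not 1 <= computer <= self.ports:
            return False          # non-selected computers are isolated
        want = "in" if src == CONSOLE else "out"
        return DIRECTION.get(kind) in (want, "both")

    def type_keys(self, data):
        """Keystrokes are buffered only for the currently selected computer."""
        self.km_buffer.append((self.selected, data))

    def switch(self, port):
        """Keyboard and mouse move together; the buffer is purged on every switch."""
        if not 1 <= port <= self.ports:
            raise ValueError("no such port")
        self.km_buffer.clear()
        self.selected = port

def audit_flows(model, observed):
    """Return the observed (kind, src, dst) flows that violate the policy."""
    return [flow for flow in observed if not model.flow_allowed(*flow)]

# Constructed observations for a 2-port unit with port 1 selected.
SAMPLE = [("keyboard", CONSOLE, 1), ("audio", 1, CONSOLE), ("audio", CONSOLE, 1),
          ("keyboard", CONSOLE, 2), ("video", 2, 1), ("cac", 1, CONSOLE)]

if __name__ == "__main__":
    for bad in audit_flows(KvmPolicyModel(ports=2), SAMPLE):
        print("disallowed flow:", bad)
```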
All Secure KVM Switch components, including the RPS, feature hardware security mechanisms including
tamper-evident labels, always active chassis-intrusion detection, and tamper-proof hardware
construction, while software security includes restricted USB connectivity (non-Human Interface Devices
(HIDs) are ignored when switching), an isolated channel per port that makes it impossible for data to be
communicated between computers, and automatic clearing of the keyboard and mouse buffer.
The ATEN Port Authentication Utility must be installed on a separate secure source computer using an
installation wizard. The utility supports Microsoft Windows 8 and higher. The Port Authentication Utility
computer connects to the TOE via USB connection to Computer Port 1. The dedicated secure source
computer must have its own monitor, keyboard, and mouse connected for installation and operation.
A detailed description of the TOE security features can be found in Section 6 (TOE Summary
Specification).
2.3.1 Physical Boundary
The TOE includes the RPS and hardware models identified in Section 1.1 along with embedded firmware
v1.1.101 and corresponding documentation identified in Section 2.5 below.
An optional KVM cable set (not supplied with the TOE) is available as a separate purchase. The KVM cable
sets are built for the KVM connection to the PCs, providing better compatibility. Users can connect the
KVM and PCs using their own cable sets as long as the protocols are compatible but the vendor KVM cable
sets are recommended. The TOE was tested using the cable sets mentioned above and the following
adapters:
• UC32381 (USB-C to HDMI converter)
• UC3239 (USB-C to DP converter)
• VC986 (Active DP-to-HDMI adapter)
• VC965 (Active DP-to-DVI adapter)
While the cable sets and adapters were supplied, they were not included in the evaluation because they
are considered part of the operational environment, along with the switched PCs, peripheral devices,
DisplayPort / HDMI / DVI-I monitors, USB keyboard, USB mouse, 3.5mm audio output (e.g. speakers),
smart card/CAC reader, and the host computers.
The ATEN Port Authentication Utility requires a dedicated secure source computer with Microsoft
Windows 8 or higher, along with its own monitor, keyboard, and mouse.
The following figure shows a representative TOE and its environment. In particular, it shows a four port,
single-head KVM and its connections.

Figure 2: Representative ATEN Secure KVM Switch TOE Model in its environment
The ATEN Secure KVM devices do not include any wireless interfaces. The ATEN Secure KVM devices
have been tested and found to comply with the radio frequency emissions limits for a Class A digital
device, pursuant to Part 15 of the Federal Communications Commission rules. If not installed and used
in accordance with the guidance instructions, the device may cause harmful interference to radio
communications. This evaluation did not test for RFI leakage of information.
2.4 Logical Boundary
This section summarizes the security functions provided by the TOE:
• Security Audit
• User Data Protection
• Identification and authentication
• Security Management
• Protection of the TSF
• TOE Access

2.4.1 Security Audit
The TOE generates audit records for the authorized administrator actions. Each audit record records a
standard set of information such as date and time of the event, type of event, and the outcome (success
or failure) of the event.
2.4.2 User Data Protection
The TOE controls and isolates information flowing between the peripheral device interfaces and a
computer interface. The peripheral devices supported include USB keyboard; USB mouse; USB
authentication device (CAC reader and smart card); audio output; and (depending on device type)
DisplayPort, DVI-I, or HDMI video. Some TOE models accept DisplayPort signals at the computer interface
and internally convert the signals to HDMI signals and then convert back to DisplayPort for output to the
console interface.
The TOE authorizes peripheral device connections with the TOE console ports based on the peripheral
device type.
The TOE ensures that any previous information content of a resource is made unavailable upon the
deallocation of the resource from a TOE computer interface immediately after the TOE switches to
another selected computer and on start-up of the TOE.
The TOE provides a Reset to Factory Default function allowing authenticated authorized Administrators
to remove all settings previously configured by the Administrator (such as USB device whitelist/blacklist).
Once the Reset to Factory Default function has been completed, the Secure KVM will terminate the
Administrator Logon mode, purge keyboard/mouse buffer, and power cycle the Secure KVM
automatically.
2.4.3 Identification and Authentication
The TOE provides an identification and authentication function for the administrative user to perform
administrative functions such as configuring the user authentication device filtering whitelist and
blacklist. The authorized administrator must log on by providing a valid password.
2.4.4 Security Management
The TOE supports configurable device filtration (CDF). This function is restricted to the authorized
administrator and allows the TOE to be configured to accept or reject specific USB devices using CDF
whitelist and blacklist parameters. Additionally, the TOE provides security management functions to
configure the keyboard/mouse device filtration, Reset to Factory Default and to change the administrator
password.
2.4.5 Protection of the TSF
The TOE runs a suite of self-tests during initial startup and after activating the reset button that includes
a test of the basic TOE hardware and firmware integrity; a test of the basic computer-to-computer
isolation; and a test of critical security functions (i.e., user control and anti-tampering). The TOE provides
users with the capability to verify the integrity of the TSF and the TSF functionality.

The TOE resists physical attacks on the main TOE enclosure and on the RPS enclosure, made for the purpose
of gaining access to the internal components or damaging the anti-tampering battery, by becoming
permanently disabled. The TOE preserves a secure state by disabling the TOE when there is a failure of
the power-on self-test or a failure of the anti-tampering function.
The TOE provides unambiguous detection of physical tampering that might compromise the TSF. The TSF
provides the capability to determine whether physical tampering with the TSF's devices or TSF's elements
has occurred.
2.4.6 TOE Access
The TOE displays a continuous visual indication of the computer to which the user is currently
connected, including on power up, and on reset.
2.5 TOE Documentation
There are several documents that provide information and guidance for the deployment and usage of
the TOE. In particular, the following guides reference the security-related guidance material for all
devices in the evaluated configuration.
Guidance Documentation:
• ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual
Display PP v4.0 Secure KVM Switch Administrator Guide, Version 1.03, 2021-1-25
• ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual
Display PP v4.0 Secure KVM Switch Port Authentication Utility Guide, Version 1.03, 2021-1-25
• ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual
Display PP v4.0 Secure KVM Switch User Manual, Version 1.03, 2021-1-25
• ATEN PSD PP v4.0 Secure KVM Switch Series 2/4/8-Port USB DVI/HDMI/DisplayPort Single/Dual
Display PP v4.0 Secure KVM Switch Admin Log Audit Code, Version 1.03, 2021-1-25
TOE Documentation:
• PP4.0 Secure KVM Isolation Document, Version 1.1 (Proprietary)
  o Note: The PP4.0 Secure KVM Isolation Document is proprietary as permitted by PSD 4.0 Annex
  D.1 Isolation Document and Assessment.
  o The isolation document supplements the security target Section 6 TOE Summary Specification in
  order to demonstrate the TOE provides isolation between connected computers. In particular,
  the isolation document describes how the TOE mitigates the risk of each unauthorized data flow
  listed in PSD 4.0 Annex D and Evaluation Activities specified in the PP v4.0 and modules.

3 Security Problem Definition
This security target includes by reference the Security Problem Definition from the [PSD],
[MOD_AO_V1.0], and [MOD_VI_V1.0]. The Security Problem Definition consists of threats that a
conformant TOE is expected to address and assumptions about the operational environment of the TOE.
In general, the [PSD] has presented a Security Problem Definition appropriate for peripheral sharing
devices. The ATEN Secure KVM Switch Series supports KVM (USB Keyboard/Mouse, analog audio (out),
DisplayPort, DVI-I and HDMI video) peripheral switch functionality by combining a 2/4/8 port KVM switch,
an audio output port, and a USB authentication device (CAC port and smart card). As such, the [PSD]
Security Problem Definition applies to the TOE.