KECS-CR-15-40
AITHER v1.0
Certification Report
Certification No.: KECS-NISS-0612-2015
2015. 6. 10
IT Security Certification Center
Certification Report Page 2
History of Creation and Revision
No. Date
Revised
Pages
Description
00 2015.06.10 -
Certification report for AITHER v1.0
- First documentation
Certification Report Page 3
This document is the certification report for AITHER v1.0 of Korea
Information Security System Co., Ltd.
The Certification Body
IT Security Certification Center
The Evaluation Facility
Telecommunications Technology Association (TTA)
Certification Report Page 4
Table of Contents
Certification Report ....................................................................................................1
1. Executive Summary.............................................................................................5
2. Identification.........................................................................................................6
3. Security Policy .....................................................................................................7
4. Assumptions and Clarification of Scope............................................................8
5. Architectural Information ....................................................................................8
6. Documentation...................................................................................................10
7. TOE Testing........................................................................................................10
8. Evaluated Configuration.................................................................................... 11
9. Results of the Evaluation .................................................................................. 11
9.1 Security Target Evaluation (ASE)............................................................12
9.2 Life Cycle Support Evaluation (ALC) ......................................................12
9.3 Guidance Documents Evaluation (AGD).................................................13
9.4 Development Evaluation (ADV)..............................................................13
9.5 Test Evaluation (ATE).............................................................................14
9.6 Vulnerability Assessment (AVA)..............................................................14
9.7 Evaluation Result Summary ...................................................................15
10. Recommendations.............................................................................................16
11. Security Target ...................................................................................................16
12. Acronyms and Glossary....................................................................................17
13. Bibliography.......................................................................................................19
Certification Report Page 5
1. Executive Summary
This report describes the certification result drawn by the certification body on the
results of the EAL2 evaluation of AITEHR v1.0 with reference to the Common Criteria
for Information Technology Security Evaluation (“CC” hereinafter) [1]. It describes the
evaluation result and its soundness and conformity.
AITHER v1.0 (hereinafter TOE) is a Wireless Access Point (AP) that connects wireless
devices to the wired network by configuring WLAN, and provides security functions
such as Rogue AP/Station detection and unauthorized network connection prevention.
The TOE consists of dedicated H/W (AITHER AP-1000), Firmware (AITHER v1.0.003),
and User Manual (User Operation Manual and Preparation Process Manual).
The evaluation of the TOE has been carried out by Telecommunications Technology Association
(TTA) and completed on June 8th
, 2015. This report grounds on the evaluation technical report
(ETR) [5]. TTA had submitted and the Security Target (ST) [6][7].
The ST has no conformance claim to the Protection Profile (PP). All Security Assurance
Requirements (SARs) in the ST are based only upon assurance component in CC Part 3, and
the TOE satisfies the SARs of Evaluation Assurance Level EAL2. Therefore the ST and the
resulting TOE is CC Part 3 conformant. The Security Functional Requirements (SFRs) are based
upon functional components in CC Part 2, and the TOE satisfies the SFRs in the ST. Therefore
the ST and the resulting TOE is CC Part 2 conformant.
[Figure 1] shows the operational environment of the TOE.
[Figure 1] Operational environment of the TOE
Certification Validity: The certificate is not an endorsement of the IT product by the
Certification Report Page 6
government of Republic of Korea or by any other organization that recognizes or gives
effect to this certificate, and no warranty of the IT product by the government of
Republic of Korea or by any other organization recognizes or gives effect to the
certificate, is either expressed or implied.
2. Identification
The TOE is composite product consisting of the following components and related
guidance documents.
Type Identifier Release Delivery Form
HW AITHER AP-1000 -
Firmware in dedicated
hardware equipment
has been distributed is
installed
Firmware AITHER v1.0.003
DOC
AITHER v1.0 Operational User
Guidance
v1.2
Softcopy (CD)
AITHER v1.0 Preparative
Procedures Guidance
v1.2
[Table 1] TOE identification
[Table 2] summarizes additional information for scheme, developer, sponsor, evaluation
facility, certification body, etc.
Scheme Korea Evaluation and Certification Guidelines for IT Security
(August 8, 2013) [3]
Korea Evaluation and Certification Scheme for IT Security
(November 1, 2012) [4]
TOE AITHER v1.0
Common Criteria Common Criteria for Information Technology Security
Evaluation, Version 3.1 Revision 4, CCMB-2012-09-001 ~
CCMB-2012-09-003, September 2012 [1]
EAL EAL2
Developer Korea Information Security System Co., Ltd.
Certification Report Page 7
Sponsor Korea Information Security System Co., Ltd.
Evaluation Facility Telecommunications Technology Association (TTA)
Completion Date of
Evaluation
June 8th
, 2015
Certification Body IT Security Certification Center
[Table 2] Additional identification information
3. Security Policy
The TOE complies with security policies defined in the ST [6][7] by security objectives
and security requirements. The TOE provides the security functions as follows.
 Security Audit
- TOE provides audit log creation and query execution functions to the
subject that require audit.
 Cryptographic Support
- TOE provides cryptographic functions to protect user data between TOE
and wireless user and TSF data between TOE and administrator PC.
 User Data Protection
- TOE provides threat detection and prevention functions by configuring
secure WLAN and by monitoring wireless network traffic.
 Identification and Authentication
- TOE provides authorization and authentication functions to control
administrator who accesses the management UI and wireless devices
connected to WLAN.
 Security Management
- TOE provides functions for system configuration, security policy planning
and security function management, wireless intrusion detection and
prevention sensor (WIDPS), etc.
 Protection of the TSF
- TOE provides self-test function for TOE itself.
 TOE Access
- TOE provides functions that constrains duplicated sessions from
establishing for an administrator account and destroys the authenticated
Certification Report Page 8
session after the defined idle time.
 Trusted Path/Channels
- TOE provides secure paths and channels for data transmission between
TOE and wireless users as well as TOE and an administrator PC.
For more details refer to the ST.
4. Assumptions and Clarification of Scope
The following assumptions describe the security aspects of the operational
environment in which the TOE will be used or is intended to be used (for the detailed
and precise definition of the assumption refer to the ST [6][7], chapter 3.4):
 An external NTP Server is to be reliable and stable.
 A WLAN Key for the wireless terminal should be managed securely.
 An authorized administrator of the TOE is not malicious, and well trained about
the TOE management functions and carries out his/her duties accurately in
accordance with the administrator guidelines
5. Architectural Information
[Figure 2] shows the physical scope of the TOE. The TOE is a wireless AP that
connects wireless devices to the wired network by configuring WLAN.
[Figure 2] TOE physical scope
Certification Report Page 9
The TOE consists of the following components.
 OS(Kunicorn OS v1.0)
- This component is a Linux based customized operating system. It connects a
wired network and wireless network via router functions and supports AP and
wireless traffic data collection functions and performs authentication and
authorization, security management, security audit.
 DBMS(SQLite)
- This component is storage for audit logs and use SQLite v3.8.9
 Python Library
- This component is a library for the web server based administration UI
support and use Python 2.7.9.
 SSL
- This component supports HTTPS based secure server and use the default of
Python Library.
 SSH Server
- This component provides administrative console to the administrator and use
Dropbear server v2015.67.
The following summarizes TOE hardware, which takes a role to start up through
firmware:
 H/W(AITHER AP-1000)
TOE hardware and detailed specifications for each component are summarized in
[Table 3]
Classification Hardware Specification
CPU Intel N2600 1.6 Ghz dual core x 1ea
Chipset Intel NM10 x 1ea
RAM 2GByte x 1ea
ROM NAND Flash MiSD 8Gbyte x 1ea
Certification Report Page 10
Classification Hardware Specification
Ethernet Port 10/100/1000 Base-T(VIA VT6122 ) x 1ea
Wireless Interface
AR9382 (802.11a/b/g/n) x 3ea
QCA9880 (802.11ac) x 1ea
PoE 802.3AF Type Watt/Port : 15.4W
Power Input DC 12V Min : 1A, Max : 4A
[Table 3] TOE Hardware Detailed Specifications
For the detailed description is refer to the ST [6][7].
6. Documentation
The following documentation is evaluated and provided with the TOE by the developer
to the customer.
Identifier Release Date
AITHER v1.0 Operational User Guidance v1.2 April 17, 2015
AITHER v1.0 Preparative Procedures Guidance v1.2 April 17, 2015
[Table 4] Documentation
7. TOE Testing
Tests for the TOE are:
 ST-based SFR tests
 Testing the correct implementation of the security functional requirements
described in ST
 TSFI-based tests
 Testing the functionality of TSFI which consists TOE
 Integration tests
 Testing the integrity of security functions provided by the TOE
The developer tested all the TSF and analyzed testing results according to the
Certification Report Page 11
assurance component ATE_COV.1. This means that the developer tested all the TSFI
defined for SFR-enforcing of the TOE, and demonstrated that the TSFI behaves as
described in the functional specification. The developer correctly performed and
documented the tests according to the assurance component ATE_FUN.1
The evaluator performed all tests provided by developer and conducted independent
testing based upon test cases devised by the evaluator. The TOE and test
configuration are identical to the developer’s tests. The tests cover preparative
procedures, according to the guidance.
Also, the evaluator conducted vulnerability analysis and penetration testing based upon
test cases devised by the evaluator resulting from the independent search for potential
vulnerabilities. The evaluator testing effort, the testing approach, configuration, depth,
and results are summarized in the ETR [5].
8. Evaluated Configuration
The TOE is AITHER v1.0. The TOE is product consisting of the following components:
 Hardware Device : AITHER AP-1000
 Embedded software(Firmware) : AITHER v1.0.003
The product name and the firmware version of TOE are in the product box, the warrant
document. Administrator can identify those in the initial screen after logging into the
management system. Also, HW model information of TOE is written on the warrant
document.
Administrator can identify those in the initial screen after log in the management
system.
And the guidance documents listed in chapter 6 of this report, [Table 4] were evaluated
with the TOE.
9. Results of the Evaluation
The evaluation facility provided the evaluation result in the ETR [11] which references
Work Package Reports for each assurance requirement and Observation Reports.
The evaluation result was based on the CC [1] and CEM [2].
Certification Report Page 12
As a result of the evaluation, the verdict PASS is assigned to all assurance components of EAL2.
9.1 Security Target Evaluation (ASE)
The ST Introduction correctly identifies the ST and the TOE, and describes the TOE in
a narrative way at three levels of abstraction (TOE reference, TOE overview and TOE
description), and these three descriptions are consistent with each other. Therefore the
verdict PASS is assigned to ASE_INT.1.
The Conformance Claim properly describes how the ST and the TOE conform to the
CC and how the ST conforms to PPs and packages. Therefore the verdict PASS is
assigned to ASE_CCL.1.
The Security Problem Definition clearly defines the security problem intended to be
addressed by the TOE and its operational environment. Therefore the verdict PASS is
assigned to ASE_SPD.1.
The Security Objectives adequately and completely address the security problem
definition and the division of this problem between the TOE and its operational
environment is clearly defined. Therefore the verdict PASS is assigned to ASE_OBJ.2.
The ST does not contain extended security requirements. Therefore the verdict PASS
is assigned to ASE_ECD.1.
The Security Requirements is defined clearly and unambiguously, and it is internally
consistent and the SFRs meet the security objectives of the TOE. Therefore the verdict
PASS is assigned to ASE_REQ.2.
The TOE Summary Specification addresses all SFRs, and it is consistent with other
narrative descriptions of the TOE. Therefore the verdict PASS is assigned to
ASE_TSS.1.
Thus, the ST is sound and internally consistent, and suitable to be used as the basis
for the TOE evaluation.
The verdict PASS is assigned to the assurance class ASE.
9.2 Life Cycle Support Evaluation (ALC)
The developer uses a CM system that uniquely identifies all configuration items.
Therefore the verdict PASS is assigned to ALC_CMC.2.
The configuration list includes the TOE, the parts that comprise the TOE, and the
evaluation evidence. These configuration items are controlled in accordance with CM
capabilities. Therefore the verdict PASS is assigned to ALC_CMS.2.
The delivery documentation describes all procedures used to maintain security of the
Certification Report Page 13
TOE when distributing the TOE to the user. Therefore the verdict PASS is assigned to
ALC_DEL.1.
Thus, the security procedures that the developer uses during the development and
maintenance of the TOE are adequate. These procedures include the configuration
management used throughout TOE development and the delivery activity.
The verdict PASS is assigned to the assurance class ALC.
9.3 Guidance Documents Evaluation (AGD)
The procedures and steps for the secure preparation of the TOE have been
documented and result in a secure configuration. Therefore the verdict PASS is
assigned to AGD_PRE.1.
The operational user guidance describes for each user role the security functionality
and interfaces provided by the TSF, provides instructions and guidelines for the secure
use of the TOE, addresses secure procedures for all modes of operation, facilitates
prevention and detection of insecure TOE states, or it is misleading or unreasonable.
Therefore the verdict PASS is assigned to AGD_OPE.1.
Thus, the guidance documents are adequately describing the user can handle the TOE
in a secure manner. The guidance documents take into account the various types of
users (e.g. those who accept, install, administrate or operate the TOE) whose incorrect
actions could adversely affect the security of the TOE or of their own data.
The verdict PASS is assigned to the assurance class AGD.
9.4 Development Evaluation (ADV)
The TOE design provides a description of the TOE in terms of subsystems sufficient to
determine the TSF boundary. Therefore the verdict PASS is assigned to ADV_TDS.1.
The developer has provided a description of the TSFIs in terms of their purpose,
method of use, and parameters. In addition, for the SFR-enforcing TSFIs the developer
has described the SFR-enforcing actions and direct error messages. Therefore the
verdict PASS is assigned to ADV_FSP.2.
The TSF is structured such that it cannot be tampered with or bypassed, and TSFs that
provide security domains isolate those domains from each other. Therefore the verdict
PASS is assigned to ADV_ARC.1.
Thus, the design documentation is adequate to understand how the TSF meets the
SFRs and how the implementation of these SFRs cannot be tampered with or
Certification Report Page 14
bypassed. Design documentation consists of a functional specification (which
describes the interfaces of the TSF), a TOE design description (which describes the
architecture of the TSF in terms of how it works in order to perform the functions
related to the SFRs being claimed). In addition, there is a security architecture
description (which describes the architectural properties of the TSF to explain how its
security enforcement cannot be compromised or bypassed).
The verdict PASS is assigned to the assurance class ADV.
9.5 Test Evaluation (ATE)
The developer has tested TSFIs, and that the developer's test coverage evidence
shows correspondence between the tests identified in the test documentation and the
TSFIs described in the functional specification. Therefore the verdict PASS is assigned
to ATE_COV.1.
The developer correctly performed and documented the tests in the test documentation.
Therefore the verdict PASS is assigned to ATE_FUN.1.
By independently testing a subset of the TSF, the evaluator confirmed that the TOE
behaves as specified in the design documentation, and had confidence in the
developer's test results by performing all of the developer's tests. Therefore the verdict
PASS is assigned to ATE_IND.2.
Thus, the TOE behaves as described in the ST and as specified in the evaluation
evidence (described in the ADV class).
The verdict PASS is assigned to the assurance class ATE.
9.6 Vulnerability Assessment (AVA)
By penetrating testing, the evaluator confirmed that there are no exploitable
vulnerabilities by attackers possessing basic attack potential in the operational
environment of the TOE. Therefore the verdict PASS is assigned to AVA_VAN.2.
Thus, potential vulnerabilities identified, during the evaluation of the development and
anticipated operation of the TOE, don’t allow attackers possessing basic attack
potential to violate the SFRs.
The verdict PASS is assigned to the assurance class AVA.
Certification Report Page 15
9.7 Evaluation Result Summary
Assurance
Class
Assurance
Component
Evaluator
Action
Elements
Verdict
Evaluator Action
Elements
Assurance
Component
Assurance
Class
ASE ASE_INT.1 ASE_INT.1.1E PASS PASS PASS
ASE_INT.1.2E PASS
ASE_CCL.1 ASE_CCL.1.1E PASS PASS
ASE_SPD.1 ASE_SPD.1.1E PASS PASS
ASE_OBJ.2 ASE_OBJ.2.1E PASS PASS
ASE_ECD.1 ASE_ECD.1.1E PASS PASS
ASE_ECD.1.2E PASS
ASE_REQ.2 ASE_REQ.2.1E PASS PASS
ASE_TSS.1 ASE_TSS.1.1E PASS PASS
ASE_TSS.1.2E PASS
ALC ALC_CMS.2 ALC_CMS.2.1E PASS PASS PASS
ALC_CMC.2 ALC_CMC.2.1E PASS PASS
ALC_DEL.1 ALC_DEL.1.1E PASS PASS
AGD AGD_PRE.1 AGD_PRE.1.1E PASS PASS PASS
AGD_PRE.1.2E PASS PASS
AGD_OPE.1 AGD_OPE.1.1E PASS PASS
ADV ADV_TDS.1 ADV_TDS.1.1E PASS PASS PASS
ADV_TDS.1.2E PASS PASS
ADV_FSP.2 ADV_FSP.2.1E PASS PASS
ADV_FSP.2.2E PASS
ADV_ARC.1 ADV_ARC.1.1E PASS PASS
ATE ATE_COV.1 ATE_COV.1.1E PASS PASS PASS
ATE_FUN.1 ATE_FUN.1.1E PASS PASS
ATE_IND.2 ATE_IND.2.1E PASS PASS
ATE_IND.2.2E PASS
ATE_IND.2.3E PASS
AVA AVA_VAN.2 AVA_VAN.2.1E PASS PASS PASS
AVA_VAN.2.2E PASS
AVA_VAN.2.3E PASS
AVA_VAN.2.4E PASS
Certification Report Page 16
[Table 5] Evaluation Result Summary
10. Recommendations
The TOE security functionality can be ensured only in the evaluated TOE operational
environment with the evaluated TOE configuration, thus the TOE shall be operated by
complying with the followings:
 The TOE administrator must operate after changing the default SSID and
password of the product.
 The TOE administrator must maintain a safe condition, such as changing the
password of the administrator and the user periodically.
 The TOE administrator is recommended to avoid WEP cracking and WLAN
sniffing using WPA2 method between the product and the device when
configuring WLAN.
 The TOE administrator must decide the installation place, and quantities
considering protection range, because RF coverage of WLAN is different
depending on the environment.
 The TOE administrator must check the free space in the audit data storage and
perform backups periodically to prepare for the loss of audit trail.
11. Security Target
AITHER v1.0 Security Target V1.5 [6] is included in this report for reference. For the
purpose of publication, it is provided as sanitized version [7] according to the CCRA
supporting document ST sanitizing for publication [8].
Certification Report Page 17
12. Acronyms and Glossary
CC Common Criteria
EAL Evaluation Assurance Level
PP Protection Profile
SAR Security Assurance Requirement
SFR Security Functional Requirement
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functionality
TSFI TSF Interface
WIDPS Wireless Intrusion Detection & Prevention Sensor
AP Access Point
SSID Service Set Identifier
WPA Wi-Fi Protected Access
PBKDF2 Password-Based Key Derivation Function 2
PSK Pre-Shared Key
RF Radio Frequency
WIDPS A sensor (or function) that detects and blocks intrusion
threats by continually monitoring wireless network traffic
IEEE 802.11 Computer wireless network technology for local area
called Wireless LAN or Wi-Fi. It is developed by the 11th
working group of IEEE LAN/MAN standard committee
(IEEE 802)
AP Wired-Wireless connection bridge device that performs
transfer frames from one wireless device to another
device
Station A device equipped with IEEE base WNIC (Wireless
Network Interface card), which performs operations of
physical layer and MAC layer operations based on IEEE
802.11 standard
Authorized AP An AP registered in the whitelist of TOE by the
Certification Report Page 18
administrator
Authorized Station A station registered in the whitelist of TOE by the
administrator
Unauthorized AP An AP not registered in the whitelist of TOE
Unauthorized Station A station not registered in the whitelist of TOE
SSID A connection identifier between wireless device and AP
that are used by the service provider to differentiate
various basic service sets in the wireless LAN
Rogue AP An AP, installed without permission by the administrator,
can cause a security threat that induces malicious
internal network intrusion by the insider or by the
outsider
Honeypot AP An AP that disclosure use information such as user IDs
and passwords by stealing the SSID of the attack target
AP and by pretending that you are connected to a
normal AP
WPA Wireless LAN encryption technology that uses TKIP
(Temporal Key Integrity Protocol), which uses RC4
stream encryption that improves the WEP vulnerabilities
specified in the IEEE 802.11i standard
WPA2 Wireless LAN encryption technology that uses CCMP
(CCM Mode Protocol), which uses AES encryption
method specified in IEEE 802.11i standard
Ad-hoc Network A network that communicates each other between
devices without fixed wired network
PBKDF2 An one-way hash function algorithm approved by NIST
(National Institute of Standards and Technology,
American Institute of Standards and Technology) and
used to generate an encrypted digest of the user
password
PSK AP and wireless user share specific string as password
and use it for authentication
RF Coverage Distance capable of wireless communication between
TOE and other AP or wireless device. TOE can search
for all wireless network traffic within the RF coverage
Certification Report Page 19
13. Bibliography
The certification body has used following documents to produce this report.
[1] Common Criteria for Information Technology Security Evaluation, Version 3.1
Revision 4, CCMB-2012-09-001 ~ CCMB-2012-09-003, September 2012
Part 1: Introduction and general model
Part 2: Security functional components
Part 3: Security assurance components
[2] Common Methodology for Information Technology Security Evaluation,
Version 3.1 Revision 4, CCMB-2012-09-004, September 2012
[3] Korea Evaluation and Certification Guidelines for IT Security (August 8, 2013)
[4] Korea Evaluation and Certification Scheme for IT Security (November 1,
2012)
[5] TTA-CCE-14-018 AITHER v1.0 Evaluation Technical Report V1.7, June 8th
, 2015
[6] AITHER v1.0 Security Target v1.5, May 21th
, 2015 (Confidential Version)
[7] AITHER v1.0 Security Target Lite v1.5, May 21th
, 2015 (Sanitized Version)
[8] ST sanitizing for publication, CCDB-2006-04-004, April 2006