TÜV Rheinland Nederland B.V.
Headoffice:
Westervoortsedijk 73
NL-6827 AV Arnhem
P.O. Box 2220
NL-6802 CE Arnhem
The Netherlands
Location Leek:
Eiberkamp 10
NL-9351 VT Leek
P.O. Box 37
NL-9350 AA Leek
The Netherlands
info@nl.tuv.com
www.tuv.com/nl
Tel. +31 (0)88 888 7 888
Fax +31 (0)88 888 7 879
TÜV Rheinland Nederland B.V. is a
registered company at the Dutch
Chamber of Commerce under
number 27288788
VAT number: NL815820380B01
IBAN: NL61DEUT0265155096
Version
2020-2
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Certification Report
Thales Luna K7 Cryptographic Module
Sponsor and developer: Thales
Avenue du Jujubier,
ZI Athélia IV - 13705 La Ciotat,
France
Evaluation facility: Brightsight
Brassersplein 2
2612 CT Delft
The Netherlands
Report number: NSCIB-CC-195307-CR
Report version: 1
Project number: 195307
Author(s): Denise Cater
Date: 06 October 2020
Number of pages: 12
Number of appendices: 0
Reproduction of this report is authorized provided the report is reproduced in its entirety.
Page: 2/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
CONTENTS:
Foreword 3
Recognition of the certificate 4
International recognition 4
European recognition 4
1 Executive Summary 5
2 Certification Results 6
2.1 Identification of Target of Evaluation 6
2.2 Security Policy 6
2.3 Assumptions and Clarification of Scope 7
2.4 Architectural Information 7
2.5 Documentation 8
2.6 IT Product Testing 8
2.7 Re-used evaluation results 10
2.8 Evaluated Configuration 10
2.9 Results of the Evaluation 10
2.10 Comments/Recommendations 10
3 Security Target 11
4 Definitions 11
5 Bibliography 12
Page: 3/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Foreword
The Netherlands Scheme for Certification in the Area of IT Security (NSCIB) provides a third-party
evaluation and certification service for determining the trustworthiness of Information Technology (IT)
security products. Under this NSCIB, TÜV Rheinland Nederland B.V. has the task of issuing
certificates for IT security products, as well as for protection profiles and sites.
Part of the procedure is the technical examination (evaluation) of the product, protection profile or site
according to the Common Criteria assessment guidelines published by the NSCIB. Evaluations are
performed by an IT Security Evaluation Facility (ITSEF) under the oversight of the NSCIB Certification
Body, which is operated by TÜV Rheinland Nederland B.V. in cooperation with the Ministry of the
Interior and Kingdom Relations.
An ITSEF in the Netherlands is a commercial facility that has been licensed by TÜV Rheinland
Nederland B.V. to perform Common Criteria evaluations; a significant requirement for such a license is
accreditation to the requirements of ISO Standard 17025 “General requirements for the accreditation
of calibration and testing laboratories”.
By awarding a Common Criteria certificate, TÜV Rheinland Nederland B.V. asserts that the product or
site complies with the security requirements specified in the associated (site) security target, or that
the protection profile (PP) complies with the requirements for PP evaluation specified in the Common
Criteria for Information Security Evaluation. A (site) security target is a requirements specification
document that defines the scope of the evaluation activities.
The consumer should review the (site) security target or protection profile, in addition to this
certification report, in order to gain an understanding of any assumptions made during the evaluation,
the IT product's intended environment, its security requirements, and the level of confidence (i.e., the
evaluation assurance level) that the product or site satisfies the security requirements stated in the
(site) security target.
Reproduction of this report is authorized provided the report is reproduced in its entirety.
Page: 4/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Recognition of the certificate
Presence of the Common Criteria Recognition Arrangement and SOG-IS logos on the certificate
indicates that this certificate is issued in accordance with the provisions of the CCRA and the SOG-IS
agreement and will be recognised by the participating nations.
International recognition
The CCRA has been signed by the Netherlands in May 2000 and provides mutual recognition of
certificates based on the CC. Starting September 2014 the CCRA has been updated to provide mutual
recognition of certificates based on cPPs (exact use) or STs with evaluation assurance components
up to and including EAL2+ALC_FLR. The current list of signatory nations and approved certification
schemes can be found on: http://www.commoncriteriaportal.org.
European recognition
The European SOGIS-Mutual Recognition Agreement (SOGIS-MRA) version 3 effective from April
2010 provides mutual recognition of Common Criteria and ITSEC certificates at a basic evaluation
level for all products. A higher recognition level for evaluation levels beyond EAL4 (resp. E3-basic) is
provided for products related to specific technical domains. This agreement was initially signed by
Finland, France, Germany, The Netherlands, Norway, Spain, Sweden and the United Kingdom. Italy
joined the SOGIS-MRA in December 2010. The current list of signatory nations, approved certification
schemes and the list of technical domains for which the higher recognition applies can be found on:
http://www.sogisportal.eu.
Page: 5/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
1 Executive Summary
This Certification Report states the outcome of the Common Criteria security evaluation of the Thales
Luna K7 Cryptographic Module. The developer of the Thales Luna K7 Cryptographic Module is Thales
located in La Ciotat, France and they also act as the sponsor of the evaluation and certification. A
Certification Report is intended to assist prospective consumers when judging the suitability of the IT
security properties of the product for their particular requirements.
The Thales Luna K7 Cryptographic Module (i.e. the TOE) is a Hardware Security Module (HSM) in the
form of a PCI-E card (Thales Luna PCIe HSM). It is operated in a controlled environment and can be
used either as a standalone device to be inserted in a server, or as a device embedded in a Thales
Luna Network HSM.
The TOE is also suitable for use in support of electronic signature and electronic sealing operations,
certificate issuance and revocation, time stamp operations, and authentication services, as identified
by the (EU) No 910/2014 regulation of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market (eIDAS). For that
purpose, the present Security Target has been explicitly written to comply with [PP 419221-5]; the
TOE supports Assigned Keys, External Key Storage and Key Import/Export operations as defined in
the PP.
The TOE has been evaluated by Brightsight B.V. located in Delft, The Netherlands. The evaluation
was completed on 06 October 2020 with the approval of the ETR. The certification procedure has
been conducted in accordance with the provisions of the Netherlands Scheme for Certification in the
Area of IT Security [NSCIB].
The scope of the evaluation is defined by the security target [ST], which identifies assumptions made
during the evaluation, the intended environment for the Thales Luna K7 Cryptographic Module, the
security requirements, and the level of confidence (evaluation assurance level) at which the product is
intended to satisfy the security requirements. Consumers of the Thales Luna K7 Cryptographic
Module are advised to verify that their own environment is consistent with the security target, and to
give due consideration to the comments, observations and recommendations in this certification
report.
The results documented in the evaluation technical report [ETR]
1
for this product provides sufficient
evidence that the TOE meets the EAL4 augmented (EAL4+) assurance requirements for the evaluated
security functionality. This assurance level is augmented with ALC_FLR.2 (Flaw Reporting
Procedures) and AVA_VAN.5 (Advanced methodical vulnerability analysis).
The evaluation was conducted using the Common Methodology for Information Technology Security
Evaluation, Version 3.1 Revision 5 [CEM] for conformance to the Common Criteria for Information
Technology Security Evaluation, version 3.1 Revision 5 [CC].
TÜV Rheinland Nederland B.V., as the NSCIB Certification Body, declares that the evaluation meets
all the conditions for international recognition of Common Criteria Certificates and that the product will
be listed on the NSCIB Certified Products list. It should be noted that the certification results only apply
to the specific version of the product as evaluated.
1
The Evaluation Technical Report contains information proprietary to the developer and/or the
evaluator, and is not releasable for public review.
Page: 6/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
2 Certification Results
2.1 Identification of Target of Evaluation
The Target of Evaluation (TOE) for this evaluation is the Thales Luna K7 Cryptographic Module from
Thales located in La Ciotat, France.
The TOE is comprised of the following main components:
Delivery
item type
Identifier Version
Hardware
808-000048-002
808-000073-001
808-000066-001
808-000069-001
808-000070-001
n/a
Software
Boot Loader
1.1.1,
1.1.2, or
1.1.4
Firmware 7.7.0
To ensure secure usage a set of guidance documents is provided together with the Thales Luna K7
Cryptographic Module. Details can be found in section 2.5 of this report.
2.2 Security Policy
The TOE has the following features:
 Storage and management of cryptographic keys inside containers (i.e. partitions). The TOE
supports a mandatory Admin Partition and several (optional) User Partitions. For a given
partition, the management and usage of the related key material is restricted to the roles
assigned to that partition, therefore enforcing a strict isolation between the different partitions
managed inside the TOE.
 Enforcement of per-partition authenticated user roles with varying privileges.
 Enforcement of user authentication (either token-based or password-based) and per-key
authorization before allowing users to perform TSF-mediated actions as defined in [ST].
 Cryptographic functions (as fully detailed in [ST]) including:
o Digital signature generation and verification
o Message digest generation
o Message authentication code generation and verification
o Encryption and decryption (symmetric and asymmetric)
o Key generation
o Key derivation
o Generation of shared secret values
o Cryptographic support for one time password and other non-PKI based authentication
mechanisms
o Random number generation (in accordance with [AIS31] PTG.2 and [AIS31] DRG.4
security capabilities).
 Key management functions.
 Secure Trusted Channel (STC) for confidentiality and integrity protection of communication
between TOE and Remote Client Applications.
Page: 7/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
 Firmware update.
 Auditing functionalities.
 Self protection mechanisms:
o voltage and temperature monitors and zeroization response
o passive shield (for K7 TOE variant)
o active shield (for K7+ TOE variant).
2.3 Assumptions and Clarification of Scope
2.3.1 Assumptions
The assumptions defined in the Security Target are not covered by the TOE itself. These aspects lead
to specific Security Objectives to be fulfilled by the TOE-Environment. Detailed information on these
security objectives that must be fulfilled by the TOE environment can be found in section 3.5 of the
[ST].
2.3.2 Clarification of scope
The evaluation did not reveal any threats to the TOE that are not countered by the evaluated security
functions of the product.
Note that the PP [PP 419221-5] claims the environment for the TOE protects against loss or theft of
the TOE, deters and detects physical tampering, protects against attacks based on emanations of the
TOE, and protects against unauthorised software and configuration changes on the TOE and the
hardware appliance it is contained in (“OE.Env Protected operating environment”).
The ST follows the PP and also claims OE.Env, thus the environment in which the TOE is used must
ensure the above protection.
Any threats violating these objectives for the environment are not considered.
2.4 Architectural Information
The Thales Luna K7 Cryptographic Module (i.e. the TOE) is a standalone PCI-E card in the form of
‘Thales Luna PCIe HSM’ or as an embedded module inside the ‘Thales Network HSM’. The TOE can
fulfil general purpose HSM use cases, where assured cryptographic services alongside generation
and management of cryptographic keys are required. The TOE also supports the option for further
customization of the HSM for a given integration through the ability to load 3rd party developed code
(non-TOE) in the form of Functional Modules (FM) onto the HSM.
Local client applications reside in the same hardware appliance as the TOE, e.g. in the case of the
TOE being a PCI-E card inside a server, local client applications are the applications running within
the same server boundary and using the TOE’s services through the PCI-E bus. Another example of
local client application is an embedded application running inside the physical boundary of the TOE
and using the Luna FM API. Note that the secure environment is considered sufficient to provide the
authentication, confidentiality and integrity protection needed for communication between the TOE and
local applications.
External client applications communicate remotely with the TOE through a network connection and
over a secure channel identified as Secure Trusted Channel (STC) which provides authentication of its
end-points and protection of confidentiality and integrity of data sent over the channel.
The high level logical architecture of the TOE can be depicted as follows:
Page: 8/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Figure 1 Thales Luna K7 Cryptographic Module, TOE logical boundary
2.5 Documentation
The following documentation is provided with the product by the developer to the customer:
Identifier Version
[AGDPRE] 007-013968-001, Thales Luna K7(+) Cryptographic Module,
Common Criteria User Guidance – Part1: Preparative Procedures
Revision E
[AGDOPE_P2] 007-000465-001, Thales Luna K7(+) Cryptographic
Module, Common Criteria User Guidance – Part2: Operational Guidance
(General)
Revision F
[AGDOPE_P3] 007-000466-001, Thales Luna K7(+) Cryptographic
Module, Common Criteria User Guidance – Part3: eIDAS guidance
Revision E
[AGDOPE_P4] 007-000467-001, Thales Luna K7(+) Cryptographic
Module, Common Criteria User Guidance – Part4: TOE Integration for use
in Composite Evaluation
Revision D
2.6 IT Product Testing
Testing (depth, coverage, functional tests, independent testing): The evaluators examined the
developer’s testing activities documentation and verified that the developer has met their testing
responsibilities.
2.6.1 Testing approach and depth
The developer has performed extensive testing on functional specification and module-to-module
interaction level. Several proprietary automated test suites are used, supported by execution of
cryptographic test suites (such as known answer tests) and to demonstrate FPT_PHP.1 and
FPT_PHP.3 requirements from [PP 419221-5] (and hence compliance with ISO/IEC 19790:2012
Security Level 3) physical hardware tests were also performed.
The underlying hardware are extendable to composite evaluations, providing the underlying platform is
operated according to its guidance and the composite evaluation requirements are met.
Page: 9/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
For the testing performed by the evaluators, the developer test environment was used. The developer
also provided samples to the evaluator. The evaluators have repeated the developer tests, as well as
additional test cases designed by the evaluator including testing of random number generation in
accordance with [AIS31].
2.6.2 Independent Penetration Testing
The AVA_VAN.5 assurance class requires the evaluator to conduct a methodical vulnerability analysis
based on publicly available source of information and based on structured examination of the
evidence while performing other evaluation activities (ASE, ADV, AGD, ALC & ATE).
Given the restrictions imposed by the PP (which prevents any physical attack and any side channel
attack that requires physical proximity to the TOE), the evaluator focused on vulnerabilities related to
logical design/architectural flaws in the TOE implementation that would lead intended users to abuse
the TOE.
With the exception of one test case, all penetration tests were logical test cases. Considering that
physical access to the TOE is prevented by the protected environment, hardware attacks to the TOE,
as well as any attack that requires side channel techniques based on power/EM emanation were
excluded from the test plan. The devised test cases focus on fuzzing over externally visible
commands, abuse of policy settings and timing measurements when performing cryptographic
operations.
A total of 12 weeks of effort were applied to the execution of the penetration test cases.
2.6.3 Test Configuration
The Security Target [ST] lists five part numbers for TOE variants:
HW part number Description
808-000048-002 Thales Luna K7 PCI-E card with Fans
808-000073-001 Thales Luna K7 PCI-E card without Fans
808-000066-001 Thales Luna K7 PCI-E card without Fans (legacy part number)
808-000069-001 Thales Luna K7+ PCI-E card with Fans
808-000070-001 Thales Luna K7+ PCI-E card without Fans
The evaluators assessed the differences and concluded that they were not security impacting.
Most evaluator independent functional tests were performed on a variant of each of the K7 and K7+.
All evaluator penetration tests were performed on a K7 variant with a selection also performed on a
K7+ variant.
A modified firmware with respect to the base build was used for execution of specific test cases to
support the demonstration of specific TOE behaviour.
Boot loader tests were run against a target boot loader version (BL v 1.1.4) loaded onto the TOE and
where no user configurable options apply. BL v 1.1.1 and 1.1.2 are not as extensively tested, however
this is considered acceptable by the evaluator because the evaluator concluded the differences
between BL versions are of functional nature and not security impacting, and also BL v 1.1.4 offers the
biggest command interface among the three BL versions, hence it is considered as a representative
superset of available BL commands.
The PED used to demonstrate PED authentication was not one of those listed in the ST, but the
evaluator assessed the differences and determined they would not impact the TOE behaviour.
2.6.4 Testing Results
The testing activities, including configurations, procedures, test cases, expected results and observed
results are summarised in the [ETR], with references to the documents containing the full details.
Page: 10/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
The developer’s tests and the independent functional tests produced the expected results, giving
assurance that the TOE behaves as specified in its [ST] and functional specification.
No exploitable vulnerabilities were found with the independent penetration tests.
The algorithmic security level of cryptographic functionality has not been rated in this certification
process, but the current consensus on the algorithmic security level in the open domain, i.e. from the
current best cryptanalytic attacks published, has been taken into account.
For composite evaluations, please consult the [ETRfC] for details.
2.7 Re-used evaluation results
There is no re-use of evaluation results in this certification.
2.8 Evaluated Configuration
The TOE is defined uniquely by its name Thales Luna K7 Cryptographic Module and associated
version numbers as detailed in Identification of Target of Evaluation.
2.9 Results of the Evaluation
The evaluation lab documented their evaluation results in the [ETR],which references an ASE
Intermediate Report and other evaluator documents. To support composite evaluations according to
[CCDB-2007-09-01] a derived document [ETRfC] was provided and approved. This document
provides details of the TOE evaluation that have to be considered when this TOE is used as platform
in a composite evaluation.
The verdict of each claimed assurance requirement is “Pass”.
Based on the above evaluation results the evaluation lab concluded the Thales Luna K7
Cryptographic Module, to be CC Part 2 extended, CC Part 3 conformant, and to meet the
requirements of EAL 4 augmented with ALC_FLR.2 and AVA_VAN.5. This implies that the product
satisfies the security requirements specified in Security Target [ST].
The Security Target claims ‘strict’ conformance to the Protection Profile [PP 419221-5].
2.10 Comments/Recommendations
The user guidance as outlined in section 2.5 contains necessary information about the usage of the
TOE. Certain aspects of the TOE’s security functionality, in particular the countermeasures against
attacks, depend on accurate conformance to the user guidance of both the software and the hardware
part of the TOE. There are no particular obligations or recommendations for the user apart from
following the user guidance. Please note that the documents contain relevant details with respect to
the resistance against certain attacks.
In addition all aspects of assumptions, threats and policies as outlined in the Security Target not
covered by the TOE itself need to be fulfilled by the operational environment of the TOE.
The customer or user of the product shall consider the results of the certification within his system risk
management process. In order for the evolution of attack methods and techniques to be covered, he
should define the period of time until a re-assessment for the TOE is required and thus requested from
the sponsor of the certificate.
The strength of the cryptographic algorithms and protocols was not rated in the course of this
evaluation. This specifically applies to the following proprietary or non-standard algorithms, protocols
and implementations: None.
Page: 11/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
3 Security Target
The Thales Luna K7 Cryptographic Module Security Target, 002-010985-001, Rev J, 25 September
2020 [ST] is included here by reference.
4 Definitions
This list of Acronyms and the glossary of terms contains elements that are not already defined by the
CC or CEM:
HSM Hardware Security Module
IT Information Technology
ITSEF IT Security Evaluation Facility
JIL Joint Interpretation Library
NSCIB Netherlands Scheme for Certification in the area of IT security
PED PIN Entry Device
PP Protection Profile
STC Secure Trusted Channel
TOE Target of Evaluation
Page: 12/12 of report number: NSCIB-CC-195307-CR, dated 06 October 2020
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
5 Bibliography
This section lists all referenced documentation used as source material in the compilation of this
report:
[AIS31] AIS31, Anwendungshinweise und Interpretationen zum Schema (AIS), AIS 31,
Funktionalitätsklassen und Evaluationsmethodologie für physikalische
Zufallszahlengeneratoren, BSI, Version 2.1, 2011-12-02.
[CC] Common Criteria for Information Technology Security Evaluation, Parts I, II and III,
Version 3.1 Revision 5, April 2017.
[CEM] Common Methodology for Information Technology Security Evaluation, Version 3.1
Revision 5, April 2017.
[ETR] Evaluation Technical Report Thales Luna K7/K7+ – EAL4+, 19-RPT-515, Version
6.0, 05 October 2020.
[ETRfC] Evaluation Technical Report for Composition Thales Luna K7/K7+ – EAL4+, 20-
RPT-983, v3.0, 05 October 2020.
[NSCIB] Netherlands Scheme for Certification in the Area of IT Security, Version 2.5, 28
March 2019.
[PP 419221-5] EN 419 221-5:2018 version 1.0, Protection Profiles for TSP Cryptographic Modules
– Part 5: Cryptographic Module for Trust Services, v1.0, registered under the
reference ANSSI-CC-PP-2016/05-M01, 18 May 2020.
[ST] Thales Luna K7 Cryptographic Module Security Target, 002-010985-001, Rev J, 25
September 2020.
(This is the end of this report).