National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
®
TM
Voltage Security, Inc.
Palo Alto, CA
Voltage SecureMail Suite 2.0
Report Number: CCEVS-VR-07-0029
Dated: 29 May 2007
Version: 1.3
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6740
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740
Table of Contents
1 Executive Summary .........................................................................3
2 Identification of the TOE.................................................................8
3 Interpretations..................................................................................9
4 Security Policy..................................................................................9
4.1 Audit ............................................................................................................................... 9
4.1.1 Voltage SecurePolicy Suite Audit .......................................................................... 9
4.1.2 IBE Gateway Audit................................................................................................. 9
4.2 Communication............................................................................................................. 10
4.3 Cryptographic Support.................................................................................................. 10
4.4 Identification and Authentication ................................................................................. 10
4.5 Security Management ................................................................................................... 10
4.6 Protection of the TSF.................................................................................................... 11
5 Assumptions....................................................................................11
5.1 Personnel Assumptions................................................................................................. 11
5.2 Physical Environment Assumptions ............................................................................. 11
5.3 Operational Security Assumptions ............................................................................... 12
6 Evaluated configuration ................................................................12
6.1 Architectural Information ............................................................................................. 12
6.2 TOE Hardware.............................................................................................................. 13
6.3 TOE Software ............................................................................................................... 14
7 Documentation ...............................................................................15
8 IT Product Testing.........................................................................15
8.1 Developer testing .......................................................................................................... 15
8.2 Evaluation Team Independent Testing ......................................................................... 16
8.3 Vulnerability Analysis .................................................................................................. 16
9 Results of the Evaluation...............................................................17
10 Validator Comments/Recommendations .....................................17
11 Security Target...............................................................................17
12 Bibliography ...................................................................................18
1 Executive Summary
This report is intended to assist the end-user of this product with determining the suitability of
this IT product in their environment. End-users should review both the Security Target (ST),
which is where specific security claims are made, in conjunction with this Validation Report
(VR) which describes how those security claims were evaluated.
This report documents the assessment of the National Information Assurance Partnership (NIAP)
validation team of the evaluation of Voltage SecureMail Suite 2.0, the target of evaluation
(TOE). It presents the evaluation results, their justifications, and the conformance results. This
report is not an endorsement of the TOE by any agency of the U.S. government, and no warranty
is either expressed or implied.
The evaluation of the Voltage SecureMail Suite 2.0 product was performed by InfoGard
Laboratories, Inc., San Luis Obispo, CA in the United States and was completed on February 19,
2007. The information in this report is largely derived from the Security Target (ST), Evaluation
Technical Report (ETR) and the functional testing report. The ST was written by InfoGard
Laboratories. The evaluation was conducted in accordance with the requirements of the
Common Criteria for Information Technology Security Evaluation, version 2.2, Evaluation
Assurance Level 2 (EAL2) - augmented, and the Common Evaluation Methodology for IT
Security Evaluation (CEM), Version 2.2.
The Voltage SecureMail Suite 2.0 is a secure email system using identity-based encryption (IBE)
that enables organizations to send secure, ad-hoc business communication such as financial
statements, patient health information (PHI) or sensitive communication regarding intellectual
property. The ability to conduct business electronically, while ensuring compliance with
regulations such as GLBA (Gramm-Leach-Bliley Act) and HIPAA (Health Insurance Portability
and Accountability Act) opens a number of business opportunities not possible before. For
example, federal agencies may communicate securely via email with external entities such as
contractors or suppliers without requiring pre-registration by external users.
Configuration I of the TOE consists of a Voltage SecurePolicy Suite and a Voltage SecureMail
plug-in for Microsoft Outlook. TOE Configuration II adds an IBE Gateway Server.
The Voltage SecurePolicy Suite includes the Zero Download Messenger that may be used, if
needed, by clients using only a web browser.
The Voltage Policy Server and the Voltage SecureMail plug-in for Microsoft Outlook email
clients is the minimum system configuration that provides the core functionality of the system,
the ability to encrypt and decrypt email messages using IBE encryption and decryption. The
Policy Server contains the following core functionality elements:
An Authentication Server that ascertains the authentication status of users or
administrators. The TOE does not contain its own system for authenticating users or
system administrators but instead relies on external authentication methods such as
Windows Domain Authentication, or local system credentials.
A Key Server generates public/private key pairs using IBE (Identity-Based Encryption)
cryptography. Public and private keys are generated on demand so there is no need for a
private key server. Public keys may be stored within the system (in association with user
names) for efficiency.
A Server Management Console provides a GUI for administering the system.
Administrators are authenticated if they are logged into the Windows Domain and they
are included in a local administrative group (VoltageConfigAdmins or
VoltageAuditAdmins) on the server.
Authentication Adapters interface with enterprise authentication systems enabling the
Policy Server to leverage enterprise authentication. The evaluated configuration uses the
Microsoft Active Directory as the external authentication service provider.
The Voltage SecureMail plug-in for Microsoft Outlook integrates Voltage SecureMail Suite key
management and usage capabilities with Microsoft Outlook Account Access functions, giving
users the local abilities to encrypt and sign outgoing email messages, and to decrypt and verify
signatures on incoming email messages.
The collection of Voltage SecurePolicy Suite and the Voltage SecureMail plug-in provides
sufficient functionality to support end-to-end encryption between Microsoft Outlook clients as
shown in Figure 1.
In the figure, the IBE public parameters are generated when the Voltage SecurePolicy Suite is
first configured. These parameters are associated with a particular server or district (a district is a
particular server within a domain). All private keys generated by this key server are
cryptographically related via the IBE public parameters such that signatures are unambiguously
identified as coming from the district hosting the public parameters. Client systems use the IBE
public parameters for signature validation purposes, as well as the calculation of IBE public
keys. The Voltage SecurePolicy Suite is installed in the DMZ (demilitarized zone), a sub-
network between an internal trusted network and an external un-trusted public network. The
Active Directory server provides Windows Domain Authentication credentials for users on the
internal trusted network. Active Directory is part of the Microsoft Exchange server that provides
email capabilities for the system.
Figure 1 End-to-End Encryption and Decryption
Voltage
SecureMail
Plug-In
Voltage
SecureMail
Plug-In
Alice@company.com
Voltage SecurePolicy Suite
Web Server(s)
IBE Public
Parameters
(Hosted on web site)
3. Authentication
Request / Response
Firewall Firewall
DMZ Internet
LAN
Outlook Client
(Windows 2000)
2. Key Request
4. Issue Keys
Outlook Client
(Windows 2000)
Bob@b.com
5. Key Request
7. Issue Keys
Authentication
Adapter
6. Authentication
Request / Response
Active
Directory
Exchange
Server Zero Download Messenger
(The Zero Download Messenger
is not used in this diagram.)
1. Authentication
Request / Response
Policy Server:
- Server Management
Console
- Authentication Server
- Key Server
Active Directory
Authentication Adapter
In this configuration that includes Microsoft Outlook clients provisioned with the Voltage
SecureMail plug-in, Alice wants to send a message to Bob. When Alice clicks the Send Secure
button on Outlook placed there by the SecureMail plug-in, several steps happen before the
SecureMail plug-in encrypts the message using the IBE public parameters and Bob’s email
address (bob@b.com) as encryption input parameters.
1. When Alice logs on to her computer, her Windows session interacts with the Active
directory to establish her domain credentials.
2. If Alice does not already have currently-valid IBE and DSA keys when she clicks the
Send Secure button, the SecureMail plug-in sends an IBE key request and DSA
certificate request over a Transport Layer Security (TLS v1) connection to the
Voltage SecurePolicy Suite.
3. The Voltage SecurePolicy Suite authenticates Alice by checking her Windows
domain credentials against the Active Directory service.
4. The key server generates the IBE private key and DSA public key certificate and
returns these to her over the TLS connection.
The SecureMail plug-in signs the message using Alice’s DSA private key, encrypts
the signed message using the public key for bob@b.com, and sends the encrypted and
signed message to bob@b.com.
5. On receiving the encrypted and signed email, the SecureMail plug-in requests Bob’s
IBE private key and DSA keys from the key server (assuming he does not already
have his keys). The request is passed using a TLS connection.
6. The Voltage SecurePolicy Suite authenticates Bob, using, in this case, the Question
and Answer authentication adapter, which requires Bob to correctly answer m of n
questions. (Bob is in a domain that is outside the Active Directory domain so other
authentication adapters (methods) must be used.)
7. The key server generates Bob’s private IBE key and DSA certificate, passing them to
him over the TLS connection. Bob’s SecureMail plug-in decrypts the message using
Bob’s private key as decryption input parameters.
Bob’s SecureMail plug-in verifies the digital signature on the signed payload using
Alice’s DSA certificate that was included in the secure message.
Additional TOE functionality is provided by the Zero Download Messenger. TOE Configuration
II adds the Voltage IBE Gateway Server to TOE Configuration I.
The Zero Download Messenger (ZDM) relieves email clients from having to download
any specialized client software onto their machine. All clients need is a browser (Internet
Explorer version 6.x with 128-bit encryption enabled). When a client user receives an
encrypted email, he or she clicks on an attachment that creates a TLS connection to the
ZDM server. The ZDM server authenticates the client based on the policy defined in the
Server Management Console. On success, the ZDM server requests the private key from
the key server over a TLS connection established with the Key Server and uses the
private key to decrypt Bob’s email. ZDM offers the capability to reply or to save the
decrypted message contents on the local machine. Note that no user data is ever saved on
the ZDM. All email messages are saved in the client’s mailbox where they remain the
property of the recipient. In some configurations, as when all clients are provisioned with
the SecureMail plug-in, the ZDM may be disabled.
The IBE Gateway expands the Voltage SecureMail solution, letting organizations move
decisions on whether to encrypt emails from users to the centralized server where enterprise
policies can be enforced. The IBE Gateway is a rules-based encryption and decryption engine
that enforces information flow policies, encrypting and decrypting email messages, based on
sender and recipient identity, along with header and subject content.
Figure 2 shows the full Voltage SecureMail Suite Configuration II that includes the Policy
Server, Zero Download Messenger, Voltage SecureMail plug-in, and IBE Gateway Server.
Figure 2 TOE Boundary
LAN
Voltage
SecureMail
Plug-In
Voltage
IBE Gateway
Server
Policy Server:
- Server Management
Console
- Authentication Server
- Key Server
Zero Download
Messenger
TLS
TLS
Generic client
(IE 6.0.2x Browser)
TLS
Generic client
(IE 6.0.2x Browser)
SMTP Email - Plaintext Email SMTP Email - Encrypted or Plaintext
Encrypted or
Plaintext Email
Outlook Client
(Windows 2000 SP4
or Windows XP SP2)
Firewall Firewall
DMZ
SMTP
Internet
Voltage
SecureMail
Plug-In
Outlook Client
(Windows 2000 SP4
or Windows XP SP2)
TOE
Boundary
TLS
TLS
Voltage SecurePolicy Suite
Exchange
Server
Active
Directory
CentOS 4.0
(Windows 2003 Server with SP1)
The dashed line shows the TOE Boundary. Generic clients and browsers are in the environment,
not in the TOE boundary. Similarly, Outlook Client system hardware and Outlook software
reside in the environment while the SecureMail plug-in is inside the TOE boundary. The Active
Directory is shown but not used in this example. See Figure 1 for a usage example. Not shown
but implied in the figure is a web server component of the Voltage SecurePolicy Suite that
supports HTTPS communications between the Voltage SecurePolicy Suite and distributed TOE
subsystems and external TOE users. TLS connections protect all sensitive data flows between
distributed parts of the TOE.
The following components are present in the Voltage SecureMail Suite but are were not
evaluated (excluded from the Common Criteria Evaluated Configuration):
• The Voltage SecurePolicy Suite supports several identity adapters. The following are
specifically excluded from the TOE:
• POP 3
• Remote Identity Adapter
• The Voltage IBE Gateway has a decryption and re-encryption capability for the purposes
of virus scanning or content scanning by an external application. This capability is
specifically excluded from the TOE.
• The Voltage Security Voltage SecureMail plug-in for Outlook includes a file wiping
capability that is specifically excluded from the TOE.
2 Identification of the TOE
The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and
Technology (NIST) effort to establish commercial facilities to perform trusted product
evaluations.
Under this program, security evaluations are conducted by commercial testing laboratories called
Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology
(CEM) for EAL 1 through EAL 4 in accordance with National Voluntary Laboratory Assessment
Program (NVLAP) accreditation.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and
consistency across evaluations. Developers of information technology products desiring a
security evaluation contract with a CCTL pay a fee for their product’s NIAP Validated Products
List.
Table 1 provides information needed to completely identify the product, including:
• The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated;
• The Security Target (ST), describing the security features, claims, and assurances of the
product;
• The conformance result of the evaluation;
• The organizations and individuals participating in the evaluation.
Evaluation Scheme United States Common Criteria Evaluation
Validation Scheme
Evaluated Target of Evaluation Voltage SecureMail Suite 2.0
Protection Profile Not applicable
Security Target Voltage SecureMail Suite 2.0 Version 1.18
May 4, 2007
Dates of evaluation Start Date: 10/13/05
Finish Date: 2/19/07
Conformance result Part 2 extended, Part 3 conformant, EAL 2
Common Criteria version CC version 2.2
Common Evaluation Methodology (CEM)
version
CEM version 2.2
Evaluation Technical Report (ETR) 07-797-R-0035 V1.1
Sponsor/Developer Voltage Security
1070 Arastadero Road, Suite 100
Palo Alto, CA 94304
Common Criteria Testing Lab (CCTL) InfoGard Laboratories
CCTL Evaluators Mark Plascencia, Albert Chang
CCEVS Validators Deborah Downs, Aerospace Corporation
Nicole Carlson, Aerospace Corporation
3 Interpretations
The Evaluation Team performed an analysis of the international interpretations of the CC and the
CEM and determined that none of the international interpretations issued by the Common
Criteria Interpretations Management Board (CCIMB) identified below were applicable to this
evaluation.
The TOE is also compliant with all International interpretations with effective dates on or before
10/13/05.
4 Security Policy
The Voltage SecureMail Suite 2.0 performs the following security functionality:
4.1 Audit
The Voltage SecurePolicy Suite and the IBE Gateway have distinct auditing systems.
4.1.1 Voltage SecurePolicy Suite Audit
The Voltage SecurePolicy Suite audit system records events from the Authentication Server,
Server Management Console, Key Server, Identity Adapter, and Zero Download Messenger.
Audit Data Generation The TOE Voltage SecurePolicy Suite components
generate audit records for the start-up and shut
down of audit functions, administrator log in and
log out, all decisions regarding key generation
including key requests from the Zero Download
Messenger and IBE Gateway, all security-relevant
events and other non-security relevant events.
User Identity Association Audit records include the identity of the user that
caused the event.
Audit Data Review The Voltage SecurePolicy Suite provides a
graphical user interface to review audit records.
Records may be searched using any of the
following fields:
Time
Presumed subject identity or role
Event source
Log level (Error, Warning, Normal, Verbose, All)
Session ID
Status
4.1.2 IBE Gateway Audit
Audit data generation The TOE IBE Gateway components generate audit
records for the start-up and shut down of audit
functions, all decisions regarding encryption and
decryption operations, all failed attempts to use a
secret or private key, and all failed attempts to
create a secure (TLS) connection.
Audit data review The TOE IBE Gateway relies on operating system
utilities less to review audit messages.
4.2 Communication
Selective proof of origin The TOE Voltage SecureMail plug-in for
Microsoft Outlook provides digital signature
generation and verification services.
4.3 Cryptographic Support
Cryptographic key generation The TOE generates cryptographic keys in
accordance with FIPS 140-2 standards.
Cryptographic key destruction The TOE destroys cryptographic keys in
accordance with FIPS 140-2 standards.
Cryptographic operation The TOE performs cryptographic operations in
accordance with FIPS and IEEE P1363.3
Standards.
4.4 Identification and Authentication
User identification before any
action
The TOE and TOE environment ensures users are
identified before allowing any user interactions
with TOE security functions.
User authentication before any
action
The TOE and TOE environment ensures users are
authenticated before allowing any user interactions
with TOE security functions
4.5 Security Management
Management of security attributes The Voltage SecurePolicy Suite and the IBE
Gateway administration interfaces enable
authorized administrators to manage security
attributes.
Secure security attributes The TOE generates, uses, and destroys
cryptographic keys in accordance with FIPS 140-2
standards to ensure they are secure security
attributes.
Specification of Management
Functions
The Voltage SecurePolicy Suite and the IBE
Gateway administration interfaces enable
authorized administrators to manage security
functions.
Security roles The Voltage SecurePolicy Suite maintains
authorized configuration administrator and
authorized audit administrator roles. The IBE
Gateway supports a single administrator role. The
Voltage SecureMail plug-in supports an implicit
user role.
Management of security attributes
for the TOE environment
The TOE environment provides management of
security attributes.
Management of TSF data The TOE Voltage SecurePolicy Suite and IBE
Gateway limit the ability to manage TSF data to
authorized administrators.
4.6 Protection of the TSF
Reliable timestamps for TSF use The TOE environment provides reliable
timestamps for use in auditing functions.
Inter-TSF confidentiality during
transmission
The TOE uses TLS to provide confidentiality
when communicating with remote IT products.
Basic internal TSF data transfer
protection
The TOE uses TLS to provide confidentiality
when communicating distributed parts of the TOE.
Non-bypassability of the TSP The TOE and TOE environment contain features
that prevent an attacker from bypassing the TSP.
Domain Separation The TOE and TOE environment contain features
that provide domain separation.
5 Assumptions
The assumptions are ordered into three categories: personnel assumptions, physical environment
assumptions, and operational assumptions.
5.1 Personnel Assumptions
A.ACCESS Only authorized IT administrators will have access to the servers on the
TOE.
A.NO_EVIL Administrators are non-hostile, appropriately trained, and follow all
administrator guidance.
A.USERDOCS TOE users will follow all guidance provided in the user
5.2 Physical Environment Assumptions
A.LOCATE The Voltage SecurePolicy Suite and IBE Gateway TOE components
operate in a DMZ where they are subject to logical attack. The TOE is
protected by a firewall with rules set to prevent unauthorized access to
TOE resources.
A.LOWEXP The threat of malicious attacks aimed at discovering exploitable
vulnerabilities is considered low.
A.PHYSICAL It is assumed that appropriate physical security is provided within the
domain for the value of the IT assets protected by the TOE and the value
of the stored, processed, and transmitted information.
5.3 Operational Security Assumptions
A.AUDIT_BACKUP Administrators will back up the audit files and monitor disk usage to
ensure audit information is not lost.
A.EXTSRVPROT The TOE interacts with external Microsoft Exchange and Active Directory
servers. Secure TOE operation assumes IT administrators follow best
practices to protect these external servers from attacks.
A.SECURE_COMMS It is assumed that the IT environment will provide a secure line of
communication between distributed portions of the TOE and between the
TOE and remote operators.
6 Evaluated configuration
The evaluated configuration consists of the following 2 options, both of which require software
and hardware deployed to be in the evaluated configuration of the TOE:
TOE Configuration I
• Voltage SecurePolicy Suite version 2.0 on Windows 2003 Server with
SP1
• Voltage SecureMail 2.0.5 for Outlook 2003 SP2 running on Windows
2000 with SP4 or Windows XP with SP2
TOE Configuration II
• Voltage SecurePolicy Suite version 2.0 on Windows 2003 Server with
SP1
• Voltage SecureMail 2.0.5 for Outlook 2003 SP2 running on Windows
2000 with SP4 or Windows XP with SP2
• Voltage IBE Gateway Server version 2.0 on CentOS version 4.0
The TOE (Configuration I) consists of a Voltage SecurePolicy Suite, and a Voltage
SecureMail plug-in for Microsoft Outlook.
The Voltage SecurePolicy Suite includes the Zero Download Messenger that may be used, if
needed, by clients using only a web browser.
The Voltage Policy Server and the Voltage SecureMail plug-in for Microsoft Outlook email
clients provide the minimum system configuration that provides the core functionality of the
system, the ability to encrypt and decrypt email messages using IBE encryption and decryption.
TOE Configuration II adds the Voltage IBE Gateway Server to TOE Configuration I.
6.1 Architectural Information
The high-level architecture of the TOE is shown in Figure 2.
6.2 TOE Hardware
This table identifies required hardware components, all of which are in the environment and not
part of the TOE.
TOE or
Environment
Component Description
For TOE Configuration I
Environment Server platform capable of
running the Microsoft
Windows 2003 Server
operating system.
This is the server platform on which the
Voltage SecurePolicy Suite executes.
Minimally, this is a 2+ GHz server with at
least 512 MB of RAM and 30 GB of free
disk space, and Ethernet Network
Interface Card (NIC).
Environment PC or Workstation capable
of running Windows 2000
SP4 or Windows XP SP2
and running Microsoft
Outlook 2003.
This platform hosts the Voltage
SecureMail plug-in for Microsoft
Outlook. The hardware is a 75 MHz Intel
Pentium processor, or above with at least
8 MB RAM, 2 MB disk space, a CD-
ROM drive, and Ethernet Network
Interface Card (NIC).
Environment Any PC or Workstation
capable of hosting Internet
Explorer Version 6.x.x.
This platform hosts a web browser
required for the use of ZDM. The
hardware is a 75 MHz Intel Pentium
processor, or above with at least 8 MB
RAM, 2 MB disk space, a CD-ROM
drive, and Ethernet Network Interface
Card (NIC).
Environment Server platform capable of
running the Microsoft
Windows 2003 Server
operating system and the
Microsoft Exchange Server
5.5. The Microsoft Exchange
Server contains the Active
Directory.
This is the server platform on which the
Microsoft Exchange Server executes.
Minimally, this is a 2+ GHz server with at
least 512 MB of RAM and 30 GB of free
disk space, and Ethernet Network
Interface Card (NIC).
For TOE Configuration II
Configuration II includes Configuration I and the following:
Environment Server platform capable of
running the CentOS 4.0, a
Linux distribution derived
from the Red Hat Linux 4
operating system.
This is the server platform on which the
Voltage IBE Gateway executes. The
hardware is 1.8 GHz Intel Pentium 4
processor, or above with 1 GB RAM −
Recommended (512 MB RAM is the
Minimum Requirement), 10 GB disk
space, a CD-ROM drive and Ethernet
Network Interface Card (NIC).
Environment CD RW drive capable of
writing a .iso image to a CD-
ROM.
This is used to write the downloaded
Voltage IBE Gateway and CentOS 4.0
image to a CD-ROM for the purpose of
installing the image on the IBE Gateway
server platform.
Table 1 Hardware Components
6.3 TOE Software
This table identifies software components and indicates whether or not each component is in the
TOE.
TOE or
Environment
Component Description
For TOE Configuration I
TOE Voltage SecurePolicy Suite
2.0
This component includes the
Authentication Server, Server
Management Console, Key Server,
Authentication Adapter, and Zero
Download Messenger.
Environment Microsoft Windows 2003
Server with SP1
This operating system underlies the
Voltage SecurePolicy Suite.
Environment MySQL Database Server
4.1.10a
This database software (provided with the
TOE) holds TOE configuration data.
Environment MySQL Connector 3.1.7 This jar file (provided with the TOE)
enables communication between the TOE
and the database.
Environment Java Runtime Environment
(JRE) v1.4.2
The JRE supports Java functions of the
Voltage SecurePolicy Suite.
TOE Voltage SecureMail 2.0.5 This component manages encryption and
decryption and signature generation and
verification for end users.
Environment Microsoft Outlook 2003 with
SP2
This component hosts Voltage SecureMail
and enables users to access email
messages.
Environment Microsoft Windows 2000
with SP4 or Windows XP
with SP2
This operating system underlies the
Microsoft Outlook Clients using the
Voltage SecureMail plug-in.
Environment Microsoft Internet Explorer
Version 6 or higher
This browser component is used on
Microsoft Windows platforms to access
the Zero Download Messenger
component.
For TOE Configuration II
Configuration II includes Configuration I and the following:
TOE Voltage IBE Gateway Server
2.0
This component is a rules-based
encryption and decryption appliance.
Environment CentOS 4.0 − a Linux
distribution derived from the
Red Hat Linux 4 operating
system
This operating system underlies the
Voltage IBE Gateway.
Table 2 Software Components
7 Documentation
The following documentation is delivered with the TOE:
• Read Me First for Installers Voltage SecureMail Suite 2.0 Common Criteria Supplemental
Guidance
• Voltage SecurePolicy Suite 2.0 Administrators Guide
• Voltage SecurePolicy Suite 2.0 Installation Guide For Windows
• Voltage IBE Gateway Server 2.0 Installation and Upgrade Instructions
• Voltage IBE Gateway Server 2.0 Setup Guide
• Voltage IBE Gateway Server 2.0 Configuration Guide
• Voltage SecurePolicy Server 2.0 Release Notes
• Voltage IBE Gateway Server 2.0 Release Notes
• Read Me First for Users Voltage SecureMail Suite 2.0 Common Criteria Supplemental
Guidance
• DOT Windows 2000 Secure Baseline Configuration Standards
• DISA Windows 2000 Security Checklist Version 4, Release 1.13
• DISA Windows 2003/XP/2000 Addendum Version 5, Release 1
8 IT Product Testing
This section describes the testing efforts of the Developer and the evaluation team.
8.1 Developer testing
The test procedures were written by the Developer and designed to be conducted using manual
interaction with the TOE interfaces. During the evaluation of the ATE_FUN.1, the evaluation
team identified inconsistencies in the test cases and worked with the Developer to create accurate
test cases.
The Developer tested the TOE consistent with the Common Criteria evaluated configuration
identified in the ST. The Developer’s approach to testing is defined in the TOE Test Plan. The
expected and actual test results (ATRs) are also included in the TOE Test Plan. Each test case
was identified by a number that correlates to the expected test results in the TOE Test Plan.
The evaluation team analyzed the Developer’s testing to ensure adequate coverage for EAL 2.
The evaluation team determined that the Developer’s actual test results matched the Developer’s
expected test results.
The evaluation team reviewed the Developer’s test plan and assessed that all security functions
were tested except the following:
ƒ Cryptographic key generation - FCS_CKM.1a, FCS_CKM.1b
ƒ Cryptographic key destruction - FCS_CKM.4
ƒ Cryptographic operations - FCS_COP.1a, FCS_COP.1b, FCS_COP.1c, FCS_COP.1d,
FCS_COP.1e
The evaluation generated additional tests during Independent Testing to test the security
functions that were not tested by the Developer’s test plan.
8.2 Evaluation Team Independent Testing
The evaluation team conducted independent testing at the CCTL. The evaluation team installed
the TOE according to vendor installation instructions and the evaluated configuration as
identified in the Security Target.
The evaluation team confirmed the technical accuracy of the setup and installation guide during
installation of the TOE while performing work unit ATE_IND.2-2. The evaluation team
confirmed that the TOE version delivered for testing was identical to the version identified in the
ST.
The evaluation team used the Developer’s Test Plan as a basis for creating the Independent Test
Plan. The evaluation team analyzed the Developer’s test procedures to determine their relevance
and adequacy to test the security function under test. The following items represent a subset of
the factors considered in selecting the functional tests to be conducted:
• Security functions that implement critical security features
• Security functions critical to the TOE’s security objectives
• Security functions that gave rise to suspicion regarding the behavior of the security
features during the documentation evidence evaluation
• Security functions not tested adequately in the vendor’s test plan and procedures
The evaluation team reran 30% of the Sponsor’s test cases and specified additional tests. The
additional test coverage was determined based on the analysis of the Developer test coverage and
the ST.
Each TOE Security Function was exercised at least once, and the evaluation team verified that
each test passed.
8.3 Vulnerability Analysis
The evaluation team ensured that the TOE does not contain exploitable flaws or weaknesses in
the TOE based upon the Developer Strength of Function analysis, the Developer Vulnerability
Analysis, and the evaluation team’s Vulnerability Analysis, and the evaluation team’s
performance of penetration tests.
The Developer performed a Vulnerability Analysis of the TOE to identify any obvious
vulnerabilities in the product and to show that they are not exploitable in the intended
environment for the TOE operation. In addition, the evaluation team conducted a sampling of the
vulnerability sites claimed by the Sponsor to determine the thoroughness of the analysis.
Based on the results of the Developer’s Vulnerability Analysis, the evaluation team devised
penetration testing to confirm that the TOE was resistant to penetration attacks performed by an
attacker with an expertise level of unsophisticated. The evaluation team conducted testing using
the same test configuration that was used for the independent team testing. In addition to the
documentation review used in the independent testing, the team used the knowledge gained
during independent testing to devise the penetration testing. This resulted in a set of six (6)
penetration tests.
9 Results of the Evaluation
The evaluation was carried out in accordance with the Common Criteria Evaluation and
Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the
criteria contained in the Common Criteria for Information Technology Security Evaluation,
Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation
is the Common Methodology for Information Technology Security Evaluation, Version 2.2.
InfoGard Laboratories has determined that the product meets the security criteria in the Security
Target, which specifies an assurance level of EAL 2. A team of Validators, on behalf of the
CCEVS Validation Body, monitored the evaluation. The evaluation was completed in February
2007.
10 Validator Comments/Recommendations
The TOE makes use of cryptographic modules in order to fulfill some security functions.
Cryptographic modules are evaluated under the National Institute of Standards and Technology
(NIST) Federal Information Processing Standards (FIPS) 140-2, a separate standard from the
Common Criteria; the cryptographic functions were not evaluated further during this evaluation.
Users should ensure that they select a product that meets their needs, including FIPS 140-2
compliance, if appropriate.
11 Security Target
Voltage SecureMail Suite 2.0 Version 1.18 May 4, 2007
12 Bibliography
Common Criteria Project Sponsoring Organisations. Common Criteria for Information
Technology Security Evaluation: Part 1: Introduction and General Model, Version 2.2, January
2004. CCIMB-2004-01-001.
Common Criteria Project Sponsoring Organisations. Common Criteria for Information
Technology Security Evaluation: Part 2: Security Functional Requirements, Version 2.2, January
2004. CCIMB-2004-01-002.
Common Criteria Project Sponsoring Organisations. Common Criteria for Information
Technology Security Evaluation: Part 3: Security Assurance Requirements, Version 2.2, January
2004. CCIMB-2004-01-003.
Common Criteria Project Sponsoring Organisations. Common Criteria Commmon Methodology
for Information Technolgoy Security Evaluation. January 2004 CCIMB-2004-01-004.
Common Criteria, Evaluation and Validation Scheme for Information Technology Security,
Guidance to Validators of IT Security Evaluations, Scheme Publication #3, Version 1.0, January
2002.
Voltage SecureMail Suite 2.0 Version 1.18 May 4, 2007