Australasian Information
Security Evaluation Program
Certification Report
Certificate Number: 2008/48
06 AUG 2008
Version 1.0
Commonwealth of Australia 2008.
Reproduction is authorised provided
that the report is copied in its entirety.
06 AUG 2008 Version 1.0 Page i
Amendment Record
Version Date Description
1.0 06/08/2008 Public release.
06 AUG 2008 Version 1.0 Page ii
Executive Summary
1 Windows Mobile 6.1 is a compact operating system for use on Pocket PCs
and Smartphones enabling users to extend their corporate Windows
desktop to mobile devices in a secure manner. Windows Mobile 6.1 is the
Target of Evaluation (TOE).
2 Windows Mobile 6.1 extends and strengthens the core security features of
the Windows Mobile 6 operating system by:
a) Enabling management of the mobile device with the System Center
Mobile Device Manager (SCMDM) client application;
b) Providing a ‘double-enveloped’ (IPSec and SSL), secure Mobile
VPN capability between the Mobile Device and the trusted
enterprise; and
c) Encrypting locally stored data.
3 This report describes the findings of the IT security evaluation of
Microsoft Corporation’s Windows Mobile 6.1, to the Common Criteria
Evaluation Assurance Level 2 augmented with basic flaw remediation
(ALC_FLR.1). The report concludes that the product has met the target
assurance level of EAL 2 augmented with ALC_FLR.1 and that the
evaluation was conducted in accordance with the relevant criteria and the
requirements of the Australasian Information Security Evaluation Program
(AISEP). The evaluation was performed by stratsec and was completed on
30 July 2008.
4 With regard to the secure operation of the TOE, the Australasian
Certification Authority (ACA) recommends that users:
a) Review the security of default applications;
b) Consider the necessity of pre-installed certificates contained within the
certificate stores;
c) Maintain the awareness of the evaluated configuration; and
d) Avoid using the device as a primary data store;
5 This report includes information about the underlying security policies and
architecture of the TOE, and information regarding the conduct of the
evaluation.
6 It is the responsibility of the user to ensure that the TOE meets their
requirements. For this reason, it is recommended that a prospective user of
the TOE refer to the Security Target [1], and read this Certification Report
prior to deciding whether to purchase the product.
06 AUG 2008 Version 1.0 Page iii
Table of Contents
CHAPTER 1 - INTRODUCTION ........................................................................................................1
1.1 OVERVIEW ................................................................................................................................1
1.2 PURPOSE....................................................................................................................................1
1.3 IDENTIFICATION ........................................................................................................................1
CHAPTER 2 - TARGET OF EVALUATION.....................................................................................3
2.1 OVERVIEW ................................................................................................................................3
2.2 DESCRIPTION OF THE TOE ........................................................................................................3
2.3 TOE ARCHITECTURE.................................................................................................................4
2.4 CLARIFICATION OF SCOPE .........................................................................................................5
2.4.1 Evaluated Functionality....................................................................................................5
2.4.2 Non-evaluated Functionality ............................................................................................7
2.5 USAGE.......................................................................................................................................8
2.5.1 Evaluated Configuration ..................................................................................................8
2.5.2 Delivery procedures .........................................................................................................8
2.5.3 Verifying the Evaluated Product.....................................................................................10
2.5.4 Documentation................................................................................................................10
2.5.5 Secure Usage..................................................................................................................11
CHAPTER 3 - EVALUATION ...........................................................................................................13
3.1 OVERVIEW ..............................................................................................................................13
3.2 EVALUATION PROCEDURES.....................................................................................................13
3.3 FUNCTIONAL TESTING.............................................................................................................13
3.4 PENETRATION TESTING ...........................................................................................................13
CHAPTER 4 - CERTIFICATION......................................................................................................15
4.1 OVERVIEW ..............................................................................................................................15
4.2 CERTIFICATION RESULT ..........................................................................................................15
4.3 ASSURANCE LEVEL INFORMATION..........................................................................................15
4.4 RECOMMENDATIONS ...............................................................................................................15
ANNEX A - REFERENCES AND ABBREVIATIONS....................................................................17
A.1 REFERENCES ...........................................................................................................................17
A.2 ABBREVIATIONS AND ACRONYMS...........................................................................................18
06 AUG 2008 Version 1.0 Page iv
Chapter 1 - Introduction
1.1 Overview
7 This chapter contains information about the purpose of this document and
how to identify the Target of Evaluation (TOE).
1.2 Purpose
8 The purpose of this Certification Report is to:
a) report the certification of results of the IT security evaluation of the
TOE, Windows Mobile 6.1, against the requirements of the
Common Criteria (CC) evaluation assurance level EAL 2
augmented with ALC_FLR.1, and
b) provide a source of detailed security information about the TOE for
any interested parties.
9 This report should be read in conjunction with the TOE’s Security Target
[1], which provides a full description of the security requirements and
specifications that were used as the basis of the evaluation.
1.3 Identification
10 Table 1 provides identification details for the evaluation. For details of all
components included in the evaluated configuration refer to section 2.5.1
Evaluated Configuration.
06 AUG 2008 Version 1.0 Page 1
Table 1: Identification Information
Item Identifier
Evaluation Scheme Australasian Information Security Evaluation Program
TOE Windows Mobile 6.1, which includes the following editions:
• Windows Mobile 6.1 Standard;
• Windows Mobile 6.1 Professional; and
• Windows Mobile 6.1 Classic.
Software Version This evaluation includes the following Adaptation Kit Updates
(AKUs):
• Build 19212 AKU 1.0.3;
• Build 19214 AKU 1.0.4; and
• Build 19581 AKU 1.1.1.
Security Target Windows Mobile 6.1 Security Target v1.0, 22 July 2008
Evaluation Level EAL 2 augmented with ALC_FLR.1
Evaluation
Technical Report
Evaluation Technical Report for Windows Mobile 6.1 v1.0, 25
July 2008
Criteria Common Criteria for Information Technology (IT) Security
Evaluation, version 2.3, August 2005.
Methodology CEM version 2.3, August 2005.
Conformance CC Part 2 Extended, Part 2: Security functional requirements,
version 2.3, August 2005.
CC Part 3 Conformant: Security assurance requirements,
version 2.3, August 2005.
Sponsor and
Developer
Microsoft Corporation
1 Microsoft Way, Redmond WA 98052-8300 USA
Evaluation Facility stratsec
Suit 1/50 Geils Court, Deakin ACT
06 AUG 2008 Version 1.0 Page 2
Chapter 2 - Target of Evaluation
2.1 Overview
11 This chapter contains information about the Target of Evaluation (TOE),
including: a description of functionality provided; its architecture
components; the scope of evaluation; security policies; and its secure
usage.
2.2 Description of the TOE
12 The TOE is Windows Mobile 6.1 developed by Microsoft Corporation.
13 The TOE is a single user operating system designed for use with
Smartphone and PocketPC devices. The intended method of use of the
TOE is as a mobile messaging solution that allows users to stay connected
to their email, contacts and calendar whilst away from their enterprise
workstation.
14 The TOE operates in a specific operational environment, the user
environment, and is supported by capabilities that exist within the
operator and enterprise environments. The relationships between the
TOE and relevant elements within each of the operating environments are
depicted in Figure 1.
OEM
Services
&
Applications
Device
Network
Interface
Figure 1 – The TOE operating environment
15 The TOE has the Windows Mobile 6 core security features and extends
those capabilities. A description of the TOE security features are as
follows.
16 The TOE may be managed through either Enterprise Exchange Server or
the System Center Mobile Device Manager (SCMDM). Use of the
SCMDM client application on Windows Mobile 6.1 enables management
of the Mobile device through SCMDM.
06 AUG 2008 Version 1.0 Page 3
17 Use of Windows Mobile 6.1 with Exchange allows secure communication
of the TOE with Line Of Business (LOB) or infrastructure servers over an
SSL/TLS tunnel.
18 Alternatively, use of Windows Mobile 6.1 with an SCMDM allows both a
secure Mobile VPN using IPSec and an SSL/TLS tunnel to be established.
In this configuration, information communicated between the TOE and the
trusted enterprise receives ‘double enveloped’ protection.
19 The TOE supports 128-bit AES encryption of data stored locally on the
Mobile Device and on removable storage cards.
20 Further details on the TOE and its operating environment are provided in
the Security Target [1].
2.3 TOE Architecture
21 Windows Mobile 6.1 is made up of three layers, namely the Application
layer, Operating System layer, and OEM layer, shown in Figure 2. Of
these layers, the security functions are implemented by the Operating
System layer. The TOE is defined as the Operating System layer and
consists of the following major architectural components:
a) Shell services subsystem;
b) Remote connectivity subsystem;
c) Core subsystem;
d) Kernel subsystem;
e) Security policy engine subsystem;
f) Authentication services subsystem;
g) Cryptographic services subsystem;
h) Graphics, Windowing and Events Subsystems (GWES);
i) Device manager subsystem;
j) Storage manager subsystem; and
k) Communications and networking subsystem.
06 AUG 2008 Version 1.0 Page 4
Figure 2 – The TOE architecture
2.4 Clarification of Scope
22 The scope of the evaluation was limited to those claims made in the
Security Target [1].
2.4.1 Evaluated Functionality
23 The TOE provides the following evaluated security functionality:
Table 2: Evaluated Security Functionality
Security function TOE security feature
S
t
SL/TLS channel encryption. SSL/TLS encrypts data
ransmitted between the device and server, over-the-air
or through a wired connection.
S/MIME support. S/MIME provides additional
protection features for e-mail messages, whether in
transit between device and server or at rest. S/MIME
uses an authentication process which verifies that
messages were not tampered.
Sensitive Data Protection. Windows Mobile 6.1
supports 128-bit AES encryption of data stored locally
on the Mobile Device.
Device data protection.
The TOE provides the
capability to protect data at
rest and in transit.
Certified cryptographic module. Windows Mobile
includes a certified FIPS validated cryptographic module.
Applications can make use of cryptographic modules to
perform cryptographic operations.
06 AUG 2008 Version 1.0 Page 5
Security function TOE security feature
Mobile VPN. Incorporating secure key exchange
(IKEv2), an IPSec VPN tunnel can be established
between the TOE and the MDM Gateway Server,
supported by an SSL/TLS tunnel between the TOE and
LOB or infrastructure server. This ‘double envelope’
approach provides protection for information
communicated between the TOE and the trusted
enterprise.
Storage Card Encryption. Windows Mobile 6.1
supports 128-bit AES encryption of data stored locally
on removable storage cards.
Controlled application installation. Windows Mobile
an be configured to only permit applications signed with
a trusted certificate to be installed and access privileged
resources.
c
Device application control.
The TOE provides the
capability to only permit
trusted applications to be
installed and executed on
the Mobile Device.
Controlled application execution. Code execution
control allows the device to be locked so that only
applications signed with a trusted certificate or approved
by the Mobile User can execute on the device.
Secure cha
c
pr
nnel. Windows Mobile establishes a secure
hannel for communicating with another trusted IT
oduct.
Sy
(em
nchronization of Mailbox Items. Mobile Users
ploying a secure channel) can synchronize their
emails, tasks, calendar and contacts with their enterprise
mailbox.
Secure enterprise access.
The TOE provides the
capability to securely
connect the TOE to trusted
Enterprise assets and
facilitate data transfer.
Line of Business server access. Mobile Users can
employ the Mobile VPN capability to access Line of
Business (LOB) servers within the Enterprise.
Password Policy. The Enterprise Administrator can use
the secure channel to push down an enterprise policy for
the Mobile Device.
Trusted provisioning. Windows Mobile can implement
secure communications with a trusted source that has the
ability to provide provisioning and configuration data.
Device configuration
control. The TOE provides
the capability to protect
against modification by un-
trusted systems.
Local configuration control. The authenticated user has
the ability to locally manage specific configurations and
settings as authorized by the Enterprise Administrator.
Device access control. The
TOE has inbuilt security
mechanisms that can be
enabled to provide
controlled access to the
Device authentication and lock. Windows Mobile can
be configured to require a password to gain access to the
Mobile Device; however, it is possible to receive
incoming calls and to make emergency calls without
authenticating.
06 AUG 2008 Version 1.0 Page 6
Security function TOE security feature
Mobile Device. Local device wipe. Windows Mobile can be configured
to perform a local device wipe after a specified number
of incorrect login attempts.
Security r
resources.
oles. Windows Mobile maintains multiple
management roles which determine access to device
Security policies. Security policies establish the
foundation configuration for the Mobile Device, they can
be set to configure low-level device configuration
policies and also implement enterprise password policy.
Device security
management. The TOE
has configurable security
policies that establish which
actions a user or application
may take.
Remote wipe. The Enterprise Administrator can issue a
command to wipe a managed device if it has been lost or
stolen.
2.4.2 Non-evaluated Functionality
24 Potential users of the TOE are advised that some functions and services
have not been evaluated as part of the evaluation. Potential users of the
TOE should carefully consider their requirements for using functions and
services outside of the evaluated configuration; Australian Government
users should refer to Australian Government Information and
Communications Technology Security Manual (ACSI 33) [2] for policy
relating to using an evaluated product in an un-evaluated configuration.
New Zealand Government users should refer to the New Zealand
Information and Communications Technology Security series, (NZSIT
400) [3].
25 The functions and services that have not been included as part of the
evaluation are provided below:
a) Application Layer which includes:
i) Microsoft Windows Mobile applications;
ii) OEM applications; and
iii) Applications provided by independent software vendors.
b) OEM Layer which includes:
i) Drivers;
ii) Boot loader;
iii) OEM configuration files; and
iv) Hardware.
06 AUG 2008 Version 1.0 Page 7
26 While the actual mobile device does not form part of the TOE, potential
users should note that the security functionality provided by the TOE is
independent of the device that the operating system is installed upon.
2.5 Usage
2.5.1 Evaluated Configuration
27 This section describes the configurations of the TOE that were included
within scope of the evaluation. The assurance gained via evaluation
applies specifically to the TOE in these defined evaluated configuration(s).
Australian Government users should refer to ACSI 33 [2] to ensure that
configuration(s) meet the minimum Australian Government policy
requirements. New Zealand Government users should refer to NZSIT 400
[3].
28 The evaluated configuration is provided in the Installation and
Administrator Guide [4]. The key policies that are applied to the TOE in
the evaluated configuration are:
a) Minimum password length and complexity requirements;
b) Storage card encryption;
c) Device encryption;
d) Local device wipe after maximum unsuccessful authentication
attempts;
e) SMIME settings, 3DES/SHA1;
f) Applications must be signed to be installed or to run;
g) SI/SL/OMA-CP disabled; and
h) Device password required for Desktop ActiveSync.
2.5.2 Delivery procedures
29 The end customer does not purchase the TOE directly from the developer.
Windows Mobile 6.1 is sold pre-installed on the device. A customer can
purchase a device that contains the TOE in two ways: from the OEM or
from a network provider.
30 The TOE has either two or three delivery stages depending on where the
customer purchases the device.
06 AUG 2008 Version 1.0 Page 8
2.5.2.1 OEM
31 An OEM obtains the TOE directly from the developer and can develop
images for deployment onto their mobile devices. The OEM development
activities add functionality to the handset including:
a) Drivers to support the specific hardware components of the mobile
device;
b) Device specific applications that may use Windows Mobile
operating system resources; and/or
c) Device configuration settings as requested by Mobile Operators, or
by enterprise customers.
32 Once the OEMs have completed development and integration with a
specific AKU, OEMs are required to either:
a) Submit their developed OEM image to an National Standards
Testing Laboratory for independent verification and validation; or
b) Self certify that the developed OEM image satisfies the Logo Test
Kit (LTK).
33 The LTK includes a test case that performs a Cyclic Redundancy Check
(CRC) check of all Microsoft developed components that can be used to
verify the integrity of the Windows Mobile operating system.
34 Note: The OEMs are trusted not to deliberately make changes to the TOE.
(See A.DELIVERY in the Security Target [1]).
2.5.2.2 Network provider
35 In the mobile operator customisation phase, Mobile Operators perform
final customisation of the mobile device.
36 This customisation of the mobile device may include:
a) Installation of mobile operator specific applications;
b) Setting of mobile device themes;
c) Configuration of functionality to allow device management within
the mobile operator network; and/or
d) Device configuration (within the limitation of the mobile operator(s)
security role) on behalf of customers.
37 Mobile Operators can make use of the CRC verification tool to determine
whether the Windows Mobile operating system image provided by an
OEM is the same as that released by Microsoft in the release to
manufacturer Phase.
06 AUG 2008 Version 1.0 Page 9
38 Note: The network operators are trusted not to deliberately make changes
to the TOE. (See A.DELIVERY in the Security Target [1]).
2.5.2.3 End user
39 It is possible for an enterprise customer to bypass the Mobile Operator and
negotiate provisioning of mobile devices directly from an OEM. In either
case, the following procedures must be followed.
40 The Enterprise Administrator or Mobile User can have assurance that the
mobile device and operating system have not been altered if the
manufacturer’s shrink-wrapped packaging is intact.
41 The Enterprise Administrator or Mobile User must check the shrink-
wrapping of the delivered Mobile Device. If there are signs of tampering
or damage then the manufacturer should be contacted.
2.5.3 Verifying the Evaluated Product
42 The Enterprise Administrator or Mobile User must check that the AKU of
the received product matches one of the versions contained in the
introduction of this report. This can be done by selecting “Settings ->
About” from the main Windows Menu.
2.5.4 Documentation
43 It is important that the TOE is used in accordance with guidance
documentation in order to ensure the secure usage. The following
documentation is available:
a) Windows Mobile 6.1 Installation and Administration Guide 1.0,
June 2008 [4]; and
b) Windows Mobile 6.1 User Guide Supplement 1.0, June 2008 [5].
44 Other guidance is referenced from these documents and should be
followed where there is no contradiction. In the case of a contradiction, the
above references are considered to be authoritative.
45 To gain access to the relevant evaluation guidance the Enterprise
Administrator can request access to the Windows Mobile 6 LTK Beta
program (covering version 6.1), which provides controlled and secure
access to the Microsoft Connect website where evaluation documentation
and information is posted. The site provides both identification and
authentication for controlling access and encryption and secure channel via
SSL for all access to Microsoft Connect.
46 Additionally, access to the Windows Mobile 6 LTK Beta program is only
provided on a case-by-case basis. Enterprise Administrators must contact
their local Microsoft office to request access to this program.
06 AUG 2008 Version 1.0 Page 10
47 Once the Enterprise Administrator has been provided with access to the
program, the Enterprise Administrator will need to go to the Microsoft
Connect site and register. Once a Connect profile is established, the
Windows Mobile team will be able to activate the individual in the
Windows Mobile LTK Preview program.
48 To register on Connect, the followings steps should be used:
a) Go to http://connect.microsoft.com.
b) Click “Sign In” and log in with your Windows Live ID Passport
account.
c) Select “Manage Your Connect Profile”.
d) Accept the “Terms and Conditions”.
e) Fill out the Registration screen. Note: You MUST select YES to the
question “I would like to be contacted about participating in other
MS Beta programs”.
f) Click Submit.
49 Once this is completed a member of the Windows Mobile team will
contact the individual to determine that they have a valid external record
and need to access the evaluation guidance documentation.
2.5.5 Secure Usage
50 The evaluation of the TOE took into account certain assumptions about its
operational environment. These assumptions must hold in order to ensure
the security objectives of the TOE are met.
06 AUG 2008 Version 1.0 Page 11
Table 3: Secure Usage Assumptions
Assumption Identifier Assumption Description
A.USAGE Mobile Users are trusted to:
• Follow user guidance;
• Ensure that the TOE continues to operate in the
evaluated configuration;
• only permit ActiveSync connections between the Mobile
Device and trusted computing devices; and
• Store the Mobile Device when not in use in a physically
protected area that is appropriate for the information
processed by the TOE.
A.DELIVERY The security enforcing components of the TOE will not be
modified by either the Mobile Operator or the manufacturer
of the Mobile Device during the delivery process.
A.IT_ENTERPRISE The MDM Gateway Server, MDM Device Management
Server, MDM Enrolment Server, Enterprise Exchange
Server, Certificate Authority and Active Directory Server
are located within the enterprise boundary and are protected
from unauthorized logical/physical access.
A.IT_MOBILE The Trusted Provisioning Server is located within the
Mobile Operator’s network boundary and is protected from
unauthorized logical and physical access.
A.ADMIN The Enterprise Administrator is not careless, wilfully
negligent, or hostile, and will follow and abide by the
instructions provided by administrator documentation.
A.OPERATOR The Mobile Operator will not transmit configuration
messages that undermine the security objectives of the TOE.
A.I&A_ENTERPRISE The IT environment will provide mechanisms for
authenticating Mobile Users when accessing their mailbox
and other resources within the corporate network.
A.COMMS_NET The IT environment will provide the server-side of a secure
channel between the Trusted Provisioning Server and the
Mobile Device.
A.COMMS_ENT The IT environment will provide the server-side of a secure
channel between the Enterprise Exchange Server, MDM
Gateway Server, MDM Device Management Server, MDM
Enrolment Server, Line of Business server and the Mobile
Device.
A.SEC_POLICY The IT environment will provide a mechanism for setting
enterprise policy and pushing it to the Mobile Device.
06 AUG 2008 Version 1.0 Page 12
Chapter 3 - Evaluation
3.1 Overview
51 This chapter contains information about the procedures used in conducting
the evaluation and the testing conducted as part of the evaluation.
3.2 Evaluation Procedures
52 The criteria against which the Target of Evaluation (TOE) has been
evaluated are contained in the Common Criteria for Information
Technology Security Evaluation [6], [7], [8]. The methodology used is
described in the Common Methodology for Information Technology
Security Evaluation (CEM) [9]. The evaluation was also carried out in
accordance with the operational procedures of the Australasian
Information Security Evaluation Program (AISEP) [10], [11], [12], [13]. In
addition, the conditions outlined in the Arrangement on the Recognition of
Common Criteria Certificates in the field of Information Technology
Security [14] were also upheld.
3.3 Functional Testing
53 To gain confidence that the developer’s testing was sufficient to ensure the
correct operation of the TOE, the evaluators analysed the evidence of the
developer’s testing effort. This analysis included examining: test coverage;
test plans and procedures; and expected and actual results. The evaluators
drew upon this evidence to perform a sample of the developer tests in
order to verify that the test results were consistent with those recorded by
the developers.
3.4 Penetration Testing
54 The developer performed a vulnerability analysis of the TOE in order to
identify any obvious vulnerability in the product and to show that the
vulnerabilities were not exploitable in the intended environment of the
TOE. This analysis included a search for possible vulnerability sources in
publicly available information.
55 Of the vulnerabilities identified, the evaluators deemed that two
vulnerabilities exist but are not exploitable in the intended environment.
These residual vulnerabilities are:
a) An attacker could attempt to recover user data from the internal
RAM of the TOE device before the RAM resets to the original
factory state. If an attacker obtained the physical TOE device, they
could freeze the RAM or use specialised equipment and increase the
potential of recovering user data from the RAM. This residual
vulnerability is highly dependent on the type of hardware of the
mobile device used.
06 AUG 2008 Version 1.0 Page 13
b) The TOE operates on portable devices that are intended to allow
users to access office automation tools whilst away from their
enterprise workstation. By their nature, such devices are subject to
being lost, or physically stolen. It is possible that an attacker may
access User data of a lost or stolen device by interacting with the
user interface. While the device has a lockout, the device could be
stolen/found within the timeout period.
06 AUG 2008 Version 1.0 Page 14
Chapter 4 - Certification
4.1 Overview
56 This chapter contains information about the result of the certification, an
overview of the assurance provided by the level chosen, and
recommendations made by the certifiers.
4.2 Certification Result
57 After due consideration of the conduct of the evaluation as witnessed by
the certifiers, and of the Evaluation Technical Report [15], the
Australasian Certification Authority (ACA) certifies the evaluation of
Windows Mobile 6.1 performed by the Australasian Information Security
Evaluation Facility, stratsec.
58 stratsec has found that Windows Mobile 6.1 upholds the claims made in
the Security Target [1] and has met the requirements of the Common
Criteria (CC) evaluation assurance level EAL 2 augmented with
ALC_FLR.1.
59 Certification is not a guarantee of freedom from security vulnerabilities.
4.3 Assurance Level Information
60 EAL2 provides assurance by an analysis of the security functions, using a
functional and interface specification, guidance documentation and the
high-level design of the TOE, to understand the security behaviour.
61 The analysis is supported by independent testing of the TOE security
functions, evidence of developer testing based on the functional
specification, selective independent confirmation of the developer test
results, strength of function analysis, and evidence of a developer search
for obvious vulnerabilities (e.g. those in the public domain).
62 EAL2 also provides assurance through a configuration list for the TOE,
and evidence of secure delivery procedures.
4.4 Recommendations
63 Not all of the evaluated functionality present in the TOE may be suitable
for Australian and New Zealand Government users. For further guidance,
Australian Government users should refer to ACSI 33 [2] and New
Zealand Government users should refer to NZSIT 400 [3].
06 AUG 2008 Version 1.0 Page 15
64 In addition to ensuring that the assumptions concerning the operational
environment are fulfilled and the guidance document is followed [4], [5],
the ACA also recommends the following for users and administrators.
a) The administrator should review the applications included in the
default image and determine whether they allow the user to change
the security areas of the registry.
b) The administrator should consider the necessity of all pre-installed
certificates contained within the certificate stores. While specific
OEM and Mobile Operator certificates may be required to ensure
that the TOE boots and operates correctly, there may be no
requirements to have other pre-installed certificates on the TOE.
c) The administrator should ensure that users are aware of the
importance of running the TOE in the evaluated configuration, and
ensure that they return for reconfiguration following a device wipe.
d) The administrator should advise users against using the device as a
primary data store. This is because device wipe makes the data on a
storage card unreadable even if it is removed from the TOE before
the wipe is executed, as the keys stored on the device are destroyed.
06 AUG 2008 Version 1.0 Page 16
Annex A - References and Abbreviations
A.1 References
[1] Windows Mobile 6.1 Security Target EAL2 augmented with ALC_FLR.1
1.0, July 2008
[2] Australian Government Information and Communications Technology
Security Manual (ACSI 33), September 2007, Defence Signals
Directorate, (available at www.dsd.gov.au).
[3] New Zealand Government Information Technology Security Manual
(NZSIT 400), February 2008, Government Communications Security
Bureau (available at http://www.gcsb.govt.nz/newsroom/nzsits.html).
[4] Windows Mobile 6.1 Installation and Administration Guide 1.0,
June 2008.
[5] Windows Mobile 6.1 User Guide Supplement 1.0, June 2008.
[6] Common Criteria for Information Technology Security Evaluation, Part 1:
Introduction and General Model (CC), Version 2.3, August 2005, CCMB-
2005-08-001.
[7] Common Criteria for Information Technology Security Evaluation, Part 2:
Security Functional Requirements (CC), Version 2.3, August 2005,
CCMB-2005-08-002.
[8] Common Criteria for Information Technology Security Evaluation, Part 3:
Security Assurance Requirements (CC), Version 2.3, August 2005,
CCMB-2005-08-003.
[9] Common Methodology for Information Technology Security Evaluation
(CEM), Version 2.3, August 2005, CCMB-2005-08-004.
[10] AISEP Publication No. 1 – Program Policy, AP 1, Version 3.1,
29 September 2006, Defence Signals Directorate.
[11] AISEP Publication No. 2 – Certifier Guidance, AP 2. Version 3.1,
29 September 2006, Defence Signals Directorate.
[12] AISEP Publication No. 3 – Evaluator Guidance, AP 3. Version 3.1,
29 September 2006, Defence Signals Directorate.
[13] AISEP Publication No. 4 – Sponsor and Consumer Guidance, AP 4.
Version 3.1, 29 September 2006, Defence Signals Directorate.
[14] Arrangement on the Recognition of Common Criteria Certificates in the
field of Information Technology Security, May 2000.
[15] Evaluation Technical Report for Windows Mobile 6.1 v1.0, 25 July 2008.
06 AUG 2008 Version 1.0 Page 17
A.2 Abbreviations and Acronyms
ACSI Australian Government Information and Communications Technology
Security Manual
AES Advanced Encryption Standard
AISEF Australasian Information Security Evaluation Facility
AISEP Australasian Information Security Evaluation Program
CC Common Criteria
CRC Cyclic Redundancy Check
CEM Common Evaluation Methodology
DSD Defence Signals Directorate
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
GCSB Government Communications Security Bureau
GWES Graphics, Windowing and Events Subsystems
LOB Line of Business
NZSIT New Zealand Government Information Technology Security Manual
OEM Original Equipment Manufacturer
PP Protection Profile
RAM Random Access Memory
SCMDM System Center Mobile Device Manager
SFP Security Function Policy
SFR Security Functional Requirements
SSL Secure Sockets Layer
ST Security Target
TOE Target of Evaluation
TLS Transport Layer Security
TSF TOE Security Functions
TSP TOE Security Policy
06 AUG 2008 Version 1.0 Page 18