National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Crypto Client Software Report Number: CCEVS-VR-06-0044 Evaluation: VID 3029 Dated: 14 September 2006 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 ii TABLE OF CONTENTS 1 EXECUTIVE SUMMARY ...................................................................................... 1 2 IDENTIFICATION .................................................................................................. 3 3 SECURITY POLICY ............................................................................................... 3 4 ASSUMPTIONS AND CLARIFICATION OF SCOPE ....................................... 5 4.1 USAGE ASSUMPTIONS .......................................................................................... 5 4.2 ENVIRONMENTAL ASSUMPTIONS ......................................................................... 5 5 ARCHITECTURAL INFORMATION .................................................................. 6 • AES (128/192/256 BIT)............................................................................................. 7 • 3DES (192 BIT) ......................................................................................................... 7 • AES-CCMP ............................................................................................................... 7 • TKIP........................................................................................................................... 7 • WEP ........................................................................................................................... 7 • 802.1X/EAP-TLS FOR AUTHENTICATION....................................................... 7 • WPA ........................................................................................................................... 7 • WPA2/802.11I............................................................................................................ 7 6 DOCUMENTATION................................................................................................ 7 7 IT PRODUCT TESTING......................................................................................... 7 7.1 DEVELOPER TESTING........................................................................................... 7 7.2 EVALUATOR INDEPENDENT TESTING ................................................................... 8 7.3 STRENGTH OF FUNCTION ..................................................................................... 9 7.4 VULNERABILITY ANALYSIS ................................................................................. 9 8 EVALUATED CONFIGURATION...................................................................... 10 9 RESULTS OF THE EVALUATION .................................................................... 10 10 VALIDATOR COMMENTS/RECOMMENDATIONS................................. 11 11 SECURITY TARGET........................................................................................ 12 12 GLOSSARY......................................................................................................... 13 13 BIBLIOGRAPHY............................................................................................... 14 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 1 1 Executive Summary This report documents the NIAP validator’s assessment of the evaluation of the 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Crypto Client Software, a product of 3e Technologies International, Inc., 700 King Farm Boulevard, Suite 600, Rockville, MD 20850. It presents the evaluation results, their justifications, and the conformance results. This validation report is not an endorsement of the IT product by any agency of the U.S. Government and no warranty of the IT product is either expressed or implied. The evaluation was performed by the CygnaCom Solutions Security Evaluation Laboratory (CCTL), and was completed during September 2006. The information in this report is largely derived from the Evaluation Technical Report (ETR) and associated test reports, all written by CygnaCom Solutions. The evaluation determined that the product is both Common Criteria Part 2 extended and Part 3 conformant, and meets the assurance requirements of EAL 2 augmented with, ACM_SCP.1 (TOE CM Coverage), ALC_FLR.2 (Flaw Remediation), ACM_CAP.3 (Authorization Controls), and AVA_MSU.1 (Misuse – Examination of Guidance). The product is not conformant with any published Protection Profiles, but rather is targeted to satisfying specific organizational security policies while countering specific threats. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Crypto Client Software (hereafter 3eTI Client System) is a secure wireless client system application designed to be used with another product for a wireless access that is the subject of a separate evaluation. The Target of Evaluation (TOE) was evaluated using the Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005 [CCV2.3], and the Common Methodology for Information Technology Security Evaluation, Version 2.3, Evaluation Methodology, August 2005 [CEMV2.3]. The evaluation and validation were consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) best practices as described within CCEVS Publication #3 [CCEVS3] and Publication #4 [CCEVS4]. The Security Target (ST) for the 3eTI Client System is contained within the document 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Crypto-Client Software Security Target, Revision K, dated August 2006 [ST]. The ST has been shown to be compliant with the Specification of Security Targets requirements found within Annex B of Part 1 of [CCV2.3]. The Target of Evaluation (TOE) is a cryptographic WLAN client comprised of either the 3e- 010F-C-2 or 3e-010F-A-2 Crypto Client Software. The difference between the clients is in the drivers related to the supported hardware. The 3e-010F-C-2 supports Intel PRO/Wireless 2200BG and 2915ABG cards, and the 3e-010F-A-2 supports WLAN cards based on the Atheros AR5001X+, AR5002G and AR5002X chipsets. It is expected that the client will be a component of a larger system (e.g. the WLAN client communicating to a 3eTI Enterprise WLAN Access Point). The WLAN client software is in most cases installed into a laptop or mobile device. The Crypto Client provides standard 802.11a/b/g wireless access along with enhanced protection through a variety of cryptographic features, providing a high level of security for wireless environments. This product is expected to be used in conjunction with The 3e-525A-3 Access 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 2 System This product was evaluated separately by a FIPS certified laboratory and by Cygnacom in a separate and concurrent Common Criteria evaluation. Aspects of the following security functions are controlled / provided by the TOE in conjunction with the IT environment: • Object access control • Encryption Services and key management and exchange. • Role-based user privileges • Audit The following are explicitly excluded from the TOE configuration, but are included in its environment: • Hardware and Software of the 3eTi Access system (subject of a separate evaluation). • Hardware platforms and Operating Systems for the Security Systems • Network hardware and software (e.g., firewalls and routers) The environment is assumed to counter the threats of unauthorized access to the physical components of the TOE. The TOE will properly authenticate users and protect crypto keys and information in transit between the LAN and the client. All copyrights and trademarks are acknowledged. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 3 2 Identification TOE Identification: The TOE for the 3e-010F-A-2 is identified as the FIPS 140-2 Validated™ Cryptomodule 3e-010F-A-2 Version 2.0 Build 18. The TOE for the 3e-010F-C-2 is identified as the FIPS 140-2 Validated™ Cryptomodule 3e-010F-C-2 Version 2.0 Build 15. Evaluation Assurance Level (EAL):Evaluation Assurance Level (EAL) 2 augmented with, ACM_SCP.1 (TOE CM Coverage), ALC_FLR.2 (Flaw Remediation), ACM_CAP.3 (Authorization Controls), and AVA_MSU.1 (Misuse – Examination of Guidance). Strength of Function: SOF-Basic Common Criteria Identification: Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005. International Standard – ISO/IEC 15408:2004. CCTL: Cygnacom Solutions’ Security Evaluation Laboratory Suite 5200 4925 Jones Branch Drive McLean, VA 22102-3305 Validation Team: William R. Simpson (Institute for Defense Analyses) CC Identification: Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005 [CCV2.3]. CEM Identification: Common Methodology for Information Technology Security Evaluation, Version 2.3, Evaluation Methodology, August 2005 [CEMV2.3]. Interpretations: All NIAP and CCIMB interpretations as of the date of the Kick-off meeting held on 13 October 2005 were considered during the evaluation (all CCIMB interpretations issued prior to January 2004 had been incorporated into the version of the CC that was used). Specific interpretations identified as NIAP-0407, NIAP-0409, NIAP-0410, NIAP- 0415 and NIAP-0425 had a direct impact on the work performed. 3 Security Policy The 3eTI 3e-525A-3 Client System security policy is reflected in the security functional requirements for the TOE described in section 5 and 6 of the ST. A description of the principle security policies is as follows: • Audit. The TOE can generate auditable events in cooperation with its IT environment. It is expected that the IT environment will provide the mechanisms for audit event storage and retrieval. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 4 . • Encryption. This 3e-AS includes cryptographic modules which have been evaluated against applicable Federal Information Processing Standard Publication (FIPS PUB) standards. The entire product has been evaluated against FIPS 140-2, which defines security requirements for cryptographic modules, while the 3DES and AES encryption algorithms have been evaluated against FIPS 46-3 and FIPS 197, respectively. All cryptographic operations of the TOE use these evaluated modules/algorithms to ensure the security of all data passed. • Identification and Authentication. The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user. The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. • Management. The TOE requires that administrators be properly identified and authenticated prior to performing any administrative tasks for the TOE. The TOE provides a Crypto-Officer and Administrator accounts which can configure the security settings (this is restricted to the Crypto-Officer account) and other settings on the client. • Protection of the TSF. The TOE performs a series of tests on startup to verify the integrity of the software using FIPS-approved integrity checking techniques. These tests are used to assure the correct security functionality when the TOE is active. The results of these tests are written into the audit records of the installed operating system (i.e. the Event Log). These tests are started automatically when the computer is turned on and the drivers necessary for WLAN connectivity are loaded by the operating system. • User Data Protection: The TOE protects all user data, such as cryptographic keys, stored within the system against malicious recovery by assuring that when the data is no longer needed that it is zeroized, and not just deallocated. This ensures that the data is not still available to other processes which may subsequently use the same resource. The TOE IT Environment ensures that any previous information content of a resource is made unavailable upon the allocation of the resource. The security functional requirements for the TOE and the IT environment are documented in sections 5 and 6 of the ST. A combination of requirements drawn from part 2 of the CC [CCV2.3] as modified by NIAP Interpretations, with iteration and explicitly stated security requirements were necessary to define TOE functionality. A summary of the SFRs for the TOE and environment are included below. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 5 TOE Security Functional Requirements Functional Class Functional Components Security Audit (FAU) FAU_GEN.1-NIAP-0410 - Audit data generation FCS_BCM_EXP.1 - Baseline Cryptographic Module FCS_CKM_EXP.2 - Cryptographic key establishment FCS_CKM.4 - Cryptographic key destruction FCS_COP_EXP.1 - Random Number Generation Cryptographic Support (FCS) FCS_COP_EXP.2 - Cryptographic operation FDP_IFC.1 - Subset information flow control (Wireless Encryption SFP) User Data Protection (FDP) FDP_IFF.1-NIAP-0407 - Simple security attributes (Wireless Encryption SFP) FIA_ATD.1 - User attribute definition FIA_UAU.2 - User authentication before any action FIA_UID.2 - User identification before any action FMT_SMF.1 (1) - Specification of Management Functions (Cryptographic Function) Identification & Authentication (FIA) FMT_SMF.1 (2) - Specification of Management Functions (Cryptographic Key Data) FPT_TST_EXP.1 - TSF testing Protection of TSF (FPT) FPT_TST_EXP.2 - TSF testing of Cryptographic Modules IT Environment Security Functional Requirements Functional Class Functional Components FPT_RVM.1 Non-Bypassability of the TSP FPT_SEP.1 TOE IT Environment Domain Separation Protection of TSF (FPT) FPT_STM.1 Reliable time stamps 4 Assumptions and Clarification of Scope 4.1 Usage Assumptions For secure usage, the operational environment must be managed in accordance with the documentation associated with the following EAL2 assurance requirements: ADO_DEL.1 Delivery procedures ADO_IGS.1 Installation, generation, and start-up procedures AGD_ADM.1 Administrator guidance AGD_USR.1 User guidance 4.2 Environmental Assumptions The environmental assumptions listed in the following table are required to ensure the security of the TOE. Environmental Assumptions Name Assumption Definition A.NO_EVIL Administrators are non-hostile, appropriately trained and follow all administrator guidance. A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the IT environment. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 5 Architectural Information The Target of Evaluation (TOE) is a cryptographic WLAN client comprised of either the 3e-010F-C-2 or 3e-010F-A-2 Crypto Client Software. The difference between the clients is in the drivers related to the supported hardware. The 3e-010F-C-2 supports Intel PRO/Wireless 2200BG and 2915ABG cards, and the 3e-010F-A-2 supports WLAN cards based on the Atheros AR5001X+, AR5002G and AR5002X chipsets. It is expected that the client will be a component of a larger system (e.g. the WLAN client communicating to a 3eTI Enterprise WLAN Access Point). The WLAN client software is in most cases installed into a laptop or mobile device. The Crypto Client provides standard 802.11a/b/g wireless access along with enhanced protection through a variety of cryptographic features, providing a high level of security for wireless environments. TOE Platform 3e-030 Security Server / Certificate Authority 6 A AP P W Wi ir re ed d L LA AN N W Wi ir re el le es ss s C Cl li ie en nt t TOE The TOE is a WLAN client comprised of either the 3e-010F-C-2 or 3e-010F-A-2 Crypto Client Software. The difference between the clients is in the drivers related to the supported hardware. The 3e-010F-C-2 supports Intel PRO/Wireless 2200BG and 2915ABG cards, and the 3e-010F-A-2 supports WLAN cards based on the Atheros AR5001X+, AR5002G and AR5002X chipsets. Other than the drivers needed to work with the specific cards, the clients are identical. The TOE supports Windows 2000 and Windows XP (Home and Professional). The Crypto Client provides standard 802.11a/b/g wireless access along with enhanced protection through a variety of cryptographic features, providing a high level of security for wireless environments. If encryption is desired for the WLAN, different encryption can be employed depending on the mode selected. In FIPS 140-2 mode (highly secure), encryption can be set for None, Static AES, Static 3DES, Dynamic Key Exchange and WPA2 Enterprise and Personal (AES-CCMP). In non-FIPS mode, you can select None, Static AES, Static 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 7 3DES, Dynamic Key Exchange, Static WEP, WPA-Enterprise and Personal (TKIP or AES-CCMP) and WPA2-Enterprise and Personal (TKIP or AES-CCMP). The Configuration Utility provides an intuitive user interface to configure, manage and use various features. The administrator can configure up to 10 separate profiles. Each profile consists of various wireless configuration parameters (e.g., Security Mode (FIPS or non-FIPS mode), SSID, card type (802.11a/b/g), wireless authentication type, encryption (AES, 3DES, DKE, AES-CCMP) and related keys or certificate, power level, transmit rate, etc.). The user interface also provides a Site Survey tool. The FIPS 140-2 mandated Self test suite can also be invoked from the GUI. The Radio state can also be controlled. The following security modules have been implemented in the Crypto-Client: • AES (128/192/256 bit) • 3DES (192 bit) • AES-CCMP • TKIP • WEP • 802.1x/EAP-TLS for authentication • WPA • WPA2/802.11i 6 Documentation The following is a list of the end-user documentation that was used to support this evaluation: • [User Guide AP] Manual, 3e-525A-3 User’s Guide, Version 4.0.9.11, 29000167- 001, Revision D, July 27 2006 • [User Guide SS] Manual, 3e-030-2 Security Server User’s Guide, Version 3.0.7 29000166-001, Revision A, July 25 2006 • [User Guide Erratta Sheet] Errata Sheet, 3e-525A-3 User’s Guide, 29000167-100, Revision A • Errata Sheet, 3e-030-2 Security Server User’s Guide, 29000187-100 Revision A • [CI] 3e-525A-3 Access System Common Criteria Configuration Items List, 22000201- 700, August, 2006, Revision D • [CM-DC] Product-Related Document Control Procedure, 0000121-001 Revision A, SOP-121 Product-Related Document Control Procedure • [DEL] Product Delivery Procedure, 00000310-001, Revision A, July, 2006 • [FLR] Defect Management System Procedure, 00000106-001, Revision A, August, 2006 7 IT Product Testing 7.1 Developer Testing The vendor testing covered all of the security functions identified in Section 7 of the ST. These security functions were: Security Audit, Managed User Access, and Security Management. At 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 8 EAL2, vendor testing must demonstrate correspondence between the tests and the functional specification. However complete testing is not required; “coverage analysis need not demonstrate that all security functions have been tested, or that all external interfaces to the TOE Security Function (TSF) have been tested.”1 The testing was focused on demonstrating that the SFRs worked as claimed in the ST. The test procedures consisted mainly of automated scripts, with a few manual tests to test administrator operations entered through the Administrator component. For the automated scripts, the output from the script was stored in a file and then compared with the expected results file. For the manual tests, a screen shot showing the results was saved. The testing showed that the proper audit records were generated accurately and unambiguously and contained the required information that authorized administrators could access the audit records, and that unauthorized users could not. It also tested both authorized and unauthorized accesses to the stored content. The evaluator determined that the vendor tested (at a high level) most of the security-relevant aspects of the product that were claimed in the ST. Information Flow control was only functionally evaluated, but greater level of testing is not warranted at this assurance level. All security functionality was tested at the interface. The evaluator determined that the developer’s tests were sound in their approach. The test document provided the configuration of the test hardware and software, the objective for each of the tests, and test procedures. The information provided was adequate to be able to reproduce the tests. The evaluators determined that the developer’s approach to testing the TSFs was appropriate for this EAL2 augmented evaluation. The vendor tests were conducted in conjunction with the companion server product (The 3e- 525A-3 Access (evaluated separately by a FIPS certified laboratory and by the evaluator under Common Criteria)). The lab repeated the entire vendor test set which covered audit features, Identification and Authentication features, potential misuse and data protection. It also covered, to a limited extent the flow control by testing expired certificates, access to logs, and other events that should restrict information flow. The lab was able to verify the results of the vendor testing of the product. 7.2 Evaluator Independent Testing At EAL 2, the stated purpose of the evaluator’s independent testing activity “is to determine, by independently testing a subset of the TSF, whether the TOE behaves as specified, and to gain confidence in the developer’s test results by performing a sample of the developer’s tests.” ([CEM V2.3] 12.8.4.1). The CEM further instructs the evaluator to consider a number of factors including: the “Rigour of developer testing of the security functions. Some security functions identified in the functional specification may have had little or no developer test evidence attributed to them.” (([CEM V2.3] 12.8.4.4 paragraph 816) As a result, the testing at EAL 2 may not be systematic and the end-users should not assume that all claims in the ST have been explicitly verified by either the developer or the evaluators. 1 CEM, V2.3, paragraph 6.8.2.2 (application note for EAL2:ATE_COV.1) 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 9 The testing was performed in a dedicated laboratory at the 3eTi building in Rockville, MD. All machines in the laboratory are used solely for Common Criteria Testing of 3eTi’s products. The lab is kept locked when not in use for functional and independent Common Criteria testing. The evaluation team installed the TOE as specified in the secure installation procedures. The same test equipment that was used for developer testing was used for the independent testing. The evaluator reran all of the developer tests. All of the results duplicated those of the developer. The evaluator also devised twelve tests, each of which covered multiple security functionalities. Tests were devised to establish various types of encryption with valid and revoked certificates. Both positive and negative tests were devised. A coverage analysis was provided to insure that each of the security functions was exercised. Each of these tests produced the expected results. The independent tests were conducted in conjunction with the companion server product (The 3e-525A-3 Access (evaluated separately by a FIPS certified laboratory and by the evaluator under Common Criteria)). The lab tested the product functionality which covered the administrative and user guidance for safe configuration, audit features, Identification and Authentication features, cryptographic transmission to the extent that data were observed by sniffer and found to be “not transmitted in the clear” (the actual algorithm was certified by FIPS- 140 testing and was not part of this evaluation). The testing covered misuse and data protection through a combination of the user interface and attempts to escalate privilege. Multiple users were logged on and various combinations of log off and user identifications were used to test for separation of data and session integrity. It did not cover the flow control in exhaustive testing, but did cover the basic functionality of the TSF by exercising both valid user requests and invalid user requests. The coverage analysis relates the independent testing to ST claimed functionality and, although not required by EAL2, the coverage of all functions at the interface level was incorporated in the independent testing. Test results, which are contained in proprietary reports, were satisfactory to both the Evaluation Team and the Validation Team. 7.3 Strength of Function The TOE was demonstrated to meet SOF basic. 7.4 Vulnerability Analysis The vendor searched for publicly known vulnerabilities specifically related to the TOE using key words related to the product type, as well as publicly known vulnerabilities in the third-party products that are incorporated in the TOE. Potential product vulnerabilities in the developer’s vulnerability analysis for the product were reviewed and justifications examined, with several added to the labs penetration test development. No publicly-known vulnerabilities applicable to the evaluated version of 3eTi Client System were found. The developer examined the known vulnerabilities in the supporting third party products (MS Windows) using the National Vulnerability Database (nvd.nist.gov), the Common Vulnerability and Exposure list (www.cve.mitre.org), and SecureFocus (www.securityfocus.com); an explanation was given why these are not exploitable in the intended environment. These data bases covered primarily the environments and contained the standard 802.11 and other wireless vulnerabilities which were reviewed for exploitability and incorporated in the vulnerability testing where appropriate. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 10 The evaluator devised penetration tests using the developer’s analysis, including some of the developer’s tests. NESSUS (www.nessus.org) was used for port analysis. No exploitable obvious vulnerabilities were found. The following tools were used in the vulnerability testing: • Nessus version 3.0.3 (beta) for Windows • nmap and WinPcap for Windows. • The wireless sniffer tool AiroPeek NX, from WildPackets, software version is 2.0.5 and it is used without any modification At EAL 2 vulnerability testing is only a requirement for obvious vulnerabilities. 8 Evaluated Configuration The evaluated configuration WLAN client comprised of both the 3e-010F-C-2 or 3e-010F-A-2 Crypto Client Software. The difference between the clients is in the drivers related to the supported hardware. The 3e-010F-C-2 supports Intel PRO/Wireless 2200BG and 2915ABG cards, and the 3e-010F-A-2 supports WLAN cards based on the Atheros AR5001X+, AR5002G and AR5002X chipsets. These were installed in laptop PCs running the Windows XP operating System. 9 Results of the Evaluation A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation was conducted based upon CC, Version 2.3; CEM, Version 2.3, and all applicable NIAP CCEVS and International Interpretations in effect on 13 October 2005. The Evaluation Team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each EAL 2 assurance component. For Fail or Inconclusive work unit verdicts, the Evaluation Team advised the developer of issues requiring resolution or clarification within the evaluation evidence. In this way, the Evaluation Team assigned an overall Pass verdict to the assurance component only when all of the work units for that component had been assigned a Pass verdict. The evaluation determined that the product is both Common Criteria Part 2 extended and Part 3 conformant, and meets the assurance requirements of EAL 2 augmented. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by CygnaCom Solutions. The security assurance requirements are displayed in the following table. TOE Security Assurance Requirements (EAL 2 Augmented) Augmentation shown in Italics Assurance Class Assurance Components ACM_CAP.3 Authorization controls Configuration Management (ACM) ACM_SCP.1 TOE CM coverage ADO_DEL.1 Delivery procedures Delivery and Operation (ADO) ADO_IGS.1 Installation, generation, and start- up procedures 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 11 ADV_FSP.1 Informal functional specification ADV_HLD.1 Security enforcing high-level design Development (ADV) ADV_RCR.1 Informal correspondence demonstration AGD_ADM.1 Administrator guidance Guidance Documents (AGD) AGD_USR.1 User guidance Life cycle support (ALC) ALC_FLR.2 Flaw reporting procedures ATE_COV.1 Analysis of Coverage ATE_FUN.1 Functional testing Tests (ATE) ATE_IND.2 Independent testing - sample AVA_MSU.1 Examination of guidance AVA_SOF.1 Strength of TOE security function evaluation Vulnerability assessment (AVA) AVA_VLA.1 Developer vulnerability analysis 10 Validator Comments/Recommendations The Validator agrees with the conclusion of the CygnaCom Solutions Evaluation Team, and recommends to CCEVS Management that an EAL2 augmented certificate rating be issued for 3eTI 3e-525A-3 Client System. Testing was more than would be expected at EAL2 in that the vendor test suite was completely duplicated by the laboratory and all security functions were independently tested though not exhaustively. Neither of these are required at the EAL2 level. Vulnerability testing was not exhaustive, but is not required at all at this level where a review of the vendor’s vulnerability analysis is sufficient and a testing for obvious vulnerabilities is required. The evaluators have looked at the design of the Client System, tested its functionality, and looked for obvious vulnerabilities; they found that the TOE satisfies the functional claims made in the ST and the validator concurs. Note that no evaluation verifies that there are no flaws, only that the evaluator could not find any. The cryptography used in this product has been FIPS certified. The common criteria does not evaluate cryptologic algorithms. The use of FIPS certified algorithms, the mandatory access control and certificate administration scheme, are sufficient to provide the TOE and the client adequate mitigation against a moderate threat for confidentiality and integrity. This is not true for availability. The TOE does not protect the connection between itself and the Client interface; an unauthorized party could potentially observe or disrupt this connection. However, encrypted communication will be more difficult to interpret. The wireless connection is subject to disruption and denial of service through jamming the wireless link. These factors were not tested and no claims were made that the TOE provided such protections. Comment: Not actually part of the client software and is a residual cut and paste. 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 12 11 Security Target The Security Target for 3eTI 3e-525A-3 Client System is contained within the document 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Crypto Client Software Security Target, 22000209-701, Revision K, dated August 2006 [ST]. The ST is compliant with the Specification of Security Targets requirements found within Annex B of Part 1 of the CC [CCV2.3]. The ST is an accurate representation of the product and its functionality and is coherent. It adequately describes the TOE, the physical and logical boundaries and, to the extent tested, the interfaces present in the TOE (no additional interfaces have been discovered). 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 13 12 Glossary The following table is a glossary of terms used within this validation report. Acronym Expansion CC Common Criteria for Information Technology Security Evaluation. [Note: Within this Validation Report, CC always means Version 2.3, dated August 2005.] CCEVS Common Criteria Evaluation and Validation Scheme CCTL Common Criteria Testing Laboratory CCIMB Common Criteria Interpretations Management Board EAL Evaluation Assurance Level ETR Evaluation Technical Report GUI Graphical User Interface I&A Identification and Authentication IT Information Technology NIAP National Information Assurance Partnership NIST National Institute of Standards and Technology NSA National Security Agency NVLAP National Voluntary Laboratory Accreditation Program PP Protection Profile SFR Security Function Requirement SOF Strength of Function SSL Secure Socket Layer ST Security Target TOE Target of Evaluation TSF TOE Security Functions 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Client Systems CCEVS-VR-06-0044 14 13 Bibliography URLs • Common Criteria Evaluation and Validation Scheme (CCEVS): http://niap.nist.gov/cc-scheme/ • Cygnacom Solutions: http://www.cygnacom.com/ • 3e Technologies International, Inc., http://www.3eti.com/ • Nessus vulnerability scanner, http://www.nessus.org/ CCEVS Documents [CCV2.2] Common Criteria for Information Technology Security Evaluation, Version 2.2, January 2004. [CCV2.3] Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005. [CEMV2.2] Common Methodology for Information Technology Security Evaluation, Version 2.2, Part 2: Evaluation Methodology, January 2004. [CEMV2.3] Common Methodology for Information Technology Security Evaluation, Version 2.3, Part 2: Evaluation Methodology, August 2005. [CCEVS3] Guidance to Validators of IT Security Evaluations, Version 1.0, February 2000. [CCEVS4] Guidance to Common Criteria Testing Laboratories, Draft, Version 1.0, March 2000. Other Documents [ST] 3e Technologies International 3e-010F-A-2 and 3e-010F-C-2 Crypto Client Software Security Target, 22000209-701, Revision K, dated August 2006.