1
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
GuardianEdge Data Protection Framework 9.0.1 with
GuardianEdge Hard Disk Encryption 9.0.1 and
GuardianEdge Removable Storage Encryption 3.0.1
Report Number: CCEVS-VR-VID10003-2008
Dated: December 18, 2008
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6757
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6757
2
ACKNOWLEDGEMENTS
Validation Team
Mr. Daniel P. Faigin
The Aerospace Corporation
El Segundo, California
Ms. Jandria S. Alexander
The Aerospace Corporation
Columbia, Maryland
Common Criteria Testing Laboratory
Mr. Clifton Morgan
Mr. Sai Pulugurtha
CygnaCom Solutions
McLean, Virginia
Much of the material in this report was extracted from evaluation material prepared by the CCTL.
The CCTL team deserves credit for their hard work in developing that material. Many of the
product descriptions in this report were extracted from the GuardianEdge Data Protection
Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable
Storage Encryption 3.0.1 Security Target.
3
Table of Contents
1.0 Executive Summary..................................................................................................................................... 7
2.0 Identification................................................................................................................................................ 9
3.0 Security Policy........................................................................................................................................... 10
3.1 Security Audit.................................................................................................................................... 10
3.2 Data Protection .................................................................................................................................. 10
3.3 Cryptographic Services...................................................................................................................... 11
3.4 Identification and Authentication ...................................................................................................... 11
3.5 Security Management ........................................................................................................................ 12
3.6 Partial Self-Protection........................................................................................................................ 12
3.7 Access Banner ................................................................................................................................... 12
3.8 Summary............................................................................................................................................ 12
4.0 Assumptions and Clarification of Scope ................................................................................................... 15
4.1 Usage Assumptions ........................................................................................................................... 15
4.2 Environmental Assumptions.............................................................................................................. 15
4.3 Clarification of Scope........................................................................................................................ 16
5.0 Architectural Information.......................................................................................................................... 18
6.0 Documentation........................................................................................................................................... 20
6.1 IT Product Testing ............................................................................................................................. 21
6.2 Developer Testing.............................................................................................................................. 21
6.3 Evaluator Independent Testing .......................................................................................................... 22
6.3.1 Test Hardware................................................................................................................................ 22
6.3.2 Test Software................................................................................................................................. 23
6.4 Strategy for Devising Test Subset (Developer and Team Defined Tests) ......................................... 24
6.5 Coverage Provided by Devised Test Subset...................................................................................... 24
6.6 Strength of Function .......................................................................................................................... 25
7.0 Evaluated Configuration............................................................................................................................ 26
8.0 Results of Evaluation................................................................................................................................. 27
9.0 Validator Comments/Recommendations................................................................................................... 29
4
9.1 User Guidance Version Numbers ...................................................................................................... 29
9.2 Product Functionality Excluded from the TOE ................................................................................. 29
9.3 Lost Password.................................................................................................................................... 29
9.4 Power Loss During Initial Encryption............................................................................................... 29
9.5 Removable Media Tested .................................................................................................................. 29
9.6 Sharing Encrypted Data with Other Computers ................................................................................ 30
9.7 Running Defraggers........................................................................................................................... 30
9.8 Default Passwords ............................................................................................................................. 30
9.9 Double Encryption............................................................................................................................. 30
9.10 Recovery from Hard Disk Problems.................................................................................................. 30
9.11 Overflow of the Pre-Boot Authentication (PBA) Buffers ................................................................. 30
9.12 Encryption Library............................................................................................................................. 31
9.13 Encryption Certificate........................................................................................................................ 31
9.14 Unevaluated Algorithms.................................................................................................................... 31
10.0 Security Target .......................................................................................................................................... 32
11.0 Glossary..................................................................................................................................................... 33
12.0 Bibliography.............................................................................................................................................. 39
5
List of Figures
Figure 1. GuardianEdge Components and TOE Boundary ............................................................................... 19
Figure 2. Test Hardware.................................................................................................................................... 23
Figure 3. Evaluated Configuration .................................................................................................................... 26
List of Tables
Table 1. TOE Security Functional Requirements.............................................................................................. 13
Table 2. IT Environment Security Functional Requirements............................................................................ 14
Table 3. Evaluation Documentation and Evidence ........................................................................................... 20
6
7
1.0 Executive Summary
This Validation Report (VR) documents the evaluation and validation of the product
GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk
Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1.
This VR is not an endorsement of the IT product by any agency of the U.S. Government
and no warranty of the IT product is either expressed or implied.
The GuardianEdge Platform provides transparent encryption services for hard disks and
removable storage devices on computers running Windows XP. It employs full disk
encryption, pre-boot authentication, and on-the-fly disk decryption/encryption at the
device driver level to provide complete protection of data on Windows-based notebook
and desktop systems. It also protects information on removable storage devices such as
USB flash drives.
The GuardianEdge Platform is intended for use in computing environments where there
is a potential for attackers possessing a moderate attack potential.
The GuardianEdge Platform protects data at rest on the hard disk and on removable
devices from unauthorized access. The GuardianEdge Platform uses its own FIPS 140-2
validated cryptographic library to perform the cryptographic operations necessary to
protect data, support authentication, and self-protect itself against tampering or bypass.
The product uses Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC)
mode with 256-bit keys to perform bulk encryption on administrator-specified partitions
of hard disks and removable storage devices on a Client Computer.
The Guardian Edge Platform uses a mix of FIPS-validated and non-validated algorithms.
Those algorithms that have undergone FIPS evaluation are as follows:
ƒ AES (Certs. #154 and #759)
ƒ HMAC (Cert. #414)
ƒ SHS (Certs. #239 and #766)
ƒ RNG (Certs. #45 and #437)
The HMAC-SHA-1 algorithm has a certificate (SHS Cert. #239), but is vendor-affirmed. The
Elliptical Curve Cryptographic Algorithm used in this product has not been FIPS certified nor has
it been analyzed or tested to conform to cryptographic standards during this evaluation. This
algorithm has only been asserted as tested by the vendor.
The evaluation was performed by the CygnaCom Common Criteria Testing Laboratory
(CCTL), and was completed in November 2008. The information in this report is derived
from the Evaluation Technical Report (ETR) and associated test reports, all written by the
CygnaCom CCTL. The evaluation team determined that the product is Common Criteria
version 2.3 [CC] Part 2 extended and Part 3 conformant, and meets the assurance
requirements of EAL 4 augmented with ALC_FLR.3 from the Common Methodology for
Information Technology Security Evaluation, Version 2.3, [CEM]. The product is not
8
conformant with any published Protection Profiles, but rather is targeted to satisfying
specific security objectives.
The evaluation and validation were consistent with National Information Assurance
Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS)
policies and practices as described on their web site www.niap-ccevs.org. The Security
Target (ST) is contained within the document GuardianEdge Data Protection Framework
9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable
Storage Encryption 3.0.1.
9
2.0 Identification
Target of Evaluation: GuardianEdge Data Protection Framework 9.0.1 with
GuardianEdge Hard Disk Encryption 9.0.1 and
GuardianEdge Removable Storage Encryption 3.0.1
Evaluated Software: GuardianEdge Data Protection Framework 9.0.1 with
GuardianEdge Hard Disk Encryption 9.0.1 and
GuardianEdge Removable Storage Encryption 3.0.1
Developer: 475 Brannan Street, Suite 400, San Francisco CA 94107-
5421
CCTL: CygnaCom Solutions
Suite 100 West
7925 Jones Branch Drive
McLean, VA 22102-3305
Evaluators: Clifton Morgan, Sai Pulugurtha
Validation Scheme: National Information Assurance Partnership CCEVS
Validators: Daniel Faigin, Jandria Alexander
CC Identification: Common Criteria for Information Technology Security
Evaluation, Version 2.3, August 2005
CEM Identification: Common Methodology for Information Technology
Security Evaluation, Version 2.3, August 2005
10
3.0 Security Policy
The TOE’s security policy is expressed in the security functional requirements identified
in the section 5.1 in the ST. Potential users of this product should confirm that
functionality implemented is suitable to meet the user’s requirements. A description of
the principle security policies is as follows:
3.1 Security Audit
The TOE auditing service generates audit records into the Windows system event log of the
Client Computer operating system. It captures security events related to use of the authentication
mechanism, initial encryption activity, and the startup and shutdown of the TOE client. The TOE
auditing service is automatically started with the start-up of the TOE client, and there is no
interface to turn off the audit mechanism and no interface to change the security events being
audited.
The audit function requires the following support from the TOE’s IT environment:
ƒ The OS to protect the Windows system event log to ensure it’s protected from
unauthorized deletion and modification.
ƒ The platform to provide reliable time when required to ensure the audit records have
meaningful timestamps.
ƒ The OS to provide an interface to view the audit records in the Windows system event log.
3.2 Data Protection
The TOE uses its FIPS140-2 cryptographic functions, described below, to ensure all data on the
hard disk partitions, as designated by an administrator, is protected by encryption when not in use
(i.e., at rest). Except for the GEFS files (to bootstrap the system), the encryption covers all the
data on the selected hard disk partitions, including system files, e.g., Windows operating system
files, registry, swap files, hibernation files, paging files. A per computer key is used to encrypt all
data on the hard disk; this key is called the Workstation Encryption Key (WEK).
The data protection function also ensures the data is available when requested and that both the
encryption process (to protect the data when at rest) and the decryption process (to make the data
available to registered users) is done transparently to the user, referred to as on-the-fly
decryption/encryption. This transparent operation ensures enforcement and doesn’t rely on users
activating the function.
Data on removable storage devices is encrypted on a per file basis. Files are automatically
encrypted when written to the device. Encrypted files are decrypted when accessed and
encrypted when written. Depending on the configuration, pre-existing plaintext files may be
either automatically encrypted, or left as plaintext. The evaluated configuration is for pre-
11
existing files to be left in plaintext. A per file key is used to encrypt files on removable storage
devices; this key is called the File Encryption Key (FEK).
The data protection function requires the platform to be operating correctly, both in general for
supporting the TOE processes and in particular for loading the TOE kernel-mode device drivers
as configured in the installation process and processing the bits to ensure they pass through the
TOE for the specified partitions.
3.3 Cryptographic Services
The TOE includes cryptographic libraries that provide cryptographic support for the following
security functions:
™ Authentication process password check
¾ Elliptic Curve Cryptography (ECC)
¾ SHA-1
™ New user registration
¾ ECC
¾ RNG
™ Initial encryption and transparent decryption: AES in CBC mode.
™ Self-tests and integrity checks: SHA-1 and CRC.
The IT environment is only required to operate correctly to support the cryptographic services
security function.
Cryptographic Algorithms Certifications are as follows:
™ AES (Certs. #154 and #759);
™ HMAC-SHA-1 (SHS Cert. #239, vendor affirmed);
™ HMAC (Cert. #414);
™ SHS (Certs. #239 and #766);
™ RNG (Certs. #45 and #437); and
™ Elliptical Curve Cryptographic Algorithm (verified by Vendor Assertion).
3.4 Identification and Authentication
The TOE provides an identification and authentication (I&A) mechanism that requires all users to
identify and authenticate themselves during the startup of the Client Computer, before the
operating system is loaded and before users log on to their Windows accounts. This is referred to
12
as pre-Windows authentication. In addition to the pre-Windows authentication requirement, the
TOE also requires all users to log on again when accessing the GuardianEdge Client console.
Supporting the password-based mechanism, the TOE obscures the password users enter on the
TOE logon screens. It provides an authentication failure mechanism and password management
options that defines parameters for acceptable passwords.
The identification and authentication function depends on the operating system to identify and
authenticate the Client Computer users after startup, and the platform to provide an accurate clock
to measure one minute, the delay in the logon process for the authentication failure mechanism.
As with all the security functions, it also requires the support provided as part of the Partial Self-
Protection, described below, both in general and in particular for activating the TOE as part of the
pre-Windows start-up process.
3.5 Security Management
The TOE includes an administrative interface for Client Administrators to remove users, change
passwords, and perform initial encryption on selected partitions. Registered users also use this
interface to change their passwords. The GuardianEdge Platform in its evaluated configuration is
designed to require minimum administration during normal operation. The Client Administrator,
using the Client Console, is also able to verify the evaluated configuration settings. New users are
added to the TOE through a self-registration process coordinated with the operating system logon
for subsequent users after startup of the Client Computer.
The IT environment is required to operate correctly to support this security function.
3.6 Partial Self-Protection
Working in concert with its platform the TOE provides a security architecture and security
mechanisms to ensure the TSF cannot be bypassed, corrupted, or otherwise compromised.
The TOE relies on its platform for domain separation of TSF processes, for non-bypassability, for
access controls on file protections, and for correct operation of the BIOS and media driver data
processing.
3.7 Access Banner
The TOE displays an advisory warning access banner as part of its logon screen. The banner and
warning are defined by the Policy Administrator during the installation process.
3.8 Summary
A summary of the SFRs for the TOE and IT environment are included in the following
tables. Note that _EXP in the SFR ID indicates explicitly specified requirements.
13
Table 1. TOE Security Functional Requirements
Item SFR ID SFR Title
1. FAU_GEN.1 Audit data generation
2. FAU_GEN.2 User Identity Association
3. FCS_CKM.1 Cryptographic key generation
4. FCS_CKM.4 Cryptographic key destruction
5. FCS_COP.1(1) Cryptographic Operation (AES)
6. FCS_COP.1(2) Cryptographic Operation (ECC of UPC)
7. FCS_COP.1(3) Cryptographic Operation (RNG)
8. FCS_COP.1(4) Cryptographic Operation (Secure Hash)
9. FCS_COP.1(5) Cryptographic Operation (HMAC-SHA-1)
10. FDP_IFC.2 Complete information flow control
11. FDP_IFF.1 Simple security attributes
12. FIA_AFL.1 Authentication failure handling
13. FIA_SOS.1 Verification of secrets
14. FIA_UAU.2 User authentication before any action (user access to Client Computer)
15. FIA_UAU_TOE_EXP.2 User authentication before any action (Client console)
16. FIA_UAU.7 Protected authentication feedback
17. FIA_UID.2 User identification before any action (user access to Client Computer)
18. FIA_UID_TOE_EXP.2 User identification before any action (Client console)
19. FMT_MSA.1 Management of security attributes
20. FMT_MSA.2 Secure security attributes
21. FMT_MSA.3 Static attribute initialization
22. FMT_MOF.1 Management of security functions behaviour
23. FMT_MTD.1 Management of TSF data
24. FMT_SMF.1 Specification of Management Functions
25. FMT_SMR.1 Security roles
26. FPT_RVM.1(1) Non-bypassability of the TSP (TOE)
27. FPT_SEP_TOE_EXP.1 TSF partial domain separation
14
Item SFR ID SFR Title
28. FPT_TST.1 TSF testing
29. FTA_TAB.1 Default TOE access banners
Table 2. IT Environment Security Functional Requirements
Item SFR ID1
SFR Title
30. FAU_SAR.1 Audit review
31. FAU_STG.1 Protected audit trail storage
32. FIA_UAU_ENV_EXP.2 User authentication before any action (Client Computer O/S)
33. FIA_UID_ENV_EXP.2 User identification before any action (Client Computer O/S)
34. FPT_AMT.1 Abstract machine testing
35. FPT_RVM.1(2) Non-bypassability of the TSP (Platform)
36. FPT_SEP_ENV_EXP.1 TSF Environment partial domain separation
37. FPT_STM.1 Reliable time stamps
1
Note: Although these SFRs have CC tags, all of the cited SFRs have been modified to apply to the IT
environment.
15
4.0 Assumptions and Clarification of Scope
4.1 Usage Assumptions
For secure usage, the operational environment must be managed in accordance with the
documentation associated with the following EAL 4 augmented with ALC_FLR.3
assurance requirements.
ADO_DEL.1 Delivery procedures:
ƒ Download Procedures are located on GuardianEdge.com
ADO_IGS.1 Installation, generation, and start-up procedures:
ƒ GuardianEdge Hard Disk Encryption Installation Guide V9.0
ƒ GuardianEdge Removable Storage Encryption Installation Guide V3.0
ƒ GuardianEdge Common Criteria Supplement V1.2
AGD_ADM.1 Administrator guidance:
ƒ GuardianEdge Hard Disk Encryption Client Administrator Guide V9.0
ƒ GuardianEdge Removable Storage Encryption Client Administrator Guide V3.0
AGD_USR.1 User guidance:
ƒ GuardianEdge Hard Disk Encryption User Guide V9.0
ƒ GuardianEdge Removable Storage Encryption User Guide V3.0
4.2 Environmental Assumptions
The following assumptions apply to the security environment in which the TOE operates:
ƒ Remote users are required to log on to the Windows operating system to gain access to the
Client Computer. Therefore, Network Sharing Services that do not require a Windows Logon
Authentication must be disabled.
ƒ Administrators must be appropriately trained and follow all administrator guidance.
ƒ All software, firmware, or hardware must be approved by the security officer.
ƒ Users do not leave the GuardianEdge Client Computer unattended when they are logged on.
ƒ Users will protect their authentication data.
ƒ Client Computer users should not be given administrator privileges.
16
4.3 Clarification of Scope
All evaluations (and all products) have limitations, as well as potential misconceptions
that need clarifying. This text covers some of the more important limitations and
clarifications of this evaluation. Note that:
1. As with any evaluation, this evaluation only shows that the evaluated configuration
meets the security claims made, with a certain level of assurance (EAL 4 augmented
with ALC_FLR.3 in this case).
2. This evaluation only covers the specific version identified in this document, and not
any earlier or later versions released or in process.
3. As with all EAL 4 augmented with ALC_FLR.3 evaluations, this evaluation did not
specifically search for, nor seriously attempt to counter, vulnerabilities that were not
“obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an
“obvious” vulnerability as one that is easily exploited with a minimum of
understanding of the TOE, technical sophistication and resources.
4. The TOE depends on the IT environment to provide the capability to read the audit
records, protect audit information, user identification and authentication before
action, run a suite of tests, reliable time stamps, non-bypassability, and TSF domain
separation.
5. The following product capabilities were not covered by the evaluation:
ƒ GuardianEdge Server was not installed
ƒ Client Monitor was disabled.
ƒ Authenti-Check was disabled
ƒ One-Time Password was disabled.
ƒ I&A optional mechanisms:
o Single Sign-On is disabled.
o Token authentication (“Advanced Authentication”) is disabled.
o Autologon is disabled.
o Grace restarts were disabled (set to zero).
ƒ Initial Encryption configuration:
o Manual encrypt or decrypt partition enabled for Client Administrator only, not
registered users.
o Unused sectors are included in the encryption.
ƒ Removable Storage configuration:
17
o GuardianEdge Hard Disk Encryption is installed and all hard disk partitions of
the protected operating system and associated user data partitions and swap
partitions are encrypted.
o The GuardianEdge Removable Storage Access Utility is not used.
o Encryption policy set to “Encrypt New Files”.
o The option to automatically encrypt pre-existing plaintext on removable devices
is disabled.
o The creation of self-extracting files is disabled.
o Non-registered user support is disabled.
o The access policy is set to read and write.
o Encryption method is set to “password.”
o Certificate (token and software based) encryption is disabled and/or not used.
o Group Key feature is disabled.
o No Master Certificate specified.
ƒ A logon delay was set to one minute after one incorrect logon.
6. The Elliptical Curve Cryptographic (ECC) Algorithm meets the IEEE-P1363 by
Vendor Assertion. There is no FIPS test vector for the ECC algorithm.
7. The encryption certificates for the product, certificate #515, only applies, with respect
to XP, to SP2 (as SP3 had not been released as of the time of certification).
The ST provides additional information on the assumptions made and the threats
countered.
18
5.0 Architectural Information
The evaluated configuration of the GuardianEdge Platform consists the software
components listed below. The TOE includes all product components; however, in the
evaluated configuration, some components do not provide any security functions and are
therefore outside the scope of some assurance evaluation activities.
The following TOE components provide security functions in the evaluated
configuration:
ƒ GuardianEdge Pre-Boot Authentication operates in the pre-Windows environment to
provide pre-Windows authentication, decryption services to start the operating system, self-
tests, a master boot record to interface with the BIOS, and a file storage mechanism to
support these functions, referred to as the GuardianEdge File System (GEFS).
ƒ GuardianEdge Hard Disk Encryption includes a kernel-mode driver that performs on-the-
fly decryption and encryption of data on the client hard disk.
ƒ GuardianEdge Removable Storage Encryption includes a kernel-mode driver that
performs decryption and encryption of data on the removable storage devices, and provides
per-file password-based access control as required to decrypt files accessed on devices.
ƒ GuardianEdge Data Protection Framework provides the cryptographic library and Client
Console interface.
19
P r e - W i n d o w s
GuardianEdge Pre-Boot
Authentication (GPBA)
W i n d o w s
Client
Console
Auditing
Client Database 32-Bit Drivers
Removable
Storage
Service
CD/DVD
Dynamic
Cryptographic
Libraries
Framework/Hard
Disk Services
Registration
Wizard
W i n d o w s
GuardianEdge
Manager console
Client Computer Manager Computer
Used to make client
installation packages
only
Note: There is no
communication between
the Client Computer and
the Manager Computer in
the evaluated
configuration
Optional
Network
Connection
User
Client
Administrator
Policy
Administrator
H a r d D i s k M e d i a R e m o v a b l e M e d i a
Figure 1. GuardianEdge Components and TOE Boundary
The TOE relies on the following IT environment components to support the evaluated
security functions:
ƒ The Client Computer including Windows XP Service Pack 3, x86 platform, hard disk and
removable storage components and device drivers
ƒ The Manager Computer including Windows 2003 Server Service Pack 2, x86 platform with
storage media for the client installation package files.
20
6.0 Documentation
CC Evaluation Evidence:
Note: Bolded documents are available for GuardianEdge customers.
Table 3. Evaluation Documentation and Evidence
Acronym Document Title
FSP GuardianEdge Data Protection Framework 9.0.1, GuardianEdge Hard Disk Encryption 9.0.1
and GuardianEdge Removable Storage Encryption 3.0.1 Functional Specification, V2.5, June
27, 2008
HLD GuardianEdge Data Protection Framework 9.0.0 with GuardianEdge Hard Disk Encryption
9.0.0 and GuardianEdge Removable Storage Encryption 3.0.0 High-Level Design version 3.3,
April 1, 2008
TAT GuardianEdge Data Protection Framework 9.0.1, GuardianEdge Hard Disk Encryption 9.0.1
and GuardianEdge Removable Storage Encryption 3.0.1 Tools and Techniques Version 3.0,
April 30, 2008
LLD LLD-0409\LLD Documentation\index.html - html files, June 26, 2008
RCR GuardianEdge Data Protection Framework 9.0.0 with GuardianEdge Hard Disk Encryption
9.0.0 and GuardianEdge Removable Storage Encryption 3.0.0 Representation Correspondence
Version 1.2, April 2, 2008
FRP GuardianEdge Flaw Remediation Procedure, V1.3, June 23, 2008
ALC GE Software Development Life Cycle Model V5.4, September 19, 2007
TCD SFR_Test_Coverage_Analysis(2008-04-22).xls, Test_Coverage_Analysis-20060627-GE_
Response.xls and FuncSpec_Matrix_TestCases.xls “FR/HD b.197.00.02.1, RS b.78.00.02.1”
TP EAL4 Test Plan for GEFR/GEHD/GERS Version 1.8, April 14, 2008
AT EAL4_Test_Docs_Tree_Cycle_3(2008-04-30).zip (EAL4_Test_Docs_Tree_Cycle_3 folder)
MA GuardianEdge Data Protection Framework 9.0.1, GuardianEdge Hard Disk Encryption 9.0.1
and GuardianEdge Removable Storage Encryption 3.0.1 Misuse Analysis, V1.0, May 8, 2008
SOF Strength of Function Equation 2008-04-22.xls, April 22, 2008
VA PS 269 – GEHD and GERS Vulnerability Analysis Version 1.5, April 10, 2008
ACM GuardianEdge Configuration Management (CM) Plan, version 5.1, May 21, 2008
CI_list.txt, August 22, 2008
Build Procedures for GuardianEdge Hard Disk Version 1.8, May 23, 2008
Build Procedures for GuardianEdge Hard Disk Drivers Version 0.2, May 23, 2008
Build Procedures for GuardianEdge Removable Storage Version 1.6, May 20, 2008
How to build PBS, V3.1, June 2, 2008
ADO GuardianEdge Release Procedures, V2.4, January 17, 2008
SW_download_instructions.htm, September 5, 2007
GuardianEdge Hard Disk (GEHD) Installation Guide Version 9.0
GuardianEdge Removable Storage Installation Guide Version 3.0
AGD GuardianEdge Hard Disk (GEHD) Encryption Client Administrator Guide version V9.0
21
Acronym Document Title
GuardianEdge Removable Storage Encryption Policy Administrator Guide V3.0
GuardianEdge Removable Storage Encryption Client Administrator Guide V3.0
GuardianEdge Removable Storage Encryption User Guide V3.0
GuardianEdge Hard Disk Encryption User Guide V9.0
GuardianEdge Common Criteria Supplement V1.2, August 18, 2008
ISP GuardianEdge Information Security Policy Version 20060911
DSQ_1 Development Security Questionnaire: Outworx Corp. Date2007_09_07
DSQ_2 Development Security Questionnaire: ZEN Electronics Ltd Date 2007_11_15
6.1 IT Product Testing
At EAL 4 augmented with ALC_FLR.3, the overall purpose of the testing activity is “to
determine, by independently testing a subset of the TSF, whether the TSF behaves as
specified, and to gain confidence in the developer's test results by performing a sample of
the developer's tests.” (ATE_IND.2, 14.9.5.1 [CEM])
At EAL 4 augmented with ALC_FLR.3, the developer’s test evidence must “demonstrate
the correspondence between the tests identified in the test documentation and the TSF as
described in the functional specification.” (ATE_COV.2, 14.9.2.3)
This section describes the testing efforts of the vendor and the evaluation team.
The purpose of the Testing activity was to determine whether the TOE behaves as
specified in the design documentation and in accordance with the TOE security
functional requirements specified in the ST. This section describes the testing efforts of
the developer and the evaluation team.
The developer and evaluator independent/penetration testing was conducted at
GuardianEdge, 475 Brannan Street, Suite 400, San Francisco CA 94107-5421
The Independent testing was performed over a week period from 8/11/08–8/18/08.
Installation Testing was performed the first day. Developer testing was performed from
8/4/08–8/8/08, three days in prior to Evaluator Testing. The test plan and results, as well
as the evaluation team’s review of the testing in the Evaluation Technical Report, were
well written and complete.
6.2 Developer Testing
The test approach consists of manual tests that were grouped together under the TOE
component being tested. The tests were designed to cover all of the security functions as
described in the SFR and TSS section of the ST.
The test plan and procedures do not cover every possible combination of parameters for a
given interface and every possible combination of parameters for a given security
function. However, the test plan and procedures do stimulate every external interface and
all of the security functions.
22
The individual tests were performed and the results were collected and verified by the
developer. The results were archived, recorded, and sent to the evaluator for review.
The vendor’s testing purposefully intended to cover all the security functions of Security
Audit, Cryptographic Support, Data Protection, Identification and Authentication,
Security Management, TOE Protection, and Access Banner, as defined in Section 6 of the
ST.
The evaluator determined that the developer’s approach to testing the TSFs was adequate
for an EAL4 evaluation.
6.3 Evaluator Independent Testing
The test approach consists of providing full coverage of all the TOE’s security functions
between the developer tests and team-defined functional tests as required under EAL 4.
6.3.1 TEST HARDWARE
GuardianEdge provided the test setup for CygnaCom testing. The figure below shows
logical connections. The test setup was intended to be consistent with the available
GuardianEdge test facilities.
ƒ Client Computers: Windows XP Service Pack 3, Intel platform, hard disk and removable
storage components and device drivers
ƒ Manager Computer: Windows 2003 Server, Intel platform with storage media for the client
installation package files.
ƒ Generic removable storage devices and CD/DVD devices: (Dell Latitude D610, 512 MB
RAM, CPU 1.6 GHz, HDD speed 4200 rpm, OCZ technology - Rally 4GB flash drive)
23
Dell Lattitude C610
Windows Server 2003 SP2
Domain controller
for
GE Management
Console
IP 10.0.2.93
Dell Latitude D610
Windows XP SP3
for
GE Hard Disk &
Removable Storage
Client
Evaluator computer
HP dc7700
Windows XP SP3
for
Forensic Test Tools
Dell Optiplex GX280
Windows XP SP3
for
Forensic tests with GE
Client
Switch
IBM ThinkPad 260T
Windows XP SP3
for
GE Hard Disk &
Removable Storage
Client
HD
Note: Hard Drive
connected to Forensic
Tool as needed.
Figure 2. Test Hardware
6.3.2 TEST SOFTWARE
The following software testing tools were used for testing the TOE:
ƒ Event Viewer—system application
ƒ AccessData FTK Imager Version 2.2
ƒ AccessData FTK Version 1.60
ƒ Encase Enterprise Version 6.7.1.3
24
ƒ Sysinternals Process Explorer 11.4
ƒ Acronis DiskEditor 6.0
All tools were available at Guardian Edge facility and were used for Developer tests.
6.4 Strategy for Devising Test Subset (Developer and Team
Defined Tests)
CygnaCom selected 26 of 28 (92%) tests that GuardianEdge provided as evaluation
evidence. The tests were selected to exercise security functions from the externally
visible TSFI.
The evaluation team ensured that the test sample was sufficient to ensure that:
ƒ All Security Functions were tested
ƒ All External interfaces were exercised
ƒ All Security Functional Requirements were tested
As the product is a Disk/Storage Encryption Decryption product, the emphasis of testing
was on both the Identification and Authentication functionality (I & A) and Information
Flow Control (FDP_IFC/IFF on-the-fly encryption decryption). The test provided by the
developer and the test sample of the developer tests selected tested security functions at
appropriate level of rigor.
For cryptographic algorithms claimed in the ST based on both FIPS 140-x standard and
by vendor affirmation, the tests did not include testing the correctness of the crypto
algorithm or standard. However, testing ensured that a cipher text is created when
encrypted and vice versa.
In particular, the SHA-1 algorithm (certificated, but vendor-affirmed) and the Elliptic
Curve Cryptography algorithms (vendor asserted) was not analyzed or tested as
conforming to cryptographic standards during this evaluation. Those algorithms have
only been asserted as tested by the vendor. Other cryptographic algorithms are covered
by FIPS certificates.
6.5 Coverage Provided by Devised Test Subset
The evaluator ensured that the test sample sufficient tests such that:
ƒ All Security Functions were tested
ƒ All External interfaces were exercised
ƒ All Security Functional Requirements were tested.
The environment and configuration for the Team-Defined testing has been previously
described. A distributed environment was selected to be able to test all of the
functionality as described in the ST including optional features. This product can be
installed in a number of configurations, including all on one machine.
25
The independent testing purposefully (directly) covered all of the security functions of,
Cryptographic Support, Identification and Authentication, Access Banner, Data
Protection, Security Management, TOE Protection, Security Audit, as defined in Section
6 of the ST.
Two tests failed, but these did not indicate failure of covered TOE security functions.
Testing resulted in updates to the CC Supplement to the User Guidance, and download
Instructions. No obvious vulnerabilities were found.
The following updates were made to the CC User’s Guide:
ƒ A CC Supplement to the TOE User Guidance is included as part of the TOE’s user guidance.
ƒ Text added to the CC Supplement Appendix D providing a caution about running the chkdsk
utility at boot-time, indicating that using chkdsk at boottime could cause the Client Computer
to fail to boot.
The following updates were made to the Installation supplements:
ƒ Installation and configuration instructions specific to the evaluated configuration has been
published and is included with the TOE’s user guidance.
6.6 Strength of Function
The overall strength of function requirement is SOF-medium. The strength of function
requirement applies to FIA_SOS.1 which constrains the passwords used for the
password-based authentication mechanism defined in FIA_UAU.2 and FIA_UAU.2. The
SOF claim for this requirement is SOF-medium. The strength of the “secrets” mechanism
is consistent with the objectives of authenticating users (O.PARTIAL_TOE_ACCESS).
Strength of Function shall be demonstrated for the password-based authentication
mechanisms to be SOF-medium, as defined in Part 1 of the CC. Specifically, the local
authentication mechanism must demonstrate adequate protection against attackers
possessing a moderate attack potential.
26
7.0 Evaluated Configuration
The Evaluated Configuration (consistent with the ST):
ƒ Client Computer—Windows XP Service Pack 3, Intel platform, hard disk and removable
storage components and device drivers
ƒ Manager Computer—Windows 2003 Server SP2, Intel platform with storage media for the
client installation package files.
P r e - W i n d o w s
GuardianEdge Pre-Boot
Authentication (GPBA)
W i n d o w s
Client
Console
Auditing
Client Database 32-Bit Drivers
Removable
Storage
Service
CD/DVD
Dynamic
Cryptographic
Libraries
Framework/Hard
Disk Services
Registration
Wizard
W i n d o w s
GuardianEdge
Manager console
Client Computer Manager Computer
Used to make client
installation packages
only
Note: There is no
communication between
the Client Computer and
the Manager Computer in
the evaluated
configuration
Optional
Network
Connection
User
Client
Administrator
Policy
Administrator
H a r d D i s k M e d i a R e m o v a b l e M e d i a
Figure 3. Evaluated Configuration
27
8.0 Results of Evaluation
A verdict for an assurance component is determined by the resulting verdicts assigned to
the corresponding evaluator action elements. The evaluation was conducted based upon
version 2.3 of the CC and the CEM.
The Evaluation Team assigned a Pass, Fail, or Inconclusive verdict to each work unit of
each EAL4 assurance component. For Fail or Inconclusive work unit verdicts, the
Evaluation Team advised the developer of issues requiring resolution or clarification
within the evaluation evidence. In this way, the Evaluation Team assigned an overall Pass
verdict to the assurance component only when all of the work units for that component
had been assigned a Pass verdict.
The details of the evaluation are recorded in the Evaluation Technical Report (ETR),
which is controlled by CygnaCom CCTL.
• Below lists the assurance requirements the TOE was required meet to be
evaluated and pass at Evaluation Assurance Level 4. The following components
are taken from CC part 3. The components in the following section have no
dependencies unless otherwise noted. ACM_AUT.1 Partial CM Automation
• ACM_CAP.4 Generation Support and Acceptance Procedures
• ACM_SCP.2 Problem Tracking CM Coverage
• ADO_DEL.2 Detection of Modification
• ADO_IGS.1 Installation, generation, and start-up procedures
• ADV_FSP.2 Fully defined external interfaces
• ADV_HLD.2 Security enforcing high-level design
• ADV_IMP.1 Subset of the implementation of the TSF
• ADV_LLD.1 Descriptive low-level design
• ADV_RCR.1 Informal correspondence demonstration
• ADV_SPM.1 Informal TOE security policy model
• AGD_ADM.1 Administrator guidance
• AGD_USR.1 User guidance
• ALC_DVS.1 Identification of Security Measures
• ALC_LCD.1 Developer defined life-cycle model
• ALC_TAT.1 Well defined development tools
• ATE_COV.2 Analysis of coverage
• ATE_DPT.1 Testing: high-level design
• ATE_FUN.1 Functional testing
28
• ATE_IND.2 Independent testing—sample
• AVA_MSU.2 Validation of Analysis
• AVA_SOF.1 Strength of TOE security function evaluation
• AVA_VLA.2 Independent vulnerability analysis
The evaluators concluded that the overall evaluation result for the target of evaluation is
Pass. The evaluation team reached pass verdicts for all applicable evaluator action
elements and consequently all applicable assurance components.
ƒ The TOE is CC Part 2 Extended
ƒ The TOE is CC Part 3 Conformant for EAL4 augmented with ALC_FLR.3.
ƒ Strength of Function Rating of SOF-medium
The validators reviewed the findings of the evaluation team, and have concurred that the evidence
and documentation of the work performed support the assigned rating.
29
9.0 Validator Comments/Recommendations
9.1 User Guidance Version Numbers
The User Guides indicate two-level version numbers, such as 9.0 and 3.0 while the actual
TOE contains three-level version numbers, such as 9.0.1 and 3.0.1.
There are no significant differences between 9.0.0 and 9.0.1, or 3.0.0 and 3.0.1, modulo
defect repairs. The only updates to provided documentation are increments of the version
number on the cover pages.
9.2 Product Functionality Excluded from the TOE
The following product functions are excluded from the TOE:
ƒ Token Authentication (Advanced Authentication)
ƒ Single Sign-On
ƒ Authenti-Check
ƒ One-Time Password
See comments on Lost Password below:
9.3 Lost Password
Although the product supports several methods to recover from a lost or forgotten
password, these recovery mechanisms are not part of the TOE. The TOE supports
recovery by a Client Administrator. If both the client administrator and the user
passwords are lost, the encrypted disk cannot be recovered.
9.4 Power Loss During Initial Encryption
Unexpected power loss during initial encryption process was tested and found that the
TOE encryption process was able to safely recover without corrupting data. The
encryption process continued to completion when power was restored.
9.5 Removable Media Tested
The following removable storage devices were tested:
ƒ USB Flash Drive
ƒ CD
ƒ DVD
ƒ 1.5 inch floppy disk
30
ƒ SD card
Note: Although iPods and MP3 players may also be used as removable storage devices,
such devices are not supported by the TOE, and encryption of files written to such
devices is likely to impact their functionality in the TOE configuration.
9.6 Sharing Encrypted Data with Other Computers
GuardianEdge provides an optional utility that allows for decryption on Windows
computers that do not have GuardianEdge Removable Storage Encryption installed.
However, this utility is not part of the current evaluation. GuardianEdge plans to include
this utility in a maintenance evaluation at a later date. Without the utility, it is not
possible to share encrypted data with computers that do not have GuardianEdge
Removable Storage Encryption installed.
9.7 Running Defraggers
Running the chkdsk utility at boot-time can damage the Master Boot Record. If used,
chkdsk at boot time could cause the Client Computer to fail to boot. See Appendix D of
the CC supplement to the user’s guide.
9.8 Default Passwords
Use of a Default Password introduces the risk that a breach of the password for one file
or device will breach multiple files and devices. On the other hand, users greatly resist
having to enter a password for every file written to removable storage. This increases
overall security risk since users may attempt to bypass encryption all together.
9.9 Double Encryption
Encrypting data once with a product from one vendor and a second time with a product
from another vendor, may prevent future decryption. Some removable storage devices
offer encryption services of their own. If the administrator configures the installation of
GuardianEdge Removable Storage to always encrypt, users should not utilize any
additional encryption services that may be offered, as they may preclude decyrption.
9.10 Recovery from Hard Disk Problems
Recovery from hard disk problems with the recovery utilities is not covered in the ST as
it was not tested. GuardianEdge Hard Disk Encryption Client Administrator Guide,
Version 9.0 describes the hard disk recovery methods for the product.
9.11 Overflow of the Pre-Boot Authentication (PBA) Buffers
The PBA audit log is on a circular buffer that can store approx 100,000 records therefore
it is unlikely recent events could be lost through overflow of the buffer.
31
9.12 Encryption Library
The TOE uses the GuardianEdge Encryption Plus Cryptographic Library version 1.04.
9.13 Encryption Certificate
The encryption certificates for the product, certificate #515, only applies, with respect to
XP, to SP2 (as SP3 wasn’t out yet).
Additionally, the certificate indicates “Single-User Mode.” The evaluation team
concluded that the in this context, the term “Single-User Mode” refers to only one user
using the TOE as opposed to booting to a single super user. The validation team concurs
that the evaluation is in sync with the FIPS certificate.
9.14 Unevaluated Algorithms
The SHA-1 algorithm (certificated, but vendor-affirmed) and the Elliptic Curve
Cryptography algorithms (vendor asserted) were not analyzed or tested as conforming to
cryptographic standards during this evaluation. Those algorithms have only been asserted
as tested by the vendor. Other cryptographic algorithms are covered by FIPS certificates.
32
10.0 Security Target
GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk
Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1The ST is
compliant with the Specification of Security Targets requirements found within Annex B
of Part 1of the CC.
33
11.0 Glossary
The following table is a glossary of terms used within this validation report and
evaluation.
CC Common Criteria
EAL Evaluation Assurance Level
GEFR GuardianEdge Framework
GEFS GuardianEdge File System
GEHD GuardianEdge Hard Disk Encryption
GMBR GuardianEdge Master Boot Record
GPBA GuardianEdge Pre-Boot Authentication
GERS GuardianEdge Removable Storage Encryption
IT Information Technology
MBR Master Boot Record
OSP Organizational Security Policy
SF Security Function
SFP Security Function Policy
SOF Strength of Function
ST Security Target
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Function
TSFI TSF Interface
TSP TOE Security Policy
WEK Workstation Encryption Key
This section defines the Common Criteria terms. Not all of these terms are used in this document.
Assignment The specification of an identified parameter in a
component.
Assurance Grounds for confidence that an entity meets its
security objectives.
Attack potential The perceived potential for success of an attack,
should an attack be launched, expressed in terms of
a threat agent’s expertise, resources and motivation.
Augmentation The addition of one or more assurance
component(s) from Part 3 to an EAL or assurance
package.
Authentication data Information used to verify the claimed identity of a
user.
Authorized user A user who may, in accordance with the TSP,
perform an operation.
34
Bulk Encryption The encryption of large amounts of data. This is as
opposed to key encryption.
Class A grouping of families that share a common focus.
Component The smallest selectable set of elements that may be
included in a PP, an ST, or a package.
Connectivity The property of the TOE that allows interaction
with IT entities external to the TOE. This includes
exchange of data by wire or by wireless means, over
any distance in any environment or configuration.
Dependency A relationship between requirements such that the
requirement that is depended upon must normally
be satisfied for the other requirements to be able to
meet their objectives.
Element An indivisible security requirement.
Evaluation Assessment of a PP, an ST, or a TOE against
defined criteria.
Evaluation Assurance Level (EAL) A package consisting of assurance components
from Part 3 that represents a point on the CC
predefined assurance scale.
Evaluation authority A body that implements the CC for a specific
community by means of an evaluation scheme and
thereby sets the standards and monitors the quality
of evaluations conducted community.
Evaluation scheme The administrative and regulatory framework under
which the CC is applied by an evaluation authority
within a specific community.
Extension The addition to an ST or PP of functional
requirements not contained in Part 2 and/or
assurance requirements not contained in Part 3 of
the CC.
External IT entity Any IT product or system, untrusted or trusted,
outside of the TOE that interacts with the TOE.
Family A grouping of components that share security
objectives but may differ in emphasis or rigor.
Formal Expressed in a restricted syntax language with
defined semantics based on well-established
mathematical concepts.
Human user Any person who interacts with the TOE.
35
Identity A representation (e.g. a string) uniquely identifying
an authorized user, which can either be the full or
abbreviated name of that user or a pseudonym.
Informal Expressed in natural language.
Initial Encryption The encryption of the designated hard disk
partitions that follows the installation of
GuardianEdge Hard Disk Encryption is called initial
encryption. This is as opposed to terminal
decryption.
Internal communication channel A communication channel between separated parts
of TOE.
Internal TOE transfer Communicating data between separated parts of the
TOE.
Inter-TSF transfers Communicating data between the TOE and the
security functions of other trusted IT products.
Iteration The use of a component more than once with
varying operations.
Key Encryption Encryption of keys for key management purposes.
This is as opposed to bulk encryption.
Object An entity within the TSC that contains or receives
information and upon which subjects perform
operations.
Organizational security policies One or more security rules, procedures, practices, or
guidelines imposed by an organization upon its
operations.
Package A reusable set of either functional or assurance
components (e.g. an EAL), combined together to
satisfy a set of identified security objectives.
Product A package of IT software, firmware and/or
hardware, providing functionality designed for use
or incorporation within a multiplicity of systems.
Protection Profile (PP) An implementation-independent set of security
requirements for a category of TOEs that meet
specific consumer needs.
Reference monitor The concept of an abstract machine that enforces
TOE access control policies.
Reference validation mechanism An implementation of the reference monitor
concept that possesses the following properties: it is
tamperproof, always invoked, and simple enough to
be subjected to thorough analysis and testing.
36
Refinement The addition of details to a component.
Role A predefined set of rules establishing the allowed
interactions between a user and the TOE.
Secret Information that must be known only to authorized
users and/or the TSF in order to enforce a specific
SFP.
Security attribute Information associated with subjects, users and/or
objects that is used for the enforcement of the TSP.
Security Officer Person responsible for setting IT security policies at
an organization.
Security Function (SF) A part or parts of the TOE that have to be relied
upon for enforcing a closely related subset of the
rules from the TSP.
Security Function Policy (SFP) The security policy enforced by an SF.
Security objective A statement of intent to counter identified threats
and/or satisfy identified organization security
policies and assumptions.
Security Target (ST) A set of security requirements and specifications to
be used as the basis for evaluation of an identified
TOE.
Selection The specification of one or more items from a list in
a component.
Semiformal Expressed in a restricted syntax language with
defined semantics.
Strength of Function (SOF) A qualification of a TOE security function
expressing the minimum efforts assumed necessary
to defeat its expected security behavior by directly
attacking its underlying security mechanisms.
SOF-basic A level of the TOE strength of function where
analysis shows that the function provides adequate
protection against casual breach of TOE security by
threat agents possessing a low attack potential.
SOF-medium A level of the TOE strength of function where
analysis shows that the function provides adequate
protection against straightforward or intentional
breach of TOE security by threat agents possessing
a moderate attack potential.
SOF-high A level of the TOE strength of function where
analysis shows that the function provides adequate
protection against deliberately planned or organized
37
breach of TOE security by threat agents possessing
a high attack potential.
Subject An entity within the TSC that causes operations to
be performed.
System A specific IT installation, with a particular purpose
and operational environment.
Target of Evaluation (TOE) An IT product or system and its associated
administrator and user guidance documentation that
is the subject of an evaluation.
Terminal Decryption Terminal decryption refers to the decryption of
encrypted hard disk partitions. In the TOE, only the
Client Administrator can perform this task. This is
as opposed to initial encryption.
TOE resource Anything useable or consumable in the TOE.
TOE Security Functions (TSF) A set consisting of all hardware, software, and
firmware of the TOE that must be relied upon for
the correct enforcement of the TSP.
TOE Security Functions Interface (TSFI). A set of interfaces, whether interactive
(man-machine interface) or programmatic
(application programming interface), through which
TOE resources are accessed, mediated by the TSF,
or information is obtained from the TSF.
TOE Security Policy (TSP) A set of rules that regulate how assets are managed,
protected and distributed within a TOE.
TOE security policy model A structured representation of the security policy to
be enforced by the TOE.
Transfers outside TSF control Communicating data to entities not under control of
the TSF.
Trusted channel A means by which a TSF and a remote trusted IT
product can communicate with necessary
confidence to support the TSP.
Trusted path A means by which a user and a TSF can
communicate with necessary confidence to support
the TSP.
TSF data Data created by and for the TOE, that might affect
the operation of the TOE.
TSF Scope of Control (TSC) The set of interactions that can occur with or within
a TOE and are subject to the rules of the TSP.
User Any entity (human user or external IT entity)
outside the TOE that interacts with the TOE.
38
User data Data created by and for the user that does not affect
the operation of the TSF.
39
12.0 Bibliography
URLs
ƒ Common Criteria Evaluation and Validation Scheme (CCEVS): (http://www.niap-
ccevs.org/cc-scheme).
ƒ CygnaCom Solutions CCTL (http://www.cygnacom.com).
ƒ GuardianEdge Technologies (http://www.guardianedge.com/).
CCEVS Documents
ƒ [CC] Common Criteria for Information Technology Security Evaluation, Version 2.3, August
2005.
ƒ [CEM] Common Methodology for Information Technology Security Evaluation, Version 2.3,
August 2005.
Other Documents
ƒ [ST] GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk
Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1