SECURITY TARGET
FOR
ENTRUST/TRUEDELETE

(EAL 1)
Prepared for:
Communications Security Establishment
Prepared by:
CGI Information Systems and
Management Consultants Inc.
31 March 1999
Author: CGI Senior Consultant, Mr. Mike Riley
Valid: 31 March 1999
CGI File number: CGI-ITSETF-99-01-ST-04
CB File number: 1999-CGI-02
Issue Number: 1.3
Page Count: 16
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- i -
Document Change Log
ST Section Change Reason for Change Date Changed
Sec 5.1 Conformance to FDP_RIP OR CGI-1999-02-01 28 Feb 1999
Title Page CB Reference Number and Version
Number
OR CGI-1999-02-02 16 Feb 1999
Sec 5.1 Clarify description of “file clearing” OR CGI-1999-02-02 16 Feb 1999
Sec 5.3 Amend security requirements for the IT
environment
OR CGI-1999-02-03 20 Feb 1999
Sec 6.1 Clarify TOE Summary Specification OR CGI-1999-02-04 20 Feb 1999
Sec 6.1 TSS for the assurance requirements OR CGI-1999-02-05 20 Feb 1999
Sec 6.1 Description of TOE Security Functions OR CGI-1999-02-11 28 Feb 1999
Sec 1.1 Include Windows ’95 in ST
Identification
ST Evaluation 7 March 1999
Sec 1.2 Clarify file clearing (overwrite) ST Evaluation 7 March 1999
Sec 2 Clarify file clearing (overwrite) ST Evaluation 7 March 1999
Sec 3.1 Expand Assumptions ST Evaluation 7 March 1999
Sec 4.2 Trace Back to Threat ST Evaluation 7 March 1999
Sec 5.1 Clarify file clearing (overwrite) ST Evaluation 7 March 1999
Sec 6.1 Added to improve Certifier comments 7 March 1999
Sec 6.2 Re-numbered from 6.1 and revised to
clarify file clearing (overwrite)
Addition of 6.1 7 March 1999
Sec 6.3 Re-numbered from 6.2 Addition of 6.1 7 March 1999
Sec 8.2 Added Mapping ST Evaluation 7 March 1999
Sec 8.4 Added Mapping ST Evaluation 7 March 1999
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- ii -
ST Section Change Reason for Change Date Changed
Title Page Revised version number and Date CSE Observation 31 March 1999
Sec 2 Clarified paging and swap concepts CSE Observation 31 March 1999
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- iii -
TABLE OF CONTENTS
1 INTRODUCTION.............................................................................................................1
1.1 ST IDENTIFICATION..........................................................................................................1
1.2 ST OVERVIEW .................................................................................................................1
1.3 CC CONFORMANCE..........................................................................................................1
2 TOE DESCRIPTION........................................................................................................2
3 TOE SECURITY ENVIRONMENT................................................................................3
3.1 ASSUMPTIONS..................................................................................................................3
3.2 THREATS..........................................................................................................................3
4 SECURITY OBJECTIVES ..............................................................................................5
4.1 SECURITY OBJECTIVES FOR THE TOE................................................................................5
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ................................................................5
5 IT SECURITY REQUIREMENTS ..................................................................................6
5.1 SECURITY FUNCTIONAL REQUIREMENTS...........................................................................6
5.2 SECURITY ASSURANCE REQUIREMENTS ............................................................................6
5.3 SECURITY REQUIREMENTS FOR THE IT ENVIRONMENT......................................................7
6 TOE SUMMARY SPECIFICATION...............................................................................8
6.1 TOE SECURITY FUNCTIONS..............................................................................................8
6.2 MAPPING TO TOE SECURITY FUNCTIONAL REQUIREMENTS ..............................................8
6.3 ASSURANCE MEASURES ...................................................................................................8
6.4 MAPPING OF ASSURANCE MEASURES TO EAL REQUIREMENTS .........................................8
6.4.1 Measures Used to Meet Component: ACM_CAP.1........................................................................... 8
6.4.2 Measures Used to Meet Component: ADO_IGS.1 ............................................................................ 8
6.4.3 Measures Used to Meet Component: ADV_FSP.1 ............................................................................ 9
6.4.4 Measures Used to Meet Component: ADV_RCR.1............................................................................ 9
6.4.5 Measures Used to Meet Component: AGD_ADM.1.......................................................................... 9
6.4.6 Measures Used to Meet Component: AGD_USR.1 ........................................................................... 9
6.4.7 Measures Used to Meet Component: ATE_IND.1............................................................................. 9
7 PROTECTION PROFILE CLAIMS .............................................................................10
7.1 PP REFERENCE...........................................................................................................10
8 RATIONALE ..................................................................................................................11
8.1 SECURITY OBJECTIVES RATIONALE ................................................................................11
8.2 SECURITY REQUIREMENTS RATIONALE...........................................................................11
8.3 TOE SUMMARY SPECIFICATION RATIONALE...................................................................11
8.4 PP CLAIMS RATIONALE..................................................................................................12
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 1 -
1 INTRODUCTION
1.1 ST Identification
This document is the security target (ST) for the Common Criteria evaluation of Entrust
Technologies “Entrust/TrueDelete version 4.0” program, a component of Entrust/ICE
version 4.0 and Entrust/Enterprise Desktop Client, used on a PC (desktop, laptop,
notebook) running either Windows ’95 or Windows NT 4.0.
1.2 ST Overview
Entrust/TrueDelete makes deleted files unrecoverable by meeting U.S. Department of
Defense specifications for file clearing (secure overwriting of file contents prior to file
deletion). This standard ensures that information stored in files that are deleted (or left
behind in Windows SWAP files) cannot be retrieved or viewed using a disk editor.
1.3 CC Conformance
The TOE is Part 2 conformant, meaning that the functional requirements are only based
on the relevant functional components of CC Part 2.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 2 -
2 TOE DESCRIPTION
A term that often arises during discussions of magnetic media sanitization is "data
remanence." Data remanence is the residual magnetic or electrical representation of data
that has been in some way erased or overwritten. This residual information may allow
data to be reconstructed typically using laborious, time-consuming methods. This usually
is a concern only to those processing classified information, but can also be a significant
concern for unclassified but sensitive information and for potentially embarrassing
comments, which can be unknowingly retained in a file after deletion when using some
modern software applications. Often, utility overwrite programs contain an option to
overwrite the location of the file to ensure that the chance of recovery of the information
from data remanence is very remote.
As well, when users delete files from their computers, they do not often realize that
instead of deleting the contents of these files, all that they have deleted is the links, or
directory entries, to the files. The information that was contained in the file is not
removed from the system until other information is saved that overwrites the same area of
the computer disk. This typical method of file deletion enables disk editor products to
recover information that has supposedly been "deleted".
Entrust/TrueDelete 4.0, a component of both Entrust/Enterprise Desktop Suite 4.0 and
Entrust/ICE 4.0 provides secure file clearing, deletion of temporary files and any
information that was stored by the operating system in Windows NT paging files or
Windows 95 SWAP file. Entrust/TrueDelete makes deleted information unrecoverable by
meeting U.S. Department of Defense specifications for file clearing or overwriting of file
contents prior to file deletion. This means that Entrust/TrueDelete completely overwrites
the contents of the file to ensure that information originally stored in these deleted files
cannot be retrieved or viewed using a disk editor.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 3 -
3 TOE SECURITY ENVIRONMENT
3.1 Assumptions
The following is the assumption relevant to the security environment:
• Physical Assumptions:
A.LOCATE – The processing platform of the TOE is assumed to be
located within controlled access facilities (for classified processing
platforms), which would prevent unauthorized persons access to the disk
media. Sensitive but unclassified processing platforms are not always in
controlled areas, and in order for the threat below to occur, unauthorized
person(s) would require access to the platform.
• Personnel Assumptions:
A.ATTACK - Attackers are assumed to have a moderate level of expertise,
resources and motivation.
• Connectivity Assumptions:
There are no connectivity assumptions.
• Hardware/Software Assumptions:
There are no hardware or software assumptions.
3.2 Threats
Most users do not realize that performing a typical delete function on a file in Microsoft
Windows 95 and Microsoft Windows NT does not necessarily delete the information
contained in that file. The delete function simply removes the directory link to that
information, leaving the information accessible on the computer (by disk editor tools)
until new information is saved overtop of the original disk space. The threat is as
follows:
T.ACCESS – An unauthorized user of the TOE may access information or
resources without having permission from the person who owns, or is
responsible for, the information.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 4 -
The asset requiring protection is the information that was intended to be deleted, which
was presumed to be sensitive (in the worst case). It needs to be protected from recovery
by unauthorized persons (i.e., it is a threat related to confidentiality, not integrity or
availability). The threat agents are personnel using a disk utility program who may
intentionally or inadvertently be able to read information which was intended to be
deleted (and therefore not meant for disclosure). They could, either accidentally or out of
malicious intent, recover the information and use the information in a manner harmful or
embarrassing to the person who attempted to delete it.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 5 -
4 SECURITY OBJECTIVES
4.1 Security Objectives for the TOE
The following is the security objective for the TOE, which will minimize the threat noted
in section 3.2, that an unauthorized user will access the information:
O.OVERWRITE - The TOE must overwrite deleted information, rendering it
unrecoverable by disk recovery programs.
4.2 Security Objectives for the Environment
The TOE is used only to make files unrecoverable under a PC’s normal operating
conditions, not to declassify floppy or hard disks (because there are elaborate, but well
known, laboratory procedures which make it possible to recover information from media
long after it has been erased, although this represents a very low risk in most instances).
Organizational security procedures must be in effect that prevent the loss of the floppy of
physical disk media, which would enable the conduct of these laboratory attacks on the
sensitive information. Retaining the disk media under positive inventory control and
storage until ready for disposal, and the destruction of the media at that time, are
recommended. Disks that had at any time been used for the storage of sensitive
information must never be released into an uncontrolled environment (i.e., sold or given,
while in a usable state, to unauthorized persons/organizations for their intended re-use or
disposal). These objectives will minimize the threat, noted in section 3.2, that an
unauthorized user will access the information.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 6 -
5 IT SECURITY REQUIREMENTS
5.1 Security Functional Requirements
In accordance the security requirement SFR FDP_RIP.2, Full Residual Information
Protection, subset SFR FDP_RIP.2.1, the TSF shall ensure that any previous information content
of a resource is made unavailable upon the [refinement: deallocation of the resource from] all objects.
The TOE must ensure the protection of residual information (or data remanence), by
ensuring that information in deleted files and temporary files cannot be retrieved or
viewed using disk editor programs. The TOE must “TrueDelete" any file the user chooses
and has the necessary privileges for, and will complete the operation with the selection of
"deallocation of the resource”. Available documentation states that the TOE meets the
US Department of Defense requirements for file clearing by the overwriting procedure
defined in NCSC-TG-025.
The CC Part 2 component, which may be used to express the appropriate requirements, is
Access Control – Object Reuse - Protection of residual information in files, memory, etc.
- FDP_RIP.1-2. The reader is referred to CC Part 2 Annexes for guidance relating to the
use of specific CC Part 2 functional components.
5.2 Security Assurance Requirements
The security assurance requirement for the TOE is Evaluated Assurance Level (EAL) 1
(Functionally Tested) as described in the CC Part 3 and detailed in the following table:
Table 1 - Security Assurance Requirements
Component ID Component Name
ACM_CAP.1 Version numbers
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal functional specification
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 7 -
ATE_IND.1 Independent testing - conformance
5.3 Security Requirements for the IT Environment
There are no security requirements for the IT environment.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 8 -
6 TOE SUMMARY SPECIFICATION
6.1 TOE Security Functions
The TOE performs the following security functions in support of the functional
requirements:
Overwrite of the deleted information and temporary files at least once with a
preset pattern of characters to meet the standards for file clearing as specified
in the NCSC-TG-025 standard. The default character is 0x55.
6.2 Mapping to TOE Security Functional Requirements
The TOE security function maps to the security requirement SFR FDP_RIP.2, Full
Residual Information Protection. The SFR FDP_RIP.2.1, requires that any previous
information content of a resource is made unavailable. File clearing to the NCSC-TG-025 standard
accomplishes this.
6.3 Assurance Measures
The TOE is packaged and shipped with an administrator's guide as well as with help files
that address the CC requirement for secure installation, generation and start-up
procedures. Additional assurance information is provided in the following sub-section.
6.4 Mapping of Assurance Measures to EAL Requirements
6.4.1 Measures Used to Meet Component: ACM_CAP.1
The TOE implements ACM_CAP.1 by including a version number on both the product
container and the media (CD-ROM) on which it is provided. Additionally, the TOE
software has an “about” option which lists both the version and the Build Number (for
further granularity)
6.4.2 Measures Used to Meet Component: ADO_IGS.1
The TOE implements ADO_IGS.1, installation, generation, and start-up procedures, by
providing installation instructions on the CD-ROM.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 9 -
6.4.3 Measures Used to Meet Component: ADV_FSP.1
The TOE ADV_FSP.1 Functional Specification requirement was satisfied by the
provision of a Functional Specification document by the vendor and the use of publicly
posted information on the vendor’s WWW site.
6.4.4 Measures Used to Meet Component: ADV_RCR.1
The TOE implements ADV_RCR.1, informal correspondence demonstration, in the
functional specification.
6.4.5 Measures Used to Meet Component: AGD_ADM.1
The TOE implements AGD_ADM.1, administrator guidance, through documentation and
help files provided on the TOE CD-ROM and through the vendor’s WWW site.
6.4.6 Measures Used to Meet Component: AGD_USR.1
The TOE implements AGD_USR.1, user guidance, through documentation and help files
provided on the TOE CD-ROM and through the vendor’s WWW site.
6.4.7 Measures Used to Meet Component: ATE_IND.1
The TOE implements ATE_IND.1, independent testing – conformance, by the vendor
providing the most recent version of the software to an evaluator for testing.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 10 -
7 PROTECTION PROFILE CLAIMS
7.1 PP Reference
There are no relevant Protection Profiles for a TOE whose objective is to perform secure
overwrite.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 11 -
8 RATIONALE
8.1 Security Objectives Rationale
O.OVERWRITE - The TOE must overwrite deleted information, rendering it
unrecoverable by disk recovery programs.
The security objective of overwriting deleted information, rendering it unrecoverable by
disk recovery programs, is satisfactory to address the identified threat of an unauthorized
user gaining access to the information without the permission of the owner of the
information. By overwriting, disk utilities will be unable to reconstruct or recover the
deleted data.
8.2 Security Requirements Rationale
OBJECTIVE SECURITY FUNCTIONAL REQUIREMENT (CC 2)
O.OVERWRITE SFR FDP_RIP.2 - Full Residual Information Protection
Overwriting is an effective method of clearing data from magnetic media, one that is
recognized by many standards organizations, and the US DoD. As the name implies,
overwriting utilizes a program to write (a characters, a complementary character, or a
combination of both) onto the location of the media where the file to be sanitized is
located. The number of times that media is overwritten depends on the level of sensitivity
of the information.
For an EAL 1 assurance, it is sufficient to demonstrate that users will have confidence in
correct operation of the TOE in accordance with the available documentation, and the
threats are not particularly serious. In this threat scenario, the threat is low for PCs
processing classified information, as they are in strictly controlled areas, preventing
access by unauthorized persons. In the case of PCs processing lower sensitive
information, they are usually in moderately controlled environments (even if only to
protect against theft), and the benefit of theft of this information is moderate at best,
therefore the threat is low to moderate.
8.3 TOE Summary Specification Rationale
There is only one Security Functional Requirement required (as specified above), as all
others are irrelevant.
Security Target - CGI-ITSETF-99-01-ST-04
EAL 1 Trial Evaluation of Entrust/TrueDelete
CGI Information Systems and 31 March 1999
Management Consultants Inc.
- 12 -
8.4 PP Claims Rationale
There are no PP compliance issues, as there are no relevant PPs for this TOE.